Preparing For (and Surviving) a Meaningful Use Audit · 2014. 8. 19.

Slide Deck: http://goo.gl/61dwUc

Webex Support 1-866-223-3239

Event # 667 893 764

“Preparing For (and Surviving) a Meaningful Use Audit”

A Complimentary Webinar From healthsystemCIO.com

Sponsored by Redspin

Your Line Will Be Silent Until Our Event Begins

Thank You!




Housekeeping

• Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com

• Ask A Question

- We will be holding a Q&A session after the formal presentations.

- You may submit your questions at any time by clicking on the QA panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”

• Download the Deck

- Go to: http://healthsystemcio.com/presentation/muaudit-huffman-webinar.pdf

- Shortened link below appears on most slides.

• View the Archive

- You will receive an email when our archive recording is ready.

- Separate registration is required.


Agenda — 45 Minutes

• 20 minutes: Steve Huffman, CIO, Beacon Health System

• 5 minutes: A Word From Our Sponsor: Dan Berger, President/CEO, Redspin

• 20 minutes: Q&A w/Steve Huffman


“Preparing for… (and surviving) a Meaningful Use Audit”


CMS


You should know by now…..

• Payments = audit potential (thank goodness)

• Your documentation should be kept for 6 years from attestation!

• States are auditing separately for Medicaid

• Figliozzi is the current CMS audit contractor for MU

• Assume you will be audited (more than once)

• Each payment is an audit target

• Each audit can be a bit different

• Prepare to be tired of audits


Pre-Audit Activity

Be ridiculously familiar with the nuances of MU

• Saying “I didn’t know” is never a good response

• Read and re-read the detail of the MU measures

• If you assign a team to lead MU, read the detail yourself

• Read the CMS Supporting Documentation for Audits material


Pre-Audit Activity

Assemble, Practice and Communicate

• Develop a team responsible for MU submission & audits

- Our team is led by CPO & includes internal audit and specific analysts and informatics

• Any information should be held in a KNOWN spot – someone might leave!

• Practice audits (inpatient / ambulatory / state / CMS)

• Inform your Board – usually Audit Committee


Pre-Audit Activity

Create and maintain your MU submission documentation

(a.k.a. The Audit Book)

• Screen shots (host & receiver systems if possible)

• Reports (vendor logo?!?!?!)

• Letters (vendor certification / exchange recipients)

• Summary of any changes that occurred during reporting period

• Include latest information from your vendor related to MU detail – their reports change!

• Ask your vendor for help or examples


Pre-Audit Activity

Risk Analysis

• Perform a risk analysis!

• Any Health System could always improve this activity!

• Budget for it – both assessment and remediation

• Our approach:

- State regional extension center risk assessment

- Internal major changes risk assessment

- Document plan post assessment

- Document progress on remediation

- For the love of Pete – DOCUMENT!


During the Audit

• Your auditor is a real person, not the enemy

• Provide exact information requested, no more and no less

• If you need to explain, then provide a summary

• If you have questions, call the person responsible for the audit

• Test your connection to their secure site to submit documents early

• If you need more time or more info – ASK

• Communicate about the audit – be open (admin team, audit committee)

• It takes about 16 hours to go through a typical CMS audit and 32 for Medicaid


Post Audit Activity

• Debrief – what went well, what didn’t

• Refine your documentation

• Communicate


A Few Random Thoughts

• Our auditors have been tough but fair

• Risk assessments are tough – lots of scrutiny & lots of work

• Risk management next target? - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

• Information system activity review next target? - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

• Concern over MU2 audits – The level of documentation required around process – Direct messaging, visit summary and portal


Meaningful Healthcare IT Security ®

Mission Statement

To help our clients safeguard protected health information (PHI) from data breach and meet and maintain regulatory compliance.

www.redspin.com


Healthcare Experience

• Conducted HIPAA Security Risk Analysis at 115 hospitals

• Helps Meet Meaningful Use Stage 1 and Stage 2

• Expert Security Engineers and Compliance Professionals

• Extended Risk Analysis Scope:

- Application Risk Analysis

- Business Associates

- Mobile Devices


Technical Services

• Penetration Testing

• Web Application Security

• HIPAA Risk Analysis

• Mobile Device Security

• Social Engineering


Meaningful Use: Objective

“Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.”

- Preamble to Stage 2 CMS Final Rule; Medicare and Medicaid Programs; Electronic Health Record Incentive Program


Meaningful Use: Core Measure

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1) including addressing the encryption/security of data stored in certified EHR technology in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306 (d)(3) and implement security updates as necessary and correct identified security deficiencies as part of the risk management process.”


A Few Tips

• CMS is auditing MU attestors (so might the OIG)

• CEHRT is not synonymous with EHR application.

• Assessing security risk to PHI must extend to networks, hosts, applications, cloud storage, back-up, mobile devices, business associates, etc.

• That said, don’t neglect to document all EHR security controls

• Document your encryption strategy for data at rest


Q&A

Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as “All Panelists.”


Thank You!

• You will receive an email when our archive recording is ready. (Separate registration is required)

• Thanks to our sponsor: Redspin!

• Don’t Forget To Claim Your CHIME CHCIO Credits – Attending healthsystemCIO.com Webinars = 1 CEU

• Questions/Comments – Anthony Guerra [email protected]

Go to www.healthsystemCIO.com/webinars to view our upcoming schedule and see the last 12 months of archived events.