The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) described its commitment to review meaningful use incentives in its Work Plan for FY 2014.  Specifically, OIG will audit the security of certified EHR technology (CEHRT) of entities receiving payments under the EHR Incentive Program (Meaningful Use (MU) Program).  This is consistent with the Centers for Medicare and Medicaid Services’ (CMS) 2013 announcements that HHS would conduct prepayment and postpayment audits of 5-10 percent of all eligible professionals (EPs) attesting for meaningful use under the MU Program. [1]

Since those announcements, we have seen first-hand HHS’ increased audit activity, with an emphasis on the protection of electronic protected health information (ePHI) maintained within CEHRT.

HHS’ recent announcement of a hospital executive’s criminal indictment for allegedly making false statements to achieve MU Program incentive payments further underscores the importance of accurate attestations and the need for supporting documentation.  Although such severe penalties are rare, enforcement of the MU Program requirements is not uncommon.  The results of CMS’ first round of audits likely informed OIG’s current concern over the adequate protection of ePHI created or maintained within CEHRT, as the initial audit indicated that many HIPAA covered entities have not adequately addressed CEHRT security risks.  This concern has increased with the recent implementation of the HIPAA Final Rule, numerous security breaches, and the growing popularity of cloud-based CEHRT and vendors.  In addition to reviewing information security, the 2014 Work Plan indicates OIG will review the CMS audits conducted by contractor Figliozzi & Company that resulted in incentive payment denial and the recouping of significant funds.

The heart of any CMS audit remains its Document Request list, which requires documentation supporting the completion of many or all of the Program’s Core Set Objectives and EP attestations.  However, CMS, and now OIG, are particularly interested in Core #15 – Protect ePHI.  This Core Measure specifically requires EPs to provide evidence of a HIPAA Security Rule risk analysis for the reporting period and the implementation of security updates necessary to correct deficiencies identified in the analysis.  To date, HHS has provided little guidance as to what constitutes a compliant HIPAA risk analysis; however, at minimum, EPs must (i) identify the system(s) that access, transmit, and maintain ePHI; (ii) identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; and (iii) implement reasonable and appropriate mitigation steps to reduce identified risk. [2]  The risk analysis must address internal and external threats to ePHI, such as environmental, human, and technological risks, as well as the existence or lack of encryption, while taking into consideration the EP’s size, complexity, and capabilities.  Risk analyses must be revisited and updated on a reasonable basis and upon any change to the EP’s system(s).  Notwithstanding the preceding required elements, the risk analysis does not need to adhere to a precise form or be contained in a single document, and the acceptable methodologies and processes used to perform the analysis may vary widely. [3]

Although an audit often requests significant documentation within a short (approximately 30-day) timeframe, EPs can take simple preparatory measures to ensure their ability to respond to audit requests in a meaningful and timely manner, thereby securing full payment and avoiding regulatory liability.

Steps to Prepare for a MU Program Audit

The following upfront action plan will enable an EP to provide a meaningful and timely response to a MU Program audit:

  • Document fulfillment of MU Program objectives and measures (Core and Menu) for each MU Program participation year
  • Retain screenshots demonstrating enabled capabilities, including capture of required data elements
  • Conduct and/or update a HIPAA risk analysis for each MU Program participation year
  • Document security implementation plan(s), including proposed dates of completion
  • Identify other supporting documents addressing CEHRT security, such as:
    • Privacy and security policies and procedures;
    • Safeguard mechanisms;
    • Back-up, emergency, and recovery plans;
    • EHR vendor agreements and business associate agreements; and
    • Mitigating and corrective action measures.
  • Identify a point of contact and support team; work with compliance officers, medical professionals, IT, and the C-Suite to adequately implement the MU Program and respond to HHS in a clear, complete manner
  • Obtain and retain copies of EHR certification and vendor licensing agreements and invoices
  • Identify related areas of potential regulatory noncompliance (e.g., fraud and abuse, HIPAA)