
OCR Didn’t Meet HIPAA Security Requirements

Posted on December 27, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @annezieger on Twitter.

Oops — this doesn’t sound good. According to a report from the HHS OIG, the agency’s Office for Civil Rights has failed to meet the requirements for oversight and enforcement of the HIPAA security rule.

The 26-page report spells out several problems with OCR’s enforcement of the security rule, which was expanded by the HITECH Act of 2009 to demand regular audits of covered healthcare organizations and their business associates. The vulnerabilities found leave procedural holes which could harm OCR’s ability to do its job regarding the security rule, the OIG said.

What was OCR failing to do? Well, for one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the audits to ensure their compliance. Another example: OCR’s investigation files didn’t contain the required documentation supporting key decisions made by staff, because the staff didn’t consistently follow the office’s procedures by reviewing case documentation.

What’s more, the OCR apparently hasn’t been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow policies and procedures for properly managing security rule investigations.

The OIG also found that OCR wasn’t complying with federal cyber security requirements for its own information systems used to process and store data on investigations. Requirements it was neglecting included getting HHS authorizations to operate the system used to oversee and enforce the security rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if the OCR is going to oversee the privacy rule properly, it had better get its own act together.

CMS Needs To Tighten Up Meaningful Use Procedures, OIG Says

Posted on December 4, 2012 | Written By Anne Zieger

It looks like members of Congress aren’t the only ones finding fault with how CMS handles Meaningful Use incentives. In fact, HHS’s Office of the Inspector General has concluded that CMS needs to do more to verify that providers have indeed met MU standards both before and after payments get made.

As the OIG notes in its new report, CMS estimates that it will pay out $6.6 billion in incentives between 2011 and 2016. As things stand, the payments will be based on data self-reported by professionals and hospitals. To get a sense of how well this method is working, the OIG reviewed CMS’s incentive program oversight for 2011, as well as analyzing the self-reported data and auditing the agency’s planning docs, regs and guidance for the program.

What did the OIG find? Researchers concluded that CMS faces obstacles to overseeing the EMR incentive program which could end up with its paying providers and hospitals that haven’t fully met Meaningful Use requirements.

More specifically, the OIG concluded that CMS hasn’t put strong prepayment safeguards in place, nor does it have good mechanisms for auditing incentive disbursements postpayment. Moreover, ONC requirements for EMR reports might be getting in the way of more accurate incentive payment processes, the report said.

The OIG’s recommendations include having CMS get and review supporting documentation from selected hospitals and professionals before it cuts Meaningful Use checks, a step CMS rejects as imposing too big a burden on providers and slowing the payment process too much. (For the sake of providers that need timely checks, let’s hope it stays that way.) The OIG also recommended that CMS issue specific examples of documentation that can be used to support MU compliance.

Meanwhile, the OIG would like to see ONC change certification requirements for EMRs to make it more likely that they can produce reports for yes/no Meaningful Use measures where possible. It would also like ONC to improve the certification process for EMR technology to make sure EMRs generate accurate reports.

For the most part, the OIG’s recommendations seem reasonable, if not capable of being done overnight. But I’ve got to agree that auditing incentive payments before issuing them would throw a serious kink into the process. Let’s hope the OIG and CMS compromise on something reasonable here.

Are EMRs Going To Generate Billing Audits?

Posted on November 28, 2012 | Written By Anne Zieger

As readers are likely to know, EMRs have already begun to get a bad rap among some payers — most prominently Medicare — as leading to upcoding and padding of services performed on the E/M side of medicine. It may seem a bit unfair for CMS to push for EMR adoption then waggle the finger of disapproval when they lead to billing changes, but that’s how the cookie crumbles.

The thing is, we’re not just talking about disapproval and public chastisements over billing patterns. HHS has gone a step further than public tut-tutting. In the 2013 work plan for the HHS Office of the Inspector General, the OIG has specifically targeted EMR documentation for E&M services as an area for study and possible audits:

We will determine the extent to which CMS made potentially inappropriate payments for E/M services in
2010 and the consistency of E/M medical review determinations. We will also review multiple E/M
services for the same providers and beneficiaries to identify electronic health records (EHR)
documentation practices associated with potentially improper payments. (emphasis mine)

According to Betsy Nicoletti, a prominent coding consultant who chatted with me this week about this topic, the OIG is going all out this year, looking at Medicare A, B, C, D and just about every type of provider you can imagine (such as, for example, skilled nursing facilities). Private payers are also getting particularly aggressive in looking for suspect billing patterns, particularly profiles that don’t fit with other physicians in a given specialty.

From what she told me, it’s not that EMRs are automatically suspect, but rather, that EMRs can create inconsistencies and red-flag billing patterns through the use of templates and forms. For example, CMS may very well notice and audit your practice, she says, if the use of templates leads to using the same code too often (something CMS frowns upon, as it assumes patients’ conditions will vary widely).

If you want to get ahead of possible OIG audit problems, she suggests physicians read the work plan and self-audit in areas that are relevant to their medical practice. Better safe than sorry, no?