OCR Launches Phase 2 of HIPAA Audit Program
(info from HHS)
As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. Audits are an important compliance tool for OCR that supplements OCR's other enforcement tools, such as complaint investigations and compliance reviews. These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.
The 2016 audit process begins with verification of an entity's address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
If an entity does not respond to OCR's request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity's spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.
The audit program is developing on pace and OCR is committed to transparency about the process. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
OCR's audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.
The WVSMA wants physicians to know that the audit inquiry to those lucky enough to be selected is being done by email and OCR has indicated that these emails may get caught in providers' email spam folders. OCR is pulling providers at random based on NPI numbers. We have heard that providers are now getting the email inquiries. The OCR notification asks the provider to verify their email/contact information for the audit. Reportedly, physicians have been receiving these emails and will continue to throughout June. The email would be sent from OSOCRAudit@hhs.gov. The WVSMA recommends that physicians check their spam filter or search to see if they have received an inquiry from OCR.
(This information is courtesy of Robert L. Coffield of Flaherty, Sensabaugh, Bonasso, LLC.)
To learn more about OCR's Phase 2 Audit program, please visit the HHS website at http://www.hhs.gov
(info from CMS and AMA)
The WVSMA is working to provide information about MACRA as it becomes available. Many of you participated in the MACRA physician survey during January/February, where it was determined that there is a need to provide more information in order for practices to have a much clearer understanding of the new physician payment rules. Below is some information from the AMA that may help you as you begin to prepare for these new payment methods.
First off, MACRA is going to change many Medicare program requirements. There will be two main pathways for physician payment under MACRA: one is the modified fee-for-service model, called MIPS (Merit-based Incentive Payment System), and the other is an advanced payment model (APM). With the APM, physicians participating in specific CMS-approved models may receive an annual bonus payment.
Whether you ultimately participate in an APM or the MIPS, taking action in the following areas can position your practice for success in the future. Below are some ways you can begin to prepare your practice.
Determine whether you have $10,000 or less in Medicare charges and 100 or fewer Medicare patients annually. If so, you are exempt from MIPS participation.
If you are not already participating in a patient clinical data registry, contact your specialty society about participating in their registry. Data registries can streamline reporting and assist with MIPS performance scoring.
Physicians in a practice of more than one eligible clinician should decide whether to report individually or as a group.
Determine whether your practice meets the requirements for small, rural or non-patient-facing physician accommodations.
MIPS: Quality measurement and Reporting
Check your Medicare Physician Quality Reporting System (PQRS) feedback reports. Make sure that you understand your current quality metrics reporting requirements and how you are scoring across both PQRS and private payers. While it is anticipated that the general PQRS requirements will stay the same under MIPS, there are some proposed changes to MIPS quality requirements and quality measures. Determine which quality measures you plan to report on; there are individual measures and specialty-specific measure sets.
Access and review the 2014 annual PQRS feedback reports to see where improvements can be made. Authorized representatives of group and solo practitioners can view the reports on the CMS Enterprise Portal using an Enterprise Identity Data Management account with the correct role.
Consider whether you plan to report through claims, electronic health record (EHR), clinical registry, qualified clinical data registry (QCDR) or group practice reporting option (GPRO) Web-interface. The GPRO Web-interface is only available for physicians in practices of 25 or more eligible clinicians.
Seek out local support for your quality improvement activities. Many local organizations such as Practice Transformation Networks provide resources and technical support, often free of charge, to help small physician practices succeed.
MIPS: Resource Use
Check your Medicare quality and resource use reports (QRURs) to see where improvement can potentially be made.
Review CMS's proposed list of episode groups at www.cms.gov.
Identify your most costly patient population conditions and diagnoses.
Identify targeted care delivery plans for these conditions.
Identify any internal workflow changes that can be made to support care delivery plans. Identify potential partners outside of your practice to advance a coordinated care plan (e.g., other specialists to whom you refer patients).
MIPS: Clinical Practice Improvement Activities
Review the proposed rule's list of clinical practice improvement activities (CPIAs) to evaluate what activities your practice is already doing and what adjustments it should make to complete additional activities in 2017.
The reporting period for CPIAs is 90 days. Consider which 90 days in 2017 would work best for your practice's selected CPIAs.
If you participate in a nationally recognized, accredited patient-centered medical home (PCMH), a Medicaid medical home model, a medical home model, or are recognized by the National Committee for Quality Assurance as a patient-centered specialty model, ensure that your certifications and accreditations (as applicable) are current. Physicians participating in these medical homes earn full CPIA credit.
MIPS: Advancing Care Information
If you have an EHR, make sure it is certified EHR technology, which is often referred to as CEHRT. Determine whether it is 2014- or 2015-edition certified health information technology; the version will determine the measures on which you report in 2017.
Speak with your vendor about how their product supports new payment model adoption. For example: How does their product support Medicare quality reporting? Document these conversations.
Consider how to ensure that you can report at least one unique patient (or answer "yes," as applicable) for each measure of the base score's six objectives. Ideas include:
Reach out to existing patients to encourage their use of patient portals to view, download and transmit their health information in 2017.
Your EHR may allow you to send a secure message through the patient portal to all of your patients at once. If so, and doing so is appropriate for your practice, consider sending.
Conduct a careful security risk analysis in early 2017. Failure to properly do so will result in a score of zero for this category. Your risk analysis should comply with the HIPAA Security Rule requirements.
Determine whether there is an additional public health registry to which you can report to receive an additional point towards your total Advancing Care Information score.
Alternative Payment Models
Confirm whether you are a participant in any of the advanced APMs. If not, contact your specialty society or state medical society to find out if there are APM opportunities for your practice.
Evaluate whether you are likely to meet the threshold for significant participation in an advanced APM, which would qualify you for incentive payments.
Determine whether 50 percent of your clinicians use certified EHR technology to document and communicate clinical care information.