Information systems activity review is a fancy way of saying you need to monitor your network and your applications including who is looking at and manipulating your patient information. That can be an expensive, or even almost impossible, proposition when it comes to regular monitoring of access to patient information stored in electronic health records (EHR). Two of the well-known automated audit logging tools on the market, FairWarning and Iatric, are well outside the budget for small- to medium-sized covered entities (CE). The manual option, checking audit logs by hand, is slow and ineffective.
As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.
But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.
The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.
Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.
The 2016 Revenue Integrity Symposium brings together training on Medicare billing and compliance, case management, revenue integrity, coding, CDI, and patient status, and more.
Over the past couple months, HIMB has had audits on the brain. We covered the progress of the 2-midnight audits and walked you through the pass-fail meaningful use audits in detail. Now it's time to get a bird's-eye view of the 2016 audit landscape to ensure you're prepared for whatever comes your way this year.
Recovery Auditors
With 2-midnight rule audits shifting to the BFCC-QIOs, Crump predicts the Recovery Auditors will likely spend 2016 focusing on diagnosis-related group (DRG) audits and medical necessity reviews. These audits will likely focus on reviewing medical necessity for procedures, tests, and treatments in relation to what the Payment Integrity Manual states should be captured in the health information. Records that do not capture information related to local and national coverage determinations will likely be the low-hanging fruit if the Recovery Auditors are approved to focus on these reviews, says Dawn Crump, MA, SSBB, CHC, vice president of audit management solutions for CIOX Health in Alpharetta, Georgia.
To prepare for the Recovery Auditors, HIM professionals should focus on analyzing the risk at their facility. In addition, they should ensure there is a continuous feedback loop not only within the department but outside of it as well. Coding, compliance, and medical staff should be in the loop too, Crump says. Solid communication and education can go a long way in ensuring everyone is well prepared for an audit.
Establishing good quality checks, especially with EMRs, can also help a hospital bolster its audit preparation. HIM should be involved in checking that the information in the record tells the patient's complete story, Crump says.
"Records are evolving and EMRs are evolving, so I think status quo needs to be checked on a regular basis," she says.
For example, EMRs don't always capture all of the needed information. As local and national coverage determinations change for high-risk procedures and admissions, HIM and coding should be involved in the process of ensuring the EMR captures the latest changes and meets the new requirements; this way, the hospital will be ready to present information in the event of an audit, Crump says.
OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2a...). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.
