This week’s Medicare updates include the release of the October 2016 Medicare Quarterly Provider Compliance Newsletter; OIG reports on Medicare payments for clinical diagnostic laboratory tests; Reform of Requirements for Long-Term Care Facilities; and more!
As OCR's auditors wrap up the final desk audit reports for phase two of the HIPAA audit program, many covered entities (CE) are breathing a little easier. Only 167 CEs were selected for desk audits in July. Audited CEs can expect to wait several months to see the final audit reports, although they will have the opportunity to review a draft version and submit comments that will be attached to the final report.
But phase two is far from over. Business associates (BA) will be selected for desk audits this fall—the first time these entities will be subject to OCR's HIPAA audits. And early next year, OCR will launch comprehensive on-site audits of both CEs and BAs.
This week’s Medicare updates include a story about the OIG levying its largest penalty under a corporate integrity agreement against nation's biggest provider of post-acute care; a fact sheet and press release about moving Medicare Advantage and Part D forward; and more!
CMS’ wireless network has significant vulnerabilities that could compromise the integrity of the agency's data, the Office of Inspector General (OIG) said in a recent report.
There's good news and bad news on the 2-midnight rule front. The good news: CMS has put short-stay inpatient audits related to the 2-midnight rule on hold as of May 4. The bad news: This isn't a free pass, and it isn't going to last.
Information systems activity review is a fancy way of saying you need to monitor your network and your applications including who is looking at and manipulating your patient information. That can be an expensive, or even almost impossible, proposition when it comes to regular monitoring of access to patient information stored in electronic health records (EHR). Two of the well-known automated audit logging tools on the market, FairWarning and Iatric, are well outside the budget for small- to medium-sized covered entities (CE). The manual option, checking audit logs by hand, is slow and ineffective.
As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.
But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.
The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.
Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.
