Tougher Meaningful Use Audits Ahead; Kentucky REC Can Help You Prepare

Audit 3d Word Sphere with magnifying glass on white background.Be Ready! A recent audit by the OIG revealed that CMS issued hundreds of millions of dollars worth of incorrect EHR incentive payments.

Per the EHR Incentive Program, documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for six years post-attestation.

From The Wall Street Journal:

Medicare erroneously paid an estimated $729 million to doctors and other health professionals under a multibillion-dollar federal initiative designed to shift the health-care system from paper records to computer files, according to a new federal audit.

The U.S. Department of Health and Human Services Office of Inspector General, which conducted the audit, said Medicare, over a three-year period, improperly paid health professionals who vouched they earned bonus payments under the initiative, but who either lacked required proof or failed to meet bonus criteria.

The Centers for Medicare and Medicaid Services, the agency that oversees Medicare, should review its incentive payments and recoup any money erroneously paid and do more to scrutinize spending under the incentive program, OIG auditors said in a report of its audit. The program was created by 2009 legislation to accelerate use of electronic health records.
CMS “conducted minimal documentation reviews,” the report said, “leaving the EHR program vulnerable to abuse and misuse of federal funds.”

The audit estimated improper payments totaled 12% of the approximately $6.1 billion Medicare paid out as electronic health-record incentives to professionals during the three years reviewed by auditors. Auditors based the estimate on a review of 100 health professionals who vouched they earned bonuses between May 2011 and June 2014. To do so, health professionals must meet several criteria, such as using computers to order prescriptions and transfer health data electronically. Rules also require professionals to monitor cybersecurity.

Auditors said they found, in that sample of 100, 14 health professionals who reported incorrect information or who couldn’t produce required documents or other proof they met bonus criteria, including six without evidence of cybersecurity efforts. The 14 professionals were paid $291,222 in that three-year period.

In a February letter responding to the OIG findings, then-acting CMS Administrator Patrick Conway touted the rapid use of electronic health records under the initiative and said Medicare would recoup improper payments to professionals included in the sample audited by the OIG. Dr. Conway said CMS also launched targeted audits “to strengthen the program integrity,” which continue this year. The OIG report, however, said it didn’t believe the targeted audits would be enough. “This administration is committed to turning the page and ushering in a new era of accountability,” CMS officials said in a statement responding to the audit. “Providing high-quality care to Medicare beneficiaries while being responsible stewards of taxpayer dollars remains a top CMS priority, and we recognize the value data validation and auditing bring to our programs.”

The audit also found Medicare overpaid health-care professionals by $2.3 million during the same period as some professionals moved between incentive programs run by Medicare and Medicaid. Health-care workers are allowed to earn such electronic-health-record incentives from either Medicare or Medicaid, but not from both. The OIG found some who switched incorrectly received higher payments than they would have otherwise.

See the original WSJ article here.

No one likes to think about being audited, but we at Kentucky REC would like to help you be better prepared when facing a Meaningful Use Audit. Kentucky REC can help you prepare for pre and post payment Meaningful Use Audits. When receiving an audit notice, most practices find that a large amount of information is requested and must be provided in a very short time period. Kentucky REC offers a Meaningful Use Mock Audit service that will assist you in knowing what documents may be requested during an audit. We will help you make sure that your practice is organized and prepared with the items needed at your finger tips for each program year.

If a provider is unable to prove they have met each objective and measure for Meaningful Use, they face the risk of failing the audit and their incentive money may be recouped. Providers and staff have worked hard to meet Meaningful Use objectives. Make sure you are ready for a Meaningful Use Audit and contact us at Kentucky REC to find out more and receive a quote for this helpful service.

Read the Office of Inspector General notice here. The OIG complete report is available here.

Our experts at Kentucky REC are here to answer your questions. Call us at 859-323-3090.

Patient-Centered Specialty Practice (PCSP) Cohort to begin on June 23, 2017

Posted June 12th in PCMH, Service Offering

PCSP Cohort KentuckyThe Patient-Centered Specialty Practice is a National Committee for Quality Assurance (NCQA) recognition program that extends the Patient-Centered Medical Home (PCMH) concepts to specialists. Specialty practices committed to access, communication and care coordination can earn accolades as the “neighbors” that surround and inform the medical home and colleagues in primary care.

This cohort framework is designed to accelerate your journey to NCQA PCSP Recognition within a 14-16 month period. Through our expert training, coaching, and resources, your staff will be well-prepared to carry out the practice transformation process.

Our cohort will begin on June 23, 2017. Please let us know if you would like to join or would like to request additional information.

Now is the perfect time! By receiving recognition as a PCSP, your organization will receive full points in the Improvement Activities category of the Merit-Based Incentive Payment System under the Medicare Access and CHIP Reauthorization Act (MACRA).

Don’t miss the opportunity to be a part of something special as we work to transform healthcare in Kentucky!

To learn about the PCSP program and our Cohort services:

Watch our FREE educational webinar recording
For more information about joining the Kentucky REC PCSP Cohort, please email Megan Housley or Stephen Williams or call 859-323-3090.

Watch our new MACRA Overview Module – CE Credit Available

Posted May 30th in Education, Service Offering

The Medicare Access and CHIP Reauthorization Act (MACRA) is a transformative law that will ultimately lead the American health care system away from a fee-for-service model and towards a new risk-bearing, value-based, coordinated care models. MACRA will drive payment and delivery reform across the payer mix for the foreseeable future in an attempt to lessen the overall burden of ever-climbing healthcare costs in the US.

Anyone who bills Medicare Part B for more than $30,000 or sees more than 100 Medicare Part B patients must participate in MIPS/MACRA. Eligible Clinicians include: MD, DO, NP, PA, CNS, CRNA.

Kentucky Regional Extension Center has launched a FREE MACRA Overview Module. One hour of CME credit (AMA PRA Category 1 Credit(s)™) is available.

Watch the MACRA Overview Module Here

Upon completion of this activity, participants will be able to:

  1. Review the changes in health care reporting and reimbursements brought about by MACRA legislation
  2. Describe what is needed to prepare for 2017 reporting including tips and tricks for MU and PQRS
  3. Discuss how to organize your practice for MU, PQRS, and MACRA success
  4. Cite the top HIPAA threats and success strategies for practices
  5. Identify what is needed to prepare for practice transformation
If you need MACRA guidance and support, Kentucky REC can help! We offer FREE support through our Quality Payment Program Resource Center™ and more tailored, individualized assistance through our Fee-For-Service program.

Kentucky REC’s FREE MIPS and MACRA Support Services

qpp-surs-logoThe Medicare Access and CHIP Reauthorization Act (MACRA) is a transformative law that will ultimately lead the American health care system away from a fee-for-service model and towards a new risk-bearing, value-based, coordinated care models. MACRA will drive payment and delivery reform across the payer mix for the foreseeable future in an attempt to lessen the overall burden of ever-climbing healthcare costs in the US.

Anyone who bills Medicare Part B for more than $30,000 or sees more than 100 Medicare Part B patients must participate in MIPS/MACRA. Eligible Clinicians include: MD, DO, NP, PA, CNS, CRNA.

The good news: Kentucky REC is here to help. We have been awarded a grant from CMS to establish the Quality Payment Program Resource Center™ to provide FREE help to eligible clinicians as they navigate participation in the CMS Quality Payment Program focused on supporting providers in small practices (15 or fewer Eligible Clinicians), and rural or underserved areas.

The Resource Center™ web portal will be your trusted source for the education and resources you need to be successful under this new Medicare payment program. We can offer you:

  • Straightforward, self-directed resources and tools
  • Up-to-date materials reviewed for accuracy and usability
  • Expert Quality Payment Program Advisors available via live chat or phone support
Sign up NOW to ensure access to full portal services available late Spring 2017

Please join us for a FREE kick-off webinar on May 31st from Noon – 1pm (EST). This webinar will explain why the Quality Payment Program is important to you, how the Resource Center™ web portal will empower your team with our educational resources and tools, and what your next step is to start receiving our no-cost support.

Register Here for the May 31st webinar

*During this webinar, you will be connected to audio using your computer’s microphone and speakers (VoIP). A headset is recommended.

Ransomware: Are You Protected?

ransomewareOn May 12, 2017 The Department for Homeland Security released the following report:

US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of the required security measures include:

• implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
• implementing procedures to guard against and detect malicious software;
•training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
• implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

Call the Kentucky REC today at 859-323-3090 to see how we can help with your HIPAA compliance.