How Strong is Your HIPAA Compliance?
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
The Meaningful Use program can help offset technology costs or could cost your hospital or practice millions of dollars. It could also cost you your career.
Having to return money can mean more than just a hit to your organization’s finances. If your hospital or practice fails a Meaningful Use Audit you might lose your job because of your own failure, or because you become a scapegoat to protect others. With Meaningful Use you can win big, but the penalties are huge if you are caught cheating.
Cheating
Don’t like the word ‘cheating?’ Whether intentional or not, attesting to something that isn’t accurate—whether it is because you tried to do things on your own to save money, or by mistakenly assuming you understood the information you read— is fraud. Remember that Meaningful Use payments are part of Medicare, so if you are caught you will have to return the money and risk future penalties. Worse, you could pay triple damages through the federal False Claims Act, lose your license, or even face criminal charges.
A $31 Million Meaningful Use Error, or a Whistleblower?
This week Health Management Associates (HMA) announced it was returning $31 million in Meaningful Use payments and restating its income for three years and its most recent quarterly filings. The company said it “determined that it had made an error” and that 11 of its hospitals did not qualify for the incentive payments. The company is now led by an ‘Interim’ Chief Executive Officer (CEO) and ‘Interim’ Chief Financial Officer (CFO).
Eleven hospitals? CEO and CFO replaced? An error? Really? This just may be another notch in the gun for the Meaningful Use Audit program, although the government has been silent so far about HMA. Or, maybe this came from a whistle-blowing employee not willing to risk everything for the company.
HIPAA Risk Analysis & Meaningful Use
How strong is your HIPAA compliance? A HIPAA Risk Analysis is a prerequisite Core Measure for passing a Meaningful Use Audit, and it is one area that keeps tripping up practices and hospitals. Some organizations attest even though they don’t have one, have an old one, or tried to do one themselves, and a Meaningful Use Audit exposes its weaknesses.
In its Top 10 Myths of Security Risk Analysis the Office of the National Coordinator (ONC) says you don’t have to hire a consultant for a Risk Analysis and then immediately contradicts itself with its own guidance:
MYTH: I have to outsource the security risk analysis.
FACT: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
First the ONC says you can do a Risk Analysis yourself and then says if you want one “that will stand up to a compliance review” (like a Meaningful Use Audit!) you will require expert help. What’s better for your career— hoping that your Risk Analysis is good enough or paying ‘an experienced outside professional?’
Government Careers
The incentives for the government to aggressively pursue a Meaningful Use Audit go beyond money and get down to what makes government employees tick like the rest of us—their careers.
If you are a government official, you are on notice that you must enforce Meaningful Use and HIPAA compliance. A year ago the U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) reported that the ONC was not doing enough to prevent fraud in the Electronic Health Records (Meaningful Use) Incentive Program. A similar report in 2008 found that the Centers for Medicare and Medicaid Services (CMS) was lax in enforcing HIPAA. It’s not good when the OIG says you aren’t doing your job, is it?
Hospital Careers
Hospitals are gambling with millions of dollars in Meaningful Use money. They are complex organizations and their executives rely on department managers and staff members to keep them informed. As an executive, it is your signature attesting for Meaningful Use money. How can you be sure that the information you receive is accurate and complete? Do your department managers have the knowledge and experience to comply with Meaningful Use? Whose name will be in the news articles and what will your Board of Directors think of your leadership if you fail a Meaningful Use Audit?
Medical Careers
If you are a physician or other licensed professional and you fail a Meaningful Use Audit you may have to pay back the money— or you could lose your license. Thinking you could just shut down your practice or retire to avoid penalties is wrong, since federal penalties are like missed income taxes—you cannot discharge them through bankruptcy. Hoping that you won’t get caught is not a sustainable business strategy.
Do you know what you are up against?
The government has outsourced its Meaningful Use Audit program to Figliozzi and Company—experienced outside professionals. Figliozzi has sent out audit letters to practices and hospitals, many of whom are surprised at the level of detailed evidence requested and also the short time to produce it. Their sample letter only gives two weeks to produce the evidence that you have complied. Could you do it?
So what can you do?
- If you want to sustain a compliance review, listen to the federal agency’s guidance and hire ‘an experienced outside professional’ for your Risk Analysis. They know what they are talking about since they disburse the money and have told their auditors what to look for.
- Don’t be casual signing something you aren’t sure of. Make yourself confident that you can produce the evidence to sustain a Meaningful Use Audit. It might hurt but it is better not to attest than to attest to something that is not accurate or truthful.
Your career is at stake. Don’t put the cost of your education and years of effort at risk by failing a Meaningful Use Audit. Spend some dollars and do it right.