Healthcare Informatics Magazine

Washington Debrief: OCR Offers Details about Audits; More MACRA Considerations

October 24, 2016
by Leslie Kriegstein, Vice President of Congressional Affairs, CHIME

HIPAA Update

Key Takeaway: OCR offers more details about audits.

Why it Matters: If OCR comes knocking, it helps to know what to expect. Last week the Office for Civil Rights (OCR) shared more details about its audit plans. It is targeting a wide range of covered entities (CEs), numbering between 200 and 250, and will start with desk audits. A small portion of the overall audits will be more comprehensive on-site audits, conducted once the desk audits are complete. While unlikely, it is possible that a CE selected for a desk audit could also see an on-site audit. OCR will be asking CEs for a list of their business associates (BAs), as it plans to focus more attention on them as well and expects to begin auditing BAs shortly. During the desk audits OCR will be auditing on the privacy rule (i.e. notice of privacy practice), the security rule (i.e. security management processes), and breach notification controls (i.e. timeliness of notification). OCR lists Q's and A's on desk audits here.

OCR has no plans to post the list of CEs they are auditing and they will not expose what they find during each audit. Once they move to audits of BAs, however, they will not be asking for contacts for the BA’s BAs. They will be performing a webinar for BAs who have been selected for an audit to help set expectations and answer questions.

OCR offered two pieces of advice on audits. OCR will alert auditees to its inquiry via an email, so first, don't ignore any inquiries initiated by OCR requesting an audit. It will make a two-part request: the first part lists the policies, procedures and other documentation being requested, which will need to be submitted via an online portal; the second asks for a list of all of the CE's BAs, which must be returned to OCR within ten business days. Second, don't upload extra files to OCR's system following a request for information; the auditors won't review this information if they get it, so only send what is requested. For more information on the audits go here. For more information on audit protocols go here.

OCR Cyber Update

Key Takeaway: Are you signed up for OCR’s monthly cyber newsletter?

Why it Matters: Stay on top of HHS' alerts and thinking by signing up for its monthly newsletter. HHS began sending them in February. We have archived links for all of them. Sign up here. Archived versions of Issues 1-9 can be found here. Go here to join the OCR listserv.


More details on the Final Regulation

Key Takeaway: As more folks sink their teeth into the 2,300-page regulation, more details emerge on the Quality Payment Program (QPP).

Why it Matters: CHIME continues to cull through the regulation to make heads or tails of what CMS finalized and what is in store for physicians and clinicians for 2017 in the new QPP, which will consist of two pathways for participation: The Medicare-based Incentive Program (MIPS) and Advanced Alternative Payment Models (APMs). Our readers can find a new CIO Cheat Sheet here that gives a high-level overview of the rule. One thing for hospital CIOs to keep in mind is that CMS finalized the requirements stemming from MACRA which call for providers, both physicians/clinicians and hospitals, to attest that they have not engaged in data blocking and that they are supporting the performance of certified electronic health records (CEHRT) and ONC's surveillance activities. This is discussed in greater depth in our fact sheet.

Another thing that may be of interest to our hospital CIO readers is where CMS landed on how it will treat hospital-based physicians under the ACI section of MIPS. CMS had proposed defining a hospital-based clinician as one who provides 90 percent or more of their covered professional services in a hospital setting (defined by CMS' place of service codes placed on the claim for sites of service 21, 22, and 23). However, under the final rule this percentage was decreased to 75 percent.

Since this is a final rule with comment, we will be submitting comments. Those interested in participating in our workgroups slated for October 28th and November 11th and 17th, please contact us. All calls will be at 1pm ET.
