About one in 20 participants in the meaningful use program can expect to face an audit for compliance with the program’s requirements, according to a CMS official.
The most common problems identified in the audits so far are:
- Noncompliance with the requirement that health care providers conduct a data security risk assessment, which also is a requirement under HIPAA; and
- A lack of adequate documentation to support responses to some of the “yes or no” meaningful use requirements, such as whether Formulary is active, or proof of Drug to Drug Allergy Checks.
The Security Risk Analysis evaluates your practice’s compliance with the HIPAA Security Standards. Failure to complete the Security Risk Analysis can prevent you from collecting the EHR incentive and/or put at risk the EHR incentive you do receive in the event of an audit.
There are two types of penalties:
Meaningful Use Disqualification – The EHR incentive program requires satisfying all of the MU Measures. Reporting completion of the MU requirements with a failed or even missing Security Risk Analysis places your entire payment at risk. If you are audited (and this is a very regular occurrence), you will not only be disqualified, but you may also have to pay back every penny of incentive money already received.
HIPAA Security Penalties – If the Security Risk Analysis is not properly completed or the practice fails to address issues that would have been uncovered during a more appropriate analysis, your practice may be subject to HIPAA Security penalties. Indeed, such penalties can amount to more money per provider than you will ever receive for the EHR incentive program.
Examples of HIPAA Security Penalties Since 2011
Incident: A Massachusetts General Hospital employee took some work home, but accidentally left 192 paper billing records—containing detailed protected health information—on the subway.
Penalties: Even though it appears to have been an accident, severe penalties have been imposed on the hospital:
- $1-million fine
- Three-year corrective action plan of unprecedented oversight and intervention by the OCR, including the appointment of a designated OCR representative on premises to conduct audits and inspections and additional and frequent reporting to OCR on the hospital’s HIPAA compliance.
- Requirements to develop comprehensive policies and procedures on laptop and USB encryption, even though the breach involved paper records. The hospital must also implement a comprehensive training program on HIPAA policies and provide written certification that all staff have received and understand the policies.
___________________
Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. This is a violation of the HIPAA Privacy Rule, which requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The company also failed to cooperate with the Office for Civil Rights’ investigation.
Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet willfully neglected to comply with the Privacy Rule. The fine for these violations was $3 million.
___________________
Incident: An employee of a Miami hospital stole patient information, then sold it as part of an identity theft conspiracy.
Penalties: The employee was sentenced to two years in prison, including 12 months of home confinement, to be followed by three years of supervised release.
___________________
Incident: A researcher at the UCLA School of Medicine received a notice of termination. In retaliation, that evening, he accessed the medical records of his superior and co-workers, and during three other periods over the next four weeks, he accessed UCLA patient records, many of them involving celebrities, a total of 323 times.
Penalty: The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule.
The OCR is not the only enforcement agency taking action for HIPAA violations. Licensing boards and employers can also take action, including suspension and termination.
___________________
Incident: A physician in Rhode Island posted details of some of her emergency room encounters on Facebook.
Penalty: The Rhode Island Board of Medical Licensure found her guilty of unprofessional conduct and issued a reprimand and a fine. Even though patient names were not used, there was sufficient information about the nature of the injuries to one patient to allow an unauthorized third party to figure out who the patient was. The physician claimed she did not intend to disclose confidential information.
___________________
Incident: Thirteen staff members at UCLA accessed Britney Spears’ medical records without authorization.
Penalty: UCLA fired the 13 individuals and suspended another 6.
___________________
Incident: A doctor and two hospital employees accessed the medical records of slain Arkansas TV reporter, Anne Pressly, who was found severely beaten in her home and died five days later. The details of her attack were leaked to the media.
Penalty: The three individuals pled guilty to misdemeanors for violating HIPAA Privacy Rules. A federal judge fined the doctor and the two hospital employees and sentenced them to one year of probation. The hospital suspended the doctor’s privileges for two weeks and terminated the two employees, an account representative and an emergency room coordinator.