HITECH Audits

HITECH refers to the Health Information Technology for Economic and Clinical Health Act. This particular Act increased the compliance requirements of HIPAA as they relate to Covered Entities and Business Associates. The HITECH Act is part of the American Recovery and Reinvestment Act of 2009 and for the last couple of years has been directly related to the electronic Incentive/Meaningful Use audits. As Healthcare Consultants we have been involved with a significant number of these audits, some of them requiring information dating as far back as calendar year 2012, and some of the lessons we have learned include:

  1. Do not trust back-ups or databases as information may not reflect the values entered when doing the attestation.
    1. We have seen a number of upgrades within the same EHR after which the new version can no longer read the previous version's databases. As a result of these upgrades the EHR reporting mechanism is unable to recreate reports containing the attestation data.
    2. EHR companies have been bought out, and while to the user it seems as if they still have the same EHR, in reality they may be using a completely different system on a different platform, so the old data is either corrupted or not available.
    3. Erroneous guidance.
      1. Using menu objectives at random without ruling out others that could be met.  In other words, you cannot use a Menu Measure exception as one of your choices until you can prove that you couldn’t meet any of the other measures.
      2. Using total number of patients in EHR as denominator versus total number of patients seen by the Covered Entity during the reporting period.
      3. Failure to meet HIPAA requirements yet attesting as if they were compliant with all the provisions.
        1. The most common violation has been the failure to complete a Risk Analysis. Some Covered Entities simply have not completed a risk assessment prior to the attestation, others have IT companies complete an assessment that doesn't meet all the requirements specified under the HIPAA Security Rule, and a few simply download checklists that could be used as a guide but not as the final Risk Analysis.
        2. Failure to create a Security Management Plan in response to the Security Risk Analysis.
        3. Failure to train employees and create policies and procedures relevant to HIPAA Security.
        4. Failure to document actions of the Privacy and Security Officers.
        5. Failure to keep proof of measures that do not require specific reports from the EHR. For example:
          1. Core Measure 11: generate lists of patients by specific conditions
          2. Core Measure 15 (3): Conduct one or more successful electronic summary of care exchanges
          3. Core Measure 16: Submit electronic data to immunization registries

There is a lot more we can share in terms of audits and even appeals but for now our recommendations are:

  • Print all information when submitting the attestation. You may want to keep an electronic copy on file as well, but do not rely on the system or its reporting and back-up capabilities.
  • Ideally, create a book of evidence with the information obtained for every entity you are attesting to.
  • Complete an annual risk analysis and keep the report with your important documents.
  • Monitor your e-mail, as any future inquiry may be made using this medium.
  • Find a reliable and competent professional to assist so you know you are doing it right.