Washington Debrief: OCR Offers Details about Audits; More MACRA Considerations

Oct. 25, 2016
As more folks sink their teeth into the 2,300 page regulations, more details emerge on the Quality Payment Program (QPP).

HIPAA Update

Key Takeaway: OCR offers more details about audits.

Why it Matters: If OCR comes knocking it helps to know what to expect. Last week the Office for Civil Rights (OCR) shared more details around their audit plans.  They are targeting wide range of covered entities (CEs) numbering between 200-250 and they will start with desk audits. A small portion of the overall audits will be more comprehensive on-site audits once the desk audits are complete.  While unlikely, it is possible that a CE selected for a desk audit could also see an on-site audit.  OCR will be asking CE’s for a list of their business associates (BAs) as they plan on focusing more attention on them as well and expects to begin auditing BA’s shortly. During the desk audits OCR will be auditing on privacy rule (i.e. notice of privacy practice), security rule (i.e. security management processes), and breach notification controls (i.e. timeliness of notification). OCR lists Q’s and A’s on desk audits here.

OCR has no plans to post the list of CEs they are auditing and they will not expose what they find during each audit. Once they move to audits of BAs, however, they will not be asking for contacts for the BA’s BAs. They will be performing a webinar for BAs who have been selected for an audit to help set expectations and answer questions.

OCR offered two pieces of advice on audits. OCR will alert auditees to their inquiry via an email, so first, don’t ignore any inquiries initiated by OCR requesting an audit.  They will make a two-part request: one listing the policies, procedures and other documentation they are requesting which will need to be submitted via an online portal. Then they will request a list of all of the CE’s BA’s which must be returned to OCR within ten business days. Second, don’t upload extra files to their system following a request for information; they won’t review this information if they get it so only send what is requested by the auditors. For more information on the audits go here. For more information on audit protocols go here.

OCR Cyber Update                                                                                                                                                     

Key Takeaway: Are you signed up for OCR’s monthly cyber newsletter?

Why it Matters: Stay on top of HHS’ alerts and thinking by signing up for their monthly newsletter.  HHS began sending them in February. We have archived links for all them. Sign up here. Archived versions of Issues 1-9 can be found here. Go here to join the OCR listserve.

MACRA

More details on the Final Regulation

Key Takeaway: As more folks sink their teeth into the 2,300 page regulations, more details emerge on the Quality Payment Program (QPP).

Why it Matters: CHIME continues to cull through the regulation to make heads and tails of what CMS finalized and what is in store for physicians and clinicians for 2017 in the new QPP which will consist of two pathways for participation: The Medicare-based Incentive Program (MIPS) and Advanced Alternative Payment Models (APMs).  Our readers can find a new CIO Cheat Sheet here that gives a high-level overview of the rule.  One thing for hospital CIOs to keep in mind is CMS finalized the requirements stemming from MACRA which call for providers—both physicians/clinicians and hospitals—to attest that they have not engaged in data blocking and that they are supporting the performance of certified electronic health records (CEHRT) and ONC’s surveillance activities.  This is discussed in greater depth in our fact sheet.

Another thing that may be of interest to our hospital CIO readers is where CMS landed on how they will treat hospital-based physicians under the ACI section of MIPS.  CMS had proposed that a hospital-based clinician who provides 90 percent or more of their covered professional services in a hospital setting (defined by CMS’ place of service codes placed on the claim for sites of service 21, 22, and 23). However, under the final rule they decreased this percentage to 75 percent.

Since this is a final rule with comment we will be comments.  Those interested in participating in our workgroups slated for October 28th and November 11th and 17th please contact us. All calls will be at 1pm ET.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?