Every Check Has a Balance—Even with Healthcare IT

Barry Mathis, PYA Principal-Information Technology, authored the article below, “Every Check Has a Balance—Even with Healthcare IT,” which was recently published by the Tennessee Society of Certified Public Accountants.

This article first appeared in the November/December 2016 issue of the Tennessee CPA Journal. It is reprinted with permission.

Every check has a balance—even with healthcare IT.  In this case, for every check there is an audit.  Providers receive federal and state funds based on their ability to provide access to electronic health records (EHR).  To qualify under the Centers for Medicare & Medicaid Services EHR incentive program, providers must demonstrate that they are meaningfully using their EHR by meeting thresholds for numerous objectives.  Among the core objectives is the responsibility to protect electronic health information created or maintained by certified electronic health record technology (CEHRT).  Completing a HIPAA Security Risk Analysis (HSRA), implementing the security updates it calls for, and correcting the deficiencies it identifies are the measures providers must take to meet that objective.

The Department of Health and Human Services (HHS) outlines the minimum steps of an HSRA as:

  • Identifying the scope of the analysis
  • Gathering the data
  • Identifying and documenting potential threats and vulnerabilities
  • Assessing current security measures
  • Determining the likelihood of threat occurrence
  • Determining the potential impact of threat occurrence
  • Determining the level of risk
  • Identifying security measures
  • Finalizing the documentation

Despite this detailed guidance, some providers hastily completed the HSRA or misunderstood the requirement entirely.  Providers are now being audited and discovering a gap between what they understood and what was expected.  During these audits, providers who fail to furnish adequate evidence that they met a core measure could find their Meaningful Use (MU) payments recalled.

Ongoing MU audits are not the only audits providers face when it comes to HIPAA.  The Office for Civil Rights (OCR) has begun Phase 2 of the federal HIPAA audits.  These audits consist of desk audits and a smaller number of on-site audits.  Since the inception of the Phase 2 audits, approximately 200 providers have been notified to submit documentation for a desk audit.  Approximately 50 providers, both from within and outside the desk audit pool, have been notified of an on-site HIPAA audit.  Although the scope of a desk audit is limited to seven controls drawn from the Security Rule, the Privacy Rule, and the Breach Notification Rule, the HSRA is a required component of every audit.


Desk audits are underway, and OCR will base them only on the documents submitted through its specified electronic process within ten business days of the request.  Business Associate (BA) desk audits commenced this fall, and the selection pool is largely made up of BAs identified by Covered Entities (CEs) in their document responses.  Comprehensive on-site audits of both CEs and BAs will begin in early 2017.

So, what should you be doing now to prepare for future HIPAA audits?

  1. If you have not yet completed an HSRA, complete one as soon as possible.  HIPAA requires you to review, correct, modify, and update your security protections, and the risk analysis is what tells you what needs correcting.  If no HSRA has been completed, you are already in violation of the HIPAA Security Rule, and every month of delay leaves unidentified risks unaddressed, exposing you to additional penalties and, ultimately, to a breach.
  2. Review your HSRA for alignment with HHS guidance.  Have you identified all ePHI, threats, vulnerabilities, and likelihood of exposure?  Have you completed the analysis and prioritized your risks?  Do you have an updated mitigation plan?
  3. Gather your documentation, which you are required to retain for six years [2], including the HSRA results, your mitigation plan, and your HIPAA policies and procedures.  Organize and standardize formats so that uploading and reviewing the documentation is straightforward.  Refrain from submitting superfluous documentation, as there is a 10MB file size limitation.
  4. Using the OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements [1], conduct internal reviews to identify gaps that might delay your response to an OCR audit request.
  5. If gaps are identified, begin mitigation efforts now.  Be prepared to include additional commentary and detailed mitigation plans, as needed.
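To make the nine HHS steps and the review questions in item 2 concrete, here is an added example (not from the article, PYA, or HHS) of a minimal risk register in Python.  Each finding carries the scoped ePHI asset, a threat/vulnerability pair, the current controls, and likelihood and impact ratings; the risk level is derived from an assumed three-by-three matrix; findings are prioritized for the mitigation plan; and a validation pass flags the two gaps auditors most often find, an in-scope asset that was never assessed and a material risk with no documented mitigation.  The assets, threats, ratings, owners, and dates are constructed sample data, and the matrix is an assumption, not an HHS scale.

```python
"""HIPAA Security Risk Analysis (HSRA) register.

Added example, not code from the article, PYA, or HHS.  It walks the HHS
steps listed above: scoped assets, threat/vulnerability pairs, current
controls, likelihood, impact, risk level, planned measures, and a gap
check on the documentation.  The 3x3 likelihood/impact matrix and every
asset, threat, and rating below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Step 7: risk level from likelihood and impact (assumed 3x3 matrix).
RISK_MATRIX = {
    ("low", "low"): "low",      ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Finding:
    asset: str                  # where the ePHI lives (step 1: scope)
    threat: str                 # step 3
    vulnerability: str          # step 3
    current_controls: str       # step 4: what is already in place
    likelihood: str             # step 5
    impact: str                 # step 6
    planned_measure: str = ""   # step 8: mitigation
    owner: str = ""
    due: str = ""

    def risk_level(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]

    def has_plan(self) -> bool:
        # A mitigation is only documented if it has a measure, an owner, and a date.
        return bool(self.planned_measure and self.owner and self.due)


def validate(scope: list[str], findings: list[Finding]) -> list[str]:
    """Step 9 check: return the documentation gaps an auditor would flag.

    Two gaps are caught: an in-scope ePHI asset with no assessed
    threat/vulnerability pair, and a medium or high risk with no
    documented mitigation plan (measure, owner, due date).
    """
    gaps = []
    assessed = {f.asset for f in findings}
    for asset in scope:
        if asset not in assessed:
            gaps.append(f"{asset}: in scope but no threat/vulnerability assessed")
    for f in findings:
        if f.likelihood not in LEVELS or f.impact not in LEVELS:
            gaps.append(f"{f.asset}/{f.threat}: likelihood/impact not rated")
            continue
        if f.risk_level() != "low" and not f.has_plan():
            gaps.append(f"{f.asset}/{f.threat}: {f.risk_level()} risk without a mitigation plan")
    return gaps


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for the mitigation plan: high, then medium, then low."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.risk_level()], f.asset))


# Constructed sample data: the scope from step 1 and three findings.
SAMPLE_SCOPE = ["EHR database server", "Billing workstation", "Backup tapes", "Staff laptops"]
SAMPLE_FINDINGS = [
    Finding("EHR database server", "credential theft via phishing", "no MFA on remote access",
            "password policy, endpoint antivirus", "high", "high",
            "require MFA for all remote access", "IT director", "2017-03-31"),
    Finding("Backup tapes", "loss or theft in transit", "tapes are not encrypted",
            "courier chain-of-custody log", "medium", "high"),
    Finding("Billing workstation", "malware infection", "operating system not patched",
            "antivirus", "medium", "medium",
            "enable automatic patching", "help desk", "2017-01-15"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.risk_level():6} {f.asset}: {f.threat} ({f.vulnerability})")
    for gap in validate(SAMPLE_SCOPE, SAMPLE_FINDINGS):
        print("GAP:", gap)
```

Run against the sample data, the register reports two gaps: the staff laptops are in scope but were never assessed, and the unencrypted backup tapes are a high risk with no owner, measure, or due date.  Those are exactly the questions in item 2, and the same checks are what an OCR reviewer performs by hand on the submitted HSRA.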

Do not assume that, because you were not included in the first round of audits, you will not be audited in the future.  OCR plans to select additional on-site audits beginning in 2017.  The documentation required for these audits will likely be similar to that required for the desk audits, but on-site audits will not be limited to specific control areas; they will be comprehensive HIPAA compliance audits.


[1] https://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf

[2] Retain the documentation required…for 6 years from the date of its creation or the date when it last was in effect, whichever is later (emphasis added) (45 CFR 164.316)

Barry Mathis