Guide for Providers: Internal Monitoring & Auditing of EHRs, Summaries of Auditing

Guidance for providers on conducting internal monitoring and auditing of electronic health records (EHRs) to detect unauthorized access, fraud, waste, and abuse. It covers the importance of internal monitoring, methods for identifying unauthorized access, and the role of periodic internal audits in ensuring compliance with EHR program integrity requirements.

Typology: Summaries (2021/2022). Uploaded on 09/27/2022 by hawking.

Job Aid 1: Sample Checklists for Conducting Internal Monitoring and Auditing

A well-designed compliance program should include both external and internal auditing.[1] Independent auditors, program integrity contractors, or regulatory agencies conduct external audits, while providers conduct their own internal audits. This job aid will help providers conduct internal monitoring and auditing of electronic health records (EHRs). It may also help managed care plans and other ancillary entities that may conduct or assist in monitoring or auditing EHRs. The initial discussion in this job aid addresses using automated vendor or third-party software to monitor for potential fraud, waste, and abuse in EHRs. Further discussion addresses periodic internal auditing and the auditing providers should conduct to follow up on items identified through monitoring as possible instances of fraud, waste, or abuse. For information on internal monitoring and auditing for program integrity issues in general, refer to the “Conducting a Self-Audit: A Guide for Physicians and Other Health Care Professionals” booklet, which is part of the Audit Toolkit posted to https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Education/audit-toolkit.html on the Centers for Medicare & Medicaid Services (CMS) website.

Internal Monitoring

Monitoring is an ongoing effort “to ensure that policies and procedures are in place and are being followed.”[2] It takes place on a regular basis during normal operations.[3] There are several reasons for providers to implement an internal monitoring program to detect unauthorized access to or use of patient EHRs. These reasons include:

• As “covered entities” under the Health Insurance Portability and Accountability Act’s (HIPAA)[4] Privacy and Security Rules,[5] providers are required to take appropriate steps to protect EHRs from unauthorized access.[6] Failure to take these steps can lead to civil monetary penalties;[7]

• CMS requires certain managed care plans to conduct internal monitoring and auditing for potential fraud, waste, and abuse as one of the seven elements of an effective compliance program;[8] and

• The U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG) recommends conducting internal monitoring and auditing.[9]

Providers who want to purchase a new EHR system or upgrade an existing system should ask vendors whether automated monitoring and reporting capabilities are available. Providers may also want to consider purchasing third-party software or services to add fraud, waste, and abuse detection capabilities to their systems. In 2005, the American Health Information Management Association predicted that customized fraud detection software would eventually become as widely available in the health care field as it is in banking and financial services.[10] An industry article from 2014 indicates this prediction is coming true. The article notes that CMS and the Massachusetts health insurance exchange use automated fraud detection software, and cites a report that 97 percent of payers surveyed planned to invest in their fraud, waste, and abuse detection systems in 2014–15.[11] For now, fraud detection software is not standard in certified EHR systems, and HHS-OIG recently released a report[12] encouraging CMS to provide guidance to EHR users on how to detect fraud, and more specifically how to use the audit logs, which are now required by rule in certified EHR software.[13]

Many providers, especially small and solo provider practices, may not be able to afford new or upgraded software or third-party monitoring services to automate their monitoring efforts. However, these providers can still lay the foundation for a basic monitoring program by controlling access to EHRs and authorizing certain tasks only to those who need to perform those tasks. For example, both billing personnel and medical professionals need access to the content of medical records, but typically only the medical professionals would be in a position to revise or add to the content.

Providers can then establish a process to manually examine randomly selected EHRs and their corresponding audit log entries. This approach is discussed in the “Manual Review of Electronic Health Records” job aid and the booklet “Detecting and Responding to Fraud, Waste, and Abuse Associated With the Use of Electronic Health Records,” both posted to https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Education/electronic-health-records.html on the CMS website. Regardless of whether monitoring occurs through automated software or through random sampling and manual inspection, providers should take similar steps to complete the process. These steps are:

  1. Identify risks.
  2. Do a baseline audit.
  3. Develop and implement a plan for ongoing monitoring.
  4. Perform corrective action.

monitoring and periodic audits.[17] Doing a baseline audit for EHR compliance with security, coding, billing, and documentation requirements, whether as part of an overall compliance audit or as a separate effort, should serve the same purpose. The compliance officer or designee and the monitoring team should work with the system administrator to identify the queries or methods to put into place to identify noncompliance through a baseline audit. Vendor or third-party software may also offer system edits or have built-in algorithms to identify potential fraud, waste, abuse, and improper payments.

Systems certified by the U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC), must have the capability to sort log entries and create audit reports for specific time periods.[18] This capability can be useful in developing a baseline audit, but systems that meet only the minimum certification requirements may not perform this function efficiently.[19, 20] Third-party software may be necessary and can address this problem. For example, third-party software can load EHR access data from the audit log into a separate database and then analyze the data through statistical and machine-learning methods. One study has shown this to be an effective approach to identifying suspicious incidents.[21]

Small providers and others for whom buying such software is not feasible can still do a simple baseline audit by manually reviewing a random sample of records and their associated claims and audit log entries. Small providers can follow a procedure similar to the one HHS-OIG describes for a baseline general compliance audit by a small provider.[22]

Sample Checklist 1. Events provides event questions, based on regulations and experience, to include as part of a baseline audit. Check the “Yes” box for each question found to be true during the baseline audit and the “No” box for each question found to be false. If an event is marked “Yes” on this checklist, take remedial action to correct it.

Sample Checklist 1. Events

Events (answer Yes or No*):

- Has the audit log function been disabled at any time?
- Are known changes to data entries missing from the audit log?
- Is there evidence that the audit log has been altered?
- Has the encryption status been disabled, either on the server or locally on end-user devices?
- Are unauthorized employees able to disable the audit log?
- Were there changes to the EHR software program?
- Was there duplicate text in a patient’s record on different dates or for different providers that treat the patient (cloning)?
- Was there duplicate text from the health record of one provider’s patient in the record of another provider’s patient (clinical plagiarism)?
- Were notes entered by personnel other than the attending or supervising provider, which the provider did not validate?
- Are there an unusually large number of certain types of transactions?
- Are there transactions that reflect unusually large dollar amounts?
- Are there abnormal types of transactions?
- Are there an unusually large number of patient information views, especially by one or a few unauthorized individuals?
- Have any employees viewed records they would not ordinarily need to see?
- Are there unauthorized views of EHRs for friends and relatives (especially of the one accessing the records), celebrities, or minors being treated for pregnancy or other sex-related conditions?
- Have any incident reports not been evaluated to determine the cause or source of the incident?
- Are system warning messages and responses disabled?

* Find other ideas for questions for this checklist on the Internet at:
- http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050599.hcsp?dDocName=bok1_
- http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf
- https://www.gpo.gov/fdsys/pkg/FR-2015-10-16/pdf/2015-25597.pdf

Incident reports describe actual or alleged events involving a patient, employee, volunteer, or visitor that put themselves or others at risk.[23] In health care, incidents reported are usually critical incidents or adverse events that may cause or have caused patient harm or death. Larger health care entities maintain a list of suggested reportable events that include items that can involve the EHR system, such as medication errors, diagnostic or therapeutic procedure errors, lost or stolen patient records, privacy violations, and security violations.[24, 25] These errors and violations can affect quality of care and can lead to fraud, waste, or abuse. As part of the internal monitoring process, providers and others should educate staff on reportable incidents, and evaluate any reported incidents to see if the error was related to EHR use.
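The baseline-audit discussion and Sample Checklist 1 above state what a reviewer should look for in the audit log but not how to test an export against those questions. The following Python script is an added example; it is not part of the CMS job aid and does not describe the behaviour of any particular certified EHR product. It assumes a hypothetical export format (one record per event with the fields seq, ts, user, patient and action, plus a prev field holding the SHA-256 of the preceding record so the export is tamper-evident), a gap-free seq counter, a constructed care-team table, and constructed sample events. It implements four checklist events: a hole in the sequence (log disabled or entries removed), a broken hash link (evidence of alteration), a user whose daily view count exceeds a ceiling derived statistically from the baseline audit, and views of patients with whom the user has no treatment relationship.

```python
"""Added example: review an EHR audit-log export against several Sample
Checklist 1 events and a baseline audit. The export format, field names,
the prev-hash chain and all sample data are assumptions for illustration."""
import hashlib
import json
import statistics
from collections import Counter, defaultdict

GENESIS = "0" * 64  # prev link of the first record in the hypothetical export

def record_hash(rec):
    """SHA-256 over a canonical serialization of one record (prev included)."""
    return hashlib.sha256(
        json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def build_export(events):
    """Constructed sample: chain (seq, ts, user, patient, action) tuples the way
    the hypothetical EHR would, each record carrying the hash of the one before."""
    records, prev = [], GENESIS
    for seq, ts, user, patient, action in events:
        rec = {"seq": seq, "ts": ts, "user": user, "patient": patient,
               "action": action, "prev": prev}
        records.append(rec)
        prev = record_hash(rec)
    return records

def verify_chain(records):
    """'Is there evidence that the audit log has been altered?' Returns the seq
    of each record whose prev link does not match the record before it, i.e.
    the preceding record was changed or replaced. A change to the very last
    record is detectable only if the tail hash was recorded at export time."""
    broken, prev = [], GENESIS
    for rec in records:
        if rec["prev"] != prev:
            broken.append(rec["seq"])
        prev = record_hash(rec)
    return broken

def sequence_gaps(records):
    """'Has the audit log been disabled?' / 'Are known changes missing?' A hole
    in the gap-free counter means entries were never written or were removed."""
    seqs = sorted(r["seq"] for r in records)
    return [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]

def daily_views(records):
    """VIEW events per (user, calendar day)."""
    return Counter((r["user"], r["ts"][:10]) for r in records if r["action"] == "VIEW")

def baseline_thresholds(baseline, k=3.0, floor=5):
    """Baseline audit -> per-user daily view ceiling: mean + k * stdev of that
    user's daily counts during the baseline period, never below `floor`."""
    per_user = defaultdict(list)
    for (user, _day), n in daily_views(baseline).items():
        per_user[user].append(n)
    return {u: max(floor, statistics.mean(c) + k * statistics.pstdev(c))
            for u, c in per_user.items()}

def excess_views(monitor, thresholds, default=5):
    """'Unusually large number of patient information views by one individual':
    (user, day, count) above the user's ceiling; users unseen in the baseline
    get `default`."""
    return [(u, d, n) for (u, d), n in daily_views(monitor).items()
            if n > thresholds.get(u, default)]

def no_treatment_relationship(records, care_team):
    """'Have any employees viewed records they would not ordinarily need to see?'
    care_team maps user -> set of patient ids with a treatment relationship."""
    return [(r["seq"], r["user"], r["patient"]) for r in records
            if r["patient"] not in care_team.get(r["user"], set())]

def review(baseline, monitor, care_team):
    """Compare a monitoring-period export with expectations set by the baseline."""
    return {"chain_breaks": verify_chain(monitor),
            "sequence_gaps": sequence_gaps(monitor),
            "excess_views": excess_views(monitor, baseline_thresholds(baseline)),
            "no_relationship": no_treatment_relationship(monitor, care_team)}

# ---- constructed sample data (no real patients, users or events) ------------
def _views(day, user, patients, start_seq):
    return [(start_seq + i, f"{day}T{8 + i:02d}:00:00", user, p, "VIEW")
            for i, p in enumerate(patients)]

P = [f"P{i}" for i in range(1, 9)]                          # patients P1..P8
CARE_TEAM = {"nurse1": set(P), "dr1": set(P[:4]), "clerk1": set(P)}
BASELINE = build_export(
    _views("2016-05-02", "nurse1", P[:6], 1) + _views("2016-05-02", "dr1", P[:4], 7)
    + _views("2016-05-03", "nurse1", P, 11) + _views("2016-05-03", "dr1", P[:4], 19)
    + _views("2016-05-04", "nurse1", P[:7], 23))            # nurse1: 6, 8, 7 views/day
MONITOR = build_export(
    _views("2016-06-06", "nurse1", P + P[:4], 101)           # 12 views in one day
    + _views("2016-06-06", "dr1", P[:3], 113)
    + [(121, "2016-06-06T20:00:00", "clerk1", "P9", "VIEW")])  # seq 116-120 never written
MONITOR[2]["patient"] = "P7"   # simulate an after-the-fact edit of record seq 103

if __name__ == "__main__":
    for finding, items in review(BASELINE, MONITOR, CARE_TEAM).items():
        print(f"{finding}: {items}")
```

The chain check reports the record after the one that was modified, so a break at seq 104 points the reviewer at seq 103. Whether a real product can produce a chained or signed audit export is a question to put to the vendor when asking about monitoring capabilities; without one, the same check reduces to comparing the current export against a copy retained outside the EHR at the time of the baseline audit. The per-user ceiling is deliberately simple (mean plus three standard deviations of daily counts, with a floor so that quiet users are not flagged for a handful of views); it is the baseline-versus-monitoring comparison the text describes, not a substitute for the manual review of the flagged records.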

- Time frames for delivery of analytical reports to the compliance officer or designee.

There should be a designated person responsible for implementing and tracking the monitoring plan. It is helpful to develop a monitoring plan tracking tool to make sure all identified program integrity risk areas are addressed.[30]

4. Perform Corrective Action

Those responsible should analyze each monitoring report and identify changes from the baseline audit outcomes. An anomaly could indicate the EHR monitoring and reporting process is flawed and requires further review. Investigate changes in measures from the baseline audit for possible unauthorized or suspicious activity. Once the provider identifies an issue through data analysis, they should develop and implement a plan for corrective action. This plan may include employee discipline, modification of software, changes in policy, and referral to State or Federal agencies. In general, HHS-OIG expects managed care plans to report violations of the law to HHS-OIG and CMS within 30 days.[31] Contract provisions or State Medicaid agency procedures may require reporting to other entities or reporting within different periods. After implementing corrective action, the provider should include an analysis of how effective the corrective actions are in the monitoring reports.

Internal Audits

Providers should examine incidents that internal monitoring identifies as suspicious. If a short examination does not resolve the incident, and if the incident does not require immediate referral to law enforcement, an internal audit should further examine the incident. An internal audit differs from monitoring in that it is done periodically rather than on an ongoing basis. An internal audit is more focused, more comprehensive, and based on specific predetermined standards. Internal audits to determine compliance with the predetermined standards should occur at least once a year.[32, 33] The persons who conduct the audits should be different from those who conduct monitoring.[34] Those who conduct the audits should have knowledge and experience related to the risk areas under review.[35] HHS-OIG recommends that periodic audits focus on areas in which the provider has identified a risk of noncompliance.[36] Therefore, providers seeking to ensure compliance with EHR program integrity requirements should use periodic internal audits to determine whether the monitoring program is doing an adequate job of detecting unauthorized access and other risks to the integrity of EHRs.

In general, the steps for an internal audit of EHRs are the same as for any other internal audit, and include the following:

  1. Identify the risks;
  2. Audit the risks;
  3. Document the audit by stating: a. Where the information came from; b. Why the information was gathered; c. What the information means; and d. What was done with the information;
  4. Review and act on the audit results.

The following sections review the steps for an internal audit in more detail.

1. Identify the Risks

Providers should periodically audit the program integrity risk areas that are part of their internal monitoring plan. In addition, providers should consider auditing other risk areas based on their experience, or the experiences of other providers. Providers and others can identify other risks by using risk assessment tools that are available commercially or free of charge from the websites of compliance organizations.[37]

2. Audit the Risks

Sample Checklist 2. Internal Audit Findings provides common items providers should check to ensure they are functioning during an internal audit. Recognizing these items is a method for discovering EHR fraud, waste, and abuse. Only answer the question “Yes” if there are no exceptions. Otherwise, answer “No.” If an item is marked “No,” plan and implement corrective action.

Sample Checklist 2. Internal Audit Findings

Audit Questions (answer Yes or No):

- Is the audit log complete and functional?
- Are there adequate limitations on access to EHRs that are properly enforced?
- Are data in transit and in storage adequately encrypted?
- Are stored data adequately protected from outside intruders or hackers?
- Are there adequate controls requiring outside approval before any one person can make changes to the EHR system?

Monitor and measure the efficacy of changes during the next regular audit cycle. As in any quality improvement activity, evaluate changes when implemented. If they are not effective, revise them. Following an audit, the monitoring response team should review the results to identify risk areas from the audit that they should include in the ongoing monitoring plan. Figure 1 illustrates the dynamic relationship between monitoring and auditing.

Figure 1. Relationship Between Monitoring and Auditing

Conclusion

Providers can help detect and prevent fraud, waste, and abuse associated with EHRs by establishing processes for monitoring and auditing their EHR systems. Use review or audit to further analyze suspicious incidents detected during monitoring. In addition, providers should institute periodic internal audits of identified risk areas. Providers can use the audit results to correct violations, make appropriate referrals, and improve systems for preventing and detecting fraud, waste, and abuse in EHRs. To see the electronic version of this job aid and the other products included in the “Electronic Health Records” Toolkit posted to the Medicaid Program Integrity Education page, visit https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Education/edmic-landing.html on the CMS website. Follow us on Twitter #MedicaidIntegrity

References

[1] Centers for Medicare & Medicaid Services. (2014, June 26). Affordable Care Act Provider Compliance Programs: Getting Started Webinar (Slide 26). Medicare Learning Network. Retrieved April 11, 2016, from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/MLN-Compliance-Webinar.pdf
[2] Kusserow, R. P. (2014, September-October). Claims Processing Ongoing Monitoring and Auditing: Improves Revenue and Prevents Costly Errors (pp. 45-46). Journal of Health Care Compliance. Retrieved April 11, 2016, from http://www.compliance.com/wp-content/files_mf/jhcc_091014_kusserow.pdf
[3] Centers for Medicare & Medicaid Services. (2014, June 26). Affordable Care Act Provider Compliance Programs: Getting Started Webinar (Slide 28). Medicare Learning Network. Retrieved April 11, 2016, from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/MLN-Compliance-Webinar.pdf
[4] Health Insurance Portability and Accountability Act of 1996. Pub. L. 104-191, §§ 262, 264, 110 Stat. 1936. Retrieved April 11, 2016, from http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
[5] 45 C.F.R. pts. 160, 164. Retrieved April 11, 2016, from http://www.ecfr.gov/cgi-bin/text-idx?SID=1a6fd6dbe254e4c2011ad1d0045ba5&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl
[6] 45 C.F.R. §§ 164.302, 164.306, 164.530(c). Retrieved April 11, 2016, from http://www.ecfr.gov/cgi-bin/text-idx?SID=81320ec41eb3eb8ad72adfd2df6c2ff2&tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl
[7] 45 C.F.R. § 160.404(b)(2). Retrieved April 11, 2016, from http://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=1001176da38a56b24f8899c788f9b5fa&n=sp45.1.160.d&r=SUBPART&ty=HTML#se45.1.160_
[8] Specific Requirements, 42 C.F.R. § 438.608(b). Retrieved April 11, 2016, from http://www.ecfr.gov/cgi-bin/text-idx?SID=86e51d80c638deecda3e627fbc1d7270&mc=true&node=se42.4.438_1608&rgn=div
[9] U.S. Department of Health and Human Services. Office of Inspector General. (2000, October 5). OIG Compliance Program for Individual and Small Group Physician Practices. 65 Fed. Reg. 59434, 59436. Retrieved April 12, 2016, from http://oig.hhs.gov/authorities/docs/physician.pdf
[10] Foundation of Research and Education. American Health Information Management Association. (2005, September 30). Report on the Use of Health Information Technology to Enhance and Expand Health Care Anti-Fraud Activities (p. 33). Retrieved April 14, 2016, from http://library.ahima.org/PdfView?oid=
[11] Hom, D. (2014, September 30). Predictive Analytics–Detecting Fraud, Waste and Abuse in Health Insurance Exchanges. SCIO Health Analytics. Retrieved April 11, 2016, from http://www.sciohealthanalytics.com/blog/exchanges/post/predictive-analytics-detecting-fraud-waste-and-abuse-health-insurance-exchanges
[12] U.S. Department of Health and Human Services. Office of Inspector General. (2014, January). CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs. Retrieved April 11, 2016, from http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf
[13] U.S. Department of Health and Human Services. (2015, October 16). 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications; Final Rule. 45 C.F.R. § 170.315(d). Retrieved April 11, 2016, from https://www.gpo.gov/fdsys/pkg/FR-2015-10-16/pdf/2015-25597.pdf
[14] Centers for Medicare & Medicaid Services. Medicare Learning Network. (2014, June 26). Affordable Care Act Provider Compliance Programs: Getting Started Webinar (Slide 16). Retrieved April 11, 2016, from https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/MLN-Compliance-Webinar.pdf
[15] Centers for Medicare & Medicaid Services. (2014, September 24). Managed Care Plans: Critical Partners in the Fight Against Fraud, Waste, and Abuse in Medicaid (p. 3). Retrieved April 11, 2016, from https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Education/Provider-Education-Toolkits/Downloads/managedcare-preshandout100114.pdf
[16] Centers for Medicare & Medicaid Services. (2013, January 11). Medicare Managed Care Manual. Chapter 21, Section 50.6.2. Retrieved April 11, 2016, from https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf
[33] U.S. Department of Health and Human Services. Office of Inspector General. (2000, October 5). OIG Compliance Program for Individual and Small Group Physician Practices. 65 Fed. Reg. 59434, 59437. Retrieved April 12, 2016, from http://oig.hhs.gov/authorities/docs/physician.pdf
[34] Kusserow, R. P. (2014, September-October). Claims Processing Ongoing Monitoring and Auditing: Improves Revenue and Prevents Costly Errors (p. 46). Journal of Health Care Compliance. Retrieved April 12, 2016, from http://www.compliance.com/wp-content/files_mf/jhcc_091014_kusserow.pdf
[35] Centers for Medicare & Medicaid Services. (2013, January 11). Medicare Managed Care Manual. Chapter 21, Section 50.6.5. Retrieved April 12, 2016, from https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf
[36] U.S. Department of Health and Human Services. Office of Inspector General. (2000, October 5). OIG Compliance Program for Individual and Small Group Physician Practices. 65 Fed. Reg. 59434, 59437–38. Retrieved April 12, 2016, from http://oig.hhs.gov/authorities/docs/physician.pdf
[37] Mazarredo, Y., & Munroe, F. (2012, March 9). Risk Assessments: From a Compliance Audit and Internal Audit Perspective (pp. 13–19). Health Care Compliance Association. Retrieved April 12, 2016, from http://www.hcca-info.org/portals/0/pdfs/resources/conference_handouts/compliance_institute/2012/p7print2.pdf
[38] U.S. Government Accountability Office. (2011, December). Government Auditing Standards (Para. 6.03, p. 124). Retrieved April 12, 2016, from http://www.gao.gov/assets/590/587281.pdf
[39] Bradshaw, R. (2000, April). Using Peer Review for Self-Audits of Medical Record Documentation. American Academy of Family Physicians. Retrieved April 12, 2016, from http://www.aafp.org/fpm/2000/0400/p28.html

Disclaimer

This job aid was current at the time it was published or uploaded onto the web. Medicaid and Medicare policies change frequently, so links to the source documents have been provided within the document for your reference. This job aid was prepared as a service to the public and is not intended to grant rights or impose obligations. This job aid may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. Use of this material is voluntary. Inclusion of a link does not constitute CMS endorsement of the material. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents.

June 2016