In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits with either the federal government or other large accounting firms such as Figliozzi & Company. All too often, providers assume that due to their size, they can fly under the radar. After all, why would OCR audit a single physician practice?!? Unfortunately, as one of our clients recently learned, it is not just the federal government that is checking on gaps in compliance or incentive program participation, state departments are getting in on the action too.

Earlier in the summer, one of our clients reached out as that they had received a letter from Connecticut’s Department of Social Services. The letter explained that due to ongoing program monitoring efforts, Connecticut’s Department of Social Services would be conducting a review of Connecticut Medicaid Electronic Health Record (EHR) Incentive Program payments made to participating providers. Per the notice, federal regulations governing the Medicaid EHR Incentive Program requires States to conduct post-payment reviews. Much to the shock of our client, they were informed they had been selected for a Program Year 2014 desk review and they had just five business days to submit the requested documentation in a PHI secure manner.

Naturally, receiving such a letter would invoke a certain amount of panic in anyone, especially when considering the Program Year in question was FOUR years ago. As you can imagine, a trail of fears and concerns ran through their minds: “Did we conduct a risk analysis that year?” “What if we are unable to produce all the documentation required for this audit?” “How do we best respond?” To protect our client’s privacy, we will not share the results of the audit, however, all providers should heed this cautionary tale if they have ever participated in past or current government incentive programs.

So, what’s the takeaway from this story? Regardless of whether you performed risk analyses every year for the past six years (per HIPAA Citation 45 CFR 164.316(b)(2)(i)) or not, it is never too late to get your house in order. Auditing bodies respond much better to providers who have performed a risk analysis at least once rather than never.  The majority of settlements and fines site either failure to have completed a risk analysis OR failure to take action on high-risk findings.

At HIPAA One, we are deeply experienced at responding to a vast array of industry audits and resolutions (now we can add State Department audits to that long list!) and frequently step in to hold our clients’ hands through the experience. One of the benefits of being a HIPAA One client is the assurance that we will stand by any HIPAA risk analysis performed using our software so your organization is not shouldering that burden alone. Contact Us today to learn more.