Chat with us, powered by LiveChat

AHCCCS Audit Notice Announced

Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) Audit for IT System Security Notifies of AHCCCS Audits

Courtesy of DHHS

Courtesy of DHHS

 

HIPAA One® works with several Health Plans and Clinics that operate a Managed Care Organization (MCO)  in the great state of Arizona providing AHCCCS Audits pursuant to Policy 108 and HIPAA.  As such, we have helped these clients respond to several audits since Policy 108 took place back in 2013.

Yesterday the Arizona Health Care Cost Containment System (AHCCCS) was notified by the DHHS OIG they will be performing on-site audits of three Managed Care Organizations regarding IT system security.  To summarize the notice:

  1. The MCOs may begin the audits as soon as November 2, 2015.
  2. One MCO will be audited this year, and two more MCOs will likely be performed in 2016.
  3. DHHS OIG will provide a draft report with the combined findings to AHCCCS.
  4. A final report of the combined audit findings will be published with non-identifying information.
  5. The first MCO will be contacted Monday, October 19, 2015.

As of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means, is any Covered Entities involved with Medicaid reimbursements, must use a third-party service to conduct a Data Security Audit.

In March of 2015, we posted an update to our AHCCCS blog with a responses to the annual guidance request by AHCCCS:

“Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…”

You can find the updated Policy 108 compliance guidance here, that states the audit needs to be done every year, and must be submitted using third-party attestation by June 1st:

 Policy 108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a HIPAA Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

Data Security Audits Required For Covered Entities Involved With Medicaid Reimbursements

arizona mapUPDATED 3/9/2015

For those who are unaware, as of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means, is any Covered Entities involved with Medicaid reimbursements, must use a third-party service to conduct a Data Security Audit.

As part of the AHCCCS Security Rule Compliance steps, Contractors must conduct a Data Security Audit then submit an AHCCCS Security Compliance Report to the Division of Healthcare Management (DHCM) for review and approval by June 1.  This security audit needs to be performed by an independent third party on an annual basis.

We at MCS believe this is for purposes of accountability and segregation of duties.  We use the most simple, automated and affordable cloud-based HIPAA Security Compliance and Risk Analysis solution called HIPAA One®.  HIPAA One® provides several benefits including preparing for an OCR/OIG audit, HIPAA Security Officer training checklist/interviews, and ongoing remediation planning with reporting.

We can help conduct the Data Security Audit and attest per the AHCCCS Contractor Operations Manual, Chapter 100 – Administration, fill out Attachment A:  AHCCCS Security Rule Compliance Summary Checklist as part of our service.  We are already covering these items as part of the 78 HIPAA Security Citations in the OCR Audit Protocol, OCR’s Guidance on HIPAA Security, and for Meaningful Use Stage 2 requirements.

HIPAA One® can help – please contact us at 801-770-1199, email at support@hipaaone.com, or visit us at www.hipaaone.com for more information.

UPDATED 3/9/2015

MCS has just received word from AHCCCS in response to a 2015 guidance request:

Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…

You can find the updated Policy 108 compliance guidance here, that states theaudit needs to be done every year, and must be submitted using third-party attestation by June 1st:

108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.