HIPAA HITECH Audits and Risk Analysis

Risk Analysis

In 2011, during the Department of Health and Human Services Office for Civil Rights (OCR) pilot audit program, 58 of 59 providers audited had at least one negative security finding or observation. As part of this audit, the OCR also found that two-thirds of the audited entities did not have a complete and accurate risk analysis. A HIPAA Security Risk Analysis is a requirement of 45 CFR 164.308(a)(1)(ii). Conducting a security risk analysis is also one of the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. The gravity of the situation is still not understood by many Eligible Providers and Entities. With Meaningful Use, it is a case of all or nothing: failing to meet one requirement is no different from failing to meet many, because Meaningful Use requires 100% completion of all measures in order to be considered within the required parameters. Even more important are the consequences of failing to meet these standards, as any discrepancy requires the forfeiture of any monies received and repayment within a 60-day period. The 60-day rule comes from Section 6402(d) of the Affordable Care Act (ACA), which mandates that any person or entity who has received an overpayment report and return the overpayment to the appropriate entity by the later of:

  • 60 days after the date on which the overpayment was identified; or
  • the date any corresponding cost report is due (if applicable).

The Affordable Care Act also made retaining an overpayment past the 60-day deadline an “obligation” under the False Claims Act’s (FCA) “reverse” false claim provision, and therefore a basis for FCA liability. In short, due diligence and a documented risk analysis are a must: play by the rules and don’t take unnecessary chances.