Medicaid MCO Audits by OIG

Pursuant to legislation passed during the 2015 session, HHSC and the Office of the Inspector General (OIG) are required to work together on periodic audits of Medicaid MCO systems.  Two such audits were initiated in late 2015, as described in the OIG's December 2015 Quarterly Report to the Governor.  The MCO Special Investigative Unit (SIU) Audit is meant to determine the effectiveness of MCO SIUs' performance in detecting and investigating fraud, waste, and abuse; and in reporting reliable information on SIU activities, results and recoveries to HHSC. The Audit of MCO Acute Care Utilization Management (UM) has as its purpose an evaluation of the effectiveness of acute care UM practices at selected MCOs in ensuring that health care services and procedures are medically necessary, appropriate, and efficient.  It is also meant to evaluate whether such UM practices achieve the intended outcomes for Medicaid clients, including those relating to timeliness, availability, and quality of care.




Phase II HIPAA Audits by OCR Have Begun

In late March 2016, the federal Office of Civil Rights, a division of the Department of Health and Human Services, began sending (i) emails to to verify contact information and (ii) pre-screening questionnaires to various entities that may be subject to a Phase II HIPAA compliance audit.  These audits will include a review of the organizations' written policies and procedures used to comply with the HIPAA Privacy, Security, and Breach Notification Rules.   OCR plans to conduct more than 200 such audits, both desk and on-site, equally divided between covered entities and business associates.   OCR's primary focus will be on desk audits, which it intends to complete by the end of 2016.   To prepare for a potential audit, covered entities should make sure that their HIPAA policies and procedures are up-to-date; verify that business associate agreements are in place with all appropriate service providers; monitor the OCR website for updated audit protocols; and, use the OCR audit protocols to conduct an internal self-audit as part of the company's ongoing compliance program.