FierceEMR posted a story on how some providers are attesting to meaningful use measures but are actually not addressing all of the required measures. Specifically some providers are stating that they have performed a meaningful use risk assessment on how patient data is being protected but have not actually performed the risk assessment. The article goes on to warn that these providers are at risk of being exposed during an audit by the Centers for Medicare and Medicaid Services.
There seems to be a disconnect between providers attesting that they have met the core measurement for conducting a risk assessment under meaningful use and actually conducting one that will pass muster. According to a recent report issued by CSC Global Healthcare Group, many providers admit that they’re not conducting adequate annual risk assessments, as required both by core measure 15 of Meaningful Use and HIPAA.
But if the same providers who aren’t meeting the measure are attesting that they did, then they haven’t earned their incentive payments, and run a real risk that they’ll be exposed during an audit by the Centers for Medicare and Medicaid Services. If the audit finds a provider is not eligible for the bonus, the payment will be recouped, says CMS. It’s also likely that such a finding will trigger further audits of that provider.
Let’s take a quick look at what is required for the meaningful use risk assessment. In order to achieve Stage 1 meaningful use for eligible providers, one of the core objectives is to perform a risk analysis/assessment.
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities
Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process
A risk assessment is not only a requirement for meaningful use but it is also a requirement for the HIPAA security rule.
If you are planning on achieving meaningful use then take a look at our meaningful use risk assessment. It is easy, thorough and provides great insight into how you are protecting patient data as well as makes specific recommendations to better protect data.