As we previously mentioned, we were busy in December, 2013 with practices rushing to get their Meaningful Use (MU) Risk Assessments completed by 12/31/2013. So here we are in 2014 and organizations need to be concerned about attesting for MU again. We are hoping to shed some more light onto MU Risk Assessments, ongoing MU audits and MU requirements for 2014. Let’s start with requirements for 2014.
2014 Meaningful Use Reporting Requirements
The first thing organizations must know for 2014, is that all organizations going for Medicare Meaningful Use incentives, regardless of which stage of Meaningful Use, only need to demonstrate Meaningful Use for 3 months. The 3 months must end on a calendar quarter.
Demonstrate MU/Reporting Period:
January – March 2014
April – June 2014
July – September 2014
October – December 2014
The Centers for Medicare & Medicaid Services (CMS) has a useful tool to show the requirements of reporting. An organization needs to enter the year they first attested or plan on attesting for MU and the tool determines the incentive payments and the reporting period for that year and subsequent years.
2014 Meaningful Use Risk Assessment Requirements
Just like previous years, a core requirement to demonstrate Meaningful Use is to perform a Risk Assessment. This is true regardless of whether an organization is in Stage 1 or Stage 2 of Meaningful Use.
Timing of Risk Assessment
One question that we were asked repetitively in 2013 was:
Do I have to complete the Meaningful Use Risk Assessment prior to the end of the reporting period or can I do a Risk Assessment after the reporting period?
Guidelines from CMS make it clear that the Meaningful Use Risk Assessment MUST be performed prior to the end of the reporting period.
EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.
The CMS guidelines make is clear that an organization can perform the Risk Assessment before, during but not after the reporting period.
If an organization is planning on attesting for 2014 in the first or second quarter, now is a good time to think about the Risk Assessment. It is best to address the Risk Assessment sooner rather than later. This gives the organization time to correct or make a plan on correcting any issues that were found in the Risk Assessment.
Meaningful Use Audits
Meaningful Use audits are occurring. Organizations can be audited either pre or post payment of incentive funds. It is estimated that the combined pre and post payment audits could be as high as 20% of eligible providers. At a rate of 1 in 5 eligible providers, the chance of being audited has increased significantly. It is critical that all organizations perform a Meaningful Use Risk Assessment in order to protect their incentive payments.
An organization that is audited and fails the audit may have to return a full year of incentive payments. Performing the required Risk Assessment will go a long way in protecting those incentive payments.
Just last month an EHR vendor that specializes in chiropractic practices told us that 2 of their customers were selected for Meaningful Use audits. Both had failed to perform the Meaningful Use Risk Assessment and were forced to repay a full year of incentive payments.
On a positive note, one of our small podiatrist practice clients with 5 employees recently went through a Meaningful Use audit. They were asked to show their Risk Assessment among other supporting information. We are happy to report the client passed the audit and kept their incentive payments.
Hopefully we provided some insight into the requirements for Meaningful Use in 2014, the timing of a Meaningful Use Risk Assessment and the importance of completing a Risk Assessment. If you have any questions or would like to discuss how we can help your organization with a Meaningful Use Risk Assessment, contact us and we will be more than happy to help!
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
to better understand the HIPAA Risk Assessment process