There’s a blind spot in every meaningful use attestation

October 22, 2014

The Centers for Medicare and Medicaid Services (CMS) pulls no punches when it warns healthcare providers that meaningful use audits are happening, at random, and consequences for failing the audit are costly. If a provider cannot produce documentation that fully supports its electronic health record (EHR) attestation, the CMS could recoup incentive payments.

This article has been edited to reflect a change issued by CMS. In the original article here and in our November print issue, it was noted that dermatologists applying for meaningful use during a particular quarter must get their HIPAA risk assessment done before the end of that quarter. That’s changed. Now if you apply for meaningful use in 2015 you have until December 31, 2015 to complete the risk assessment.

Medical practices can be audited either before or after incentive payments are made. It is estimated that meaningful use audits could cover as many as 20 percent of all eligible providers. Any organization that fails an audit may have to return a full year of incentive money.

While providers must achieve more than a dozen core objectives and measures related to health outcomes, patient safety, clinical procedures, etc., all tracked by their EHR, a HIPAA (Health Insurance Portability and Accountability Act) security risk assessment is the one objective that falls outside EHR reporting, yet it is fundamental to meaningful use attestation. The HIPAA risk assessment helps identify risks of patient information exposure, and it is required for Stages 1 and 2.

Unfortunately, it’s not uncommon for practices to hastily click the HIPAA risk assessment checkboxes and move on to the other core objectives. They check the boxes on the form without fully appreciating the fact that their tablets and laptops containing patient information can easily be left behind on a vacation or stolen at Starbucks. In fact, more than 60 percent of HIPAA violations are the result of lost or stolen devices; at U.S. airports alone, 12,000 laptops are stolen each week.

Audit examples

Case in point: Two small practices that contacted us had to return a full year of incentive payments because they failed the meaningful use audit for omitting the security risk assessment. Two other medical practices contacted our company because CMS notified them of a meaningful use audit and asked for documentation to support their attestation - specifically their security risk assessment for the previous year. Neither practice had completed the risk assessment.

In addition to not receiving incentive funds or having to pay them back to CMS, HIPAA fines levied against medical practices for a breach can reach $1.5 million, not to mention potential civil suits and a damaging front-page news story.

Following the publication of this article, the CMS issued an update to the HIPAA risk assessment deadline. The risk assessment can now be performed AFTER the reporting period has ended, as long as it’s performed by December 31 of the year the medical practice is attesting for Meaningful Use.

Here are some examples of risk assessment tasks and what it takes to pass a meaningful use audit:

Inventory patient information - Conduct an inventory of where patient information is stored, accessed or transmitted. Most people think of EHRs as their only source of patient records, but patient information can be in a Microsoft Word document in the form of patient letters, or Excel spreadsheets as billing reports, or scanned images of insurance explanation of benefits (EOB). These documents could be on desktops or laptops. Patient information could also reside in emails or text messages on smartphones or tablets.

Assess current security measures - A security risk assessment looks at how patient information is currently protected. How often does the practice perform data backups? Is there a termination procedure? Do employees have the minimum level of access to patient information? Are all portable devices secured and protected?

Evaluate common threats to patient information - The likelihood of each threat and the impact if it occurs must also be assessed. Beyond employees pilfering patient records, how is the practice protecting information from threats such as fire or flood, lost or stolen laptops containing patient information, and emails sent to the wrong patient, to name just a few? If the practice has unprotected patient information stored on laptops, physicians frequently take them out of the office, and a laptop is lost or stolen, the result may be a large HIPAA fine: a high-likelihood threat with a high impact.

Recommend additional security - A security risk assessment will identify additional security measures that reduce the likelihood of a threat and its impact. For example, limit who can take laptops out of the office, or ensure that the data on laptops is properly protected and that they’re safely locked in a secured cabinet.
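
The four tasks above turned into a small scoring model, added here as an illustration (constructed for this article, not a CMS or OCR scoring method): each inventoried asset is scored per threat for likelihood and impact on an assumed 1-3 scale, and the recommended controls are the ones that drive the unprotected-laptop case down from high risk.

```python
from dataclasses import dataclass

# Constructed 1-3 likelihood x impact model (an assumption, not a CMS or OCR
# scoring method) for the three threats the article names.
THREATS = ("lost_or_stolen", "fire_or_flood", "misdirected_email")

@dataclass
class Asset:                  # one row of the step-1 inventory
    name: str
    location: str             # "ehr", "laptop", "desktop", "email", ...
    portable: bool = False
    leaves_office: bool = False
    encrypted: bool = False
    backed_up: bool = False

def likelihood(a, threat):    # 1-3: how likely, given how the asset is handled
    if threat == "lost_or_stolen":
        return 3 if a.portable and a.leaves_office else 2 if a.portable else 1
    if threat == "fire_or_flood":
        return 2
    return 3 if a.location == "email" else 1

def impact(a, threat):        # 1-3: harm if it happens
    if threat == "lost_or_stolen":
        return 1 if a.encrypted else 3        # unencrypted PHI leaves with the device
    if threat == "fire_or_flood":
        return 1 if a.backed_up else 3        # no backup means the records are gone
    return 3 if a.location == "email" else 1

def assess(assets):
    """Step 3: (asset, threat, score, level) for every pair, highest risk first."""
    rows = []
    for a in assets:
        for t in THREATS:
            s = likelihood(a, t) * impact(a, t)
            rows.append((a.name, t, s, "high" if s >= 6 else "medium" if s >= 3 else "low"))
    return sorted(rows, key=lambda r: -r[2])

def recommend(a):
    """Step 4: controls that would lower this asset's scores."""
    recs = []
    if a.portable and not a.encrypted:
        recs.append("encrypt the device")
    if a.portable and a.leaves_office:
        recs.append("limit who may take it out of the office")
    if not a.backed_up:
        recs.append("add regular backups")
    return recs

# Constructed sample inventory, not a real practice's records.
INVENTORY = [Asset("physician laptop", "laptop", portable=True, leaves_office=True),
             Asset("billing spreadsheets", "desktop", backed_up=True),
             Asset("front-desk email", "email", backed_up=True)]
```

Re-scoring the laptop with encryption and backups in place is the check that the recommended controls actually change the outcome, which is the evidence an auditor asks for.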

Meaningful use audits are a reality and they are increasing. Without the security risk assessment a provider could owe a full year of incentive payments, as well as heavy HIPAA fines. Don’t be blindsided by a surprise audit!