HIMSS: Are you ready for a meaningful use audit?

Cynthia E. Keen
Mar 3, 2013

NEW ORLEANS - Hey, meaningful users! Are you prepared to pass a federal privacy and security audit? You may not be, which can carry important consequences, participants learned at a Sunday symposium of the Healthcare Information and Management Systems Society (HIMSS) annual meeting.

Healthcare IT security expert Mac McMillan, president of CynergisTek, pulled no punches as he explained the responsibilities that come with attesting to meaningful use (MU), the federal government financial incentive program to motivate healthcare providers to adopt electronic medical records. Based on his firm's experiences and those of peers in this field, a worrisome proportion of meaningful users may already have committed fraud.

McMillan believes that healthcare providers do not take the need to implement security measures as seriously as they should. Maintaining consistently high levels of security has not been part of the healthcare industry's culture.

In view of the fact that HIPAA rules have been law for a decade, complying with stage 1 and 2 meaningful use privacy and security requirements should be minimal. "They are exactly the same," he said. "If you are complying with the HIPAA rules, you are complying with the MU rules."

But many are not, if the results of the first federal audit of meaningful use attestees are representative. Forty-seven (80%) of 59 providers failed audits conducted in April 2012 by U.S. Centers for Medicare and Medicaid Services' (CMS) contractor Figliozzi and Company.

Risk analysis and assessment

Before any hospital or eligible provider formally joins the meaningful use program, a risk analysis and assessment needs to be undertaken or reviewed. The risk analysis is the process of analyzing any risks that could compromise patient data and records. The risk assessment refers to the process of conducting such an analysis. While both terms tend to be used interchangeably, the end result is to identify points of vulnerability and develop a remediation plan to correct them.

"This is nothing new," McMillan said. "Anyone complying with the HIPAA technical security rule has already done this, on at least an annual basis or whenever there is a major healthcare IT change, such as acquisition of new software. If you are already doing your risk assessments under HIPAA like you are supposed to be doing, you don't have to do another one."

If the potential attestee has not been complying with this HIPAA privacy and security rule, a risk analysis needs to be conducted in accordance with 45 CFR 164.308(a)(1). Technical controls within the certified electronic health record (EHR) system or modules also need to be implemented.

The day that the MU applicant has attested, it is necessary to retain copies of all system-related information, tests, self-audits, screen shots of controls, configuration files, and subsequent risk analyses so that this documentation will be available for a federal audit. To be compliant, the auditors require tangible production of actual evidence.

If the MU attestee has not done any of this, the attestee has committed fraud based upon the statement preceding the signature at sign at the end of the attestation:

I certify that the foregoing information is true, accurate, and complete. I understand that the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties.

What's a user to do?

"Not conducting a risk assessment becomes a fraud and financial issue," McMillan said. "Money can be taken back, additional fines can be added, and if somebody decides that someone has done something nefarious, you can go to jail. You need to realize this."

"Also, you cannot falsify documents with respect to the date that you conducted your risk assessment," he added. "I had one client who recently asked me if my company would do this. I told that client that I don't look good wearing orange."

A postdated assessment could be an audit issue; however, late is better than not at all.

McMillan also pointed out a difference between HIPAA and MU remediation requirements: The U.S. Office for Civil Rights (OCR) will give a healthcare provider "credit" for being in the process of implementing remediation; CMS offers only a 12-month grace period.

He also reminded the attendees that a certified EHR system or module needs to have its audit functions that demonstrate compliance turned on by the purchaser, not by the vendor. Each certified EHR system or module has a core set of technical security functions, but certification does not guarantee that they are optimally configured or deployed.

The purchaser will need to ensure these functions are enabled correctly and demonstrate the ability to use, review, and report on them. McMillan reminded attendees that their risk analysis should specifically measure the maturity of these controls and their adequacy to protect electronic health information. These criteria are defined in the U.S. Office of the National Coordinator for Health IT (ONC) meaningful use core measures (measure 15) dated November 2010. ONC also explains these in its published guide to privacy and security of health information.

The user of certified systems or modules is the party responsible for setting the rules and configuring the software properly; vendors are responsible for providing products that can meet the requirements. A participant asked what to do about an uncooperative vendor whose answer to problems with its software was to turn off the security system. McMillan's answer was blunt: "Fire the vendor. Demand a refund. And report them to the ONC."

What do audits request?

Meaningful use audits request certain categories of documentation:

  • Documentation from ONC that shows the provider used a certified EHR system
  • Documentation that supports the provider's attestation for the core set of MU criteria
  • Documentation that supports the provider's attestation for the required number of menu set MU objectives
  • For hospitals, information about the method used to report emergency department admissions

The provider has 14 days to produce the requested documentation. If it is inadequate, auditors may come to the facility to perform onsite reviews.

This may not be all of the information that is requested, however. In 2012, the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) conducted a survey on safeguards in EHRs as part of a study on fraud and abuse. The survey focused on how hospitals were implementing the features of EHRs that limit fraud and increase data integrity.

The survey requested data about access controls, outside entity access, audit log and metadata, entry of clinical notes, transmission of data, patient access and identity management, and any additional safeguards. It did not require entities to submit any documentation to substantiate their answers.

The survey's results were published in September; OIG has not stated what it will do with the findings. McMillan speculated this was a way for HHS to sample compliance, and it could also potentially be interpreted as "fair warning" action. It's possible that audits with teeth may follow as a result of the low compliance findings, he said.

McMillan believes that eligible providers, small clinics, pharmacies, and diagnostic testing labs may be totally outside their competency levels in dealing with federal privacy and security rules. These providers may not have knowledgeable enough staff. They may presume passwords represent encryption, for example. They think they are complying when they are not.

Small hospitals may also have limited staff IT resources and funds. If a provider doesn't understand what is requested, it's time to outsource the work to an experienced healthcare IT security firm, he suggested.

The money will be well-spent in exchange for the peace of mind of being in compliance, and also the knowledge that patient records and data are secure.

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
2013 03 13 14 08 14 656 Mostashari Farzad 175 20130313211030
IS
ONC chief Mostashari believes data can fix U.S. healthcare
2013 03 06 17 02 46 734 Clinton Bill 70
IS
HIMSS: Clinton sees healthcare IT as global game changer
2013 03 04 14 47 33 750 Rozmus 70
IS
HIMSS: Staffing, security are top concerns for HIT leaders
2012 09 18 16 03 37 198 Saltzman Mary 70
IS
Mary's Musings: Imaging management and the new paradigm
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page