January 16, 2013
According to the Centers for Medicare and Medicaid Services (CMS), as of June 2012 it had paid over $1 billion to eligible professionals who attested to Meaningful Use, representing payments to over 55,000 physicians in 2011 and 2012. One of the congressional requirements attached to these incentive payments is post-payment auditing of hospitals and eligible professionals who attested that they met the requirements for those payments. As we’ve already seen, medical practices across the country have been receiving audit letters; in fact, one of our own clients recently received an audit letter after attestation.
What’s the secret to protecting your medical practice from a Meaningful Use audit? Audits are random, so there’s no way to avoid an audit if your name is selected. You can however ensure that you can stand in front of an auditor with all of the appropriate answers to their questions and documentation proving that the core objectives were met.
This confidence starts with being completely truthful when attesting to Meaningful Use: do not answer yes to any measure that you are not meeting 100%. Much of the audit focus (and the resulting penalties) is on the security of electronic protected health information (ePHI). That comes down to Core Measure #15: conduct a thorough Security Risk Assessment.
Your Security Risk Assessment will undoubtedly identify issues requiring follow up. You cannot answer ‘yes’ to Core Measure #15 unless you put together a plan for addressing those identified issues. Risks do not have to be resolved prior to attestation; however, you must have specific action steps documented prior to attestation. Here are a few common themes that arise during an effective Security Risk Assessment:
- Your biggest security leak comes from your workforce. Be sure that your staff is properly trained to protect your electronic patient information. CMS recommends that staff should be trained annually. Here are just a few issues you should address with your team:
- Ensure that everyone in the practice understands the importance of protecting patient security. This includes logging out of computers when you leave your desk, ensuring that doors to the practice are not left propped open, covering patient information when someone comes to your workstation, etc.
- Make sure that every staff member has his/her own unique username and password and that they do not share this information. This will allow you to create an audit trail and customize access to information on a need to know basis.
- Many medical practices have a secure network within the office, which protects data accessed from inside that network. But if you or your team access data from outside it, from smartphones, tablets or a laptop on the Wi-Fi at the local coffee shop, that data is protected only if the connection itself is encrypted (for example, through a VPN) and the device is encrypted and kept locked; otherwise it is most likely not secure. For more information about workforce training, visit http://practicemanagersolutions.com/hipaa-security-workforce-training/
- With electronic patient data being transmitted to a variety of providers, encryption is the key to ensuring that the data cannot be read by any unintended recipient. This is particularly important for information sent by email, which is not encrypted unless you take explicit steps to encrypt it.
- Do you have a reliable back-up power supply? You must also have an emergency back-up (contingency) plan that describes how patient data is backed up and how it will be protected and accessed in the event of a power outage or other emergency.
- Are your policies documented in a HIPAA Compliant Policy Manual? If you are ever audited, an up-to-date compliance manual is a very good way to demonstrate your security plan and the policies that support patient data security.
- Are you ensuring that any sub-contractors who have access to patient data are aware of patient security issues, and do you have an up-to-date Business Associate Agreement in place with each of them?