October 3, 2013
Today is the beginning of the 90-day attestation period for Meaningful Use in 2013 which can be reported by February of 2014. Are you ready? If you are an eligible medical provider, you could qualify for incentive payments for Meaningful Use but not if you miss the deadline. To get started, I’ve put together a couple of tips that will help you achieve this goal.
- Start reviewing your data now.
- Make sure you have your MU Core and Menu data collecting correctly by reviewing your dashboards for Numerators and Denominators that meet the criteria for attestation.
- Review your dashboards for clinical quality measures for reporting.
Everyone I work with knows that I am continually reminding anyone who has or is attesting to Meaningful Use that you can’t just attest that you’ve met the criteria of each measure – you must actually do what you say you’ve done – and most importantly be able to prove that you have met that criteria. To that end, here are some facts you’ll want to consider. You may have seen these warnings from me before but they are worth repeating.
- If you’re attesting to Meaningful Use Core Measure #15 – Conduct a Security Risk Assessment on your EHR system – you must actually complete the Security Risk Assessment. If you haven’t completed it, then DO NOT attest.
- It’s not enough to just conduct the Security Risk Assessment; you must also identify potential risks and create a plan for mitigating those risks.
- Your plan is worth nothing more than the piece of paper it is printed on unless you work through the list of corrective actions to ensure that vulnerabilities in your system are identified and addressed. Click to learn more about our Security Risk Assessment resource.
- Addressing risks is not a ”one time and you’re done” project. It is an evergreen project. You must continually assess your EHR and systems that use or access ePHI to identify potential future points of risk. Have a plan in place for continuous review, maintenance and corrective action.
- Have your Security Risk findings been incorporated into your HIPAA Compliance Manual? If not, then the intent of Core Measure #15 and most importantly the Omnibus Rule, has not been fully completed. Update your policy manual with your Security Risk Assessment findings and corrective actions. Be sure to include in your plan a continuous review timeframe. A fully documented HIPAA Security Compliance Manual is one of your best defenses in the event of an audit. A fully documented compliance manual addresses both HIPAA Privacy and HIPAA Security Policies and Procedures.
- Has your workforce been trained? Your workforce is your #1 leak to HIPAA non-compliance. Without proper training, they have the potential to harm your practice either intentionally or unintentionally by leaking information. Click here for helpful On Site Workforce Training resource.
- Finally, DO NOT attest (Did I say that already?) if you haven’t conducted a thorough and effective Security Risk Assessment and gone the extra steps to incorporate the findings into your policies. Plain and simple. You could be committing fraud and open your practice to potential corrective action costs and/or fines. Click here for Security Checklist.
As always, I am available to help you check this list of Meaningful Use attestation criteria off your list of things to do. Check out the links to helpful resources that I’ve included above and for more personalized help, you can contact me at firstname.lastname@example.org .
Share and Enjoy: