Meaningful use and HIPAA experts offer this advice for physicians, CIOs and their staffs preparing for potential CMS meaningful use audits: Do a security risk analysis, and do it correctly.
Much is at stake: EHR incentive payment dollars, the health data of the very patients your organization is trying to heal, and the reputation of your healthcare organization.
Millions of dollars returned
The audits cover meaningful use attestations going back to 2013. CMS plans to continue audits in 2015. Millions of dollars in federal incentive payments have already had to be returned by those who flunked, and more will likely have to be given back, up to an estimated total of $33 million according to an analysis of the CMS data posted as an infographic by consultant Health Security Solutions.
Two consultants and a lawyer interviewed for this story by SearchHealthIT said they believe nonexistent or shoddy self-assessments of how well doctors and healthcare organizations are protecting patient health information are the main reasons for a notably high audit failure rate among eligible practitioners (EPs). Meaningful use requires HIPAA security assessments, which force the practitioner or hospital to identify and mitigate risks threatening the data contained on their networks.
For solo doctors, or EPs, who have failed audits at a far greater rate than eligible hospitals (EHs) according to CMS audit data obtained by healthcare security consultant Steven Spearman under a public records request, many "just don't understand anything about security," said Spearman's colleague, Jim Tate, a meaningful use expert.
"There's a knowledge gap," Tate said.
Many more docs than hospitals fail audits
The data Spearman received from CMS in September, six months after his February 2014 records request to CMS, show that as of September, nearly a quarter -- 821, or 21.5% of the 3,820 completed audits -- of the EPs audited before they received federal incentive payments failed to meet meaningful use standards or use a certified EHR, according to Spearman. The data only covers dually eligible Medicare-Medicaid providers who were audited.
The great majority (92.9%) of the pre-payment audit failures were because the EPs did not meet meaningful use stage 1 and stage 2 measures.
Meanwhile, post-payment audited EPs failed at about the same rate, 1,106 or 24% of the 4,601 total.
By comparison, EHs failed audits far less frequently. The contracted audit firm, Figliozzi and Co., completed 651 post-payment audits of eligible hospitals, only 29 of which, or 4.7%, failed.
Docs need help with security, privacy analysis
Both Tate, whose EMR Advocate consultancy is based in North Carolina, and Spearman, who runs the aforementioned Health Security Solutions in South Carolina, agree that a markedly higher proportion of doctors failed audits because the practitioners often don't have enough staff to do the necessary work. Also, the consultants, who both sell audit prep services, said that with more money on the line for big healthcare systems, there can be a bigger motivation to do well at audit time.
"For an EP to be ready, they have to document that they've achieved meaningful use," Tate said. "They have to put in the numbers and supporting documents going up to six years back."
While CMS did not specify in the data the specific meaningful use measures that were not met by the failed EPs, "we know that the overwhelmingly most problematic measure is risk analysis," Spearman said.
Meanwhile, CMS has changed its rules to make it easier for eligible doctors and hospitals to attest to the meaningful use security risk assessment. Now, providers have the whole year in which they attest, either for stage 1 or stage 2, to perform the assessment, while before the change was issued they had to do the assessment within the 90-day meaningful use reporting period.
Strict ONC privacy, security requirements
ONC's meaningful use criteria for privacy and security are based on HIPAA rules for both privacy and availability of patient information that are embedded in the Medicaid and Medicare EHR incentive programs.
In stage 2, the requirements for doctors and hospitals become stricter, such as an added requirement around data encryption, although even stage 1 involves a HIPAA-compliant security risk analysis.
"You have a positive responsibility in stage 2 to document the weaknesses and vulnerabilities to the confidentiality and availability of personal health information," Spearman noted.
After analyzing the audit results turned in by Figliozzi, Spearman said he does not consider the audit firm's approach unusually strict.
Outsourcing risk assessment could pay off
Spearman acknowledged, in the meantime, that spending money on a security or audit consultant such as him or Tate could eat into the incentive payments of audited entities. But the alternative, potentially losing all or part of the incentive, is worse, he said.
Spearman noted that there are also free risk analysis tools healthcare providers can use to help survive an audit, most notably the downloadable one on ONC's website that was developed in conjunction with the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.
Another healthcare privacy specialist, Boston lawyer David Harlow, said he often recommends outsourcing security risk analysis (he offers that as a consultant). He added that many providers aren't taking privacy and security seriously enough.
Audits can capture their attention, he said.
"It's a step in the right direction," Harlow said during a break in the recent 2014 HealthCamp "unconference" at the Microsoft New England Research and Development Center in Cambridge, Mass. "Risk assessment is key. It's easy to take shortcuts."