Would Your Office Pass this Audit for
Core Measure 15/Core Measure 9 ?
Many practices are under the false impression that their EMR company has provided them with everything they need to pass a Risk Analysis Audit. However, many discover (often too late) that they do not. The scope of the Risk Analysis extends well beyond the technical controls built into your EMR software - these controls are just one part of what is required under Core Measure 15. Analysis and detailed documentation of risks associated with your Administrative Policies, Physical infrastructure, and Technical controls of ALL the software used in your practice is required to successfully meet the requirements of Core Measure 15 (or Core Measure 9 if you are attesting for stage 2 Meaningful Use).
A practice that failed a recent audit for Core Measure 15 was told the following:
"The documentation supplied does not demonstrate that a risk analysis was performed prior to the end of the reporting period. Acceptable documentation would be a written report which documents the scope of the analysis, the procedures performed during the analysis, and the results of the analysis. For example, the assessment would include questions and answers covering the Administrative, Physical, and Technical controls for your electronic Protected Health Information."
Figliozzi & Company CPAs P.C.
This practice did in fact provide the auditors with written documentation of their "Risk Analysis", which included a letter from their IT company, but this was determined to be insufficient by the auditors, who then failed the practice for Core Measure 15. This has cost the practice their incentive payment, and they now face a reduction in their Medicare payments as well.
Obviously, practices who provide no or minimal written documentation of their Risk Analysis, or who do not complete a thorough formal Risk Analysis and Remediation, will face a similar result during a Meaningful Use Audit.
HIPAA-STAT is different. The documentation and reports that will be provided to your practice under our
HIPAA-STAT program encompass all of the required elements, examining over 180 aspects of your practice, and can range between 50 to 75 pages in length.
We are proud to report that our HIPAA-STAT Risk Analysis has successfully passed a
Core Measure 15 Audit.
Does Your Practice Really Need to be Concerned about Meaningful Use Audits?
In a word: Yes
According to Healthcare IT News, in an article dated April 2014, "At least one in 20 MU attesters will undergo a meaningful use audit". In addition, they noted that "the vigor and the frequency of the meaningful use audit will increase."
You can read the full article HERE
Other sourCes have indicted that the actual percentaGe of Meaningful Use Audits can be as high as 1 in 5. In our observation, certain specialities and geographic regions seem to be targeted more frequently than others.
Actual CMS Audit Request
This is a copy of a HITECH CMS Audit received by a (Happily Compliant) Systematix HIPAA-STAT Client