Several officials from CMS spoke at HIMSS 2014 in Orlando regarding meaningful use audits. Approximately 5% of both physician and hospital providers are being audited, and these audits are split about 50/50 between post-payment and pre-payment audits. “Document, Document, Document” is the advice of one CMS official. One best practice, presented by an executive of a large health system, is to create a comprehensive “Book of Evidence” prior to each attestation. Failure to prove compliance with Privacy and Security Objective #15 (Stage 1) is near the top of the list of reasons for failed audits, so it is important to have written evidence that this task was completed.
A professionally completed risk analysis which uses one of the well accepted methodologies can typically span 50 to 150 pages for a hospital and 20 to 50 pages for a physician practice. However, Joy Pritts, the Chief Privacy Officer for the Office of the National Coordinator of Health Information Technology, along with co-presenter Jonathan Coleman, offered advice to providers who have limited resources and may be unable to afford professional help.
Speaking primarily to physician practices and smaller hospitals, they offered a simplified methodology:
- Identify the scope of the analysis.
- Gather data. Include previous analyses and an inventory of all ePHI in the organization.
- Identify and document potential threats. Limit this list to those that are reasonably anticipated. It may be helpful to group threats in the following categories:
  a. Threats from people with network access
  b. Threats from people with physical access
  c. Environmental threats – e.g. possible hurricanes or power outages, if these apply
  d. System threats – e.g. system failure
- Assess current security measures for vulnerabilities – these include physical, technical and administrative security measures.
- Determine the likelihood of threat occurrence – they advised not to get bogged down in detailed expectancy calculations; “high”, “medium” or “low” can be sufficient.
- Determine the level of risk. For each threat, calculate risk as a function of likelihood and severity.
- Identify security measures already in place to reduce these risks, such as technical measures or policies and procedures.
- Finalize documentation. As detailed above, this is very important. Keep a copy of the documentation with your “Book of Evidence” to support your attestation.
The core of the report is a table detailing the risks identified. Coleman presented the following sample:

[Figure: Sample Risk Table]
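The steps above produce the risk table at the heart of the report. As an added illustration (not code from the presentation or from ONC), the following Python script walks a constructed list of threats, grouped into the four suggested categories, through the likelihood and severity ratings and renders the resulting risk register as a Markdown table. The threats, ratings and existing measures are invented for a small practice; the numeric scoring (product of ordinal ratings, with 6–9 = high, 3–4 = medium, 1–2 = low) is an assumption chosen to keep the “high / medium / low” simplicity the presenters recommended, not a rule from the presentation.

```python
"""Qualitative risk register in the style of the simplified ONC methodology.

Constructed example: the threats, likelihoods, severities and measures below
are illustrative only and do not come from the HIMSS presentation.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scale for the "high / medium / low" ratings the presenters recommended.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Threat categories suggested in the presentation.
CATEGORIES = ("network access", "physical access", "environmental", "system")


@dataclass
class Threat:
    category: str            # one of CATEGORIES
    description: str         # the reasonably anticipated threat
    likelihood: str          # low / medium / high
    severity: str            # low / medium / high (impact if it occurs)
    measures: List[str] = field(default_factory=list)  # controls already in place


def _level(name: str, value: str) -> int:
    """Validate a rating and return its ordinal value; reject anything off-scale."""
    key = value.strip().lower()
    if key not in LEVELS:
        raise ValueError(f"{name} must be one of {sorted(LEVELS)}, got {value!r}")
    return LEVELS[key]


def risk_score(likelihood: str, severity: str) -> int:
    """Risk as a function of likelihood and severity: product of the ordinals (1..9)."""
    return _level("likelihood", likelihood) * _level("severity", severity)


def risk_level(likelihood: str, severity: str) -> str:
    """Map the score back onto a three-step scale.

    Assumed thresholds (not from the presentation): 6-9 high, 3-4 medium, 1-2 low.
    """
    score = risk_score(likelihood, severity)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_risk_register(threats: List[Threat]) -> List[Dict[str, object]]:
    """Produce the rows of the risk table, highest risk first."""
    rows = []
    for t in threats:
        if t.category not in CATEGORIES:
            raise ValueError(f"unknown category {t.category!r}")
        rows.append({
            "category": t.category,
            "threat": t.description,
            "likelihood": t.likelihood.lower(),
            "severity": t.severity.lower(),
            "score": risk_score(t.likelihood, t.severity),
            "risk": risk_level(t.likelihood, t.severity),
            "measures": "; ".join(t.measures) or "none documented",
        })
    rows.sort(key=lambda r: (-r["score"], r["category"], r["threat"]))
    return rows


def render_table(rows: List[Dict[str, object]]) -> str:
    """Render the register as a Markdown table suitable for the 'Book of Evidence'."""
    columns = ["category", "threat", "likelihood", "severity", "risk", "measures"]
    lines = ["| " + " | ".join(c.title() for c in columns) + " |",
             "|" + "---|" * len(columns)]
    for r in rows:
        lines.append("| " + " | ".join(str(r[c]) for c in columns) + " |")
    return "\n".join(lines)


# Constructed sample input for a small physician practice (hypothetical values).
SAMPLE_THREATS = [
    Threat("network access", "Phishing e-mail leads to compromised staff credentials",
           "high", "high", ["Annual security awareness training"]),
    Threat("physical access", "Theft of an unencrypted laptop holding ePHI",
           "medium", "high", []),
    Threat("environmental", "Hurricane forces extended closure of the office",
           "low", "high", ["Off-site backups", "Written contingency plan"]),
    Threat("environmental", "Short power outage interrupts EHR access",
           "medium", "low", ["UPS on server and network equipment"]),
    Threat("system", "EHR server disk failure", "medium", "medium",
           ["Nightly backups (restore untested)"]),
]

if __name__ == "__main__":
    print(render_table(build_risk_register(SAMPLE_THREATS)))
```

Running the script prints the register sorted so the highest-risk rows come first; the "Measures" column records the controls already in place (step 8 above), which is exactly the evidence an auditor will want to see alongside each identified risk. A row with "none documented" is a gap to address, and the finished table belongs in the Book of Evidence with the rest of the analysis.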
One core message of this presentation is that meaningful use auditors will accept a properly documented meaningful use risk analysis if it is prepared with appropriate diligence, even if it lacks the polish and rigor of a professionally conducted study.
Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.