Eligible hospitals and professionals attesting to meeting the Meaningful Use requirements should print and retain every document they rely on when attesting in the event that they are audited, since the documents often can't be reproduced by the EHR afterward, according to Phyllis Patrick (pictured), a consultant and former information security officer for Mount Sinai Medical Center in Purchase, N.Y., speaking at the Twenty-Second National HIPAA Summit in Washington, D.C., Feb. 6.
"Documentation doesn't have to take hours," she said. "You want to be audit ready but it's so much easier to do it as you go."
Some of the documentation providers should be retaining, Patrick said, includes screenshots, hospital cost report data, clinical quality measures and payment calculation documentation, the security risk analysis of vulnerabilities of the EHR system and any risk management processes.
Providers should maintain the documentation for six years, she added, and make sure that the information is easy to retrieve, since the time limits for responding to audit requests can be short.
Patrick also warned not to rely on EHR vendors' certifications, as providers are responsible for assuring and documenting the Meaningful Use measures. However, she said, vendors may have dashboards to help providers meet the core measures, so providers should be sure to ask if that, and any other support, is available.
"Know who the security officer is for your vendor. You should be talking to him or her," she said.
The Meaningful Use audits, which include both pre- and post-payment audits, began in 2012 and are expected to continue. They are being conducted by Garden City, New York-based Figliozzi and Company on behalf of the Centers for Medicare & Medicaid Services.
To learn more:
- read about the summit