I can't help but feel sorry for Monticello, Arkansas-based Drew Memorial Hospital, which failed a Medicare Meaningful Use audit and is being asked by CMS to return its incentive payment for that year in the amount of $904,000.
It turns out that the hospital failed to meet just one of the 19 Meaningful Use objectives: the security risk analysis. The hospital had conducted one in 2005 and another in 2013, but not for fiscal year 2011-2012, the year that was audited.
"We were one of the first wave of hospitals to take advantage of the program and these types of audits simply are not that common. When you're the youngest and you don't get to learn from other's mistakes, these things happen," hospital CEO Scott Barrilleaux said.
Conducting a security risk analysis to identify vulnerabilities in an organization's health IT systems is burdensome and time-consuming. Providers have been struggling with the requirement, which is also mandated by HIPAA.
Yet, it's important to do so in order to identify risks so that they can be effectively managed.
Jocelyn Samuels, the new director of the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), homed in on this point in her opening remarks at this week's joint OCR/NIST conference in the District of Columbia. She said the security risk analysis is "the cornerstone of any good compliance program."
So yes, Drew Memorial should have conducted a security risk analysis of its EHR systems for the year it was attesting to Meaningful Use.
But what I'd like to know is whether there were any actual vulnerabilities in the system.
Evidently, the hospital failed the audit for not performing the analysis. There's been no indication that any patient records were vulnerable due to this failure. I don't even know if the auditors get that deep into the weeds. So even if the hospital's systems were airtight, it is still required to return the entire incentive payment (it does plan to appeal the determination).
But it does highlight one of the components of the Meaningful Use program that many providers find troublesome: there's no partial credit for complying with most of the requirements. It's an all-or-nothing deal: either you meet every objective, or you forfeit the incentive payment.
And of course, the stakes become even higher next year, when failing to meet even one objective means a provider also incurs a penalty for not meeting Meaningful Use.
The American Medical Association (AMA) has been particularly vocal about this draconian result, advocating more flexibility and the replacement of the all-or-nothing approach with a 75 percent pass rate.
AMA reiterated its concern at its webinar last week announcing its new EHR usability framework. AMA President-Elect Steven Stack, M.D., said that it would be "most immediately helpful" for the government to address the rigidity of the 100 percent pass rate. "If you instill more flexibility in the program it would allow vendors and hospital users to better tailor tools to physicians and other clinicians who are using them and allow certification to focus on what's of greater importance," he said.
A 100 percent pass rate is a very high bar. Can anyone or anything be perfect all of the time?
In the Victor Hugo novel Les Misérables, Inspector Javert was relentless in his pursuit of Jean Valjean in the name of the law. He held that the law must be upheld, no matter how out of sync it was with the current reality, famously declaring "I am the law and the law is not mocked."