Why Meaningful Use risk assessments deserve high priority

There seems to be a disconnect between providers attesting that they have met the core measurement for conducting a risk assessment under meaningful use and actually conducting one that will pass muster. According to a recent report issued by CSC Global Healthcare Group, many providers admit that they're not conducting adequate annual risk assessments, as required both by core measure 15 of Meaningful Use and HIPAA.

But if the same providers who aren't meeting the measure are attesting that they did, then they haven't earned their incentive payments, and run a real risk that they'll be exposed during an audit by the Centers for Medicare and Medicaid Services. If the audit finds a provider is not eligible for the bonus, the payment will be recouped, says CMS. It's also likely that such a finding will trigger further audits of that provider.

So where is the breakdown? According to Jared Rhoads, senior research specialist with CSC, the process can be intense, especially considering that providers often are "chasing the unknown." That, in turn, can lead to frustration. "[I]t's not concrete [if you're doing it correctly]," Rhoads tells FierceEMR. "[S]ome providers figure that once they've put in some resources [to conduct or respond to a risk assessment] they'll leave it alone for a while."

Rhoads points out that the obligation to conduct a risk assessment is not new, since it is already required by the HIPAA Security Rule. "The main difference now [that it's part of the EHR incentive program] is that you have to attest that you did the risk assessment," he says.

To conduct an appropriate risk analysis, Rhoads recommends that providers dive in and take a good look at their EHR and health IT security processes, with particular focus on:

  • Physical safeguards, such as facility access and data storage;
  • Administrative safeguards, including implementing policies and procedures to prevent, detect and correct security violations;
  • Technical safeguards, like automatic log-off policies and use of encryption.

Rhoads adds that providers also should revisit their employee training materials, and retrain staff as needed. What's more, he says they should make sure to correct any deficiencies found in the risk assessment to the extent possible, even if the government hasn't yet specified what corrective action steps would be adequate to meet Meaningful Use.

"It may sound daunting but it's a goal within reach," he says. - Marla