Expect the unexpected

By Gienna Shaw

Both Tenet and Methodist were among the first organizations to undergo Meaningful Use attestation audits--and those first days were rocky. Although Johnson and McNutt told FierceHealthIT that many of the kinks have since been smoothed out, there were plenty of surprises.

"One of the unexpected areas of focus for us was that they dove pretty deeply into our HIPAA security risk assessment," McNutt said. "We learned that the audit needs to specifically mention your EHR and your certified modules."

Like other organizations, Methodist does vulnerability testing and an annual HIPAA risk assessment, but those may not suffice for an MU audit. "They want proof the audits focus directly on your certified EHR technology and the version that you're running," McNutt said.

Additionally, your audit, your report and your reaction to the report all must be done within the attestation time period. So if you're attesting for 90 days, you need to do the audit before the end of the reporting period, she said.

These kinds of details can trip you up if you don't proceed with caution--and start doing so before the auditors appear.
