Latest Wave of MU Audits Delivers a Fresh Scare
Rigid Documentation Requirements
I am also struck by how much documentation the auditors are asking for. They are demanding proof that risk assessments are being conducted during the MU attestation period in question, rather than before those periods begin.
And auditors are demanding screen shots showing various aspects of compliance. Submitting ancillary proof of compliance, such as checked-off lists of tasks performed, is insufficient.
Furthermore, healthcare systems with multiple hospitals or multiple physicians are also being required to provide that documentation for each hospital and for each physician. "There are folks across the country, especially in physician offices, that are going to be end up tripping over [their] security risk assessment," says Pamela McNutt, senior vice president and CIO at Methodist Health System in Dallas.
Tips from Methodist Health System
McNutt is a CHIME leader, and someone whose system received an audit notice for each of the four hospitals in her system. In a CHIME Webinar held Oct. 22, McNutt says there have even been debates within Methodist's physician entities about what actually constitutes a risk assessment.
"It's not something like where you hire a hacker to try and break into your networks to find your vulnerabilities," she says. Instead, it's a matrix of considerations provided through HIPAA regulations – and includes listing the organization's certified EHR plus any individually certified modules of that EHR, plus how the organization has mitigated risk "for each and every component."
- As Retail Clinics Surge, Quality Metrics MIA
- Providers' Push to Consolidate Roils Payers
- Medicare Cost, Quality Data Tools Weak, Says GAO
- RN Named Chief Patient Experience Officer
- No Employee Satisfaction, No Patient-Centered Culture
- Former NQF Co-Chair Linked to Conflicts of Interest in Journal Probe
- Population Health Pays Off for NY Collaborative
- How Simple Data Analytics is Driving Physician Incentives
- In PCMH, the 'P' is Not for 'Physician'
- AMA Pushes Lame Duck Congress for SGR Repeal