Latest Wave of MU Audits Delivers a Fresh Scare

Scott Mace, for HealthLeaders Media, October 29, 2013

Rigid Documentation Requirements
I am also struck by how much documentation the auditors are asking for. They are demanding proof that risk assessments are being conducted during the MU attestation period in question, rather than before those periods begin.

And auditors are demanding screen shots showing various aspects of compliance. Submitting ancillary proof of compliance, such as checked-off lists of tasks performed, is insufficient.

Furthermore, healthcare systems with multiple hospitals or multiple physicians are also being required to provide that documentation for each hospital and for each physician. "There are folks across the country, especially in physician offices, that are going to end up tripping over [their] security risk assessment," says Pamela McNutt, senior vice president and CIO at Methodist Health System in Dallas.

Tips from Methodist Health System
McNutt is a CHIME leader, and someone whose system received an audit notice for each of the four hospitals in her system. In a CHIME Webinar held Oct. 22, McNutt says there have even been debates within Methodist's physician entities about what actually constitutes a risk assessment.

"It's not something like where you hire a hacker to try and break into your networks to find your vulnerabilities," she says. Instead, it's a matrix of considerations provided through HIPAA regulations – and includes listing the organization's certified EHR plus any individually certified modules of that EHR, plus how the organization has mitigated risk "for each and every component."


4 comments on "Latest Wave of MU Audits Delivers a Fresh Scare"


Jack Kolk (11/15/2013 at 9:04 AM)
It's more cut and dried than you think. As a company that has done 100's of risk assessments and been through the contesting of failed audits, we know the process and what they are looking for. The fact that CHIMES members are still arguing over what is required is silly. The final guidance for a compliant risk assessment is at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Ellis Malovany (11/6/2013 at 9:29 AM)
This is precisely the reason why having the support of an accredited EMR company is critical. Providers have enough on their plate dealing with falling reimbursements and a confusing environment that has led many providers to throw up their hands and consider retirement or sidestepping into an alternative career. EMR companies need to stay on top of the changing targets and build value by proactively conveying information to their provider/clients. Unfortunately, in this "wild west" of EMR technology, only a handful of EMR companies understand how to manage and support.

Frank Poggio (10/30/2013 at 10:10 AM)
Scott, Cut and Dried?? I don't think so. At least not in the way you may think. The MU Attestation and vendor Certification program and process was slapped together in a political rush. After completing dozens of Certifications for vendors I can attest that the process is far from black and white. Scripts get revised on a monthly basis, MU criteria is still getting redefined today. There was no audit process pre-tested and put in place in advance, neither for vendors or providers. The appeals process is as clear as mud...and on and on. The only thing that will be Cut and Dried is: Providers will get the CUTS and vendors will be hung out to Dry when this is all over!