Rigid Documentation Requirements
I am also struck by how much documentation the auditors are asking for. They are demanding proof that risk assessments are being conducted during the MU attestation period in question, rather than before those periods begin.
And auditors are demanding screenshots showing various aspects of compliance. Submitting ancillary proof of compliance, such as checked-off lists of tasks performed, is insufficient.
Furthermore, healthcare systems with multiple hospitals or multiple physicians are also being required to provide that documentation for each hospital and for each physician. "There are folks across the country, especially in physician offices, that are going to end up tripping over [their] security risk assessment," says Pamela McNutt, senior vice president and CIO at Methodist Health System in Dallas.
Tips from Methodist Health System
McNutt is a CHIME leader whose system received an audit notice for each of the four hospitals in her system. In a CHIME webinar held Oct. 22, McNutt said there have even been debates within Methodist's physician entities about what actually constitutes a risk assessment.
"It's not something like where you hire a hacker to try and break into your networks to find your vulnerabilities," she says. Instead, it's a matrix of considerations provided through HIPAA regulations – and includes listing the organization's certified EHR plus any individually certified modules of that EHR, plus how the organization has mitigated risk "for each and every component."