Does your workplace accept any payments from EHR incentive programs like MACRA or Meaningful Use? If so, the fourth quarter is probably a busy time preparing and finalizing documents for submission. At HIPAA One, we understand how much extra work that can add for a workforce. Therefore, we would like to provide a little assistance and guidance on the specific HIPAA security risk analysis requirement so there is no delay in receiving those crucial payments.
Date to Remember
The Meaningful Use reporting deadline for this calendar year is December 31, 2017. To the best of our knowledge, an extension has not been granted – therefore all activities must be completed in the next 6 working days of the calendar year.
HIPAA Security Risk Analysis Requirement
As mentioned above, to qualify for Meaningful Use or MACRA (MIPS) dollars, an annual HIPAA security risk analysis is a requirement for every healthcare provider attesting. If your workplace were to be audited (due to a patient complaint, random audit, etc.), failure to have a current documented HIPAA risk analysis could result in a mandatory requirement to give back awarded Meaningful Use dollars.
A HIPAA security risk analysis is not only a critical element in building a secure, compliant environment in any healthcare setting but also required under HIPAA. As a reminder, HIPAA requires organizations that handle electronic protected health information (ePHI) to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. (SOURCE: HHS.gov)
In order to attest for Meaningful Use, your risk analysis needs to be completed in the same calendar year for which you are attesting. The Final Rule for MU Stage 3 states the following regarding protection of health information: “The measure must be completed in the same calendar year as the EHR reporting period. If the EHR reporting period is 90 days, it must be completed in the same calendar year. This may occur either before or during the EHR reporting period; or, if it occurs after the EHR reporting period, it must occur before the provider attests or before the end of the calendar year, whichever date comes first.” To learn more about the necessary supporting documentation for audits, click here.
There’s Still Time
If this post has increased your heart rate a little or given you reason to worry about the upcoming December 31st deadline, don’t fret! There is still time to complete a bona fide HIPAA security risk analysis using our automated, self-guided software.
Our sales team members would love to answer your questions. Get started now.