OCR’s Updated HIPAA Audit Program – What you need to know

With the pinnacle of patient breaches hopefully behind us (e.g. Anthem/WellPoint breach, Premera, Blue Cross, and others in 2015), it is clear the industry has struggled with proper security of our electronic health information (ePHI). As such, the federal government has stepped in to ensure measures are in place to secure ePHI, to abide by privacy rules granting all of us access to our health information, and to make it illegal to discover a breach and not take appropriate steps to notify those affected.

The Office for Civil Rights (OCR) is a division of Health and Human Services with the responsibility to ensure industry compliance with an individual’s rights to Privacy, safeguards to electronic PHI and to investigate an organization’s diligence when breaches occur.  Part of the OCR’s focus is also to develop audit rules in its activities ensuring the industry is adopting compliance efforts, reducing risk of breaches and improving health care.  This is called the HIPAA Audit Program, and leverages the instructions, called the Audit Protocol, to test compliance.

Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol.  To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.

The HIPAA Audit Protocol is something the Healthcare Information Technology compliance and audit communities have been asking for for a long time: more guidance on HIPAA regulations. In addition to NIST-based risk analysis methodologies, this new set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around electronic protected health information, or PHI), privacy (rights and restrictions to PHI) and breach notification requirements (what to do when a breach of PHI happens). This graphic shows the number of top-level HIPAA citations covered under the OCR’s checklist, color-coded by discipline:

HIPAA Audit Protocol 2016

To summarize the changes between Phase 1 and Phase 2 of the Audit Program:

What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and endorsed the OCR’s Audit Program.
  2. Contained 169 total protocols.
  3. Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit).
  2. Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
  3. 180 Enhanced protocols (groups of instructions) which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

With so many recent changes, it is clear that checklists, spreadsheets, the ONC’s SRA tool, HITRUST and most commercial compliance software companies are now out of date with the new HIPAA Audit Protocol. As we get to the end of the Meaningful Use incentive program, we risk having a high number of covered entities potentially using outdated software tools for modern HIPAA compliance requirements.

Regarding the HIPAA Audit Protocol’s compliance date, says Brad Trudell of MetaStar, “Remember it’s intended to detail the specific questions OCR plans to ask in Phase 2 audits to determine compliance with the previously existing HIPAA/HITECH requirements.  If possible, CEs/BAs should use the protocol as the basis for conducting their own internal audits to make sure compliance is whipped into shape before the REAL auditors come knocking.”

In other words, the compliance date would match the release date – April of 2016 (about 2 months before this article was written).

Specific steps to take in light of the new HIPAA Audit Protocol:
  1. Check your “Clutter”, “Junk” or “Spam” folders to ensure that an email sent from OSOCRAudit@hhs.gov (OCR office) is forwarded to the appropriate person (e.g. Compliance Officer, legal counsel, etc.) and responded to accordingly. Example of the email is here.
  2. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach notification assessments since these are often overlooked.
  3. Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
  4. Address risks found in previous risk analysis efforts. This requires documented progress of gaps in compliance and associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures).  This also includes having supporting documentation tracking these updates.
  5. Identify who your business associates (BA) are (or subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA). Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March, 2013), and collect proof (e.g. reasonable assurances) that the BA or Subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).
  6. Ensure any software tools used are updated with the new release of the OCR’s updated HIPAA Audit Protocol (e.g. as part of OCR’s Phase 2 of their Audit Program), so that your risk management and compliance program is compliant today (not months from now).

Why invest in yesterday’s Audit Protocol? HIPAA One® announced on June 15, 2016 they are current with the OCR’s Phase 2 of the Audit Program. To learn more on how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies, contact us or email info@hipaaone.com.

Demystifying HIPAA Security Risk Analysis

Steven Marco

As a business owner, my professional conversations with physicians run the gamut, from how my business services can solve their problems, to exchanging ideas and best practices, and offering support in starting and growing a business. I get the feeling that physicians running a medical practice often feel like they have a target on their back because staffing, management, regulations, documentation, and reimbursement have become such big parts of medicine.

Building a business requires tremendous time, money and effort in order to become profitable. The compliance landscape shifts and evolves. Today, a HIPAA Security Risk Analysis has become paramount for almost any medical practice to collect state and federal reimbursements. An often overlooked benefit, however, is that the Security Risk Analysis can improve the efficiency and professionalism of these same practices.

But how does complying with HIPAA help?

First, HIPAA Security is greatly misunderstood. HIPAA was originally conceived because patients were not able to access their own health information. Today, HIPAA enforcement is the main driver to ensure we don’t mishandle or otherwise treat patients’ protected health information (PHI) with neglect—willful, or not.

Many practices believe that if they complete a quick checklist or perform a risk assessment with an auditor on the phone and get a final report, they are done and have “checked the box.”    Like doing a fast tax-return, this quick approach diminishes the value of HIPAA. If embraced, HIPAA’s Security Risk Analysis checklist of best practices provides ongoing benefits, such as:

Staff morale:

  • Policies and Procedures establish a code of conduct on how staff should represent the clinic in day-to-day interactions with patients.
  • Guidance on handling patients, staff, processes and technology provides operational clarity
  • Assurance that the IT department makes Electronic Medical Records available (e.g. performance, backups and recovery), complete, accurate and confidential.
  • A clear baseline on how to handle all aspects of patient releases, authorizations, business associates and internal operations.

Technology:

  • One aggregated place for information about patient visits can contribute to population health research and disease management.
  • Encryption of laptops, desktops, smartphones and all portable media can reduce the risk of having to report a breach by up to 68% (according to OCR breach data for theft, loss and improper disposal).
  • Meaningful Use provides incentives and ongoing reimbursements (soon to become MACRA).

Clinic appearance:

  • Staff attire, name badges and a proper patient waiting area separate from the clinic complies with HIPAA and improves the professional look and feel of the clinic.
  • Training and employee awareness reinforce policies and procedures, which drives improved morale and reduces risk to the clinic.

The Bottom Line:

Conducting a HIPAA Security Risk Analysis covers Administrative, Technical and Physical (PAT) safeguards and provides a snapshot into where the clinic is performing well and where improvements are needed. If a HIPAA Security Risk Analysis is the snapshot, then the “moving picture” is the ongoing process of improving gaps in compliance, not only to reduce the chances of a security breach but also to improve the efficiency of the health care organization. For a quick 5-minute assessment, take our high-level HIPAA Security Assessment quiz and see how your practice measures up to the top 13 HIPAA items typically missed. Contact us today to learn how to get more of a return on investment in HIPAA than simply “checking the box”.

Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn’t Going Away

Good news – with the mixed-bag of recent news from CMS, the boat has not yet left the dock! If you conducted a “last-minute” spreadsheet or checklist to meet the December 2015 deadline, the odds of passing an audit are not good. Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs. In spite of the recent proclamation from CMS that MU will end in 2016, any Eligible Provider (EP) or Eligible Hospital (EH) must still file for 2015. The specific requirements to “Protect Electronic Health Information” are described by CMS as listed in the following table:

The filing period for Meaningful Use Attestation and reporting is from January 4 through February 29, 2016. This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015, there is still time! The SRA will need to be for 2015 and cannot be used for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process, using a cloud-based, step-by-step approach (see quick video here: https://youtu.be/9G_B7U_pnuo). As such, you will be able to comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

A “new program” is slated to be announced by CMS on or about March 25, 2016 that will replace (some think “augment”) the current MU program. It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement. There will also be special attention paid to APIs and interoperability. That said, data security will still be of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance

Prevent HIPAA Violations
Get Started by Contacting Us Today

HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment for 164.308(a)(1)(ii)(A) so you can be assured you are compliant.

HIPAA Security for Meaningful Use : Myths and Facts

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials). They go into the organization, conduct interviews, collect some documentation, run scans on the networks and provide a comprehensive, detailed project plan to achieve compliance. Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art and content and, most importantly, it highlights serious risks to the organization. Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take: Things change on a constant basis. Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks” means conducting a gap assessment and risk analysis on any of those items that changed from last year. Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely adopted to tackle this), HIPAA One® will allow a full import of last year’s HIPAA Security Risk Analysis (SRA), allowing a review of each question to see what has changed. Ongoing tracking is built in after the SRA is over, and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

“False. It is possible for small practices to do a competent risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take: If you haven’t had a third-party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review. The first year of compliance efforts is expensive; however, year 2 should be roughly 50% of what year 1 is as investments are implemented. The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps to conduct the risk analysis. HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor, using automation vs any manual-based risk analysis while learning from the experience. In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button and HIPAA One® allows you to insource, instead of outsource.

Org Info Import

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information

Meaningful Use 2015: When does the Security Risk Analysis Need to be Done?

MU reporting screen 2012

Image Courtesy of HHS

Quick History

Meaningful Use (MU) is an incentive program introduced and managed by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS) to help cover expenses with migrating from paper charts to electronic medical records.  It’s part of a larger incentive program derived from the 2009 “American Reinvestment and Recovery Act” which was enacted to help stymie a financial system collapse while stimulating the economy following the mortgage-backed security crisis.

Most clinics and hospitals have become very familiar with the “Meaningful Use” term. Essentially, it means using a Certified Electronic Health Record Technology (CEHRT) in a meaningful way.

Specifically, the Meaningful Use incentive program for Stage 1 started in 2011 and Stage 2 has been live for 2 years now, while Stage 3 is being released.  All Stages require Core, Menu and Optional Menu Set measures.  This basically boils down to specific pieces of information maintained per-patient, how computerized order entries are used and processed for a percentage of patients.

The reporting period is when the measures are taken. In the first year of attestation, it is any 90-day period in the fiscal year; subsequent years are based upon 365 days of reporting. Recent proposed changes reduce the reporting period back to the original 90-day measurement period per CMS.

When do we have to get our HIPAA Security Risk Analysis (SRA) and Updates done?

To help accelerate the response, Stage 1 stated an SRA can be completed prior to reporting, but it doesn’t explicitly state the earliest point at which it can be done (i.e. within 1 calendar or fiscal year). Per the CMS guidance on Stage 1 MU for Hospitals, “Eligible Hospitals (EH) and CAHs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the EHR reporting period.”

HIPAA One® take:

The initial risk analysis for the 1st year of Stage 1 MU can be done within one fiscal year of the end of the reporting period.

Security updates do not mean updates to the remediation plan (i.e. risks identified in the risk analysis)!  Security updates are defined as, per the DHHS Privacy and Security Guide, Chapter 2 under Myths and Facts:

HHS Privacy and Security Guide, page 6

Myth:  Each year, I’ll have to completely redo my security risk analysis.
Fact:  False.

Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.  Under the Meaningful Use Programs, reviews are required for each EHR reporting period.  For Eligible Physicians (EPs); the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of commencing participation in the program.

HIPAA One® take:

A full HIPAA Security Risk Analysis covers all 78 HIPAA Safeguards. Subsequent “updates” would be directly translated to run a full SRA on all items that have changed. Our software has the ability to populate this year’s SRA with last year’s materials (Turbo Tax®-like) such that users may review and update changes from last year and recompile risk to the organization with minimal effort.

Stage 2 and subsequent years require the SRA update to be done in the reporting period. Per the CMS guidance on Stage 2 MU for Core Measure 9 for Eligible Providers, “EPs must conduct or review a security risk analysis of CEHRT including addressing encryption/security of data, and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.”

HIPAA One® take:

HIPAA One® is the solution to simplifying complex compliance requirements. It provides seasoned security experts and those without any security experience the ability to conduct a full HIPAA Security Gap Assessment and Risk Analysis and rapid delivery of updates for subsequent years. We recommend a full SRA be conducted at least every 3 years with updates each of the years in-between. This is the only way to gauge compliance and the effectiveness of ongoing risk management for the organization. For Meaningful Use, the 1st year of incentive payments allows the use of a HIPAA SRA that is within 1 year of attestation, with subsequent updates being completed within the subsequent reporting periods.

Quick Review of HHS’s new HIPAA Security Risk Assessment Tool

ONC/HHS issued

As a single practice HIPAA Security Rule training app or a HIPAA SRA workbench, the tool is not bad. The ONC/HHS HIPAA Security Risk Assessment Tool is a vast improvement over the 2011 HSR Toolkit for those scenarios. It has fewer questions, a status bar that displays relative SRA completion status, and reports that can be exported to PDF or Excel at any time throughout the process. I have listed my subjective opinion in the following bullet points:

  1. The tool’s design lends itself to physician and small health provider practices.  It is not designed for health plans or business associates.
  2. A single office location is requested when setting up an SRA but the SRA Tool question set does not address locations.  Thus, by default the tool is location specific so it does not lend itself to health care providers with multiple locations.
  3. User access to the tool is completely based on the honor system.  The ability to restrict specific user activity within the tool does not exist and the ability to track specific user activity within the tool is very limited.  While there is functionality that distinguishes separate users who can each “Log In” (i.e. so that there is the appearance of multiple user “accounts”), there are no passwords assigned to these users so any user can log in as any other user.  Moreover, the tool user guide states “the SRA Tool will save the answers based on the internet protocol (IP) address used by the computer or server”.  Yet, the tool is not client-server or cloud based, so it is unclear how a team or group of people would use the tool, much less monitor or audit its use.
  4. HHS’ website states that “there are a total of 156 questions” and the tool’s navigator panel shows that these are contained in 12 groups or categories. However, each of the 156 questions has questions of its own so that complete answers (which the tool apparently doesn’t require) cause that number (156) to be multiplied at least by 3 for answering a question “Yes”, by 4 for answering a question “No”. For example, answering “No” to the first question (A01) requires the user to answer a total of three additional questions: 1) Select your reason for answering no, 2) Is the likelihood of an incident occurring — because of (the vulnerability posed by) not having the requested policies and procedures — low, medium or high?, and 3) Would the impact of an incident occurring — from not having the requested policies and procedures — be low, medium or high? There is also an optional “Flag” checkbox to call attention to a question for later review.
  5. Answers marked “Yes” can be saved without citing evidence and answers marked “No” can be saved without adding an explanation, including “Addressable” questions.  If multiple people are involved in performing the SRA (which HHS recommends) this seems to be undesirable.
  6. Questions are not specific to individual EMR systems, so answering questions for multiple EMR or ePHI systems is something that can only be addressed manually in the answer notes provided for questions that pertain to ePHI systems.
  7. The tool’s website downloads page (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool) states “You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else.”  However, artifact curation is not possible within the tool, so the SRA artifact repository that supplies the evidence of compliance an auditor may want to see would need to be referenced within the tool’s free text fields and set up separately.
  8. The tool’s risk rating assistance is quite limited.  The tool’s risk rating for a given question (as reflected in the SRA report) appears to be based strictly on the “Likelihood” rating that the user sets manually for that item, regardless of the question.  Thus, a manually assigned “Impact” rating of High or Medium does not (appear to) affect the risk rating in the SRA Report.
  9. Be careful adding anything into the Notes field on the Notes tab.  Notes can only be added.  They cannot be modified or deleted.
  10. There is a bug in the version I tested (Windows version v1.3) where, if you try to modify the columns in the report using the “Show / hide columns” feature, the columns popup-box does not disappear and will be in the way until the user closes and re-starts the app.

Other upgrades to the ONC’s Security Risk Analysis Tool include: a colorful green-yellow-red dashboard-style chart, a glossary of terms and other helps like “Things to Consider”, possible threats and vulnerabilities, and example safeguards for each question asked. It will probably speed up the HIPAA SRA process for small providers who want to “go it alone”. However, outside the scope of small, single location practices, the SRA Tool will be difficult to use.

Feel free to visit the SRA Tool’s website downloads page (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool) and feel free to express your opinion on our website below.

Thank you,

Steven Marco, CISA, ITIL and co-authored by Joe Grettenberger, CISA, CCEP, ITIL.

Meaningful Use Stage 2 – What You Need To Know!

The Centers for Medicare and Medicaid Services have EHR Incentive Programs that provide financial incentives to health providers who prove they are meaningfully using certified EHR (electronic health record) technology. These monetary enticements are only given to those providers who meet the required objectives in each stage of participation.

The Medicare and Medicaid Incentive Programs are arranged into three different steps. CMS set up a timeline for when providers need to meet the criteria for each stage. Eligible hospitals, critical access hospitals and healthcare professionals must meet their specific core set and menu set of objectives in Stage 1 before they can move on to Stage 2.

meaningful use stage 2

Stage 2 objectives are divided up between eligible professionals and eligible hospitals and critical access hospitals. EPs have 17 core objectives they must meet and then three menu objectives they select and meet out of a list of six. The eligible hospitals and CAHs have 16 core objectives to meet, as well as three menu objectives they select from six options and then are required to meet.

It’s extremely important for providers to meet the meaningful use requirements in order to receive the EHR financial incentives. With the Medicare program the eligible providers can receive up to $44,000, while they can receive up to $63,750 with the Medicaid program. It’s also important because EHR technology is so beneficial to healthcare providers. EHR systems make patient health records and information instantly and securely available to approved users, whenever they need it and wherever they might be. EHRs also improve care coordination among all clinicians involved with a patient’s care, increase cost savings and help build a healthier, better future for our world.

Photo Courtesy of CMS.gov