Chat with us, powered by LiveChat

Meaningful Use Attestation Extended!

Instead of “hoping” not to get audited, consider this:  your organization can have guaranteed compliance with HIPAA One® because CMS has extended the Meaningful Use attestation period to February 29, 2016!

HIPAA Isn't Going Away

HIPAA Isn’t Going Away

Good news – with the mixed-bag of recent news from CMS, the boat has not yet left the dock!  If you conducted a “last-minute” spreadsheet or checklist to meet December 2015 deadline, the odds of passing an audit are not good.  Take advantage of the extension and guarantee compliance with HIPAA One®.

Both Meaningful Use Stage 1 and Stage 2 require that a Security Risk Analysis be completed as part of the Medicare and Medicaid EHR Incentive Programs.  In spite of the recent proclamation from CMS that MU will end in 2016; any Eligible Provider (EP) or Eligible Hospital (EH) must still file for 2015.  The specific requirements to “Protect Electronic Health Information” are described by CMS as listed in the following table:

table1The filing period for Meaningful Use Attestation and reporting is from January 4 through February 29, 2016.  This means that if you were not able to complete your Security Risk Analysis (SRA) during calendar year 2015; there is still time!  The SRA will need to be for 2015 and cannot be used for the 2016 reporting year.

HIPAA One® has a simple and automated solution for the SRA process; using a cloud-based, step-by-step- approach (see quick video here:  https://youtu.be/9G_B7U_pnuo).  As such, you will be able to comprehensively address the HIPAA required safeguards (listed below) in an efficient, logical and clear fashion:

table2A “new program” is slated to be announced by CMS on or about March 25, 2016 that will replace (some think “augment”) the current MU program.  It will focus less on technology adoption and more on clinical outcomes and value-based reimbursement.  There will also be special attention paid to APIs and interoperability.  That said; data security will still be of paramount concern.

The new MACRA (Medicare Access and CHIP Reauthorization Act of 2015) program will still include some version of the EHR incentive (not yet defined) and certainly will still include the Security Risk Assessment.  The key elements are The Merit-Based Incentive Payment System (MIPS) and Alternative Payment Models (APMs).

HIPAA One®’s take:

With respect to the MU Program:

  • Current participants still need to complete attestation / reporting:
    • By 02/29/2016
    • HIPAA Security Risk Analysis (SRA) is always required
  • A “new program” is slated to be announced on or about 03/25/2016
    • There will still be quality and process measures
    • The SRA is still a requirement – ePHI Systems/Assets always need to be secured
    • The new program will focus on “patient outcomes rather than technology use”
  • The new MACRA program will still include some version of the EHR incentive (not yet defined)

With respect to DHHS OCR:

Common Sense:

  • HIPAA Security Risk Analysis is the benchmark for any Risk Management Program
  • Reducing risk to patient breaches is saving goodwill, time and money
  • HIPAA One® provides operational clarity for staff to know what is needed to maintain a great code of conduct
  • Keep your Meaningful Use Incentives and avoid payment discounts by maintaining automated documentation proving compliance

Prevent HIPAA Violations
Get Started by Contacting Us Today

HIPAA One® has over 1600 sites leveraging the streamlined, best-of-breed cloud-based HIPAA Security Risk Analysis Software (SRA) and has a fully-certified Audit Support Team (AST) to provide support & consulting solutions.   We have a full-service package for awareness training, Privacy, Breach Notification, Policies and Procedures, and more.

Contact us today at www.hipaaone.com/contact to learn more. HIPAA One® guarantees compliance for your 2015 Meaningful Use Security Risk Assessment for 164.308(a)(1)(ii)(A) so you be assured you are compliant.

HIPAA Security for Meaningful Use : Myths and Facts

fact-vs-myth

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about.  This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST Questionnaires.  Ironically, none of these tools assure you are doing the right “thing” unless you have some sort of Auditor and Security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provide any sort of guarantees.  But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see above paragraph on basic credentials).  They go in to the organization interviewing, collecting some documentation, running scans on the networks and provide a comprehensive, detailed project plan to achieve compliance.  Somewhere between 4-6 weeks after the flurry of activity is over, and the world moves on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art, content, and most-importantly; it highlights serious risks to the organization.  Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk-level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take:  False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS Guidance - Each year have to redo entire SRA Myth

False. Perform the full security risk analysis as you adopt an EHR.  Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…

HIPAA One® take:  Things change on a constant-basis.  Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks.” means conducting a gap assessment and risk analysis on any of those items that changed from last year.  Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely-adopted to tackle this), HIPAA One® will allow a full-import of last-year’s HIPAA Security Risk Analysis (SRA) allowing a review of each question to see what has changed.  Ongoing tracking is built-in after the SRA is over and automated documentation requirements simplify audit responses by pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

I have to outsource our Risk Analysis.

I have to outsource our Risk Analysis.

HHS Privacy and Security Guide of Health Information, page 6

False.  It is possible for small practices to do a competent risk analysis themselves using self-help tools.  However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take:  If you haven’t had a third-party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review.  The first year of compliance efforts are expensive however, year 2 should be roughly 50% of what year 1 is as investments are implemented.  The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps to conduct the risk analysis.  HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor; using automation vs any manual-based risk analysis while learning from the experience.  In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button and HIPAA One® allows you to insource, instead of outsource.

Org Info Import

We have tried to stay out of the geek-closet for this blog as much as possible and realize this is a very jargon-clad specification.  Let us at HIPAA One® along with our esteemed partners help provide the software, assurance and peace-of-mind for your organization.  Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference:  HHS Privacy and Security Guide of Health Information