{"id":428,"date":"2013-03-18T11:00:32","date_gmt":"2013-03-18T15:00:32","guid":{"rendered":"http:\/\/www.eclipsepracticemanagementsoftware.com\/blog\/?p=428"},"modified":"2014-07-08T15:10:50","modified_gmt":"2014-07-08T19:10:50","slug":"meaningful-use-audits","status":"publish","type":"post","link":"https:\/\/eclipsepracticemanagementsoftware.com\/blog\/2013\/03\/18\/meaningful-use-audits\/","title":{"rendered":"Meaningful Use Audits"},"content":{"rendered":"

The rumors began the moment the law (ARRA) was passed in 2009, intensified as testing protocols were created, and continued through the implementation process. Some physicians simply couldn\u2019t get past those rumors, and decided to avoid the cash incentives provided by the Meaningful Use program. An unfortunate choice. However,\u00a0if you received incentive payments, the audit program is here. And with it, some unexpected confusion.\u00a0 The audit process is not difficult. The most important items that an auditor may initially request include proof that you owned the certified technology you purchased during the attestation period ,\u00a0a copy of the report you printed from your certified EHR, some screenshots, etc.\u00a0But those items certainly aren\u2019t confusing, and as an ECLIPSE user, you knew from your HELP to save such reports rather than discard them. So, where does the confusion lie? Just a few short years ago, it\u2019s likely that you attended one or more seminars with regard to maintaining HIPAA compliance within your facility. Perhaps you received C.E. credits. Perhaps your staff attended. You learned some of the protocols you were expected to follow to ensure protection of Patient History Information (PHI). You also learned that this was an ongoing process. It\u2019s likely you appointed a HIPAA Compliance Officer<\/em> within your practice and created a HIPAA Compliance Manual<\/em> at that time. Your HIPAA Compliance Manual might have contained wording to the effect of:<\/p>\n

Risk Analysis and Management: Little Ferry Chiropractic Center (LFCC) conducts thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held in its computer systems on a regular basis. When LFCC\u2019s Compliance Officer believes\u00a0risks exist, the Compliance Officer addresses each risk and completes a mitigation report. LFCC\u00a0has implemented security measures to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule. These measures are described in detail\u2026<\/p><\/blockquote>\n

In other words, you\u2019ve been doing risk assessments for years now. During attestation, for item #15, you attested that you have\u2026<\/p>\n

conducted a review or security analysis per 45 CFR 164.308(a)(1) and have implemented security updates as necessary, corrected security deficiencies as part of your risk management process.<\/p><\/blockquote>\n

Now that we\u2019ve established that you\u2019ve been doing this all along\u2026\u00a0\u00a0let\u2019s visit some of the protocols you\u2019ve certainly implemented & checked in your office:<\/p>\n