November 10th, 2014
This article over on SearchHealthIT, published 11/10/2014, reports that CMS data obtained through a public records request reveal physicians and hospitals failing meaningful use audits because of missing or shoddy HIPAA security risk analyses.
To the tune of $33M in EHR incentives recovered.
The audits cover meaningful use attestations going back to 2013. CMS plans to continue audits in 2015. Millions of dollars in federal incentive payments have already had to be returned by those who flunked, and more will likely have to be given back, up to an estimated total of $33 million according to an analysis of the CMS data posted as an infographic by consultant Health Security Solutions.
Two consultants and a lawyer interviewed for the SearchHealthIT story said they believe nonexistent or shoddy self-assessments of how well doctors and healthcare organizations are protecting patient health information are the main reason for the notably high audit failure rate among eligible practitioners (EPs). Meaningful use requires a HIPAA security risk assessment, which forces the practitioner or hospital to identify and mitigate the risks threatening the data on their networks.
Al Rozell from InfoTech Innovators stated:
“Very often in small to medium sized practices (and larger healthcare organizations on occasion) we find unqualified personnel that try to do their own internal assessments. They fill out a questionnaire they downloaded, answer the questions, sometimes they note IT security gaps (sometimes not), etc. HIPAA Security Risk Assessments need to be performed by qualified IT Security personnel with trained HIPAA security professionals, and THAT is what InfoTech Innovators does. A complete Security Risk Assessment with a risk remediation strategy and a proposed execution plan is critical. If they have not done an adequate Security Risk Assessment, the answer is even simpler: do one :) and start making HIPAA compliance an aspect of how you run your business and care for your patients.”
Mr. Rozell added:
“Complaining about doing it doesn’t get it done. The cost of HIPAA compliance related to hiring professionals, supplementing staff, or training staff to execute assessments for you internally is a cost of doing business, and that cost is considerably less than the punitive or other costs to your practice and/or reputation if HIPAA is ignored.”