Meaningful Use Security Risk Analysis: Do It Right and Retain Your Incentive

Meaningful Use Security Risk Analysis: Do It Right and ... · security risk analysis. Acceptable documentation would be proof that a security risk analysis of the certified EHR technology


Page 1

Meaningful Use Security Risk Analysis: Do It Right and Retain Your Incentive

Page 2

Introduction

Nicholas P. Heesters, Jr., JD, CIPP
Privacy and Security Specialist
Quality Insights of Delaware

[email protected]

Page 3

Disclaimer

The information included in this presentation is for informational purposes only and is not a substitute for legal advice. Please consult your attorney if you have any particular questions regarding specific legal issues.

Page 4

MU Audits

• Conducted by Figliozzi and Co. for Medicare
• Individual states arrange for Medicaid audits
• Can be a pre- or post-payment audit
• A right to appeal an audit determination is available
• Failure of an audit requires that incentive monies be returned
• Approximately 5% of MU participants will be audited

Page 5

Meaningful Use (Stage 2)

Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs (eligible professionals).

Page 6

MU SRA Audit Guidance

Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.

Suggested Documentation: Report that documents the procedures performed during the analysis and the results. The report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider's system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.).

Page 7

MU SRA Audit Issues

Ensure that the Security Risk Analysis is a bona fide Security Risk Analysis of the Certified EHR Technology and not a narrative description of security controls in use at the organization nor a security gap analysis.

"The documentation provided for this measure is … not an actual security risk analysis specific to the CEHRT system. Acceptable documentation would be proof that a security risk analysis was performed prior to the end of the reporting period (i.e. a report that outlines procedures performed and the results of an analysis)."

Page 8

MU SRA Audit Issues

“The documentation provided is not a valid security risk analysis. Acceptable documentation would be proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis. If material deficiencies were identified, mitigation of these deficiencies must be included).”

Page 9

MU SRA Audit Issues

Ensure that the SRA report documents the correct date of the SRA and does not include extraneous dates.

“The supplied security risk assessment was performed as of XX/XX/20XX. However, per CMS Regulations, a new review would have to occur for each subsequent reporting period. Therefore, we will need the security risk assessment that was completed for the 20XX attestation (i.e. report which documents the procedures performed during the analysis, the noted threats/vulnerabilities, and the results of the analysis).”

Page 10

MU SRA Audit Issues

Ensure that remediation plans are complete.

"The … Remediation [Plan] of the risk analysis supplied was not completed."

"A security risk management gap analysis was supplied. However, the results of the analysis, risks identified, and remediation plan to address the risks are also needed."

Page 12

Questions

Page 13

Nicholas Heesters
Quality Insights
[email protected]