A HIPAA Risk Analysis Can Help You Keep Your Meaningful Use Dollars


Did you generate hundreds of thousands of dollars through Meaningful Use attestation? Even if you only received funds for one doctor, it's important that you keep your money. Unfortunately, the frightening trend is that thousands of optometry practices are at risk of failing a Meaningful Use audit. If you misunderstood or misrepresented your compliance on any part of the Meaningful Use guidelines, the Centers for Medicare and Medicaid Services (CMS) could force you to pay back the revenue you received through attestation.

Many failed audits center around Core Measure 15—Protecting Electronic Health Information. The goal of Core Measure 15 is to make sure a Meaningful Use participant is in compliance with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Specifically, Core Measure 15 states that a provider must conduct or review a HIPAA security risk analysis within the attestation period. A HIPAA risk analysis, which is often misunderstood, is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of electronic patient health information held by the covered entity (CE).

Other than outlining five areas of interest within a practice to focus on (Technical Safeguards, Physical Safeguards, Administrative Safeguards, Policies and Procedures, and Organizational Requirements), CMS gives few additional guidelines. For example, CMS.gov does provide the following chart listing potential security measures for these five areas, but it makes little mention of EHRs.

In addition, CMS provides a tipsheet on conducting a security risk analysis that adheres to HIPAA while attesting to Meaningful Use: Security Risk Analysis Tipsheet: Protecting Patients' Health Information.

As with other Core Measures, there is no way to pass a CMS audit without proper documentation. The same is expected when it comes to the HIPAA security risk analysis.

Unfortunately, most doctors have overlooked or ignored this core measure. For the small minority of CEs who have actually attempted to conduct a risk analysis, it has not been completed thoroughly enough to the government's liking. This is why so many of the CEs who have been audited have failed and had to return the incentive funds they received for that calendar year.

Consider the example of a Meaningful Use participant with five locations and two doctors per location. In year one, they collected the full reimbursement amount of $20,000 per doctor. In this case, a failed audit would represent about $200,000 of funds rescinded through fines and penalties. If your organization has not yet addressed conducting a risk analysis, the time to act is now.

Remember, when CMS decides whom to audit, it treats all participants equally. This means an independent physician is just as likely to be audited as a major hospital. Therefore, making sure the documentation is accessible and reliable in case of an audit is prudent for everyone.

One major decision a Meaningful Use participant faces is whether or not to outsource this type of service. Do you try to tackle the tasks of searching the web for CMS guidelines and conducting and documenting a thorough risk analysis on your own? Or do you go outside your organization to ensure compliance? With this much money at stake, unless your IT department has had extensive compliance training and has a history of passing audits, outsourcing to a specialized company is the best option.

It's never too late to attain HIPAA compliance as long as you surround your organization with those who understand it best. The only way to show compliance is by implementing and documenting a proactive HIPAA Compliance Plan for your organization. By doing so, you can be sure that the ongoing investment will be minimal compared with the peace of mind of knowing that both your electronic patient health information and your incentive funds are secure.


Jay Binkowitz, optometric business consultant, is chief executive officer and president of GPN, exclusive provider of The EDGE.

Evan Kestenbaum, MBA, is chief information officer of GPN, Exclusive Provider of The EDGE. Contact Jay and Evan directly at clientservices.gpn@gmail.com.