During an educational session at HIMSS13, Mac McMillan, CEO at health information security consultancy CynergisTek Inc., will walk through the early stages of the audit program and what is to come. Audits in the initial phase were very simple as organizations were sent a list of questions they could answer without a lot of documentation--the feds were basically asking that they reaffirm what had already been attested, he notes.
A second phase later in 2012 was more comprehensive with about 10 pages of questions asking for detailed information such as how an organization is using the EHR’s capabilities and how well it performs. For instance, does the EHR generate a log? Can you manipulate, view and print the log? Is the EHR configured for role-based privileges assigned to persons using it?
While these initial audit programs were rather simple with little or no measurement of performance, not being truthful could really hurt an organization later if it has a reportable data breach, McMillan warns. For instance, even in these basic early audits, organizations had to re-attest that they had conducted a HIPAA-mandated security risk assessment and that they update it regularly. “If you aren’t honest in the audit then have a breach, and the investigation shows you didn’t do the risk assessment required under meaningful use, you’re in trouble,” McMillan says.
At some point, McMillan believes, someone in government is going to say, “I want to see a real audit run,” and the program will get tougher with real teeth. That time could come with Stage 2. He sees the early audits as the start of preparing EHR users for a more comprehensive program. “You need to get serious about your attestations and your documentation around attestation so you can be prepared to document it when the audits come.”
The session during the pre-conference Meaningful Use Symposium on March 3, “Meaningful Use Audits--What Your Provider Organization Needs to Know,” is scheduled at 2:30 p.m.