The OIG (Office of Inspector General, US HHS Department) 2015 audits will focus on:
- The extent to which hospitals comply with the contingency planning requirements of HIPAA, in terms of establishing policies and procedures for responding to any emergency or other event that could compromise protected health information.
- Whether providers were truly entitled to meaningful use incentives, and how effective the oversight of CMS (Centers for Medicare & Medicaid Services) is over security controls on networked medical devices integrated with EHR systems.
- Adequacy of covered entities and business associates in securing electronic patient protected health information created or maintained by certified EHR technology and whether hospitals have conducted the required security risk analysis.
When you get an audit notice, do you feel stressed? The CMS audit rate is about 5% of facilities that have attested, and according to Figliozzi and Co, there is a 4.7% failure rate for first-time audits.
The reasons for failure could be due to some common myths surrounding the security risk analysis:
- One security risk analysis is good forever – No. HIPAA Compliance mandates that you review the security risk analysis periodically.
- My EHR vendor takes care of this – No. The EHR vendor is only responsible to provide you a certified system. Privacy and Security of your ePHI and having a complete security risk analysis conducted is solely your responsibility.
- The security risk analysis is optional for a small practice like mine – No. Covered Entities, whatever their size, are required to conduct/review a complete security risk analysis under HIPAA guidelines.
Audit letters are being sent out by OIG requesting documentary evidence of compliance with particular meaningful use measures, such as calculation reports printed from the EHR system and security risk analysis reports. A study by OIG found that the estimated $6.6 billion in incentive payments to professionals and hospitals between 2011 and 2016 is vulnerable, because incentive payments could be made to those that do not fully meet the meaningful use requirements. OIG recommended in its November 2012 report that CMS should obtain and review documentation from selected professionals and hospitals, and provide guidance on documentation procedures to establish and maintain compliance.
In submitting your response to the question on meaningful use measures, you are confirming that you have conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implemented security updates as necessary, and corrected identified security deficiencies as part of the risk management process. The security risk analysis must be done at least once before the end of the reporting period being attested. Thereafter, you must review the security risk analysis before each reporting period that follows. All security deficiencies and/or breaches identified during a risk analysis must be comprehensively addressed. Covered Entities, irrespective of their size, must treat the requirement to conduct a security risk analysis as a license to practice.
Businesses across the healthcare industry and its verticals therefore need to scan their PHI assets and conduct security analysis, besides ensuring meaningful use of the EHR. Aegify has been developed as a comprehensive security, risk and compliance management solution that not only addresses all HIPAA compliance needs but also provides covered entities with meaningful use attestation reports carrying proof of security and risk analysis. Further, Aegify automates HIPAA management through a continuous workflow assessment cycle and provides instant remediation measures to correct security deficiencies; it is a solution trusted by 70+ MSPs with thousands of customers. Aegify protects your assets, detects vulnerabilities proactively, and responds with appropriate remedial measures. Aegify is the only solution that unifies a comprehensive Security, Risk, and Compliance Assurance system.
Cloud-based Aegify walks you through simple steps in your risk analysis and management, and helps you face the OIG audit on risk analysis through effective automated processes and documentation reports. The Aegify Risk Framework is comprehensive:
[Figure: Aegify – Continuous Monitoring Cycle]
[Figure: Aegify – Risk Management Model]
The Aegify Risk Management Service maps to the risk assessment methodology best practices as shown below:

Best practice | Aegify Risk Management Service
--- | ---
System characterization | Manage Assets
Threat identification; vulnerability identification; risk determination | Assess risk levels; configure risk settings
Control analysis; control recommendations | Assess Compliance
Likelihood determination; impact analysis | What-if analysis
Results documentation | Risk reports
Aegify's automated risk management module helps you keep track of the documents required as part of the required evidence. Extensive report-generation facilities are provided online through the following simple steps:

1. Configure Risk Profile
2. Manage Assets
3. View Dashboards/Reports
4. Assess Risk Controls
5. Do What-if Analysis
6. Configure Risk Settings
The default settings would normally be adequate for identifying and managing assets, assessing the risk levels of all or selected assets, assessing compliance with regulatory risk controls, and doing detailed what-if analysis by changing various parameters in the risk assessment process. However, where the risk configuration needs more customization to meet the specific characteristics of an organization, the risk configuration settings provide advanced customization options.
Offered as a cloud-based model, Aegify includes all security and IT GRC functions. Equipped with a built-in compliance framework that supports HIPAA, RBI, NSE, BSE, MCDEX, PCI, ISO, COBIT, FISMA and other country-specific frameworks, Aegify also has advanced alert and monitoring systems that make it a complete end-to-end automation solution for all security, audit, compliance and risk management needs of an enterprise.
John over at EMR, EHR, and HIPAA wrote a great blog on meaningful use, and some of the definitions that are being kicked around in the healthcare IT world. It is interesting to me that HIMSS includes 'decision support' in its definition of meaningful use.