• Extent to which hospitals comply with the contingency planning requirements of HIPAA in terms of establishing policies and procedures for responding to any emergency or events that could compromise protected health information.
• How truly were the providers entitled to meaningful use incentives and how effective is the oversight of CMS (Centers for Medicare & Medical Services) on security controls over networked medical devices integrated with EHR Systems
• Adequacy of covered entities and business associates in securing electronic patient protected health information created or maintained by certified EHR technology and whether hospitals have conducted the required security risk analysis.

When you get an audit notice do you feel stressed? CMS audit rate is about 5% of facilities that have attested and according to Figliozzi and Co,  there’s a 4.7% failure for first time audits .

The reasons for failure could be due to some common myths surrounding the security risk analysis:

1. One security risk analysis is good forever – No. HIPAA Compliance mandates that you review the security risk analysis periodically.
2. My EHR vendor takes care of this – No. The EHR vendor is only responsible to provide you a certified system. Privacy and Security of your ePHI and having a complete security risk analysis conducted is solely your responsibility.
3. The security risk analysis is optional for a small practice like mine – No.  Covered Entities, whatever the size, are required to conduct /review a complete security risk analysis under HIPAA guidelines.

Audit letters are being sent out by OIG for documentary evidence of compliance with the particular meaningful use measures such as calculation reports printed from the EHR system, and security risk analysis reports. A study by OIG found that the estimated incentive payment of $6.6 billion between 2011 and 2016 to professionals and hospitals is vulnerable that incentive payments could be made to those that do not fully meet the meaningful use requirements. OIG recommended in their November 2012 report that CMS should obtain and review documentation from selected professionals and hospitals and provide guidance on documentation procedures to establish and maintain compliance.

In submitting response to the question on meaningful use measures you would be confirming that  you have conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies as part of the risk management process.  The security risk analysis must be done at least once before the end of the reporting period being attested. Thereafter, you must review the security risk analysis before each reporting period that follows. All security deficiencies and/or breaches identified during a risk analysis must be comprehensively addressed.Covered Entities, irrespective of their size, must treat the requirement to conduct a security risk analysis as a license to practice.

Businesses across the healthcare industry and its verticals therefore need to scan their PHI assets and conduct security analysis besides ensuring meaningful use of the EHR. Aegify has been developed as a comprehensive security, risk and compliance management solution that not only addresses all of HIPAA compliance needs but also provides the covered entities with meaningful use attestation reports with proof of security and risk analysis. Further, Aegify automates HIPAA management through continuous workflow assessment cycle, and provides instant remediation measures to correct the security deficiencies, a trusted Solution by 70+ MSPs with thousands of customers. Aegify protects your assets, detects vulnerabilities proactively, and responds with appropriate remedial measures. Aegify is the only solution that unifies a comprehensive Security, Risk, and Compliance Assurance system.

A cloud-based Aegify walks you through simple steps in your risk analysis and management and helps you face the OIG audit on risk analysis through effective automated processes and documentation reports. Aegify Risk Framework is comprehensive:

Aegify – Continuous Monitoring Cycle

Aegify – Risk Management Model

The Aegify Risk Management Service meets the risk assessment methodology best practice as shown below:

Aegify’s automated risk management module helps you keep track of documents required as part of required evidences. Extensive report generation facilities provide online resource with the following simple steps.

1. Configure Risk Profile	Select Standards / Regulations against which the customer need to assess the organizational Risk. Applicable controls to assets are identified based on the selected Risk Profiles here.
2. Manage Assets	Add assets, manually or through automated scan-based asset discovery, or from an uploaded asset-list file. Define Asset attributes for each asset. Asses the security risk for each asset.
3. View Dashboards/ Reports	View perspective-based security risk posture. Generate risk reports for analysis.
4. Assess Risk Controls	Publsih Risk Assessments or review risks from published and responded assessment. Generate risk assessment report.
5. Do What-if analysis	Simulate various risk scenarios by changing risk parameters. View security posture at different levels of risk settings. Prioritize remedial actions  based on what-if analysis.
6. Configure risk settings	Review and modify asset types. Review risk scenario of each asset type and customize risk settings for different assets. Work with various mitigation strategies in respect of non-compliant controls for meeting the regulatory control requirements. Customize the list of ever-changing threat sources and vulnerabilities.

The default settings would normally be adequate in identifying and managing assets, assessing the risk levels of all or selected assets, assessing compliance to regulatory risk controls, and for doing detailed what-if analysis by changing various parameters in the risk assessment process. However, where risk configuration needs more customization to meet the specific characteristics of an organization the risk configuration settings provide the advanced customization options.

Offered as a cloud-based model, Aegify includes all security and IT GRC functions. Equipped with a built-in compliance framework that supports HIPAA, RBI, NSE, BSE, MCDEX, PCI, ISO, COBIT, FISMA and other country based ones, Aegify also has advanced alert and monitoring systems that makes it a complete end-to-end automation solution for all security, audit, compliance and risk management needs of an enterprise.

The post Meaningful Use Incentive Payments – OIG Audits Begin appeared first on Aegify.

Even with meaningful use regulations being in use, there have been cases of fraud by the healthcare providers such as the one wherein the CFO of a leading hospital pleaded guilty to lying about meaningful use for Medicare payments. The former chief financial officer of Shelby Regional Medical Centre, Texas, now-closed, pleaded guilty to wrongly claiming EHR incentive money. Joe White, the CFO while overseeing the hospital’s EHR implementation, falsely attested to the Centre for Medicare & Medicaid Services that the medical centre met meaningful use requirements for the 2012 fiscal year. This helped them to receive $785,655 in payments while the hospital actually relied on paper records throughout the fiscal year of 2012 and only minimally used an EHR. This fraud involved software vendors and hospital employees who manually transferred data of patients who were already discharged into electronic health record at the end of the fiscal year.

Six Texas hospitals operated by the same individual were paid $16.8 million in meaningful use incentives for fiscal years 2011 and 2012 in this case. However, with federal govt rolling out dollars to providers to adopt electronic health record systems, there is a possibility of more cases such as this. Further, under the HITECH Act, to obtain financial incentives from Medicare or Medicaid, healthcare establishments and providers must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

While such frauds on the part of the Healthcare provider and hospitals work as a wakeup call, the federal authorities need to take action to crack down such abuse of HITECH Act. The Office of Inspector General demands eligible hospitals and critical access hospitals to demonstrate they’re using certified EHR technology in ways that can be measured significantly in quantity and in quality. The use of Aegify solutions will help these healthcare providers and hospitals to demonstrate meaningful use through simplified methods.

Aegify is a powerful, simple-to-use, cloud-based solution, that provides necessary expertise to assess, analyze and mitigate regulation risk and move towards on-going HIPAA/HITECH compliance. This tool help the healthcare providers demonstrate meaningful use of their EHR and help them secure federal grants.

The post Adopting a Guilt-Free Method to Demonstrate Meaningful Use of EHR appeared first on Aegify.

“Meaningful Use of EHR” is a Medicare and Medicaid program that awards incentives for using certified electronic health records (EHRs). This program enables healthcare providers to provide patients with improved patient care. However, to achieve the stamp of “Meaningful Use” and avoid any penalties these providers must follow the roadmap to effective usage of EHR not later than 2014. While this program encourages switch over to electronic records, it is not just the improved patient care but also includes improved efficiency and performance levels along with government incentives for the healthcare providers. The eligible healthcare providers who have not yet ventured into the meaningful use of EHR will be penalized in 2015 with a 1% equivalent to their Medicare Part B Reimbursement.

Staying away from penalties therefore calls for smart decision making. Moreover, to check on the EP’s attestation of meaningful use program and collection of incentives, government will be conducting random audits. The healthcare providers need to have in place all their documentation irrespective of whether it is in-house or outsourced. 2014 being the last year to begin MU and EHR incentive program, the EP’s not only lose out on $23,520 but will also be penalized in 2015.

Moreover, there are reports of CMS targeting 257,000 doctors with meaningful use penalties beginning January 5th, 2015. The EP’s need to therefore demonstrate that they have adhered to MU regulation since Oct 1, 2014 in order to avoid any penalty.

However, EP’s can still cut their losses by:

• Building a dedicated MU team who can initiate and adhere to the regulations.
• Demonstrating meaningful Use program prior to 2015.
• Availing hardship exceptions for EP’s.
• Making use of an integrated EHR or outsourcing services of specialist.

The Aegify solution through its simplified process will help EP’s achieve Meaningful Use status. Being a powerful, simple-to-use, cloud-based solution, Aegify provides all the necessary expertise to assess, analyze and mitigate regulatory risk while adhering to the on-going HIPAA/HITECH compliance. While this solution provides eligible professionals every means to secure the federal grant through tools that demonstrate meaningful use, it also helps them meet the industry-wide perspective of HIPAA compliance. Aegify SecureGRC, with its built-in assessment of meaningful use, produces reports that can be used for filing the online application for grant. This addresses the requirements relating to meaningful use core measures, menu measures, clinical quality measures, and in particular addresses requirement for eligible hospitals as well as for EP’s with respect to risk analysis.

The post How can EP’s avoid being penalized for Meaningful Use failures in 2015 appeared first on Aegify.

With the federal money flowing in the form of EHR incentive program, hospitals, providers, vendors and consultants are working their way to a meaningful use of EHR. Nevertheless, if a hospital or medical practitioner accepts the federal money to put EHR to meaningful use, they must also prove it by using appropriate electronic tools as per the norms put across by the Center of Medicare and Medicaid Services. Further, incidents such as those that occurred at Shelby Regional Medical Center in Texas, and Detroit Medical Center that led to heavy data leakage and financial loss, demands that the healthcare providers, their business associates and vendors consider meaningful use of electronic patient health records as a compliance requirement. In the wake of such requirement, the eligible professionals, hospitals, and critical access healthcare centres were asked to maintain relevant documentation to support this activity.

Besides, as Daniel R. Levinson, U.S. inspector general points out, among the important changes that are taking place across the healthcare industry there is an emphasis on coordinated care and increased use of electronic health records. The OIG will therefore need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and also customizable to protect programs and patients from existing and new vulnerabilities. The OIG audits till date have discovered that the state agency overpaid 13 hospitals, $3.1 million in federal EHR cash. The payment errors were found to be the result of unclear and incorrect patient volume calculations. Further, nearly 80 % of the state’s hospitals analyzed in the audit also failed to comply with federal regulations.

By 2015, OIG will therefore need to leverage data analytics and “forensic enhancements” to investigate the increasingly sophisticated healthcare frauds, including the electronic health records in the process.

The OIG authorities will not only perform audits of various covered entities receiving the EHR, but will also look into factors such as:

• Identify EHR system fraud and determine if  EHR systems address vulnerabilities
• Review Medicaid and Medicare EHR incentive payments
• Analyze the IT security of community health centers funded by the Health Resources and Services Administration.
• Regular review of the Centers for Medicare & Medicaid Services health information technology systems to cross check on necessary security controls.

Besides these, conducting mock audits will help the healthcare providers to stay prepared to face both pre-payment and post-payment audits. However, it is also prudent for enterprises to implement a comprehensive and an effective solution. Security solution like the Aegify Security Posture Management or Aegify SecureGRC offered by the leading service providers of IT Risk and Compliance management solutions will help the healthcare establishments to achieve meaningful use status with ease, while ensuring a near to nil breach of security protocol.

The post Healthcare Industry gears up to meet the EHR Audits in the New Year appeared first on Aegify.

Medical records being shared electronically brought in increased need to ensure data control. Even though the HIPAA Act was enacted, the HITECH Act was further designed to enforce HIPAA regulations and provide tools to standardize the interchange of electronic data and accelerate security and confidentiality of electronic health information. Furthermore, to ensure that the health care providers and their business associates deploy comprehensive electronic health Records (EHR) by 2015 and be compliant to HIPAA, the American Recovery and Reinvestment Act (ARRA) designated $20.2 billion for IT healthcare through the HITECH Act for enterprises, facilitating the “meaningful use” of “certified” electronic medical records.

Government also instituted the “meaningful use” EHR Incentive Program (MU) to ensure more and more health care organizations and providers make use of EHR. With “Meaningful use” describing the benefits of health information technology for improvements in healthcare and secure information exchange among health care professionals, it was necessary for Health Care Organizations and providers to meet the MU criteria every year to receive the incentive. Also every provider who receives an electronic health record (EHR) incentive payment is subject to audits. And according to HITECH Act, healthcare enterprises who have failed to achieve “meaningful use” standard by 2015 would be penalized.

The health care providers should therefore take proactive steps to avoid a Meaningful Use audit, or armed to successfully defend one’s attestations. Experts list out various steps to prepare for a possible audit:

• Make collection, storing and documentation an ongoing process
• Store the Meaningful Use documentation in a central location with a proper backup
• Assign Meaningful Use to a team for continuous monitoring and reviewing of the progress
• Look for new developments in the Meaningful Use audit process
• Maintain a minimum of six years documents past attestation
• Try to avoid and eliminate the red flags that might increase the likelihood of an audit
• Check patient mix before attesting to Medicaid Meaningful Use
• have a Meaningful Use audit committee in place
• Ensure that even the staff identifies and understands Meaningful Use audit letter

Nevertheless, use of Aegify greatly simplifies the method of achieving ‘Meaningful Use’. This cloud based solution is not only easy to use but is also powerful and provides healthcare professionals necessary expertise to assess, analyze, mitigate any risks and be HIPAA and HITECH compliant. Moreover, it also helps doctors and providers to demonstrate meaningful use and helps them secure the federal grants and reimbursements ranging from $44,000 up to $2 Million as per the MU EHR incentive program.

Aegify SecureGRC compliance management has built-in tools for assessment of meaningful use and produces a ready-to-use report for applying for the grant. With a detailed list of risk parameters and controls, Aegify meaningful use reports addresses the requirements of meaningful use across various measures, making it easy for eligible hospitals and providers to apply for grants and meeting the meaningful use objectives.

The post Smart ways to prepare for Possible ‘Meaningful Use’ Audits appeared first on Aegify.

"Meaningful use" describes the use of health information technology for improvements in healthcare and aims towards information exchange among health care professionals. However, to become "Meaningful users", providers need to demonstrate they’re using certified EHR technology in ways that can be measured significantly in terms of quantity and in quality. Moreover, the providers should know that adopting certified EHR technology helps them to achieve specific objectives such as:

• Quality, safety, efficiency in health records, and reduction in health disparities
• Care coordination and public health
• Privacy and security of Patient Health Information (PHI)
• Quality research data on health systems

Even though the US government implemented the mandatory requirement of HIPAA and HITECH Act compliance, the stage 1 of meaningful use allowed the existence of electronic medical record vendors to help healthcare professionals meet the government regulations. While most healthcare enterprises used technology to ease out information interchange for the benefit of the patients, there were still large number of medical practitioners and hospitals that had not moved towards the meaningful use program.

The US department of Health and Human Services then set aside a $28 billion stimulus fund as meaningful-use grant. To qualify for these incentive payments the healthcare organizations had to conduct a mandatory security risk analysis in accordance with the requirements under HIPAA regulation and generate meaningful use reports. Besides, the Centers for Medicare & Medicaid Services (CMS) were authorized to cross check them through audits. Since the authorities conduct these audits on the basis of certain red flags that trigger the same, the stakes are high and providers should have a clear idea of what they can expect from meaningful use audits which includes:

• purpose of the audits- verification of the electronic documents
• what the audit agencies look for – the suspicious or anomalous data
• The audit process
• Electronic or paper documentation that needs to be produced to support attestation

Even if CMS audits only 5% of all providers to ensure meaningful use of electronic health records, this will amount to 20,000 providers. As healthcare provider one is expected to return the entire incentive payment for that year and will also be automatically scheduled for next audit in case of failure even in just one element of a Meaningful Use audit.

To protect from such a high stake situation you can make use of Aegify SecureGRC solutions that will generate a detailed meaningful-use report which includes HIPAA compliance and security gaps. Since Aegify portrays the results of risk analysis by scanning your network, it not only identifies and discovers all HIPAA critical IT assets that capture, process, store or transmit PHI, and their security vulnerabilities but also provide remediation guidance to fix any gaps found.

The post Understanding Meaningful-Use Audits and ways to withstand it appeared first on Aegify.

‘Meaningful use‘ risk analysis is critical to your compliance program. Organizations and professionals that fail to conduct a proper risk analysis expose themselves to fines, lawsuits, and loss of incentive funding. A preemptive security risk analysis is thus vital to prevent your healthcare practice from falling victim to a security breach.

Of course meeting this requirement is logical and simple – just embrace the analysis as a way to identify threats and protect electronic health information. Here’s what you can do to ensure that data loss is effectively plugged in breach-prone areas:

Portable devices

Unencrypted patient data on portable devices like a laptop, Smartphone, PDAs are plain disasters waiting to happen! Thefts, stolen devices, unattended devices are common occurrences. Ensure that patient data is encrypted regardless of the device it resides in.

PC desktops

Again, the same worry of unauthorized access. Desktops need to be locked and workstations moved away from the view of people standing in line.

Paper/Fax/Email

To ensure that they don’t get into the wrong hands, all paper records containing patient information need to be shredded. Patient information can be compromised when data is faxed to the wrong number, or emailed to a wrong recipient. Slow down & pay attention.

Children

Take extra care with medical records of patients younger than 18 years. The state regulations vary; so stay abreast of the federal and your state’s rules.

Besides this, you could also adopt a comprehensive platform like Aegify Security Posture Management, Aegify Risk Manager or Aegify SecureGRC. These solutions from eGestalt come with the capability to perform a detailed risk analysis using a sophisticated model, supporting you through the processes of security risk analysis.

The post Is Your Patient Data Secure? You Can Ensure That It Is – With These Tips for Successful ‘Meaningful Use’ Security Risk Analysis appeared first on Aegify.