Even with meaningful use regulations being in use, there have been cases of fraud by the healthcare providers such as the one wherein the CFO of a leading hospital pleaded guilty to lying about meaningful use for Medicare payments. The former chief financial officer of Shelby Regional Medical Centre, Texas, now-closed, pleaded guilty to wrongly claiming EHR incentive money. Joe White, the CFO while overseeing the hospital’s EHR implementation, falsely attested to the Centre for Medicare & Medicaid Services that the medical centre met meaningful use requirements for the 2012 fiscal year. This helped them to receive $785,655 in payments while the hospital actually relied on paper records throughout the fiscal year of 2012 and only minimally used an EHR. This fraud involved software vendors and hospital employees who manually transferred data of patients who were already discharged into electronic health record at the end of the fiscal year.

Six Texas hospitals operated by the same individual were paid $16.8 million in meaningful use incentives for fiscal years 2011 and 2012 in this case. However, with federal govt rolling out dollars to providers to adopt electronic health record systems, there is a possibility of more cases such as this. Further, under the HITECH Act, to obtain financial incentives from Medicare or Medicaid, healthcare establishments and providers must submit detailed documents that attest to meeting the requirements for the program, including conducting a HIPAA security risk assessment.

While such frauds on the part of the Healthcare provider and hospitals work as a wakeup call, the federal authorities need to take action to crack down such abuse of HITECH Act. The Office of Inspector General demands eligible hospitals and critical access hospitals to demonstrate they’re using certified EHR technology in ways that can be measured significantly in quantity and in quality. The use of Aegify solutions will help these healthcare providers and hospitals to demonstrate meaningful use through simplified methods.

Aegify is a powerful, simple-to-use, cloud-based solution, that provides necessary expertise to assess, analyze and mitigate regulation risk and move towards on-going HIPAA/HITECH compliance. This tool help the healthcare providers demonstrate meaningful use of their EHR and help them secure federal grants.

The post Adopting a Guilt-Free Method to Demonstrate Meaningful Use of EHR appeared first on Aegify.

“Meaningful Use of EHR” is a Medicare and Medicaid program that awards incentives for using certified electronic health records (EHRs). This program enables healthcare providers to provide patients with improved patient care. However, to achieve the stamp of “Meaningful Use” and avoid any penalties these providers must follow the roadmap to effective usage of EHR not later than 2014. While this program encourages switch over to electronic records, it is not just the improved patient care but also includes improved efficiency and performance levels along with government incentives for the healthcare providers. The eligible healthcare providers who have not yet ventured into the meaningful use of EHR will be penalized in 2015 with a 1% equivalent to their Medicare Part B Reimbursement.

Staying away from penalties therefore calls for smart decision making. Moreover, to check on the EP’s attestation of meaningful use program and collection of incentives, government will be conducting random audits. The healthcare providers need to have in place all their documentation irrespective of whether it is in-house or outsourced. 2014 being the last year to begin MU and EHR incentive program, the EP’s not only lose out on $23,520 but will also be penalized in 2015.

Moreover, there are reports of CMS targeting 257,000 doctors with meaningful use penalties beginning January 5th, 2015. The EP’s need to therefore demonstrate that they have adhered to MU regulation since Oct 1, 2014 in order to avoid any penalty.

However, EP’s can still cut their losses by:

• Building a dedicated MU team who can initiate and adhere to the regulations.
• Demonstrating meaningful Use program prior to 2015.
• Availing hardship exceptions for EP’s.
• Making use of an integrated EHR or outsourcing services of specialist.

The Aegify solution through its simplified process will help EP’s achieve Meaningful Use status. Being a powerful, simple-to-use, cloud-based solution, Aegify provides all the necessary expertise to assess, analyze and mitigate regulatory risk while adhering to the on-going HIPAA/HITECH compliance. While this solution provides eligible professionals every means to secure the federal grant through tools that demonstrate meaningful use, it also helps them meet the industry-wide perspective of HIPAA compliance. Aegify SecureGRC, with its built-in assessment of meaningful use, produces reports that can be used for filing the online application for grant. This addresses the requirements relating to meaningful use core measures, menu measures, clinical quality measures, and in particular addresses requirement for eligible hospitals as well as for EP’s with respect to risk analysis.

The post How can EP’s avoid being penalized for Meaningful Use failures in 2015 appeared first on Aegify.

Medical records being shared electronically brought in increased need to ensure data control. Even though the HIPAA Act was enacted, the HITECH Act was further designed to enforce HIPAA regulations and provide tools to standardize the interchange of electronic data and accelerate security and confidentiality of electronic health information. Furthermore, to ensure that the health care providers and their business associates deploy comprehensive electronic health Records (EHR) by 2015 and be compliant to HIPAA, the American Recovery and Reinvestment Act (ARRA) designated $20.2 billion for IT healthcare through the HITECH Act for enterprises, facilitating the “meaningful use” of “certified” electronic medical records.

Government also instituted the “meaningful use” EHR Incentive Program (MU) to ensure more and more health care organizations and providers make use of EHR. With “Meaningful use” describing the benefits of health information technology for improvements in healthcare and secure information exchange among health care professionals, it was necessary for Health Care Organizations and providers to meet the MU criteria every year to receive the incentive. Also every provider who receives an electronic health record (EHR) incentive payment is subject to audits. And according to HITECH Act, healthcare enterprises who have failed to achieve “meaningful use” standard by 2015 would be penalized.

The health care providers should therefore take proactive steps to avoid a Meaningful Use audit, or armed to successfully defend one’s attestations. Experts list out various steps to prepare for a possible audit:

• Make collection, storing and documentation an ongoing process
• Store the Meaningful Use documentation in a central location with a proper backup
• Assign Meaningful Use to a team for continuous monitoring and reviewing of the progress
• Look for new developments in the Meaningful Use audit process
• Maintain a minimum of six years documents past attestation
• Try to avoid and eliminate the red flags that might increase the likelihood of an audit
• Check patient mix before attesting to Medicaid Meaningful Use
• have a Meaningful Use audit committee in place
• Ensure that even the staff identifies and understands Meaningful Use audit letter

Nevertheless, use of Aegify greatly simplifies the method of achieving ‘Meaningful Use’. This cloud based solution is not only easy to use but is also powerful and provides healthcare professionals necessary expertise to assess, analyze, mitigate any risks and be HIPAA and HITECH compliant. Moreover, it also helps doctors and providers to demonstrate meaningful use and helps them secure the federal grants and reimbursements ranging from $44,000 up to $2 Million as per the MU EHR incentive program.

Aegify SecureGRC compliance management has built-in tools for assessment of meaningful use and produces a ready-to-use report for applying for the grant. With a detailed list of risk parameters and controls, Aegify meaningful use reports addresses the requirements of meaningful use across various measures, making it easy for eligible hospitals and providers to apply for grants and meeting the meaningful use objectives.

The post Smart ways to prepare for Possible ‘Meaningful Use’ Audits appeared first on Aegify.

"Meaningful use" describes the use of health information technology for improvements in healthcare and aims towards information exchange among health care professionals. However, to become "Meaningful users", providers need to demonstrate they’re using certified EHR technology in ways that can be measured significantly in terms of quantity and in quality. Moreover, the providers should know that adopting certified EHR technology helps them to achieve specific objectives such as:

• Quality, safety, efficiency in health records, and reduction in health disparities
• Care coordination and public health
• Privacy and security of Patient Health Information (PHI)
• Quality research data on health systems

Even though the US government implemented the mandatory requirement of HIPAA and HITECH Act compliance, the stage 1 of meaningful use allowed the existence of electronic medical record vendors to help healthcare professionals meet the government regulations. While most healthcare enterprises used technology to ease out information interchange for the benefit of the patients, there were still large number of medical practitioners and hospitals that had not moved towards the meaningful use program.

The US department of Health and Human Services then set aside a $28 billion stimulus fund as meaningful-use grant. To qualify for these incentive payments the healthcare organizations had to conduct a mandatory security risk analysis in accordance with the requirements under HIPAA regulation and generate meaningful use reports. Besides, the Centers for Medicare & Medicaid Services (CMS) were authorized to cross check them through audits. Since the authorities conduct these audits on the basis of certain red flags that trigger the same, the stakes are high and providers should have a clear idea of what they can expect from meaningful use audits which includes:

• purpose of the audits- verification of the electronic documents
• what the audit agencies look for – the suspicious or anomalous data
• The audit process
• Electronic or paper documentation that needs to be produced to support attestation

Even if CMS audits only 5% of all providers to ensure meaningful use of electronic health records, this will amount to 20,000 providers. As healthcare provider one is expected to return the entire incentive payment for that year and will also be automatically scheduled for next audit in case of failure even in just one element of a Meaningful Use audit.

To protect from such a high stake situation you can make use of Aegify SecureGRC solutions that will generate a detailed meaningful-use report which includes HIPAA compliance and security gaps. Since Aegify portrays the results of risk analysis by scanning your network, it not only identifies and discovers all HIPAA critical IT assets that capture, process, store or transmit PHI, and their security vulnerabilities but also provide remediation guidance to fix any gaps found.

The post Understanding Meaningful-Use Audits and ways to withstand it appeared first on Aegify.

Many healthcare entities share a similar trepidation. Colin Banas, MD, the chief medical information officer at the Virginia Commonwealth University (VCU) Medical Center firmly believes that this process is driven by – "fear of audit, fear of penalty, and fear of vendor abandonment if should a client choose to forge a different path." His worries stem from the fact that VCU occasionally tailors a vendor’s certified product in order to make it more usable, and this could fail meaningful use requirements. Given that VCU already follows the intent of the measure, Banas, further states that it could be next to impossible to estimate the resources used by VCU to readjust clinical workflows and codes to adhere to the letter of the law.

The New York-Presbyterian Hospital also shares a like-wise anxiety. According to Virginia Lorenzi, a health IT veteran with nearly 25 years of experience and associate manager of information services, the hospital has spent time and energy aplenty in trying to ascertain if its EHR would be safe when there were modifications to what was actually written into the certified product. Bad meaningful use audit drives many of her decisions, worries Lorenzi, and if an area is gray and unclear, like all others, she would prefer to land on the safe side.

What do the certifying bodies say?

The truth is that many certifiers believe that the gray areas are indeed convoluted. To add to this, the Office of the National Coordinator for Health Information Technology (ONC) has not unified the way various certification bodies interpret measures. Considering that some believe  that there is a lack of guidance from the ONC, Kyle Meadors, director of EHR testing with the Drummond Group, also an authorized testing and certification body of the ONC, suggests that information-sharing among the certification bodies is likely to bring some clarity. Given that the certifiers are not privy to each other’s interpretations, Meadors deems it is necessary for ONC to start engaging the certification bodies periodically to understand the challenges and start seeing different interpretations from other vendors. Amit Trivedi, program manager of healthcare at ICSA Labs, a certification body, thinks it may be best for ONC to conduct pilot certification tests involving all the bodies, observe testing, understand the expected results, learn how test tools operate, and provide feedback.

As always, ONC on its part is listening to feedback, and will accordingly make necessary changes when appropriate. Certification workgroup member Charlene Underwood, senior director of government and industry affairs at Siemens Medical, doesn’t think it is possible to certify the actual intent of what they are trying to accomplish, as the same gets lost in the standards. However, Jacob Reider, MD, deputy national coordinator, who is in charge of certification, stated that ONC is gearing up a new initiative that will soon address the challenges and irregularities in certification and auditing.

A clean gap analysis of a company’s security posture and compliance levels to regulatory controls, using cloud-based solutions such as Aegify Security Posture Management or Aegify SecureGRC can help organizations meet the Meaningful Use requirements more effectively through a thorough gap analysis and remediation recommendation in a comprehensive manner ensuring that health records remain safe, while also ensuring that there is  significant benefit from ‘Meaningful Use’ of EHR. The adoption of such a unified and comprehensive solution can take away all fears and anxieties from the process of Meaningful Use.

The post Is Meaningful Use Requirement Triggering Panic? You’re Not Alone appeared first on Aegify.

Taking an Incremental Approach – This would mean conducting tests to prove that healthcare providers can comply with the updated requirements of the rule. This can help determine how transparency of data disclosures can be ensured without overburdening healthcare organizations. Approaching this in a structured fashion and pursuing an implementation method that would be feasible from the perspectives of policy and technology would prove helpful. The HIT Policy Committee urges HHS to take a focused approach that gives priority to quality over quantity, where the scope of disclosures and related details reported to patients contains information that is useful to them while not overwhelming them or putting undue burden on providers.

Focusing on Disclosure of Records to Those Outside the Entity – Providing patients with a report of disclosures made to parties outside of the healthcare entity, should be the first step in taking an incremental approach. So HHS should follow a method wherein disclosure reports are triggered whenever an entity transfers control of information to an external party. While the current HIPAA Privacy Rule requires covered entities to make available, an account of information disclosures of individual Patient Health Information (PHI), on paper or in electronic form, upon request, the HITECH Act calls for revising the disclosure requirement to include those disclosures made for healthcare payment, treatment, or operations made using an EHR.

Scaling Back Plans for Providing Detailed Access Reports – OCR’s notice in May 2011 for carrying out the HITECH Act requisite for revising the disclosure requirements, also included a controversial provision necessitating that, upon a patient’s request, an ‘access report’ should list out everyone, including internal users who have viewed their information. As per this requirement, patients have to be provided details of the date and time of access, name of the person/entity accessing the information, and the action performed, such as creation, modification, or deletion. However, the HIT Policy Committee has now endorsed scaling back on these reports, allowing patients to suspect inappropriate access to their health information and requesting for an investigation inside the entity that controls the information. These recommendations were crafted over several months based on public and industry feedback about the original rule revision that was proposed.

Conducting Technology Pilots – To enable covered entities to conduct investigations of inappropriate access, the HIT Policy committee recommends the addition of the two following implementation specifications to the existing audit control standard in the HIPAA rule: 1. Addressable audit controls must record PHI access activities to the granularity of the individual user and the individual whose PHI is accessed; and 2. Information recorded by the audit controls must be sufficient to support the information system activity review required by the HIPAA Security Rule and the investigation of potential inappropriate access to PHI.

As soon as the pilots are completed, OCR will resume work on a revised rule taking the recommendations and pilot findings into account. However, safeguarding PHI is not just about being transparent in disclosing details of access to patients. It has to begin with ensuring comprehensive security, improving risk assessment capabilities, and building an efficient system of information access management, for which, Aegify Security Posture Management and Aegify SecureGRC can come in handy. These solutions can prove valuable in preventing breaches due to inappropriate access to PHI and other such HIPAA violations.

The post Revamp of HIPAA Disclosures Rule Endorsed appeared first on Aegify.

Moreover, while some entities use systems that generate reports based on a snapshot in time, others have ‘rolling systems’ that cause numbers in the EHR to change after the entity has attested. In these cases, a copy of the original report has to be kept to substantiate the numbers used for attestation. While this is one of the concerns, there are also many other issues to be considered and steps to be taken while preparing for the Meaningful Use audit.

How to Survive a Meaningful Use Audit

Although only a small percent of healthcare entities will go through the Meaningful Use attestation audit, all healthcare entities should bear in mind that even a single attestation misstep could result in loss of the entire incentive payment. This is a major concern for a number of healthcare CIOs, and is one of the main topics addressed by the attendees at the CHIME13 CIO forum in Scottsdale, Arizona recently. Elizabeth Johnson, Vice President of Applied Clinical Informatics at Tenet Healthcare Corporation, and Pam McNutt, Senior Vice President and CIO at the Methodist Health System in North Texas provide 5 steps to survive the Meaningful Use audit:

1. Preserve the Data. Meaningful Use audits may go as far back as six years. So entities should have preserved data over all those years to support attestation claims. It is therefore important to protect data at all costs. Entities that have an aggressive purge criteria to save disc space, should be careful not to do away with all the data that may be needed to prove Meaningful Use. It may also be helpful to configure EHR systems ahead of time in such a way that patient records and audit logs contain everything the auditors may seek.
2. Plan in Advance. Logs and system settings should help produce the required data when needed. Moreover, in order to make documentation easier, the vendor’s name and software version should be on the header of all the Meaningful Use reports. This can help prove that they have come from a certified system.
3. Be Prepared for Surprises. Although it is crucial to prepare well in advance for the audits, it is also equally important to expect the unexpected. For both Tenet and Methodist, an unexpected area of focus was HIPAA security risk assessment. While many entities may be conducting vulnerability testing and annual HIPAA risk assessment, these may not suffice for the Meaningful Use audit. The audits may also focus on the EHR technology and the version that is being used. In addition to this, the audit, the report, and the reaction to the report should all be done within the attestation time period. Hence entities should proceed with caution and be prepared for surprises.
4. Think Before Upgrading. Entities may have to prove to auditors that they have been on a certified release the entire time. But some entities get tripped up with this during the upgrade cycles thinking that all that is needed is to be on the certified release before running all the reports. But this is not the case, because they have to prove with screenshots showing the date on which the certified EHR technology went into production. And this date has to be on or before the date of the attestation period.
5. Proceed Quickly. Once the Meaningful Use audit notice is received, entities have two weeks to respond and send documentation through an online portal. But it is important to be ready to file in less than two weeks because there is no guarantee that the notice will reach the right person. There have been cases where the notice had been completely overlooked. So entities should prepare all employees to recognize the audit notification, and understand the importance of taking quick action by alerting the right person.

While these steps can be extremely helpful in facing the Meaningful Use audits with confidence, what will also prove beneficial is the adoption of a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC which can help organizations sail through these audits very smoothly. Aegify SecureGRC provides quick access to documentation and evidences from a central repository for pre/post audits. This significantly eases the audit process.

The post Surviving a ‘Meaningful Use’ Audit appeared first on Aegify.