At a pre-conference session on meaningful use on Sunday, Mac McMillan, chairman and CEO of CynergisTek, Inc., Austin, Texas, advised provider organizations to be prepared for privacy and security audits associated with meaningful use attestation. Providers are required to conduct a risk analysis prior to attestation, he said, and are given a deadline for getting it done within the attestation period. He notes that at the end of an attestation, providers are required to sign a statement that the information required is true. Failure to conduct a risk analysis could result in the incentive money being taken back, he said.
MacMillan said there is really nothing new under the meaningful use risk assessment, and is essentially the same as under the HIPAA requirements. Technical controls align with what’s in the HIPAA rule, he said.
His advice to provider organizations is to get ready early. “If you are attesting, you are already required to do a risk assessment. Get ready early, and go ahead with conducting a risk assessment. He also advised saving all electronic and paper documentation that supports attestation. “Save documentation that supports calculations in your system,” he said.
He said providers should seek assistance with conducting a risk audit if they require it. This is especially true for small provider organizations that may lack the technical resources.
MacMillan says the industry will probably see more robust audits going forward, which mirror what OCR is doing on the HIPAA side.