Meaningful Use Audits and Risk Assessment

A topic that has been overlooked in the last couple of years, risk assessments, is coming to the forefront with a vengeance.


Not too long ago I was assisting an office with their Meaningful Use attestation and I was somewhat surprised that the question of HIPAA compliance was part of the process. The office manager completing the attestation didn't bat an eye, answered yes, and kept on going. Knowing what I do, I was quite surprised to see how confident she was in her response that everything under HIPAA was up to par.


Since then I have been asking questions of other administrators, office managers and physicians just to verify my gut feeling. The answers I obtained vary from "I don't want to know more because if I do I will have to do more work" to "Where is the reference that requires me to do so?"


Under §164.308(a)(1)(A) all covered entities are required to conduct a Risk Assessment. Also, Meaningful Use Stage I's Core Objective 15 and attestation require a Risk Assessment as a condition of meeting Meaningful Use. In fact, based on the Omnibus Rule, Business Associates must also comply with the HIPAA requirements, including but not limited to the Risk Assessment.

Luckily for us, the company doing Meaningful Use audits does not seem to be looking closely at the Risk Assessment yet; however, failure to complete one will immediately result in not meeting Meaningful Use. So at the very least this will result in returning all monies received based on Meaningful Use. Then again, the situation may actually worsen, as failure to meet this requirement could also result in the organization being found in "willful neglect", which carries a minimum $50,000 penalty per incident.

Keep in mind that the $50,000 penalty applies even if you didn’t receive any incentive money!

Even with all the above information, I still hear comments that are so common that the Government itself saw a need to address them on its web site. For example:

  • The EHR does everything needed to meet HIPAA compliance.
  • Small providers do not have to complete a Risk Assessment.
  • All that is needed to meet the Risk Assessment requirement is running a checklist.
  • Organizations only need to run a Risk Analysis once in their lifetime.

All four of the above statements are false, and relying on this information could get healthcare professionals in trouble.

Another source of concern I have is that while the definition of what needs to be done sounds simple, the reality is quite different. In fact, because of the complexity of these elements, we at Taino Consultants Inc. have created compliance software, developed specialized tools to conduct Risk Assessments, and worked in conjunction with Uber University to develop courses and certification programs to prepare healthcare professionals.

So let's not complain; let's realize that Risk Assessment and HIPAA compliance are part of the cost of doing business, and move on. Remember that if you are going to play the game, you must follow the rules.