These certified EHR programs are typically called “EMRs” – short for Electronic Medical Records. These EMRs typically have the medical care side and the business tracking side rolled into one large computer application.
EMR companies provide many fantastic solutions to help streamline workflow while accurately capturing charge codes. They will also tout that they are the sole-source, one-stop shop for Meaningful Use Certification. They will even provide prospective clients with a table showing all the Meaningful Use requirements and how their software meets all of them.
Here’s the dirty little secret: EMR companies will take care of all but 1 measure – to secure (or protect) the Personal Health Information (PHI). For stage 1 of Meaningful Use, this is known as core measure 15 (14 for hospitals), and it is the Provider’s responsibility to address it outside of the EMR’s capabilities. Stage 2 also includes the same provision, and all Covered Entities are required to conduct a Risk Analysis – at least once every 3 years.
The ramifications of skipping this core measure are severe – and the likelihood of being audited is estimated at 1 in 10 for 2013. If you haven’t heard, 2012 was the first year of fines, and numerous clinics, hospitals, group health plans and business associates have been fined. These investigations can be conducted by the Office of Civil Rights (OCR) or even State Attorneys General (SAG). Whether through the OCR random audit program or an investigation triggered by a patient complaint, you will be asked to provide your “most recent HIPAA Security Risk Analysis report…” in addition to proof you have addressed any one of the 169 Privacy, Security and breach-notification laws (HIPAA and HITECH).
Not to mention the cost – a recent interview with Hospice of North Idaho revealed there is the cost of non-compliance (fines), then the cost of moving towards compliance (hiring people, buying technology and modifying the way the organization views protecting the data their patients entrust them to protect).
For pennies on the dollar, conducting a HIPAA Risk Analysis that is based on HIPAA Security Laws and the appropriate methodology will not only comply with regulations, but improve organizational clarity. The process is about 40% technical, and 60% policies, processes, training, and encryption. It has been proven that government-provided Risk Analysis spreadsheets are ineffective, and products like the HITRUST CSF are too expensive, complicated and time-consuming for most health care professionals to utilize. It is highly recommended (but not required) to have a certified, independent third party provide the first Risk Analysis to provide the guidance needed to minimize the cost and disruption involved with identifying the high-level risks and solutions to provide a reasonable action plan towards compliance and improved security.
Modern Compliance Solutions specializes in personalized solutions and services that have proven success in defending against OCR investigations. HIPAA One is a web-based security risk analysis platform that captures the most efficient, simple, streamlined process garnered through performing hundreds of risk analyses in health care. For more information on HIPAA Security strategy and solutions, please contact Steven Marco (801)770-1199 or visit the company website at www.hipaaone.com/hipaaOne.php.