
What you need to know for Medicare EHR audits

March 8, 2013

Among the most daunting aspects of a Medicare EHR Incentive Program post-payment audit may be documenting compliance with Meaningful Use Core Measure 15. The measure requires health care practitioners to conduct or review a security risk analysis in accordance with federal regulations, correct any identified security deficiencies, and then implement any security updates as necessary.

The U.S. Centers for Medicare & Medicaid Services (CMS) defines the technical capability to protect patient information under Measure 15 using the 13 EHR certification and standards criteria below.

Practitioners called on to document compliance with this measure, as part of a Medicare EHR Incentive Program post-payment audit, should be able to produce evidence that the steps outlined under each of the criteria were taken during the EHR reporting period to protect patient information. In many cases, EHR systems may be able to generate reports documenting compliance with the criteria. Should an EHR system not be able to produce such a report, practitioners need to be prepared to provide paper records or worksheets.

Certification Criteria

Access control

Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

Emergency access

Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

Automatic log-off

Terminate an electronic session after a predetermined time of inactivity.

Audit log

(1) Record actions—Record actions related to electronic health information.
(2) Generate audit log—Enable a user to generate an audit log for a specific time period and to sort entries in the audit log according to any of the elements specified in federal standards.

Integrity

(1) Create a message digest.
(2) Verify, in accordance with the federal standard, upon receipt of electronically exchanged health information that such information has not been altered.
(3) Detection—Detect the alteration of audit logs.

Authentication

Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

General encryption

Encrypt and decrypt electronic health information.

Encryption when exchanging electronic health information

Encrypt and decrypt electronic health information when exchanged.

Accounting of disclosures (optional)

Record disclosures made for treatment, payment, and health care operations.

Standards Criteria

Record actions related to electronic health information

The date, time, patient identification, and user identification must be recorded whenever electronic health information is created, modified, accessed, or deleted, together with an indication of which action(s) occurred and by whom.

Verification that electronic health information has not been altered in transit

A hashing algorithm with a security strength equal to or greater than Secure Hash Algorithm (SHA-1), as specified by the National Institute of Standards and Technology (NIST), must be used to verify that electronic health information has not been altered. SHA-1 is the floor, not the recommendation: NIST has since deprecated it because it is no longer collision resistant, so a new deployment should use SHA-256 or stronger, which satisfies the criterion.

Encryption and decryption of electronic health information

An encryption algorithm that NIST identifies as approved (AES is the usual choice) must be used to encrypt and decrypt electronic health information, and information that is exchanged must travel over an encrypted and integrity-protected link.

Record treatment, payment, and health care operations disclosures

The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations.
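To make the Audit log, Integrity and Standards criteria concrete, here is an added example (written for this page; it is not code from the original article, CMS, or any EHR product). It records the four required elements for every action, chains each entry to the previous one with SHA-256 so that editing, reordering or deleting an entry is detectable, filters a reporting period and sorts by any required element, and creates and verifies a message digest for exchanged information. The module, function names and sample records are constructed for illustration.

```python
"""Added example, not part of the original article or any EHR product:
a hash-chained audit log plus message-digest verification, illustrating the
Audit log, Integrity and Standards criteria. All names and sample records
are constructed for illustration."""
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # prev_hash of the first entry
ACTIONS = ("create", "modify", "access", "delete")
ELEMENTS = ("timestamp", "patient_id", "user_id", "action")  # required log elements


def _sha256(data: bytes) -> str:
    # SHA-256 exceeds the SHA-1 floor in the standard; SHA-1 is no longer
    # collision resistant and should not be used for new deployments.
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def create_message_digest(payload: bytes) -> str:
    """'Create a message digest' for health information sent to another party."""
    return _sha256(payload)


def verify_message_digest(payload: bytes, expected: str) -> bool:
    """'Verify ... upon receipt' that the payload matches the digest sent with it."""
    return hmac.compare_digest(create_message_digest(payload), expected)


class AuditLog:
    """Append-only log of actions on electronic health information.

    Every entry carries the four required elements and the hash of the previous
    entry, so editing, reordering or deleting any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, timestamp: str, patient_id: str, user_id: str, action: str) -> str:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        body = {
            "timestamp": timestamp,        # ISO 8601 UTC, e.g. 2013-03-08T09:15:00Z
            "patient_id": patient_id,
            "user_id": user_id,
            "action": action,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_sha256(_canonical(body)))
        self.entries.append(entry)
        return entry["hash"]

    def first_tampered_index(self):
        """'Detect the alteration of audit logs': index of the first entry whose
        content or link to its predecessor no longer verifies, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ELEMENTS + ("prev_hash",)}
            if e["prev_hash"] != prev or _sha256(_canonical(body)) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def report(self, start: str, end: str, sort_by: str = "timestamp") -> list:
        """'Generate audit log' for a time period, sorted by any required element."""
        if sort_by not in ELEMENTS:
            raise ValueError(f"cannot sort by {sort_by!r}")
        # ISO 8601 UTC timestamps of identical format compare correctly as strings.
        selected = [e for e in self.entries if start <= e["timestamp"] <= end]
        return sorted(selected, key=lambda e: e[sort_by])


def build_sample_log() -> AuditLog:
    """Constructed sample records (not real patient data) for the demonstration."""
    log = AuditLog()
    log.record("2013-03-08T09:15:00Z", "P-1001", "dr_lee", "access")
    log.record("2013-03-08T09:20:00Z", "P-1001", "dr_lee", "modify")
    log.record("2013-03-08T10:05:00Z", "P-2002", "rn_cruz", "access")
    log.record("2013-03-09T08:00:00Z", "P-1001", "admin", "delete")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("log intact:", log.first_tampered_index() is None)
    day = ("2013-03-08T00:00:00Z", "2013-03-08T23:59:59Z")
    for e in log.report(*day, sort_by="user_id"):
        print(e["timestamp"], e["user_id"], e["patient_id"], e["action"])
    log.entries[1]["user_id"] = "someone_else"   # simulate after-the-fact editing
    print("first tampered entry:", log.first_tampered_index())
```

The chain only proves that nothing was changed after the fact inside the log; it does not stop an administrator with write access from rebuilding the whole chain. In practice the latest hash is written periodically to a separate store (a WORM volume, a different system, or a signed timestamp) so that an auditor can compare it, which is also the kind of evidence a post-payment audit asks for.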

For additional information see “Eligible Professional Meaningful Use Core Measures: Protect Electronic Health Information” at http://tinyurl.com/EHRMeasure15.
