CMS Contractor Has Begun Meaningful Use Audits

In a post this past week, Ober | Kaler, Attorneys at Law, published a Health Law Alert newsletter entitled “FIGLOIOZZI AND COMPANY BEGIN MEANINGFUL USE AUDITS AS CMS DESIGNEE”.  We recently wrote a post entitled “HIPAA Security Risk Analysis Tips – MU Attesters, Watch Your Flank”.  As a Meaningful Use attester, you are approaching the intersection of the “Electronic Health Record Incentive Program; Final Rule” and the “HIPAA Security Final Rule”.  Proceed with caution!  OCR is actively auditing for overall HIPAA compliance, and Risk Analysis is a focus area.

Here’s today’s big tip: please complete a bona fide HIPAA Security Risk Analysis!

Ober | Kaler reports that “…A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from a Figloiozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.”

In the recent ONC Guide to Privacy and Security of Health Information, you may want to read page 27 in particular, with its discussion of a potential filing under the False Claims Act for failing to complete a proper risk analysis.  Yes, there are whistleblower incentives.

We would expect the documentation requests to include specific documentation related to completing a risk analysis.  Information about the CMS audits can be found here, in case you haven’t seen it before:

At the 2012 NIST/OCR HIPAA Security Conference, which we attended, an HHS official announced that 10% of MU attesters would be audited.

Risk analysis is a fundamental, foundational part of any risk management program, including your cyber security program.  It is not an evil creation of the HIPAA or HITECH statutes or their promulgated rules.  In fact, it has been around since the beginning of mankind.  In a nutshell, risk analysis means ranking your risks (a.k.a. exposures) from biggest to smallest and then using that ranking to make informed decisions about how to treat each one: accept, avoid, mitigate, or transfer.

Bottom Line:  Validate that your organization has completed a formal HIPAA Security Risk Analysis, according to HHS/OCR risk analysis guidance and the underlying NIST security framework.

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view the Clearwater HIPAA Risk Analysis Video Overview.

The complete HIPAA Privacy, Security and Breach regulations are here.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.