As my friend and fellow HIPAA Audit Prep BootCamp™ faculty member, Jim Pyles, Esq., poses:  Did you really think the government was going to hand out $30B in Meaningful Use (MU) Incentives without checking on the meaningful use part?  The HIPAA Security Risk Analysis requirement (at 45 CFR 164.308(a)(1)(ii)(A)) is MU Core Objective 14 and 15 for eligible hospitals and eligible providers.  CMS announced its intention to audit up to 10% of the organizations attesting to MU and receiving incentive money.  In a recent Guide to Privacy and Security of Healthcare Information, ONC connected the dots between failure to perform a risk analysis AND the False Claims Act.  Oh yes, don’t forget about the HITECH-mandated audits focusing on Risk Analysis and the HHS/OCR Settlement Agreements highlighting failures to perform risk analyses.

Here’s today’s big tip — Watch Your Flanks; there are several Risk Analysis attack vectors.

[Image: NIST SP800-30]

HIPAA Security Risk Analysis Tips – Watch Your Flank

Here are the top four (4) ways to find yourself in trouble with HHS over risk analysis… and possibly having to pay treble damages:

  1. Be found to not have completed one in an OCR HIPAA Compliance Audit.
  2. Earn an OCR Investigation as the result of a complaint and be found to not have completed one.
  3. Be found to not have completed one as a result of a CMS Meaningful Use Audit.
  4. Have an employee, member or patient file a qui tam claim under the False Claims Act stating that you really didn’t complete a risk analysis the right way.

NIST SP800-30 Risk Analysis – The Right Way

The HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” relies on the NIST security framework and specifically on NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments (DRAFT).  According to both documents,

“A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system.  Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”

CMS Meaningful Use Audits

From the CMS web site:
Will CMS conduct audits?
Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit. Here’s what you need to know to make sure you’re prepared:

Overview of the CMS EHR Incentive Programs Audits

  • All providers attesting to receive an EHR incentive payment for either Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module responses). Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.
  • CMS, and its contractors, will perform audits on Medicare and dually-eligible (Medicare and Medicaid) providers.
  • States, and their contractors, will perform audits on Medicaid providers.
  • CMS and states will also manage appeals processes.

Preparing for an Audit

  • To ensure you are prepared for a potential audit, save the supporting electronic or paper documentation that support your attestation. Also save the documentation to support your Clinical Quality Measures (CQMs). Hospitals should also maintain documentation to support their payment calculations.
  • Upon audit, the documentation will be used to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.

Details of the Audits

  • There are numerous pre-payment edit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting and payment.
  • Post-payment audits will also be completed during the course of the EHR Incentive Programs.
  • If, based on an audit, a provider is found to not be eligible for an EHR incentive payment, the payment will be recouped.
  • CMS will be implementing an appeals process for eligible professionals, eligible hospitals and critical access hospitals that participate in the Medicare EHR Incentive Program. More information about this process will be posted to the CMS Web site soon.
  • States will implement appeals processes for the Medicaid EHR Incentive Program. For more information about these appeals, please contact your State Medicaid Agency.

Bottom Line:  if you have not completed a bona fide risk analysis following HHS/OCR guidance and NIST’s robust methodology, you may be in big trouble with both OCR (Security, Privacy and Breach Rule enforcers) AND CMS, which operates the Meaningful Use EHR Incentive Program and will perform audits on attestations… and possibly DOJ, if it results in a false claims filing.

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST SP800-30 guidance, view Clearwater HIPAA Risk Analysis Video Overview.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.