Meaningful Use and the Security Risk Assessment
Everybody, and I mean everybody, knows by now that if an eligible hospital (EH) or eligible professional (EP) wants those delectable CMS EHR incentives, they had better do a Security Risk Analysis (SRA). You may not understand the details of this Core measure to “protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities,” but it has to be done. The relevant requirements are essentially unchanged from the heady early days of the ARRA/HITECH legislation.
We even thought we knew when the SRA had to be performed. Uh-oh. No we didn’t. Fasten your seatbelts, we are about to take a trip down the bunny hole with Alice to the Wonderland of MU.
For years it has been documented that the SRA must be performed on a yearly basis; it could be dated prior to the beginning of the MU reporting period but had to be completed by the end of the reporting period. Pretty clear to me. In fact, that guidance is still available on the CMS website.
Suddenly, without warning, CMS guidance appeared on 10/6/2014 that stated, “These steps may be completed outside of the EHR reporting period timeframe but must take place no earlier than the start of the reporting year and end of the reporting year.” A cached copy of this is available here. At first I couldn’t believe my eyes, and the security experts I contacted were equally surprised. This new guidance basically said an EP or EH could achieve MU for a reporting period and could perform or review the SRA after that reporting period. This was especially important to those with 90-day reporting periods. For those providers, the SRA could be dated after their reporting period.
Here comes round 3. On 11/5/2014 additional CMS guidance was published that updated the 10/6/2014 FAQ. So now we have guidance on the guidance. The new text states, “These steps may be completed outside of the EHR reporting period timeframe but must take place no earlier than the start of the EHR reporting year and no later than the provider attestation date.” This opens the door for all EPs and EHs, whether they are attesting for a 90-day or a full-year reporting period. According to this communique, a hospital that does a full year of MU, for example October – September, could have an SRA dated after the reporting period and after the reporting year. Since the deadline for a hospital’s attestation is 60 days after the reporting year, the SRA could be dated in November.
The ongoing confusion is multiplied when we consider the effects of this issue on MU audits and appeals. Many EPs and EHs have failed audits and subsequent appeals based on the dates of their SRAs. Depending on which of the 3 CMS guidance documents is referenced, an audit that was failed could have been passed. I’m getting a headache just thinking about this. Sorry to drop this on you just before the Thanksgiving weekend, but it has been on my mind this week. I will not trouble you next week with a post. I wish you peace.