Security Risk Analysis Timeline
By Jim Tate, EMR Advocate
Meaningful Use Audit Expert
Twitter: @JimTate, eMail: audits@emradvocate.com
“Like sands through the hourglass, so are the days of our lives.” I heard that immortal phrase every week day afternoon throughout my high school years. I’d get off that big yellow school bus, run in the house, grab a Sprite and then I would hear it. My mother would be ensconced in what we call the “TV room” with a box of tissues by her side and a look of concern on her face. Every day, without fail that is where she would be transported to the alternate universe of “The Days of Our Lives”. I don’t know if soap operas are big now, maybe they have been replaced by cooking shows and reality TV. Back in those pre-cable days they were giant. I knew better than to interrupt my mother until the final sign off. “Like sands through the hourglass, so are the days of our lives.” That was burned into my nervous system in a way that became mythic. Those words remain hardwired in my limbic brain. Even now I always have a sense that life is fleeting and time is running out.
What does this trip down memory lane have anything to do with meaningful use (MU)? Well, I tell you. In the past week I have received call after call, email after email, asking one question: “What is the timeline for the Security Risk Analysis?” Quite a few eligible professionals and hospitals are asking; “Can it be performed before the MU reporting period?”, “Must it be done during the reporting period?” and even “Is it true it can be done after the reporting period?”
To answer these questions we only have to look to CMS for the alpha and omega clarification of this issue and put it to rest, once and for all. “EPs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR reporting period and attest to that conduct or review. The testing could occur prior to the beginning of the first EHR reporting period. However, a new review would have to occur for each subsequent reporting period.” The language is the same for hospitals.
Now why is this important? From what I have seen in many CMS MU audits a common denominator of failure is often the absence of a Security Risk Analysis. If you don’t have one that was performed within the proper time window you will fail the audit and all received incentives for that year’s attestation will go back. 100%. Many eligible professionals are in their second or third year of Medicare meaningful use and their 2013 reportable period is the entire year. Time is running out if they have not yet conducted a documented review of an existing Security Risk Analysis for 2013. A word to the wise: there are less than 6 weeks left to take care of this documentation and the absence of diligence in this matter will certainly bring great risk. There are but a few grains of sand left to fall through the hourglass. If you are unsure if you have this MU base covered I have simple advice. Reach out immediately to a trusted source. My sermon ends. Enjoy your turkey next week.
Jim Tate is known as the most experienced authority on the CMS Meaningful Use (MU) audit and appeal process. His unique combination of skills has brought successful outcomes to hospitals at risk of having their CMS EHR incentives recouped. He led the first appeal challenge in the nation for a client hospital that had received a negative audit determination. That appeal was decided in favor of the hospital. He has also been successful in leading the effort to reverse a failed appeal, even after the hospital had received notification of the failure with the statement, “This decision is final and not subject to further appeal”. That “final” decision was reversed in less than a week. If you are a hospital with questions or concerns about the meaningful use audit process, contact him at: audits@emradvocate.com. This post was originally published on MeaningfulUseAudits.com.