How to conduct a thorough EHR audit
An EHR audit should be conducted for a number of reasons; foremost among them is assuring that a practice maintains Meaningful Use compliance. Although there is no guarantee that a practice that has attested to Meaningful Use will be audited, CMS plans to audit at least 5% of Meaningful Use attesters in the next year.
The results of audits already completed indicate that nearly a quarter of the practices audited have failed.
Given the amount of money on the line in the event a practice is unable to meet Meaningful Use criteria, maintaining a strong internal audit protocol is vital.
A second reason for conducting an internal audit is that it provides a level of precaution against a number of risk factors that arise from threats to data security. With an ever-present risk of data breaches, whether from accidental disclosure or malicious attack, and the cost of a healthcare breach estimated at around $383 per record, conducting an internal audit that goes above and beyond Meaningful Use standards should be considered a matter of best practice.
Below we outline four important steps to conducting an effective EHR system audit.
1. Treat Meaningful Use as the baseline
First, a practice should always treat the Meaningful Use audit checklist provided by the government as the baseline steps for an EHR audit. The government checklist can be found online. Using the steps prescribed by the government allows for a methodical approach to internal audits. However, as discussed below, these steps should be treated as only the beginning.
2. Understand that Meaningful Use and HIPAA and HITECH compliance are not enough
The requirements for Meaningful Use compliance and HIPAA certainly overlap, and the Meaningful Use security requirements have been viewed as redundant with the preexisting duties found under HIPAA and HITECH. Do not be lulled into the assumption that compliance with all three of these standards will eliminate all forms of security risk: they set a regulatory floor, not a ceiling, and an attacker is not bound by the scope of an audit checklist.
3. Be ready for the Phase 2 HIPAA Audit Program
4. Do not forget about state-specific data handling rules
HIPAA and HITECH take all the attention from a data privacy perspective; however, the prominence of these regulations often overshadows the fact that many states maintain their own data privacy standards. Therefore, it is important to understand the compliance and audit procedures at the state level and incorporate them into the overall risk strategy.
Whether preparing an internal EHR audit or for an external one, never view too much precaution as a waste of resources. Given the financial risk of noncompliance or a data breach, the cost of over-preparation will never exceed the cost of failure.