Meaningful Use Audits, HIPAA Privacy and Security and Safeguards

Meaningful Use requires both compliance to HIPAA Privacy and Security and compliance with HITECH Act safeguards.

The HIPAA Security Rule§ 164.316(b)(1) requires HIPAA covered entities to

“Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

HIPAA Covered Entities must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

The HITECH Act, which was enacted as part of ARRA, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information. While the HITECH Act mirrors HIPAA, it elaborates with specific requirements including:

For example, §170.302(o) Access control requires that HIPAA covered entities assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

If your firm is audited with respect to a Meaningful Use Attestation you will need to provide, among other documents:

  • Documentation including budgets for HIPAA privacy and security risk analysis
  • Meaningful Use reports from CEHRT (certified E.H.R. technology) and screen shots
  • Documentation from the certified E.H.R. vendor
  • Clinical quality measure information

If your firm has proof of exclusion from any measure that must be provided as well, though there are no exclusions for HIPAA security or HITECH Act Safeguards.

Policies and procedures must :

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”][the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

Eligible hospitals and CAHs must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.

Eligible hospitals and CAHs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR.  If there are any changes in your E.H.R. or security infrastructure, ensure that you document updated risk assessments.[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

Michael F. Arrigo

Michael Arrigo brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health IT, and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations who provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and medical billing, fraud damages, as well as electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, medical malpractice, insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi $million investor exit by a company now merged into Axway Software SA (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls IT audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience. Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol ForumThe Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by Healthcare Financial Management Association (HFMA) and is published in Healthcare IT News.

Leave a Reply