With the overwhelming amount of work that most clinics and practices face every day, sometimes it’s hard to plan past the next patient’s appointment time – much less start planning for a 90-day Meaningful Use attestation period that isn’t technically required for months. But with the last chance to begin the 90-day 2012 reporting period for the Medicare EHR Incentive Program rapidly approaching on October 3, getting ahead of the game is worth a little extra prep time.
Important Medicare Dates to be Mindful of:
- October 1, 2011 – Reporting year began for eligible hospitals and CAHs.
- January 1, 2012 – Reporting year began for eligible professionals.
- May 2012 – EHR Incentive Payments began.
- July 3, 2012- Last day for eligible hospitals to begin their 90-day reporting period to demonstrate meaningful use for the Medicare EHR Incentive Program.
- September 30, 2012 – Last day of the federal fiscal year. Reporting year ends for eligible hospitals and CAHs.
- October 3, 2012 – Last day for eligible professionals to begin their 90-day reporting period for calendar year 2012 for the Medicare EHR Incentive Program.
- November 30, 2012 – Last day for eligible hospitals and critical access hospitals to register and attest to receive an Incentive Payment for FY 2012 under the Medicare EHR Incentive Program.
- December 31, 2012 – Reporting year ends for eligible professionals.
- February 28, 2013 – Last day for eligible professionals to register and attest to receive an Incentive Payment for calendar year (CY) 2012.
Although every measure designated by Meaningful Use is important to ensure you receive the maximum incentive payment, the easiest to evaluate – and therefore most heavily audited – is the security risk analysis. Essentially an audit in and of itself, the security risk analysis is more easily verified than other Meaningful Use Measures, which consist primarily of demographic information that can be time-consuming and costly to pull out of an EMR. Although every measure should be met accurately, focusing on the one that will almost surely be scrutinized is wise.
Getting your practice in order now can guarantee peace of mind come September, when most others will be scrambling to get their act together. Some unprepared practices may even get left behind. Waiting until the last minute can result in massive penalties (should you be audited and they find problems) since practice administrators are more likely to run into problems they don’t have time to fix and could end up unable to complete a security risk analysis at all by the deadline.
But beware of the “security risk analysis” that is inaccurate, incomplete or misleading. Questionnaires, network vulnerability scans, configuration audits or penetration tests, among many others, are NOT complete risk analyses under the requirements set forth by the HHS/OCR. According to an OCR-issued document regarding risk analysis requirements under the HIPAA Security Rule: “A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, … resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.“
The Security Risk Analysis offered through ScanSTAT Technologies is specifically designed to be secure, accurate and comprehensive under these regulations. Additionally, getting your Security Risk Analysis through ScanSTAT is cost-effective, saving you the time of trying to figure it out on your own. Remember, investing in a quality Security Risk Analysis costs far less than the fine you would face for not having one.
Avoid the end-of-the-year dash, and start planning for your Security Risk Analysis today. We invite you to join us for an upcoming educational webinar, “Measure 15: Don’t Do It Alone!” on July 24 at 2pm CST, or by contacting one of our security risk analysis experts today.