Have you ever noticed the part of the Meaningful Use standards that requires an annual risk assessment of EMR security? Privacy professionals have stressed that the risk assessment is critical to both Meaningful Use and HIPAA/HITECH compliance, but healthcare organizations tend to put off spending the time, effort, and money needed to perform and update the assessments.
While some hospitals and healthcare organizations don't treat the requirement as a priority, one Arkansas hospital has learned that it can be a $900,000 priority. Drew Memorial Hospital in Monticello, AR, received notice in mid-September that it had failed its Meaningful Use audit, which measures compliance with the federal program that funded electronic medical record implementation.
The hospital states that it passed 18 of the 19 compliance points, but failed on the annual risk assessment for both of the years being audited. The hospital had reportedly performed risk assessments in 2005 and again in 2013, but missing the annual requirement in the audited years has resulted in a demand from the federal government to refund the program payments received in those years, totaling $904,000. The hospital is reportedly appealing the ruling, but has not made its theory for reversal public.
Drew Memorial's statements indicated that the hospital was an early participant in the program and lacked both program experience and the example of other organizations to guide it. It was also among the first subjects of audit programs that are now ramping up, but that are projected to audit only 5 to 10 percent of program participants. More than $16 billion has already been paid to healthcare providers under the program, and Drew's leadership predicted that other hospitals will face similar back-charges if they are audited.