Wednesday, October 3rd is the last day for Eligible Professionals (EPs) to start attestation for the Meaningful Use Medicare program. The Medicare version of Meaningful Use requires EPs to complete a 90-day period in which they meet all of the core and menu measures. EPs hoping to attest this year need to implement an electronic health record (EHR) in the early days of September.

XLEMR is proud to announce the launch of our new web-based product just in time to help you attest for meaningful use in 2012. Web-based systems offer rapid deployment, require less IT infrastructure, and cost much less up front. Although many web-based EHRs are generic, cookie cutter systems, XLEMR’s web-based architecture allows us to offer the same level of customization that makes our client-server version so popular.

In addition, XLEMR is in the early stages of partnering with Vertiga PM, a robust billing and scheduling system formerly known as MPM Soft. If your practice is looking for a new billing and scheduling system, Vertiga PM could be right for you. If you are looking to stay with your current practice management system, we can usually interface with what you have now.

Our basic web-based version costs $125 per provider per month, with an additional $50 per non-provider user per month. XLEMR requires additional third-party software titles in order to comply with meaningful use. Our web-based system requires a six-month contract.

We are offering a September Sign-up Special that includes three hours of free training to those who sign up for our web-based version of XLEMR prior to September 15th. If you would like more information about our web-based EHR, please contact us at info@xlemr.com or contact Ryan at 678-908-3543. We look forward to hearing from you.

CMS launched its program to audit meaningful use participants in July. The ONC Privacy officer announced it will audit ten percent of meaningful use recipients to see if they have complied with the appropriate criteria. Practices will have two weeks to comply and will have to refund the money if found to be negligent in any one area.

Accounting firm Figliozzi & Company, a New York firm, are conducting the audits. The firm sends letters to practices requesting documentation to support their attestation, such as: Documentation from the ONC to show they used a certified EHR system during attestation; Information about emergency department admissions; and documentation that the provider completed the appropriate number of core and menu measures. At this time the audits will not require site visits.

Keep in mind that meaningful use core item 15 requires providers to conduct or a review a security risk assessment as required by the HIPAA security rule. Failure to conduct a risk assessment and produce the required documentation could result in forfeiture of any meaningful use monies received. Be sure your practice has conducted a risk assessment based on the NIST 800-30 standard. A simple check list or vulnerability scan is not sufficient.

Do not neglect your risk assessment if you are attesting for meaningful use. Please feel free to contact us at info@xlemr.com if you need help. Prices start just below $1000 for small practices, and our consultants can complete a baseline assessment in about four hours. Don’t gamble with your meaningful use payments, let us help.

If you have been in the Health IT (HIT) space for any length of time, you will remember when Atlanta’s Piedmont Hospital was audited for HIPAA compliance back in March of 2007. Fast forward to our era of Meaningful Use. Health and Human Services (HHS) has announced a new round of HIPAA audits for those practices which have received meaningful use funding. HHS expects to audit about ten percent of meaningful use participants.

How can you prepare your practice for an audit? The first step is to conduct a standards-based risk assessment. Incidentally, a risk assessment is also the first step required by the HIPAA security rule and is also core item 15 in meaningful use stage one. Completing a risk assessment will give you a prioritized list of items to address.

Once you have completed your risk assessment and begun remediation, going through a mock audit is a useful exercise. It will help you prepare answers in advance and ensure all your policies are easily located. Here are a few of the questions and items HHS asked Piedmont Hospital to answer or provide during their audit:

1. Establish and terminate user access to electronic protected health information (ePHI)
2. Inactive session time out
3. Employee violations and sanctions
4. Risk assessment results
5. Password management
6. Firewall, router, and switch configuration
7. System, network, and device monitoring
8. Regular reviewing of system activity, audit logs, and access reports
9. Antivirus and patch management
10. Wireless security configuration
11. Provide a list of systems that house ePHI
12. Provide a list of recently terminated employees and new hires
13. Provide a list of encryption algorithms.
14. Provide a list of outsourced contractors with access to ePHI.

HITECH, the act that brought you meaningful use, also amended HIPAA law. The HITECH amendments increased the maximum fine for willful negligence to $1.5 million. If your practice is participating in the meaningful use program, it’s time to get serious about security. If you have questions about security compliance, risk assessments, or audits, please feel free to contact us at info@xlemr.com. We look forward to hearing from you.

If your practice is attesting for meaningful use (MU), there is a good chance you could be audited. Unfortunately, many practices over look core item 15, which requires a HIPAA risk assessment and remediation. In addition, CMS expects you to develop a plan and improve your security and compliance over the course of the HITECH program. Although managing security can be a hassle, here are a few tips to get you started.

Start with a risk assessment. MU Stage one and the HIPAA security rule both require risk assessments. Instead of implementing technologies haphazardly, a risk assessment will give you a prioritized punch list. Follow the plan, and focus on the high-risk items first. Whether you hire a consultant, or use a software-based assessment, be sure it uses the NIST 800-30 standards. You do not want to waste time with a sub-par assessment.

Second, implement a disaster recovery plan complete with local and off-site backups. Chances are this will be one of the high-risk items on your risk assessment. As such, it should receive your undivided attention. Compliance is important, but preserving your data is critical. Backing up your data locally and off-site will prevent data loss, which could shut down your practice and put you at risk of HIPAA prosecution.

Third, create password management policies. Most practices do not manage passwords effectively. Computers may not even require passwords, and when they do, chances are the passwords are very simple, have never been changed, or are even written down on a near by sticky note. Create a sensible policy addressing password length, complexity, and rotation. Make sure employees do not share passwords or write them down.

Next, check the status of antivirus and software updates for all computers. Malicious software not only harms your computer, but it can result in a data breach as well. Make sure every computer has antivirus software that updates daily. Windows security updates also play an important role, so be sure you download and install them as soon as possible.

HIPAA and security compliance is a complex process that addresses many other areas. Our consultants at XLEMR have years of experience conducting risk assessments and implementing security policies and controls. If you would like more information about how we can help you on the road to compliance, please contact us at info@xlemr.com.