{"id":2023,"date":"2015-04-10T09:51:38","date_gmt":"2015-04-10T13:51:38","guid":{"rendered":"http:\/\/162.144.41.148\/~msinc\/__production\/website\/?p=2023"},"modified":"2015-07-27T10:27:33","modified_gmt":"2015-07-27T14:27:33","slug":"security-risk-assessments-what-you-need-to-know","status":"publish","type":"post","link":"http:\/\/162.241.140.166\/~msinc\/newsletter\/security-risk-assessments-what-you-need-to-know\/","title":{"rendered":"Security Risk Assessments – What you need to know."},"content":{"rendered":"

IF YOU ARE A MEDICAL PRACTICE, WE STRONGLY URGE YOU TO READ THE ENTIRE THREAD AS IT WILL HELP PROTECT THE PRACTICE.<\/strong><\/p>\n

Earlier this year, the Medical Association of Georgia (MAG) released an alert on their website and email campaign urging practices to confirm they are meeting all of the \u2018meaningful use\u2019 requirements in full. The Centers for Medicare and Medicaid Services (CMS) plans to conduct 38,000 retroactive and pre-payment audits in 2015, and it is stressing that it will recoup the incentives from practices that did not meet the requirements in full.<\/p>\n

CMS auditors have reportedly stated that \u201c\u2026being found deficient on any one measure will cause a provider to be out of compliance. In this case, CMS will recoup the provider\u2019s entire stimulus for the reporting period in question.\u201d CMS has up to six years to conduct an audit for a given year.<\/p>\n

Bill Steuer with GSG Compliance, LLC says, \u201cMany practices attesting for Meaningful Use, will satisfy each of the requirements for that particular stage, except to actually complete the required Security Risk Assessment.\u00a0 What they do not understand is that if they get audited, CMS can and will take back 100% of the stimulus funds they received for not fully completing the attestation requirements.”<\/p>\n

He states, “additionally, practices who do not<\/strong> attest for Meaningful Use, have the misconception that they do not have to complete a Security Risk Assessment. The reality is that the HIPAA Security Rule was enacted in 2003, well before the Meaningful Use program, and it requires practices mitigate their security risks by periodically performing a Security Risk Assessment.<\/p>\n

Medicus Solutions specializes in healthcare informatics and we are here to help. We have started to see these audits in practices which we support. Completing the security risk assessment is the responsibility of the practice due to the areas which is involves<\/span><\/strong>. <\/span>We strongly urge each and every practice to review all of their documentation and specifically your security risk assessments. You should have a completed security risk assessment for each year \/ reporting period and it must be updated with risks and risk remediation plans.<\/p>\n

We have received a number of requests from clients over the past couple months for Medicus to complete the practice\u2019s security risk assessment. A security risk assessment is compiled of at least three (3) areas which include administrative safeguards, technical safeguards, and physical safeguards. Completing a risk assessment requires a time investment and Medicus is here to help its clients with the technical portion of the risk assessments included in our support. Practices will need to complete the administrative and physical safeguard sections.<\/p>\n

The Office of the National Coordinator for Health Information Technology (ONC) has worked with the Health and Human Services (HHS) Office for Civil Rights (OCR) and the Health and Human Services (HHS) Office of the General Counsel (OGC) to develop a tool to help practices complete a security risk assessment.<\/p>\n

We have provided access to the tool the ONC has released on our website for your convenience. This includes paper-based versions of the tool, iPad version of the tool, a desktop computer version of the tool, and the user\u2019s guide for the tool. There are a total of 156 questions. Resources are included with each question to help you:<\/p>\n