Falsely Attest to Meaningful Use: Go To Jail

June 22, 2015

Falsely attesting to meaningful use earns a 23-month prison sentence and $4.5 million in restitution for a former Texas hospital CFO.

CMS warned that falsely attesting to meaningful use could mean refunding all of the money, investigation for fraud, and fines and/or prison time if convicted. Many people thought, "They will never check on my small company," but there is a long period of vulnerability, since you have to keep the records for six years and they can act at any time in that period. If they find that you falsely attested, they can use the federal False Claims Act, and other state laws may apply.

In the audits done to date by Figliozzi and Company, the most frequent issue is Core Measure 15. Core Measure 15 is one of the absolute requirements under the HITECH Act. It states: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”

The problem for false attesters is that a risk assessment or risk analysis is a well-defined process that occurs at a specific time and documents the status of compliance with the security rule on that date. This qualifies as a litmus test: “a test in which a single factor (as an attitude, event, or fact) is decisive.” You either have a qualified risk assessment done on a date prior to the attestation or you don’t.

But let’s say you have the risk assessment. Are you then in a safe harbor? Not really, because the next part of Core Measure 15 says “implement security updates as necessary and correct security deficiencies as part of its risk management process”. The word “process” is critical here. HHS always states that HIPAA compliance is a process, not an event. So the risk assessment is an event that must trigger a process, an ongoing process. If you do the risk assessment but don’t set up the process, you have just qualified for “willful neglect”.

The point of all of this is that, whether you are applying for meaningful use funds or just trying to comply with HIPAA Omnibus Rules, you must have in place a continuous process of risk assessment, remediation, and training.

For more information, contact Jack@compliancehelper.com or Jack.K@acr2solutions.com.
