Meaningful Use Attestation: Avoiding a HIPAA Audit

April 9, 2015

When attesting to meaningful use, be sure you are truthful about your HIPAA compliance efforts. Otherwise, you could risk being audited.

According to Webster's Dictionary, attest is defined as, "(1) to affirm to be true or genuine; specifically, to authenticate by signing as a witness; (2) to verify the usage of; (3) to be proof of; or (4) to put on oath." In relation to Medicare, physicians attest to the validity of their statements in a variety of submissions, including meaningful use. By selecting certain answers and signing the Attestation Worksheet, a physician is indicating that the statements/answers contained therein are true. In the event of an audit or other inquiry, these statements can pose significant problems if they are less than truthful.

For example, Question 13 on the EHR Incentive Program Attestation, requests a yes or no answer to the following items:

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

This answer is directly related to HIPAA and what is required. If a physician's practice has never undergone a third-party HIPAA audit, then how can this question be answered in any other way other than "no"? Now, what if HHS sees this as a red flag and sends it over to OCR to conduct a HIPAA audit on top of it? And, when a physician attests on the Medicare Provider Attestation, they are affirming that they are in compliance with all relevant laws. A seemingly simple question has multiple layers to it, both in terms of residual questions and liability.

At a recent American Health Lawyers meeting, Elizabeth Holland, director of the Office of E-Health Standards, HIT Initiatives Group, indicated that the attestation is the central focus of the HIPAA audit. Moreover, she said, "the top three failed measures by EPs during Stage 1 audits were: protecting electronic health information, clinical summaries, and access to certified electronic health record technology." Holland noted that the measure of protecting electronic health information also is a Health Insurance Portability and Accountability Act requirement, so shouldn't be something that EPs are failing to achieve. For Stage 2 audits, the top three failed measures were: generate lists of patients, protecting electronic health information, and use secure messaging.

For physicians, the take-aways are:

1. Make sure that the practice's annual risk assessment and risk analysis, which are required under HIPAA, are conducted.

2. Answer the statements on any attestation truthfully.

3. Utilize secure technology when creating, receiving, maintaining, or transmitting protected health information.