Have you been selected for a HIPAA Audit? CMS is now sending letters to eligible providers asking for supporting documentation before it pays out your Meaningful Use incentive. In the past, CMS sent the money first and asked for it back if a later audit found a problem. With these pre-payment audits, the payment is withheld until you prove everything you attested to.

What are they looking for?

For Tier3MD clients, the audit focuses mainly on the protection of ePHI. According to the letter, CMS is looking for a security risk analysis of the eligible professional's (EP's) Certified Electronic Health Record Technology (CEHRT) system, performed no earlier than the start of the reporting year and no later than the date of attestation (i.e. a report documenting the procedures performed during the analysis and the results of the analysis). The analysis must be in accordance with the requirements of 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in the CEHRT in accordance with 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). The analysis could have been performed before the beginning of the first EHR reporting period, but a new review has to be performed for each subsequent reporting period. You should also supply documentation showing that the EP implemented security updates as necessary and corrected the security deficiencies the analysis identified.

What to do if you do not have an SRA

If you have been selected for a HIPAA audit and have not had a security risk assessment (SRA) performed, the first thing to do is contact your IT department or IT provider. As a business associate, they should know what you need and may already have performed tests and run reports that meet part of the requirement. For example, a good MSP will have system monitoring agents in place, push out patches, test backups, maintain written policies with checklists, and document any system problems. That evidence of ongoing patching and remediation is what the auditor wants to see alongside the risk analysis itself, which still has to be documented as its own report. It's worth a shot.

Other Measures Audited

Aside from the security portion of the audit, you will want to make sure you use a certified EHR and can prove it. You will also want to show you are using the certified EHR correctly by being able to document the number of unique patients, the e-prescribing measures, and the CPOE objective, including orders for labs, x-rays, and so on. Make sure you meet the 10% patient-specific electronic education measure, and that you can provide printed clinical summaries to your patients within the required time frame.

If you have been selected for a HIPAA audit, make sure you have your ducks in a row. There are numerous resources that can help you with the requirements; start with the HHS and ONC websites. If you have any questions, please contact Tier3MD.


If you have been selected for a HIPAA Audit, we can help.