An article in Modern Healthcare provides an overview of the Meaningful Use (MU) audits coming to a neighborhood near you. The federal government chose a third-party contractor (Figliozzi & Company) to audit 5% of participants in the EHR Incentive Program. Only a few audits have been conducted to date, but some have entered the appeals process. Some findings have been referred for possible fraudulent activity.
One of the most common findings to date has been non-compliance with the security risk assessment that is required under Meaningful Use Stage 1. The Office of the National Coordinator produced a Guide to Privacy & Security of Health Information that outlines these requirements, and Core Measure #15 has further details. Note that the MU requirements “… are not intended to supersede or substitute for compliance required under HIPAA.”
Another resource is the 10-step plan for Health Information Security and Privacy from HealthIT.gov.