SanjeevP,
I practice in Maine, and our REC gave us that same exact spreadsheet.
Yes, it's complicated.
Yes, it takes a long time to fill it out the first time.
However you can update it and use the same spreadsheet in subsequent years of MU attestation.
If you want to survive a CMS audit when they came knocking on your door three years later asking for the money back, I would STRONGLY suggest that you complete it. I have this spread sheet for each of the THREE years that I've attested to MU (2011, 2012, and 2013).
Simply having passwords on your server and in AC will definitely NOT sustain audit.
Sorry for the hard truth, but I'm passing along both what i've researched from CMS and the REC in Maine.
Please be careful attesting to this requirement, it's the most complicated of all.
Remember it's an INVENTORY, it's not a requirement of compliance. You have to identify the status of potential security breaches. You don't actually have to fix them, but you need a plan in order to address the deficiencies even if you don't actually fix the deficiencies. that being said, if you identify deficiencies you really SHOULD fix them to prevent a violation of HIPAA and the revisions to security passed in the HITECH act (OMNIBUS ruling).
sincerely,
Adam
