#40098
01/24/2012 1:55 AM
OP, Member, Joined: Jan 2012, Posts: 22
As a newbie, I had a couple of questions on meaningless use. One is the core requirement for the security check. Should I get some IT person in to look at my system and "attest" that it is adequately secure and keep it as documentation, or is that overkill? The other is under the CQMs for BP checks. It says: % of visits of pts with HTN that have been seen for at least two visits with BPs recorded. Does that mean two visits within the chosen 3-month reporting period? If most are controlled, you may only see them once within 3 months? Thanks for any help.
Donald Phillips MD Cedar Hill, Texas
Member, Joined: Dec 2007, Posts: 1,244
Hi Don, I can help answer your questions:
1) The security component of the core measures. There is specific language that the office of CMS is using to determine what constitutes a secure system. Some people erroneously believe it is simply having passwords on your computer, but it was painful for me to learn it is much, much more than this. Some feel they can just click the "attest" button and be done with it. But the process is actually written by statute, which is (not surprisingly) very complex. I have a toolkit that my Regional Extension Center in Maine gave me. I'm happy to email it to you. If you don't want this, I would encourage you to contact the REC in your state. There are numerous files in the toolkit and they can't be posted here. Please either PM or email me if you would like these tools. It will take a great deal of effort to truly comply. I did it myself. It would be money well spent to employ someone else to do it, if you don't have time. It is definitely not overkill to keep this process documented for this core measure. In fact, if you are audited, you will be required to prove that you conducted an internal audit of your security. You are also required to demonstrate which policy you enacted to address any deficiency in your security. This is no doubt the toughest measure to meet correctly with the proper documentation. However, it's definitely doable. If you were to poll other physicians, I'm quite certain you would find a majority who did not attest to this correctly. It's ultimately up to you if you wish to do this measure correctly, or trust that simply having a firewall and passwords will protect you in an audit.
2) HTN CQM. You are correct in assuming this means two visits within the chosen reporting period; in your case, attesting for the 1st time, it is a 90-day minimum. However, you are allowed to collect data for a longer than 90-day term if you wish. Are you attesting for 2011 or 2012? If 2012, you are all set. Simply report for the whole year or most of the year. If you only report on 90 days, surprisingly you will probably have at least one or two visits. You only need one to make this denominator greater than zero and therefore have passable numbers. Don't worry, it will most likely happen. Make sure, however, that you use ICD9 code 401.1 when selecting the diagnosis for HTN patients in order to tell AC that this patient has HTN. Otherwise it won't track them properly.
Again, let me know if you want the security toolkit; I'm happy to send it. The files are huge, over 10 MB, and most email systems won't accept files >10 MB. I would split it up into two zip files for email, or mail you a CD-ROM. Just let me know.
Adam Lauer, DO (solo FP) Twin City Family Medicine Brewer, ME
G Member, Joined: Apr 2011, Posts: 2,316, Likes: 2
"there is specific language that the office of CMS is using to determine what constitutes a secure system."

This is the opposite of what I've heard. CMS didn't introduce any new measures with meaningful use. They do have some suggestions, however. The main thing you want to do is document what you have in place and any loopholes you can think of, and how you plan to resolve them. The language is intentionally left vague so as not to impose any restrictive measures. Here's a guide that CMS often refers to: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf That'll help with the documentation. EDIT: They emphasize physical security, as a lot of people forget about things like natural disasters, theft, or power outages.
Last edited by Sandeep; 01/24/2012 6:54 AM.
Member, Joined: Sep 2009, Posts: 2,986, Likes: 5
This is what I found most relevant: "HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources. Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider: Its size, complexity, and capabilities; Its technical, hardware, and software infrastructure; The costs of security measures; and The likelihood and possible impact of potential risks to e-PHI." Bold added. The source for the quote is the following reference in the CMS description of the rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Jon GI Baltimore
Reduce needless clicks!
G Member, Joined: Apr 2011, Posts: 2,316, Likes: 2
Agreed, Jon. Specific technical implementations have not yet been specified. If they were, I doubt anyone would be P2P. That's another reason I suggest the "server/client" setup in the event they do start specifying requirements.
Last edited by Sandeep; 01/24/2012 9:06 AM.
OP, Member, Joined: Jan 2012, Posts: 22
Thanks for the help. I knew it would be confusing if it's government. Adam, I will try our Texas REC and, if not satisfied, will try to get that info from you. I am solo with a wired system and AC on my desktop with two other computers. I was hoping it would be simple. I can just see them auditing everyone over the next few years, and after you collect $18,000 and pay $7,000 to the IRS, they come and want the $18,000 back because of a loophole.
Donald H. Phillips MD Cedar Hill, Texas
Member, Joined: Dec 2007, Posts: 1,244
Don, your point is well taken, and that's why I am following my REC's advice on the toolkits for security implementation. I don't want to give back $18,000 plus fines and penalties if audited and found not to be compliant with MU attestation.
Despite what the others were kind enough to post from the CMS website, the toolkit they gave us is loaded with references derived from HIPAA security measures. In fact, the entire toolkit is created specifically to the HIPAA security rules.
I agree with Sandeep that there is a major emphasis on physical security. In fact, many of the questions on the internal audit are geared at physical security and accidental errors by staff. Malicious outside attacks are barely covered in the security audit.
One main point to remember: it's an internal audit. Think of it this way: you conduct a self-review of your potential security breaches. You identify none, you are done. You identify a few, write a brief policy in the policy manual for the office addressing the security deficiency, and you are done. What was tedious was going through the entire self-audit, reviewing dozens upon dozens of potential scenarios and dozens of questions asking about the security of my system.
Best of luck! I'm sure you'll do fine.
Adam Lauer, DO (solo FP) Twin City Family Medicine Brewer, ME