Another Way Meaningful Use Won’t Work “Out of the Box”

Posted on November 8, 2011 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One good thing that could come out of my post about Meaningful Use Attestation Issues is that it will hopefully awaken providers to realize that meeting the meaningful use requirements requires more than just opening your proverbial “EHR software box.” Indeed, you have to do a fair amount of work to make sure that you’re using your EHR software in the right way to meet the meaningful use measures.

In fact, in response to that post, Mike Regan from ACR2 Solutions pointed out one meaningful use requirement that EMR software can’t accomplish.

The company I work with focuses on Risk Assessments for the HIPAA Security Rule and Meaningful Use Item 15. We found a number of EMR vendors who guaranteed their clients that all that the client needed to do for Item 15 is install their EMR software. Most folks would realize that an EMR software package cannot accomplish a Risk Analysis required by 45 CFR 164. Granted, the EMR vendor can ensure that the data is encrypted and access properly controlled, but that is about all they can do. How would the EMR software know about the client’s written HIPAA Security Rule policies? We contacted many of the vendors to make them aware of a potential problem with their marketing pitches. As recently as a month ago, we found a sales rep for a major EMR vendor still spouting the “just install our software that is all you need for Meaningful Use” marketing pitch. We even pointed out to him that his own CTO had recanted that pitch and now the legal department has added verbiage to the sales agreement indicating that their clients must meet the requirements of privacy and security laws.

We have informed CMS of the problem and they are looking into the issue. The recent OIG tasking to review Meaningful Use recipients to ensure that they met the requirements may have been the outcome. I’m certain that there are a number of providers who have attested that they have completed Item 15 who have not completed a proper Risk Assessment based on this erroneous guidance from EMR vendors. While I doubt there would be legal action taken by CMS given that the provider acted in good faith and was misled by the marketing pitch, what action would be taken against the provider remains to be seen.

Yes, this is going to get very interesting indeed. I guess people should know that they have to dot all their i’s and cross all their t’s when they’re getting money from the government. I have a feeling a bunch of basically innocent people are going to get hurt by things like this. Although, I am cautiously hopeful that CMS will be reasonable with it all.