How to conduct a thorough EHR audit

An EHR audit should be conducted a number of reasons; foremost among these reasons involves assuring a practice maintains Meaningful Use compliance. Although there is not a guarantee a practice who has attested to Meaningful Use will not be audited, CMS plans to audit at least 5% of Meaningful Use attesters in the next year.

The results of audits already completed indicate that nearly a quarter of practices audited have failed.

Given the amount of money on the line in the event a practice is unable to meet Meaningful Use criteria, maintaining a strong internal audit protocol is vital.

A second reason for conducting an internal audit is that an audit can provide a level of precaution against a number of risk factors that arise from threats to data security. With an ever-present risk of data breaches from either accidental disclosure or malicious attack and the hefty cost of a healthcare breach estimated to reside around $383 per record conducting an internal audit above and beyond Meaningful Use standards should be considered a matter of best practices.

Below we outline four important steps to conducting an effective EHR system audit.

1. Treat Meaningful Use as the baseline

Firstly, a practice should always treat the Meaningful Use audit checklist provided by government as the baseline steps for an EHR audit. The government checklist can be found online. Using the steps prescribed by the government will allow for a methodical approach to internal audits. However, as will be discussed below, these steps should be treated as only the beginning.

Recommended reading: EHR implementation: 6 steps to success - Get step-by-step information on how to implement EHR effectively

2. Understand that Meaningful Use and HIPAA and HITECH compliance are not enough

The requirements for Meaningful Use compliance and HIPAA certainly overlap and have been viewed as redundant to the preexisting duties found under HIPAA and HITECH. Don’t be lulled into the assumption that compliance with all three of these standards will eliminate all forms of security risks.

The foundation of a strong security risk mitigation program rests in a solid internal privacy policy. The privacy policy should serve as a clear model which all stakeholders in a practice should model their data handling practices. A strong privacy policy should provide guidance on such as topics as workstation security, passwords, establishing an audit trail for record handling, access controls, and the use of mobile and off site devices among other topics.

3. Be ready for the Phase 2 HIPAA Audit Program

Beginning in 2016 OCR will begin conducting its Phase 2 HIPAA Audit Program, which will review the policies and procedures adopted and employed by covered entities to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. The main takeaway from the initiation of this continued EHR audit program is that the privacy policy discussed above should take into account not only security and privacy but also breach notification protocols.

4. Do not forget about state-specific data handling rules.

HIPAA and HITECH take all the attention from a data privacy perspective; however the importance of these regulations often overshadow the fact that many states maintain their own data privacy standards. Therefore, it is important to understand the compliance and audit procedures at the state level and incorporate them into the overall risk strategy.

In the case of internal EHR audit and the preparation of external audits, never view too much precaution as a waste of resources. Given the financial risk of noncompliance or a data breach, over-preparation will never exceed the cost of failure.