Some EHR Incentive Payment Recipients Lacked Risk Assessments
Audit Finds Millions Paid Inappropriately Due to Lack of Evidence
Although OIG found 6 percent of eligible professionals in its review sample were unable to support their attestations of conducting a security risk assessment, Keith Fricke, partner and principal consultant at tw-Security, says the actual figure among healthcare providers who have weak security risk assessment practices is likely higher.
“It is probably a safe bet to say that more than 6 percent do a poor job of conducting or documenting security risk assessments, but I don’t know how much higher the metric is,” he says. “Some organizations don’t fully understand what a risk assessment involves. Others may conduct a risk assessment and document the findings but take no action on addressing findings. I often see documentation that states it is a risk assessment, when in fact, it is really a HIPAA gap analysis. Those are two very different things.”