Successfully Navigating Health Care Reform Vol. 1 | Page 6

Experience the Brown Smith Wallace Difference

HIPAA/IT Controls, Privacy and Security

All too often, organizations are unaware of the information security risks they face, and are unable to manage the impact in the event of an information security and privacy breach. Businesses may face potential litigation, regulatory fines, and reputation issues if sensitive information is not properly protected. The risks are typically higher in industries with complex regulatory requirements such as Health Care, in organizations that are unable to determine what constitutes sensitive data, and in organizations that lack an integrated approach to data privacy.

Recently, the rules have been tightened to also cover business associates, organizations with which a covered entity shares PHI. These changes mean that business associates now have to fully comply and be accountable under the HIPAA security rule.

Our team will examine your critical business systems and determine the level of exposure you have to internal and external threats. We will work with you to complete Risk Assessments, analyze and minimize HIPAA IT and operational risks, protect and secure PHI, train your workforce on HIPAA regulations and compliance, and help develop and implement compliance plans.

Additionally, we provide a wide array of security and privacy services to assist organizations in identifying and addressing potential risks and security exposures (such as loss of customer data, loss of revenue and reputation damage) before they become problems, as well as the completeness of their control infrastructure.

“Brown Smith Wallace has provided a complete suite of HIPAA security and privacy services to many of our clients on a national basis. Over the years we have developed a relationship with Brown Smith Wallace as a trusted HIPAA resource service provider and expert. If our clients request or require HIPAA support, we refer them to Brown Smith Wallace as an option for service. We have always had positive feedback from those referrals and look forward to having Brown Smith Wallace continue to be our HIPAA resource partner.”
Jay Kirschbaum, Willis Group

Meaningful Use Services

The Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs provide financial incentives for eligible professionals, hospitals, and critical access hospitals (CAHs) to use certified EHR technology to improve patient care. To receive an EHR incentive payment, providers must meet attestation and performance measures, designed by CMS, to demonstrate “meaningful use”.

The Medicare and Medicaid EHR Incentive Programs are staged in three steps with increasing requirements for participation. All providers begin participating by meeting the Stage 1 requirements for a 90-day period in their first year of meaningful use and a full year in their second year of meaningful use. After meeting the Stage 1 requirements, providers will then have to meet Stage 2 requirements for two full years. Eligible professionals participate in the program on the calendar year, while eligible hospitals and CAHs participate according to the federal fiscal year.

The government will potentially fund $20 billion over five years to those eligible through the EHR Incentive Programs. Federal and State governments are auditing eligible professionals, hospitals and CAHs to determine if those eligible accomplished the Meaningful Use objectives to which they attested in an attempt to recoup those dollars. We anticipate that only a percentage of eligible professionals and hospitals will be audited, but any attestation error could result in a repayment to the government of 100% of the incentive payment.

The Brown Smith Wallace team of professionals will work with you on the selection and implementation of EHR systems and subsequent potential application to the EHR Incentive Program. We will also complete internal Meaningful Use attestation audits to identify compliance and related risk areas for all three stages of the EHR Incentive Program. The audit process not only identifies areas of noncompliance, but also works with you to develop and implement risk mitigation plans and related action steps to resolve areas of noncompliance.