
Quality Reporting: A Drain on Practice Resources, New Study Shows

As featured in EMR & HIPAA, Powered by HeathScene.

If time is money, medical practices are losing a lot of both, according to a new study published in Health Affairs. The key takeaway: practices spend an average of 785 hours per physician and $15.4 billion per year reporting quality measures to Medicare, Medicaid and private payers.

The study, conducted by researchers from Weill Cornell Medical College, assessed the quality reporting of 1,000 practices, including primary care, cardiology, orthopedic and multi-specialty practices, and the findings are staggering.

Practices reported spending on average 15.1 hours per week per physician on quality measures. Of that 15.1 hours per week, physicians account for 2.6 hours with the rest of the administrative work divided between nurses and medical assistants. About 12 of those 15.1 hours are spent logging data into medical records solely for quality reporting purposes. Additionally, despite a wealth of software tools on the market today, about 80 percent of practices spend more time managing quality measures than they did three years ago and half call it a “significant burden.”

Aside from the major drain on administrative resources, there are heavy financial ramifications for such lengthy and cumbersome reporting as well. The report found practices spend an average of $40,069 per physician for an annual national total of $15.4 billion.

The findings of this study clearly demonstrate the need for greater reporting automation in the healthcare industry. By embracing technology to manage labor-intensive, error-prone and mundane tasks, practices free up their staff to focus on patient care. In the past few years, we have watched electronic medical record (EMR) companies do just that by embracing cloud-based software solutions.

This overwhelming administrative bloat and financial burden can be addressed by implementing software tools and solutions designed to streamline reporting and compliance management. For example, if your practice or organization is still conducting its annual risk analysis through spreadsheets and other manual methods, it is time to embrace automation and a Security Risk Analysis software solution. Designed to control costs, a cloud-based Security Risk Analysis solution automates 78% of the manual labor needed to calculate risk for organizations of all sizes.

There’s no time like the present to embrace best practices for your quality reporting. Allow technology to do the heavy lifting and free up your resources.

HIPAA One Releases Privacy Risk Analysis

After releasing the HIPAA One Security Risk Analysis, we received exceptional feedback on the product and on how much our clients appreciated the simplicity and automation it provides. We have been committed to expanding our solutions and adding products to be “all things HIPAA”. With the launch of the Privacy Risk Analysis, we now offer a full suite of products to address all citations and requirements related to HIPAA Security, Privacy and HITRUST.

Having implemented and performed the HIPAA One Security Risk Analysis at over 2000 locations, we know the importance of having a cloud-based process that is easy to understand and allows collaboration among different departments. Furthermore, our Privacy Analysis, like our Security Risk Analysis, is offered in three different levels of engagement to meet the needs of not only large practices but also small health and dental practices.

With the rise in hacking and breaches, our goal is to provide timely solutions to clients to ensure the patient information they keep is safe and secure. Furthermore, the OCR is accelerating the frequency and number of audits; with HIPAA One solutions, you are guaranteed to pass.

HIPAA Security for Meaningful Use: Myths and Facts

After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment that others know what you are “geeking” about. This is particularly true when it comes to Meaningful Use and the objective to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)…”

Was that a good example?  Let me take it back out of the “geek” closet for a moment.

So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST questionnaires. Ironically, none of these tools assures you are doing the right “thing” unless you hold some sort of auditor or security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS, among others), let alone provides any sort of guarantee. But as the old saying goes, “You get what you pay for.”

Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see the paragraph above on basic credentials). They go into the organization interviewing staff, collecting some documentation and running scans on the networks, and provide a comprehensive, detailed project plan to achieve compliance. Somewhere between 4 and 6 weeks after the flurry of activity is over, and the world has moved on, the final report appears.

The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art and content and, most importantly, it highlights serious risks to the organization. Except there is one problem: you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this toward HIPAA compliance.

This is a huge administrative burden!

Then there are the Myths…

Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.

HIPAA One® take: False. This is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).

Myth #2 – Each year, I’ll have to completely redo my security risk analysis.

HHS guidance:

“False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…”

HIPAA One® take: Things change on a constant basis. Roles change, network computer systems are changed to meet new requirements, and internal processes change too.

“Updating the prior analysis for changes in risks” means conducting a gap assessment and risk analysis on any of those items that changed since last year. Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely adopted to tackle this), HIPAA One® allows a full import of last year’s HIPAA Security Risk Analysis (SRA), so each question can be reviewed to see what has changed. Ongoing tracking is built in after the SRA is over, and automated documentation requirements simplify audit responses to pressing a “Print” button.

Myth #3 – I have to outsource the security risk analysis.

HHS Privacy and Security Guide of Health Information, page 6:

“False. It is possible for small practices to do a competent risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

HIPAA One® take: If you haven’t had a third party come in during the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review. The first year of compliance efforts is expensive; however, year 2 should cost roughly 50% of year 1 as investments are implemented. The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps of conducting the risk analysis. HIPAA One® accomplishes this by accelerating each person’s efforts by a factor of 5x, using automation rather than any manual risk analysis, while learning from the experience. In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button, and HIPAA One® allows you to insource instead of outsource.


We have tried to stay out of the geek closet for this blog as much as possible, and we realize this is a very jargon-clad specification. Let us at HIPAA One®, along with our esteemed partners, help provide the software, assurance and peace of mind for your organization. Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!

Reference: HHS Privacy and Security Guide of Health Information

AHCCCS Audit Notice Announced

Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) Audit for IT System Security Notifies of AHCCCS Audits

Courtesy of DHHS


HIPAA One® works with several Health Plans and Clinics that operate a Managed Care Organization (MCO) in the great state of Arizona, providing AHCCCS Audits pursuant to Policy 108 and HIPAA. As such, we have helped these clients respond to several audits since Policy 108 took effect back in 2013.

Yesterday the Arizona Health Care Cost Containment System (AHCCCS) was notified by the DHHS OIG they will be performing on-site audits of three Managed Care Organizations regarding IT system security.  To summarize the notice:

  1. Audits of the MCOs may begin as soon as November 2, 2015.
  2. One MCO will be audited this year, and two more MCOs will likely be audited in 2016.
  3. DHHS OIG will provide a draft report with the combined findings to AHCCCS.
  4. A final report of the combined audit findings will be published with non-identifying information.
  5. The first MCO will be contacted Monday, October 19, 2015.

As of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

This means that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

In March of 2015, we posted an update to our AHCCCS blog with a response to the annual guidance request by AHCCCS:

“Every standard should be reviewed every year. We do the exact same thing ourselves. Even those that were identified as compliant should be reviewed to make sure there haven’t been any changes and they are still compliant…”

You can find the updated Policy 108 compliance guidance here; it states that the audit needs to be done every year and must be submitted using third-party attestation by June 1st:


In Audit and Security circles, this is a HIPAA Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions. This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled, including attachments proving compliance and functional controls. For those who need a full SRA report with proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at

HIPAA Compliance Saves Money AND Time


When you’re in the healthcare industry, you have to comply with HIPAA privacy and security rules. Although the government’s rules concerning HIPAA compliance continue to change, and the process of becoming HIPAA compliant appears complicated and tedious, it’s imperative that you adhere to each of the HIPAA compliance requirements.

Why is it so imperative that you take the steps necessary to be completely HIPAA compliant? For starters, compliance does two big things for you that everyone in the healthcare industry (and in every industry, for that matter) wants: it saves you money and saves you time. What better reasons do you need?


Below you can find out just how HIPAA compliance saves you money and time, which in turn makes your job a little easier and helps take some of the stress out of your life.

How HIPAA Compliance Saves You Money

While you first have to invest money to become HIPAA compliant, the upfront investment is far less than the hundreds of thousands to millions of dollars you could pay in penalties for non-compliance, and that your patients could pay in out-of-pocket costs.

[Figure: HIPAA violations and enforcement penalties (photo from the American Medical Association); population of medical identity theft (two charts)]

“…36 percent did pay an average of $18,660, as shown in Table 1b (above). These costs are: (1) identity protection, credit reporting and legal counsel; (2) medical services and medications because of lapse in healthcare coverage; (3) reimbursements to healthcare providers to pay for services to imposters. Based on our extrapolation, we estimate the total out-of-pocket costs incurred by medical identity theft victims in the United States at $12.3 billion.”

Tables and reference from the Ponemon Institute 2013 Survey on Medical Identity Theft Report.


When you conduct your own security risk analysis, which most types of HIPAA compliance software let you do, you’re able to find and manage any security risks in your system, anticipate future issues, and create action plans to prevent those issues before your system is compromised. Knowing of and preventing security risks saves you the major costs associated with security breaches, i.e. fines for not being HIPAA compliant and paying someone to fix the holes and issues within your network.

HIPAA compliance also saves you money when it comes time for your organization’s HIPAA audit. Government audits can be a scary process to go through, because when you don’t meet their standards, high costs are involved on your part. But when you’re prepared for an audit, there’s nothing to fear. HIPAA compliance software lets you conduct your own mock audit so you can discover how compliant your organization is, and it usually provides the documentation needed for an audit.

Using compliance software also saves you money on labor costs because it’s a single solution that does everything for you, and does so in a shorter amount of time than doing everything manually on your own or among a group of employees. With this cost-effective solution, you no longer have to pay employees overtime for the countless hours they would otherwise spend, because with this software fewer people and less time are needed to ensure you’re HIPAA compliant.

How HIPAA Compliance Saves You Time

As mentioned above, HIPAA compliance saves you money on security issues and HIPAA audits, but it also saves you time in those areas. Performing a security analysis with your compliance software allows you to find any holes in your network or other potential security problems within your system, so you can prevent security breaches from ever happening. The time spent on a security analysis is just a small fraction of the time, stress and money you’d spend dealing with the hassles of a security breach. An analysis also makes sure you’re ready for a HIPAA audit, so you don’t have to worry about failing the audit and having to go back and fix any problems found during it. Again, taking care of potential problems upfront is much better than trying to deal with problems after the fact.

HIPAA compliance software is easy to use and an all-encompassing tool. When you implement the right compliance software, it greatly shortens the process of becoming HIPAA compliant. The process goes from taking days or weeks to only a few hours or up to a day to complete. When you spend less time dealing with security issues and making sure your organization is HIPAA compliant, you can focus your time on your patients, employees and the other important areas within your organization that need your attention.

You might only see giant dollar signs and a mess of wordy rules that constantly change when you think about becoming HIPAA compliant. But what you should see and understand is that making the upfront investment of your money, resources and time to be HIPAA compliant is the better choice. HIPAA compliance saves you a great amount of money and time compared to the costs of recovering from HIPAA violations.

Warning To All Email Users

Warning: we have received a repeated malware attack via email in the form of a purchase receipt.

This is a very smart attack because it makes the recipient of the email think, “Hey, I don’t remember buying this. What is it?”, and then with one click the recipient downloads an executable file from Dropbox.

What the file does is unknown. Fortunately, our deep-packet inspection firewall blocked one of our users who clicked on the link from downloading the malicious code the link triggered. See the example below:


Trojan attacks come by email or by accepting a solicited link from a compromised website.

To protect yourself from this type of malware or Trojan horse attack, employ three layers:

  1. Educate your users. Sharing this information and warning people makes them more aware and less likely to click on links in suspicious emails from unknown senders.
  2. Install a deep-packet inspection firewall. SonicWall and FortiGate are affordable options. The Cisco IPS/IDS module and other IPS/IDS products (Intrusion Prevention System/Intrusion Detection System, a general term for inspecting all your organization’s Internet traffic to ensure nothing malicious enters your network) are needed to block this type of attack. There are software versions of this, but in our experience they are not as effective and hamper system performance.
  3. Ensure you have antivirus and anti-malware on all your Windows and Mac-based computers. Antivirus is designed to stop this type of code from being installed; however, it is extremely difficult to block the malicious code from installing once the user authorizes and triggers the download.
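The lure described above has a recognizable shape: a receipt-themed subject combined with a link to an executable hosted on a consumer file-sharing site rather than on the vendor’s own domain. The following is an added example, not code from HIPAA One or from the original post, showing how a mail-gateway or SOC triage script could flag that combination before a user ever sees the message. The three sample messages, the lure keywords and the file-sharing host list are constructed for illustration; a real deployment would tune them to the organization’s own vendors and hosts.

```python
import re
from urllib.parse import urlparse

# Subject words typical of the "purchase receipt" lure (constructed list, extend as needed)
LURE_SUBJECT = re.compile(r"\b(receipt|invoice|order|purchase|payment)\b", re.IGNORECASE)

# File extensions that run directly on a Windows desktop when double-clicked
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi")

# Consumer file-sharing hosts a genuine vendor receipt would not normally link to
# (constructed list; the post names Dropbox as the host used in the attack it saw)
SHARING_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(body):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def link_flags(url):
    """Describe why a single link is worth attention; empty list means nothing notable."""
    parsed = urlparse(url)
    flags = []
    host = (parsed.hostname or "").lower()
    if host in SHARING_HOSTS:
        flags.append("sharing_host")
    # urlparse keeps the query string out of .path, so "?dl=1" does not hide the extension
    if parsed.path.lower().endswith(EXEC_EXT):
        flags.append("executable_download")
    return flags


def triage(msg):
    """Collect human-readable reasons a message matches the receipt-lure pattern."""
    reasons = []
    if LURE_SUBJECT.search(msg["subject"]):
        reasons.append("subject:receipt_lure")
    for url in extract_links(msg["body"]):
        for flag in link_flags(url):
            reasons.append(f"link:{flag}:{url}")
    return reasons


def is_suspicious(msg):
    """Flag only the combination: lure subject AND a risky link. Either alone is common and benign."""
    reasons = triage(msg)
    has_lure = any(r.startswith("subject:") for r in reasons)
    has_risky_link = any(r.startswith("link:") for r in reasons)
    return has_lure and has_risky_link


# Constructed sample messages (not real traffic)
SAMPLES = [
    {   # the pattern from the post: receipt subject, executable on a file-sharing host
        "subject": "Your purchase receipt #38211",
        "from": "billing@example-store.test",
        "body": "Thank you for your order. View your receipt: "
                "https://www.dropbox.com/s/abc123/Receipt_38211.exe?dl=1",
    },
    {   # a legitimate receipt: same subject style, link stays on the vendor's own site
        "subject": "Your purchase receipt #38212",
        "from": "billing@example-store.test",
        "body": "View your receipt at https://shop.example-store.test/orders/38212",
    },
    {   # a newsletter sharing a PDF on Dropbox: risky host, but no lure subject
        "subject": "Monthly newsletter",
        "from": "news@example-list.test",
        "body": "Slides from the meeting: https://www.dropbox.com/s/xyz789/slides.pdf",
    },
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", "SUSPICIOUS" if is_suspicious(msg) else "ok", triage(msg))
```

Requiring both signals keeps the false-positive rate tolerable: receipts are everyday mail and Dropbox links are everyday mail, and it is the pairing with an executable download that matches the attack the post describes. A flagged message would typically be quarantined for review rather than silently dropped, so that a mis-flagged vendor receipt can still be released.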

Information security firms provide this type of testing. If you want to test your environment by emulating this type of attack in a harmless way, i.e. sending an email to your users with a harmless link that displays a benign message like “If this was a virus or malware, you would be infected,” then reach out to your security company for help. We can be reached at for more information.

Safe browsing and emailing!

Quick Review of HHS’s new HIPAA Security Risk Assessment Tool


As a single-practice HIPAA Security Rule training app or a HIPAA SRA workbench, the tool is not bad. The ONC/HHS HIPAA Security Risk Assessment Tool is a vast improvement over the 2011 HSR Toolkit for those scenarios. It has fewer questions, a status bar that displays relative SRA completion status, and reports that can be exported to PDF or Excel at any time throughout the process. I have listed my subjective opinion in the following bullet points:

  1. The tool’s design lends itself to physician and small health provider practices.  It is not designed for health plans or business associates.
  2. A single office location is requested when setting up an SRA but the SRA Tool question set does not address locations.  Thus, by default the tool is location specific so it does not lend itself to health care providers with multiple locations.
  3. User access to the tool is completely based on the honor system.  The ability to restrict specific user activity within the tool does not exist and the ability to track specific user activity within the tool is very limited.  While there is functionality that distinguishes separate users who can each “Log In” (i.e. so that there is the appearance of multiple user “accounts”), there are no passwords assigned to these users so any user can log in as any other user.  Moreover, the tool user guide states “the SRA Tool will save the answers based on the internet protocol (IP) address used by the computer or server”.  Yet, the tool is not client-server or cloud based, so it is unclear how a team or group of people would use the tool, much less monitor or audit its use.
  4. HHS’ website states that “there are a total of 156 questions” and the tool’s navigator panel shows that these are contained in 12 groups or categories.   However, each of the 156 questions has questions of their own so that complete answers (which the tool apparently doesn’t require) causes that number (156) to be multiplied at least by 3 for answering a question “Yes”, by 4 for answering a question “No”.   For example, answering “No” to the first question (A01) requires the user to answer a total of three additional questions:  1) Select your reason for answering no, 2) Is the likelihood of an incident occurring — because of (the vulnerability posed by) not having the requested policies and procedures — low, medium or high?, and 3) Would the impact of an incident occurring — from not having the requested policies and procedures — be low, medium or high?  There is also an optional “Flag” checkbox to call attention to a question for later review.
  5. Answers marked “Yes” can be saved without citing evidence and answers marked “No” can be saved without adding an explanation, including “Addressable” questions.  If multiple people are involved in performing the SRA (which HHS recommends) this seems to be undesirable.
  6. Questions are not specific to individual EMR systems, so answering questions for multiple EMR or ePHI systems is something that can only be addressed manually in the answer notes provided for questions that pertain to ePHI systems.
  7. The tool’s website downloads page ( states “You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else.”  However, artifact curation is not possible within the tool, so the SRA artifact repository that supplies the evidence of compliance an auditor may want to see would need to be referenced within the tool’s free text fields and set up separately.
  8. The tool’s risk rating assistance is quite limited.  The tool’s risk rating for a given question (as reflected in the SRA report) appears to be based strictly on the “Likelihood” rating that the user sets manually for that item, regardless of the question.  Thus, a manually assigned “Impact” rating of High or Medium does not (appear to) affect the risk rating in the SRA Report.
  9. Be careful adding anything into the Notes field on the Notes tab.  Notes can only be added.  They cannot be modified or deleted.
  10. There is a bug in the version I tested (Windows version v1.3) where, if you try to modify the columns in the report using the “Show / hide columns” feature, the columns popup-box does not disappear and will be in the way until the user closes and re-starts the app.
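Point 8 above observes that the tool’s risk rating tracks the manually assigned “Likelihood” alone, so a High-impact item with a Low likelihood lands at the bottom of the report. The following added example (not the SRA Tool’s code, and not HIPAA One’s) contrasts that likelihood-only behaviour with the usual qualitative likelihood-by-impact matrix, and shows how the remediation order changes. The 3x3 product thresholds (1–2 Low, 3–4 Medium, 6–9 High) are one common convention and are an assumption here, as are the four constructed findings.

```python
# Qualitative levels on a 1..3 scale (assumed convention, not taken from the SRA Tool)
LEVELS = {"low": 1, "medium": 2, "high": 3}
RANK = {"High": 0, "Medium": 1, "Low": 2}  # sort order: most severe first


def rate_likelihood_only(likelihood, impact):
    """Mirrors the behaviour described in point 8: the impact rating is ignored."""
    return likelihood.capitalize()


def rate_matrix(likelihood, impact):
    """Likelihood x impact on a 3x3 matrix; thresholds are an assumed common convention."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(findings, rater=rate_matrix):
    """Return (finding id, rating) pairs ordered for remediation: High first, ties by id."""
    rated = [(f["id"], rater(f["likelihood"], f["impact"])) for f in findings]
    return sorted(rated, key=lambda pair: (RANK[pair[1]], pair[0]))


# Constructed findings; the ids imitate the tool's question-style labels but are made up
FINDINGS = [
    {"id": "A01", "likelihood": "low",    "impact": "high",  "note": "rare event, severe consequence"},
    {"id": "B02", "likelihood": "high",   "impact": "low",   "note": "frequent nuisance, little harm"},
    {"id": "C03", "likelihood": "medium", "impact": "high",  "note": "plausible and severe"},
    {"id": "D04", "likelihood": "low",    "impact": "low",   "note": "neither likely nor harmful"},
]

if __name__ == "__main__":
    print("likelihood only:", prioritize(FINDINGS, rater=rate_likelihood_only))
    print("likelihood x impact:", prioritize(FINDINGS))
```

Under the likelihood-only rule B02 (frequent, harmless) tops the list and A01 (rare, severe) sits with the trivial D04; under the matrix, C03 leads and A01 moves ahead of D04. That is the distortion an assessor has to correct by hand when a tool does not fold impact into its rating.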

Other upgrades to the ONC’s Security Risk Analysis Tool include a colorful green-yellow-red dashboard-style chart, a glossary of terms, and other aids such as “Things to Consider”, possible threats and vulnerabilities, and example safeguards for each question asked. It will probably speed up the HIPAA SRA process for small providers who want to “go it alone”. However, outside the scope of small, single-location practices, the SRA Tool will be difficult to use.

Feel free to visit the SRA Tool’s website downloads page ( and feel free to express your opinion on our website below.

Thank you,

Steven Marco, CISA, ITIL; co-authored by Joe Grettenberger, CISA, CCEP, ITIL.