
Friday, September 26, 2014

You Must Meet the Requirements for Core Measure #15

I need a Security Risk Analysis? What is that? I get calls from Chiropractors or their staff with this question every week. Here is the information and links to help you better understand Core Measure 15.

But first, from:

“The Office of the National Coordinator for Health Information Technology (ONC) Certification Program provides a defined process to ensure that Electronic Health Record (EHR) technologies meet the adopted standards and certification criteria to help providers and hospitals achieve Meaningful Use (MU) objectives and measures established by the Centers for Medicare and Medicaid Services (CMS).
Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required to use certified EHR technology.”

Translation: The certified software you purchased must meet certain criteria in order to be a Certified Technology by the ONC. The job of the software is to help you meet all of the requirements. These packages are all set up basically the same way and have training requirements, video tutorials, how-to documents, and support staff available to you. It is important and necessary to use not only the software but also the training and support available to your office.

Core Measure #15, also referred to as “Protect Electronic Health Information” or “Security and Risk Analysis”
This Core Measure has been wreaking havoc on Chiropractors. It isn’t a number found on your Dashboard to report. It’s a report or template that should be provided by your software company and completed in your office during the reporting period. A security risk analysis comprises the following parts: Risk Analysis, Risk Management, Sanction Policy, and Information Systems Activity Review. Think of it as an audit of your software and how you and your staff are protecting the fragile information contained therein. It should be easy to get these 4 templates or forms, run the audit, complete the forms, and file them in a safe place. The problem is that most offices skip this step and attest “YES” anyway. Later, when asked by CMS to provide their Risk Analysis, they fail to provide it and have to pay their incentive back.
The Measure states: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.”
Going further, below you will find a better description of the 4 things you need:
164.308(a)(1)(i) Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). (Link found here:
(C) Sanction policy (Required) - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
(D) Information system activity review (Required) - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
More links regarding Core Measure #15. Some are full of long explanations, but still full of information.