Another Way Meaningful Use Won’t Work “Out of the Box”

One good thing that could come out of my post about Meaningful Use Attestation Issues is that it will hopefully awaken providers to realize that meeting the meaningful use requirements requires more than just opening your proverbial “EHR software box.” Indeed, you have to do a fair amount of work to make sure that you’re using your EHR software in the right way to meet the meaningful use measures.

In fact, in response to that post, Mike Regan from ACR2 Solutions pointed out one meaningful use requirement that an EMR software can’t accomplish.

The company I work with focuses on Risk Assessments for the HIPAA Security Rule and Meaningful Use Item 15. We found a number of EMR vendors who guaranteed their clients that all that the client needed to do for Item 15 is install their EMR software. Most folks would realize that an EMR software package cannot accomplish a Risk Analysis required by 45 CFR 164. Granted, the EMR vendor can ensure that the data is encrypted and access properly controlled, but that is about all they can do. How would the EMR software know about the client’s written HIPAA Security Rule policies? We contacted many of the vendors to make them aware of a potential problem with their marketing pitches. As recently as a month ago, we found a sales rep for a major EMR vendor still spouting the “just install our software that is all you need for Meaningful Use” marketing pitch. We even pointed out to him that his own CTO had recanted that pitch and now the legal department has added verbiage to the sales agreement indicating that their clients must meet the requirements of privacy and security laws.

We have informed CMS of the problem and they are looking into the issue. The recent OIG tasking to review Meaningful Use recipients to ensure that they met the requirements may have been the outcome. I’m certain that there are a number of providers who have attested that they have completed Item 15 who have not completed a proper Risk Assessment based on this erroneous guidance from EMR vendors. While I doubt there would be legal action taken by CMS given that the provider acted in good faith and was misled by the marketing pitch, what action would be taken against the provider remains to be seen.

Yes, this is going to get very interesting indeed. I guess people should know that they have to dot all their i’s and cross all their t’s when they’re getting money from the government. I have a feeling a bunch of basically innocent people are going to get hurt by things like this. Although, I am cautiously hopeful that CMS will be reasonable with it all.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • I like to think I coined the term out-of-the-box as it relates to EHR systems and Meaningful Use.

    Not one EHR I’ve seen is properly configured to report MU numbers out of the box.

    Obviously we’ve seen Centricity is putting out garbage data.

    Other EHRs don’t allow live data to be seen, but only push that data to your system once a month.

    Live data is needed so a practice can troubleshoot what they “really” need to do to be using that EHR in a meaningful way.

    There is plenty of dual input (yes even on a computer).
    You need to understand how your system actually tracks meaningful use within its interface.

    Core item 15: It is IMPOSSIBLE for an EHR to suffice core item 15 – Risk Assessment.
    Yes, the Information System Activity Review should be/is a built in function of an EHR…BUT that is only a portion of Core item #15.

    So, if an EHR vendor is telling you their system will handle everything about Stage 1 MU for you, they are full of BS.

    You have to run a risk assessment on your practice.

  • This is a timely subject. Many practices are unaware that MU objective 15, which requires a risk analysis, is different from the HIPAA privacy provisions they have been meeting for years. At least practices that intend to apply for incentives are being warned that they need to meet this requirement.

    I am very concerned for practices that have EHRs in place and DO NOT intend to apply for an incentive. Recently, when I have spoken to doctors in practices that fit this description, none of them knew that the privacy rule was different from the security rule.

    I wonder how many sales reps know about the differences between the privacy and security rules? CMS needs to initiate an awareness campaign to address this issue.

  • We’ve seen this over and over again, both in working with an EMR vendor to embed core measures, and with individual providers who assumed magic would happen upon implementation. Everyone seems to have forgotten the GIGO rule of software.

    As to the privacy vs security issue, most providers we’ve dealt with have a good understanding of privacy and almost none on security. If you can keep their eyes from glazing over when you try to explain it, you’ve almost won the war. A lot of them, however, are pretty sure their sister’s kid knew what he was doing when he set up their network. It’s going to be interesting to see what happens when the audits get going.

  • @Matt

    That’s exactly what we see.

    We went to one practice that was taking pictures of patients with their iPhones then emailing the pics to themselves!!

    “You mean that’s not ok??”

  • Hmm…an EMR vendor could make an app that was compliant to do that. Interesting. I love taking a mistake and turning it into an interesting product.

  • As a paranoid HIPAA consultant, I’d NOT want there to be a product like that.

    Way too easy to screw up…look what people do with laptops…and they are big and bulky.

    Additionally – a doc using an iPhone/Smartphone as a medical device does not instill confidence.

    Whether looking up info or taking pics, there is something unprofessional about using that device in the office…a different argument can be made for an emergency situation, etc.

  • I don’t necessarily disagree with John B, but we were bouncing the idea around. The two keys, I think would be uploading the picture to a secure server where it could be retrieved, rather than using email, and deleting it from the mobile device after a successful upload.

  • Matt,
    I could be wrong, but I think John B’s concern is more the “Oh Crap, I opened the regular photo app and not the EMR photo app. Now the picture is stored on my phone.”

    Or the “Oh crap, I pulled out my own iPhone and took the picture instead of the company one.”

  • Which is why we’ll also be introducing our new line of iPhone cases, complete with a giant, lime green caduceus. Problem solved!

  • Again – a smartphone as a medical device?

    At least a tablet looks more appropriate.

    Sure an iPhone is stylish…but to see my doc tapping on his phone – is he sending a text? is he sending an email?

    I just think it doesn’t look professional.

  • “Again – a smartphone as a medical device?”

    This is completely subjective. I’m sure there are plenty of patients who would be thrilled that their physician just authored an ePrescription on their smartphone.

    – JW

  • Thrilled is a stretch. Seriously??

    A patient really doesn’t give a hoot how it’s done, just that it is done.

    OK, there will be the select apple-juice drinker who will think the doc is cool because he taps away on an iPhone…nice ego stroke for the doc.

    But…oh, or is he texting? Hmm, I wonder if he has a password on that phone. Are my records on that phone? I keep talking and he is tapping on his phone, I feel like I’m talking to my teenager…

    My favorite is the magical: doc speaks into thin air and assistant puts in prescription order.

    The point is – Just like my lawn getting mowed: I don’t care if they use a hovercraft or a reel mower, as long as it gets done properly.

    To be clear, I’m all for innovation – especially that hovercraft lawn mower.

  • John Brewer,
    This really isn’t that big of an issue. Doctors are actually pulling out their phones all the time now so they can look things up on programs like Epocrates. So, many patients are used to this happening and many doctors are used to saying that they’re working not texting.

  • Hey Guys, interesting stuff as always John. The thing all potential consumers should keep in mind when buying an EHR, EMR or any medical management software is this; the more out-of-the-box the product is, the less customization the product is capable of. Customization in this case being meaningful customization, not screen color or placement of toolbar.

  • It’s a good point Curt. What you can customize really matters. Sounds like a good future blog post. The balance of customization vs. out of the box functionality is another good one.

  • Customization (power) vs. out-of-the-box (ease of use) has always been a battle – that is reality.

    But that is off the subject…
    Why, if an EHR is certified Meaningful Use, would it not be able to print out reports PROVING this meaningful use?

    This makes no sense.

    Among other things, I’m a gadget guy. I’m not against smart phones, but I do believe that a Doc looking things up on a smart phone looks un-professional.

    Yet, looking that same item up on a tablet or computer may look perfectly normal.

    I go back to a client I had that was using their iPhone to take pictures of patients. Not only a HIPAA violation, but that looks un-professional.

    “…and many doctors are used to saying that they’re working not texting.”

