by Joe Ingemi

In my last post for Hospital Impact, I spoke of the possibility of standards-based meaningful use criteria, and performance-based meaningful use, such as recording the number of smokers enrolled in cessation. Hidden beneath these regulations are a whole other set of compliance standards that are yet to be discussed: internal controls.

[More:]

When you hear the term 'internal controls,' you may think of them in terms of the financial industry's Sarbanes-Oxley (SOX) compliance. However, internal controls have also manifested within the healthcare and life sciences industries. HIPAA deals with internal controls in the concept of how privacy is protected. The FDA regulation, 21 CFR Part 11, takes into account internal controls by requiring audit trails on access to GMP data stored electronically.

Internal controls will ultimately be required for meaningful use compliance, especially the performance-based regulations. For instance, if a provider must report the number of smokers enrolled in a cessation class, how can it verify whether the number is accurate? Although there is no way to be 100 percent certain, internal controls could help improve the certainty. Audit trails and electronic signatures can verify who accessed the files. Standard Operating Procedures can confirm whether those individuals have authority to adjust the enrollment number. Then, training records can confirm if those individuals understand what those enrollment numbers represent.

The need for providers to establish a meaningful use compliance framework is not a question of "if," but rather a question of "when." Providers must begin thinking in terms of standards, performance and internal controls.

Joseph Ingemi is a blogger, Certified Information Systems Auditor, and certified Project Management Professional who writes about healthcare IT issues. He also consults on healthcare IT issues through his company, Pinarus Technologies.