Meaningful Use audits: What providers can expect
With the Centers for Medicare & Medicaid Services doling out billions of dollars in Meaningful Use incentive payments, it is no surprise that providers are increasingly at risk of being audited to see if they actually were entitled to the money.
CMS has stated that it intends to audit about 5 percent of all providers to ensure that they are meaningfully using their electronic health records, but that number is likely higher. About 10 to 15 percent of eligible hospitals attesting to Meaningful Use can expect to be audited; for eligible professionals the number may be closer to 20 percent, according to David Zavala, senior manager with consulting firm Protiviti in Dallas. Even if only 5 percent of providers are audited, that’s still 20,000 providers, according to attorney Brian Flood, with Husch Blackwell in Austin, Texas.
And the stakes of being audited are high: A provider that fails just one element of a Meaningful Use audit not only must return the entire incentive payment for that year, but also is automatically scheduled for another audit of another participating year, according to Flood.
“They keep going until you pass or they have it all back,” he warns.
Moreover, CMS is under pressure to conduct these audits vigilantly. The Government Accountability Office (GAO) has warned that the Meaningful Use program may be at greater risk than other programs of making inappropriate payments because it’s relatively new and so complex. The Office of Inspector General (OIG) has already chastised CMS for not auditing the program adequately.
So how can providers reduce the risk that they’ll be subject to a Meaningful Use audit? And what steps should they take to improve their chances of passing one?
The providers selected for a Meaningful Use audit theoretically are chosen at random. However, they’re not completely accidental; auditors keep an eye out for certain “red flags” that may trigger an audit, warns Ed Koschka (pictured), IT Program Manager, Meaningful Use and Accountable Care Organization Programs for Franciscan Alliance, a health system based in Mishawaka, Indiana. His healthcare system, which includes 12 hospitals and 500 physicians, has been subject to three hospital Meaningful Use audits, five professional Medicare Meaningful Use audits and two Medicaid Meaningful Use audits. (The system has passed all of them so far; one of the Medicaid audits is still pending).
Some of the red flags that the auditors are looking for include:
- Inconsistences within the provider’s own data, such as exclusions that may be inconsistent with other measures a provider is attesting to or discrepancies with numerators and denominators
- Certain EHR systems which are known for having functionality problems and which may make their users more likely to be audited, warns David Zavala, senior manager with consulting firm Protiviti in Dallas
- Years where scores are combined, say while transitioning from one EHR to another, midyear
- Attestation data that is inconsistent with CMS supplemental data, such as measures or exclusions inconsistent with the provider’s patient mix or inconsistencies between the attestation and a state or local public health agency’s capabilities, notes attorney Brian Flood, with Husch Blackwell in Austin, Texas
- Providers that attest in 2014 using CMS’ new “flexibility” rule. “It’s a gut feel only,” Koschka warns. “It’s a potential red flag. It will be an area of suspect.”
Providers can–and should–take several proactive steps to avoid a Meaningful Use audit or at least be better positioned to successfully defend one’s attestation.
“Have all of your ducks in a row before hand. Know where you stand in meeting the measures,” says David Zavala (pictured), senior manager with consulting firm Protiviti in Dallas.
Providers should consider these 10 actions:
- Maintain evidence that you’ve met the requirements: The most important step is to make sure you have the documentation to support your attestation. “You need a repository of proof or book of evidence,” Zavala says. The documentation should include a thorough security risk analysis, screen shots, reports, calculations, a copy of the EHR purchase agreement, EHR implementation documents, public health reporting documentation and other information to support the data for the Meaningful Use objectives and clinical quality measures. If you’re attesting for 2014 via the new flexibility rule, make sure you have evidence to justify why you’re doing that, Zavala says. “A lot of providers are failing an audit because they don’t have or didn’t save the documentation that supports attestation,” adds attorney Brian Flood, with Husch Blackwell in Austin, Texas.
- Collect and store the documentation on an ongoing basis. Note that a screen shot of a single day won’t be sufficient for the other days in the reporting period. Ed Koschka, IT Program Manager, Meaningful Use and Accountable Care Organization Programs for Franciscan Alliance, a health system based in Mishawaka, Indiana, tells FierceEMR that his vendor helped him run reports to show that the system met the yes/no attestations and a transaction log that shows that they did so every day in the reporting period.
- Store the Meaningful Use documentation in a central location: That will make it easier and faster to respond to an audit, Koschka says. Since the documentation needs to be submitted electronically, he adds, make sure you store it electronically, and back it up.
- Assign Meaningful Use to a team led by a designated individual: The group should monitor whether the provider is meeting the Meaningful Use requirements and periodically meet and review the provider’s progress so that any trouble spots can be flagged and corrected, Flood says. “If you know the problem early it can be fixed before discovering it in the audit process,” he points out.
- Be on the lookout for new developments regarding the Meaningful Use audit process: Stay apprised of how other providers are faring. For instance, it’s been widely reported that many providers are failing audits because they lacked an appropriate security risk analysis of their system’s vulnerabilities, a core objective. The Meaningful Use team should also track CMS’ guidance on Meaningful Use audits, since it’s “constantly evolving” with each FAQ, Flood warns.
- Maintain the documentation for at least six years past attestation, pursuant to CMS’ guidance, Zavala says.
- Watch for the red flags that might increase the likelihood of an audit: Try to avoid or eliminate them.
- Check patient mix before attesting to Medicaid Meaningful Use: Don’t have a physician attest that he/she had at least 30 percent Medicaid population unless you’re sure he/she meets the threshold, Koschka warns.
- Set up a Meaningful Use audit committee, just in case: This way the provider can quickly respond to an audit, since the timeframe for submitting supporting documentation for a Medicare audit can be just two weeks. The committee should include the compliance officer, the security officer, the legal department, finance, IT and clinical leadership, Flood tells FierceEMR.
- Ensure that relevant staff can identify what a Meaningful Use audit letter looks like: For the first couple of Meaningful Use audits experienced by Koschka’s organization, they only had a week to respond because of the lag time involved from receipt of the notice to notification to the personnel who needed to respond to it. The health system ultimately conducted a campaign to communicate to staff what the letters looked like and what they would say.
What should a provider do if it receives an audit letter from Garden City, New York-based Figliozzi and Company, the designated contractor for the Medicare audits, or from a state Medicaid auditor?
First, don’t panic. “Others are going through this and help is available,” says David Zavala, senior manager with consulting firm Protiviti in Dallas.
Then take these six steps:
- Engage the Meaningful Use audit team to respond: Respond with the requested documentation within the stated deadline, says attorney Brian Flood (pictured), with Husch Blackwell in Austin, Texas.
- Contact your EHR vendor: The vendor may have a toolkit or other resources that can help a provider survive a Meaningful Use audit. “They know their system the most, know its capabilities to complete reports, etc.,” Zavala tells FierceEMR.
- Provide the auditors with a summary and table of contents of the security risk analysis, not the actual analysis, recommends Ed Koschka, IT Program Manager, Meaningful Use and Accountable Care Organization Programs for Franciscan Alliance, a health system based in Mishawaka, Indiana. You don’t want to alert the auditors of weaknesses that you uncovered within your organization, especially since presumably, you’ve resolved any vulnerabilities that have been identified.
- Review all material before submitting it to an auditor: Make sure that it’s accurate and complete. “It can affect how the audit goes,” Flood says.
- Conduct a formal review of the audit, Koschka says. See what needs to be improved. “Meaningful Use is a long-term program, a ‘forever’ program,” he points out.
- Consider appealing a negative determination if there’s a good chance you can overturn it: Providers that fail a Meaningful Use audit should appeal if they have something to stand on, such as evidence that they met the Meaningful Use requirements or that the auditor committed a mistake. But if you can’t go back in time and create evidence, such as screen shots. “You need to know the cause of your fail. It might be best to learn from your mistakes and move on,” Zavala says.