Last week we made our annual summer trek to the beach. While there I watched with amazement as Tim Howard and company stymied a more-talented Belgian squad for the better part of two hours. Coach Klinsmann truly had this bunch of U.S. footballers prepared to compete in the most-viewed sporting event on the planet. While at the beach, I too was participating in a competition of sorts—an annual competition between the sun and my pale, freckled skin. In this competition (where the sun won yet again) I was reminded of Benjamin Franklin’s oft used quote, “An ounce of prevention is worth a pound of cure,” which leads us to today’s post: preparation for a meaningful use audit. We discussed meaningful use audits in this forum over a year ago, but with more experience under our collective belts, let’s revisit the topic today.
Two types of audits
Meaningful use audits come in two flavors: post payment or prepayment. This is not rocket science. As the names imply, a post-payment audit occurs after you receive your check from CMS (if you fail, you get to pay them back) and a prepayment audit occurs shortly after you attest, but before you are paid (if you fail, you do not get paid). The audit itself is conducted in the same fashion whether it occurs before or after you receive your meaningful use incentive.
The process starts with your receipt of a form letter from Figliozzli & Company, the New York-based accounting firm tasked with conducting the audits. The letter asks you to submit documentation supporting your meaningful use attestation. Last year CMS published this PDF to clarify what they mean by the phrase “supporting documentation.” CMS is relatively silent regarding how providers are selected for an audit. My read suggests most are random, but a small subset may occur because of anomalies in the data submitted. Neither CMS nor Figliozzli & Company are willing to say how many providers will face an audit. People with experience in this area believe the number is 5%, with half prepayment audits and half post-payment audits. If you practice in a group with 20 or more docs, odds are you know someone who either has had or will have the pleasure of facing a meaningful use audit.
Preparation in lieu of prevention
No offense to Mr. Franklin, but within the realm of a meaningful use audit, let’s turn our attention to preparation. I recently came across a well-written article on the subject authored by Pamela Lewis Dolan. She describes seven strategies to protect your practice in the event of a meaningful use audit. Ms. Lewis Dolan starts with a excellent suggestion: assume you will be audited. Assume Figliozzli & Company will come knocking and you are already ahead of most practices. Using this assumption as a starting point, I’d like to suggest a few steps based on conversations with a number of nephrologists who have faced an audit.
Terry’s tips
- Make sure your email address is accurate. If you are serious about preparation, stop reading this post, log into the meaningful use Registration and Attestation System and make certain the email address you entered (or someone entered on your behalf) is accurate. If Figliozzli & Company sends you an audit letter via email, failing to respond because you did not receive the email is indefensible. Make sure the email address works so you can respond in a timely fashion if called upon to do so.
- Save a copy of your dashboard. Most certified EHRs today offer a dashboard, which tracks your performance across the meaningful use objectives. Typically the dashboard displays the actual numbers for the numerator and denominator for MU objectives with a target threshold. If this view contains your name, NPI number, and the reporting period, this will suffice as documentation for the objectives with a target threshold. Make sure you either save a copy of this view when you attest or that you or your EHR vendor can reproduce it in the future.
- Document the yes/no objectives with screen captures. The dashboard works for the objectives with a threshold (reported as fractions), but it will not suffice for the attestation-only objectives (e.g., generated a clinical list; turned on drug-drug, drug-allergy checks; or activated clinical decision support). For these objectives CMS recommends you obtain a screen capture to document compliance with the individual measures. I know this sounds a bit tedious, but obtaining these screen shots today is substantially easier than trying to reproduce them next year if the auditor comes knocking.
- Perform a security risk analysis. If there is one objective I have seen trip people up more than any other it is this one. Remarkably, the security risk analysis has been part of the law for almost decade now. The HIPAA Security Rule, in play since 2006, requires all health care providers to conduct or review a security risk analysis, and if risks are identified, to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.” When you attest for Stage 1 or 2, you are attesting to the fact that your practice is in compliance with this piece of the HIPAA Security Rule. If you are subject to a meaningful use audit, you need to send a copy of your security risk analysis as part of the supporting documentation. You would be surprised how many small- and medium-sized practices believe this is a box they simply check because their EHR is certified. Not only is the absence of a security risk analysis the most common reason I have seen for failing a meaningful use audit, it also puts you in jeopardy with the Office of Civil Rights, the branch of Health and Human Services tasked with enforcing HIPAA. If you have not conducted a security risk analysis, do yourself a favor and either hire outside help to conduct one or use one of several useful tools to conduct one yourself.
- Keep everything for at least six years. Last but not least, hang on to your supporting documentation. This one is tough to swallow, but CMS clearly states an audit can occur up to six years after you attest. Thankfully, digital storage is cheap, so archive your supporting documentation for at least six years.
Preparation is the key
Meaningful use audits are here to stay, and some believe they are increasing in frequency. Through April, CMS distributed almost $24 billion of the $26 billion budgeted by the HITECH Act. Within this context, the audits will certainly continue. I know several providers that have been through the process and each would tell you preparation is the key to a stress-free experience. Follow the tips outlined above and take a look at the Medical Economics article I previously referenced. If Figliozzli & Company comes knocking, you will be ready.
[poll=”4″]
Leave a Reply