Did you watch the Saturday Night Live 40th Anniversary Special? Videos and live skits brought back the Coneheads, the Blues Brothers, King Tut and many funny moments of the show. If you’ve watched SNL recently you might have seen Debbie Downer, a caricature of all the people we know who can take a sunny day and dwell on some bad possibility. In one classic SNL skit Debbie Downer uses a visit to Disney’s “It’s a Small World” to talk about the ill effects of low birth weight. At the risk of being a “Debbie Downer” this week, I’m writing about Meaningful Use (MU) audits—not the happiest topic.
MU audits were mentioned in a comment after the February 9 blog post, “A Nephrology Practice Discussion.” Dr. Ralph Atkinson, Tennessee, asked, “Were any of the groups subject to an MU audit, and if so, what was it like?” Linda Miller, a participant in the practice discussion, replied that their group had a post-payment audit and were waiting for results, but were confident they had good documentation. She noted that her practice had already successfully responded to a pre-payment audit in 2014. These comments made me wonder about audit frequency and what to expect from an audit.
A look at the numbers and the law
Perhaps it is not too surprising that Linda Miller’s Texas Nephrology Associates practice has had 2 MU audits. A 2014 Medical Economics article notes that in 2013 CMS paid $19 billion in MU incentive payments with a $27 billion overall budget. The writer speculates that as the money becomes dearer, efforts to recoup unsubstantiated payments will increase.
Documents from the February 10, 2015, CMS Health Information Technology (HIT) Policy Committee provide data on the incentive payments for the 2014 program year and program to date:
Whether or not audit frequency is increasing and is in some way tied to mounting incentive payments, MU audits are required by law. The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which created the EHR MU incentive program, has an audit requirement. The law designates Figliozzi and Company, a CMS subcontractor CPA firm, as the auditing firm for this program on behalf of CMS. While post-payment MU audits began in 2011 under this law, pre-payment MU audits began in 2013 as large incentive dollars were being paid and there was growing concern about compliance with MU requirements.
Shedding light on the audit data
Very little MU audit data had been available until Steve Spearman with Health Security Solutions requested data in February 2014 through the Freedom of Information Act. He received MU audit data 6 months later and published an excellent summary infographic in November 2014. Some MU audit data highlights include:
- 3,820 pre-payment MU audits were completed from 2013 to 2014 with 21.5% audit failures
- ~93% of pre-payment MU audit failures were due to not meeting “MU objectives and associated measures”
- ~7% of pre-payment failures were from not using an MU certified EHR
- 4,601 post-payment audits were completed with 24% failures, almost all due to not meeting “MU objectives and associated measures”
- The average proposed returned EP incentive payment (pre-appeal) is $16,862.81
It is unclear what not meeting “MU objectives and associated measures” means, but experts assisting EPs and practices with audits and appeals think the most common audit failure results from not adequately performing a Security Risk Analysis (SRA) and not documenting actions taken to mitigate identified risks.
What you can expect if audited
CMS notes that MU audits may be random or targeted if unusual data is reported. If you are being audited you will receive an initial audit letter from Figliozzi and Company or the EHR MU Audit Team. Generally the auditors will request documents for review. A method is provided for secure electronic transfer of these documents, which may contain Protected Health Information (PHI). The CMS.gov website has a list of the primary audit documentation that will be requested, but all audits will request these documents:
- Proof of an MU certified EHR
- Quality measure, core and menu objective data documents
- Proof of SRA with a corrective action plan
Auditors may make a site visit to complete their review. At the end of the audit process the EP will receive an Audit Determination letter stating if the audit confirms successful MU completion or not. If the EP fails a pre-payment audit, MU incentive payment will be withheld. If the EP fails a post-payment audit, steps will be taken to recoup the MU incentive payment. If the EP fails and there appears to be intentional fraudulent activity, then additional legal action will be taken. All audit failures can be appealed; there is a link to appeal process documents on the CMS.gov website for EHR incentive Regulations and Attestations information.
Audit survival strategies
Last July, Dr. Ketchersid wrote an Acumen blog post with some good audit preparation tips. In addition to providing a good overview of MU audits, the March 2014 Medical Economics article also outlines 7 important strategies to be prepared to successfully complete an MU audit:
- Assume you will be audited. You must retain MU supporting documents for 6 years.
- Handle the audit properly. Don’t get mad at the auditors; expect to be audited and be prepared.
- Physicians must be engaged in the MU process. Work with your Practice Manager to make sure all data is correct and documents are maintained.
- Avoid discrepancies. Documentary evidence you retain must match the documents you submit to the auditors.
- Ensure that your version of the EHR is MU certified. This information is provided by your EHR vendor or can be viewed on the ONCHIT website.
- Documentation is key. All data, including data that confirms that denominators are accurate and numerators meet a threshold, must be available. Yes/no objectives can be met by date/time stamped screen snaps that show an EHR functionality is available for use or is “turned on” during the reporting period.
- Must have complete Security Risk Assessment (SRA) documentation. This is likely the most common MU audit failure point.
SRA for MU and HIPAA compliance was the topic of the April 7 Acumen blog post. As noted in that post, ONCHIT has provided an online SRA tool that can support a good assessment and risk mitigation program for your practice. The March 2014 Medical Economics article also has a helpful SRA process outline. SRA documentation must include proof that an analysis of the certified EHR technology was performed during the MU reporting period.
I’m definitely feeling like Debbie Downer…audits are common and almost 25% of EPs fail an audit. Unlike hospitals, some providers and practices have scarce resources to document all MU activity, but there are good resources available to help and we’ll try to highlight those in this blog. Whatever you do, make sure that you are performing your SRA and documenting your risk mitigation actions.
If you’ve experienced an audit or had to appeal an audit, we invite you to contribute to this conversation by posting a comment about your experience.
Dugan Maddux, MD, FACP, is the Vice President for CKD Initiatives for FMC-NA. Before her foray into the business side of medicine, Dr. Maddux spent 18 years practicing nephrology in Danville, Virginia. During this time, she and her husband, Dr. Frank Maddux, developed a nephrology-focused Electronic Health Record. She and Frank also developed Voice Expeditions, which features the Nephrology Oral History project, a collection of interviews of the early dialysis pioneers.
Mindy Ridgeway says
Our practice received notice of a prepayment audit on April 1st for MU 2015 Stage 2. We were advised to submit required documentation by 4/29. Additional information clarifying exclusions was requested and the final determination was sent June 6.
The process was transparent and the auditor was prompt and direct.
Our determination was favorable.