by Ann F. Triebsch
As we indicated in a posting last October and in a more recent August post , audits are now underway to verify that providers who received incentive monies from the Centers for Medicare and Medicaid Services (CMS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act for implementation of a certified electronic health record (EHR) have indeed met the “meaningful use” (MU) criteria. The Office of the National Coordinator for Health Information Technology (ONC) has contracted with Garden City, NY-based Fagliozzi and Company to conduct these audits. The audits are designed to verify that providers receiving incentive payments are using certified EHR technology in a meaningful way. These audits can be a hassle, and there are risks if you cannot promptly provide what is requested—even if you are complying with the MU criteria.
Post payment audits began in mid-2012. In early 2013, CMS also started conducting prepayment audits. Estimates are that 3-5%, or as many as 10%, of eligible providers may be subject to MU audits, some of which are targeted and some random, and which are appearing all over the country in no apparent pattern. While the auditors have been described as open, there is general acknowledgement that the process is new and bugs are still being worked out. Some providers indicated that the auditors were not fully knowledgeable about the technology they were investigating, leading to complications. A recipe for more trouble. . .
So what are auditors looking for? What are the trouble spots? And how can you be ready?
For most providers, the primary support document auditors need is the report generated by a certified EHR. That report generally provides both the numerator and denominator values needed for MU attestation. But it needs to specify a time period and indicate that it is specific to your practice or facility. Some EHR systems can generate a report based on a 90-day snapshot in time, but other systems are “rolling”, meaning that numerators and denominators can change after the provider has attested at the end of the reporting period. In those cases, providers should keep a paper or electronic copy of their original report to substantiate which numbers were used for attestation. So know up front whether your EHR system has a rolling or snapshot capability, and prepare accordingly.
Another requirement where many providers have had issues proving compliance are the “yes/no” measures that require specific EHR functions to be turned on during the entire reporting period. Some systems have an audit log that shows that functionality was enabled for the entire period, but if your system doesn’t, save one or more screen shots that are dated from the reporting period to which you are attesting. Again, know up front the capability of your EHR system and document as needed.
While this is the same analysis required by HIPAA, it must be done annually. You need dated documentation to show it was performed during the attestation period. Also, your documentation of your security risk analysis must show that it is specific to your EHR system and your practice.
In short, know what your EHR system can do. For what it can’t do, dated screen shots can save you a lot of headaches. For more guidance on preparing for MU audits, check out two recent CMS publications on attestation documentation and an EHR audit fact sheet.
The Wyatt HITECH Law Blog credits this article for some of the information contained in this posting, to which you may wish to refer for a longer discussion of the MU audits.