Lessons Learned from Meaningful Use Audits

HITECH Act meaningful use auditor
By Margaret Levi and Kathie McDonald-McClure
As we previously reported in a blog post on September 24, 2013, an eligible professional, eligible hospital, or critical access hospital receiving an incentive payment for the meaningful use (MU) of electronic health records (EHRs) will likely be subject to a stringent audit from either Medicare or Medicaid.  The fact that these MU audits are underway is now fully evident.

We have heard from several sources that CMS auditors are hitting Tennessee and Kentucky hospitals and physician practices and demanding repayment of meaningful use incentive monies if providers cannot fully back up their attestations for Stage 1 compliance in every respect. 

Recent articles suggest that healthcare providers elsewhere are facing similar challenges in the audit process. Modern Healthcare reported in November that “HMA to repay government $31 million for improper EHR claims.” HMA self-reported that 11 of its 70 hospitals did not properly meet the meaningful use standard. For a link to the full article, click here. And HealthLeaders Media reported on October 29, 2013, that the “Latest Wave of MU Audits Delivers a Fresh Scare.” For a link to the complete article, click here.  The article warns that providers should be prepared because “deadlines are tight” and the “documentation requirements exacting” for these audits.

Practice Tips:

  1. Be on the lookout for audit request letters sent via email. The request letter will be sent electronically by Figliozzi and Company from a CMS email address to the email address provided during registration for the EHR Incentive Program. Make sure this email address is monitored at all times, even when the owner is on vacation.  When an audit notice arrives, a provider will have a very short timeframe to prepare and respond.  Some providers have missed the email because the email address provided during registration was for a person no longer with the organization!  So, check your initial Incentive Program registration to see what email address was provided.  Update it with CMS if necessary. 
  2. Make sure you can back up all meaningful use attestations with electronic or paper documentation. It is easiest to compile supporting documentation as you complete the attestation process since it may be difficult or impossible to recreate it quickly in response to an audit request.  Immediately notify and seek out support from your EHR vendor when you receive the audit notice.  See our September 24, 2013 blog post for additional tips on documentation, such as audit logs and EHR-generated reports that support the numerator and denominator values used in the MU attestation.  CMS has published some guidance on preparing for audits which lists some of the documentation that may be reviewed during an audit. Check out audit FAQs  and factsheet entitled “EHR Incentive Programs Audits Overview.” 
  3. Designate a person to be in charge of the audit and to gather the MU evidence. Gather the following evidence now, even if you have not yet received the audit notice:  EHR vendor agreements; EHR project plans and configuration documents; attestation reports generated from the EHR matching the attestations on Core and Quality measures; public health measure transmissions including any confirmations of receipt from public health agencies; documentation of determinations that supports decision to take the exclusion for certain measures; complete HIPAA Security Rule Risk Analysis documentation, including identified threats and mitigation plans; a statement from your EHR vendor that demonstrates and supports certain MU functionalities (e.g., Drug/Allergy Interaction Checking) was enabled for the entire reporting period.
  4. Establish contact with the auditor immediately upon receipt (or discovery) of the audit notice.  If you do not discover the notice until you have little time left to comply, explain the need for additional time to prepare a response and, if additional time is verbally granted, follow-up with a written confirmation to the auditor.   Calendar and monitor each deadline set by the auditor.
  5. Consider whether to seek counsel!

To see a sample MU audit letter, click here.

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.