September 2013
Meaningful Use Audits Create Anxiety
By Mike Bassett
For The Record
Vol. 25 No. 12 P. 14
Is there reason to worry? Not if your documentation is in order.
When it comes to meaningful use incentive payments, there’s a lot of money at stake.
According to figures released in June by the Centers for Medicare & Medicaid Services (CMS), the EHR adoption program had paid out about $15.5 billion in incentive payments. Eighty-five percent of eligible hospitals were registered in the program, and 75% had been paid either Medicare or Medicaid incentive payments.
With that kind of cash and that many providers involved, it was seemingly inevitable that audits would become part of the picture. The CMS, which plans to audit approximately 5% of eligible professionals and hospitals attesting to meaningful use, performs both pre- and postpayment audits through its contractor, Figliozzi and Company.
The possibility of outsiders doing some digging has created a bit of anxiety among participating providers. “They seem to be very nervous about this,” says C. Peter Waegemann, a Boston-based consultant and HIT thought leader on issues ranging from mHealth to EHRs. “It seems to be comparable to being notified that you’re having your taxes audited. Most of those people getting notices will probably be OK, but it still gives them sleepless nights.”
That’s understandable. If an audit reveals the provider isn’t eligible for an incentive payment, the award will have to be returned. And if it’s determined that a provider attested fraudulently, the CMS warns that punishment could include imprisonment, significant fines, or both.
Be Prepared
While some providers will become audit targets because they’ve provided “suspicious or anomalous” data, most will be selected randomly, which means it’s impossible to make an attestation audit-proof. According to the CMS, eligible providers should be retaining the “relevant supporting documentation,” either in electronic or paper form, that was used to complete the attestation module. This documentation should be retained for six years after attestation.
Documentation is the key word when it comes to what auditors are seeking. Jim Wieland, an attorney with the Baltimore-based firm Ober Kaler who represents several providers that have gone through the auditing process, says auditors are looking for documentation that can verify the EHR system used to meet meaningful use requirements is certified as well as supporting documentation proving that core and menu objectives were met.
On its website, the CMS says the “primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.”
As the starting point of any audit review, the primary documents should include the numerators and denominators for the measures, the time period the report covers, and evidence to support that it was generated for that eligible professional, eligible hospital, or critical access hospital. The CMS advises providers that the process could extend beyond the primary review step and consist of more detailed analysis of any measure, including a review of patient records.
With that in mind, Waegemann says it’s important for hospitals to have a good understanding of how the original attestation was performed and who was involved. The person who handled the attestation may have moved to a different organization or maybe particular individuals strongly influenced the process, he says. “The moment you know an audit is coming, you need to revisit that process,” Waegemann says.
Ed Ricks, vice president of information sources and chief information officer at Beaufort Memorial Hospital in South Carolina, said the organization is well prepared for an audit. “We are an organization that has always put a value on how technology can help us not just do cool things but also solve some of our clinical and business workflow challenges,” he said in a June webcast sponsored by Iatric Systems, an HIT integration company.
When Ricks arrived at Beaufort five years ago, the organization was in the process of implementing computerized physician order entry. “[We] did a lot of work to make sure that not only did we implement these products but actually used them fully and did all the right things,” he said. “We were kind of lucky we were going down the right path when meaningful use came out because I hate doing things just to check a box for meaningful use. … At that time, we were just trying to do the right thing for our hospital and our community.”
When meaningful use became a reality, Beaufort, like the majority of the nation’s hospitals, got involved. Suspecting audits would, at some point, become part of the equation, Ricks said Beaufort took precautions. “We wanted to make sure that when we checked a box, we meant it, and it was good,” he noted.
Beaufort hired an outside firm to perform a gap analysis to help determine where there may have been holes in its meaningful use approach. It created a master plan and formed a multidisciplinary meaningful use committee consisting of representatives from all over the hospital, including the clinical, IT, finance, and compliance departments.
“I was really proud of us,” Ricks said. “We attested the first year we could, which was fiscal 2011.” The hospital’s 90-day reporting period was the last quarter of the fiscal year (July through September 2011), after which it accumulated all the data and ran all of its reports.
“We thought we did all the right things and did the attestation,” Ricks recalled. “The funding came in quickly, and it was a sizeable amount of money. In no way does it repay you for everything you’ve done … to put in these advanced clinical systems, but it certainly helps.”
Beaufort had gone into the process expecting the possibility of an audit. With that in mind, it worked to mitigate any concerns from the gap analysis, utilized best practices for data capture as suggested by its vendor (Meditech), performed a HITECH security assessment, and saved all information, such as vendor contracts and measures reports, it deemed necessary to document attestation. “We thought we were in great shape, that we had done all the things we needed to do,” Ricks said. “We didn’t think we’d get audited, but just in case, we wanted to be able to validate what we had attested to.”
And wouldn’t you know it, the audit request arrived. “I was almost happy to get [the audit notification] because we wanted to prove that we had done the right things,” Ricks said.
The Audit Process
When a provider is selected for an audit, it receives an initial request letter from Figliozzi and Company via e-mail. The notice is accompanied by an information request list that, according to the CMS, “may not be all inclusive” and may require the submission of additional information in order to complete the audit. Providers have 14 days after receiving the request to supply the requested information.
Is two weeks enough time to gather the necessary data? Laura Kreofsky, meaningful use program director for California-based Sutter Health, believes the time frame is reasonable considering the anxiety created by an audit. “It is something you would like to get out of the way, and this forces you to get through the process,” she says.
Of course, there’s no guarantee that, once a provider has responded to the initial request for information, the auditors won’t come back asking for more. That’s what happened at Beaufort.
Ricks and his team responded to the audit request within the allotted 14 days and then waited. After a few weeks, the auditors came back with further requests and questions, such as why the logs generated by the EHR didn’t carry the vendor’s logo, representing concerns that the documents could be fraudulent.
After several more weeks, the hospital was asked to supply information explaining why denominators were zero for certain measures, such as the number of patients asking for copies of their medical records. The problem, Ricks said, was how to prove a negative. “So we had to show what our steps would be from a workflow perspective if they [the patients] had responded and how we would have responded,” he said. “Just saying zero wasn’t good enough. It didn’t make sense to me because it was OK if it was zero, but we had to prove it somehow.”
Beaufort received one more request, this one warning the hospital that it risked losing its incentive payment if it couldn’t satisfy the auditors that it was complying with certain measures, in particular, drug-to-drug formulary checks. Ricks’ efforts to demonstrate compliance in this area failed to convince the auditors, and it took a phone call to finally resolve the issue.
Several weeks later, the hospital received notification that it was in the clear, although the door for future audits remains open. The entire process, Ricks said, “was a lot more rigorous than it needed to be.”
Self and Simulated Audits
Some providers actually have performed self-audits, found problems with their attestations, and then gone through the process of withdrawing those attestations, which involves submitting a withdrawal form and returning the incentive payment. Wieland says the advantage of this strategy is that it suggests there was no intent to defraud the federal government and that the faulty attestation was simply an honest mistake.
According to Kreofsky, several Sutter Health eligible professionals withdrew meaningful use attestations when problems became apparent during self-audits. In those cases, the troubles stemmed from a CMS requirement that eligible professionals demonstrating meaningful use must have at least 50% of their patient encounters during the EHR reporting period at a practice or location equipped with certified EHR technology.
“In the case of these few eligible professionals, although they were using a certified EHR in their clinic practice, they saw a majority of their patients in other settings, typically skilled nursing homes or long term care sites,” Kreofsky says. “We had done a prescreen of such providers prior to embarking on the meaningful use registration process for our eligible professionals, but with nearly 1,900 eligible professionals for which we had to determine eligibility, these few were not categorized correctly. Once we realized what had occurred, we worked collaboratively with Figliozzi to address the situation, and we also rereviewed and confirmed all of our other eligible professionals met the 50% requirement.”
Gary Tomlinson, a community access hospital consultant for the Massachusetts eHealth Collaborative, which operates the regional extension center of New Hampshire’s meaningful use services and health information exchange technical services for the state’s 13 critical access hospitals, is in the process of creating a simulated audit.
As the IT director at Cottage Hospital in Woodsville, New Hampshire, Tomlinson learned about the value of documentation when the facility attested to stage 1 meaningful use in 2011. He’s using that knowledge to help guide the 13 New Hampshire hospitals—particularly smaller ones such as Cottage—through the process, including possible self-audits. “It’s better to spend a few thousand dollars having a [simulated] audit done rather than have to return millions of dollars,” he says.
Lessons Learned
Ricks said it was apparent from the questions posed by auditors that they didn’t have much of a health care background, a characteristic providers should keep in mind during the attestation process. He also expressed disappointment that the software, despite coming from a certified vendor, did not correspond to the auditing program’s requirements. “The vendor had no idea what we were going to be asked [to document to prove] that we had actually used their system appropriately,” Ricks said. If that information had been provided, Beaufort would have had a better sense of what kind of information it would have to provide. “That was a huge failure,” he added, “and I think CMS has realized that since then.”
The CMS emphasizes that it is the provider’s responsibility to supply documentation backing meaningful use and the clinical quality measures data used for attestation. This includes saving any electronic or paper documentation that supports the values entered in the attestation module for clinical quality measures.
While Ricks wasn’t surprised by the fact Beaufort was audited, the “depth of the questions asked” did take him aback. Saving information and having it readily available will make surviving an audit a lot easier, he noted. “You can never have too much documentation,” Ricks said. “I’ve talked to people since [our audit] who saved even more information than I had saved, and I think they did the right thing. And I’ve talked to people who’ve saved less, and they haven’t been audited. But I think you can’t save too much.”
Kreofsky recommends organizations establish solid and timely audit response plans. “You want to make sure that all who are involved are clear on their roles and responsibilities, [and that you can] centrally manage the process,” she says. “And put in place internal checks and balances to help ensure the subtle nuances of meaningful use requirements aren’t missed.”
— Mike Bassett is a freelance writer based in Holliston, Massachusetts.