But when the government disburses $20 billion in incentives, there will be strings attached, and those strings have come in the form of post-payment audits. Approximately five percent of Meaningful Use participants who have received incentive money will be audited via CMS's contractor, Figliozzi and Company. According to recent statistics released by CMS, since 2011, it has authorized more than 10,000 audits on more than 265,000 attestations by EPs (this does not include audits of eligible hospitals), and more than 25 percent of those audits have resulted in failure. Failure is expensive. A failed audit requires return of all incentive money received for that audit year - in other words, no partial credit for partial compliance. The most common areas of failure involve failing to conduct proper data risk assessments, per Core Measure 15 (meaningful use regulations require these assessments in addition to those assessments performed to comply with HIPAA regulations), and failing to keep adequate documentation that support attestation. Relying on the vendor's certification and its retained system data alone will not be enough to survive the audit. So what can an EP do to be ready for the audit letter when it comes? The best weapon is anticipation.
Upon receiving notification of the impending audit, the EP will generally have two weeks to submit responsive data. Although certified EHR systems have the capability to produce information reasonably fast, and all clinical quality measure data must in fact be reported directly from the EHR system, certified systems do not always provide the complete picture. Supporting documentation can and should be available from other sources. It is important to be able to quickly produce not just the attestation data, but all source data that was relied upon in making the attestation. According to CMS, reports from all sources should demonstrate at a minimum the numerators and denominators used in all calculations, the timeframe of the reporting, and evidence to support that it was generated for that particular provider. CMS acknowledges that certified EHR systems cannot always limit reporting periods or properly support non-percentage based objectives, and so it is important that other documentation be maintained for the auditor's review.
If the EP has anticipated his/her "burden of proof," so to speak, the chances of a successful audit are greatly improved. For example, did the EP attest that he/she writes fewer than 100 prescriptions a month to apply a MU exclusion? If so, what documentation proves it? Did he/she attest that more than 60 percent of medication orders were done via computer entry? If so, what source documents will demonstrate the numerator and the denominator values for that calculation? Was there a successful electronic submission of public health information? How can it be proven? Approximations and assumptions won't be enough to survive the audit. The following tips, when done before the audit letter arrives, gives the EP a fighting chance:
- Keep all source documentation for a minimum of six years
- Ensure proper paper exists to support the "yes/no" attestations
- Work with IT to access and preserve general system data and audit trails. For example, when was the "generate patient lists by condition" function turned on? When was a function toggled from no to yes?
- Use screen shots to document point-in-time entries, specific reporting periods, and successful submissions where possible
- Perform routine gap analyses and audits internally. Know your weaknesses before CMS does!
- Be ready to prove the negatives. Zero patients requested copies of medical records during the reporting period? What documents support that?
- Be duplicative where needed and maintain separate compliance files. A system security analysis under HIPAA will not qualify as the system security analysis under Core Measure 15.
- Every attestation should have documents to support it.
Remember that one failed element equals a failed audit. A failed audit will result in repayment of all incentives received for that audit year. Successful navigation of the Meaningful Use program is about more than just meeting objectives and figuring out the attestation process, which admittedly was challenging enough. At the end of the day, it is about keeping the money that was earned. Anticipating the audit and its pitfalls is a critical component to surviving the regulatory land mine of Meaningful Use.
Jackie Trimm practices in Burr & Forman's tort trial and insurance practice group, with an emphasis on health care litigation.