Is Your Organization Ready for a Meaningful Use Audit?

14M02 MLH Using-Stark-Anti-Kickback

Scenario: General Physician Medical Group (GPMG) has recently completed the implementation of an enterprise electronic health record (EHR) solution, has attested for Stage 1 of meaningful use (MU), and is now preparing for other quality initiatives, all while facing the challenges of declining reimbursement, increasing regulatory pressures, and healthcare system transformation. The GPMG chief executive officer (CEO) just received a letter from Figliozzi & Company, Inc., requesting additional documentation to substantiate that GPMG providers legitimately met the core and menu sets of MU requirements. A panicked scramble begins as staff attempt to collect and organize information that no one has reviewed in months.

The situation facing the GPMG CEO is an increasingly common one for health system executives across the country. In many cases, these executives incorporated the incentive funding into previously approved budgets; the money may well have already been spent in support of new quality initiatives, enhanced technologies, or increased staffing. Future payments can be delayed if an audit is not successfully completed in a timely manner, and if the organization does not pass the audit, payments can be canceled altogether and previously collected monies will have to be paid back.

This article seeks to establish accurate expectations for the MU audit process and outlines the best practices for successful preparation for such an audit.

Audit Background

Providers who have attested to receive an EHR incentive payment from either the Medicare or Medicaid incentive programs are subject to audits performed by CMS or by the state Medicaid agency, depending on the program attested to by the organization. CMS awarded accounting firm Figliozzi & Company a contract to audit payments and compliance with the agency’s EHR Incentive Programs. Figliozzi & Company or Medicaid will inform the audited organization and/or providers of any noncompliance that is identified. CMS will ultimately evaluate the evidence in order to determine each meaningful EHR user’s eligibility to collect or retain funds. For example, if an organization attested to Medicare for 100 eligible professionals beginning in 2012, as much as $1.8 million is at risk for that year, plus another $1.2 million for 2013, pending the results of the audit. It is critical that everyone be prepared, because although some organizations may be intentionally audited as a result of discrepancies or other “red flags” in their attestation information, others are randomly selected. Therefore, everyone has an equal chance of being audited.

Getting Organized

Organizations should be prepared to provide material with very little notice, even within a few days of contact from the auditor. It is also not uncommon for the auditors to perform several rounds of review for materials, which may cause the audit to be prolonged for months. Thus, establishing a process to track the audit materials is critical so that they can be supplied quickly and offer no reason for the auditor to initiate further reviews. More specifically, develop a master folder structure in a secure network directory. The folder hierarchy should contain general eligibility, registration, and attestation information, including the EHR certification number, documentation for each individual measure, and audit policies and procedures for populating and maintaining the folders.

Compiling the Documentation

An MU audit will include a review of documentation to support the information that was entered during the attestation process. The level of the audit review may depend on a number of factors, making it impossible to develop an all-inclusive list of supporting documents. In lieu of this, it is recommended that organizations and providers err on the side of caution and maintain comprehensive information to substantiate the performance for every measure. It has even been cited that source code is required to prove certain actions were taken in the system during the reporting period. At a minimum, organizations should provide clearly identifiable reports from the certified EHR system or other documentation if a specific report is not available. Compiled documents should include:

  • Start and end dates for the full 90 days (which may not be the same as 3 calendar months) of the initial period.
  • Numerators and denominators for each measure, even in the case of exemption.
  • Evidence that the numerators and denominators were generated by the certified EHR.
  • Successful registration and attestation screenshots.
  • Proof that functionality exists for yes/no questions and evidence that the functionality was enabled and utilized during the reporting period.
  • Confirmation of a security risk analysis and implementable solutions, especially those that follow National Institute of Standards and Technology guidelines.
  • The rationale and supporting documentation for any exclusions.

Additional documentation should be available for the following measures:

All audit documentation should be kept on hand for a minimum of 7 years. If an organization is audited, all correspondence and information from the process should be added to the repository, because providers are still subject to additional audits, possibly even in the same year.

Creating a successful MU audit process requires diligence during and after attestation but will allow providers and organizations to be confident that they can continue with the quality and technology projects funded by the EHR incentive programs. In order to focus their attention on achieving the benefits that come with these types of initiatives, health systems need to avoid the distraction and stress of an MU audit by preparing for one proactively.