By the end of 2013, CMS (the Centers for Medicare and Medicaid Services) had provided nearly $20 billion in meaningful use incentive payments to physician offices. However, as the CMS approaches its budget limit of $27 billion, evidence that it is implementing a greater number of audits is mounting. Doctors and health administrators should assume that the chance of being audited is going to be higher than normal in 2014. Consequently, they should begin preparing for a potential audit as soon as possible.
To continue receiving meaningful use funds from the CMS, providers must prove that they are “meaningfully” or resourcefully employing their electronic health records by reaching specific objective thresholds described and established by the CMS. Audit increases are a way to better regulate fund allocation and recoup funds from non-compliant members of the meaningful use program. In addition, the growing number of audits may also be attributed to past criticism by the U.S. Department of Health and Human Services regarding the inability of the CMS to avoid doling out improper payments.
7 Strategies to Avoid Problematic Audits and Ensure Receipt of Meaningful Use Payments
1. Never assume you won’t be audited. Contact your state’s meaningful service manager to obtain copies of documents routinely requested by auditors so that you can remain fully prepared in the event of an audit.
2. Prompt, agreeable compliance with audit demands are necessary to streamline the auditing process. According to attorney Daniel Gottlieb, who works for McDermott, Will and Emery, LLP, in Chicago: “Getting angry at auditors is not helpful. Believe it or not, we know that the CMS wants to award meaningful use payments rather than withhold them simply because they want to encourage use of EHR”. Further, physicians should also be aware that auditors expect a response within 14 days of receiving a notice of audit.
3. Physicians should take the initiative to verify that all necessary documentation has been submitted instead of solely relying on practice managers. Blind assumptions concerning expected responses to audits by the CMS means that doctors are risking the viability of their corporation or entity as well as their own integrity.
4. Perform your own “pre-audit” by looking for discrepancies in your documentation. CMS auditors diligently search for discrepancies between submissions made during the process of attestation and what actually took place. All physicians audited must provide these documents: certification of the EHR system used to address meaningful use requirements; documentation indicating that menu objective data, core and quality measure were accurate; and proof that a thorough assessment of security risks was conducted in addition to the drafting of a correction action plan.
5. Establish certification of your EHR by acquiring documentation from all vendors that confirms the version of the electronic health records system they are currently using. Vendors may not realize that certain older versions are not certified and may be considered invalid by CMS. Physicians can visit the Office of the National Coordinator’s website to find a list of EHR products that have been certified. Additionally, physicians should routinely monitor system upgrades that are performed automatically to make sure changes due to upgrades do not affect certification of their system.
6. The key to a successful audit is complete documentation. This means having auditable sources that contain information used for the registration and attestment of meaningful use audits. When objectives need reports generated that involve denominators and numerators, they should also contain supporting records that show the accuracy of the denominator and that numerators have met expected thresholds. In order to prove the accuracy of denominators, cross-referencing with patient management systems (PMS), patient population documentation is often necessary.
7. Follow through with a security risk assessment or risk analysis. Although doctors’ practices should already have a risk analysis in place, “Most physicians are not aware that conducting a formal CMS guidelined security risk assessment is Meaningful Use Core Measure requirement number 15” states Jim Tate of EMR Advocate.
He goes on to say: “The goal of the objective, laid out in NIST Special Publication 800-30, is to guard the confidentiality, availability, and integrity of the electronic health record”. The requirement is now undergoing more scrutiny due to the robust CMS EHR Incentive Program audit program instituted by CMS”.
Failing to perform a risk assessment may put you at risk of remitting incentive money. In addition, the U.S. Department of Health and Human Service’s Office for Civil Rights can penalize physicians for remaining non-compliant with new HIPPA rules.
Last Updated on