An Interview with Jim Tate
The following is an interview by Steve Spearman, Founder and Chief Securityfor Consultant Health Security Solutions and is republished here with permission.
Jim Tate is known as the most experienced authority on the CMS Meaningful Use (MU) audit and appeal process. His unique combination of skills has brought successful outcomes to hospitals at risk of having their CMS EHR incentives recouped. He led the first appeal challenge in the nation for a client hospital that had received a negative audit determination. That appeal was decided in favor of the hospital. If you are a hospital with questions or concerns about the meaningful use audit process, contact him at: audits@emradvocate.com . You can also find out more about Meaningful Use audits and appeals at Jim’s website.
Steve: This is Steve Spearman with Health Security Solutions. I have on the phone Jim Tate. I don’t think it’s an exaggeration to say that Jim Tate may be the foremost expert on Meaningful Use in the country. He has helped dozens, even hundreds, of electronic medical record vendors become certified for Meaningful Use, as well as people on the clinic and hospital side understand and comply with the Meaningful Use requirements. Welcome, Jim.
Jim: Thanks, Steve. Glad to speak with you. This is an area dear to my heart, and I’m really an advocate for the provider side. There’s a lot of confusion around the Meaningful Use incentives, security risk analysis, all those sort of things, so I’m looking forward to speaking with you.
Steve: Let’s start by talking about the audit program. We will assume that most of our listeners know what Meaningful Use is, but there was a part of the Meaningful Use legislation that was designed to prevent fraud and abuse. What can you tell us about that component?
Jim: The whole incentive program was an attempt to stimulate the adoption of electronic health information technology. Legislators figured the best way to do that was with a series of incentives which can be pretty substantial to providers and run into the millions of dollars for hospitals. Then down the road there would be penalties or fee adjustments if they don’t attain Meaningful Use with certified electronic medical record technology. In giving out this money and incentives, the law had provisions to provide oversight to make sure entities were actually meeting the requirements to earn that money because attestation for the incentives is based on an honor system. The audit program was put in place to audit at least 5% of providers. Those audits took place, originally, after incentives were received. Although now they’re also doing pre-payment audits. So the audit program is an attempt to provide oversight and to make sure those funds are going where they’re supposed to be going.
Steve: So when did the audit program start and how has it evolved over time?
Jim: The incentive program began back in 2011, the first year any incentives were received, and we’re about two years into the actual audit program. The initial audits were targeted post-payment, after the incentives were received. For those individual providers or hospitals that received those incentives, they were emailed an audit engagement letter, if they’re a Medicare provider, from Figliozzi and Co., the contractors that won the contract to do Meaningful Use audits. This email asks for a lot of the information and documentation. The Office of the Inspector General at that point in time said “Oh, that’s not quite good enough. We need to make sure that we start doing some pre-payment audits.” So as of last year, they started doing pre-payment audits. So you might attest for the incentives, but before you even receive your incentive, you might be audited.
One thing that has changed quite a bit is in the early days of auditing, a couple of years ago, it was a new program, so it took maybe a good six months for the auditors to get their process down, to get a lot of clarification on what type of documentation they needed, and to really wrap things up. Now most of the wrinkles and bugs have been worked out of the audit program and the appeal program. If you fail the audit, you can appeal that, not to Figliozzi and Co., but to CMS itself. And so the whole process is much more streamlined and I think everybody has certainly heard of someone who has been audited, so it’s very, very common. A year and a half ago, we rarely heard about it, but now everybody knows somebody. Every vendor has heard of some of their users who have been audited.
Steve: What’s been the biggest problem area for eligible providers and eligible hospitals?
Jim: Well, that’s a really good question. In my experience, and in speaking with some audit personnel for eligible professionals, again these are doctor’s offices, ambulatory clinics, psychiatrists, chiropractors, that whole group of ambulatory care, I would say without a doubt, the number one weakest link when you’re audited is a security risk assessment. This is a core requirement, it has to be done, it has to be reviewed every year, and it has to be documented. And this is the way, since we’re dealing with electronic health information, to make sure that there is some type of security and privacy around that protected personal health information.
But there is a lot of confusion about what a security risk assessment is. Many vendors don’t understand it. There are giant knowledge gaps. And so during the attestation period and process, you’d be asked to fill in the form, and the form would say “Did you perform one of these security risk assessments?” and you’d check “Yes” or “No”. No documentation was required, so many would check “Yes”, thinking that maybe because they had a certified electronic health record that meant they were okay. And they still may think they’re okay, but when they’re audited, the auditors want a copy of that documentation. It’s not just a simple little checklist. There’s got to be review of workflow, hardware, software, and number of technical issues, to identify security risks to make sure we don’t send out easy access to that electronic health information. So for the professional, I’d say, definitely, a security risk assessment is the biggest area of failure of an audit. After the fact, you can’t go back and re-create it. It has to be done during that reportable period.
I’ve also worked with quite a few hospitals that have been audited who have really had troubles with the security risk assessment. Either they didn’t have proper documentation or it could have been a smaller hospital that attested back in 2011 or 2012, and again, there’s a knowledge gap, not the willful omission of these items. Also in hospitals there’s a lot of confusion about how to include emergency department and observation patients in their meaningful use calculations, so that’s also a confusing area for a lot of the hospitals that is often misunderstood.
Steve: So I assume you’re of the mind that a hospital shouldn’t wait until they get a letter to prepare for an audit. If so, what do clients, hospitals, and providers need to do to get ready for the event that they get an audit letter?
Jim: Yes. Well, certainly preparation ahead of time is the important thing. There are a lot of resources available on the web. Many eligible professionals take advantage of their medical associations or their regional extension centers that help professionals really understand not only what meaningful use is, but how to document compliance with meaningful use, how to save that documentation in case of an audit, and what that security risk analysis is and how to preserve that documentation. In the case of a hospital or hospital system where there’s so much at stake, I would recommend that they, either internally or externally, have somebody come in and do a mock audit. The reason I say that is because hospitals, even small hospitals, attesting between 2011 and 2012 got over a million dollars each. Some hospitals got over $4 million dollars. A slight misunderstanding or misinterpretation for attestation (what core and menu measures to attest to) could put that incentive 100% at risk. So since there’s so much at stake for hospitals, I think it just makes sense for them to have some other people take a look at their existing documentation for past attestations to make sure everything is okay, as in a mock audit. Even if some things are found that are maybe out of line a little bit, it’s possible to do some mitigation and get things back into line. So a fresh set of eyes should go through everything. No doubt about that.
Steve: I know audits are one of the services you provide, but if an organization is going to do it internally, would you agree that you don’t want the same people doing the mock audit that actually did the attestation?
Jim: That’s exactly right. What I’ve seen previously is maybe someone for a hospital did the attestation and they got the incentives back in 2011. Now they’re getting audited for what happened two years ago, and those people are not there anymore. Somebody really needs to know that all the information is not in somebody’s head who might leave. Hospitals need to know that documentation exists, it’s easily accessed, and it’s going to be easy to provide to the auditors. They also need to know the decisions that were made as to why certain measures were chosen, why they were excluded, and where the documentation that supports those exclusions is located. So it’s one of those things where you really can’t audit yourself. Somebody else has to do it. And a large hospital maybe will have the staff to do it internally, but they have to rely on their own knowledge and not the knowledge of people who did the actual attestation and provided documentation. We really want a mock audit to mimic a real audit as closely as possible.
Steve: Well thanks for all the information, Jim. I understand you have a webinar on Monday, being sponsored by HIMSS around this program, best of luck with that.
Jim: Thanks so much, always good to talk to you Steve.
Jim Tate’s upcoming webinar on Meaningful Use Audits and Appeals for Hospitals takes place this Monday, March 31, 2014 at 3:00 pm EST. This hour-long webinar will help educate participants about how to avoid or appropriately respond to an audit.