MU Audits Are Coming

Ask Joy: This Week – Meaningful Use Audits – Prepare Yourself

One of the most common questions I hear from doctors is when they’re getting ready to submit their Meaningful Use attestation is, “How fast will I get paid?” While this question is certainly important, an equally important question is, “Are you prepared for an audit?” Well, are you?

I say this because times have changed. Back in 2011 and 2012, CMS would produce checks right after an Eligible Professional (EP) submitted their attestation and then perform an audit on 5-10% of those submitted. Starting in 2013 though, they updated their policy and are now auditing 5-10% of EPs before they send out the payment. So, with this week’s question, we’ll go over everything you need to know so you can be audit-ready before you press “submit.”

My practice is ready to attest our first year of Meaningful Use Stage 1. What are my chances of getting audited before CMS sends payment and how can I be prepared?

Congratulations on starting your journey up the MU mountain. Now, let’s make sure you’re prepared for event that you’re one of the lucky practices to get audited before CMS sends out your incentive payment. First, know that pre-payment audits will apply to 5-10% of attestations and they are initiated both on a random basis and based on protocols that identify suspicious or atypical attestation data.

The Office of the Inspector General (OIG) incentivized CMS to increase the number of thorough MU audits and CMS used that incentive money to contract with Figliozzi & Co., a company specializing in auditing healthcare facilities to determine compliance with CMS regulations. So, should you get chosen, you’ll receive an initial email from Figliozzi & Co., with a list of questions asking for proof on specific objectives. They probably won’t ask for information on every single MU objective, but you should be prepared for that scenario, just in case. It will be your responsibility to provide the requested documentation within 14 days by uploading it to their online portal.

After you submit your supporting documentation, they may send a team of three or four people to your site to conduct an even more detailed look into your documentation. They may want some or all of the following information:

  • Proof that you are using a certified EHR
  • Documentation that shows that, during the reporting period, at least 50% of patient encounters were entered into the EHR
  • Supporting documentation, in both paper and electronic format, used during the attestation including:
    • numerators/denominators, for for both Core and Menu Set Objectives/Measures
    • the time period the report covers
    • evidence to support that it was generated for that EP
  • Proof that a security risk analysis of the certified EHR was performed prior to the end of the reporting period
  • Proof that certain features (i.e. drug-drug/drug-allergy interaction checks) were available, enabled and active in the EHR system for the duration of the reporting period

If even one measure is not documented, an EP may fail the audit.

Here are some tips to make sure you’re ultra-prepared:

  1. Run the MU Report for each EP. If all the percentage-based measures have the same denominator, your attestation may have errors. Objectives measure different patient populations, so each set should not be identical.
  2. If your EHR does not have the capability to show that certain yes/no functions, such as the drug-allergy interaction check, was turned on during the reporting period, save one or more screen shots that are dated from the attestation reporting period.
  3. As for security risks analysis, HIPAA requires it every two years while MU requires it each year. This is certain to trip up some EPs. Documentation on your security risk analysis needs to be dated and specific to the reporting period. The auditors pay particular attention to this objective as more than 50% of EPs who attest do not meet this measure. They look to see if the organization conducted a risk analysis and more importantly to check if it remediated what they found.
  4. Make sure that everyone involved in the MU attestation is clear on their roles and responsibilities, so that should an audit take place, you can manage the process. It would be prudent to have internal checks and balances to ensure that none of the MU requirements are missed.

Your best course of action is to be proactive. Perform a self-evaluation before submitting your attestation, making sure you’ve covered your bases.

Remember, you must keep records of your attestation documentation for up to six years after submitting. The depth of the auditor’s questions may be significant, since many of the folks auditing do not have a healthcare background. Go in with the frame of mind that you can never have too much documentation.

If you have already submitted your MU attestation and find any errors during a self-evaluation, make sure to report any findings to CMS before you are audited. In the event that you find problems with your attestation, the impetus is on you to withdraw it and return any incentive money that you received.

Post-payment audits are still being conducted to 5-10% of EPs. If your organization is found deficient at the end of an audit, 100% of the stimulus funds must be refunded to CMS, even if you plan to appeal. If it’s determined that an EP attested fraudulently, CMS warns that punishment could include imprisonment, large fines, or both.

Good luck! You’ve got momentum and I wish you success on your progress. Getting prepared for an audit now will put you in the best place should you be part of that 5-10%.

About the Author: Joy Rios has worked directly with multiple EHRs to develop training programs for both trainers and practice staff. She has successfully attested to Meaningful Use for multiple ambulatory practices in both Medicare and Medicaid. She also authored the Certified Professional Meaningful Use course for www.4Medapproved.com. Joy holds an MBA with a focus in sustainability. She is Health IT certified with a specialty in Workflow Redesign, holds HIPAA security certification, and is a great resource for information regarding government incentive programs.Ask Joy is a regular column on 4Medapproved HIT Answers.