Meaningful use audits are a growing reality for health systems. In October of 2013, close to 100 of the 1,400 provider organization members of the College of Healthcare Information Management Executives received meaningful use audit notices. In March 2013, CMS announced that 5 to 10 percent of eligible professionals will be subject to pre-payment audits before incentive payments are made. Meanwhile, a health system recently returned $31 million in MU incentives to CMS and Medicaid agencies because it had improperly received the payments.
Greater challenges for health systems
The MU audit escalation is of particular concern for health systems with numerous providers and complex organizational structures. They are especially vulnerable to being audited and failing an audit. Often a health system has not created an audit response team in advance. It is simply not prepared to address the sudden appearance of the initial audit information request. This request must be submitted within two weeks. The scramble to collect information from across the organization is inefficient, disruptive and often incomplete. In many cases, staff turnover since the attestation in question leaves holes in the response. This has resulted in CIOs hoping that auditors will grant extensions of the deadline. Furthermore, every attestation in every year of the MU program is subject to audit up to six years after the attestation date. With this increasing complexity, how do health systems continuously reduce both the risk of being audited and of failing an audit when one occurs?
Likely audit triggers
Although only CMS and the Medicaid agencies know the precise algorithms and criteria which trigger an audit, some useful clues have emerged, such as on a conference call led by the MU auditor Figliozzi and Co. and hosted by the Office of the National Coordinator for Health IT in November 2013. Eligible providers with a potentially higher risk of being audited have some or all of the following qualities:
- Measure values with several standard deviations from the norm
- Measure improvement trends that seem too fast relative to when the provider adopted an EHR
- Measure data anomalies (such as different denominators being the same or different when the opposite is the norm)
- Being at a large organization receiving large incentive checks
- Figliozzi also highlighted that audits can be triggered through pure random sampling of organizations
Best practices for reducing the risk of triggering an audit
- Check for data outliers or anomalies as outlined above prior to attesting
- Continuously seek information or guidance on how recent audits have likely been triggered
Note that triggering criteria likely varies over time and across audit types (e.g., pre-payment versus post-payment audits and Medicare versus Medicaid audits).
Reasons for failing an audit
Incorrect reporting of percentage-based measures has led to the greatest percentage of failed audits to date. Failed audits due to incorrect or insufficiently substantiated 'Yes/No' measures are the second most frequent cause. At least one organization has had every provider audited, likely due to a single provider having been investigated by CMS in the past for possible fraud. Although the above points are for MU audits of eligible providers, one might consider some or all of these to be relevant to audits of hospitals in analogous ways.
Reducing the risk of failing an audit
It is best to assume that a health system will be audited anytime within six years after each attestation. Prepare accordingly:
1. Create an audit response team before an audit occurs. With an initial response required within two weeks of receiving an audit notice, avoid trying to recruit a response team after the fact. Designate a team and refresh if there is staff turnover.
2. Continuously monitor your MU registration email account. Alarmingly, some CIOs have seen an audit notice only after it has languished in an email inbox for weeks. CMS emails audit notices to the email address entered during the MU registration process, so keep monitoring it.
3. Understand the different documentation requirements across different audit types. Pre-payment and post-payment audits have so far required different sets of documentation which is the same for Medicare versus Medicaid audits. Preparation for one type of audit does not automatically mean readiness for any other type of audit. Do the homework and seek advice.
4. Collect and store documentation comprehensively supporting every attestation. Collect and securely store documents, preferably electronically, in a way that's easy to understand and quickly accessible, even in the absence of all your MU program staff at the time of audit. Start with CMS' online guide and FAQs on audit documentation, and also consider including these artifacts, as gathered from real field experience with audits:
- Original electronic health record MU reports with the vendor's logo and date-time stamp reflecting the exact numerators and denominators attested (note that historical data can change over time due to late signatures, etc., so capture those reports as soon as possible after the reporting period is completed)
- EHR screenshots supporting certain 'Yes/No' measures, such as drug-drug interaction checking being enabled
- Calculation methods used to determine hospital and provider payment amounts and eligibilities
- As much supporting documentation as possible related to the security risk assessment, as this has been a key point of audit vulnerability for health systems
- EHR certification IDs and other proof, such as documentation of deployment dates, that the EHR and other MU-certified modules used during the reporting period were indeed certified versions for the relevant MU stage
- Emails from public health agencies confirming that public health information measures were met
- Export of EHR preference settings directly from the EHR that can support documentation of certain 'Yes/No' measures
- Augmentations to documentation for FY2011-2012 attestations performed prior to today’s best knowledge of how to prepare for an audit
- Documentation and auditable support of data imported from a new provider’s previous organization to support that provider’s attestation, (e.g., proof that clinical decision support was enabled on that provider's old EHR)
5. Seek continuously updated and expert advice on MU auditing. Consult your EHR vendor, consultants or knowledgeable audit experts who constantly monitor changes in MU audit requirements and what’s happening in the field. The six-year, post-attestation window for an MU audit requires consistent vigilance and preparation.
Tom Lee is the CEO and founder of SA Ignite, which provides an enterprise cloud platform for automating meaningful use reporting and attestation for eligible providers. He previously helped establish the Chicago Health IT Regional Extension Center after 15 years in leadership roles in Fortune 500 and startup IT companies in Chicago, Silicon Valley, and China. He earned a BS from Stanford, a PhD in physics from U.C. Berkeley, and an MBA. with distinction from the Kellogg School of Management at Northwestern University. Contact him at tom@saignite.com.