In case it wasn’t clear before, everyone should be aware that CMS Meaningful Use Incentive Program audits are going on – both pre- and post-payment, and be prepared in case they call your name. CMS has announced it will audit up to 5% of providers claiming Meaningful Use incentives after January 2013. And recently, several hospitals returned incentive payments, announcing they had not earned the incentives after all as a result of their own internal audit processes.
Documentation about the CMS Meaningful Use Incentive Program Audits is available
CMS has published two relevant documents on its website, one containing an overview of the CMS Meaningful Use Incentive Program audits process and the other describing the supporting documentation providers should develop and maintain in case they receive an audit notification.
The overview of the CMS Meaningful Use Incentive Program audits process is pretty straight forward. Providers receive a letter requesting documentation to support their attestation data for the applicable meaningful use incentives, and in the case of hospital eligible providers, documentation supporting their payment
The supporting documentation guidance is much more extensive. The key to undergoing a successful audit is the documentation you have accumulated while you were monitoring your performance with respect to Meaningful Use objectives, including those objectives which have Yes/No answers. Make sure you know how to run reports to monitor your MU performance frequently during the reporting period, and that you know how to download these reports. If you are not sure how to run the reports, ask your vendor – early!
Review the Meaningful Use reports from your EHR software
Meaningful Use reports should show:
- the numerator and denominator for each objective that has a numeric performance measure,
- the time period covered by the report, and
- evidence that it was prepared for the specific provider, by name or some identification number like the NPI number.
For attestation in 2013, Eligible Professionals (EPs) must report on all 13 Core measures. Six of the 13 Core measures have potential exclusion criteria, so make sure you fit into one of the exclusion criteria if your practice does not plan to achieve the performance level for a specific measure/objective.
In addition, EPs must report on 5 of 10 Menu objectives, including at least 1 public health measure, again subject to exclusions.
If your system cannot generate reports with specific time frames, plan to save a copy of the report you generate for the attestation period.
HIPAA Risk Assessments – something the software cannot do!
And don’t forget about Core Measure 13, the requirement to perform a HIPAA Risk Assessment. This is not an activity that the software vendor can do for you. The risk assessment required by the HIPPA Security Rule provides guidance in four areas:
- A risk analysis where you evaluate the vulnerability of your systems to internal and external threats of compromise;
- Developing a plan to implement changes to reduce or eliminate the vulnerabilities identified;
- Developing policies and procedures on worker sanctions for violations; and
- Developing procedures to review system activity from time to time.
The HIPAA Risk Assessment must cover the EHR system your practice is using to achieve meaningful use, and must be completed during the attestation period. Corrective actions can be completed after the attestation period, and you must have a copy of your risk assessment on file for the audit.
Documenting non-performance based objectives
Documentation for other non-performance based objectives is also important. In an audit, the auditors will be looking for documentation that the capability required has been available (and in use) during the entire reporting period. To do that, it is necessary to produce the documentation at the beginning of the reporting period and at the end. Different vendors will have different methods of documenting implementation of these objectives so again it is important that you investigate how to accomplish the documentation early – before the attestation period, in fact.
The CMS Meaningful Use Incentive Program audits process is designed to let you submit documentation electronically, but the auditors may ask for additional documentation, including medical records, and may perform a site visit to see a demonstration of the use of the EHR system.
It should be evident by now that getting a letter announcing you have been selected to participate in the CMS Meaningful Use Incentive Program audits is serious business. Just like an IRS audit, it must be taken that way, but with proper preparation, it is easily possible to pass the audit – and keep your incentive payment!