With the news that CMS has started conducting pre-payment audits to monitor meaningful use payments, some providers have been worried about what it means if they get a letter in the mail. Below, Rob Anthony, Deputy Director of the HIT Initiatives Group, Office of E-Health Standards and Services at CMS, discusses how CMS is handling its EHR audits of potential meaningful users, and to give some tips to providers about what to have on hand if an auditor comes knocking on the door.
What’s the purpose of meaningful use audits, and how do they help CMS and providers?
As a government agency, we do an audit for anything where we’re disbursing funds. We obviously want to be sure that the right people are getting paid who should get paid, and that people have done what they said they did. So we take the oversight of the payment pretty seriously, and a robust audit program is really an essential component of that oversight. And really, the purpose of the audits is partially to detect inaccuracies in things like eligibility or reporting and payment information, ensuring that the providers who are participating in the Medicare EHR Incentive Program are only receiving payment if they successfully demonstrated meaningful use and met the other program requirements.
But also, as we’re moving into years where the payment adjustments take effect, we’re moving into a time where providers, if they’re not meaningful users, will receive payment adjustments. So we want to ensure that, as we move forward, everybody who is actually attesting to meaningful use is really a meaningful user so that they can avoid those adjustments moving forward. Incentives are great, but we want to make sure that people aren’t subject to those payment adjustments when they don’t have to be.
The OIG made some strong recommendations last year about how CMS should improve their oversight of EHR Incentive Payments. How are you addressing these concerns?
We’ve instituted the pre-payment audit program, after initially only doing post-payment audits. It should be noted that at the time the OIG report was initially compiled, we really were at the very beginning of our audit program. We were really just establishing the audit protocols that we use to determine what documentation to ask for, what to look for, and how we go out and talk to providers, so we really didn’t have a developed audit program at the time those recommendations were released. As we have moved forward, I think that we have been able to really figure it out.
We do both random and targeted audits, and we’ve figured out the type of things that are anomalous and raise a red flag for us to start taking a look at, so that allows us to be much more robust in our oversight. And now, with the introduction in January of the pre-payment audits, we’re doing that random and targeted check of providers to look at their attestation before they actually receive payments. We think that appropriately addresses the OIG recommendations.
What are some of the things you look for, and how can providers satisfy the audit requirements?
We can’t really tell you exactly what we’re looking at, because it’s an audit program. But I can tell you one of the primary areas to look at is documentation. This is an attestation program, and when we come to look at someone, we want to see that they have documentation that supports the attestation information that they entered. And that’s why we’ve released the documentation guide on our website that goes through each of the objectives and gives a suggested documentation example, whether that’s a screenshot from a certified EHR system that’s dated, or whether it’s a report for your clinical quality measurements.
Make sure you have that type of documentation on hand. I always tell people that when you go through and attest, not everybody’s system is able to provide a snapshot in time. Not everybody’s system is able to go back to the date you attested and show what the data looks like. They may have a system that has rolling data, which means that information that you’ve entered long after the close of the reporting period could actually affect the measurement that your system does when you make a subsequent report. So I always suggest that providers make a print or electronic copy of the actual report that they used for attestation so they can show those numbers when an auditor requests supporting documentation.
The other area that I can say where there’s great confusion is the security risk analysis. We always suggest they make sure they know what they have to do as part of a security risk analysis with their EHR system. A lot of people don’t realize that analysis is the same type of thing that they should be doing under HIPAA for all privacy and security. This one is just specific to their EHR system. So familiarize yourself with those HIPAA requirements, make sure you have some type of security risk analysis specific to your EHR, and be sure it’s dated. And be sure that if you have not been able to address all of the concerns raised in the risk analysis, that you at least have a plan to address those concerns.
What advice do you have for providers who might be nervous about the audit process?
I’ve talked to several vendors and consultants, and they tell their clients this same thing: make sure that you enter the accurate information. Make sure that you have the documentation to support it. If you have those things, then you’re a meaningful user, and you don’t have anything to worry about. This is one of those areas where prevention is truly the best way to address this. So just make sure that you have the documentation ahead of time. The information we’ve put out on supporting documentation is a great place to find out what you need and what has to be there. Make sure everything is dated and that it specifically shows that it’s for you. You should have your NPI or provider name to show that this is evidence that supports your EHR system.
Source: www.ehrintelligence.com; Jennifer Bresnick; April 15, 2013.