7 ways to prepare for a meaningful use audit

The best way to get ready for a meaningful use (MU) audit of your practice is to assume you will be audited and prepare accordingly.

Here are seven strategies your practice can use to make sure you meet all the requirements of the MU program should the auditors come calling, and ensure you can keep the incentive money you earned.

1: Assume you’ll be audited

The best thing a physician can do to ensure an audit goes well is assume they will be audited before they attest and prepare for it. Because some physicians are chosen for audits at random, there is no way to completely eliminate the possibility of being audited.

“However, by verifying the physician meets the specific requirements for meaningful use program participation … and keeping records of the registration/attestation processes and documentation-for at least 6 years-the physician will have a solid foundation for responding to the audit,” says Laura Kreofsky, principal of Impact Advisors, a Naperville, Ill.-based consulting firm.

2: Respond promptly

Complying with the demands of an audit means accomplishing a long list of tasks. But there are also things physicians should avoid doing. Getting angry at the auditors tops the list of Daniel Gottlieb, JD, partner in the Chicago-based law firm McDermott Will & Emery LLP.

It’s also important to respond right away after receiving an audit letter. Getting the necessary documents in order can be a time-consuming process. Auditors generally allow 14 days to respond to an audit notice.

Physicians nshould ot to engage the auditors on their own, outside of the document exchange. Often, physicians mistakenly believe that information presented during an offline exchange with the auditors satisfied a particular request; then they get penalized for failing to send the required documentation.

Many also make the mistake of responding to certain document requests with only a statement, according to Gottlieb.

3: Take charge

Many small practices leave the legwork of meaningful use to practice managers. While it is good to have some level of trust in the practice manager or whomever is in charge of the legwork, it’s always smart for physicians to verify for themselves that the work is being done and not simply assume.

NEXT PAGE: Avoiding discrepancies and EHR certification

4: Avoid discrepancies

The auditors are looking for discrepancies between what was submitted during the attestation process and what was actually done.

Every physician who is audited must produce the same documents, which fall into these three categories:

• Proof that the EHR system used to meet meaningful use requirements is certified.

• Documentation that quality measure, core, and menu objective data were accurate.

• Proof a security risk assessment was conducted and a corrective action plan has been drafted.

5: Ensure EHR certification

To satisfy the certification requirements, physicians will need documentation from their vendors confirming the version of the EHR system they are using.

Some vendors may have older versions of their EHRs that are not certified. A list of certified EHR products is kept on the Office of the National Coordinator’s website. Physicians should monitor any upgrades to their systems to ensure that changes don’t affect the certification status.

NEXT PAGE: Documentation and security risk analysis

6: Documentation is key

Objectives requiring the generation of reports that include numerators and denominators must include supporting documentation showing the denominator is accurate and a report showing the numerator met the required threshold. Cross referencing with practice management system patient population data may be necessary to show the denominator is accurate.

The yes/no objectives relate to functionality that is turned on during the duration of the reporting period. Doctors can accomplish this by printing dated screen shots from their EHRs showing the function was turned on during the reporting period.

Because eligible professionals only need to show that certain functions were turned on, not actually used, It’s important to check multiple times throughout the reporting period that those functions are, in fact, turned on. He had a hospital client that had to return its incentive bonus when an audit revealed someone in the information technology department had turned a certain function off by accident. Because it was a function that was not used, it went unnoticed.

7: Complete a Security Risk Assessment

Experts agree the security risk assessment is one of the requirements that trip up many physicians.

A risk analysis is something all physician practices should have had in place since 2005, when the Health Insurance Portability and Accountability Act (HIPAA) Security Rule went into effect. Yet it’s a concept many are still not familiar with.

Neglecting the risk assessment can not only place physicians at risk of paying back incentive money, but they also risk a penalty from the U.S. Department of Health and Human Service’s Office for Civil Rights for not being in compliance with HIPAA.

The risk assessment is one of the most difficult requirements for physicians to understand and to comply with because it is an ever-evolving document.

Each time a change is made in the practice, or new technology is adopted, the risk assessment must specifically address it. He has seen auditors rule that a risk assessment is invalid because it did not specifically name the brand of EHR being used.

Editor's note: This article is a condensed version of a previously published cover story.