Meaningful Use audits: Seven strategies to protect your practice

As of December 2013, the Centers for Medicare and Medicaid Services (CMS) had doled out more than $19 billion in meaningful use incentive payments. As the agency inches closer to its $27 billion budget, there’s evidence that it’s increasing its auditing activities. Physicians should assume they will be audited, and prepare accordingly.

CMS and Figliozzi and Co., the Garden City, New York, accounting firm contracted to facilitate the Medicare meaningful use auditing program, have not reported the number of audits that have been conducted. But many close to the auditing process say they have seen evidence of audits increasing in frequency in recent months-and that some physicians are not prepared when the auditors come calling.

“Medicare is not going to make us aware of why, neither is Figliozzi,” says David Zetter, founder of Zetter HealthCare, a Mechanicsburg, Pennsylvania-based healthcare consulting firm, and a member of the National Society of Certified Healthcare Business Consultants. He adds that, in his experience, some physicians just “aren’t doing what they attested to do.”

Attorney Clinton Mikel, JD, says he has also seen anecdotal evidence that audits are occurring more frequently. “From a policy perspective, it makes sense that [audits are] increasing because it is such a hot focus area and, frankly, it’s a way to recoup money,” says Mikel, who is a partner at the health law firm The Health Law Partners.

Medical Economics sought to contact officials at CMS and Figliozzi on meaningful use audits and whether they are increasing in frequency. CMS would not provide data on the number of audits that have been conducted. Peter J. Figliozzi, CPA, managing partner of Figliozzi and Co., said his firm is  “precluded by CMS from disclosing any information.”

The Health Information Technology for Economic and Clinical Health Act portion of the 2009 stimulus law, which created the meaningful use program, requires CMS to audit participants in the meaningful use program. It tapped Figliozzi to conduct them. Audits for the Medicaid incentive program are carried out by each state.

Post-payment audits began in 2011, when the meaningful use program began. In November 2012, U.S. Department of Health and Human Services’ (HHS) Office of Inspector General published a report criticizing CMS for not doing enough to prevent improper payments. The report recommended that CMS conduct prepayment audits to verify attestation documents.

“Doing so would strengthen [CMS] oversight of the anticipated $6.6 billion in incentive payments,” the report stated, referring to CMS’ estimate of incentive amounts to be paid out between 2011 and 2016. “Verifying self-reported information prior to payment could also reduce the need to identify and recover erroneous payments after they are made.”

CMS Administrator Marilyn Tavenner initially rejected the idea of prepayment audits, saying they would delay payments and create a burden. Despite the initial response, CMS instructed Figliozzi to begin conducting prepayment audits in 2013, to be performed in addition to post-payment audits.

These seven strategies will help ensure a smooth audit that ends with a positive result for your practice.

No. 1: Assume you’ll be audited

The best thing a physician can do to ensure an audit goes well is assume they will be audited before they attest and prepare for it.

Lynn Grigsby, MSIS, MBA,  the meaningful use services manager at the Kentucky Regional Extension Center, says she gives eligible professionals a list of documents they should retain, which are the same documents the auditors will ask for.

They essentially perform a pre-audit and keep those records on file, Grigsby says.

“That way if they are ever audited, they have everything in one spot and it doesn’t take much time,” she explains.

Because some physicians are chosen for audits at random, there is no way to completely eliminate the possibility of being audited.

“However, by verifying the physician meets the specific requirements for meaningful use program participation … and keeping records of the registration/attestation processes and documentation-for at least 6 years-the physician will have a solid foundation for responding to the audit,” says Laura Kreofsky, principal of Impact Advisors, a Naperville, Ill.-based consulting firm.

No. 2: Handle audit promptly

Complying with the demands of an audit means accomplishing a long list of tasks. But there are also things physicians should avoid doing. Getting angry at the auditors tops the list of Daniel Gottlieb, JD, partner in the Chicago-based law firm McDermott Will & Emery LLP.

“It’s obviously not helpful. Our experience has been that CMS actually wants to pay out the money,” Gottlieb says. “They want to encourage EHR use.  And, keep in mind that the incentive program was part of the stimulus bill. So if the money is not paid out, it’s not stimulative.”

It’s also important to respond right away after receiving an audit letter, Mikel says. Getting the necessary documents in order can be a time-consuming process. Auditors generally allow 14 days to respond to an audit notice.

Mikel also advises physicians not to engage the auditors on their own, outside of the document exchange. Often, physicians mistakenly believe that information presented during an offline exchange with the auditors satisfied a particular request; then they get penalized for failing to send the required documentation.

Many also make the mistake of responding to certain document requests with only a statement, according to Gottlieb.

“Auditors love screen shots,” he says. “If all the provider responds with is a simple statement that, ‘We did X, Y, and Z,’ that is not going to be adequate.”

No. 3: Physicians take charge

Many small practices leave the legwork of meaningful use to practice managers. Zetter says while it is good to have some level of trust in the practice manager or whomever is in charge of the legwork, it’s always smart for physicians to verify for themselves that the work is being done and not simply assume.

“If you don’t, that’s blind assumption. And you are taking a big chance and putting yourself at risk, as well as your entity, your corporation, whatever the case may be, and that’s not very smart nowadays,” Zetter says.

No. 4: Avoid discrepancies

The auditors are looking for discrepancies between what was submitted during the attestation process and what was actually done, Grigsby says.

Practices know they are being audited when they receive an e-mailed letter from Figliozzi alerting them to the audit. Attached to that letter will be a document request list. The process is the same for both prepayment and post-payment audits. Every physician who is
audited must produce the same documents, which fall into these three categories:

• Proof that the EHR system used to meet meaningful use requirements is certified.

• Documentation that quality measure, core, and menu objective data were accurate.

• Proof a security risk assessment was conducted and a corrective action plan has been drafted.

No. 5: Ensure EHR certification

To satisfy the certification requirements, physicians will need documentation from their vendors confirming the version of the EHR system they are using. Some vendors may have older versions of their EHRs that are not certified. A list of certified EHR products is kept on the Office of the National Coordinator’s website. Physicians should monitor any upgrades to their systems to ensure that changes don’t affect the certification status, Gottlieb says.

No. 6: Documentation is key

“Above all, it is critical physicians have an auditable source for all data used for registering and attesting to meaningful use,” Kreofsky says. “This not only includes the data presented on the meaningful use reports generated by the EHR, but evidence of all ‘yes/no’ objectives.”

Objectives requiring the generation of reports that include numerators and denominators must include supporting documentation showing the denominator is accurate and a report showing the numerator met the required threshold. Cross referencing with practice management system patient population data may be necessary to show the denominator is accurate.

The yes/no objectives relate to functionality that is turned on during the duration of the reporting period. Kreofsky says doctors can accomplish this by printing dated screen shots from their EHRs showing the function was turned on during the reporting period.

Because eligible professionals only need to show that certain functions were turned on, not actually used, Gottlieb says it’s important to check multiple times throughout the reporting period that those functions are, in fact, turned on. He had a hospital client that had to return its incentive bonus when an audit revealed someone in the information technology department had turned a certain function off by accident. Because it was a function that was not used, it went unnoticed.

No. 7: Complete a Security Risk Assessment

Experts agree the security risk assessment is one of the requirements that trip up many physicians.

A risk analysis is something all physician practices should have had in place since 2005, when the Health Insurance Portability and Accountability Act (HIPAA) Security Rule went into effect. Yet it’s a concept many are still not familiar with, says Zetter.

“I know some clients that we have followed up on after the fact come in stating they need assistance, and we find out they blatantly lied about it,” he says, adding that the client attested to having had done a risk assessment only to later admit they didn’t know what it was.

Neglecting the risk assessment can not only place physicians at risk of paying back incentive money, but they also risk a penalty from the U.S. Department of Health and Human Service’s Office for Civil Rights for not being in compliance with HIPAA, says Gottlieb.

Mikel agrees the risk assessment is one of the most difficult requirements for physicians to understand and to comply with because it is an ever-evolving document.

Each time a change is made in the practice, or new technology is adopted, the risk assessment must specifically address it. He has seen auditors rule that a risk assessment is invalid because it did not specifically name the brand of EHR being used.

View all articles in this Issue