Although an old adage cautions us against making assumptions, in the case of meaningful use audits, it's a good idea for medical practices to assume they will be audited.
An old adage cautions us against making assumptions, and that’s certainly sound advice. But in the case of meaningful use audits, it’s a good idea—and even recommended—for medical practices to assume they will be audited.
Melissa Goldman, an attorney with the Florida Health Law Center, says that the Centers for Medicare and Medicaid Services is not only ramping up its efforts at auditing, she cautions that the penalties for failing an audit are costly.
“In 2011, the CFO of a hospital that has since closed its doors, attested that the facility had met meaningful use stage 1,” Goldman says. “The hospital was audited in 2013, all the way back to 2011, and, in fact, the hospital had not met meaningful use stage 1. The CFO of the hospital was charged with fraud, and is looking at 5 years in jail.”
Certification not enough
Goldman explains that where meaningful use audits are concerned, it’s not sufficient simply having or using a certified electronic health record (EHR). Medical practices must demonstrate that the EHR is being used meaningfully, and that the practice is meeting all of the core objectives.
“It really has to do with what patient information you’re collecting, and what you’re putting in,” Goldman says.
One huge problem, she explains, is that some medical establishments will have an IT firm customize an EHR to better fit their established workflows. However, doing so could mean the EHR is no longer certified because CMS did not certify that particular template.
“Changing a tiny little dialogue or input box changed the way information was reported,” Goldman says. “And now the practice is in a lot of trouble. CMS can go back and attach all of your incentive payments for the year that you didn’t meet meaningful use.”
Importance of documentation
Goldman recommends to her physician clients that, where documentation is concerned, they do not simply rely on having data printed out on sheets of paper.
“Things can get lost, and you don’t know who touched or whose eyes were on that paper,” she explains.
Even a small practice, she says, should have some type of electronic system—even something as simple as an Excel spreadsheet.
“Every paper gets a doc ID number, and a checklist for the office manager, to make sure that he or she has every single piece of paper, and that every piece of paper is in the document management system,” Goldman says. “That makes it very easy for the auditors to come in and see what papers they have, what they don’t have, and it’s a lot more cost effective for the doctor to do it on the front end than to have the attorney look through three big boxes of printed out papers and not be sure who did what.”
Many of the better EHRs are now equipped with systems that automatically capture the data relating to the different objectives the practice is striving to meet. That can make the audit process much smoother.
“Medical practices need to keep track of every single objective that they’re attesting they met, and how they met it, and not be complacent and assume the system is tracking it for you,” Goldman says. “And that the data is in a PDF searchable format. So when they’re in your office, you can easily pull it up and show you’re compliant.”
Goldman stresses it is absolutely critical for physicians, not just their office managers, to be fully immersed in preparing for meaningful use audits, and to do so early on. She says every year physicians need to have documentation that they’re doing the critical quality measure reporting, and not just assume it’s happening.
“You’re required to do a security risk assessment pursuant to the HIPAA security objective,” Goldman says. “That is the biggest thing that people get smacked on during an audit. A lot of times the vendor does it, but even if the vendor conducts the security audit, you’re supposed to review it.”
She points out that many vendors, while being compliant, do not send the security audit to the doctor. Instead, the doctor has to specifically request it. Physicians should have a document showing they requested the security audit, and another document showing they reviewed it.
Lastly, don’t just assume you will be audited, conduct a trial run of an audit, so when an audit actually comes down, you’ve been there and done that.
“You want to make sure that you’re doing everything right,” Goldman says. “There’s significant money at stake. Not only could you lose your incentive payments—and if you’re a large practice or a hospital that can be a big deal—but you also have that personal liability, and you don’t want to be accused of committing fraud or making a false statement to CMS and facing felonies or jail time.”