The security risk assessment has been a major pain point for healthcare organizations since the beginning of the audit program.
- Drew Memorial Hospital in Monticello, Arkansas is celebrating a successful appeal of its failed meaningful use audit today, but not all healthcare organizations that have undergone the process are about to break out the cake and party hats. Jim Tate, a meaningful use consultant from EMR Advocate who helped Drew Memorial through its trials, told EHRintelligence that the failure rate for Stage 1 meaningful use audits is around 5% for eligible hospitals and 22% for eligible professionals.
In mid-September, Drew Memorial CEO Scott Barrilleaux revealed that insufficient documentation about their security risk assessment prompted CMS to ask the organization to return more than $900,000 in EHR incentive payments from two years of participation in the program. Barrilleaux stated at the time that Drew Memorial was already filing their appeal paperwork, and enlisted Tate to help them. They learned on October 20 that their appeal was successful, Tate said, and that the hospital will keep its incentive payments. “It took probably less than two weeks before they heard, so now they don’t have to have anything recouped,” Tate said.
The security risk assessment has been a major pain point for healthcare organizations the beginning of the audit program. Early in 2013, Rob Anthony, Deputy Director of eHealth Standards and Services at CMS, even flagged the risk assessment as an area where providers would be getting themselves in trouble, and it looks like an accurate assessment.
“A big part of the audit failures come from the security risk assessment,” Tate said. “Hospitals are generally more likely to do something about it. But if you have a small practice, you might not understand what that really is. When you attest, it just asks if you did it, and you check either yes or no. But then if you get audited, they’ll ask, ‘Where is it?’ You can’t just say, ‘Well, I thought – I don’t know – I didn’t understand that.’”
Read More: Meaningful use audits: What you need to know
CMS is understandably tight-lipped about its auditing processes, but Steve Spearman of Health Security Solutions went so far as to file a Freedom of Information Act request to get access to data on how many audits were being conducted and how many organizations were failing them. Figliozzi & Co., the firm tapped by CMS to conduct the audits, has completed 613 post-payment audits of hospitals and more than 8,000 audits of eligible professionals. CMS had originally projected a target of auditing about 10% of healthcare organizations.
While data on the number of successful appeals is not currently available, Tate himself has represented several organizations that had their failure decisions overturned. The appeals process is simple, he says, but nearly entirely opaque.
“The one thing that’s different with the appeals process is that you get one shot at it,” Tate said. “With the audits, you know who you’re dealing with. If they tell you they need more information, you can provide that for them before they make their determination. With the appeal, you get one shot. You put your best documents together and try to make them as simple as possible, then you put them into an email address and hear back one way or the other. There’s no leeway at the appeal level.”
“They’ll never tell you why they reversed the appeal, but we did add additional documentation and presented it in such a way that we convinced them that we met the requirement,” he added. “We just tried to make it as simple as possible so it would be clear. If someone has no security risk assessment, and they appeal that…well, there’s no way they are going to be successful. But you just have to make your best argument and find any possible documentation that might be relevant and appropriate.”