As an associate at Ober|Kaler, Joshua Freemire has advised clients in the healthcare industry (e.g., hospitals, physicians, pharmacies) to manage their compliance with government mandates and protocols such as the Health Insurance Portability and Accountability Act (HIPAA). Recently, Freemire and his colleagues have responded to some of their clients’ receipt of letters from Figliozzi & Company, the firm which serves as the Centers for Medicare & Medicaid Services (CMS) auditor for the Electronic Health Record (EHR) Incentive Programs.
As with any other government program, doing business with federal or state governments isn’t without a catch. Along with his Ober|Kaler colleague James Wieland, Freemire broke the news that audits of meaningful use incentives have indeed begun although information about the process is still scare, advising recipients of EHR Incentive Program payments to maintain proper records in anticipation of a potential audit.
With little official information about the audits available at this time and many wondering if they’re next, we connected with Freemire to see if we couldn’t glean a little more information about the process and preparation necessary to comply with requests for attestation documentation.
What is your role in the EHR Incentive Program auditing process?
We are attorneys and we represent providers who are involved in the EHR Incentive Program. As part of that representation, both folks that we represent and other folks in the industry, we became aware of the fact these audits were happening
How frequently are these audits taking place?
It’s difficult to say right now because there’s no organizing reporting or a structure announcement of the program. What we have heard thus far is just that — we have heard. We’re aware of several providers who have received letters, we’ve seen examples of the letters, we’ve spoken with some folks at the auditing firm, but what we have not seen is any kind of structured announcements. When HIPAA audits were pending, for instance, CMS announced in advance how many providers would be audited, when they’d be auditing, who would be handling the auditing — all those types of things. This program came about a little differently in that most people found out about it only after they had received letters or heard about someone receiving a letter.
What has CMS had to say about the audits?
CMS as a government agency isn’t always free to respond to inquiries from attorneys. We did reach out to the auditing company; we talked to them a little. Basically what we learned we laid out in that article: how the audits will be conducted. As far as we’re able to tell, they’re going to be desk audits. At this stage we haven’t heard anything about auditors arriving at a facility and demanding to review records onsite or anything similar to that. They’re just asking for documents to provide basic back-up for filings that were already made.
How are recipients of these letters responding to them? Are they surprised?
Anytime a provider sees an audit letter they’re a little surprised. In some circumstance (for instance, in the HIPAA audits), it was helpful that CMS notified everyone that these were coming. Everyone who’s been involved in the EHR Incentive Program was aware that audits were authorized and could happen, but they were surprised timing-wise. Anyone who has received these letters would have been surprised that they were selected since they didn’t know that they were coming, didn’t know how many folks were going to be selected, and whether this was common or uncommon or indicates something they’ve done wrong.
Are there any similarities between recipients of these letters?
We don’t necessarily have a large enough sample size to get into that. To the extent we did have some kind of knowledge about that, some of that information is a result of relationships we have with our clients.
What can be done to improve the situation?
It would be helpful for providers if CMS had been a little more transparent about this process, just because they can ease confusion if there’s some official statement about what they’re really looking for and how many folks will be selected and how common these will be and how extensive they’ll be. It removes a little of the mystery for providers. We expect that as the program goes on they’ll address those issues.
What kind of information do we have even less information about?*
One of the things we were careful about not saying in the article was we don’t have any information about individual eligible professionals who have received letters. As far as it is right now, it’s hospitals that are receiving them. That isn’t to say that they haven’t received them, but that we haven’t heard about that. It’s something to keep in mind: If hospitals are receiving them, we expect that eventually eligible professionals will as well. But without any guidance at CMS, you can’t make any statement about that.
It’s not very likely that EPs will be prepared as prepared as hospitals to handle an audit, correct?*
That’s exactly true. It may very well be that CMS has chosen to start with institutional providers for exactly that reason. They will have a procedure in place to respond; they will have people they can dedicate to respond to these. Obviously, the money at stake with the large hospital is radically larger than that for an individual professional. They’re more high-value targets for CMS. I don’t want that to come across that we can any kind of maliciousness from these audits; in fact, it’s been exactly the opposite. It’s a desk audit; they’re checking some things out. To the extent that there’s going to be further target audits, these are not them.
*Editor’s note: Since our interview with Freemire, he notified us of the following: “We have heard that eligible professionals are also receiving these audit requests, and that they are similar in scope (though not exactly the same). Right now, those are all the details we have.”
Have you seen vendors making themselves available as a part of these audits?
We haven’t. That being said, a lot of what is requested is backup information. Beyond that, there wouldn’t necessarily be. When you attest, you attach certain printouts and records from the EHR system. It’s our understanding that these audits, although they’re at a ten-thousand-foot level, they still want to go behind the information that is submitted as part of the attestation process.
Isn’t it a touch ironic that paper documents are necessary to prove an electronic system?
We’re in that transitional period in a technological universe, unfortunately.
Do we have any indication of how long the auditing process will take?
We don’t. And that’s another problem that’s arisen from not really having clear guidance from CMS. It’s not clear how long these will take. It’s clear if these initial requests will be the only requests or if there will be follow-ups. It’s not clear if some of the providers in this group will be selected for future scrutiny or more detailed document requests. There is really not at this stage a whole lot to say regarding the process because unfortunately there’s just been no annoucement about it or a description of it.
Will you publish more information as it becomes available?
To the extent that we learn information about the process that is not part of a privileged relationship with a client and is useful to our broader group of clients and interested parties out there, we’ll certainly publish that. That’s part of what we do here.
What further advice do you have for participants who may be audited?
I would give them the same advice I give providers and clients beyond the healthcare spectrum with regard to a variety of these programs: You always want to maintain clear and complete records so that if you’re ever asked to justify actions, decisions, attestations, things of that nature, you can pull a file and it’s right there. The better your records, the more comfortably you can sleep at night.