- “Audit” isn’t a very pleasant word for most people to hear. The fear of being caught for some little mistake or missing check box can strike fear into even the bravest of documentation experts, whether or not they have something to hide. For providers attesting to meaningful use through the EHR Incentive Program, thousands of dollars are on the line – but there’s no need to panic if you get a letter from Figliozzi & Co. Here’s a basic guide to what you need to know if you’re one of the 5% of providers selected for a pre-payment or post-payment audit.
What is CMS looking for?
The Centers for Medicare and Medicaid Services (CMS) is handing out billions of dollars to providers who reach meaningful use thresholds for quality figures during their use of an electronic health record. They just want to make sure the money is going to the people it’s supposed to go to. “As a government agency, we do an audit for anything where we’re disbursing funds,” explains Rob Anthony, Deputy Director of the HIT Initiatives Group at the Office of E-Health Standards and Services. “We obviously want to be sure that the right people are getting paid who should get paid, and that people have done what they said they did. So we take the oversight of the payment pretty seriously, and a robust audit program is really an essential component of that oversight.”
CMS is looking to make sure that the numbers you reported meet the thresholds set by the program guidelines. “For example, let’s say you attested for a measure and have a report from your EHR that said you had a percentage of 80%,” Elizabeth Holland, Director of the HIT Initiatives Group, told PhysBizTech in an interview. “Then, when the auditors reviewed it, the percentage was actually 74% percent. If the threshold for that measure is 50%, there wouldn’t be any [adverse] finding because you are still a meaningful user.” But if you reported 80% for that measure and an auditor finds your real number is 20%, that’s where you’ll get into trouble.
What is the process like?
Audits can happen both before a provider receives payment and after they get a check. Sometimes they are random, and sometimes they are conducted based on red flags in reported data. A letter from Figliozzi and Company will be sent to the provider’s email on record, and will include contact information for the audit contractor. Providers will be asked to send documentation within 14 days that supports their attestation numbers for meaningful use objectives, clinical quality measures, and payment calculations. Providers should keep these documents for six years post-attestation.
In some cases, an auditor from Figliozzi may conduct an on-site assessment, which will include a demonstration of the certified EHR system used to attest. All communications will be sent securely to and from Figliozzi, and any questions should be directed to them.
To appeal an adverse finding, providers can contact the EHR Information Center at 888-734-6433 to begin the process. Medicaid program audits will be conducted on the state level, and participants should contact their state offices for more information.
What do I need to show the auditors?
The primary document to have on hand contains the information you used to attest to meaningful use. This can be a report from your certified EHR system, or a summary of that data in either electronic or paper formats.
At a minimum, the document should contain the numerators and denominators for the measures, the time period the report covers, and evidence to support that it was generated for your specific EHR at your provider location. This evidence can include your National Provider Identifier (NPI), CMS Certification Number (CCN), or provider name. “Make sure everything is dated and that it specifically shows that it’s for you,” Anthony suggests. “I always say that providers should make a print or electronic copy of the actual report that they used for attestation so they can show those numbers when an auditor requests supporting documentation.” This is especially important if your EHR produces rolling data that may retroactively affect numbers generated during the reporting period.
One aspect of the audit that has caused widespread confusion is the security risk analysis. While the EHR Incentive Program doesn’t ask for anything beyond what providers are already doing under HIPAA, they must conduct the analysis within their meaningful use reporting period. “The requirement for HIPAA is once every two years, and for meaningful use it’s once during your reporting period,” Holland said. “People were thinking they had already done it, but they hadn’t actually done it within their reporting period.”
For more information and detailed requirements for each meaningful use objective, please refer to the CMS audit documentation guide.
What if CMS finds something wrong?
If the auditors find that you are not a meaningful user, they will recoup or not send a payment for that reporting period. Intentional fraudulent activity will be referred to the FBI and the Department of Justice for further investigation, and according to Holland, there are several open cases already.
CMS takes fraud very seriously, but is willing to work with providers to a certain extent to make the audits as unobtrusive and smooth as possible. After all, CMS wants meaningful users! That’s why the EHR Incentive Program exists in the first place. If you have your documents, your data is correct and properly dated, and you are participating in the program in good faith, then you have little to worry about.