Did you know that if your practice received an incentive payment through either the Medicare or Medicaid EHR Incentive Programs, you could be subject to a pre- or post-payment audit? Here’s what you need to know:
- For pre-payment audits: Auditors could request supporting documentation to validate submitted attestation data before releasing payment to you.
- For post-payment audits: If—based on the audit—you’re found not to be eligible for an EHR incentive payment, payment could be recouped.
Given the volume of other third-party audits to which physicians are subject these days, many forget that Meaningful Use (MU) audits are even a possibility, said Susan Clark, BS, RHIT, CHTS-IM/PW, HIT solutions executive at eHealthcare Consulting. Clark spoke during the 88th annual American Health Information Management Association’s (AHIMA) annual convention held October 16-19 in Baltimore, MD.
As with any type of audit, documentation is critical, said Clark. “It’s more than just turning in some numbers,” she added.
CMS says that eligible professionals should retain all relevant documentation that supports attestation data for Meaningful Use objectives and clinical quality measures. They must keep this information for six years’ post-attestation.
In addition, practices don’t have a lot of time to respond to an MU audit. More specifically, they must respond within 14 days for a Medicaid MU audit and within 30 days for a Medicare MU audit.
Being ‘Audit Ready’
The best way to prepare for an MU audit is to build an audit readiness file with data that supports all information entered during attestation, said Clark. She gave the following examples of data that physicians can sometimes overlook and thus not retain:
- Medicaid eligibility data for the specific reporting period. Run and save this report at the time of attestation.
- Proof of certified EHR technology (CEHRT). Clark says your EHR contract may suffice. Another option may be to obtain a letter from your EHR vendor that includes your start date, product name/number, and vendor certification number at the time of attestation.
- Evidence that you’ve recorded more than 50% of patients in CEHRT. A personal attestation letter may suffice, she said.
- Detailed reports for calculated measures (i.e., those measures using numerators and denominators). These reports must be generated using the CEHRT, and they must include the provider’s name, reporting period, and ideally the EHR vendor’s logo, said Clark. Run these reports at the time of attestation. “You need that report to reflect what you attested to,” she added. Practices that assume they can archive data when switching EHR vendors—and then pull reports from that archived data—may find that reports are ultimately inconsistent with what they used for attestation purposes. This is a red flag for auditors, she said.
- Screenshots for various aspects of attestation. This includes:
- Non-calculated measures. Screenshots should denote the dates during which the functionality is available, enabled, and active, said Clark. These dates should span the entire reporting period.
- Evidence that a test exchange of key clinical information (successful or unsuccessful) occurred with another provider of care.
- Evidence to demonstrate a test submission to the registry or public health agency (successful or unsuccessful). What information did you submit? If you excluded information, what did you exclude and why?
- Proof that the practice performed a security risk assessment of the CEHRT. This analysis must occur prior to a practice's attestation. Documentation should include the following: Procedures performed during the analysis, audit results (including mitigation of at least one item found), date of the audit, and name of the individual completing the audit. Clark recalled one practice with which she worked that produced several invoices for some work it had done to its IT infrastructure, assuming this documentation would satisfy the requirements for a security risk assessment. “I said, ‘No that’s not your security risk assessment. It’s great, but you need more than that. This needs to be done every year,’” she said, adding that the risk assessment is often the most common reason why physician practices fail an MU audit.
MU Audit Tips
Clark also provided the following general tips to help physician practices stay on track with MU audits:
- Identify someone within the practice (e.g., the practice manager) who can receive and respond to MU audit letters immediately. Figliozzi and Company sends letters for MU Medicare audits. States and their contractors perform audits on Medicaid providers. Contact your state Medicaid agency for more information, said Clark.
- Remember the six-year retention requirement for MU attestation documentation. This includes any documentation regarding hardship exemptions.
- Use various storage media to retain documentation. This includes mobile media, electronic desktop files, paper files, and cloud-based files.
- Ensure that more than one individual has access to MU attestation documentation. Clark said she worked with one practice that had only maintained paper files for MU attestation—and only the practice manager knew where that information was located. When the practice manager left her job, nobody could find the information.
Don’t Raise a Red Flag
CMS doesn’t disclose how or why it chooses certain providers for an MU audit; however, Clark said these factors probably contribute to the likelihood of selection:
- Skipping program years, or only attesting once
- Numerator values of zero
- Denominator inconsistencies
- Previously-failed audit
Practices that take the time to maintain an audit readiness file will have far more success with these audits than those that don’t, said Clark. If a practice is scrambling to compile information when an initial audit letter comes in, there may not be a positive outcome, she added.
Watch for more in our ongoing blog series on AHIMA.