We have written previously about the "Meaningful Use" electronic health record (EHR) initiative, which is run by the Centers for Medicare & Medicaid Services (CMS). We most recently noted that stakeholders are requesting delays in Meaningful Use Stage 2 requirements and penalties.
As a brief refresher: Under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the Recovery Act), hospitals and healthcare providers must be able to demonstrate by 2015 that their EHR systems are capable of certain tasks that constitute "meaningful use."
Currently, to receive a payment, providers must meet 19 of 24 "meaningful use" objectives that include electronically tracking patients' medications and allergies, sending reminders, sharing lab test results and producing summaries of a patient's office visit.
In order to receive incentive payments under the meaningful use program, CMS subjects providers and entities to audits to ensure compliance with the regulations promulgated by the agency. We noted back in September 2012 that CMS "quietly" began auditing providers.
"Only a small percentage of providers attesting to Meaningful Use will be audited by the government, but the outcome could be harsh, since any single shortfall will be grounds for loss of the full incentive payment, according to attorney Brian Flood with Husch Blackwell in Austin, Texas, who spoke on a webinar conducted Sept. 26, by the American Bar Association's Health Law Section."
Several of the red flags that might trigger an audit, according to the speakers, as reported by FierceEMR include:
- Elements of attestation, such as inconsistencies in numerators and denominators that should be related
- Attestation data that's inconsistent with Centers for Medicare & Medicaid Services data, such as measures inconsistent with the providers' patient mix, or local public health capabilities
- Vendor characteristics. "Some vendors are known for having issues with their systems," Zavala said. "Those systems are more likely to be subject to an audit."
5 Steps to Survive a Meaningful Use Audit
This story, written by Gienna Shaw, summarized recommendations from two leaders in EHRs: Elizabeth Johnson, vice president of applied clinical Informatics at Tenet Healthcare Corporation, which has 78 hospitals in 20 states, and Pam McNutt, senior vice president & CIO at the six-hospital Methodist Health System in North Texas. Both recently spoke at the CHIME13 CIO forum in Scottsdale Arizona.
McNutt and Johnson took audience members through the steps they took to prepare for--and survive--audits at their organizations. "Much of the work needs to be done before you even get the audit notice, starting with collecting data and making sure you hold onto it."
Step 1: Resist the Purge
Meaningful Use audits can go as far back as six years--so that's how long organizations must keep data to support attestation claims. Protect that data at all costs. While some organizations have "aggressive" purge criteria for their systems, this led to negative results because those entities had "no recourse to fall back and prove things by looking at audit logs or polling data in an easy fashion from a data repository."
In addition, Johnson recommended that entities "back up the binder" or create "attestation evidence." In other words, organizations need a copy to know exactly what they attested against and to have a "way to quickly retrieve and produce it." While much of this information may be kept in a binder on a shelf, Johnson said to put that information in a PDF so it can be quickly produced in the future.
Step 2: Plan Ahead
To prepare for a Meaningful Use audit, "ensure logs and system settings can help you produce the data when you need it, especially proof for "yes or no" attestation items, such as medication checking."
"Think about system settings ahead of time so that patient records and audit logs contain the kind of detail an auditor will seek. Logs and system settings will help produce the data when you need it ... as long as you plan ahead."
"Our vendor software was not able to show exactly when that field in our dictionaries had been flipped on and off. And I suspect that's the case with most software, because that [functionality] was not part of the certification requirement," McNutt.
"We ran reports from our audit logs to show our medication interactions and our formulary was triggering every single day for the time period ... we really couldn't prove it any other way."
"To make documentation easier, make sure the vendor's name and the software version are on the header of all Meaningful Use reports, to show they came from a certified system. When that's not available, provide screen shots showing the system name and version number to prove it was from a certified system."
"You're in a better position if you can use your vendor's generated reports," McNutt said.
"We keep all of our information electronically from the very beginning," Johnson said. Tenet created a software program to store and manage MU data for its 78 hospitals. It allows them to upload and transmit evidence directly from the program to the portal.
Step 3: Expect the Unexpected
Both Tenet and Methodist were among the first organizations to undergo Meaningful Use attestation audits--and those first days were rocky. Although Johnson and McNutt told FierceHealthIT that many of the kinks have since been smoothed out, there were plenty of surprises.
"One of unexpected areas of focus for us was that they dove pretty deeply into our HIPAA security risk assessment," McNutt said. "We learned that the audit needs to specifically mention your EHR and your certified modules."
Like other organizations, Methodist does vulnerability testing and an annual HIPAA risk assessment, but those may not suffice for an MU audit. "They want proof the audits focus directly on your certified EHR technology and the version that you're running," McNutt said.
"Additionally, your audit, your report and your reaction to the report all must be done within the attestation time period. So if you're attesting for 90 days, you need to do the audit before the end of the reporting period, she said."
Step 4: Upgrade with Caution
Although the auditors didn't dive as deeply into quality measures as McNutt expected, she did have advice for the CHIME13 audience on getting quality reports in order. "The quality metrics are not something you can compute in a spreadsheet or some other fashion. You must use the report as delivered by your certified quality metric reporting vendor … and show that to the auditors," she said.
"You need to prove you were on a certified release the entire time," McNutt added. "I know of some organizations that got tripped up with this during upgrade cycles, believing that all you had to do was be on the certified release before you ran all your reports. Well, that's not the case. You need to prove it with screen shots showing the date that your certified EHR technology went into production. And that needed to be on or before the start date of your attestation period."
"You cannot upgrade in the course of a year and say you were on that certified release the entire year. So every time you are doing an upgrade, if you're in the path of Meaningful Use reporting, you need to think about that."
Step 5: Act Fast
Once your organization gets notice of a Meaningful Use audit, "you have two weeks to respond and send documentation via an online portal. But you may not want to wait two weeks." In fact, the policy at Tenet Healthcare Corporation is to file the response and documentation within seven days, Johnson said.
"One reason to be ready to file in less than two weeks: There's no guarantee that the email notification of the audit will go to the right person--or that the right person will be in the office to get the email. Speakers and audience members told stories of emails that went to the wrong person or were almost overlooked."
Although Tenet designated a contact person for CMS to notify of an audit, Johnson received some email notices herself; others were sent directly to individual hospitals. "To guard against that problem, make sure everyone in your organization knows how to recognize an audit notification, understands the importance of fast action and knows who to alert."
"Because Tenet is such a large, geographically spread out organization, fast response time is critical. The response team includes people who are directly responsible for the Meaningful Use program, including Johnson and leaders from government relations, audit services, compliance and IT. They hold a conference call within 24 hours and then meet again the following day after gathering data and reviewing evidence to write the cover letter. The team uploads the supporting data within seven days."
5 Ways to Fail a Meaningful Use Audit
While these tips above describe how organizations can survive a meaningful use audit, below are 5 ways to fail one based off a recent article on HITECHanswers.net from Meaningful Use audit expert Jim Tate. Tate identifies some of the "worst practices" he's seen hospitals engage in, including these 5:
- Fail to put one person in charge of the audit
- Ignore Meaningful Use requirements you don't understand
- Don't document attestation work
- Blame the vendor for your problems
- Fail to conduct a security risk analysis