Surviving a Meaningful Use Audit
Although many providers assume that the government’s audits will be focused on large multi-specialty practices and health systems, the MU audits are touching a wide variety of providers and group practices. CMS has indicated that 5-10% of providers who attest will receive either a pre-payment or a post-payment audit.
For example, Dr. Linda Hughes, a solo-family medicine physician in Fayetteville NC, was looking forward to receiving $12,000 for her second year of the EHR Incentive Program. Instead, her administrator opened an e-mail one day last April to find notification of a pre-payment audit. Dr. Hughes had done her homework – selecting a certified EHR, changing her workflows to accommodate all the Meaningful Use criteria, generating Meaningful Use reports to monitor her progress and completing the attestation on the CMS Website. Like many providers, she had not read the fine print about the potential for audits and a requirement to keep all documentation for at least 6 years following the final EHR Incentive payment.
After confirming that the audit notification from CMS contractor Figliozzi & Company was indeed legitimate, Dr. Hughes’ practice administrator enlisted the help of a field expert at MSOC Health and the EHR vendor, Care 360. Dr. Hughes had saved the confirmation from CMS regarding the initial Registration and second year Attestation, as well as a paper copy of the MU Measure report from her EHR system. Working together, we set about augmenting this with screen shots, vendor material, and a concise explanation that justified the response for each measure in the Attestation.
Getting Help From Your EHR Vendor
The audit notification email specifically requested a copy of the license agreement or invoices showing the EHR Vendor Name, Product Name and Version used during the attestation reporting period. Dr. Hughes used a cloud-based Software-as-a-Service product with versions that were upgraded from her initial purchase and throughout the reporting year. We obtained a letter from the EHR vendor identifying the implementation date for each version from the initial install date through the end of the attestation reporting period.
Fortunately, Dr. Hughes did have the EHR report that provided numerators and denominators for all numeric measures. That report listed the EHR, the physician, the reporting dates (matching the attestation reporting period) and the date it was generated. If the vendor name had not been listed on the report, we could have submitted screen shots of how the report was generated to verify that the report came from the certified system.
However, Dr. Hughes had not kept the EHR report that provided the numerators and denominators for the Clinical Quality Measures. With assistance from Care 360, we regenerated this report using the same start and end date as the attestation period.
Documenting the Yes/No Measures
Several of the Core and Menu Meaningful Use Measures require a Yes/No response. To justify your Yes response, some type of documentation is required. For some measures, we provided screen shots of the setup screens showing that the function was ‘turned on’ for this provider. For others, we provided screen shots showing the function in actual use. Be sure to use a Test Patient or white out any confidential patient information that might be on the screen when you copy it. We copied these screen shots to a Word Document and added text explaining how the function met the specific MU Measure and a statement that it was operational during the full reporting period.
For the two public health Menu Measures, we went to the Public Health Department’s website and found pages and statements that confirmed that electronic submission was not yet available. The printout of these web pages became our documentation for these two measures.
We located the Security Risk Assessment, which had been completed as a HIPAA requirement but was not stored with the Meaningful Use documentation. The auditors specifically requested the written Security Risk Assessment. It is important to note that a written Security Risk Assessment is required for each reporting period, and must clearly identify the completion date, which must be within the reporting period. If you are attesting to your first year of Meaningful Use, the Risk Assessment may be completed anytime within the 12-month period prior to the end of your 90-day reporting period. If deficiencies were identified in the Risk Assessment, you must include documentation on how and when these deficiencies were corrected, and all corrections must have been completed within the reporting period. Meaningful Use auditors appear to be focused on ensuring that a Security Risk Assessment exists, that it was done in the proper timeframe, and that deficiencies were addressed in a timely fashion.
What if the EHR Reports are Wrong
Clinical Quality Measures must be reported to CMS exactly as they appear on the EHR report, even if you believe that the EHR report is inaccurate. You should definitely discuss possible inaccuracies with your EHR vendor, but the HITECH law requires Clinical Quality Measures to match exactly to the report. Note that reporting denominators or numerators of zero is acceptable for Clinical Quality Measures.
If the MU Measure report from the EHR does not match the numbers you entered into the attestation website, you need to provide details about the source of the data you reported and any calculations you made. We constructed a document that went through each Measure and identified whether the data came from the MU Measure Report or detailed an alternate source. Here are a few scenarios where you might need to enhance your documentation above and beyond what appears on the MU Measure Report:
Scenario 1: The provider sees patients at two different locations, each of which has a different EHR. Generate the MU Measure report from each system; for each measure, add the denominator from each system and report the combined total as the denominator for that measure on the attestation website. Do the same for the numerator. Provide your spreadsheet showing the data from each system, summed and matched to the number to which you attested.
Scenario 2: Many of the MU measures allow you to select whether you are reporting on all patients seen during the reporting period, or only those whose records were maintained in a certified EHR. If you choose the former, you will need to document the numbers that you added to the MU Measure report from the Certified EHR. This might come from a Practice Management System (total patients seen), or from a registry program, or possibly from some sort of manual tally sheet. The method does not have to be sophisticated, but the auditors will be looking to see that you can justify where your final numbers came from.
Scenario 3: One of the most difficult measures for many providers to meet is providing a Clinical Summary to 50% of patients seen. Perhaps patients were notified that they could pick up the Summary in 3 business days; or perhaps the MU report required multiple additional clicks to appropriately record that the Clinical Summary was handed to the patient. Instead of relying on the information from the EMR’s MU Measure report, you may be able to use other EMR or Practice Management reports to calculate the total visits (denominator) and the number of visit notes that were closed or billed within 3 business days (numerator). You would include, in your documentation, both written descriptions of the processes used to provide Clinical Summaries to your patients and the specific reports used and calculations made that generated the numerator and denominator that you reported.
Scenario 4: If you have identified in the attestation that you are excluded from a specific measure, include in your documentation a statement about why you meet the exclusion. For example, if you consider vital signs outside your scope of practice, you might provide a statement about why services provided at your practice do not require height, weight and/or blood pressure.
Of course, the best practice is to compile all the documentation at the time that you do your attestation and file it away. It is clear that ANY provider can receive an audit, and you will want to be ready when that letter shows up on your desk. There should be nothing to fear for those practices that have completed the MU attestation accurately and with careful attention to detail. However, like anything new, the instructions may be incomplete, and the time to clarify them is not during an audit! The EHR Vendor and a knowledgeable consultant can provide critical assistance to busy practices that are navigating these new regulatory requirements.
For Dr. Hughes, we submitted the requested documents within the 30 day window. She received an email requesting clarification on a couple of points in early June and responded promptly. Finally, in early August, she received notice that she had passed the audit and would finally be receiving the $12,000 bonus payment for Year 2. With the assistance of Care 360 and MSOC Health, we survived the audit process and are now on to Stage 2!
Find more details about Audits and Required Documentation in this CMS Fact Sheet: www.cms.gov.