Think the chances of getting a meaningful use audit are slim? Tell that to the folks who lost their job for doing it wrong, or folks at the four-hospital Scripps Health, who, all told, have undergone 11 meaningful use audits to date.
Tony Panjamapirom, consultant at The Advisory Board Company, said successfully preparing for -- and surviving -- an audit also comes down to seeing audits as a "serious need, rather than a threat."
At the end of the day, he pointed out, proper preparation can save a healthcare provider or hospital money, as it can help protect or defend incentive payments in addition to preventing payment adjustments. It can also potentially save your job.
Panjamapirom cited the case of Detroit Medical Center's Chief Medical Information Officer Leland Babitch, MD, whose employment was terminated after it was discovered the hospital could have to pay back a potential $14 million in EHR incentives. Ultimately, auditors concluded the hospital was not at fault and would not be required to pay back any incentive money, but the damage had already been done.
"My name was at the bottom of those attestations," said Babitch, speaking at a HIMSS physician's symposium back in March 2013. "The biggest unintended consequence of meaningful use, in my instance, was that I lost my job."
In another case, Health Management Associates – which operates 71 hospitals – back in November, announced it was returning $31 million in improperly claimed electronic health record incentive payments, for hospitals that did not meet meaningful use requirements as originally claimed.
That September, both HMA's chief financial officer and senior vice president of finance announced their resignations, which were also a result of earlier criticism over their handlings and questionable financial practices.
Although financial error was discovered via an internal review, Panjamapirom pointed out this would have undoubtedly come up in a meaningful use audit as well, had the company not discovered the discrepancy first.
Another incident is what transpired at Shelby Regional Medical Center in Texas earlier this year. The former chief financial officer at the hospital was charged with healthcare fraud violations after falsely attesting to CMS for meaningful use incentive payments. The hospital received $785,655 in wrongfully claimed payments.
This, as Panjamapirom said, appeared to be more of a deliberate case, but nonetheless all these details would emerge if say, a meaningful use audit headed their way.
And these audits are expected to increase.
"We could expect from these activities that the vigor and the frequency of the meaningful use audit will increase," said Panjamapirom.
"After you hit the submit button for attestation, the auditor can come knock on your door at any time before or after you received the incentive payment, and remember that they can audit you up to six years. It's critical because it determines how long you need to keep your support documentation in place."
Doing it right: conducting a mock audit
The four-hospital Scripps Health in California, who has undergone 11 meaningful use audits to date, say proper preparation proves integral to survival.
At least one in 20 MU attesters will undergo a meaningful use audit, of which 50 percent will undergo a pre-payment audit, according to the Centers for Medicare & Medicaid Services.
"We've had prepayment audits. We've had post payment audits, and we've had those CMS mini audits," said Joanne La Grange, director of the meaningful use program at Scripps, speaking to a HIMSS14 audience.
Add to this the fact that all 11 of these audits have occurred in the last nine months. "Auditing is escalating," she added, and it's a serious time and resource commitment, so best be prepared, which is why she and her Scripps team conduct mock audits to ensure their house is in order come time for the real deal.
"This gives you an opportunity to develop a systematic approach so that you can respond in a timely manner," added La Grange, who said Scripps was given four weeks for post/pre-payment audits and two weeks for the limited audits.
[See also: Preparing for a meaningful use audit.]
Thus, the first step of developing a successful mock audit comes down to creating a book of evidence, which needs to be developed prior to attestation. This "book," La Grange pointed out, should be stored on a secure device with limited access. Part of this step involved systematically organizing folders and using different media types, like recorded demonstration.
"For every core and menu objective, we have screenshots, and we have a standardized template, but we came across a challenge in trying to show that we had enabled the drug formulary check for the entire reporting period," said La Grange. "Our solution was recorded demonstration."
Their pharmacist developed a script, then identified the key points he wanted to highlight, proceeded to use WebEx, which was ultimately converted to a Windows Media file and voilà. They used a test patient in a live environment, with all the protected health information eliminated. The entire recording was less than two minutes long. "It is an effective way to demonstrate compliance," La Grange added.
"First, we have all of our recommendations and key decisions along with accountability and rationale to support our decision," said La Grange. “This makes us feel very comfortable knowing that we could be audited at any time in the next six years."
The next part in creating the book of evidence is crucial, she opined. After thinking they were all set and covered for their mock audit, the folks on Scripps' internal audit team came back and recommended that La Grange and her crew reach out to the system's legal counsel on the subject of vendor agreements. The legal counsel eventually advised La Grange to ask their vendors if they would give the green light to share the vendor agreement, as they often have "a certain level of confidentiality." Turns out, it was a good thing they asked.
"Neither of our two key health information system vendors wanted us to share their agreements," said La Grange. "Instead they preferred that we use a vendor supplied letter."
So bottom line? Go back and check.
The second step of developing a mock audit program involved clearly defining the role of the internal audit, which should operate as an independent function.
Next, it was a matter of developing guiding principles for their process. This, La Grange said, involved establishing a single point of contact for the CMS auditor to deal with, that way you're eliminating the possibility of providing conflicting information, she said. Part of Scripps guiding principles include only providing specific information requested, logging all communication with the auditor, de-identifying patient data and ensuring all relevant documentation is maintained at least six years following attestation.
Then, La Grange and her team created audit-tracking tools, essentially a checklist of items to be done and audit request forms.
Next, it's about clearly defining stakeholder and roles in the audit process.
[See also: What not to do in a meaningful use audit.]
"We found it helpful to compartmentalize the roles," she said. "There are some participants who really need to be actively involved in the process, where others just want to keep the finger on the pulse of our progress." At Scripps, there were three key roles, La Grange pointed out: mock auditor, key audit contact and internal audit role.
Now, you're ready for the mock audit. La Grange recommends doing this part in two phases, with the first phase including proof of certified EHR, source documents, summary report, evidence report, security risk assessments and procedures performed during the risk analysis.
The next phase included core and menu objectives with thresholds, with the supporting documentation in addition to attestation measures.
The final step, La Grange said, is just a matter of incorporating lessons learned and examining feedback.
Ultimately, these mock audits "took some of the organization's fear away from the real audit, added La Grange. "When we got our first audit request, our heart rate went up. I'll admit it, but we got out our audit tracking tools, and we followed our pre-defined methodology."
