Are MU Audits Causing Nightmares for CIOs?

Besides serious time and resource commitment, every “Meaningful Use” audit results in a lot of stress. Healthcare enterprises heave a sigh of relief after passing an EHR Incentive Program audit, assuming they don’t have to bother anymore as they have proved their meaningful use merit to the Centers for Medicare & Medicaid Services (CMS). But that is clearly not the case. Ralph Johnson, chief information officer of rural Franklin Community Health Network, in Farmington, Maine, has attracted the attention of CMS for the second consecutive attestation period.

Considering that these audits are random, he figured he was done with his turn last year. However, this is the second time in a row that that he has received another notification, indicating that it is not totally uncommon for healthcare enterprises to face a second meaningful use audit. Jeff Smith, director of federal affairs at CHIME, said the CIO trade organization doesn’t have data on frequency of audits, but pointed out that they were 94 facilities who received audit requests in a 2013 survey. Smith also mentioned that there were other hospitals to have been audited twice from the CMS auditors, once from Medicaid (state-based) and one more from HHS OIG.

Does CMS have any audit specifics?

Of those providers attesting for meaningful use, at least 5 percent are likely to undergo a CMS audit, with half of those being subjected to a pre-payment audit. Additionally, detailed documentation is an absolute necessity as CMS wants to ensure that providers are using certified EHR technology, take a closer look at MU reports for core and menu attestation data, and check copies of security assessments.

While CMS won’t actually discuss specific audits, a spokesperson did provide some information related to the incentive program. According to CMS, the attestations submitted during and after January 2013 by Medicare providers may have to endure pre-payment audits. These pre-payment audits will include random audits, as well as audits that target anomalous data. CMS also stated that those providers selected for pre-payment audits will need to provide supporting documentation to validate the submitted attestation data before releasing payment. CMS will continue to conduct post-payment audits during the course of the EHR Incentive Programs. All providers selected for post-payment audits need to submit supporting documentation to validate their submitted attestation data.

Are you prepared?

Of those providers attesting for meaningful use, at least 5 percent are likely to undergo a CMS audit, with half of those being subjected to a pre-payment audit. Additionally, detailed documentation is an absolute necessity as CMS wants to ensure that providers are using certified EHR technology, take a closer look at MU reports for core and menu attestation data, and check copies of security assessments.

While CMS won’t actually discuss specific audits, a spokesperson did provide some information related to the incentive program. According to CMS, the attestations submitted during and after January 2013 by Medicare providers may have to endure pre-payment audits. These pre-payment audits will include random audits, as well as audits that target anomalous data. CMS also stated that those providers selected for pre-payment audits will need to provide supporting documentation to validate the submitted attestation data before releasing payment. CMS will continue to conduct post-payment audits during the course of the EHR Incentive Programs. All providers selected for post-payment audits need to submit supporting documentation to validate their submitted attestation data.

Handling MU Audits Twice

Johnson feels that the random MU audits are not really random, bringing a tremendous amount of make-work and sleepless nights. However, on the other hand, having already gained some first-hand experience the first time around, the second time audit preparations can be completed quickly. Being audited for the second time, he adds that the other advantage is that the hospital’s auditors are happy as they don’t have to worry about putting a reserve in case there is an audit. Believing that he had the right formula to satisfy them, Johnson also stated that the auditors were not actually evaluating his responses but rather looking to check if an issue was identified and addressed.

Stay Prepared

With the likelihood of audits increasing, it is best to always stay prepared. After submitting for attestation, the auditors can knock on your door at any time. Either, prior to or after receiving the incentive payment – an audit can occur anytime up to six years. It is thus best to be prepared and ensure that your documentation and your enterprise are in order. What will also prove beneficial is the adoption of a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC that can help organizations remain continually secure and compliant. The meaningful use assessment in Aegify SecureGRC will help sail through these audits very smoothly. Aegify SecureGRC provides has a built-in repository for policies, best practices and citation guidance with quick access to documentation and evidences from a central repository for pre/post audits, making the whole process simple and efficient.