Have you attested to ‘meaningful use’ of EHR? If so, here’s some important news for you: The Centers for Medicare & Medicaid Services (CMS) has hired a New York-based accounting firm, Figliozzi & Company, to carry out audits to determine compliance with ‘meaningful use’. Hospitals and physician practices that have qualified for Medicare EHR Meaningful Use (MU) incentives will be audited soon.
While specific details of the audits are yet to be released, a report published in April by the Government Accounting Office (GAO) proposed auditing nearly 10 percent of the hospitals and 20 percent of the physicians who have already attested under the Medicare MU program. This would mean that out of the 761 hospitals and 56,585 healthcare professionals who were awarded the EHR incentives in 2011 (an estimated $2.3 billion in Medicare EHR incentive payments), nearly 11,317 healthcare providers and 76 hospitals will be audited soon.
OberKaler, a Washington, DC-based law firm, has reported that many of its clients have already started receiving letters from the auditing company Figliozzi & Company requesting information in four specific categories:
- Copies of certification from the Office of the National Coordinator for Health Information Technology for the EHR technology which has been used to meet program requirements
- Documentation supporting the method chosen to report emergency department admissions
- Supporting documentation used to complete the attestation module for core set objectives and measures
- Supporting documentation for the attestation module responses about meeting voluntary objectives and measures.
The law firm also states that these are ‘desk audits’ where documents supporting the filings already made, such as ownership verification for the EHR system, EHR software certification numbers, EHR screenshots and reports generated by the EHR system are being requested. However, there is no evidence that on-site visits will be made by auditors.
OberKaler has also indicated that auditors may ask eligible healthcare providers for a detailed security risk analysis report, which fulfills core requirement #15 of ‘meaningful use’. Eligible practitioners and healthcare entities should note that a checklist alone will not suffice as evidence of a security risk assessment. Either a risk analysis should have been conducted during the 90-day attestation period, or a ‘review’ of a risk analysis conducted at a reasonable time prior to the attestation period should have been done. This is the core requirement under #15 and should be satisfied.
So when can you expect the audit?
Although the audits are mostly randomized, you will be given a two-week period to gather necessary and sufficient documentation to support your claims and respond to requests.
What’s your next step?
You should continue typical use of the EHR system and make sure you have enough documentation to support compliance with all core requirements of ‘meaningful use’ so that you are fully prepared in case you are audited.
If you have already attested to ‘meaningful use’ but have not conducted a risk analysis, there are only two things you can do now:
- Conduct a risk analysis as soon as you can
- Simply hope that you will not be audited
It’s time to gear up for the audits and do everything you can to prepare yourself, because the CMS audit team has stated that if any entity is found deficient on any measure, that would prove non-compliance. In such a case, CMS will recoup the entire stimulus for the reporting period in question.
So if you have not yet conducted a risk analysis, or you’re not sure whether the analysis you conducted is sufficient, you should take the advice of a security expert as soon as possible. eGestalt can help you in this regard by conducting the risk analysis for you and providing you with a robust security solution like SecureGRC, which can help you stay compliant at all times.