Surviving a ‘Meaningful Use’ Audit

The preliminary results of the ‘Meaningful Use’ audits conducted by the Centers for Medicare & Medicaid Services have indicated that healthcare providers are having trouble substantiating their attestations, and are especially facing issues with documentation. Robert Anthony, deputy director of the Health IT Initiatives Group at CMS’ Office of e-Health Standards and Services, mentioned in an interview that Electronic Health Record (EHR) systems should provide audit logs to let users record when they began tracking a measure, in order to substantiate the time period. But the EHR systems in some entities failed to do this.

Moreover, while some entities use systems that generate reports based on a snapshot in time, others have ‘rolling systems’ that cause numbers in the EHR to change after the entity has attested. In these cases, a copy of the original report has to be kept to substantiate the numbers used for attestation. While this is one of the concerns, there are also many other issues to be considered and steps to be taken while preparing for the Meaningful Use audit.

How to Survive a Meaningful Use Audit

Although only a small percent of healthcare entities will go through the Meaningful Use attestation audit, all healthcare entities should bear in mind that even a single attestation misstep could result in loss of the entire incentive payment. This is a major concern for a number of healthcare CIOs, and is one of the main topics addressed by the attendees at the CHIME13 CIO forum in Scottsdale, Arizona recently. Elizabeth Johnson, Vice President of Applied Clinical Informatics at Tenet Healthcare Corporation, and Pam McNutt, Senior Vice President and CIO at the Methodist Health System in North Texas provide 5 steps to survive the Meaningful Use audit:

1. Preserve the Data. Meaningful Use audits may go as far back as six years. So entities should have preserved data over all those years to support attestation claims. It is therefore important to protect data at all costs. Entities that have an aggressive purge criteria to save disc space, should be careful not to do away with all the data that may be needed to prove Meaningful Use. It may also be helpful to configure EHR systems ahead of time in such a way that patient records and audit logs contain everything the auditors may seek.
2. Plan in Advance. Logs and system settings should help produce the required data when needed. Moreover, in order to make documentation easier, the vendor’s name and software version should be on the header of all the Meaningful Use reports. This can help prove that they have come from a certified system.
3. Be Prepared for Surprises. Although it is crucial to prepare well in advance for the audits, it is also equally important to expect the unexpected. For both Tenet and Methodist, an unexpected area of focus was HIPAA security risk assessment. While many entities may be conducting vulnerability testing and annual HIPAA risk assessment, these may not suffice for the Meaningful Use audit. The audits may also focus on the EHR technology and the version that is being used. In addition to this, the audit, the report, and the reaction to the report should all be done within the attestation time period. Hence entities should proceed with caution and be prepared for surprises.
4. Think Before Upgrading. Entities may have to prove to auditors that they have been on a certified release the entire time. But some entities get tripped up with this during the upgrade cycles thinking that all that is needed is to be on the certified release before running all the reports. But this is not the case, because they have to prove with screenshots showing the date on which the certified EHR technology went into production. And this date has to be on or before the date of the attestation period.
5. Proceed Quickly. Once the Meaningful Use audit notice is received, entities have two weeks to respond and send documentation through an online portal. But it is important to be ready to file in less than two weeks because there is no guarantee that the notice will reach the right person. There have been cases where the notice had been completely overlooked. So entities should prepare all employees to recognize the audit notification, and understand the importance of taking quick action by alerting the right person.

While these steps can be extremely helpful in facing the Meaningful Use audits with confidence, what will also prove beneficial is the adoption of a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC which can help organizations sail through these audits very smoothly. Aegify SecureGRC provides quick access to documentation and evidences from a central repository for pre/post audits. This significantly eases the audit process.