Meaningful Use EHR Audits: When, Not If

Regardless of how much clinicians complain about their EHRs, if a hospital or medical practice accepts federal money to put them in place, it must prove it's using these electronic tools in a meaningful way, as defined by the Centers for Medicare and Medicaid Services. "When you pay $21 billion for a government program, you have to conduct appropriate oversight," Robert Anthony of the CMS said at the Healthcare Information and Management Systems Society (HIMSS) 2014 conference.

The CMS is performing pre-payment and post-payment audits on 5-10% of healthcare providers, choosing some of them randomly and others based on a CMS risk profile of suspicious or anomalous data. It's easy to get complacent when there's only a one in 10 chance of being audited, but that statistic is misleading. If 10% of all incentive recipients are audited in 2014, another 10% in 2015, and so on, eventually your organization will be targeted. As Tony Panjamapirom of the Advisory Board Co. put it in a separate HIMSS presentation: "I encourage you to think of the Meaningful Use audit as a matter of when you will get audited, not whether."

That Advisory Board Co. presentation, available on the HIMSS 2014 website, also pointed out the serious consequences of not taking the attestation and audit processes seriously. Panjamapirom explained that one provider was required to return $31 million in MU incentive payments because of an error in the EHR application it was using. Several high-level executives lost their jobs in the process. An independent report said Detroit Medical Center let go its chief medical information officer for similar missteps.

Be prepared for the audit
If the CMS decides to audit your organization, you will probably get an initial letter from Figliozzi & Co., the contractor the government has hired to conduct the vast majority of audits. Expect the letter to come electronically from a CMS email address.

The review will be conducted using information you provide in response to this request letter, but in some cases, the auditors will also conduct an on-site review and ask for a demonstration of your organization's EHR system.

One of the keys to passing a Meaningful Use audit is good documentation, which, by the way, needs to be retained for six years after attestation. That means holding on to the primary report generated by the EHR system, assuming that report was the basis for the attestation statement your organization submitted. That report should show the reporting time period for the attestation and the numerators and denominators for the quality control measures documented in your request for incentive payment.

For example, in Stage 2 of the MU program, providers must send a summary of patient care records for more than 50% of transitions of care or referrals. The denominator to meet this quality measure is the total number of transitions and referrals that occurred during the reporting period, while the numerator is the actual number of case summaries sent electronically to other facilities or clinicians. The numerator and denominator translate into a percentage the CMS is looking to confirm.

Also, keep in mind that numerators and denominators must match the numbers submitted on the CMS attestation form. That requirement may seem simple, but Anthony says you'd be surprised at how many providers have in-house documentation that doesn't match the numerator and denominators originally submitted to the CMS. One reason is that some EHR systems report these figures as snapshots, while others provide rolling totals. In the latter case, the system's tally changes as more data is entered. So the number of patients who received an electronic summary of their medical care when you submitted your initial attestation statement to CMS on May 2, 2013, for instance, will have increased by the time you saved a copy of the EHR tally on Sept. 2, 2013 -- thus the discrepancy.

The report must also show that it was generated for your individual organization. That is, it should include the National Provider Identifier, or CMS certification number, as well as your organization's name.

Some of the quality measures in the CMS regulations don't involve percentages but simply require your organization to answer Yes or No on its original report. In situations like this one, you'll need a different kind of documentation to verify that you've followed the rules.

For example, the MU program requires providers to prove they have the ability to share clinical data electronically with another care provider that has a different EHR system -- to prove the organization's interoperability capabilities. A CMS tip sheet on how to handle this type of documentation recommends "dated screenshots from the EHR system that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care during the reporting period."

The prospect of an MU audit needn't keep healthcare IT managers up at night, but if you hope to survive the process without having to pay back the incentive dollars, your organization must organize the necessary documentation long before it gets that dreaded CMS letter.