Written By: Scott R. Thomas

Figliozzi and Company is the designated contractor performing audits on behalf of the Centers for Medicare & Medicaid Services.  If you sought or obtained an incentive payment for either the Medicare or Medicaid EHR Incentive Program, you are subject to being audited.  A November 2012 report from the Office of Inspector General stung CMS with the conclusion that it was not doing enough to validate attestations.  This spurred CMS to ramp up its program to the point where it’s not really a question of whether you will be audited; it’s only a matter of when.

If the recipient can’t back up the attestations, CMS will recoup the incentive payment.  CMS doesn’t do partial recoupment.  Fail in one respect and they claw back all the money.  CMS may also pursue additional remedies if they smell fraud.  But don’t panic just because your number came up.  While some recipients are targeted for an audit because their numbers seem out of whack, CMS also does random audits.   The key is to acknowledge the fact you will ultimately be audited and start preparing now.

Advance preparation is critical because you typically have only two weeks to respond once you are notified of the audit.  That’s just not enough time if you wait for the mail to arrive.  Asking the auditor for an extension of the deadline implies that you don’t have your stuff in one sack.  And don’t think you can simply rely on your EHR vendor’s certification.  You are the provider and you are responsible for assuring and documenting Meaningful Use within your practice.  The good news is that there’s plenty you can get a head start on.

The first thing to do is to decide who is going to respond.  You may want to set up a team.  This is not something you want to dump on your already over-worked practice manager and forget about it.  The stakes are too high.  The doctors must be involved.  One person should be in charge so the ball doesn’t get dropped in the middle.  The Team Leader should be the sole liaison to the auditor.

The Team Leader should be the only person to have telephone conversations with the auditor.  This will minimize miscommunications.  When the phone call is over, that person should immediately email the auditor and summarize the call, e.g., “Thanks for giving us until Friday, July 15th, to get you the 2015 screen shot you requested and the documentation supporting the SRA corrective actions taken.”  Always add a catch-all such as, “Please let me know if there is anything else you need me to do that I haven’t mentioned.”  That way, you put the burden on them to tell you what they want and avoid any dispute about unfulfilled promises.  Save all the email communications related to the audit.

Put the deadline for getting the documentation into the auditor’s hands on your calendar or tickler system so it doesn’t get missed.

Then gather all your documentation to support attestation data for meaningful use objectives and clinical quality measures.  For most practices, your primary document is the report generated by your certified EHR; that generally provides the data Meaningful Use attestation.  Make sure the report on its face shows that it’s your report by reflecting your provider number, etc.  All this information has to be kept for six years so make sure it’s maintained appropriately and people know where it is.  Mark it conspicuously so no one inadvertently throws it out.   Don’t forget the electronic documentation that supports your attestation.  Store that information together.  Consider saving the data in multiple locations.  Get an external hard drive and keep a copy there as insurance against a system meltdown.

Sit down with your Certified EHR vendor.  Pull out the license agreement.  A contract with the Certified EHR vendor may suffice to prove the use of a Certified EHR.  Some vendors, however, include confidentiality requirements in their contract which may prohibit you from sharing the document with the auditors.  If your agreement has such a term, brainstorm with the vendor about how to give the auditors what they need while still honoring the agreement.

One of the best ways to prepare is to do a self-audit.  Better to iron out all the wrinkles in the tranquility of a dry run before the stress of the real event.  Put yourself in the hot seat and ask the tough questions:

  • Do you have reports from the Certified EHR vendor that validate the clinical quality measures you reported?
  • Are there any red flags at the 50,000-foot level? Do all of the percentage-based measures have the same denominator? Do the numerators and denominators match the figures you put on the CMS attestation form?  Are the figures inappropriately uniform?  For example, do all of the doctors attest with the same percentage figures?  Sniff out discrepancies and get your math right.
  • If your certified EHR doesn’t enable you to do “look backs” and show the values at any past point in time, do you have a paper or electronic screen shot of the report used for attestation purposes? Do you have screen shots from the Certified EHR during the reporting period? Do your screen shots show the level of detail needed (e.g., date, provider, name, etc.)?
  • Do you have proof of performing an adequate Security Risk Analysis per the HIPAA security rule? Did you complete it before the end of the reporting period? Do you have the documentation to memorialize the actions you took to mitigate the risks you identified?
  • If asked (for the purpose of further validating implementation), could you produce evidence of the costs incurred to train staff on the Certified EHR?
  • Is your vendor using the most up-to-date version of a Certified EHR product? Is the product you are using on the list at the Office of the National Coordinator’s website? Is there an upgrade that you haven’t obtained yet?
  • Do you have documentations to support any exclusions you claimed? This may be tricky, as you’re essentially proving a negative.
  • If necessary, would you be able to show the auditor when a particular functionality became operational?
  • The audit is likely to be done remotely but the auditor can request a site visit. The auditor can ask you to give a demonstration of your system. Do you know how you would handle that request?

Whenever you send hard-copy documents to the auditor, send them either by FedEx or by certified mail, return receipt requested.  That way, you will have proof of delivery.  Include a cover letter and make sure the contents are labeled.  Keep a complete copy of every document you provide.

The word is that one out of four recipients fails the CMS audit.  Don’t be one of them.  Sure, you have a right to appeal.  But better to get right from the beginning.  Start getting ready now.

If you would like more information about these issues, please contact Scott Thomas.   He welcomes the opportunity to help you navigate these waters.  Scott’s direct line is 859.578.3862.  You can email him at [email protected].  If there is a particular topic you would like to see addressed in a blog, please send Scott an email with your ideas.

Hemmer DeFrank (1)