Sixty-six years after George Orwell penned his prophetic vision of 1984, many physicians are encountering tangible evidence that “Big Brother” is alive and well: Meaningful use audits are here, and we’ve heard from a lot of our readers that they are time consuming and disconcerting, if not a bit scary. We, too, have encountered Stage II audits and have helped physicians navigate audit mysteries, so we thought it would be a good idea to offer our insight into the process.
First, a disclaimer: The best advice for passing an audit should come from a consultant familiar with your unique situation and audit request. There are, however, a few general principles that everyone should adopt to make the process as smooth as possible. We will highlight them here, beginning with the following axiom:
Prepare, but don’t panic
The most important piece of advice we can offer to providers attesting for meaningful use is to plan carefully for an audit, even if an audit request never comes. The best way to do this is to maintain attestation documentation so it is readily available when needed. This might mean screenshots, “dashboard” reports, letters of intent from collaborating registries, or records of successful data transmission. If you are not sure what to prepare, your EHR vendor should be able to provide you with guidance; every EHR product needs to be certified for meaningful use, so vendors must have documentation on how you can prove you’ve achieved it.
It’s also worth pointing out that audits may encompass a multistep process. Once you respond to the request, the auditor may require additional documentation. This may become a two-way conversation and allow you to clarify what is needed, but preparation will make the process go much more smoothly. Thus, if an audit request materializes, you’ll have already done all of the hard work and will need only to provide it to the third-party auditor. A word of caution, though: Don’t believe that once you’ve received your meaningful use payment that you are completely out of the woods, because ...
Audits may come before or after payment
There are several types of audit requests. Auditors may simply ask you to prove you are using a certified EHR, or they may ask for a whole lot more. Furthermore, they may perform “prepayment” or “postpayment” audits. In the case of a prepayment audit, they will hold any incentive payments until after the audit requests are satisfied. Audits after payment is issued can be a bit trickier; if you don’t “pass” a postpayment audit, the Centers for Medicare & Medicaid Services will ask for the money back and typically won’t be too friendly about it. The appeal process isn’t easy and may involve lawyers and other complications, so make sure to take the audit request quite seriously, and cover yourself by remembering that when it comes to a Meaningful Use audit …
There is no such thing as TMI (too much information)
When submitting supporting documentation to an auditor, try to be as exhaustive as possible to avoid making the process lengthier than it needs to be. It is critical to make your case clear, and screenshots depicting the measure, source, and date can be one great way to do this.
For example, if you are sending attainment numbers from scored measures (e.g., ePrescribing, CPOE, or Clinical Summaries), be sure to include some evidence that the numbers were obtained from your certified EHR’s scorecard or dashboard (such as the software’s logo, etc.). If sending evidence of compliance for a yes/no measure (e.g., patient lists by condition or clinical support rule activation), be sure the date you generated it is clear so you can prove it was active during the reporting period. Finally, be sure to provide clear documentation that you are actively submitting data to immunization and disease registries (or at least have done your due diligence to set it up), and whatever you do ...
Don’t neglect the security risk analysis
This is one area that seems to become a focus point in every audit. It’s also something that may be taken for granted by providers, as it is a yes/no measure that can be easily overlooked. Don’t fall into this trap; the CMS takes data security very seriously and so should you. If you receive an audit request from them, they will want to know not only that the analysis was performed but also what potential risks were identified, what type of data was collected, and what your practice is doing to improve upon any deficiencies. If you need guidance on how to do this, you’ll find help here.