Reprinted with Permission from the Birmingham Medical News

For health care professionals who began accepting Meaningful Use incentive money at the outset of availability under the Medicare option in 2011, the year 2015 is an important year. If the provider has met all core requirements and objectives for the designated reporting periods, he or she has not only successfully converted to an efficient electronic health records system, but has also collected the maximum incentives authorized by CMS to do it - a total of $44,000 for eligible health care professionals (EPs). In today's health care environment, that is significant money. Not only did starting early earn the EP the full incentive, but he/she avoided the payment reductions - starting at 1% and progressing to 5% annually - that began this year for eligible professionals who chose not to participate in the Meaningful Use Incentive Program. Yes, 2015 marks the end of five good years for those professionals who got in early, figured out the process, stayed current on the constant changes, and kept attesting to satisfaction of those meaningful use objectives and measures for the designated reporting period. These providers are well on their way to Stage 3 - no small feat.

But when the government disburses $20 billion in incentives, there will be strings attached, and those strings have come in the form of post-payment audits. Approximately 5% of Meaningful Use participants who have received incentive money will be audited via CMS's contractor, Figliozzi and Company. According to recent statistics released by CMS, since 2011, it has authorized more than 10,000 audits on more than 265,000 attestations by EPs (this does not include audits of eligible hospitals), and more than 25% of those audits have resulted in failure. Failure is expensive. A failed audit requires return of ALL incentive money received for that audit year - in other words, no partial credit for partial compliance. The most common areas of failure involve failing to conduct proper data risk assessments, per Core Measure 15 (meaningful use regulations require these assessments in addition to those assessments performed to comply with HIPAA regulations), and failing to keep adequate documentation that support attestation. Relying on the vendor's certification and its retained system data alone will not be enough to survive the audit. So what can an EP do to be ready for the audit letter when it comes? The best weapon is anticipation.

Upon receiving notification of the impending audit, the EP will generally have two weeks to submit responsive data. Although certified EHR systems have the capability to produce information reasonably fast, and all clinical quality measure data must in fact be reported directly from the EHR system, certified systems do not always provide the complete picture. Supporting documentation can and should be available from other sources. It is important to be able to quickly produce not just the attestation data, but all source data that was relied upon in making the attestation. According to CMS, reports from all sources should demonstrate at a minimum the numerators and denominators used in all calculations, the timeframe of the reporting, and evidence to support that it was generated for that particular provider. CMS acknowledges that certified EHR systems cannot always

limit reporting periods or properly support non-percentage based objectives, and so it is important that other documentation be maintained for the auditor's review.

If the EP has anticipated his/her "burden of proof," so to speak, the chances of a successful audit are greatly improved. For example, did the EP attest that he/she writes fewer than 100 prescriptions a month to apply a MU exclusion? If so, what documentation proves it? Did he/she attest that more than 60% of medication orders were done via computer entry? If so, what source documents will demonstrate the numerator and the denominator values for that calculation? Was there a successful electronic submission of public health information? How can it be proven? Approximations and assumptions won't be enough to survive the audit. The following tips, when done before the audit letter arrives, gives the EP a fighting chance:

• Keep all source documentation for a minimum of 6 years
• Ensure proper paper exists to support the "yes/no" attestations
• Work with IT to access and preserve general system data and audit trails. For example, when was the "generate patient lists by condition" function turned on? When was a function toggled from no to yes?
• Use screen shots to document point-in-time entries, specific reporting periods, and successful submissions where possible
• Perform routine gap analyses and audits internally. Know your weaknesses before CMS does!
• Be ready to prove the negatives. Zero patients requested copies of medical records during the reporting period? What documents support that?
• Be duplicative where needed and maintain separate compliance files. A system security analysis under HIPAA will not qualify as the system security analysis under Core Measure 15.
• Every attestation should have documents to support it.

Remember that one failed element equals a failed audit. A failed audit will result in repayment of all incentives received for that audit year. Successful navigation of the Meaningful Use program is about more than just meeting objectives and figuring out the attestation process, which admittedly was challenging enough. At the end of the day, it is about keeping the money that was earned. Anticipating the audit and its pitfalls is a critical component to surviving the regulatory land mine of Meaningful Use.

[View source.]