Use of the words "audit" and "Medicare" in the same sentence tend to make even the most seasoned physician uncomfortable. So when the news broke in March that CMS had added prepayment meaningful use (MU) audits to its ongoing postpayment audit process, some family physicians expressed concern.
Understanding that a little knowledge can go a long way toward alleviating anxiety, AAFP News Now recently spoke with a government expert about how physicians can prepare for MU audits associated with the Medicare Electronic Health Records (EHR) Incentive Program.
Rob Anthony, deputy director of the Health IT Initiatives Group for CMS' Office of E-Health Standards and Services, noted that as many as 10 percent of program participants would face an audit. "Keep in mind that the audits are both random and targeted," said Anthony, so physicians shouldn't assume they've made an error if they receive an e-mail audit notification from Figliozzi and Co., the certified public accountant firm selected by CMS to conduct the audits.
- CMS has authorized prepayment and postpayment audits associated with its Medicare Electronic Health Records (EHR) Incentive Program.
- As many as 10 percent of all physicians and other health care professionals attesting to meaningful use of an EHR will be audited through either random or targeted selection.
- A government expert with knowledge of the auditing process explains how physicians should prepare in the event they are selected for an audit.
"We're required to do due diligence on our end," said Anthony, and that includes robust oversight of a government program that disperses taxpayer dollars in the form of physician bonuses that can total as much as $18,000. According to Anthony, the audit process is the same regardless of whether physicians are notified before or after they are issued a check for successfully meeting MU program requirements.
Anthony drew on nearly a year's worth of experience with the audit program to provide some pointers on how physicians should prepare in the event they are audited.
"The first thing we always tell people is that if you've entered accurate numbers (in the MU attestation process) and have the documentation to support that, then the audit is a really simple process for this program. You're simply showing (auditors) supporting documentation," said Anthony.
For the vast majority of people, the primary support document is the report generated by a certified EHR because it generally provides both the numerator and denominator values needed for MU attestation.
"It's important to make sure the report specifies a time period and indicates that it is specific to you as a provider," said Anthony. That's as easy as including a National Provider Identifier number, provider name or practice name.
Use This Audit Tip Sheet
The auditing process can be daunting for busy family physicians. Keep this quick tip sheet handy, and use it as a reminder of actions that, taken in advance, will save time and headaches later.
- Enter accurate numbers when you attest to meaningful use of an electronic health record (EHR).
- Keep your supporting documentation.
- Know that dated screen shots provide a good source of documentation.
- Save paper or electronic copies of reports used to attest if the practice's EHR automatically changes numerator and denominator values after the reporting period ends.
- Turn on, for the entire reporting period, EHR features that track functionality issues, such as drug interaction checks and clinical decision support.
- Understand that the security risk analysis must be specific to the EHR and the practice and is required every year.
- Direct all audit questions directly to Figliozzi and Co., the certified public accountant firm selected by CMS to conduct the audits, for faster response time.
Anthony noted that some certified EHRs provide a "snapshot in time," meaning that the physician can go back to any 90-day period, and the system always shows the correct numerator and denominator values for that period. However, many EHRs don't have that function and instead use what Anthony called a "rolling system" that changes the values of the numerators and denominators after the reporting period ends.
In that situation, he advised physicians to "save either a paper or an electronic copy of the report you used to attest so that when an auditor comes knocking and asking for supporting documentation, you can hand him a report that shows the numerator and denominator values that you entered (for attestation) rather than something that might have changed later down the line."
A number of physicians also have had trouble complying with what Anthony called the "yes/no functionality issues" that require specific EHR functions -- such as drug allergy interaction checks and clinical decision support -- to be turned on during the entire reporting period.
"Some systems have an audit log that shows that you have functionality enabled for the entire reporting time, but many systems don't," said Anthony. If your system doesn't, save one or more screen shots that are dated from the reporting period to which you are attesting.
One last area that has snagged numerous physicians is the security risk analysis. "This doesn't impose any additional requirements beyond what's already required for a security risk analysis for your practice as part of HIPAA (the Health Insurance Portability and Accountability Act)," said Anthony. "The only difference is that we require it more frequently," or every year for MU versus every two years for HIPAA purposes.
Anthony warned that a "generalized" security risk analysis wouldn't meet the MU audit requirement. "You need something that shows it (an analysis) was done before the end of the reporting period and that shows it is specific to your certified EHR and your particular practice. Information that is dated and specific to you goes a long way for a lot of these requirements."
Lastly, Anthony advised physicians to direct any audit questions to Figliozzi and Co.(www.figliozzi.com), including requests for clarification about requested documents as well as requests for additional time to comply.
Anthony summed up how to make the audit process go smoothly: "If you've input the numbers correctly and accurately, and you have the documentation to show how you got there, the audit process is simple. You're not generating new information."