These risk assessments must also show that any deficiencies found were completely remediated before the reporting period ended, McNutt says.
Providers even have to watch their words carefully lest they invite extra scrutiny. "Avoid using words like 'deficiencies' and 'remediations'" if the organization is simply contemplating a set of best practices, McNutt says.
Another lesson Methodist learned was to provide proof that they were on a Meaningful Use-certified version of its EHR software during the entire reporting period. This can be tricky if software upgrades happen anywhere near that period of time, McNutt says.
"A letter from your vendor would do, or if you have screen shots you can take from your EHR that say what exact day certain releases were moved into production, you could use that for your defense, but that's the first thing they ask for."
Medicaid Surprise and a CMS Challenge
Then there was McNutt's Medicaid surprise, which reinforces the fact that these audits are as much about proving actual use of EHR systems as they are about proper installation and risk assessments. "This audit from CMS is as much an audit of your state Medicaid agency as it is of you, and so they come to you to reprove everything that the state already has," she told the CHIME Webinar audience.