Skip to main content

Latest Wave of MU Audits Delivers a Fresh Scare

 |  By smace@healthleadersmedia.com  
   October 29, 2013

A slew of Meaningful Use audit notices have suddenly materialized, aimed not only at Medicare, but at Medicaid recipients as well. The deadlines are tight and the documentation requirements exacting, making a most unwelcome October surprise for healthcare CIOs.

As the CHIME conference wound down on the evening of October 10, CIOs were abuzz: A new wave of Meaningful Use audit notices was making its way into their email boxes with November 7 due dates for responses.

The government might have been shut down, but the federal contractor conducting the audits, Figliozzi & Company, was still on the job. The new fiscal year was unfolding before CIOs with a fright worthy of Halloween.

In response, CHIME leadership sent out an urgent survey to its members. The results were sobering. The rolling, random audits were indeed going out in force, and they weren't just aimed at Medicare, but at Medicaid recipients as well. The survey found that out of 1,400 member organizations, close to 100 received audit notices this month.

I had led myself to believe that the Meaningful Use audit process was more cut-and-dried than it is. In fact, that may be more true for small practices, where the provider's own bureaucracy is at a minimum. When audit notices go to the largest organizations, however, they can really test the governance mechanisms and responsiveness of providers.

For one thing, there appears to be great variability in who receives the audit notice emails at the larger organizations. Some emails are going to general inboxes. So the first challenge is to filter and find the audit-notice emails, wherever they're landing.

Rigid Documentation Requirements
I am also struck by how much documentation the auditors are asking for. They are demanding proof that risk assessments are being conducted during the MU attestation period in question, rather than before those periods begin.

And auditors are demanding screen shots showing various aspects of compliance. Submitting ancillary proof of compliance, such as checked-off lists of tasks performed, is insufficient.

Furthermore, healthcare systems with multiple hospitals or multiple physicians are also being required to provide that documentation for each hospital and for each physician. "There are folks across the country, especially in physician offices, that are going to be end up tripping over [their] security risk assessment," says Pamela McNutt, senior vice president and CIO at Methodist Health System in Dallas.

Tips from Methodist Health System
McNutt is a CHIME leader, and someone whose system received an audit notice for each of the four hospitals in her system. In a CHIME Webinar held Oct. 22, McNutt says there have even been debates within Methodist's physician entities about what actually constitutes a risk assessment.

"It's not something like where you hire a hacker to try and break into your networks to find your vulnerabilities," she says. Instead, it's a matrix of considerations provided through HIPAA regulations – and includes listing the organization's certified EHR plus any individually certified modules of that EHR, plus how the organization has mitigated risk "for each and every component."

These risk assessments must also show that any deficiencies found were completely remediated before the reporting period ended, McNutt says.

Providers even have to watch their words carefully lest they invite extra scrutiny. "Avoid using words like 'deficiencies' and 'remediations'" if the organization is simply contemplating a set of best practices, McNutt says.

Another lesson Methodist learned was to provide proof that they were on a Meaningful Use-certified version of its EHR software during the entire reporting period. This can be tricky if software upgrades happen anywhere near that period of time, McNutt says.

"A letter from your vendor would do, or if you have screen shots you can take from your EHR that say what exact day certain releases were moved into production, you could use that for your defense, but that's the first thing they ask for."

Medicaid Surprise and a CMS Challenge
Then there was McNutt's Medicaid surprise, which reinforces the fact that these audits are as much about proving actual use of EHR systems as they are about proper installation and risk assessments. "This audit from CMS is as much an audit of your state Medicaid agency as it is of you, and so they come to you to reprove everything that the state already has," she told the CHIME Webinar audience.

This particular audit process dragged on. After four or five go-rounds with the auditor hired to do Texas-specific audits, "they finally just said, 'you just need to send us every single claim that you produced,' and we could de-identify it, but they wanted to know who the payer was and how much we were paid, and whether we were denied, for all payments, not just Medicaid.

"That was a surprise to us, and I challenged it all the way up to CMS, and I was told that that was a valid request. So be prepared for that."

Some providers, including McNutt, have even received phone calls as part of HHS's Office of Inspector General's effort to audit the auditors in each state.

At CHIME, I happened to mention this to former National Coordinator Farzad Mostashari, whose response was a shrug, signifying that this is the way things go with audits at times.

McNutt's co-presenter during the CHIME Webinar was Liz Johnson, vice president of applied clinical informatics at Tenet Healthcare, which has received nineteen audit notices so far. Tenet has the added headache of operating in 22 states, making its challenge and learning experience exponentially greater than Methodist's.

In some cases, the audit notice got to Johnson with only two days left to respond. "We did call and get a few extra days, but it is one of those things where you want to stay on top of it," she said.

Once an audit notice is received, Tenet has a policy that its audit response team decides a course of action within 36 hours. Among other things, Tenet has had to demonstrate to auditors that clinical decision support rules are firing correctly. OIG staff even visited Tenet facilities in person to see some of these rules in action.

A Necessary Burden
The twists and turns of these audits seem to go on and on. Not every provider tuned into this CHIME Webinar, so I hope raising the issue to a higher profile here is useful to all providers. Like too many things in healthcare, it seems that larger organizations, with more clinical, financial and legal resources, might be better able to respond to these audit requests.

Probably those at greatest risk, as usual, are smaller community hospitals, while the very smallest of practices might benefit from being more simply organized than larger providers.

As with audits in so many areas of healthcare, audits of Meaningful Use are a necessary burden of leadership, and the continuing scrutiny of the value of technologies purchased with Federal and state funds shows no sign of easing.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.

Tagged Under:


Get the latest on healthcare leadership in your inbox.