Posted from AAFP News Now:
Use of the words “audit” and “Medicare” in the same sentence tend to make even the most seasoned physician uncomfortable. So when the news broke in March that CMS had added prepayment meaningful use (MU) audits to its ongoing postpayment audit process, some family physicians expressed concern.
Understanding that a little knowledge can go a long way toward alleviating anxiety, AAFP News Now recently spoke with a government expert about how physicians can prepare for MU audits associated with the Medicare Electronic Health Records (EHR) Incentive Program.
Rob Anthony, deputy director of the Health IT Initiatives Group for CMS’ Office of E-Health Standards and Services, noted that as many as 10 percent of program participants would face an audit. “Keep in mind that the audits are both random and targeted,” said Anthony, so physicians shouldn’t assume they’ve made an error if they receive an e-mail audit notification from Figliozzi and Co., the certified public accountant firm selected by CMS to conduct the audits.
“We’re required to do due diligence on our end,” said Anthony, and that includes robust oversight of a government program that disperses taxpayer dollars in the form of physician bonuses that can total as much as $18,000. According to Anthony, the audit process is the same regardless of whether physicians are notified before or after they are issued a check for successfully meeting MU program requirements.
“The first thing we always tell people is that if you’ve entered accurate numbers (in the MU attestation process) and have the documentation to support that, then the audit is a really simple process for this program. You’re simply showing (auditors) supporting documentation,” said Anthony.
For the vast majority of people, the primary support document is the report generated by a certified EHR because it generally provides both the numerator and denominator values needed for MU attestation.
“It’s important to make sure the report specifies a time period and indicates that it is specific to you as a provider,” said Anthony. That’s as easy as including a National Provider Identifier, provider name or practice name.
Anthony noted that some certified EHRs provide a “snapshot in time,” meaning that the physician can go back to any 90-day period, and the system always shows the correct numerator and denominator values for that period. However, many EHRs don’t have that function and instead use what Anthony called a “rolling system” that changes the values of the numerators and denominators after the reporting period ends.
In that situation, he advised physicians to “save either a paper or an electronic copy of the report you used to attest so that when an auditor comes knocking and asking for supporting documentation, you can hand him a report that shows the numerator and denominator values that you entered (for attestation) rather than something that might have changed later down the line.”
A number of physicians also have had trouble complying with what Anthony called the “yes/no functionality issues” that require specific EHR functions — such as drug allergy interaction checks and clinical decision support — to be turned on during the entire reporting period.
“Some systems have an audit log that shows that you have functionality enabled for the entire reporting time, but many systems don’t,” said Anthony. If your system doesn’t, save one or more screen shots that are dated from the reporting period to which you are attesting.
One additional area that has snagged numerous physicians is the security risk analysis. “This doesn’t impose any additional requirements beyond what’s already required for a security risk analysis for your practice as part of HIPAA (the Health Insurance Portability and Accountability Act),” said Anthony. “The only difference is that we require it more frequently,” or every year for MU versus every two years for HIPAA purposes.
Anthony warned that a “generalized” security risk analysis wouldn’t meet the MU audit requirement. “You need something that shows it (an analysis) was done before the end of the reporting period and that shows it is specific to your certified EHR and your particular practice. Information that is dated and specific to you goes a long way for a lot of these requirements.”
Lastly, Anthony advised physicians to direct any audit questions to Figliozzi and Co., including requests for clarification about requested documents as well as requests for additional time to comply.
Anthony summed up how to make the audit process go smoothly: “If you’ve input the numbers correctly and accurately, and you have the documentation to show how you got there, the audit process is simple. You’re not generating new information.”
Additional resources can be found by clicking the following links:
CMS: Sample Audit Request Letter