EHR Incentive Audits to Escalate
EHR Incentive Audits, Now Pre-Payment
The calls keep coming in. Hospitals, providers, vendors, consultants, and of course the occasional journalist. Those CMS EHR Incentive audits are starting to work their way through the ether and everybody wants to talk about them. Attesting in 2011 and 2012 for Meaningful Use (MU) was easy. Input a few numbers here and there on the CMS web based attestation screens and hit that “submit” button. No annoying clarification to confuse and confound. In four to six weeks here comes that check and you are off to Cancun. Fast forward two years and here come those pesky audits. Some of the folks who received incentives based on 2011 and 2012 MU are being audited now and some more recent ones are being audited prior to receiving the incentives. I have talked to a number of Eligible Providers (EPs) who received pre-payment audit notification and promptly withdrew their attestation. If you haven’t had the pleasure of receiving an audit engagement letter you can see a sample here.
Now a few words about the Medicare EHR Incentive auditors. I don’t envy their jobs. Imagine how much clarification and guidance has come out in the past two years to help explain the details of MU. Now imagine trying to audit compliance with a process that has generated so much confusion. One of the Stage 1 MU objectives, Exchange of Key Clinical Information, is so confusing to achieve and document that even CMS has thrown in the towel on this one for 2013: “Beginning in 2013, the objective for electronic exchange of key clinical information will no longer be required for Stage 1 for EPs, eligible hospitals, and CAHs. Providers faced numerous challenges in understanding the requirements for this objective…” In my communications with auditors on behalf of clients I have found them responsive and willing to review all collateral documentation. There has been a diligent effort on their part to balance the documentation requirements with common sense. It is a delicate balance but from what I have seen they should be commended.
My advice? When you attest just don’t do anything crazy. Don’t report different numbers of “unique patients” for different MU measures. Don’t claim you have a certified EHR unless you really have one. Don’t say you have performed a Security Risk Analysis unless you can produce it. If you have multiple EPs in your practice it is probably not a good idea to report the exact same numbers for every provider during attestation. I guess what I am saying is it might be a good idea to understand what you are doing before you hit that “submit” button. I have placed links to the “CMS Audit Information and Guidance” documents on my website that I hope will be helpful.