Meaningful Use Audits 2.0
Most of us have gotten pretty used to the Meaningful Use (MU) audits being conducted by Figliozzi & Company. They are the folks that have been conducting the CMS EHR Incentive audits for both eligible hospitals (EH) and professionals (EP) involved in the Medicare or dually-eligible Medicare/Medicaid EHR incentive programs.
You know the drill by now. MU is achieved and attested on an annual basis. A pre-payment audit could occur shortly after attestation and a post-payment audit could occur up to 6 years after an attestation. However it comes down, the audit is performed against a single attestation.
Now we have been hearing about a wave of MU audits that has recently been launched by the Office of the Inspector General (OIG). Why another layer of audits? That answer can be found in the OIG’s Work Plan for Fiscal Year 2015.
<blockquote>We will review Medicare incentive payments to eligible health care professionals and hospitals for adopting EHRs and the Centers for Medicare & Medicaid Services (CMS) safeguards to prevent erroneous incentive payments. We will review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments (e.g., those not meeting elected meaningful use criteria). We will also assess CMS’s plans to oversee incentive payments for the duration of the program and corrective actions taken regarding erroneous incentive payments.</blockquote>
The OIG is therefore conducting oversight audits of providers to make sure that CMS is doing a good job handing out the EHR incentives. We have seen the OIG audit engagement documentation and while there are similarities with the Figliozzi audits, there are also significant differences. Here are a few items taken directly from the OIG requests.
The audit period covers all EHR incentive payments from January 1, 2011, through June 30, 2014.
When transmitting any audit information to OIG over the internet, please properly safeguard the information.
We are required to report as a security breach any audit information sent to us that does not meet FIPS 140-2 requirements.
The OIG audit covers a period that could conceivably cover 4 attestations. That’s right, you are being asked to produce full documentation for multiple attestations. Depending on your ability to satisfy that request up to 4 years of incentive payments could be recouped. The text that states “We are required to report as a security breach” is also a bit on the scary side. Having a MU audit response be identified as a security breach would be like falling out of the pan into the fire.
The stakes have gotten higher and more than ever you want to make sure your “Book of Evidence” is intact and validated. It is becoming obvious that someone at the top has realized that there is a good return on investment for audits against healthcare payments and incentives. I’ll let Bob Dylan say it clearly, “You don’t need a weatherman to know which way the wind blows”.