From Ober Kaler’s Health Law Alert Newsletter, 2012: Issue 12 – Focus on HIPAA/Privacy we learn from James B. Wieland and Joshua J. Freemire that it is “unofficially official” – audits of meaningful users have begun.
Are Mandatory 14/15 the chink in a meaningful user’s armor? After all, the other core measures are explicit and require daily measurement. Most meaningful users have cracked the code on such measurement and reporting. But what is the measurement to demonstrate that your organization is “protecting electronic health information” with the same vigilance and accountability as you perform against the other core measures?
Did you perform or review a risk analysis consistent with the ONC’s published guidance? A real risk analysis?
Do you have a documented plan to remediate any deficiencies or unacceptable risks?
How do you document your performance against that plan? It is probably unrealistic, impractical or of little value to measure daily, but can we agree that a monthly “status” is reasonable? If so, is your organization performing to that level?
Do not let the simplicity of the “check box” for Mandatory 14/15 on the attestation profile fool you into a false sense of security (no pun intended) about your organization’s performance. In fact, in its simplicity it may represent the greatest risk to your organization in the event of an audit.
The cost/benefit analysis here is really a no-brainer when you consider the penalty for a fraudulent attestation could be as much as 3x the stimulus your organization has received. If there is any doubt in your organization’s mind that you have met the requirement of Mandatory 14/15, now is the time to take action.
Wieland and Freemire write:
A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from an Figloiozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.
The letters from Figloiozzi and Company, as the Department of Health and Human Services (HHS) Secretary’s designee, request four categories of information:
- Audited entities are asked to produce a copy of their certification from the HHS Office of the National Coordinator for Health Information Technology for the technology they used to meet Program requirements. Presumably, this documentation will be used to demonstrate that the entity “possesses” a certified Electric Health Record technology system as required under Program rules.
- Audited entities are asked to provide documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. This distinction plays a large role in several of the Program requirements as it determines which patients were included in the denominators of certain meaningful use core and menu items.
- Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to core set objectives and measures. While the audit letter’s request is not specific, it would appear that this request is intended to solicit information beyond that already provided to CMS as part of the attestation process. A hospital might consider, for instance, producing reports substantiating the encounters that gave rise to the calculation relied upon to successfully attest. Such reports should be deidentified.
- Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to “menu set” or voluntary, objectives and measures. Again, the information request appears to solicit a level of information beyond that provided in the attestation documents themselves.
Based on questions from recipients, an amended version of the audit letter has been sent out, adding “(i.e., a report from your EHR system that ties to your attestation)” to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.
The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to “plan ahead” for an audit they can be certain is coming.
You may also appreciate an article on FierceEMR today by Marla Durben Hirsch on this topic: CMS starts Meaningful Use attestation audits – FierceEMR http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23#ixzz21VMMAsFc
To learn more:
– here’s some general information from CMS
– read the GAO report
– check out the FAQ