Through the first half of this year, the Centers for Medicare & Medicaid Services auditor has conducted numerous pre- and post-payment audits of meaningful use attestations submitted by eligible providers to the Medicare Electronic Health Record Incentive Program. This newsletter provides an overview of pre- and post-payment audit activity as well as recommendations for how Eligible Providers should prepare themselves for audits.
Through the first half of this year, Figliozzi & Company (Figliozzi), the audit contractor for the Medicare Electronic Health Record (EHR) Incentive Program (EHR Incentive Program), has conducted numerous pre-payment and post-payment audits of meaningful use attestations submitted by eligible professionals, eligible hospitals and critical access hospitals (collectively, Eligible Providers). This experience navigating pre-payment and post-payment audits has generated several recommendations that Eligible Providers should consider, whether or not they are under audit.
The following sections of this On the Subject provide an overview of Medicare EHR Incentive Program pre- and post-payment audit activity, an overview of the more recently implemented pre-payment audit program and recommendations for how Eligible Providers should prepare themselves for audits.
Overview of Incentive Program Audit Activity
The Centers for Medicare & Medicaid Services’ (CMS) EHR Incentive Program regulations authorize CMS to review an Eligible Provider’s meaningful use attestation to determine whether the Eligible Provider has met the requirements for an incentive payment. Since its inception, CMS has incorporated automatic pre-payment edit checks into the EHR Incentive Program attestation and payment systems. According to a February 2013 publication from CMS titled “EHR Incentive Programs Supporting Documentation for Audits” (CMS Audit Publication), CMS uses such pre-payment edit checks “to detect inaccuracies in eligibility, reporting and payment.” Beginning with attestations submitted in January 2013, CMS also conducts pre-payment audits, which are “random and may target suspicious or anomalous data.”
In addition to pre-payment edit checks and audits, CMS also conducts post-payment audits, amounting to approximately 5 percent to 10 percent of Eligible Providers receiving incentive payments. Eligible Providers selected for post-payment audits must present supporting documentation to validate their submitted attestation data, and CMS will withhold payment of the incentive payment for the Eligible Provider’s subsequent EHR incentive payment year until the audit is resolved.
Pre-Payment Audit Program
Implementation of pre-payment audits was widely anticipated in response to criticism from the Department of Health and Human Services Office of Inspector General (OIG). In November 2012, the OIG released a report titled “Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program” (OIG Report). The OIG Report noted that “CMS does not verify the accuracy of professionals’ or hospitals’ self-reported meaningful use information prior to payment.”
In recommending pre-payment audits, the OIG Report states that “[a]lthough CMS is not required to verify the accuracy of this information prior to payment, doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments. Verifying self-reported information prior to payment could also reduce the need to identify and recover erroneous payments after they are made.”
CMS initially resisted the implementation of pre-payment audits in an October 2012 letter from CMS Acting Administrator Marilyn Tavenner to the OIG, speculating that implementation of pre-payment audits could significantly delay payments to Eligible Providers and, further, that requesting additional documentation from Eligible Providers would also impose an increased upfront burden.
Notwithstanding the initial resistance, CMS began conducting pre-payment audits for attestations submitted in 2013. Figliozzi, which was previously appointed as a CMS contractor for purposes of conducting post-payment audits, conducts pre-payment audits on behalf of CMS.
As with the post-payment audits, CMS intends to conduct pre-payment audits of approximately 5 percent to 10 percent of Eligible Providers submitting attestations for meaningful use; according to the CMS Audit Publication, some Eligible Providers will be selected at random, while others will be audited based on submission of “suspicious or anomalous data.” Given the unrelated process for selecting Eligible Providers for pre- and post-payment audits, it is possible that CMS may audit up to 20 percent of Eligible Providers submitting attestations for meaningful use in a given year.
Eligible Providers selected for pre-payment audits must present supporting documentation to validate data submitted during attestation before CMS will release their incentive payments. The CMS regulations for the Medicare and Medicaid Program provide that Eligible Providers must keep documentation supporting their demonstration of meaningful use for six years.
Pre-Payment Audit Preparation Best Practices
Based on Eligible Providers’ experience with the pre-payment and post-payment audits, we recommend the following practices to improve the chance of a successful audit:
- Understand Core and Menu Set Measures. An Eligible Provider should review and be familiar with the specification sheets and frequently asked questions (FAQs) for the core and menu set meaningful use measures published by CMS on the EHR Incentive Program website. The specification sheets and FAQs resolve many ambiguities created by the measures themselves and the auditors rely upon them as interpretive guidance to the measures.
- Use Multi-Disciplinary Teams. Eligible Providers should utilize a multi-disciplinary team of information technology and clinical personnel for the implementation and management of their EHR systems and meaningful use requirements to ensure the system is properly configured for measures (such as the drug-drug and drug-allergy interaction checks measure) that simply require functionality to be activated during the Eligible Provider’s meaningful use reporting period.
- Documenting Measure Compliance. Eligible Providers should retain documentation for each of the measures. Such documentation may include: dated screen captures that demonstrate the Eligible Provider met the measure during the reporting period or otherwise by the applicable deadline, security risk assessment reports or an e-mail from an immunization registry confirming receipt.
- Security Risk Analysis. The protection of electronic health information meaningful use measure requires an Eligible Provider to conduct or review a security risk analysis that meets the HIPAA Security Rule's risk analysis standard. The HIPAA standard requires an analysis of all systems that maintain or transmit electronic protected health information and not only the Eligible Provider's EHR. If an Eligible Provider relies upon the vendor hosting its EHR to perform a security risk analysis of the EHR, the Eligible Provider should request a letter from the vendor stating the timing of the vendor’s assessment in order to demonstrate that the risk analysis was completed before the end of the Eligible Provider’s meaningful use reporting period.
- Certification of EHR System. Eligible Providers should be prepared to provide documentation that they have implemented the version of a vendor’s EHR that has been certified as supporting meaningful use by the Office of the National Coordinator for Health Information Technology rather than an earlier uncertified version. Eligible Providers using an EHR system that is provided on a “software-as-a-service” (SaaS) basis or otherwise from a cloud environment should be prepared for the auditor to request verification regarding the version number of the EHR system in use during the applicable reporting period. Eligible Providers must obtain such verification from their EHR vendor and, as such, should maintain a relationship with an appropriate contact person at the vendor. Eligible Providers should also monitor upgrades and version changes pushed by EHR vendors to ensure any upgrade does not affect the certified status of the EHR technology. A significant change to an EHR system may require the vendor to seek re-certification of the system.