July 9, 2013

The EHR Auditors Are Coming??

Filed under: CMS,EHR Audits,EHR Incentive,HIPAA,Meaningful Use — HankMayers @ 11:15 am

Some of you may have heard that the CMS EHR Incentive program (for both Medicaid and Medicare) has begun the process of conducting audits of providers who have applied for, or have received their EHR incentive payment. There has been a lot of chatter as of late on this event, and not all of it accurate.

I can share with you the following facts and feedback that we are getting from CMS, HIMSS, and those being audited.

1. This does not represent some kind of negative political turn of events for the program. Yes there has been a number of congressional hearings on how the incentive program is doing. But these audits were always part of the regulations on the incentive program.

2. All providers are not being audited. Generally, the selections are made on a random basis

3. It is true that some providers are being audited before they receive their incentive. This is the case for providers seeking a Medicaid incentive. These pre-payment audits are apparently only focused on validating that the applicant has met the minimum threshold of Medicaid or “needy” patients (20%+ for pediatricians, or 30%+ for all other practitioners).

4. Medicare audits are conducted subsequent to the provider receiving his/her/its incentive payment.

5. One of the complicating factors is that the auditors’ requests are not consistent, but are changing, as the CMS auditing contractor, Figliozzi, gets clarifications from CMS on the way the regulations should be interpreted.

6. Your audit will require that you provide documentation to validate the data that you submitted in your attestation to CMS or your state Medicaid agency. The best strategy is to use the exact documents you used to construct your attestation – just like you would with your tax return. This would include:

a. Reports and/or screen shots from your EHR containing the data you submitted
b. If your attestation was for implementing, not using, your EHR (Medicaid only), the best proof is a confirmation letter from your vendor that their product was fully installed and available to you for implementation.

c. Copies of any patient lists you generated

d. Copy of your Risk Audit
……………1. Remember that it is possible that you could ALSO get selected for a HIPAA Security & Privacy Audit.
………………….This is an entirely unrelated audit process
……………2. Your EHR Risk Audit requires that you follow the HIPAA guidelines
………………….The HIPAA Audit will require that you ALSO be implementing remediation efforts on discovered short-falls in your current security & privacy practices
……………………….The EHR regulations do NOT require (at the present) that you be engaged in remediation efforts

7. If you fail the audit, you will be directed to refund your incentive back to CMS

8. There is a formal appeal process that is part of the EHR audit program.

9. CMS has published the following document on this audit program:

We are very interested in learning more from healthcare entities on their experiences with these audits. Please share your experiences by commenting on this blog.

Powered by WordPress