CMS has announced that providers – hospitals and physicians – who received meaningful use incentive payments are now being audited. CMS has outsourced this function to the New York audit contractor Figliozzi & Company. Providers who fail to produce documentation to support their Stage 1 Meaningful Use incentive payment are at risk for losing that money and are at risk of Medicare and/or Medicaid fraud charges.
CMS has posted a basic outline of the audit program on their Attestation FAQ page. To prepare for an audit, providers should save ALL electronic and paper documentation to support their attestation. This documentation should be retained for 6 years.
While additional details are limited, the law firm Ober & Kaler, as detailed in their online newsletter, has apparently seen the letters from Figlliozzi which call for
- Copies of the certification from the HHS Office of the National Coordinator for Health Information Technology to demonstrate that they possess the necessary technology
- For hospitals, documentation to support the method (observation services or all ED visits) they choose to report ED admissions,
- Documentation to support the completion of core measure objectives and measures, and
- Documentation to support the completion of the menu set measures
Most hospitals have the sophistication to prepare the necessary supporting documentation prior to reimbursement requests such as the meaningful use attestation. Physician practices in general have fewer resources and are likely at greater risk for non-compliance.
This batch of audits provides only about two weeks for a response, so practices are advised to be prepared with the required documentation. Of course, this supporting documentation should have been saved during their attestation process. Should any be lacking, now is an appropriate time to create this documentation.
First, an abbreviated list of the meaningful use measures may be pulled up here. Here is what should be in your file:
- A report or screenshot of your EHR’s Meaningful Use “dashboard” – this should show results for Core Objective numbers 1,3-9,12 and 13 and Menu Set items 2 and 4-8.
- Screenshots, or reports, showing the required functionality should be included for Core Measure Items 2, 10, 11, 14 and Menu Set Items 1,3, 9,10 and 11. To comply with HIPAA’s minimum necessary provision, black-out any patient names on these screenshots or reports.
-
For Core Objective #15, the Privacy and Security Measure, you should submit:
- a written copy of your computer security risk analysis compliant with the HIPAA Security guidelines
- any corrective action plan prepared as part of this analysis
- documentation that corrective action items have been completed
- Practices must select either Menu Set #9 (performing a test submission to the state immunization registry) or Menu Set #11, Perform a test of submitting electronic syndromic surveillance data to a public health agency. If neither of these was possible because your state and/or local agencies were not equipped to receive your submission, some documentation of their inability should be provided.
If any of this documentation is missing, of if some of these steps have not been performed, it is probably better to complete these steps late, although we can provide no guarantees regarding the audit outcome if this is late.
Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
