CMS official offers details on MU audits
The Centers for Medicare & Medicaid Services this year implemented pre-payment audits on Medicare and dually eligible (Medicare and Medicaid) providers participating in the EHR Incentive Programs. The pre-payment audits complement post-payment audits that CMS has conducted since 2012.
Both audit programs target between 5 and 10 percent of eligible professionals attesting to meaningful use, according to Elizabeth Holland, director of the HIT Initiatives Group within CMS' Office of E-Health Standards and Services.
Figliozzi & Company, a CMS contractor based in Garden City, N.J., will perform the audits on Medicare and dually eligible providers. States will conduct audits on providers participating in the Medicaid EHR Incentive Program.
PhysBizTech Editor Frank Irving talked with Holland about details of the audit program.
Q: Are both audit programs expected to be in place for the duration of the EHR Incentive Programs?
Q: And the process starts with a letter to the practice from your audit contractor?
A: Right. There is a sample copy of the audit letter request on our website.
Q: CMS offers other online resources such as an audit overview and a fact sheet explaining documentation required to support meaningful use attestation. Aside from studying those materials, what else should small practices do to prepare for the audits?
A: The first thing we recommend to providers is to not panic, and always tell the truth. I know people are a little unsettled by the whole notion of an audit, but this is not meant to be a "gotcha" sort of thing.
CMS has a responsibility to make sure that HITECH dollars are being spent appropriately. We're doing the audits to make sure that people who are receiving incentive payments are actually using certified EHR technology, and that they are actually meaningful users.
Q: In practical terms, how can they be ready?
A: As you mentioned, they can refer to the documentation guidelines, which give you a sense of what you need to retain. A lot of this information you would have prepared when you attested [for meaningful use]. So you should already have this information on hand.
When you actually get the letter indicating that you've been selected for an audit, you have two weeks to submit the documentation that is requested. Then it becomes a back-and-forth process.
Some providers submit the information, it checks out, and they are fine. But other providers do not submit the appropriate documentation – or some of it appropriate and some of it is not. It is very much an iterative process. It's not that you submit the information and we say yea or nay. If there are any issues, we try to work with the provider as much as possible.
In some cases, the provider has the proper documentation, but didn't realize what they needed to send us. And there may be times when my policy staff needs to weigh in, so we really try to make the process as individualized as possible. Continue to work with the audit people.
[See also: Preparing for a meaningful use audit.]
Q: Is there any leeway in the two-week response window for submitting documentation?
A: We have been granting extensions [in some cases] if the provider cannot supply the documentation in the allotted time. You just need to ask.
We realize that some providers are busier than others and we don't want this to shut down a practice. The reason we had put in the two weeks for the pre-payment audit documentation is that we will not be making the payment until we have the documentation and everything checks out. We're trying to keep the provider on the path to get the payment as quickly as possible.
Q: At the conclusion of the audit, there would be a determination of whether the provider has been determined to be a successful meaningful user as defined under the program. At the other end of the spectrum, there would be a recoupment of any payment that had been made. Is that accurate?
A: That's correct. You're either a meaningful user or you're not. But to get to that "no" determination would probably be based on several factors.
Q: Do you publish the results of the audits?
A: They have not been released to date because we're still in the preliminary findings stage. But I do expect over time that more and more information will be released.
What we're doing now…the first audits have enabled us to learn from what the auditors found, and that's why we've issued some more documentation guidelines to help people. We continue to learn through the audit process what people are confused about -- which measures seem to be especially problematic.
Q: What would be an example of something you've discovered through the process that may have been a bit confusing to providers?
A: We didn't expect the security risk analysis would be confusing. We thought that providers would be really familiar with the analysis because it is required for HIPAA. But the requirement for HIPAA is once every two years, and for meaningful use it's once during your reporting period. People were thinking they had already done it, but they hadn't actually done it within their reporting period. So we are trying to clarify that.
Q: What else has come up?
A: Some people are concerned about how their EHR is producing reports. That's really not what we're going after here. For example, let's say you attested for a measure and have a report from your EHR that said you had a percentage of 80 percent. Then, when the auditors reviewed it, the percentage was actually 74 percent. If the threshold for that measure is 50 percent, there wouldn't be any finding because you are still a meaningful user.
We're looking for instances where a provider told us he got 90 percent, and when the auditors looked, they found he got 10 percent -- and the threshold was actually 30 percent. There has to be a big discrepancy. So people shouldn't worry if their percentages are off a little bit. There is some wiggle room there.
Q: Has there been any fraudulent activity uncovered through the audit process?
A: There are investigations ongoing.
Q: Can you tell us anything about the nature of the investigations?
A: I know the investigations exist, but haven't been told the nature because they are being handled by the FBI and the Department of Justice. I don't have the details.