MU audits: One CIO's recurring bad dream
Ralph Johnson figured once would be enough. Having passed one EHR Incentive Program audit, he assumed his small health system had proven its meaningful use merit to the Centers for Medicare & Medicaid Services. Then he got another email.
For the second consecutive attestation period, Johnson, chief information officer of rural Franklin Community Health Network, in Farmington, Maine, had attracted the attention of CMS.
"Two years in a row," says Johnson. "I was under the impression they were random. So it seemed odd to me to get the notification again, the second year after the filing."
At least 5 percent of organizations attesting for meaningful use will undergo a CMS audit, with half of those subject to a pre-payment audit.
CMS wants to see that providers are using certified EHR technology, to take a closer look at MU reports for core and menu attestation data, to see copies of security assessments and more. Thorough documentation is critical.
"It's a pain in the neck," says Johnson. "It's at least a week or more of just heads-down work: copying files, making PDFs, organizing them, going to the vendors – you have to get attestations from all of your vendors that you're on a certified version, you've got to track down all your contracts to show you were under contract for those versions. You have to have invoices to show that you paid for them and are licensed to use the products during that time period that you reported."
So, for the second year in a row, "I've got a big pile of paper now here on my desk," he says. "I'll probably come in on a Saturday when I'm not going to get interrupted and scan it all in."
Not a fun way to spend a weekend. "No."
Is this common? Anecdotally, at least, it's common enough that one of Johnson's counterparts at another small hospital in Maine is also facing a second meaningful use audit.
CMS won't discuss specific audits, but a spokesperson did provide some information related to the incentive program.
"Beginning with attestations submitted during and after January 2013, Medicare providers may also be subject to pre-payment audits," according to CMS. "These pre-payment audits will include random audits, as well as audits that target suspicious or anomalous data.
"For those providers selected for pre-payment audits, CMS will request supporting documentation to validate submitted attestation data before releasing payment" and "will also continue to conduct post-payment audits during the course of the EHR Incentive Programs. Providers selected for post-payment audits will also be required to submit supporting documentation to validate their submitted attestation data."
Jeff Smith, director of federal affairs at CHIME, said the CIO trade organization doesn't have data on frequency of audits but did point to a 2013 survey that showed 94 facilities that had received audit requests.
"Anecdotally, I know of other hospitals that have been audited twice from the CMS auditors, once from Medicaid (state-based) and one more from HHS OIG," said Smith.
Franklin Community Health Network passed its first audit, says Johnson, after correcting one minor piece of missing information.
"Some of the reports didn't have our facility name on the header, so I had to rerun the reports for them, but they accepted those and gave us a finding that we passed the audit."
This time around, "I'm making sure that those are there so I don't get a second round of requests," he says, but he won't be doing much differently. "I think what we did last time was the right formula to satisfy them."
Johnson – a former CIO of the Year for the HIMSS New England chapter – gave a presentation to the chapter recently, where he likened a CMS audit to being scrutinized by CPAs, rather than by lawyers.
"CPAs look for source documents," he explains. "That's really what they're tracking down: whether you can verify what's in the ledger. Lawyers may be looking at the semantics and nuances around different things."
That difference was exemplified by CMS' response to FCHN's initial security audit, says Johnson. "I was concerned about it – not that we had problems with security, but how were my responses to everything in the finding? I gave them the report and created a table for the security audit I had done: 'These were the findings that were recommended, and this was my action to address them.'
"I worried they were going to look at it and say, 'You didn't do enough,' but I think they actually looked for, 'An issue was identified; you responded to it.' It was just check-boxes; they weren't evaluating my response."
And so, for the second time in two years, Johnson will be making lists, gathering documents and completing checklists.
If there's any silver lining, it may be that he can do it all a little bit more quickly this time, having already gained some first-hand experience.
"The other small blessing is that the hospital's auditors are happy to hear this because they don't have to worry about putting a reserve in case we get audited," Johnson adds.
"Our financial statements include the fact that we received our meaningful use incentive payment last December, so from our CPA's point of view they would at least put it in their management notes or put it as a reserve that there's a possibility we could be audited," he says. "But if we're already going through the audit they won't have that finding on us on any of our financial statements."
Beyond that, an audit just makes for a lot of unwanted stress. It's "keeping me up at night," says Johnson.
"I really would like to understand better how random the selection process is, because it really doesn't feel like it's random at all – it feels like there's something that must have been triggered," he says.
"It just seems like an awful lot of make-work," adds Johnson. "I'll be doing a cost-benefit analysis by the time I get to the fourth year and the (incentive) payment is so small. Especially if I get drawn a third time."