What not to do in a meaningful use audit
We've all seen articles, interviews, and blog posts telling hospitals how to be prepared for potential audits of their meaningful use incentives. "Lessons learned" and "best practices" abound in an attempt to give advice about protecting those EHR incentives from recoupment. There is a lot of money on the table, not to mention careers, and the audit process should not be taken lightly. There is simply too much at stake and a wrong move during the audit or appeal process would take a hospital's staff to a place where it should never have to go.
Sometimes it is best to look at what not to do, the so-called "worst practices." In the past year I have worked with numerous hospitals that have been down the dark and scary road of meaningful use audits. In the long-ago days of 2011 there was a lack of clarification and guidance on the CMS EHR Incentive programs, but we wanted those seven-figure incentives. Hospitals were moving quickly to adopt certified technology and achieve meaningful use even though the "knowledge gap" was very, very wide.
Allow me to present a few worst practices that I have come across in the past year. Employing these will put your ability to obtain and hold on to those lovely incentives at risk.
- Having no one in charge. Assign a committee to be responsible for the audit process and requests for documentation. When things go wrong there will be plenty of people to blame.
- Having insufficient documentation. Just assume you can always go back and recreate reports that you can't find. All that data is in there somewhere, I'm sure we can find it if we need to.
- Ignoring requirements. We are not really sure what this "syndromic surveillance submission" business is. We only have to do one test? Let's just say "yes" and move on.
- Having an undocumented MU strategy. What was the reasoning behind those core measures that were excluded and menu measures that were not chosen? Who was that staff member that made the decisions?
- Blaming the EHR vendor. This entire mess was created by our vendor. It is their job to make sure there are no problems. They should be responsible and make this go away.
- Failing to perform a Security Risk Assessment. I'm pretty sure we did one of these a few years back and it was OK. Probably still good now.
I could go on and on but you get my point. Don't shoot yourself in the foot. Hold your head up high. Don't cut corners. Do things in such a way that if you are asked to explain your actions two years down the road, you will be able to maintain eye contact and not hem and haw. How is that for a best practice?
Jim Tate is president and founder of EMR Advocate, where this article originally appeared.