D'Arcy Gue

How CMS’ Meaningful Use / MIPS Audits Are Threatening Incentives

November 12, 2013


Meaningful Use / MIPS legislation may not specifically require internal compliance audits, but recent events suggest that hospitals would be wise to conduct them.

Health Management Associates (HMA) recently completed an internal audit of its Meaningful Use / MIPS program and has just announced that 11 of its 71 hospitals inappropriately collected $31 million in benefits from the federal government’s electronic health record incentive program, going as far back as 2011.

Many forward-thinking hospitals and health systems are beginning to perform these internal audits as preparation for potential audits by CMS. The CMS audits began this summer, and they are a particular pain point for many providers for two reasons:

First, many providers struggled with their EMR packages’ reporting capabilities when producing their early reports, and either did not have (or did not retain) clear documentation on the details of that reporting. Given that the initial audit letters called for a two-week turnaround on providing audit documentation, an advance review of the certification data makes sense.

Second, the outcome of these audits represents a significant financial risk for most hospitals. The audits are “pass-fail” – if you don’t meet the criteria, you forfeit (and must return) all the incentive money. There’s no credit for being “mostly compliant.”

The biggest risk may be for the hospitals that were early participants in the incentive program and very likely made the same decisions in subsequent years as in the first, potentially placing multiple years of incentive funding at risk.

How can providers avoid the risks of these audits? Here are some suggestions:

Step One: Assemble an audit team. Ideally, this team will consist of team members who have the expertise to assess MU compliance, but who were not involved in the original implementation and attestations. Hospitals without a well-developed internal audit department may need to include consultants on the team, or perhaps arrange a mutual exchange of resources from nearby organizations. A team member who has detailed experience with other (financial, perhaps) audits will provide a useful perspective to the team as well.

Step Two: Perform an assessment of completed MU attestations. Note that some CIOs and auditors have described the collection of supporting documentation as measured “in inches and pounds.” CMS has provided an audit overview and a fact sheet explaining these documentation requirements in detail.

Organizations that have been audited report particular difficulty with:

  • Gaps in their paperwork, some of which is now two years old.
  • Relying on screenshots to prove certain activities, where the screenshot does not show a date on the screen.
  • Identifying system-generated reports that show that required functionality was active for the entire measurement period.
  • Security risk assessments that are overly general. The MU requirements call for a “Security risk analysis of the certified EHR technology,” and a broader risk analysis that might have easily met HIPAA’s requirements for the organization may not adequately address the specific risks to the EMR data.

Step Three: Perform a forward-looking risk analysis. Assess the risks that the organization will face in meeting Stage 2 certification. This assessment will provide the team with valuable insight and understanding about the Stage 2 requirements, and ease the burden when performing the next audit. At the same time, the implementation team can receive useful feedback and perspective about their current efforts.
