November 12, 2013
Meaningful Use / MIPS legislation may not specifically require internal compliance audits, but recent events suggest that hospitals would be wise to conduct them.
Health Management Associates (HMA) recently completed an internal audit of their Meaningful Use / MIPS program, and just announced that 11 of its 71 hospitals inappropriately collected $31 million in benefits from the federal government’s electronic health record incentive program, as far back as 2011.
Many forward thinking hospitals and health systems are beginning to perform these internal audits as preparation for potential audits by CMS. These audits began this summer and they represent particular pain points for many providers for two reasons:
First, many providers struggled with their EMR packages reporting capabilities when producing their early reports, and either did not have (or did not retain) clear documentation on the details of that reporting. Given that the initial audit letters called for a two-week turnaround on providing audit documentation, an advance review of the certification data makes sense.
Second, the outcome of these audits represents a significant financial risk for most hospitals. The audits are “pass-fail” – if you don’t meet the criteria, you forfeit (and must return) all the incentive money. There’s no credit for being “mostly compliant.”
The biggest risk may be for the hospitals who were early participants in the incentive program and very likely made the same decisions in the subsequent years as the first, potentially placing multiple years of incentive funding at risk.
How can providers avoid the risks of these audits? Here are some suggestions:
Step One: Assemble an audit team. Ideally, this team will consist of team members who have the expertise to assess MU compliance, but who were not involved in the original implementation and attestations. Hospitals without a well-developed internal audit department may need to include consultants on the team, or perhaps arrange a mutual exchange of resources from nearby organizations. A team member who has detailed experience with other (financial, perhaps) audits will provide a useful perspective to the team as well.
Step Two: Perform an assessment of completed MU attestations. Note that some CIOs and auditors have described the collection of supporting documentation as measured “in inches and pounds.” CMS has provided an audit overview and a fact sheet explaining these documentation requirements in detail.
Organizations who have been audited have indicated having particular difficulty with:
Step Three: Perform a forward-looking risk analysis. Assess the risks that the organization will face in meeting Stage 2 certification. This assessment will provide the team with valuable insight and understanding about the Stage 2 requirements, and ease the burden when performing the next audit. At the same time, the implementation team can receive useful feedback and perspective about their current efforts.