© 2015 CHAN Healthcare Place Image Here Preparing for Meaningful Use Audits Erik Dahl, CISA, CISSP IT Audit Director
© 2015 CHAN Healthcare 22 Learning Objectives Understand the types of Meaningful Use audits that you may be subject to Understand the process CMS audits are following Learn what supporting documentation is being requested Discuss key lessons learned that may help you with your audit defense strategy
© 2015 CHAN Healthcare 33 Agenda Meaningful Use Common Challenges Attestation Requirements Overview Types of Audits Initial CMS Audit Results Meaningful Use Audit Process Audit Notification Documentation Request Providing Documentation Lessons Learned
© 2015 CHAN Healthcare 44 Common MU Challenges A fast-paced timeline for adopting Meaningful Use criteria, mandating aggressive project implementation plans and reporting to achieve Meaningful Use status Ever increasing and evolving changes and complexity to the Meaningful Use Attestation requirements, magnifying the need for maintaining and sustaining an effective Compliance and Reporting Program Completing a Security Risk Assessment that covers the requirements for Meaningful Use Attestation Reporting, Testing and Validation, Documentation Retention and Compliance with HIPAA and HITECH requirements Likelihood of being audited by CMS for compliance and failure to provide proper supporting evidence, resulting in payments being withheld or payments being recouped by CMS Knowing the relevant supporting documentation that should be maintained and archived post-attestation to support the Meaningful Use Attestation calculations and measurements that were filed
© 2015 CHAN Healthcare 55 Meaningful Use (MU) – Attestation Requirements Overview Attestation Requirements Meet Program Eligibility Requirements Use Certified Electronic Health Record Technology (CEHRT) during the attestation period Achievement of Core and Menu Measures Implementation and Reporting of Clinical Quality Measures Completed Security Risk Assessment Penalties If non-compliant, refund Meaningful Use incentives earned plus penalties where applicable If fraudulent attestation, punishment may involve imprisonment, significant fines, or both; loss of operating license; exclusion from Medicare/Medicaid participation for a specified length of time; and/or civil liability (Medicare/Medicaid fraud)
© 2015 CHAN Healthcare 66 Types of Meaningful Use Audits Centers for Medicare and Medicaid Services (CMS) Most common type of MU audit Cover Medicare or dually eligible Performed by Figliozzi & Company Target between 5 to 10% of attestations Performed as both Pre and Post payment audits Medicaid Performed by states and their contractors If first year of participation, the audit will focus on support for adopting, implementing, or upgrading, certified EHR technology Beyond first year, requirements similar to CMS audit requirements
© 2015 CHAN Healthcare 77 Types of Meaningful Use Audits Office of the Inspector General (OIG) Performed beginning in 2015 as oversight audits over CMS May cover all your attestations not just one program year Looking for support of Medicaid patient volumes and Medicare cost report calculation You may only have 10 days to respond to the audit The OIG warns of secure transmission of any documentation containing ePHI Medicare Administrative Contractor (MAC) EHR Audits Audits have recently began focusing on Critical Access Hospitals Focused on cost reporting and allowable costs and inpatient days Request listing is provided in the form of a spreadsheet Some requests have been mistaken for phishing attacks
© 2015 CHAN Healthcare 88 Initial CMS Audit Results – Eligible Professionals Pre-payment Audits – Eligible Professionals 1 Of those EP’s audited, 21 percent failed pre-payment audit Of those that did not pass, 93 percent did not meet “appropriate objectives and associated measures” The remaining 7 percent did not use a certified EHR when attesting Post Payment Audits – Eligible Professionals 1 Of those EP’s audited, 23 percent failed post payment audit Of those that did not pass, 99 percent did not meet “appropriate objectives and associated measures” The remaining 1 percent did not use a certified EHR when attesting 1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.
© 2015 CHAN Healthcare 99 Initial CMS Audit Results – Eligible Hospitals Post Payment Audits – Eligible Hospitals 1 Eligible Hospitals had a much lower audit failure rate at 4.7 percent. Incentive payments to be returned, pending an appeal, ranged from $280,414 to $3,430,591 The average incentive payment proposed for return (pending an appeal) was $1,132,937 Common Audit Failure Reasons Lack of security risk analysis Failure to use a certified and complete EHR Failure to maintain supporting evidence 1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.
© 2015 CHAN Healthcare 10 CMS MU Audit - Notification Audit Engagement Cover Letter Document Request Letter Web Portal Instructions Web Portal Frequently Asked Questions
© 2015 CHAN Healthcare 11 CMS Audit Notification – Audit Engagement Letter
© 2015 CHAN Healthcare 12 CMS Audit Notification – Document Request List
© 2015 CHAN Healthcare 13 Scope of Request – Five Topics in Three Parts Part I – General Information: Proof of use of a Certified EHR system Documentation to support the method chosen to report ED admissions Part II – Core Set Objectives/Measures: Supporting documentation and reporting for core measures used in the completion of the Attestation Module Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period Part III – Menu Set Objectives/Measures: Supporting documentation and reporting for menu measures used in the completion of the Attestation Module Supporting documentation for menu items for which there are not EHR reports
© 2015 CHAN Healthcare 14 Scope of Request – Item 1 Requests evidence of use of a Certified Electronic Health Record Technology system Requests a copy of your licensing agreement with the vendor or invoices. Specifies the licensing agreements or invoices identify the vendor, product name and product version number If version number is not present, requests a letter from your vendor attesting to the version number used during your attestation period
© 2015 CHAN Healthcare 15 Item 1 – Examples of Documents Submitted Certified EHR Technology (CEHRT) Verification Letter Discussion of CEHRT Contracts Redacted copies of CEHRT Contracts (multiple documents)
© 2015 CHAN Healthcare 16 Scope of Request – Item 2 Requests confirmation of the methodology requested for reporting Emergency Department (ED) admissions. (Observation Services or All ED Visits) Requests documentation to support patients admitted to the ED were included in the denominators according to the selected ED methodology Asks for an explanation of how the ED admissions were calculated and a summary of ED admissions
© 2015 CHAN Healthcare 17 Item 2 – Examples of Documents Submitted Screen shots showing selection of the chosen ED methodology within the EHR reporting module. Screen shots of the reporting logic to include explanation of the logic and how it enforces the chosen ED methodology.
© 2015 CHAN Healthcare 18 Scope of Request – Item 3 Requests support for metric based Core Measures (percentage based measures for which there are EHR reports) Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation) Can be provided in either paper or electronic format Requests that reports display the EHR logo to evidence the reports were generated from your EHR system If reports do not display the EHR logo, step by step screens shots demonstrating how the reports are generated by your EHR are requested
© 2015 CHAN Healthcare 19 Measures Covered by Request Item 3 CPOE for Medication Orders Maintain Problem List ePrescribing (EP’s Only) Active Medication List Medication Allergy List Record Demographics Record Vital Signs Record Smoking Status *Electronic Copy of Health Information *Electronic Copy of Discharge Instructions (Hospital/CAH) Clinical Summaries (EP’s Only) * - Replaced by Patient Electronic Access Measure in 2014
© 2015 CHAN Healthcare 20 Item 3 – Examples of Documents Submitted Summary reports for the requested measures generated for the EHR reporting period Screen shots of the output from CEHRT’s reporting utility by objective Step by step guide for running MU functional reports in CEHRT or Third Party MU Reporting Utility Spreadsheet tables used to aggregate the data submitted at attestation by objective
© 2015 CHAN Healthcare 21 Scope of Request – Item 4 Requests evidence that a security risk analysis of Certified EHR technology was performed prior to the end of the reporting period Requests a report which documents the procedures performed during the analysis and the results of the analysis If deficiencies are identified, requests you supply the implementation plan to include completion dates
© 2015 CHAN Healthcare 22 Security Risk Analysis Considerations Can be performed internally or outsourced Must include risk analysis and mitigation plans if deficiencies are identified Must be performed during each MU reporting period Addressing encryption of data was added for Stage 2 MU Devices that access your EHR should also be included (Desktops, Connected Medical Devices, Mobile Devices, etc.)
© 2015 CHAN Healthcare 23 Item 4 – Examples of Documents Submitted Security Risk Analysis Executive Summary and Detail Report Security Risk Analysis Remediation Plan with Completion Dates Meaningful Use Security Risk Analysis Strategy Description
© 2015 CHAN Healthcare 24 Scope of Request – Item 5 Requests support for metric based Menu Set Measures selected for attestation (percentage based measures for which there are EHR reports) Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation) Can be provided in either paper or electronic format Requests that reports display the EHR logo to evidence the reports were generated from your EHR system If reports do not display the EHR logo, step by step screens shots demonstrating how the reports are generated by your EHR are requested Requests supporting documentation for Menu Set Measures for (Y/N Measures) selected for attestation
© 2015 CHAN Healthcare 25 Measures Covered by Request Item 5 Advance Directives (Hospital/CAH) Clinical Lab Test Results Patient Reminders (EP’s Only) Patient Electronic Access (EP’s Only prior to 2014) Patient-Specific Education Resources Medication Reconciliation Transition of Care Summary Patient Lists Immunization Registries Data Submission Syndromic Surveillance Data Submission Reportable Lab Results to Public Health Agencies (Hospital/CAH)
© 2015 CHAN Healthcare 26 Item 5 – Examples of Documents Submitted Summary reports for the requested measures generated for the EHR reporting period Screen shots of the output from CEHRT’s reporting utility by objective Spreadsheet tables used to aggregate the data we submitted at attestation by objective Step by step guide for running MU functional reports in CEHRT reporting utility Patient Lists – Example report and walkthrough of how patient lists may be generated Public Health Reporting Objectives (Immunization, Labs and Syndromic) or Letter for receiving entity confirming successful test and on-going submission or Letter confirming registration and testing
© 2015 CHAN Healthcare 27 Measures Not Audited Core Measures: Drug Interaction Checks Clinical Quality Measures (CQMs) Clinical Decision Support Rule Electronic Exchange of Clinical Information (Discontinued in 2013) Menu Measures: Drug Formulary Checks
© 2015 CHAN Healthcare 28 Lessons Learned Assign a MU Governance Committee or MU Project Team that keeps abreast of the MU Attestation rules and requirements to help maintain and sustain an effective Compliance & Reporting Program Document MU Strategy that describes the reasoning behind those core and menu measures that were chosen or excluded Pay attention to detail and develop a good understanding of the detailed reporting requirements before attesting Conduct one’s own data validation and not to rely on EHR vendor for completeness and accuracy of data used in the reported measures Conduct a thorough and comprehensive MU Security Risk Analysis
© 2015 CHAN Healthcare 29 Lessons Learned, continued Prepare a Gap Analysis document for the key risks identified Assign accountability and follow-up on status of Corrective Action Plan Retain thorough documentation with the proper cutoff dates that provide point- in-time evidence and detailed supporting documentation Maintain a centralized MU Attestation Documentation Repository Have a COMPLETE CEHRT and supporting licenses / documentation for all MU required modules Verify reasonableness and accuracy of all MU measures before filing attestation
© 2015 CHAN Healthcare 30 For more information, contact: Erik Dahl, CISA, CISSP Direct Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. © 2014 Crowe Horwath LLP