Health Care IT Advisor
Thrive on the Meaningful Use Audit: Be Prepared, Not Scared

Health Care IT Advisor Expert Panel
- Anantachai (Tony) Panjamapirom, Consultant, Meaningful Use Navigator, The Advisory Board Company, panjamat@advisory.com
- Joanne LaGrange, Director, Meaningful Use Program, Scripps Health, lagrange.joanne@scrippshealth.org

Road Map
1. Understanding the Meaningful Use (MU) Audit
2. Creating a Book of Evidence
3. Developing a MU Mock Audit

Potential Price Tags of MU Audit Failure
Impacts of MU Audit
- $31M: Returned meaningful use incentives by Health Management Associates (HMA) due to error in certified EHR technology application based on its internal review (1)
- Job Loss: CIO and multiple VPs at HMA (1); CMIO of Detroit Medical Center (2)
- Other Impacts: Red flag for subsequent audits; organizational reputation
Sources:
1. http://www.marketwatch.com/story/health-management-associates-announces-restatement-of-financialstatements-2013-11-05?reflink=mw_news_stmp
2. http://www.healthcareitnews.com/news/physicianssymposium-offers-cautionary-tale-incentive-payment-audits

Value of Audit Preparation
Incentive Payments: Average Industry Incentives Received So Far
- $23,402 per Medicaid Eligible Professional
- $19,047 per Medicare Eligible Professional
- $25,557 per Medicare Advantage Eligible Professional
- $3.09M per Eligible Hospital
Payment Adjustments: Potential Industry Payment Adjustments in 2015
- $1,110: Internal Medicine (Income: $185K, 60% Medicare Reimbursements)
- $1,668: Oncology (Income: $278K, 60% Medicare Reimbursements)
- $2,430: Orthopedics (Income: $405K, 60% Medicare Reimbursements)
- $2.3M: Hospital (~34,000 discharges, 66% Medicare share, 15% Medicaid, and 3% annual market basket update)
Sources: Centers for Medicare and Medicaid. January 2014: EHR Incentive Program. Available at http://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/downloads/january2014_summaryreport.pdf (accessed March 12, 2014); The Advisory Board Company Health Care IT Advisor research and analysis.

CMS Duty To Address the Risk of Fraud and Abuse
Serious Consequences for Fraud
5% of ALL Attesters Will Be Audited (1)
Provider Type / Program Type:
- EPs: Medicare YES; Medicaid YES
- EHs/CAHs: Medicare YES; Medicaid YES
Types of Penalties (2)
- Significant fines
- Imprisonment
- Both fines and imprisonment
- Loss of licenses
- Exclusion from Medicare participation for a specified period of time
- Civil liability
Sources:
1. http://www.advisory.com/daily-briefing/2013/04/24/cms-one-in-20-meaningful-use-attesters-will-face-audits
2. http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf

MU Audits Continue Full Steam Ahead
CMS's MU Audit Activity Timeline
- July 2010: Release of Stage 1 Final Rule; CMS was finalizing an audit strategy
- July 2012: Silent start to MU audit; post-payment audit only
- November 2012: OIG released a report (1) criticizing CMS auditing process
- January 2013: Introduction of pre-payment audit; random and targeted audits
- October-November 2013: Uptick in MU audit activities (October 9 to November 7)
1) https://oig.hhs.gov/oei/reports/oei-05-11-00250.pdf
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

MU Audit Mechanism
Auditors
- Provider Type: EPs; EHs/CAHs
- Program Type, Medicare: Figliozzi and Company OR the EHR Meaningful Use Audit Team
- Program Type, Medicaid: State or its contractor
Audit Timing
- Attestation
- Pre-Payment Audit
- Incentive Payments
- Post-Payment Audit
- 6 Years
Audit Methodology & Off the Audit Hook
- Random
- Risk Profile
Sources: Centers for Medicare and Medicaid Services. (February, 2013). EHR Incentive Programs Audit Overview. Accessed 11/6/13 http://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/downloads/ehr_audit_overview_factsheet.pdf; The Advisory Board Company Health Care IT Advisor research and analysis.

On Your Mark, Get Set, Go!
MU Audit Processes
1. Receive the Initial Request via the Email Address Entered during Registration
2. Conduct Internal Response Processes
3. Submit Requested Documentation Via Regular Mail or Secured Portal
4. Potentially Receive Additional Rounds of Subsequent Requests
5. Potentially Receive A Request For Onsite Review
6. Receive an Audit Determination Letter from the Auditor
Sources: Centers for Medicare and Medicaid Services. (February, 2013). EHR Incentive Programs Audit Overview. Accessed 11/6/13 http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Audit_Overview_FactSheet.pdf and The Advisory Board Company Health Care IT Advisor research and analysis.

It's the Question of When, not If
Assume MU Audits Are Unavoidable
Preparation is Key
Team Sport
- Formal vs. informal governance
- Time and resource consuming
- Objective owner
- Business continuity
Robust Book of Evidence
- Per payment year
- Electronic vs. paper
- Effective naming convention
- Centralized, secured location
- Detailed support documentation
Tight Response Workflow
- Assign accountability and responsibility
- Prioritize audit activities
- Streamline the workflow through reiterations based on experiences
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Developing a Robust Book of Evidence
- Per Payment Year
- Electronic vs. Paper
- Centralized, Secured Location
- Effective Naming Convention and Organization
- Detailed Support Documentation (CEHRT, Core and Menu Objectives, Clinical Quality Measures)
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Support Documentation
Examples of Recommended Documentation
Possession of CEHRT
- Contracts for all CEHRT components, including details such as bundle or version possessed
- Letter validating possession of all elements in additional software required
- Screenshots of CHPL site indicating items selected to secure a CMS Certification ID Number
Required Standards
- Screenshots of coding options for measures with prescribed standards (e.g., OMB standards for race and ethnicity)
- Proof that C-CDA included the minimum data set required, coded as prescribed (e.g., problems coded in SNOMED-CT, medications and medication allergies coded in RxNorm)
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Support Documentation (continued)
Examples of Recommended Documentation
Source Documents for Performance Thresholds
- Report generated for each percentage-based measure with reporting timeframe
- Vendor-supplied logic used to calculate each measure and ED volume calculation
- Calculations done outside CEHRT to compute numerator/denominator/exclusion for any measure
Test of Capabilities and Enabled Capabilities
- Proof of compliance with Yes/No measures (e.g., screenshots or audit log for CDS, Drug-Drug/Drug-Allergy Interaction Checks), asserting EHR capabilities are turned on and used
- Proof of data transaction (e.g., screenshots or confirmation letter), indicating submission of data (test or ongoing) with a public health agency
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Support Documentation (continued)
Examples of Recommended Documentation
Clinical Quality Measures
- Reports generated for the selected CQMs by the CEHRT
- Proof that the selected CQMs cover at least 3 National Quality Strategy (NQS) domains, starting in 2014
- Electronic submission: Patient-level QRDA-I reports generated for 16 specified CQMs required for the Hospital IQR Program
Security Risk Analysis
- Copy of security risk analysis per location, conducted before the end of the reporting period, with detailed listing of deficiencies identified
- Remediation plan with timelines for resolution established
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Highlights from the Field
- Reports with Vendor Logo
- Date of Security Risk Analysis Completion and Inclusion of Remediation Plan
- Screenshots of CEHRT Functionalities
- Rationale for Selecting the CEHRT
- Consistency of Denominators
- Volume-Based Review (EH: ED Volume Calculation Method; EP: Low Patient Volume)
Source: The Advisory Board Company Health Care IT Advisor research and analysis.

Scripps Health at a Glance
Demographics
- Private, nonprofit, integrated health system in San Diego County, CA
- 4 hospitals on 5 campuses
- 25 outpatient centers and clinics
- Providers offer more than 60 medical & surgical specialties
Key Statistics
- Employees: 13,500
- Physicians: 2,600 (2,000 in independent practice)
- Total Licensed Beds: Nearly 1,400
- Total Discharges: More than 70,000
- Total Outpatient Visits: 2 Million Plus
- Total Revenue: $2.6 Billion
Meaningful Use Status
- Eligible Providers: Stage 1 Year 1, CY 2012; Stage 1 Year 2, CY 2013; Stage 2 Year 1, CY 2014 (Planned reporting period: April 1 to June 30, 2014)
- Eligible Hospitals: Stage 1 Year 1, FY 2013; Stage 1 Year 2, FY 2014 (Planned reporting period: July 1 to September 30, 2014)
Source: Scripps Health

Why Conduct an Internal Mock Audit?
- Develop a replicable, systematic approach
- Ensure timely responses to audit requests
- Confirm audit processes are compliant with internal policies
- Guarantee readiness of audit tracking tools
- Build senior leadership confidence
Source: Scripps Health

7 Effective MU Audit Preparation Steps
MU Audit Preparation
1. Create a Comprehensive Book of Evidence
2. Define Role of Internal Audit
3. Formulate Guiding Principles
4. Create Audit Tracking Tools
5. Determine Stakeholders & Roles
6. Conduct (Mock) Audit
7. Obtain Feedback / Update Process
Source: Scripps Health

Step 1: Creating a Comprehensive Book of Evidence
Scripps Health's Book of Evidence
- Stored on secure drive with limited access
- Systematically organize folders
- Use different media types (recorded demonstration vs. screenshots)
[Image: Core Objectives]
Source: Scripps Health

Step 1: Creating a Comprehensive Book of Evidence
[Image: Performance Reports]
Source: Scripps Health

Step 1: Creating a Comprehensive Book of Evidence
[Image: Decision Making, CMS Communications, and CEHRT]
Source: Scripps Health

Step 2: Define Role for Internal Audit
Independent Function
- Corporate VP, Chief Audit, Compliance, and Information Security Executive serves as our Chief Audit Executive
- Reports to: President/CEO, SVP-General Counsel, and Audit Committee of the Board of Trustees
Oversight/Steering Committee Stakeholders
- 19 individuals from IT, compliance and security, clinical, finance, general counsel, HIM, knowledge management, and operations
- Corporate VP, Chief Audit Compliance & Information Security Executive guidance role
- Executive Oversight Steering Committees
- Meaningful Use Acute Care EHR Risk Committee
- Meaningful Use Ambulatory EHR Risk Committee
Assurance Responsibilities
- Performs Book of Evidence Audit/Validation
- Meaningful Use Report Audit Validation
- Ensures Legal input as needed
- Consultation Role
- Observation Role in the Mock Audit
Source: Scripps Health

Step 3: Formulate Guiding Principles
Scripps Health's MU Audit Preparation and Response Process
1. Single point of contact for communications with CMS audit contractor
2. Only provide specific information requested
3. Internal "mock audit" will be performed as a self-assessment to strengthen our readiness and ensure timely responses to audit requests with Internal Audit in Observation Role
4. Aggregate all required documents in half the time allotted to allow time for approvals and sign-offs
5. All templates for tracking audit progress will be developed prior to "mock audit"
6. All communications with auditor will request email confirming receipt
7. Log all documents shared and communications with auditor
8. To protect patient confidentiality, patient information will be de-identified
9. All relevant supporting documentation will be maintained for six (6) years post-attestation
Source: Scripps Health

Step 4: Create Audit Tracking
Source: Scripps Health

Step 4: Create Audit Tracking
EP Audit Acknowledgement Form
- Grants permission to respond to audit request on their behalf
- Approval of submission packet before sending to Figliozzi and Company
Source: Scripps Health

Step 5: Determine Stakeholders & Roles
Align Stakeholder Roles with Audit Checklist
Mock Audit Identifies Roles:
- Mock Auditor
- Key Audit Contact
- Internal Audit Role
- EP Audit Signatures: Executive Sponsor & EP
Source: Scripps Health

Step 6: Conduct a Mock Audit
Plan Two Waves
Wave 1
- Proof of certified EHR
- Source documents used when completing attestation for Core & Menu: Summary Report numerator/denominator & time period; evidence report was generated for the EH or EP
- Security Risk Assessment: proof performed prior to or during reporting period; procedures performed during analysis, results of analysis, implementation plan and completion dates for deficiencies
Wave 2
- Core & Menu objectives with thresholds documentation
- Attestation measures proof of enabled functionality
- Documents to support exclusions
- Public Health Agency test
- Patient List by Condition: de-identify PHI
CMS FAQ 7711 Audit guidance: https://questions.cms.gov/faq.php?id=5005&faqid=7711
Source: Scripps Health

Step 7: Obtain Feedback and Incorporate Lessons
Major Lessons Learned from the Mock Audit and Actual Audits
1. Determine internal audit role and requirements early in process
2. Allow time for legal inputs on your security risk analysis submission
3. Obtain vendor approval for using agreements as PROOF of CEHRT
4. Value of screenshots from LIVE
5. Supportive documentation created for each individual objective
6. We are prepared, not scared!
Source: Scripps Health

Appeal: Don't Wait to Get Here
- Respondents ONLY: EPs, EHs, and CAHs that do not respond to the auditor CANNOT appeal.
- Time Sensitive: An appeal must be filed within 30 days of the demand letter.
- Electronic submission: File an appeal with documentation at ehrappeals@provider-resources.com
- Required Documentation: An appeal will be considered ONLY IF all documentation is provided at the time of submission.
- Questions: Contact the EHR Information Center at 888-734-6433
Audits and Appeals Misconceptions (1)
- No one outside of CMS or its audit contractor has special or privileged access to the audit or appeal process
- No one has been asked to consult with CMS or its audit contractor on the audit or appeal process
- No one has any specialized knowledge
(Centers for Medicare and Medicaid)
1) Anthony, R and Myers, E. CMS Meaningful Use Stage 2 Requirements. Session 56. Presented at HIMSS14 Annual Conference and Exhibition. February 25, 2014.
Source: Centers for Medicare and Medicaid Services. (February 27, 2014). Electronic Health Record (EHR) Incentive Program Appeals. Accessed 4/1/14 https://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Appeals.html

Download Useful Tools and Educate Yourself
Publicly Available Tools
- Book of Evidence Checklist: Preparing for Meaningful Use Audit: www.advisory.com/consulting/meaningful-use-navigator/meaningful-use-Audit-Checklist
- Scripps Health Audit Tracker
Additional Resources
- Meaningful Use The Whiteboard Story
- Quick Guide Comparison Stage 1 to Stage 2 Objectives and Measures
- Bookmarked Versions of the Final Rules: www.advisory.com/mubookmarkcms and www.advisory.com/mubookmarkonc

2445 M Street NW | Washington DC 20037 | P 202.266.5600 | F 202.266.5700 | advisory.com