Disclaimer This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that there is not a one size fits all solution for the ideas expressed in this webinar; we invite you to follow up directly with us for more personalized information as it pertains to your specific practice and issues. Thank you, and enjoy the webinar.
About Us Our passion is to provide solutions for our healthcare provider partners which help them improve patient care, enhance the patient experience and maintain a financially healthy practice. Since 2003 we have specialized in NextGen Healthcare services including: Consulting Hosting Customization And productivity tools such as ChartGuard and RefundManager
Upcoming Webinars: 3 part series: Improving Federal Security Initiatives: The True Impact July 20 th HIPAA Audits: What Phase II Means For You July 27 th MACRA: Breaking Down the Proposed Rule
Meaningful Use Audits True Client Experiences Revealed
Introductions Cindi Kincade Vice President, Consulting Solutions Lindsey Lanning Healthcare Informatics Coordinator Kathy Thompson Managing Consultant
Meaningful Use Audits True Client Experiences Revealed
WARNING: This presentation may contain overwhelming and somewhat frightening material in regards to Meaningful Use Audits. View at your own risk.
What Are The Odds? Winning the lottery 1 in 175 Million Getting attacked by a shark 1 in 11.5 Million Getting hit by lightening 1 in 960,000 Being in a plane crash.1 in 500,000 Selected for a HIPAA Audit.1 in 10,000 Selected for a MU Audit..1 in 10
YOU HAVE BEEN SELECTED!
Questions 1. Did you attest for Meaningful Use anytime from 2011-2015? 2. Do you have a complete binder of MU attestation data for each year? Have you started one for this year? 3. If you received an audit letter today could you have all the information CMS requested within 4 weeks? How about 2 weeks?
Audit Process Overview
Overview Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program may be subject to an audit. Eligible Professionals should retain ALL supporting documentation used in the completion of the attestation module responses for a minimum of six-years post attestation.
Types of Audits CMS: Medicare Pre-payment audits Post-payment audits State: Medicaid Pre-payment audits Post-payment audits OIG: Medicare and Medicaid OCR: HIPAA
EHR Incentive Program Stats The Centers for Medicare & Medicaid Services (CMS) have released the most recent numbers for the EHR Incentive programs. Here are some program-to-date highlights from this latest CMS report released in April: A total of 498,536 unique providers have been paid with the breakdown consisting of: 308,615 Medicare EPs 170,152 Medicaid EPs 4,924 eligible hospitals 14,845 Medicare Advantage Organizations for EPs Medicare EPs have been paid $9,000,031,783 A total of $34,501,319,221 has been paid out in the program to date
Meaningful Use Audit Activity CMS recently released information on the volume of CMS Meaningful Use Audits conducted to date and some key statistics shared were: 21% of pre-payment audits completed did not meet meaningful use and failed! 24% of post-payment audits completed did not meet meaningful use and failed! 98.9% of failing EPs did not meet appropriate measures and objectives CMS is stating that of those EPs who failed audits they are returning between $42.00 and $19,800 per provider Average returned incentive was $16,862 per provider There have been more than 650 audits among eligible hospitals and more than 10,000 audits targeting eligible professionals
Meaningful Use Enforcement Enforcement is Increasing! Used to be If I get audited Now its Not if, but when I get audited And it s already looking like Not when, but how many times will I be audited Why? Shift to value-based care MACRA Large amounts of money being given out
Why Audit? The Centers for Medicare and Medicaid Services (CMS) is handing out billions of dollars to providers who reach meaningful use thresholds for quality figures during their use of an electronic health record. They just want to make sure the money is going to the people it s supposed to go to.
Causes of a Meaningful Use Audit Random Abnormal data due to eligibility, reporting, and payment can cause targeted audits Failure of a HIPAA Audit Failure of a previous Meaningful Use audit Failure of a MU audit by colleagues 1 out of 10 docs fails in a practice
Pre- and Post-Payment Audits Pre-Payment Audits: Random audits Targeted Audits Post-Payment Audits: Provider selected will be required to submit supporting documentation to validate their submitted attestation data
Audit Process Figliozzi and Company is the designated contractor performing audits on behalf of CMS If you are selected for an audit you will receive a letter from Figliozzi and Company with the CMS and EHR Incentive Program logos on the letterhead
The Email The email will contain a number of items: 1. EP Audit Engagement Letter in PDF format 2. Document Request Letter 3. Attachment 1 Accessing Web Portal in PDF format 4. Attachment 2 Web Portal FAQ
Sample Letter
Sample Document Request Letter
Audit Process Initial Review Process On-site Review Demonstration of certified EHR system
Audit Process Reminders A provider that fails just one element of a Meaningful Use audit must return the entire incentive payment for that year The most common problems identified so far are noncompliance with a required data security risk assessment and a lack of adequate documentation to support some of the responses provided in the attestations Providers selected for the audits can have as little as two weeks to submit their documentation
Audit Determination Letter Audit is complete If provider did not meet meaningful use: Any incentive payment may be recouped If found to have fraudulently attested CMS may pursue additional actions Providers must use the appeals process if they believe they received an incorrect adverse audit finding
Top 3 Reasons to Fail Ignoring requirements/communication from Figliozzi Insufficient documentation Failure to conduct a security risk analysis
Ramifications of Failing Recoup Incentive Money Subject to a negative payment adjustment two years after performance year (from 2015 and beyond) More likely to be selected again for a Meaningful Use Audit More likely to be selected for a HIPAA Audit Increased chances to be selected for an OIG Audit Accused of fraud
Medicare Fraud CMS may pursue additional actions against providers who attest fraudulently to receive EHR incentive payment. It is a crime to defraud the federal government and that includes its programs. Punishment may involve imprisonment, significant fines, or both. In some states, providers may lose their licenses. Convictions may also result in exclusion from Medicare participation for a specified length of time.
Fraud in the Real World A hospital was accused of Medicare fraud in April of 2015 due to inaccurate meaningful use attestation data and the ramifications were severe: The hospital owner was sentenced to 135 months in federal prison for submitting false and fraudulent claims to healthcare payers including CMS The chief financial officer of the same hospital was also sentenced for defrauding the government and healthcare payers They had made a false statement regarding the meaningful use achievements and claimed the hospital met relevant meaningful use requirements under the Medicare and Medicaid EHR Incentive Programs This false MU attestation data led to the hospital being awarded $785,655 from Medicare in the form of incentive payment which was later recouped Since healthcare fraud is a serious issue across the nation, federal agencies are likely to continue pursuing claims under the EHR Incentive Programs and filing additional meaningful use audits
Real Life Client Stories
Example #1 Failed Audit
Things to Point Out This was a post-payment audit The audit was on a provider's attestation for stage 1 year 1 in 2012 CMS came back in 2016 to look at year 2012 And yes they can do that CMS can go back up to 6 years prior to attestation! This is the reason why a binder is required for each year The communication from CMS states this will NOT affect subsequent payment years However, this will cause alarm and there is a good chance they may be flagged for a future audit
Reasons for Failing Submitted reports with the same data used during attestation CMS needed reports from their certified EHR technology otherwise the information could have been made up You always want to pull final reports to use during attestation from your CEHRT The physician failed to provide screenshots for certain system functionality within their reporting period Screenshots are required for: Clinical decision support interventions Drug-drug and drug-allergy interaction checks Non-percentage based measures need screenshots, write-ups, or a copy of emails Percentage based measures need reports from CEHRT
More Reasons for Failing Security Risk Analysis was not comprehensive and not up-to-date NextGen has a Security Risk Analysis white paper There is a CMS FAQ on Security Risk Analysis There are also many more resources on HHS website including an interactive tool and downloadable paper analysis
A Non-Comprehensive SRA Does not address all three types of safeguards: Physical Technical Administrative Does not identify risks or include a remediation plan to mitigate those risks
A Comprehensive SRA This is a screenshot of 2 pages in a 196 page document that ENTIERLY consists of administrative safeguards for an SRA. There are two more documents for technical and physical safeguards of similar length that would need to be completed for a comprehensive SRA.
Example #2 Audit Requiring Additional Information
CMS Comes Back with Questions
Things to Point Out This was a pre-payment audit on 4 providers for 2015 The auditors came back with additional questions after initial information was sent in response to the audit request The client was able to send back numerous screenshots to prove functionality in NextGen dated within the reporting period For example: You will need a screenshot of your Attestation Information pop-up which shows that DUR alerts are enabled. This is only viewable when a provider logs in and can be accessed in EHR by going to View Attestation The provider being audited needed to provide proof that more than 80% of the medical records of unique patients seen during the attestation period were maintained in a CEHRT system To get this proof you can run a unique encounter report out of EHR/EPM Secure Messaging: The client needed to prove it was enabled for the full reporting year NextGen provided a letter
Itentive and NextGen Responses
Secure Messaging Proof On behalf of the client we were able to reach out to NextGen to get proof that secure messaging was enabled for the entire reporting period The letter states, A query was performed on the client system showing consistent use of secure electronic messaging functionality from 1/1/2015 through 12/31/2015.
NextGen Documents Needed
Another Example of Requested Documentation When reporting CPOE, CMS not only requested the Meaningful Use report showing the numerator and denominator, they also required a list of individuals entering CPOE and their credentials.
Reasons for Passing Timely response to initial and subsequent requests for documentation Collaborated with Itentive and NextGen to send back comprehensive responses to all questions as well as supporting documentation Attestation and passing an audit takes a team not just a person Submitted a complete and up-to-date security risk analysis initially
Example #3 Successful Audit
Audit Engagement Letter
Document Request Letter
Modified Stage 2 Suggested Documentation
Modified Stage 2 Suggested Documentation
Modified Stage 2 Suggested Documentation
Modified Stage 2 Suggested Documentation
Things To Point Out This was a pre-payment audit for 2015 The provider had 30 days to gather and submit all information The provider submitted reports from CEHRT originally and had screenshots ready and available The provider attested with the assumption they would undergo an audit, which meant their binder was up-to-date and ready
Lessons Learned Be proactive about gathering information Stay on top of the audit process Maintain all information from the past 6 years Collaboration is key
Medicare Audit Appeals
Appeals CMS has an appeals process for EPs and eligible hospitals that participate in the Medicare EHR Incentive Program Providers may contact the EHR Information Center through a toll free number, 888-734-6433, between 9 a.m. and 5 p.m. EST, Monday through Friday, for general questions on how to file appeals and the status of any pending appeals An electronic appeals form must be completed and submitted to: EHRappeals@provider-resource.com The appeals submission process is time sensitive, with a 30 day window for the submission period The appeal will only be processed if all documentation is provided at the time of submission There is a large backlog of audits being performed and may take some time
Frequently Asked Questions Q. Can attestation information submitted for the Electronic Health Records (EHR) Incentive Programs be updated, changed, cancelled or withdrawn after successful submission in the EHR Registration and Attestation System? A. If an eligible professional (EP) participating in the Medicare EHR Incentive Program chooses to change or withdraw their attestation, an attestation amendment form or incentive payment attestation withdrawal form must be completed and sent back along with any incentive payments already received.
Frequently Asked Questions Q. What is a common reason for an EP to fail an audit? A. One of the leading causes for failing a meaningful use audit is insufficient documentation of a security risk analysis. Q. Do meaningful use audits only apply to the most recent attestation year? A. No- CMS has clear authority to audit meaningful use attestations that occurred prior to 2015.
Recommendations
Security Risk Analysis Providers should conduct a security risk analysis and update it annually based on changes made throughout the year Within your SRA make sure to have a remediation plan in place for any risks that are identified accompanied by a date in which you plan to remediate each risk The security risk analysis should cover a span of the entire year, it cannot be episodic
Security Risk Analysis CMS Auditors are asking for proof that a security risk analysis of your CEHRT was performed before the end of the reporting year or before you attest which ever comes first. The report should document: Procedures performed during the analysis Results of the analysis Implementation plans with target completion dates for any security deficiencies discovered during the analysis
Recommendations Create a check list of all required documentation Print the documentation and put in a binder or save the documentation electronically Keep the documentation separated from year-to-year (Remember the documentation needs to be kept for six years) Keep the documentation in a safe place In an office: safe from fire? Or flood? On a computer: backed up if destroyed or stolen? Ensure there are policies in place to transition the documentation, should an employee leave the practice or organization Work with and communicate with auditors Conduct a self-audit
Itentive s Trusted Advice You can never be too cautious You can never have too much information Your binder should be ready to go before you even consider attesting Your binder and the chance of an audit can t be an afterthought It is a team effort not a single person s responsibility
SAMPLE: Itentive Can Help Measure for Drug/Allergy Interaction Checks: Screenshot from reporting period showing that the checks were enabled with a minimum level of 1 in Universal Preferences. erx Measure: Provider is marked as being excluded due to writing less than 100 RX s during the reporting period. I would include a report of all of his medications prescribed during the reporting period to show it was less than 100. Clinical Decision Support Measure: Screenshot of what the provider used for their clinical decision support. Many used the My Plan with a common high priority diagnosis and a saved order set. Patient Health Information Measure: Provider is marked as being excluded due to not receiving any requests for electronic health information. I would include documentation on where these requests are tracked to show that none were received during the reporting period. Electronic Exchange of Clinical Information Measure: One test of the electronic exchange of clinical information was required. Other groups I worked with used the Medical Summary Utility for this. I would include the screenshots of the testing that was completed along with the date and which provider/office you conducted the test with.
During and After Reporting Period Checklist Run reports monthly Gather additional screenshots for self attestation items Finish security risk analysis Export all reports used for attestation Gather all documentation and place all in audit binder Attest on time
7 Ways to Prepare for a Meaningful Use Audit 1. Assume you ll be audited 2. Respond promptly 3. Take charge 4. Avoid discrepancies 5. Ensure EHR certification 6. Documentation is key 7. Complete a Security Risk Analysis
By failing to prepare, you are preparing to fail. - Benjamin Franklin
Organizing and gathering your data to create your MU Audit binder Conducting your security risk analysis Validating your results Working with NextGen, CMS, and Figliozzi to get answers and proof you need during an audit We can help!
Questions Lindsey Lanning Healthcare Informatics Coordinator llanning@itentive.com 224-220-5621 Kathy Thompson Managing Consultant kthompson@itentive.com 224-220-5531 Cindi Kincade Vice President, Client Solutions ckincade@itentive.com 224-220-5575
Thank you