29 OIG 2014 Work Plan explores new compliance projects: Part 2. Nathaniel Lacktman

Transcription

1 Compliance TODAY May 2014 a publication of the health care compliance association A unique dual role Indiana s OIG successfully combines statutory law enforcement with Code of Ethics education & advice an interview with David Thomas first statewide Inspector General of Indiana See page Prepare for and survive a CMS meaningful use audit Christopher J. Laney and Ann Varbanov 29 OIG 2014 Work Plan explores new compliance projects: Part 2 Nathaniel Lacktman 41 Nurturing a compliance culture of selfimprovement Paul P. Jesep 47 Internal compliance reviews: Should they be privileged? Susan Lee Walberg This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at with reprint requests.

2 by Christopher J. Laney and Ann Varbanov Prepare for and survive a CMS meaningful use audit Designate a point person to coordinate with auditors. Recognize that misrepresentation when attesting to a claim could subject a provider to criminal or civil liability. It is almost always to the provider s advantage to appeal the audit determination. The security risk analysis must be specific to your EHR and particular practice. Legal counsel should review EHR vendor agreements to ensure the vendors have documentation-retention obligations. Christopher J. Laney (claney@healthlex.com) is an Associate Attorney at Rogers Mantese and Associates, PC in Farmington Hills, MI, and focuses his practice on healthcare law. Ann Varbanov (avarbanov@healthlex.com) is a Paralegal at Rogers Mantese and Associates, PC in Farmington Hills, MI, and part of the firm s healthcare team. As hospitals and healthcare providers transition to electronic health records (EHR) systems around the country, the phrase meaningful use has become common around the workplace. The government s main goal in implementing incentive payments for meaningful use of EHR among hospitals and providers is to promote the spread of EHR technology and improve healthcare outcomes in the United States. The government does not consider the EHR Incentive Program a reimbursement program for those who simply purchase or upgrade their record systems. Rather, the government will only pay eligible professionals and hospitals for what it considers meaningful use of those systems. As a result, the government has enlisted a contractor in order to audit these providers and hospitals for compliance with government standards for EHR meaningful use. Compliance officers must ensure that their organizations are prepared for an audit of their meaningful use of EHR. What is meaningful use? Participants in the EHR Incentive Program are already aware that the Centers for Medicare & Medicaid Services (CMS) provides incentive payments to eligible professionals and hospitals that attest to meeting the Medicare meaningful use Laney requirements. Incentive payments for the three-stage implementation process for an eligible Medicare professional can be up to $44,000 over a five-year period, and $63,750 for an eligible Medicaid professional over a six-year period. To receive incentive payments, providers need to demonstrate a set Varbanov of meaningful use criteria. The criteria, objectives, and measures will evolve in three stages over the next five years. For Stage 1 of Meaningful Use, eligible professionals are required to meet 19 of 24 criteria. Fourteen of these criteria are mandatory core objectives, and providers must also choose and meet five from a list of ten menu set objectives. Eligible hospitals must meet 18 objectives, 13 of which are mandatory. These criteria serve as the government s guideline for effective EHR implementation. During the eligible provider s

3 first year of participation in the program, he/she need only show meaningful use compliance over a shortened 90-day reporting period. The last day to start the shortened reporting period was October 3, 2013; after that date, or following their first year of participation in the program, providers must demonstrate meaningful use year-round. CMS provides Meaningful Use Specification Sheets on its website that give detailed information on each objective to help providers understand what steps they need to take in order to meet the program requirements. It is important for an organization to thoroughly review these specification sheets many of the measures have detailed and non-intuitive requirements. Once the reporting period has ended, a provider can attest to CMS to earn his/her incentive payment using the online CMS attestation module. Starting in 2015, providers will face penalties for not demonstrating meaningful use. Providers will be charged 1% of Medicare Physician Fee Schedule reimbursements, with penalties increasing each year up to 5%, until they demonstrate meaningful use. With such substantial incentive payments and penalties at stake, it is important for compliance officers to understand what steps are necessary to get through an audit successfully. Interestingly, CMS will make these payment adjustments beginning in 2015, but CMS will determine which providers will be subject to these cuts beginning in That is, if a provider first demonstrates meaningful use in 2013 or earlier, that provider must demonstrate meaningful use in 2013 for that provider s required time period (either the 90-day reporting period for first-time attesters, or the full year for others), and every year thereafter, in order to avoid Medicare reimbursement cuts in Providers who demonstrate meaningful use in 2014 for the first time must attest by October 1, 2014, in order to avoid those 2015 payment cuts. On December 6, 2013, CMS published a joint blog post with the Office of the National Coordinator for Health Information Technology (ONC) on its website indicating that the deadline for Stage 2 Meaningful Use implementation was being extended until CMS also pushed back Stage 3 implementation until 2017 for providers who have completed at least two years of Stage 2 compliance. CMS anticipates publishing Stage 3 regulations in early CMS has contracted Figliozzi and Company, CPA, to perform Stage 1 pre-payment and post-payment audits on 5% to 10% of all program participants. Providers selected for pre-payment audits will be asked to present supporting documentation to validate their attestation data before CMS will release incentive payment. Providers selected for postpayment audits will also be required to submit supporting documentation to validate their attestation data. If CMS determines that the provider is not in compliance, it will recoup any incentive payments for the period in which the provider was not in compliance. Audit process If your office is selected for an audit, the contact person listed in the organization s attestation worksheet, not necessarily the compliance officer or EHR coordinator, will receive a request from Figliozzi and Company. The auditor will conduct an initial audit review process using information the provider or hospital forwards in response to the auditor s request letter. In some cases, an on-site review at the provider s location may follow. Figliozzi and Company. uses a secure portal to assist providers in sending sensitive information, including protected health information (PHI) under HIPAA. The auditor will respond with a decision regarding the provider s or hospital s Stage 1 Meaningful Use compliance once it has conducted a review of the submitted information. If the provider is found to be ineligible for an

4 EHR incentive payment, CMS will recoup the payment. In this situation, it is almost always to the provider s or hospital s advantage to appeal the audit determination. How to prepare for an audit Preparing for a meaningful use audit may cause compliance officers some frustration because it can be difficult to recreate what happened during your attestation period, especially if the compliance officer is not familiar with the organization s EHR. It is always a good idea to coordinate with the organization s EHR vendor when preparing for or responding to an audit, but ultimately the responsibility to produce documentation during an audit falls on the provider, not the vendor. We recommended that compliance officers include the following in their preparation for an audit. Preparing for [an] audit may cause compliance officers some frustration because it can be difficult to recreate what happened during your attestation period Preparation is critical Once selected for an audit, providers will normally have about two weeks to gather and submit documentation. Not submitting documentation on time could result in a more thorough review of the attestation period or cause a participant to be selected for a pre-payment audit. If a provider is found to have failed even one measure, CMS will recoup the entire incentive payment. CMS does not allow partial incentive payments. Attorney-client privilege To the extent that an organization works with either its inside or outside legal counsel, preparatory audits and other work to improve compliance can be protected by the attorney-client privilege. Common audit issues Our experience has shown several common areas where providers and hospitals fall short during their audits. Know the core and menu set objective measures Review the Meaningful Use Specification Sheets and frequently asked questions published by CMS. If you are unclear of what the objectives require, work with your EHR coordinator, vendor, consultants, and legal counsel to ensure that not only does the EHR system comply with meaningful use, but that it also documents meaningful use in a way that can be easily accessed and conveyed to the auditors. Designate a point person Designating one person who is responsible for compliance and coordination with auditors can cut down on confusion and help streamline document production, in addition to centralizing accountability in the organization. Security risk analysis The first is perhaps the most intimidating: the security risk analysis. Compliance officers are likely familiar with the risk analysis required by HIPAA and, luckily, meaningful use does not impose any additional operational requirements though it does mandate that an organization conduct the analysis every year. Providers and hospitals must show CMS that they completed the security risk analysis before the end of the reporting period. Further, the analysis must be specific to their EHR system and particular practice. Lack of adequate documentation By far, the most common mistake we have seen is a lack of documentation for both the

5 criteria that require percentage responses (i.e., numerators and denominators), as well as those that merely require a yes attestation. Providers and hospitals need to retain all relevant supporting documentation for each and every attestation they make. It may be a good idea to have legal counsel review EHR vendor agreements to ensure that those vendors also have documentation-retention obligations. Providers and hospitals need to ensure that the system audit logs are fully functioning in their EHR and, for any criterion that is not numerical, that their system tracks compliance adequately. It is imperative to work with the organization s vendor, legal counsel, and any consultants that the compliance officer thinks are necessary in order to be able to prove to the government that the organization was meaningful use-compliant. A lack of documentation could also lead to further investigation by the Department of Health and Human Services (HHS) Office of Inspector General (OIG). HHS has made clear that it considers any false attestation an attempt to defraud the government and a crime. Conviction of such a crime can lead to fines, imprisonment, and/or exclusion from federal healthcare program participation. The government can also choose to treat such false attestations as a civil matter, which could result in fines and exclusion. Audit appeal process If a provider or a hospital receives an unfavorable determination from the auditors, it may be a good idea to appeal the result. The appeal process set out by CMS is very limited. Appeals are permitted in two categories: eligibility appeals and meaningful use appeals. The latter is what providers will choose if they have an adverse audit determination. The EHR Incentive Program appeal process is wildly different than other appeals within HHS. Instead of having multiple levels of appeal, as providers and hospitals do for things like post-payment Medicare audits and de-participation, there is a single level of appeal. Further, there are few if any published guidelines for the appeals, which can lead to confusion among program participants. To begin an appeal, a provider or hospital calls the CMS EHR Incentive Program directly to notify the program of the appeal. After the appellant receives a case number, he/she fills out a form and submits any further documentation that the appellant thinks is relevant. CMS can take anywhere from several weeks to several months to process the appeal. Adverse appeal determinations are accompanied by a letter stating that the decision is final and there is no further appeal. Presumably providers can take an adverse appeal determination to the federal court in their districts, but there is no indication that this is an option in the materials from CMS. Conclusion The best way to survive a meaningful use audit is to show compliance to the auditors. This necessitates ensuring that all members of an organization with responsibility for EHR implementation work together to demonstrate compliance with CMS rules. An organization can save time and money by being prepared for an audit and doing its best to have all supporting documentation in a format that is easy for auditors to review and approve. If the auditors do not agree that the organization was compliant with meaningful use objectives, the organization will have to make the decision whether to appeal the determination. At this point, again, the organization will need all members of the EHR team to work together in order to submit any information that was missing at the initial audit. Preparation is the best way to avoid the expense and inconvenience of a long audit and appeal process