Meaningful Use Audit Red Flags: Pay Careful Attention To The Security Risk Analysis - Or Else

Transcription

1 Meaningful Use Audit Red Flags: Pay Careful Attention To The Security Risk Analysis - Or Else

2 Jim Tate Founder: EMR Advocate, Inc. Managing Partner: HITECH Answers Author of The Incentive Roadmap The Meaningful Use of Certified EHR Technology Certified Technology direct involvement in over 250 EHR certification projects Subject Matter Expert to RECs and Law Firms on MU & Audits Specialist in Meaningful Use Audits/Appeals & Mock Audits

3 Audit Basics CMS, and its contractors, will perform audits on Medicare and dually-eligible Medicare/Medicaid providers. States, and their contractors, will perform audits on Medicaid providers. CMS and states will also manage appeals processes.

4 Who Gets the Audit? As of April 2014 over 4,700 unique EHs/CAHs have received CMS EHR incentives. Medicare only: 270 $561,000,000+ Medicaid only: 156 $335,000,000+ Dually eligible: 4,301 $13,607,000,000+ CMS states the aim is to audit 5%+.

5 What Generates the Audit? Random Risk profile - suspicious data Successive audits based on history Reach back Whistleblowers

6 The Audit Process ed letter of audit engagement Request for documentation Response and request Final Determination

7 Audit The Letter from Figliozzi & Company from a CMS address to the address provided during registration for the EHR Incentive Program. - or - from CMS EHR Meaningful Use Audit Team

8 Audit The Letter This letter is to inform you that you have been selected by CMS for an audit of your meaningful use of certified EHR technology for the attestation period. Attached to this letter is an information request list. Be aware that this list may not be all-inclusive and that we may request additional information necessary to complete the audit. - or Limited audit: proof of Certified EHR

9 Documentation Request As proof of use of a Certified Electronic Health Record Technology system, provide a copy of your licensing agreement with the vendor or invoices. Please ensure that the licensing agreements or invoices identify the vendor, product name and product version number of the Certified Electronic Health Record Technology system utilized during your attestation period. If the version number is not present on the invoice/contract, please supply a letter from your vendor attesting to the version number used during your attestation period.

10 Documentation Request Provide the documentation to support the method (Observation Services or All ED Visits) chosen to report Emergency Department (ED) admissions designating how patients admitted to the ED were included in the denominators of certain meaningful use core and menu measures (i.e. an explanation of how the ED admissions were calculated and a summary of ED admissions).

11 Documentation Request For Core Measures #1, 3, 4, 5, 6, 7, 8, 11, & 12, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation).please Note: If you are providing a summary report from your EHR system as support for your numerators/ denominators, please ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided.)

12 Documentation Request Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.

13 Documentation Request If attested to Menu Set Measures #2, 3, 5, 6, or 7, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation).please Note: If you are providing a summary report from your EHR system as support for your numerators/ denominators, please ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided.) If attested to Y/N Menu Set Measures #4, 8, 9, or 10, please supply supporting documentation.

14 Security Risk Analysis for MU Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Exclusion: No exclusion.

15 Security Risk Analysis for MU Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted. Any security updates and deficiencies that are identified in the review should be included in the provider s risk management process and implemented or corrected as indicated by that process. CMS

16 Security Risk Analysis for MU There is no single method or best practice that guarantees compliance, but most risk analysis and risk management processes have steps in common. Here are some considerations as you conduct your risk analysis: Review the existing security infrastructure in your hospital against legal requirements and industry best practices Identify potential threats to patient privacy and security and assess the impact on the confidentiality, integrity and availability of e-phi Prioritize risks based on the severity of their impact CMS

17 Security Risk Analysis for MU Question: Do the auditors use a checklist when the SRA is reviewed? The key for us is the security risk assessment encompasses the EHR system and that it is a review either performed by the EH or a consultant. Given the vast spectrum of security risk assessments we have seen, it would be hard to put together a checklist to be used. We review each one on an individual basis and at times have meetings with the staff and point out why the particular assessment meets the criteria or why it does not. Of course, there are a great deal of assessments that fall into that gray zone of, is this really an assessment or is it just policies or checklists?

18 Final Determination Good We performed a desk review on your facility s meaningful use attestation for the Program Year 2011 and Payment Year 1. Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has met the meaningful use criteria.

19 Final Determination Bad We performed a desk review on your facility s meaningful use attestation for the Program Year 2011 and Payment Year 1. Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has not met the meaningful use criteria, for the following reasons: Failed Eligible Hospital Meaningful Use Core Measure X. Since your facility did not meet the meaningful use criteria, the incentive payment will be recouped. You will receive a demand for your total Medicare EHR incentive payment shortly from the EHR HITECH Incentive Payment Center.

20 The Demand Letter The purpose of this letter is to inform you that a Meaningful Use Audit determined a HITECH incentive overpayment in the amount of $X,XXX,XXX..to be repaid to our office in full. Full refund within 30 days...interest begins on 31 st day.referred to Department of Treasury on 61 st day.

21 Appeals CMS handles the appeal process for EPs, EHRs, and CAHs in the Medicare and dually eligible hospitals. States are responsible for appeals related to the Medicaid EHR Incentives.

22 Appeals Filed electronically More flexibility than at the audit level Less communication than during audit Timeline of appeal process Only failed MU measures addressed

23 Best Practices for Audits & Appeals Have response plan in place Full documentation available Watch the deadlines Look to vendor for support Mock audit

24 Mock Audits Best Practices The mock audit should never be conducted by the same individuals that were involved in the incentive attestation. The team performing the mock audit must be extremely knowledgeable in all aspects of the foundational elements of the CMS EHR Incentive programs. The mock audit should follow as closely as possible the documentation requests and process utilized by the CMS Medicare audit contractors, Figliozzi & Company.

25 Jim Tate President, EMR Advocate, Inc