Meaningful Use Audits
NextGen Physician Consulting Services

Agenda
- Audit overview
- Documentation for measures requiring numerator and denominator data
- Documentation for attestation-only measures
- Security Risk Analysis
- Questions
MU Audits
- CMS: Medicare EHR Incentive Program
  - Pre-payment audits began October 2012
  - Post-payment audits began January 2013
- State Medicaid: Medicaid EHR Incentive Program
  - Pre-payment audits
  - Post-payment audits
  - Varies by state
- OCR: HIPAA

CMS Meaningful Use Audits
- Contracting with private organizations to complete random audits
- Conducting random audits and risk profiling of suspicious/anomalous data
- Requesting all supporting materials
- Follow-up requests for more information are following a consistent pattern

Audit Determination Letter
- Will inform the provider whether they were successful in meeting meaningful use
- A provider found not to be eligible for an EHR incentive payment will have their payment recouped
- CMS may pursue additional measures against providers who attest fraudulently to receive an EHR incentive payment
  - Punishment may involve imprisonment, significant fines, or both
  - In some states, providers and health care organizations may lose their licenses
  - Convictions may also result in exclusion from Medicare participation for a specified length of time
  - Medicare fraud may also result in civil liability
Medicare Audit Questions and Appeals
- Providers are to direct audit questions to Figliozzi and Company at:
  - Phone: (516) 745-6400 x302
  - Email: pfigliozzi@figliozzi.com
  - Website: http://www.figliozzi.com/
- Appeals process: call the EHR Information Center at 888-734-6433
  http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Appeal_EP_FilingRequest-.pdf

CMS Audit Resources
- Supporting Documentation for Audits
  http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf
- Audit Overview Fact Sheet
  http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Audit_Overview_FactSheet.pdf

Medicaid Audits
- Each state manages its own audit approach: https://www.cms.gov/apps/files/statecontacts.pdf
- States are responsible for auditing eligibility, AIU, hospital payments (and their calculation) and MU
- CMS approves each state's audit approach and framework

Common Reasons for Failing an Audit
- Lack of proof of ownership of a Complete EHR
- Reports that do not identify the provider and/or the EHR
- Attestation-only measures not well documented
- Security Risk Analysis not well performed and/or documented
- Public health connectivity not well documented

Keep an Audit File
- Keep documentation supporting the attestation data for meaningful use objectives and clinical quality measures for six years post-attestation
- All screen shots must show the NextGen name to appropriately identify the EHR product
- Do not show PHI in screen shots
- Keep a copy of office policies and procedures with your audit documentation
Initial Audit Document Request
Limited Post Payment Request
Initial Audit Document Request: Part I - General Information
- As proof of possession of a certified Electronic Health Record technology system, provide a copy of the Office of the National Coordinator of Health Information Technology (ONC) certification
- Provide licensing agreements with the vendor or invoices from the time the system was purchased

How do I obtain an audit letter or proof of access letter?
- Complete the documentation at: https://docs.google.com/forms/d/1vcvpmahs4tduzzyvoO74pRwujaX1x6P4B-xZmSWiQ6k/viewform
- If an audit letter was received, send a copy to MUvendorletter@nextgen.com
- Attach screen shots of the NextGen EHR upgrade history (obtained via SQL query or the mu_audit_data Crystal Report)
- Allow 3-5 business days for processing
Documentation of When CEHRT was Installed
- If you are asked for proof of when you installed your upgrade to CEHRT, use the MU Audit Data Report or query the version table directly:

  select * from version order by create_timestamp desc
Initial Audit Document Request: Part I - General Information
- At how many offices/facilities do you see your patients?
- Do you utilize EHR software in all of these facilities?

Stage 1 and 2 Minimum Use of EHR
- 50% or more of patient encounters during the reporting period must occur at a practice/location equipped with certified EHR technology
- An EP can meet the 50% threshold through a combination of practices/locations
- Documentation that 50% or more of patient encounters during the reporting period have been entered into the EHR:
  - An appointment log showing all appointments that took place during the reporting period, as well as
  - A list of patient encounters from your EHR system
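The two checks an auditor will make from those artifacts, as an added example that is not part of the NextGen deck: the share of in-period appointments at CEHRT-equipped locations (combined across locations) and the share of appointments that actually have an EHR encounter. Location names, dates and the reporting period are constructed.

```python
from collections import Counter
from datetime import date

# Constructed: which of the EP's locations run certified EHR technology.
CEHRT_LOCATIONS = {"Main Clinic": True, "Satellite Office": True, "Hospital Outreach": False}

# Constructed appointment log: (appointment date, location). Two visits on 2014-01-06
# and one appointment outside the reporting period are included on purpose.
APPOINTMENT_LOG = [
    (date(2014, 1, 6), "Main Clinic"), (date(2014, 1, 6), "Main Clinic"),
    (date(2014, 1, 13), "Satellite Office"), (date(2014, 2, 3), "Main Clinic"),
    (date(2014, 2, 10), "Hospital Outreach"), (date(2014, 2, 17), "Satellite Office"),
    (date(2014, 3, 3), "Main Clinic"), (date(2014, 3, 10), "Hospital Outreach"),
    (date(2014, 3, 24), "Hospital Outreach"), (date(2014, 4, 2), "Main Clinic"),
]

# Constructed EHR encounter export: (encounter date, location). One of the two
# 2014-01-06 visits was never entered, and the hospital site has no EHR at all.
EHR_ENCOUNTERS = [
    (date(2014, 1, 6), "Main Clinic"), (date(2014, 1, 13), "Satellite Office"),
    (date(2014, 2, 3), "Main Clinic"), (date(2014, 2, 17), "Satellite Office"),
    (date(2014, 3, 3), "Main Clinic"), (date(2014, 4, 2), "Main Clinic"),
]

REPORT_START, REPORT_END = date(2014, 1, 1), date(2014, 3, 31)  # constructed period


def in_period(d):
    return REPORT_START <= d <= REPORT_END


def cehrt_encounter_share(appointments):
    """Fraction of in-period appointments held at a CEHRT-equipped location,
    combined across all locations (the EP may combine practices/locations)."""
    in_scope = [loc for d, loc in appointments if in_period(d)]
    at_cehrt = sum(1 for loc in in_scope if CEHRT_LOCATIONS.get(loc, False))
    return at_cehrt / len(in_scope) if in_scope else 0.0


def reconcile(appointments, encounters):
    """Match the appointment log against the EHR encounter list by (date, location).
    Returns (share of appointments with an EHR encounter, unmatched appointments);
    several same-day visits are matched by count so a missing one still shows up."""
    appts = Counter((d, loc) for d, loc in appointments if in_period(d))
    encs = Counter((d, loc) for d, loc in encounters if in_period(d))
    matched = sum(min(n, encs[key]) for key, n in appts.items())
    unmatched = sorted(key for key, n in appts.items() if encs[key] < n)
    total = sum(appts.values())
    return (matched / total if total else 0.0), unmatched


def meets_minimum_use(appointments, encounters, threshold=0.5):
    """Both the CEHRT-location share and the entered-in-EHR share must reach 50%."""
    return (cehrt_encounter_share(appointments) >= threshold
            and reconcile(appointments, encounters)[0] >= threshold)
```

The unmatched list is what to resolve before the audit response: each entry is an appointment the auditor will find in the log but not in the EHR report.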
Proof of Patients Seen With EHR
Initial Audit Document Request: Part II / III - Core & Menu Measures
- Provide the documentation used in completing the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation).
- If you are providing a summary report from your EHR system as support for your numerators/denominators, ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step-by-step screenshots demonstrating how the report is generated by your EHR are provided).
- To support Y/N attestation measures, please supply documentation such as screenshots from your EHR system.

Self-Attestation Objectives for Stage 1
- Drug-drug and drug-allergy interaction checks
- Clinical decision support
- Security risk analysis
- Patient lists by condition
- Drug formularies
- Immunization registry
- Syndromic surveillance data

Self-Attestation Objectives for Stage 2
- Clinical decision support and drug-drug and drug-allergy interaction checks
- Security risk analysis
- Patient lists by condition
- Summary of care measure #3
- Immunization registry
- Syndromic surveillance data
- Cancer registry
- Specialized registry

Stage 1 Core Measure - Drug Interaction Checking
- Check for drug-drug interactions and drug-allergy interactions
- Functionality must be enabled for the entire reporting period

Stage 1 Core Measure - Drug Interaction Checking
- Auditors are asking for proof that drug interaction checking was enabled for the entire attestation period:
  - Screen shot of System Admin showing minimum level display > 0
  - Screen shots of DUR overrides from assorted dates during the EHR reporting period
  - MU Audit Data Report
Set Minimum Level in System Admin to 1
MU Audit Data Report
5.8 Attestation Screen Shows Dates Functionality Enabled
Stage 1 Core Measure - Clinical Decision Support (CDS)
- Implement at least one clinical decision support rule related to a high-priority or specialty-relevant condition, including diagnostic test ordering
  - Not including drug-drug or drug-allergy interaction checking
  - But drug-condition and geriatric/pediatric age interactions can count

Stage 1 Core Measure - Clinical Decision Support (CDS)
- Identify one particular clinical decision support rule that the physician followed
- Screen shots of the decision support (guidelines, order sets, CQM check, etc.)
- Run a report using the ad hoc report writer to show compliance with that item by the provider
- Make sure the report covers the entire reporting period

Stage 2 Core Measure - Clinical Decision Support (CDS)
- Identify five clinical decision support interventions that the physician followed, related to 4 or more of the CQMs reported on
- Screen shots of the decision support
- Run a report using the ad hoc report writer, or use HQM reports, to show compliance with that item by the provider
- Make sure the report covers the entire reporting period

One Report Per CDS Measure
- Report only data for providers using this measure
Drug-Age-Related Interaction Allowed for Stage 1
Transition of Care (Stage 2)
Three measures:
- Provide a summary of care document for more than 50% of transitions of care and referrals
  - Can be provided either by the patient or by the referring provider or institution
- More than 10% sent electronically
- At least one sent to a recipient with a different EHR vendor, or a successful test with CMS

Transition of Care (Stage 2)
- For the Stage 2 transition of care (summary of care) objective, the 3rd measure requires an exchange with the CMS test EHR or with another provider using a different vendor
- One exchange will suffice for all providers that use the same EHR technology and share a network which their organization either has operational control of or a license to use
- CMS FAQ 7729: https://questions.cms.gov/faq.php?id=5005&faqid=7729
Stage 1 Menu Measure - Formularies
- Implement drug formulary checking
- Access to at least one internal or external formulary
- Formularies are available through e-prescribing functionality
- Attestation only

Drug Formulary Audit - Stage 1
- Provide documentation that the formulary was available for the entire reporting period
- One or more screenshots, dated during the EHR reporting period, showing that the provider had access to a drug formulary and including the NextGen name
- Run the MU Audit Crystal Report (CR) to show the formulary history
MU Audit Data Report
Stage 2 Core Measure - Formularies
- Part of the eRx objective
- More than 50% of all permissible prescriptions, or all prescriptions, written by the EP are queried for a drug formulary and transmitted electronically using CEHRT
Stage 2 Core Measure Formularies
MU Audit Data Report
Stage 1 Menu Measure - Patient List
- Generate at least one report listing patients with a given condition
- Relevant to specialty
- Use the ad hoc report writer

Stage 1 Menu Measure - Patient List Audit
- Provide a screen shot of the report set-up showing the NextGen name
- Provide a copy of the report
- Blank out PHI
- You can use the same report for your clinical decision support
Search for Diagnosis by Code/Description
Patient Lists by Condition
Patient Lists by Condition
- Select Head/Foot to customize the header/footer
- Options include adding the date prepared and the practice title
Patient Lists by Condition
Patient Lists by Condition
- Save the report
- Click OK to generate the report
- Export the report
Stage 1 Public Health Measures
- You must do either syndromic surveillance or immunization reporting
- If you exclude one, you must try to do the other
- If you can exclude both, you must keep documentation

Stage 1 Menu Measure - Immunizations
- Test the capacity to report immunization data to a registry
- If you can report, you must continue to do so
- Exemption if you give no immunizations
- Exemption if no immunization registry has the capacity to receive the information electronically, or if it is prohibited
- Requires purchase of an HL7 interface

Immunization Registry Reporting - Audit Documentation
- If you are reporting, document the registry name and the date you went into production, and get a letter from the registry confirming ongoing transmission
- If the test failed, document the name of the registry and the date of the test, and provide a letter from the registry confirming the test and its failure
- If you are excluding this measure, document the reason:
  - If you do not give immunizations, state this
  - If the state does not have a registry or does not accept data from your population, get a letter from them confirming this

Stage 1 Menu Measure - Syndromic Surveillance
- Test the capacity to report electronic syndromic surveillance data to public health agencies
- If you can report, you must continue to do so
- Exemption if you do not collect reportable syndromic data during the reporting period
- Exemption if no public health agency has the capacity to receive the information electronically, or if it is prohibited
- Requires purchase of an HL7 interface

Syndromic Surveillance - Audit Documentation
- If you are reporting, provide the name of the public health agency, the date it went into production and a confirmation letter from the agency
- If the test failed, provide the date of the test and the name of the agency, and get a confirmatory letter
- If you are excluding this measure, you will need a letter from your public health agency confirming they are not accepting data at this time

Cancer Registry / Specialized Registry (Stage 2)
- Requires successful ongoing submission of specific case information from CEHRT to a specialized registry for the entire EHR reporting period
- Provide the name of the registry, the date it went into production and a confirmation letter from the registry
- Registration of intent to initiate ongoing submission was made with the PHA or other body to whom the information is being submitted by the deadline (within 60 days of the start of the EHR reporting period), and ongoing submission was achieved, or the provider is still engaged in testing and validation of ongoing electronic submission, or is awaiting an invitation to begin testing and validation
Stage 1 Core Measure - Security
- Practices must conduct a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
- Can do this anytime starting now
- Audit trails
- Policies and procedures
- Security officer
- Workforce training for security

Stage 2 Core Measure - Security
- Practices must conduct a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
- Data at rest was added as a particular focus

Why is this important?
- Meaningful Use requirement
- Without performing an SRA, you cannot successfully attest to MU; if you attest without an SRA, your incentive payment may be recouped if you are audited
- We have seen providers fail Stage 1 due to not performing a HIPAA SRA
- The number of HIPAA breaches reported has increased; some were among the largest ever reported under HIPAA

CMS Suggested Documentation
- A report that documents the procedures performed during the analysis and the results
- The report should be dated prior to the end of the reporting period
- It should include evidence to support that it was generated for that provider's system (e.g. identified by NPI, CMS Certification Number, provider name, practice name, etc.)

Security Risk Analysis
- A HIPAA requirement, not just MU
- A systematic and ongoing process:
  - Identifying and examining potential threats to PHI in your medical practice
  - Implementing changes to make your patient health information more secure, then monitoring results
- Random audits are already occurring
- Fines are being assessed

Security Risk Analysis Process (a continuous cycle)
- Review existing security of PHI and e-PHI
- Identify threats and vulnerabilities
- Assess risks for likelihood and impact
- Mitigate security risks
- Monitor results
Source: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
What are the requirements?
- 164.310 Physical Safeguards
- 164.308 Administrative Safeguards
- 164.312 Technical Safeguards
- 164.316 Policies, Procedures and Documentation Requirements
- 164.314 Organizational Requirements

Physical Safeguards
- Examples: your facility and other places where PHI is accessed; computer equipment; portable devices
- Examples of security measures: building alarm systems; locks on office doors; screens shielded from other viewers

Administrative Safeguards
- Examples: security officer; workforce training and oversight; controlling information access
- Examples of security measures: staff training; monthly review of users' activities; policy enforcement

Technical Safeguards
- Examples: controls on access to the EHR; use of audit logs to monitor activities; preventing improper changes to patient data; secure, authorized electronic exchange of PHI
- Examples of security measures: secure passwords; data backups; virus protection; data encryption

Policies, Procedures and Documentation Requirements
- Examples: written policies and procedures to assure HIPAA security compliance; documentation of security measures
- Examples of security measures: written protocols on authorizing users; record retention

Organizational Requirements
- Examples: breach notification and associated policies; business associate agreements
- Examples of security measures: agreement review and updates

ONC's 10 Step Plan
For meeting the privacy and security portions of MU:
1. Confirm you are a covered entity
2. Provide leadership
3. Document your process, findings and actions
4. Conduct your SRA
5. Develop an action plan for addressing threats and vulnerabilities
6. Manage and mitigate risks
7. Prevent with education and training
8. Communicate with patients
9. Update Business Associate contracts
10. Attest for the Security Risk Analysis objective
Source: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Most Common Risks
- Lack of policies and procedures to protect e-PHI
- Unencrypted backup and email procedures
- Inadequate employee training
- Lack of security on portable devices
- Lack of documentation to prove HIPAA compliance

Most Common Risks - Non-HIPAA-Compliant Procedures
- Emailing files with PHI to your EHR vendor
- Providing patient data on a CD to a billing company
- Data backed up to a tape that sits in the office
- Unencrypted backups
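A small risk register that walks the SRA cycle described above (identify, assess likelihood and impact, mitigate, monitor) and produces the dated, provider-identified report CMS suggests, using the "Most Common Risks" slides as its findings. This is an added example, not NextGen's or ONC's tooling; the 1-3 scoring scale, the field names and the NPI/practice/date values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scale for likelihood and impact


@dataclass
class Finding:
    threat: str
    safeguard: str            # HIPAA Security Rule section the deck lists: 164.308/310/312/316
    likelihood: str
    impact: str
    mitigation: str
    mitigated_on: Optional[date] = None

    def risk_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]  # 1 (low/low) .. 9 (high/high)


# Constructed findings taken from the deck's "Most Common Risks" slides.
FINDINGS = [
    Finding("Unencrypted backup tape kept in the office", "164.312", "medium", "high",
            "Encrypt backups and store media off-site", date(2014, 2, 14)),
    Finding("PHI e-mailed to the EHR vendor unencrypted", "164.312", "high", "high",
            "Use the vendor's secure transfer channel; block PHI in outbound e-mail"),
    Finding("No written policies and procedures for e-PHI", "164.316", "high", "medium",
            "Adopt a policy set and record review dates", date(2014, 3, 1)),
    Finding("Laptops holding PHI lack device encryption", "164.310", "medium", "high",
            "Full-disk encryption and remote wipe on portable devices"),
    Finding("Workforce security training not performed", "164.308", "medium", "medium",
            "Annual training with attendance records"),
]


def prioritized(findings):
    """Action-plan order (step 5 of ONC's plan): highest risk score first."""
    return sorted(findings, key=lambda f: f.risk_score(), reverse=True)


def open_findings(findings, as_of):
    """Findings not yet mitigated on a date. Open items are documented, not hidden:
    correcting deficiencies is part of risk management, not a bar to attesting."""
    return [f for f in findings if f.mitigated_on is None or f.mitigated_on > as_of]


def sra_report(findings, npi, practice, report_date, period_end):
    """The report CMS expects: dated before the end of the reporting period and tied
    to the provider (NPI, practice name), listing procedures/results per finding."""
    if report_date >= period_end:
        raise ValueError("SRA report must be dated before the end of the reporting period")
    return {
        "npi": npi, "practice": practice, "report_date": report_date.isoformat(),
        "findings": [
            {"threat": f.threat, "safeguard": f.safeguard, "score": f.risk_score(),
             "status": "mitigated" if f.mitigated_on and f.mitigated_on <= report_date else "open",
             "mitigation": f.mitigation}
            for f in prioritized(findings)],
        "open_count": len(open_findings(findings, report_date)),
    }


def demo_report():
    # Constructed: Q1 2014 reporting period, report dated mid-March; NPI is a placeholder.
    return sra_report(FINDINGS, "NPI-PLACEHOLDER", "Example Family Practice",
                      date(2014, 3, 15), date(2014, 3, 31))
```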
Common Myths

Myth: Simply implementing a certified EHR system is enough to fulfill my SRA requirement.
Fact: False. All providers who are covered entities must perform a security risk analysis.

Myth: My EHR vendor will take care of all my privacy and security concerns.
Fact: False. Vendors may provide information, training and guidance, but it is the sole responsibility of the provider to have a complete SRA conducted.

Myth: I only need to do the SRA once.
Fact: False. Your SRA is an ongoing and continuous process.

Myth: Before I attest for MU I must fully mitigate all risks.
Fact: False. Correcting deficiencies is a part of your risk management process.

Copyright 2013 NextGen Healthcare Information Systems, Inc.
Resources
- Security Risk Assessment Tool
  http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- National Institute of Standards and Technology (NIST)
  - NIST and HIPAA: http://www.nist.gov/healthcare/security/hipaasecurity.cfm
  - NIST: An Introductory Resource Guide to HIPAA: http://csrc.nist.gov/publications/nistpubs/800-66-rev1/sp-800-66-revision1.pdf
  - NIST: Guide for Conducting Risk Assessments: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
  - NIST Toolkit: http://scap.nist.gov/hipaa/
- ONC's Guide on Health Information, Privacy and Security and Meaningful Use
  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- CMS Security Risk Analysis Tipsheet: Protecting Patients' Health Information
  http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/securityriskassessment_factsheet_updated20131122.pdf
- OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
- ACP HIPAA Security Manual
  http://www.acponline.org/running_practice/practice_management/regulatory_compliance/hipaa/
- Mobile Devices
  - http://www.healthit.gov/sites/default/files/fact-sheet-managing-mobile-devices-in-your-health-care-organization.pdf
  - http://www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf
  - http://www.healthit.gov/sites/default/files/fact-sheet-a-guide-to-understanding-your-organizations-mobile-device-policies.pdf
- ONC Cybersecurity Checklist
  http://www.healthit.gov/providers-professionals/cybersecurity
- ONC's Privacy and Security Training Games
  http://www.healthit.gov/providers-professionals/privacy-security-training-games
Questions