INSIGHTS FOR HEALTH CARE 

FEBRUARY 19, 2015  


Free IT Security Webinar!

 
Safeguarding Patient Information: What is Your Risk?
 
Friday, March 6, 2015
11:00 - Noon CST
(CPE: 1 Credit)
 
 
One participant will be randomly selected for a free penetration test! 
 
ABOUT US

Eide Bailly is a top 25 CPA and business advisory firm with a national health care practice.

 

Health Care News Network (HCNN) is published on an as-needed basis to keep you informed of current news impacting health care organizations.
 




EHR Meaningful Use Audits | What You Need to Know

 

By: Jon Ault

 

Look through any healthcare forum or publication today and you are sure to see multiple headlines regarding Electronic Health Record (EHR) incentive program audits on meaningful use and clinical quality measures. For those organizations that have fully prepared, these audits are simply a formal review process to confirm that all program standards have been met and properly documented within their organization. For organizations that are not prepared, negative EHR incentive program audit reports can result in orders to return incentive payments and can even lead to legal action against executive leaders accused of fraudulent attestations. (At least one individual has been criminally indicted for lying about attainment of EHR meaningful use standards.) With a high audit rate of 5 - 10% of all participants in the EHR incentive program, the stakes for ensuring you are adequately and completely prepared for a meaningful use audit are high!

 

Prepare your organization for a meaningful use audit today by ensuring you have demonstrated attainment of EHR incentive program standards based on your requirements' stage. In some cases, key staff may have changed since completion of the attestation process. Therefore, it is critical that you ensure the ability of current staff to accurately validate achievement of each measure during the attestation period in the event of an audit.

 

Key Areas:

 

Response Team

Requests for audit information will require you to respond in a matter of weeks; therefore, proactively assigning responsibility for responding to an EHR incentive program audit is critical to ensuring a smooth and timely response. Your response team's efforts should include: 

  • Appointing a specific individual to coordinate maintenance and review of all meaningful use documentation and communications.
  • Making sure you have the right team assembled; this typically includes clinical, technology, financial and other administrative staff.
  • Centrally storing all documentation (electronic and / or paper) from the attestation process.
  • Conducting mock meaningful use audits to ensure you can respond to any and all requests for information demonstrating you have met each meaningful use measure.
  • You may be selected for an audit randomly or as a result of suspicious / anomalous data. It is critical that your response team continues to maintain all meaningful use attestation data throughout the process, even if you have already been audited.
  • Possibly engaging with outside consultants or legal counsel to review or perform mock audits of your attestation documentation for completeness and accuracy.

With a pre-determined response team in place and successful completion of internal mock meaningful use audits, your facility (or practice) will be in a much stronger position to respond confidently and clearly in the event of an actual audit.

 

Confirm Documentation

The primary documentation requested in all EHR meaningful use reviews will be the source documentation, supporting the values entered during completion of the attestation process. Per the Centers for Medicare and Medicaid Services (CMS) audit resources, at a minimum, this will include: 

  • Numerators and denominators for the measures data
  • Time period covered in the report
  • Evidence to support that the measures report was generated for the eligible professional (EP), eligible hospital or critical access hospital (CAH) in question (i.e., identified via National Provider Identifier (NPI), CMS Certification Number (CCN), provider or practice name, etc.)

Audit Lessons Learned

Eide Bailly's experience with clients who have undergone EHR incentive program audits indicates that the following areas represent the most significant risk in audits: 

  • Incomplete Risk Assessment documentation. Your Risk Assessment must:
    • Demonstrate that the Risk Assessment was completed during the appropriate attestation period.
    • Demonstrate that your Risk Assessment includes all content required to meet meaningful use requirements. Please join us for a free webinar!
  • Meaningful use measure data that is not clearly from your certified EHR:
    • Save screen shots or reports directly from your certified EHR that demonstrate attainment of calculated meaningful use measures.
    • EHR configuration and / or system logs should be saved to demonstrate features required for attainment of meaningful use are enabled on your certified EHR.
    • Save documentation from your EHR vendor demonstrating that you have implemented a certified EHR product.
  • Calculation errors are common.
    • Maintain records that demonstrate how you calculated attainment of each meaningful use measure (e.g., details for each measure's numerator and denominator).
    • Confirm all data used in calculations is directly from your certified EHR.
    • Ensure each measure has correctly defined "unique" patients for calculation purposes.
  • In the event you are audited:
    • Communicate with the auditors to clarify and confirm expectations for all documentation requests.
    • Save all communications related to the audit process (emails, data submissions, etc.).

Retain Records

All EHR incentive program meaningful use objective and clinical quality measures documentation should be retained for a suggested six years post-attestation. This includes documentation to support payment calculations, such as cost reports.

 

If you would like more information regarding EHR incentive program meaningful use objectives and clinical quality measures reviews or have any questions on how to prepare your organization for a potential audit, please contact Jon Ault at 701.476.8913 or your local Eide Bailly representative.

Safeguarding Patient Information | What Is Your Risk?

 

According to the U.S. Department of Health & Human Services, in 2014, there have been more than 100 reportable data breaches of protected health information affecting 500 individuals or more. These breaches in the health care sector are much broader than those eye-catching hacking headlines in the news. Every year, dozens of lesser known incidents occur, impacting local health care providers and their employees or patients, both financially and otherwise. The unfortunate fact remains, however, that a large number of the breach events occurring within the industry could easily be prevented simply by implementing the right technology solutions. In today's age of seemingly limitless data collection, the risk of a breach or hack will likely always be prevalent, but you can implement policies, processes and technical solutions to dramatically reduce your risk today.

 

Areas of Opportunity  

In particular, there are two areas that should be a focus for your organization: 

  

  • HIPAA Risk Analysis:

Completing a HIPAA Risk Analysis is required to meet Stage II Meaningful Use. In addition, incomplete HIPAA Risk Analysis documentation has been a frequent finding in Stage I Meaningful Use audits. A complete HIPAA Risk Analysis for Meaningful Use requires all of the following elements: 

    • A Definition of the Scope of Analysis (All PHI must be included)
    • Data Collection (Where is PHI stored?)
    • Identification and Documentation of Potential Threats and Vulnerabilities
    • An Assessment of Current Security Measures
    • A Determination of the Likelihood of Threat Occurrence
    • A Determination of the Potential Impact of Threat Occurrence
    • A Determination of the Level of Risk
    • Finalized Documentation
    • A Plan for Periodic Review and Updates to the Risk Analysis

In addition, completion of this analysis is a critical first step to further understanding your HIPAA / PHI-related risks and limiting your organization's risk of exposure. How effective is your overall information security program? 

 

  • Security Testing:

Many organizations view their HIPAA Risk Analysis as a simple review of policies, technologies in place and staff training. However, for an information security program to be effective, it is essential that you frequently complete technical testing to identify specific vulnerabilities in your unique environment. External penetration and internal vulnerability assessments are two common, effective testing methods. Completing these tests is a critical step to developing a plan for improving your "Technical Safeguards" under HIPAA.


To learn more, please join us for a free webinar (Safeguarding Patient Information: What Is Your Risk? on Friday, March 6, 2015 at 11:00 a.m. to noon CT) to discover how to develop an effective security plan, understand the industry's critical vulnerabilities, and reduce your organizational risks to further safeguard your patients' protected health information, your bottom line and your market reputation.

 

Register soon: we will be selecting one random participant from the first 10 registrations to complete a free external penetration test for use as an anonymous case study to be shared with participants!

 

If you would like more information or have any questions, please contact Jon Ault at 701.476.8913 or your Eide Bailly representative.

 


Jon Ault
Technology Consulting, Sr. Manager

This publication is produced and published by Eide Bailly and distributed with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns as the contents of the publication are intended for general informational purposes only. Readers are urged not to act upon the information contained in this publication without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and information for publication can be submitted to your Eide Bailly representative. To request reprints of this publication, send a written request to RequestReprints@eidebailly.com.
© 2014 Eide Bailly LLP.