Wednesday, February 18, 2015
A Meaningful Use Post-payment Audit? - “Say It Ain’t So, Joe!”
By: Susan Pretnar, President KeySys Health, LLC
Oh, what I mean is “Say it ain’t so, Mr. Figliozzi, CFA, CFF, FCPA”. Who knows if Shoeless Joe really threw the 1919 World Series, but in our world, if you attested to Meaningful Use, you know for sure that CMS could come calling to see if what you attested to is indeed what happened back in the day. And, that ‘day’ could be the very first year you attested to Meaningful Use.
In 2014, CMS audited just 5% of the providers who had attested to Meaningful Use (for any year). How in the world could they find you? Just 5% was still 20,000+ providers. The rub: the government paid out more than $20B and CMS was blasted for not auditing enough to assure the money was properly spent. Is there fraud in the Medicare and Medicaid programs? Just sayin…might that also be the case with Meaningful Use?
I thought I’d offer a firsthand account of what might happen if you receive an email (yes, it comes as an email of High Importance) notifying you that one of your physicians has been selected for a HITECH EHR Meaningful Use audit for payment year XX. It is important to remember the contact email address that was given when you attested to Meaningful Use, because that is the person who will receive the email from email@example.com. Is that person still with your practice? There are all kinds of unpleasantries if the selection email bounces back to figliozzi.com.
Make a note - recheck the contact information on your attestations
By the way, at the end of their notification email, it advises you to add this email address to your safe sender list, otherwise their correspondence might be blocked as spam. You cannot respond back to this address mind you, but you had best let them contact you!
2nd note – ask the tech people to let the figliozzi email address come flying through the firewall
3rd note – ask the tech people to check everybody’s spam folder - what the heck, better safe than sorry
Then what? The person who has been assigned as your very own personal auditor is named in the email and his/her contact information is included. You email and talk to that person, not firstname.lastname@example.org. They are probably not coming on site; after all, 20,000+ of these emails were sent out last year. They prefer a desk audit (much cheaper and faster), with your personal auditor sitting comfortably at his/her desk waiting for your stuff, while you probably have not been allowed to sit down since the selection email arrived.
The selection email gives clear directions of how to send in a list of requested documents and how to identify each file. My small sample of just two examples indicates the selection notification email will give you a month to reply. Though not a statistically valid sample, I’d go out on a limb and say that is the norm.
So, what happens in a practice in order to respond to a selection email? While every practice will be a unique scenario, the following is a brief synopsis of some generously shared notes from one practice about the time dedicated to complete their response (retrieving documents, correctly labeling and emailing files, rebuttal opportunities, etc.), the number of people who participated in the response, and what they wish they had and hadn’t done ‘back in the day’. In retrospect, this practice did not feel that the total ‘cost’ of the audit was significant enough to try to compute.
The practice was given 3 opportunities to submit documentation for specific core measures, because their first submission was not completely satisfactory. Because so many practices lack a comprehensive risk assessment, it was a primary document Figliozzi focused on and one that the practice had to clarify further, necessitating a request to their outsourced IT managed service provider for additional documentation.
Another stumbling block was the fact that the practice’s attestation in question was based on a certified EMR that had subsequently been sold, and sold again. The original product certification was no longer on CMS’s system, so there was much ado about when or whether their EMR was truly a certified system. The practice’s current EMR vendor was able to research and substantiate the original vendor certification. In addition, their EMR had been upgraded several times; recreating reports from prior periods was problematic because of configuration changes and enhancements to the reporting tool, so research and correction of records for unmatched statistics were required.
The final hurdle was the inability to electronically submit syndromic surveillance data to a state public health department. The practice was given a waiver since their EMR was incapable of electronically creating syndrome-based public health surveillance information in the required format. At one time, there was a requirement to attempt a transmission, regardless of the ability of your State Department of Health to accept it, because ONC supplied test data and the criteria for testing this capability. There was significant confusion about whether a ‘failed’ test was sufficient, and whether it could even be attempted in Alabama during the first year of attestations. Apparently, there was enough confusion that Figliozzi granted the waiver.
In summary, this practice was complimentary of their treatment by their auditor, who was generous with extensions due to the holidays overlapping their audit period. Because of the way they had stored their backup information, the practice had to recreate or separate results for just one doctor, even though some of the data applied to all of them. However, this practice was able to rely almost entirely on one manager, who was also instrumental in their attestation process, to formulate their responses. The audit did not cause a major disruption in their day-to-day operations, nor much concern by the management team.
By the way, there was also a happy ending. Just wanted you to know.