Meaningful Use Audits, RAC Audits, and HIPAA Audits

Posted on July 14, 2014

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening across organizations of every size and are conducted by the CMS-hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi, you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the self-attestation objectives and others, detailing the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, then you’ll want to take some time to go through the document to make sure you can provide the necessary documentation if needed. In many cases this simply includes dated screenshots to prove measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not totally rely on them.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization who wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold as CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. While no RAC audits are occurring right now, that doesn’t mean the claims you’re filing today can’t and won’t be audited once the RAC audits resume.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that they’d be surveying 800 covered entities and 400 business associates to select the next round of audit subjects. An OCR spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike previous audits that were done by KPMG, these HIPAA audits will be done by OCR staff. One area that these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be overstated and is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

Summary
No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.