We’ve assisted numerous clinics and hospitals through their audits, and you’re absolutely correct, John. For those clinics that have the people and processes already in place, this ends up (most of the time) being a non-issue, just time consuming. However, we have clients that have undergone significant changes since 2011, and now that they are being audited, the changes are coming back to haunt them, since tracking MU documentation through the changes may not have been the highest priority.
Even those clinics that have the right documentation are now finding that they shouldn’t just mail the documents in bulk to the auditors unless they’ve spent time creating a good summary document which clearly defines each and every appendix document being sent. Case in point: we had one clinic call us to help them with their appeal for a failed audit. When we engaged, we spent a few hours trying to determine why they failed the audit, since the documents they had on file to support their attestation were excellent. Then we reviewed how they sent them in: in just one mass mailing with no cover letter or explanation beyond a title for each document (i.e., “In Reference to Measure 2”).
Once we created a clear cover letter and resubmitted, they were notified very quickly that their appeal was successful. The clinic had mixed feelings – great that they passed, but unhappy about having to ‘mind-read’ the preferred format that the auditor was looking for. Right or wrong, many clinics are in the same place – frustrated with the process.
I don’t know anyone who enjoys an audit. However, an audit can at least be bearable if it’s clear what’s expected in the audit. I think we’re going to have a lot more stories about meaningful use audits coming down the pipe. Hopefully Todd’s advice helps some who run into a meaningful use audit.
Meaningful Use Expert, Jim Tate, has a really interesting post up on his Meaningful Use Audits website that shares some of the details CMS offered on the EHR incentive audits and appeals process. I know many of my readers are worried about the meaningful use audits and are interested in these details.
You can go and read Jim’s full post for all the details, but I wanted to highlight a few of the items he mentions.
First, CMS said that 5-10% of providers will be subject to pre/post-payment EHR incentive audits. Jim calls this casting a “wide net” for the MU audits. Considering meaningful use stage 1, it makes some sense why the MU audit net would be cast wide. I’m sure many who read this have a friend who’s been through the audit.
I was really intrigued that CMS said “If a provider continues to exhibit suspicious/anomalous data, could be subject to successive audits.” This reminded me of something my brother said about the military. He said that if you got your uniform inspection right the first couple times, then the officers would stop looking at you quite as much. However, if you had something wrong at first, be ready to be scrutinized. It seems like CMS is taking a similar approach. As in most things in life, it’s just better to be honest and accurate. Then, you don’t have to look over your shoulder.
Jim also notes that CMS said that no risk profile will be made public. Basically, we aren’t going to get any clue into how they chose who to audit. Plus, Jim notes that the only next step if you fail a meaningful use audit is to file an appeal.
As long as we have meaningful use tied to EHR incentive money and payment adjustments, I don’t see these MU audits going anywhere. So, if you’re attesting to meaningful use, make sure you’re prepared for an MU audit if it comes.
If you look at the number one meaningful use audit risk for a healthcare organization, I’m certain you’ll find lack of a proper Risk Assessment at the top of the list. I found this video of Jack Kolk, President of ACR2, talking about the need to do a risk assessment as part of the HITECH EHR incentive money which I’ll embed below.
That’s right, there’s a whole company whose main focus is doing healthcare risk assessments. I think this illustrates a number of things. First, there are a lot of healthcare organizations that are outsourcing their risk assessment. This is likely a good plan for most large organizations, since they often don’t have the time or expertise to do it well in house. Second, I believe it also illustrates that doing the risk assessment is not a simple task. There’s a lot that goes into doing a proper risk assessment.
I must admit that I was also intrigued by ACR2’s cloud-based risk assessment platform. Far too often a risk assessment consists of huge stacks of paper that get shuffled around the office. There’s a certain irony that the audit of IT would happen on stacks of paper. It just makes sense to do the risk assessment in the cloud.
Regular readers will probably now realize that I think the risk assessment is important both because of the meaningful use audit risk and because keeping a patient’s health information secure is the right thing to do.
The reality is that half of you reading this have already done a proper risk assessment or are looking to do one now. The other half have already decided that it’s too much work and so you don’t care to go to the work of a full risk assessment. You’d prefer to risk not doing one. You won’t likely admit this in public, but I know this is what goes on in many healthcare organizations.
For this latter group, let me see if I can at least offer a couple of important suggestions on HIPAA security compliance and protecting your health information. If healthcare did only these two things, we’d see a decrease in HIPAA violations.
Disk Encryption – Hospitals have no excuse to not be doing disk encryption on all of their devices. The technology is there and every hospital IT staff should be able to easily implement disk encryption in their environment. I’m not going to give a pass to ambulatory environments either, but I won’t be surprised if many ambulatory clinics just never knew they should be doing it.
Disk encryption is a relatively simple technology to implement and should have very little effect on your workflow. Every hospital CIO should make this mandatory and implement it immediately if it’s not already implemented. Every ambulatory office even down to the solo practice should find some IT help to implement disk encryption in their environment as well. If your IT support doesn’t know how to do disk encryption (and possibly if they haven’t recommended it previously), then you might want to consider finding new IT support.
Strong Authentication – Generally, organizations do a pretty good job when it comes to strong authentication. I know that this is the case because I hear so many people complaining about their hospitals’ authentication requirements. Most have some sort of two-factor authentication in place and have implemented strong password policies.
One challenge for hospitals is that they have so many different applications that they manage. This makes it a real challenge to ensure that good password policies and other authentication requirements are met.
Luckily, the tools we have to centrally manage these and other computer security policies are so much better today than they were previously. Plus, most of them integrate with an array of biometric, single sign-on (SSO), digital signature, and other solutions. I’ve been a big fan of the DigitalPersona biometric solution since I first wrote about it years ago. It is really amazing how far they’ve come with their integration in the enterprise healthcare environment and how they can solve many of these issues.
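The disk-encryption recommendation above is only verifiable if someone actually checks each device, and a risk assessment that says “all disks are encrypted” should rest on evidence rather than on policy. The following script is an added example for that check, not code from this post or from any vendor it mentions. It assumes Linux endpoints where `lsblk` (from util-linux) is available and where full-disk encryption is done with LUKS/dm-crypt; it walks the block-device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` reports and flags every mounted filesystem that does not sit on top of a `crypt` layer. The embedded JSON is a constructed sample, and the `allow` list of boot partitions that are unencrypted by design is an assumption you would tune to your own build standard.

```python
import json
import subprocess
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for a
# laptop whose root filesystem is on LUKS but whose /data partition is plaintext.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]},
       {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
     ]}
  ]
}
"""

# Mountpoints that are commonly left unencrypted on purpose (bootloader/EFI).
DEFAULT_ALLOW: Tuple[str, ...] = ("/boot", "/boot/efi")


def _walk(nodes: List[dict], ancestors: List[dict]) -> Iterator[List[dict]]:
    """Yield the ancestor chain (root disk ... leaf) for every node in the tree."""
    for node in nodes:
        chain = ancestors + [node]
        yield chain
        yield from _walk(node.get("children", []), chain)


def mounted_filesystems(lsblk_json: str) -> Dict[str, bool]:
    """Map each mountpoint to True when an encrypted (dm-crypt) layer is in its chain."""
    tree = json.loads(lsblk_json)["blockdevices"]
    result: Dict[str, bool] = {}
    for chain in _walk(tree, []):
        mountpoint = chain[-1].get("mountpoint")
        if not mountpoint:
            continue  # unmounted partitions and raw disks carry no data path to assess
        # A filesystem is encrypted at rest only if it sits on top of a crypt mapper
        # device; the fstype of the LUKS container itself is "crypto_LUKS".
        encrypted = any(node.get("type") == "crypt" for node in chain)
        result[mountpoint] = encrypted
    return result


def unencrypted_mounts(lsblk_json: str,
                       allow: Iterable[str] = DEFAULT_ALLOW) -> List[str]:
    """Return mountpoints without an encryption layer, minus allow-listed ones."""
    allowed = set(allow)
    return sorted(mp for mp, enc in mounted_filesystems(lsblk_json).items()
                  if not enc and mp not in allowed)


def live_unencrypted_mounts(allow: Iterable[str] = DEFAULT_ALLOW) -> List[str]:
    """Run lsblk on this host and report its unencrypted mounts (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out, allow)


if __name__ == "__main__":
    # Against the constructed sample this reports only /data; /boot/efi is allow-listed.
    print("sample host, unencrypted mounts:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
```

Run on a fleet (for instance from a configuration-management job), the per-host output is the evidence that belongs in the risk-assessment appendix: an empty list per device, or a named list of plaintext volumes to remediate. Note that this checks the block-device layer only; it does not cover removable media that is not currently attached, nor platforms that use BitLocker or FileVault, which need their own equivalent query.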
The Real Solution
The most important thing a healthcare organization can do is to integrate HIPAA security and risk assessment into everything they do. Securing health IT and assessing your risk shouldn’t just be a one time event. Instead, a quality healthcare organization will make an institutional decision to make HIPAA security a priority in everything they do. However, the realist in me hopes that every organization will at least start with disk encryption and strong authentication.
This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.
Lynn Scheps is Vice President, Government Affairs at EHR vendor SRSsoft. In this role, Lynn has been a Voice of Physicians and SRSsoft users in Washington during the formulation of the meaningful use criteria. Lynn is currently working to assist SRSsoft users interested in showing meaningful use and receiving the EHR incentive money. Check out Lynn’s previous Meaningful Use Monday posts.
By definition, attestation is based on the honor system—that is, at least until you find yourself the subject of an audit. CMS has launched its anticipated program, and some physicians who have received an EHR incentive payment recently received a letter from the designated auditing firm, Figliozzi and Company.
Although there is no way to predict which physicians will be audited, providing the information requested should not be too onerous a task for those “lucky” ones who are tapped. Providers are being asked to show proof that they possess a certified EHR and to substantiate the data they reported for the core and menu measures—specifically, via “a report from their EHR system that ties to their attestation.” Since all certified EHRs generate an automated measure calculation report and a clinical quality measure report, that documentation should be readily accessible. It would not surprise me if they are also asked to provide documentation of the security and risk analysis that the practice conducted to ensure HIPAA compliance. For suggestions regarding the type of data to retain to support your attestation, see the Meaningful Use Monday post, MU Attestation: Save Your Documentation.
Based on material published by the auditors and by CMS on its EHR Incentives website, it does not seem that the audits will be so detailed as to require site visits or reviews at the patient chart-level. My sense is that CMS is looking to identify failures to comply with the major requirements—adopting and using a certified EHR to meet the meaningful use measures and reporting accurately on the data generated by that EHR.
(If you have been audited and would like to share your experience, please post a comment.)