Post on 30-Dec-2015

© 2015 CHAN Healthcare

Preparing for Meaningful Use Audits

Erik Dahl, CISA, CISSP

IT Audit Director

Learning Objectives

Understand the types of Meaningful Use audits that you may be subject to

Understand the process CMS audits are following

Learn what supporting documentation is being requested

Discuss key lessons learned that may help you with your audit defense strategy

Agenda

Meaningful Use
• Common Challenges
• Attestation Requirements Overview
• Types of Audits
• Initial CMS Audit Results

Meaningful Use Audit Process
• Audit Notification
• Documentation Request
• Providing Documentation

Lessons Learned

Common MU Challenges

• A fast-paced timeline for adopting Meaningful Use criteria, mandating aggressive project implementation plans and reporting to achieve Meaningful Use status
• Ever increasing and evolving changes and complexity to the Meaningful Use Attestation requirements, magnifying the need for maintaining and sustaining an effective Compliance and Reporting Program
• Completing a Security Risk Assessment that covers the requirements for Meaningful Use Attestation Reporting, Testing and Validation, Documentation Retention and Compliance with HIPAA and HITECH requirements
• Likelihood of being audited by CMS for compliance and failure to provide proper supporting evidence, resulting in payments being withheld or payments being recouped by CMS
• Knowing the relevant supporting documentation that should be maintained and archived post-attestation to support the Meaningful Use Attestation calculations and measurements that were filed

Meaningful Use (MU) – Attestation Requirements Overview

Attestation Requirements
• Meet Program Eligibility Requirements
• Use Certified Electronic Health Record Technology (CEHRT) during the attestation period
• Achievement of Core and Menu Measures
• Implementation and Reporting of Clinical Quality Measures
• Completed Security Risk Assessment

Penalties
• If non-compliant, refund Meaningful Use incentives earned plus penalties where applicable
• If fraudulent attestation, punishment may involve imprisonment, significant fines, or both; loss of operating license; exclusion from Medicare/Medicaid participation for a specified length of time; and/or civil liability (Medicare/Medicaid fraud)

Types of Meaningful Use Audits

Centers for Medicare and Medicaid Services (CMS)
• Most common type of MU audit
• Cover Medicare or dually eligible
• Performed by Figliozzi & Company
• Target between 5 to 10% of attestations
• Performed as both Pre and Post payment audits

Medicaid
• Performed by states and their contractors
• If first year of participation, the audit will focus on support for adopting, implementing, or upgrading, certified EHR technology
• Beyond first year, requirements similar to CMS audit requirements

Types of Meaningful Use Audits

Office of the Inspector General (OIG)
• Performed beginning in 2015 as oversight audits over CMS
• May cover all your attestations, not just one program year
• Looking for support of Medicaid patient volumes and Medicare cost report calculation
• You may only have 10 days to respond to the audit
• The OIG warns of secure transmission of any documentation containing ePHI

Medicare Administrative Contractor (MAC) EHR Audits
• Audits have recently begun focusing on Critical Access Hospitals
• Focused on cost reporting and allowable costs and inpatient days
• Request listing is provided in the form of a spreadsheet
• Some requests have been mistaken for phishing attacks

Initial CMS Audit Results – Eligible Professionals

Pre-payment Audits – Eligible Professionals¹

• Of those EP’s audited, 21 percent failed pre-payment audit
• Of those that did not pass, 93 percent did not meet “appropriate objectives and associated measures”
• The remaining 7 percent did not use a certified EHR when attesting

Post Payment Audits – Eligible Professionals¹

• Of those EP’s audited, 23 percent failed post payment audit
• Of those that did not pass, 99 percent did not meet “appropriate objectives and associated measures”
• The remaining 1 percent did not use a certified EHR when attesting

1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.

Initial CMS Audit Results – Eligible Hospitals

Post Payment Audits – Eligible Hospitals¹

• Eligible Hospitals had a much lower audit failure rate at 4.7 percent.
• Incentive payments to be returned, pending an appeal, ranged from $280,414 to $3,430,591
• The average incentive payment proposed for return (pending an appeal) was $1,132,937

Common Audit Failure Reasons

• Lack of security risk analysis
• Failure to use a certified and complete EHR
• Failure to maintain supporting evidence

1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.

CMS MU Audit - Notification

Audit Engagement Cover Letter

Document Request Letter

Web Portal Instructions

Web Portal Frequently Asked Questions

CMS Audit Notification – Audit Engagement Letter

CMS Audit Notification – Document Request List

Scope of Request – Five Topics in Three Parts

Part I – General Information:
• Proof of use of a Certified EHR system
• Documentation to support the method chosen to report ED admissions

Part II – Core Set Objectives/Measures:
• Supporting documentation and reporting for core measures used in the completion of the Attestation Module
• Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period

Part III – Menu Set Objectives/Measures:
• Supporting documentation and reporting for menu measures used in the completion of the Attestation Module
• Supporting documentation for menu items for which there are not EHR reports

Scope of Request – Item 1

Requests evidence of use of a Certified Electronic Health Record Technology system

Requests a copy of your licensing agreement with the vendor or invoices.

Specifies the licensing agreements or invoices identify the vendor, product name and product version number

If version number is not present, requests a letter from your vendor attesting to the version number used during your attestation period

Item 1 – Examples of Documents Submitted

Certified EHR Technology (CEHRT) Verification Letter

Discussion of CEHRT Contracts

Redacted copies of CEHRT Contracts (multiple documents)

Scope of Request – Item 2

Requests confirmation of the methodology requested for reporting Emergency Department (ED) admissions. (Observation Services or All ED Visits)

Requests documentation to support patients admitted to the ED were included in the denominators according to the selected ED methodology

Asks for an explanation of how the ED admissions were calculated and a summary of ED admissions

Item 2 – Examples of Documents Submitted

Screen shots showing selection of the chosen ED methodology within the EHR reporting module.

Screen shots of the reporting logic to include explanation of the logic and how it enforces the chosen ED methodology.

Scope of Request – Item 3

Requests support for metric based Core Measures (percentage based measures for which there are EHR reports)

Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation)

Can be provided in either paper or electronic format

Requests that reports display the EHR logo to evidence the reports were generated from your EHR system

If reports do not display the EHR logo, step by step screen shots demonstrating how the reports are generated by your EHR are requested

Measures Covered by Request Item 3

• CPOE for Medication Orders
• Maintain Problem List
• ePrescribing (EP’s Only)
• Active Medication List
• Medication Allergy List
• Record Demographics
• Record Vital Signs
• Record Smoking Status
• *Electronic Copy of Health Information
• *Electronic Copy of Discharge Instructions (Hospital/CAH)
• Clinical Summaries (EP’s Only)

* - Replaced by Patient Electronic Access Measure in 2014

Item 3 – Examples of Documents Submitted

Summary reports for the requested measures generated for the EHR reporting period

Screen shots of the output from CEHRT’s reporting utility by objective

Step by step guide for running MU functional reports in CEHRT or Third Party MU Reporting Utility

Spreadsheet tables used to aggregate the data submitted at attestation by objective

Scope of Request – Item 4

Requests evidence that a security risk analysis of Certified EHR technology was performed prior to the end of the reporting period

Requests a report which documents the procedures performed during the analysis and the results of the analysis

If deficiencies are identified, requests you supply the implementation plan to include completion dates

Security Risk Analysis Considerations

Can be performed internally or outsourced

Must include risk analysis and mitigation plans if deficiencies are identified

Must be performed during each MU reporting period

Addressing encryption of data was added for Stage 2 MU

Devices that access your EHR should also be included (Desktops, Connected Medical Devices, Mobile Devices, etc.)

Item 4 – Examples of Documents Submitted

Security Risk Analysis Executive Summary and Detail Report

Security Risk Analysis Remediation Plan with Completion Dates

Meaningful Use Security Risk Analysis Strategy Description

Scope of Request – Item 5

Requests support for metric based Menu Set Measures selected for attestation (percentage based measures for which there are EHR reports)

Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation)

Can be provided in either paper or electronic format

Requests that reports display the EHR logo to evidence the reports were generated from your EHR system

If reports do not display the EHR logo, step by step screen shots demonstrating how the reports are generated by your EHR are requested

Requests supporting documentation for Menu Set Measures for (Y/N Measures) selected for attestation

Measures Covered by Request Item 5

• Advance Directives (Hospital/CAH)
• Clinical Lab Test Results
• Patient Reminders (EP’s Only)
• Patient Electronic Access (EP’s Only prior to 2014)
• Patient-Specific Education Resources
• Medication Reconciliation
• Transition of Care Summary
• Patient Lists
• Immunization Registries Data Submission
• Syndromic Surveillance Data Submission
• Reportable Lab Results to Public Health Agencies (Hospital/CAH)

Item 5 – Examples of Documents Submitted

Summary reports for the requested measures generated for the EHR reporting period

Screen shots of the output from CEHRT’s reporting utility by objective

Spreadsheet tables used to aggregate the data we submitted at attestation by objective

Step by step guide for running MU functional reports in CEHRT reporting utility

Patient Lists – Example report and walkthrough of how patient lists may be generated

Public Health Reporting Objectives (Immunization, Labs and Syndromic)
• Email or Letter for receiving entity confirming successful test and on-going submission
• Email or Letter confirming registration and testing

Measures Not Audited

Core Measures:

Drug Interaction Checks

Clinical Quality Measures (CQMs)

Clinical Decision Support Rule

Electronic Exchange of Clinical Information (Discontinued in 2013)

Menu Measures:

Drug Formulary Checks

Lessons Learned

Assign a MU Governance Committee or MU Project Team that keeps abreast of the MU Attestation rules and requirements to help maintain and sustain an effective Compliance & Reporting Program

Document MU Strategy that describes the reasoning behind those core and menu measures that were chosen or excluded

Pay attention to detail and develop a good understanding of the detailed reporting requirements before attesting

Conduct your own data validation; do not rely on the EHR vendor for completeness and accuracy of data used in the reported measures

Conduct a thorough and comprehensive MU Security Risk Analysis

Lessons Learned, continued

Prepare a Gap Analysis document for the key risks identified

Assign accountability and follow-up on status of Corrective Action Plan

Retain thorough documentation with the proper cutoff dates that provide point-in-time evidence and detailed supporting documentation

Maintain a centralized MU Attestation Documentation Repository

Have a COMPLETE CEHRT and supporting licenses / documentation for all MU required modules

Verify reasonableness and accuracy of all MU measures before filing attestation

For more information, contact:

Erik Dahl, CISA, CISSP

Direct 856.885.0127

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. © 2014 Crowe Horwath LLP