© 2015 CHAN Healthcare
Preparing for Meaningful Use Audits
Erik Dahl, CISA, CISSP
IT Audit Director
Learning Objectives
Understand the types of Meaningful Use audits that you may be subject to
Understand the process CMS audits are following
Learn what supporting documentation is being requested
Discuss key lessons learned that may help you with your audit defense strategy
Agenda
Meaningful Use
• Common Challenges
• Attestation Requirements Overview
• Types of Audits
• Initial CMS Audit Results
Meaningful Use Audit Process
• Audit Notification
• Documentation Request
• Providing Documentation
Lessons Learned
Common MU Challenges
A fast-paced timeline for adopting Meaningful Use criteria, mandating aggressive project implementation plans and reporting to achieve Meaningful Use status
Ever increasing and evolving changes and complexity to the Meaningful Use Attestation requirements, magnifying the need for maintaining and sustaining an effective Compliance and Reporting Program
Completing a Security Risk Assessment that covers the requirements for Meaningful Use Attestation Reporting, Testing and Validation, Documentation Retention and Compliance with HIPAA and HITECH requirements
Likelihood of being audited by CMS for compliance and failure to provide proper supporting evidence, resulting in payments being withheld or payments being recouped by CMS
Knowing the relevant supporting documentation that should be maintained and archived post-attestation to support the Meaningful Use Attestation calculations and measurements that were filed
Meaningful Use (MU) – Attestation Requirements Overview
Attestation Requirements
• Meet Program Eligibility Requirements
• Use Certified Electronic Health Record Technology (CEHRT) during the attestation period
• Achievement of Core and Menu Measures
• Implementation and Reporting of Clinical Quality Measures
• Completed Security Risk Assessment
Penalties
• If non-compliant, refund Meaningful Use incentives earned plus penalties where applicable
• If fraudulent attestation, punishment may involve imprisonment, significant fines, or both; loss of operating license; exclusion from Medicare/Medicaid participation for a specified length of time; and/or civil liability (Medicare/Medicaid fraud)
Types of Meaningful Use Audits
Centers for Medicare and Medicaid Services (CMS)
• Most common type of MU audit
• Cover Medicare or dually eligible
• Performed by Figliozzi & Company
• Target between 5 to 10% of attestations
• Performed as both Pre and Post payment audits
Medicaid
• Performed by states and their contractors
• If first year of participation, the audit will focus on support for adopting, implementing, or upgrading, certified EHR technology
• Beyond first year, requirements similar to CMS audit requirements
Types of Meaningful Use Audits
Office of the Inspector General (OIG)
• Performed beginning in 2015 as oversight audits over CMS
• May cover all your attestations, not just one program year
• Looking for support of Medicaid patient volumes and Medicare cost report calculation
• You may only have 10 days to respond to the audit
• The OIG warns of secure transmission of any documentation containing ePHI
Medicare Administrative Contractor (MAC) EHR Audits
• Audits have recently begun focusing on Critical Access Hospitals
• Focused on cost reporting and allowable costs and inpatient days
• Request listing is provided in the form of a spreadsheet
• Some requests have been mistaken for phishing attacks
Initial CMS Audit Results – Eligible Professionals
Pre-payment Audits – Eligible Professionals¹
• Of those EPs audited, 21 percent failed pre-payment audit
• Of those that did not pass, 93 percent did not meet “appropriate objectives and associated measures”
• The remaining 7 percent did not use a certified EHR when attesting
Post Payment Audits – Eligible Professionals¹
• Of those EPs audited, 23 percent failed post payment audit
• Of those that did not pass, 99 percent did not meet “appropriate objectives and associated measures”
• The remaining 1 percent did not use a certified EHR when attesting
1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.
Initial CMS Audit Results – Eligible Hospitals
Post Payment Audits – Eligible Hospitals¹
• Eligible Hospitals had a much lower audit failure rate at 4.7 percent.
• Incentive payments to be returned, pending an appeal, ranged from $280,414 to $3,430,591
• The average incentive payment proposed for return (pending an appeal) was $1,132,937
Common Audit Failure Reasons
• Lack of security risk analysis
• Failure to use a certified and complete EHR
• Failure to maintain supporting evidence
1 - CMS provided this information to Steve Spearman, of advisory firm Health Security Solutions, in November 2014, nine months after he filed a Freedom of Information Act request.
CMS MU Audit - Notification
Audit Engagement Cover Letter
Document Request Letter
Web Portal Instructions
Web Portal Frequently Asked Questions
Scope of Request – Five Topics in Three Parts
Part I – General Information:
• Proof of use of a Certified EHR system
• Documentation to support the method chosen to report ED admissions
Part II – Core Set Objectives/Measures:
• Supporting documentation and reporting for core measures used in the completion of the Attestation Module
• Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period
Part III – Menu Set Objectives/Measures:
• Supporting documentation and reporting for menu measures used in the completion of the Attestation Module
• Supporting documentation for menu items for which there are not EHR reports
Scope of Request – Item 1
Requests evidence of use of a Certified Electronic Health Record Technology system
Requests a copy of your licensing agreement with the vendor or invoices.
Specifies the licensing agreements or invoices identify the vendor, product name and product version number
If version number is not present, requests a letter from your vendor attesting to the version number used during your attestation period
Item 1 – Examples of Documents Submitted
Certified EHR Technology (CEHRT) Verification Letter
Discussion of CEHRT Contracts
Redacted copies of CEHRT Contracts (multiple documents)
Scope of Request – Item 2
Requests confirmation of the methodology requested for reporting Emergency Department (ED) admissions. (Observation Services or All ED Visits)
Requests documentation to support patients admitted to the ED were included in the denominators according to the selected ED methodology
Asks for an explanation of how the ED admissions were calculated and a summary of ED admissions
Item 2 – Examples of Documents Submitted
Screen shots showing selection of the chosen ED methodology within the EHR reporting module.
Screen shots of the reporting logic to include explanation of the logic and how it enforces the chosen ED methodology.
Scope of Request – Item 3
Requests support for metric based Core Measures (percentage based measures for which there are EHR reports)
Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation)
Can be provided in either paper or electronic format
Requests that reports display the EHR logo to evidence the reports were generated from your EHR system
If reports do not display the EHR logo, step by step screen shots demonstrating how the reports are generated by your EHR are requested
Measures Covered by Request Item 3
CPOE for Medication Orders
Maintain Problem List
ePrescribing (EPs Only)
Active Medication List
Medication Allergy List
Record Demographics
Record Vital Signs
Record Smoking Status
*Electronic Copy of Health Information
*Electronic Copy of Discharge Instructions (Hospital/CAH)
Clinical Summaries (EPs Only)
* - Replaced by Patient Electronic Access Measure in 2014
Item 3 – Examples of Documents Submitted
Summary reports for the requested measures generated for the EHR reporting period
Screen shots of the output from CEHRT’s reporting utility by objective
Step by step guide for running MU functional reports in CEHRT or Third Party MU Reporting Utility
Spreadsheet tables used to aggregate the data submitted at attestation by objective
Scope of Request – Item 4
Requests evidence that a security risk analysis of Certified EHR technology was performed prior to the end of the reporting period
Requests a report which documents the procedures performed during the analysis and the results of the analysis
If deficiencies are identified, requests you supply the implementation plan to include completion dates
Security Risk Analysis Considerations
Can be performed internally or outsourced
Must include risk analysis and mitigation plans if deficiencies are identified
Must be performed during each MU reporting period
Addressing encryption of data was added for Stage 2 MU
Devices that access your EHR should also be included (Desktops, Connected Medical Devices, Mobile Devices, etc.)
Item 4 – Examples of Documents Submitted
Security Risk Analysis Executive Summary and Detail Report
Security Risk Analysis Remediation Plan with Completion Dates
Meaningful Use Security Risk Analysis Strategy Description
Scope of Request – Item 5
Requests support for metric based Menu Set Measures selected for attestation (percentage based measures for which there are EHR reports)
Requests supporting documentation used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation)
Can be provided in either paper or electronic format
Requests that reports display the EHR logo to evidence the reports were generated from your EHR system
If reports do not display the EHR logo, step by step screen shots demonstrating how the reports are generated by your EHR are requested
Requests supporting documentation for Menu Set Measures for (Y/N Measures) selected for attestation
Measures Covered by Request Item 5
Advance Directives (Hospital/CAH)
Clinical Lab Test Results
Patient Reminders (EPs Only)
Patient Electronic Access (EPs Only prior to 2014)
Patient-Specific Education Resources
Medication Reconciliation
Transition of Care Summary
Patient Lists
Immunization Registries Data Submission
Syndromic Surveillance Data Submission
Reportable Lab Results to Public Health Agencies (Hospital/CAH)
Item 5 – Examples of Documents Submitted
Summary reports for the requested measures generated for the EHR reporting period
Screen shots of the output from CEHRT’s reporting utility by objective
Spreadsheet tables used to aggregate the data we submitted at attestation by objective
Step by step guide for running MU functional reports in CEHRT reporting utility
Patient Lists – Example report and walkthrough of how patient lists may be generated
Public Health Reporting Objectives (Immunization, Labs and Syndromic)
• Email or Letter for receiving entity confirming successful test and on-going submission
• Email or Letter confirming registration and testing
Measures Not Audited
Core Measures:
Drug Interaction Checks
Clinical Quality Measures (CQMs)
Clinical Decision Support Rule
Electronic Exchange of Clinical Information (Discontinued in 2013)
Menu Measures:
Drug Formulary Checks
Lessons Learned
Assign a MU Governance Committee or MU Project Team that keeps abreast of the MU Attestation rules and requirements to help maintain and sustain an effective Compliance & Reporting Program
Document MU Strategy that describes the reasoning behind those core and menu measures that were chosen or excluded
Pay attention to detail and develop a good understanding of the detailed reporting requirements before attesting
Conduct one’s own data validation and do not rely on the EHR vendor for completeness and accuracy of data used in the reported measures
Conduct a thorough and comprehensive MU Security Risk Analysis
Lessons Learned, continued
Prepare a Gap Analysis document for the key risks identified
Assign accountability and follow-up on status of Corrective Action Plan
Retain thorough documentation with the proper cutoff dates that provide point-in-time evidence and detailed supporting documentation
Maintain a centralized MU Attestation Documentation Repository
Have a COMPLETE CEHRT and supporting licenses / documentation for all MU required modules
Verify reasonableness and accuracy of all MU measures before filing attestation
For more information, contact:
Erik Dahl, CISA, CISSP
Direct 856.885.0127