Meaningful Use Attestation Process and EHR Incentive Audits

Meaningful Use Attestation: A Word to the Wise on Audits

The CMS EHR Incentive Program is going full bore. Over $390,000,000 was paid out in November alone by Medicare to Eligible Professionals (EP) and Eligible Hospitals (EH). That doesn’t even include the Medicaid incentives.  Seems like every possible EHR is certified, EPs and EHs are registering, and we’ve even seen the Stage 1 early 2011 adopters be given a present of not having to reach Stage 2 until 2014. With everything humming along what could go wrong? Certification, registration, meaningful use, attestation, incentives. Where is the fly in the ointment? Well just don’t forget the potential for audits.

CMS clearly states that there will be audits: “All providers attesting to receive an EHR incentive payment for either Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module responses).  Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.”  CMS even tells us how to prepare for an audit: “To ensure you are prepared for a potential audit, save the supporting electronic or paper documentation that support your attestation. Also save the documentation to support your Clinical Quality Measures (CQMs). Hospitals should also maintain documentation to support their payment calculations.”

I won’t be the one doing any Medicare or Medicaid audits but if I was I would tell you what I would examine as soon as I walked through your door. I would ask to see your Security Risk Analysis documentation for either EPs or EHs: “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” If you can’t produce it, or it is incomplete then you do not have the documentation to support the incentives you have received.

During the attestation process I suggest you pause before you check that little attestation box that says: “Yes, I have conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies”. During the recent HIT Policy Committee Meeting it was revealed that numerous EPs are checking that box without adequate documentation to support that action. There is real risk here and not too many EHR vendors understand what the issues are. The RECs certainly know what is involved and can provide direction and clarification.

2012 will see the first audits for the CMS EHR Incentives and there will be some real horror stories coming out when incentives are taken back due to incomplete or missing security documentation. Don’t be one of those.  As Aunt Bee used to say: “a stitch in time saves nine”.

Jim Tate is a nationally recognized expert on the CMS EHR Incentive Program, certified technology and meaningful use and author of The Incentive Roadmap® The Meaningful Use of Certified Technology: Stage 1.