By Jim Tate, EMR Advocate and Meaningful Use Audit Expert
Twitter: @JimTate
eMail: audits@emradvocate.com
Website: www.meaningfuluseaudits.com
In recent conversations with Eligible Hospitals (EHs) two questions seem to be coming up more and more concerning CMS EHR incentive audits. Let’s take them on one at a time.
How long can my CMS EHR incentive attestation be subject to an audit?
CMS is pretty clear that documentation used in support of an attestation should be saved for 6 years. “Documentation to support attestation data for Stage 2 meaningful use objectives and clinical quality measures should be retained for six years post‐attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.” Sounds to me that you could possibly be audited for up to 6 years after an individual attestation. Case closed.
If an audit is failed, does that make me more likely to be audited again in future years?
Ah, this is a good one and gets into the shady area of “risk profile”. CMS, for obvious reasons, is keeping their cards close to their chest on what makes up the “risk profile”. There is another angle to this that touches not on risk of audits for future attestations but also on past attestations. Case in point, I was contacted last week about such a “look back” audit situation. The initial audit was performed on a 2012 attestation and notification was received of a Negative Determination in August 2013 based on one measure. They were then the subject of an audit based on an earlier (2011) attestation and were notified of failure in March 2014 on the exact same measure. It only makes sense that during an audit if it becomes obvious that there is evidence of a “problematic” attestation the same issue might exist in earlier attestations. Now I have no insider info on what makes up the “risk profile” but I can usually do a little reading between the lines. If you went through an 2014 meaningful use audit, and didn’t have a Security Risk Assessment, I would think there would be a chance you couldn’t provide it for prior attestations either. I’m expecting we will see more and more of these “look back” audits based on what is revealed during an initial audit. Just make sense to me.
Side note: At HIMSS in February I spoke with Elizabeth Holland (director CMS’ Health IT Initiatives Group) and Robert Anthony (deputy director of CMS’ Health IT Initiatives Group) at HIMSS this year and here’s what they told me: The majority of failed audits occur either for lack of having documentation of the MU measures or the Security Risk Analysis. To address this critical documentation issue, we’ve now added a review of the Security Risk Assessment to our Mock Audit Services. If you are interested in learning more about conducting a mock audit for your organization, please contact me at audits@emradvocate.com.
