10 steps to prepare for a possible audit

By Marla Durben Hirsch

Providers can--and should--take several proactive steps to avoid a Meaningful Use audit or at least be better positioned to successfully defend one's attestation.

"Have all of your ducks in a row before hand. Know where you stand in meeting the measures," says David Zavala (pictured), senior manager with consulting firm Protiviti in Dallas.   

Providers should consider these 10 actions:

  1. Maintain evidence that you've met the requirements: The most important step is to make sure you have the documentation to support your attestation. "You need a repository of proof or book of evidence," Zavala says. The documentation should include a thorough security risk analysis, screen shots, reports, calculations, a copy of the EHR purchase agreement, EHR implementation documents, public health reporting documentation and other information to support the data for the Meaningful Use objectives and clinical quality measures. If you're attesting for 2014 via the new flexibility rule, make sure you have evidence to justify why you're doing that, Zavala says. "A lot of providers are failing an audit because they don't have or didn't save the documentation that supports attestation," adds attorney Brian Flood, with Husch Blackwell in Austin, Texas.
  2. Collect and store the documentation on an ongoing basis. Note that a screen shot of a single day won't be sufficient for the other days in the reporting period. Ed Koschka, IT Program Manager, Meaningful Use and Accountable Care Organization Programs for Franciscan Alliance, a health system based in Mishawaka, Indiana, tells FierceEMR that his vendor helped him run reports to show that the system met the yes/no attestations and a transaction log that shows that they did so every day in the reporting period.
  3. Store the Meaningful Use documentation in a central location: That will make it easier and faster to respond to an audit, Koschka says. Since the documentation needs to be submitted electronically, he adds, make sure you store it electronically, and back it up.
  4. Assign Meaningful Use to a team led by a designated individual: The group should monitor whether the provider is meeting the Meaningful Use requirements and periodically meet and review the provider's progress so that any trouble spots can be flagged and corrected, Flood says. "If you know the problem early it can be fixed before discovering it in the audit process," he points out.  
  5. Be on the lookout for new developments regarding the Meaningful Use audit process: Stay apprised of how other providers are faring. For instance, it's been widely reported that many providers are failing audits because they lacked an appropriate security risk analysis of their system's vulnerabilities, a core objective. The Meaningful Use team should also track CMS' guidance on Meaningful Use audits, since it's "constantly evolving" with each FAQ, Flood warns.
  6. Maintain the documentation for at least six years past attestation, pursuant to CMS' guidance, Zavala says.
  7. Watch for the red flags that might increase the likelihood of an audit: Try to avoid or eliminate them.
  8. Check patient mix before attesting to Medicaid Meaningful Use: Don't have a physician attest that he/she had at least 30 percent Medicaid population unless you're sure he/she meets the threshold, Koschka warns.
  9. Set up a Meaningful Use audit committee, just in case: This way the provider can quickly respond to an audit, since the timeframe for submitting supporting documentation for a Medicare audit can be just two weeks. The committee should include the compliance officer, the security officer, the legal department, finance, IT and clinical leadership, Flood tells FierceEMR.
  10. Ensure that relevant staff can identify what a Meaningful Use audit letter looks like: For the first couple of Meaningful Use audits experienced by Koschka's organization, they only had a week to respond because of the lag time involved from receipt of the notice to notification to the personnel who needed to respond to it. The health system ultimately conducted a campaign to communicate to staff what the letters looked like and what they would say.
10 steps to prepare for a possible audit