OIG Meaningful Use Audits

In the first quarter of the year 2015 we at Taino Consultants have seen more Meaningful Use audits taking place that in the last three years together.  All of these audits have been performed by the Centers for Medicare & Medicaid Services (CMS) Subcontractor, Figliozzi and Company, and so far have concentrated on those Providers who received the incentive via the Medicare program. We have not been surprised about the findings so far as there is a lot of misinformation and misunderstanding about the actual work required to meet Meaningful Use Standards.  Some of the key issues we found included the fact that entering information in the electronic record is not the same as entering information as data that can be read by the system.  Another key area of content relates to the HIPAA requirements which include a Risk Assessment and a Security Management Plan.  Regardless of all of that, the sad part is that based on our forecasting formula we calculated that 100% of the Eligible Providers (Hospitals and other eligible entities included) submitting their attestation via Medicare would be audited by CMS’ subcontractor.  We didn’t count on the OIG at that time and now there is a definite potential that Eligible Providers may be audited twice, once by CMS and the other one by the OIG. This is neither a threat nor a fantasy of a pessimistic Consultant but a reality.  For example, the OIG has already completed audits on state Medicaid Meaningful Use programs in Florida and Massachusetts.  During these audits they covered the records of 42 hospitals (report) in Florida 25 hospitals (report) in Massachusetts. In other words, if the State Medicaid Agencies are a target for these audits this means that no one is safe. As to prove the point, on April 1^st, 2015 the OIG confirmed that multiyear audits of Eligible Providers (Hospitals and other entities included) are underway nationwide.  So while we don’t have many specifics the main differences between the OIG and CMS audits seem to be:

	CMS	OIG
Period audited	One Year	Three Years
Core & Menu Objectives	All	Selection of Measures

These audits should not be a surprised as the OIG was already covering this topic on its 2015 OIG report.  As a matter of fact, OIG summarized these audits as follows: Hospital Contingency Plans - We will determine the extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA). We will also compare hospitals' contingency plans with government- and industry-recommended practices. The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information (45 CFR, Part 164 § 308(7)(i)).  (OEI; 01-14-00570; expected issue date: FY 2015). Security of certified EHRs - We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology. A core meaningful-use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities. To meet and measure this objective, eligible hospitals, includingcritical access hospitals, must conduct a security risk analysis of certified EHR technology as defined in Federal regulations and use the capabilities and standards of Certified Electronic Health Record Technology. (45 CFR § 164.308(a)(1) and 45CFR §§ 170.314(d)(1) – (d)(9).)  Furthermore, business associates that transmit, process, and store EHRs for Medicare and Medicaid providers are playing a larger role in the protection of electronic health information.  Therefore, audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements. (OAS; W-00-14-42020; W-00-15-42020; various reviews; expected issue date: FY 2015; Recovery Act). Medicare Incentive Payments - We will review Medicare incentive payments to eligible health care professionals and hospitals for adopting EHRs and the Centers for Medicare & Medicaid Services (CMS) safeguards to prevent erroneous incentive payments. We will review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments (e.g., those not meeting selected meaningful use criteria). Medicaid Incentive Payments - We will review Medicaid incentive payments to Medicaid providers and hospitals for adopting electronic health records (EHRs) and CMS safeguards to prevent erroneous incentive payments. The OIG is not looking at their findings as outright fraud but they do make two points clear:

1. Incentives that cannot be proven, failure to provide proof that Provider met Meaningful Use), must be returned to the Government;
2. Any indication that there is potential fraud will be referred to the proper agencies for investigation.

The key recommendation is to be proactive and prepare yourself for these audits.  Remember that, as some Providers have found, do not rely on your system to give you an accurate record as the information in many of them is updated constantly.  Instead print the reports needed and use those print outs as you complete your attestation. Also, make sure to complete these steps:

1. Assign a Security Officer
2. Train your staff
3. Update your Policies and Procedures
4. Conduct an annual Risk Assessment
5. Develop a Security Management plan in response to the risk assessment
6. Document actions regarding your policies and the security management plan.

We understand that these tasks are not easy and time consuming for which we also recommend you to hire an outside consultant to overlook the process.