If the government gives you money, you can expect that it will look to audit your results. Since 2011, CMS has disbursed nearly $20 Billion under the Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs, to nearly half a million eligible professionals. It should come as no surprise that CMS now intends to audit at least 5% of Meaningful Use attesters. And the early results are not positive as nearly a quarter of professionals audited to date have failed! The audits are required by the Health Information Technology for Economic and Clinical Health Act, which created the Meaningful Use Incentive program and are conducted by the accounting firm of Figloiozzi and Company (See a sample audit letter here).
A failed audit likely means refunding some or all of your incentive payments back to the government.
Post-payment audits by CMS began in 2011 at the meaningful use program's beginning. In November 2012, the HHS Office of Inspector General published a report saying CMS was not doing enough to prevent improper payments and recommending that CMS conduct pre-payment audits to verify attestation documents. Pre-payment audits began in 2013. Every provider who has accepted money from the EHR Incentive Programs is facing the potential of a Meaningful Use audit.
CMS recently released statistics on the volume of CMS Meaningful Use Audits conducted to date. The audit failures only report who failed an audit, not whether the failure was reversed on appeal.
- 10,000 unique audits were conducted on 265,075 attestations
- 4,601 have been completed
- 22.7% of EPs failed to meet meaningful use standards
- 98.9% of failing EPs did not meet appropriate measures and objectives
- 613 post-payment audits were initiated from 4,637 attestations
- 4.9% of EHs failed their audits
- The average incentive returned was $1.1 M
- Total incentive recoupment has totaled $33 M
A provider that fails just one element of a Meaningful Use audit not only must return the entire incentive payment for that year, but also is automatically scheduled for another audit for another participating year. The most common problems identified so far are noncompliance with a required data security risk assessment and a lack of adequate documentation to support some of the responses provided in the attestations.
Providers selected for the audits have two weeks to submit their documentation.
Per CMS, the initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an on-site review at the provider’s location could follow. A demonstration of the EHR system could be requested during the on-site review.
For more CMS guidance about pre-payment and post-payment audits, please refer to the CMS EHR Incentive Programs Audits Overview.
So what can you do to prepare for an audit? Attesting providers should not to rely on their EHR vendor’s certification, as providers are responsible for assuring and documenting Meaningful Use within their practice. Providers also should maintain supporting documentation for six years (as that is the potential audit window), and make sure that the information is easy to retrieve, since the time limits for responding to audit requests can be as short as 2 weeks. CMS has prepared advice for providers in preparing documentation in the event of an audit.