It starts with an innocuous-looking email. The message states that your hospital has been chosen for a meaningful use audit. What follows is a weeks-long process that at various points ranges from the "ridiculous" to the "sublime," according to a pair of hospital CIOs whose organizations have been audited.
Ed Ricks, vice president of information services and CIO of Beaufort Memorial Hospital in South Carolina, and David Quirke, vice president and CIO of Frederick Memorial Hospital in Maryland, shared their audit experience in a webinar, titled Preparing for (And Surviving) Meaningful Use Audits, hosted by Health System CIO. While they both agreed that audits are necessary and proper components of the electronic health record (EHR) incentive program, they said the process can be frustrating and could use some refinement.
"From a political perspective, we're not being fraudulent," Ricks said. "If there's something that's not right for some reason, it's going to be for some nuanced thing we didn't know we had the ability to control. So I think the spirit of the ruling is one thing, [but] how we're being held accountable is just for auditing purposes."
The auditors initially asked for straightforward documentation supporting the claims the hospital made during attestation, Ricks said. The hospital had planned for the contingency that it would be audited and promptly sent the information off to the auditors. But after a few weeks, the auditors asked for more data, frustrating Ricks.
Ed Ricksvice president and CIO, Beaufort Memorial Hospital
He said the auditors questioned why logs generated by the EHR system did not have the EHR vendor's logo on them. This apparently raised flags for the auditors that the documents could be fabricated. Next, the auditors questioned the hospital about why denominators were zero for certain measures. Some measures can be reported as having a denominator of zero, still the hospital was asked to prove the accuracy of this information. In one case, the hospital did not have any patients ask for copies of their records. Ricks said there is no feasible way that can be proven.
Quirke experienced similar frustrations during his hospital's audit process. In addition to being questioned why certain audit logs did not have the EHR vendor's logo on them, Quirke had to explain why denominators for certain measures changed during the reporting period (records merged, patients were moved from inpatient to outpatient settings), demonstrate that decision-support functions were active during the entire reporting period, and demonstrate that the hospital used a certified EHR system during the entire reporting period. These last two were difficult because it is generally understood that a hospital is using a certified system that includes decision support for its entire reporting period when it implements a certified system. In some cases, the basic contract with the vendor may be the only existing documentation.
Quirke and Ricks said the process raises some questions about how the meaningful use audit program is run. For one thing, both of their audits were handled by certified public accounting firms. Quirke and Ricks both said they got the impression that the people running the audit did not have much knowledge of health information technology.
Furthermore, Ricks said there appeared to be little effort on the part of the Centers for Medicare and Medicaid Services (CMS) to align EHR vendor certification standards with the requirements of the audit program. There were several instances in which his hospital's EHR system did not have the functionality to generate reports asked for by the auditors. If CMS knows what auditors are going to be looking for, it should require certified EHR systems be capable of producing this information, Ricks said.
So what can a hospital do to prepare for a meaningful use audit? Quirke said he commissioned an outside agency to conduct its own audit after the hospital completed attestation. This gave Frederick Memorial an idea of the kind of documentation it would be asked to provide during a real audit and helped the hospital identify gaps in procedures that raise red flags. He said that most of the things his commissioned auditors asked for documentation on were eventually requested by the meaningful use auditors.
He also recommended avoiding oversharing. Hospitals should only provide requested documentation, rather than burdening auditors with mountains of paperwork. This can speed up the process and keep the auditors from returning because they were unable to locate a specific piece of information.
"We were very thoughtful about not overloading the auditors with too much information and just answering what they asked for," Quirke said. "We should be thoughtful and guarded in our responses."
For Ricks, it's all about documentation. He said he now saves every piece of communication him and his staff have with their EHR vendor. No piece of documentation is too small when it comes to a meaningful use audit.
He also recommended that hospital IT staff question their vendors before installing system updates. Even relatively minor updates to an EHR system could alter the basic facts of what the hospital originally attested to. It may lengthen the audit process if an auditor spots a change.
Following these steps may make the audit process easier for a hospital, but they are no guarantee of success. At the time of the webinar, Beaufort Memorial Hospital was still engaged with its auditors, while Frederick Memorial Hospital had successfully completed its audit. But Quirke said the notification he received from the auditors said they could reopen the case at any time.
"The letter, when you get it from the audit company, says it is satisfied with its findings, but they do have the ability to come back to you if they want," he said. "We're out of the woods, but there is still the ability for them to come back."