Will you be audited for Meaningful Use?

Posted by John Dimaggio on Aug 25, 2015 10:27:00 AM


The government is serious about enforcing Privacy and Security regulations. In addition to potential HIPAA audits, any provider who receives an electronic health record (EHR) incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program may be subject to a Meaningful Use (MU) audit. In fact, each year, at least 1 in 5 eligible hospitals will be audited for Meaningful Use.

Based on recently released CMS statistics, 22.7% of Eligible Professionals and 4.9% of Eligible Hospitals failed to meet Meaningful Use standards. A provider that fails just one element of a Meaningful Use audit not only must return the entire incentive payment for that year, but also may be scheduled for future audits in subsequent years. The average incentive returned is $1.1M, with a total incentive recoupment of $33M to date.

CMS has contracted with Figliozzi & Co, an audit firm, to conduct the audits. Participants selected for an audit will receive an email at their organization’s attestation address from either CMS or Figliozzi. Organizations should closely monitor these mailboxes, as the audit email may appear to be junk. The email will contain credentials for a portal, confirmation of a contact person and a preferred method of correspondence.

Participants selected for an audit will have approximately two weeks to supply the requested information. The audit process will occur virtually, from the contractor’s location, either via a secure portal or mail. Audit results will usually be given three to four weeks after submission of the requested information. At that time, additional information may be requested, including a possible demonstration of the organization’s EHR.

In the event of an audit failure, Figliozzi will notify CMS, which will contact the organization. CMS may recoup any MU incentive funds paid to the covered entity and may prevent MU payments for future stages and years. A failed audit also increases the chance that the organization will be selected for an audit in subsequent years.

The MU security measure is a major audit failure point. The most common problems identified to date are noncompliance with a required data security risk assessment and a lack of adequate documentation to support some of the responses provided in the attestations.

BlueOrange Compliance, a leading provider of compliance services, has just launched a new eBook on Audit FAQ’s & MU Security Measure Best Practices. This eBook has some great tips on how to ensure your organization is audit-ready for the MU Security Measure.
