Upping the Ante on Meaningful Use Audits
By Selena Chavis
For The Record
Vol. 27 No. 8 P. 20
The OIG expands its reach as security takes center stage.
There has been significant noise on the audit landscape for some time now. As federal scrutiny becomes increasingly intense to ensure compliance and to safeguard government incentive and insurance programs, providers must stay abreast of the latest movements.
Meaningful use (MU) has been a chief source of audit activity in recent years, primarily due to the sheer amount of money being doled out in incentive payments—nearly $30 billion in Medicare and Medicaid funds as of April. And the focus on MU compliance is only going to intensify.
While the Centers for Medicare & Medicaid Services (CMS) has been monitoring MU incentive payments through contractor Figliozzi & Co, the Office of Inspector General (OIG) has also gotten in on the action in recent years in an effort to ensure the CMS is providing sufficient oversight of the program.
"Anytime you see that amount of money going out the door, and anytime the claim to receive payments is as simple as [MU attestation requirements], then there's going to be audit activity and there are going to be false claims," says James Flynn, a partner with Bricker & Eckler and chair of the law firm's health care group. "This is just OIG following the money. There's a lot of money going out the door; it's easy to get, and a lot of people are claiming."
In late 2012, the OIG released a report criticizing CMS' oversight of the MU program. Since that time, MU audit activity has been ramped up in the agency's annual work plan.
Recently, the OIG completed audits of state Medicaid MU program operations in Florida and Massachusetts. While Florida successfully passed its audit, the report for Massachusetts told a different story. Current recommendations include provisions for the state to refund the federal government more than $2 million in net overpayments made to 19 hospitals and adjust those hospitals' remaining incentive payments to account for the incorrect calculations.
"These audits have been in the OIG work plan for several years. We all knew it was coming," Flynn notes. "The focus is very much on the agencies, but as it affects the industry and the providers that actually receive those Medicaid payments, it appears that the OIG will take a direction that will require states to correct and recoup what they shouldn't have paid. It has a lot of providers on edge because of that."
The OIG's latest work plan, published in late 2014, suggests that the agency is further expanding its target areas. The organization intends to zero in on several EHR-specific issues, including the following:
• whether providers were entitled to incentive payments;
• the effectiveness of CMS' payment oversight;
• the security of hospital-networked medical devices;
• whether covered entities and business associates adequately secured electronic protected health information and conducted risk assessments; and
• whether EHR contingency plans as required by HIPAA security rules were implemented.
Security Takes Center Stage
According to Carolyn Hartley, MLA, president and CEO of Physicians EHR, security is now central to the OIG's audit activity and "striking terror in the hearts of health care professionals." And for good reason, as one of the most common causes of a failed CMS MU audit is a failure to conduct a security risk assessment—a requirement under both MU and HIPAA.
As the OIG forges ahead, Hartley emphasizes that providers shouldn't stick their heads in the sand. "The right thing is to expect an audit," she says.
As each stage of MU is introduced, covered entities must attest to various core and menu measures to qualify for incentive payments. One of several consistent core measures through all stages is the requirement to maintain and protect the confidentiality of patient information. "The way that is achieved is through a risk assessment typically done by an outside agency," Flynn says. "Someone looks at your systems to ensure that the right security measures are in place to safeguard against data breaches."
What has become evident to the OIG, according to Hartley, is that health care organizations aren't updating their security procedures as required. In fact, she notes that congressional lawmakers were "stunned" at the end of 2013 and 2014 at the number of breaches occurring.
"In 2013, when [the CMS] did the random security audits, they found huge security failures," Hartley says, adding that consumer confidence in the system has diminished substantially. "OIG is saying to CMS, 'If you are going to give taxpayer dollars to health care professionals to adopt health IT, somebody better make sure we don't have security breaches.'"
As the CMS has conducted MU audits, a recurring theme has been outdated risk assessments. Flynn points out that the confusion may be associated with the difference between HIPAA and MU requirements. While HIPAA requirements loosely suggest that risk assessments occur every two or three years, they set no specific parameters around frequency. In contrast, MU requirements demand annual risk assessments.
Hartley, who says security check-ups should be conducted at least annually, notes that recent HIPAA guidance suggests this strategy as well.
The latest risk assessments identify new risks, such as physicians leveraging mobile technology in care delivery. "If you are still using your 2005 or 2010 security measures and doctors are using USB drives or portals to take information home, that could be a red flag," Hartley says. "Those USB drives are so susceptible to being lost, and if that occurs, then you have to report the breach. From a security perspective, the HIM manager has to show progress. You have to demonstrate that in an audit." In this case, the ability to show "progress" may be tied to creating a rule that prohibits physicians from taking patient information home on USB drives.
In another example, health care organizations that have implemented texting programs to engage patients by sending reminders or appointment confirmations must use encryption to ensure that only the parties involved can understand the messages.
Flynn says the primary goal of CMS' MU audits is to make sure a risk assessment has been conducted, not necessarily to measure its effectiveness in improving security measures. Recognizing this limitation, the OIG is taking the audit a step further.
"What I understand OIG is doing with new audit activity is to test and stretch every aspect of an organization's operations to see if, in fact, their information is secure," Flynn says, pointing out that early indications suggest intense, onsite audits that can take weeks at a time. "I think OIG is giving CMS a pass, saying, 'That's great that you require they perform risk assessments. If that's good enough for you to give MU dollars, then I guess that's up to you. We're not content.'"
Flynn believes that while the OIG's mission is to make sure CMS is doing its job, the main target is the providers themselves. Although it's too early to know whether the OIG will try to recoup MU dollars through these audits, he suspects the agency is "going to use remedies available under HIPAA laws rather than MU laws," adding that this new activity is "scarier" than previous OIG MU efforts.
The Audit Process
Flynn says the process and methodology for the security audits are still a bit of an unknown because the current round is just starting to ramp up. Hartley suggests that while there are random audits being conducted, the OIG tends to pick up where the CMS left off, often as a follow-up to a failed CMS audit. She also notes that situations uncovered in a CMS audit that may be criminal in nature or involve civil penalties are often rolled up to the OIG as well.
"Most people don't know why OIG is doing an audit. They are simply given 10 days to supply information requested," Hartley says, adding that the initial contact is almost always an e-mail to the person listed as the contact point. "OIG is coming in and saying, 'Something doesn't look right on that MU audit.'"
While virtually all CMS MU audits are handled through electronic means, Flynn points out that OIG MU audits are much different. "Auditors are coming on site, and they are literally turning your organization upside down and shaking it to see where the leaks are occurring," he says. "These providers' operations are disrupted, and it's a very traumatic experience."
Figliozzi & Co auditors rarely come on site for CMS audits, Flynn notes, adding that typical audits focus on technical and procedural guidelines. For example, if a health care organization reports it saw a certain number of patients and a specified percentage of those received a summary of care document through electronic means, CMS requires that it present evidence through a computer-generated report tied to certified EMR technology.
In a privacy and security MU audit, auditors are more likely to test processes to see where gaps may exist, which exposes providers to more vulnerabilities. OIG audits also differ in that they consider a certain measure over a three-year period, while CMS MU audits cover measures for a one-year attestation period.
Preparing and Responding
Because many industry compliance issues stem from a failure to conduct security risk assessments, Hartley suggests health care organizations start there. "When you are putting a technology plan in place, also put a risk management plan in place," she advises. "If you are not doing a risk assessment every year, then Figliozzi is going to say 'you fail,' and that leaves you wide open for an OIG audit."
Next, Hartley says, revisit the HIPAA Omnibus Rule and ask key questions such as: Is there an updated business associate agreement in place? Is encryption being managed effectively?
Another important step is to form an audit response team. In a physician practice, this group should comprise a HIMSS professional, a lawyer, a practice or operations manager, and a physician, Hartley says. Finally, find out where the organization stands in terms of audit readiness.
"I highly recommend doing a mock audit," Hartley says, pointing out that hospitals are more likely to follow through on this step than physician practices. "Preparing for an MU audit is a great activity to do at any time."
Flynn suggests organizations create an MU audit "defense book" containing files from every attestation. This resource can serve as a guideline and model for best practices moving forward. In addition, the book can provide documented proof that every step of the attestation process was met and include guidance for how each individual measure and requirement was achieved.
The defense book also makes an ideal spot for chronicling risk assessments and the actions taken in response to the findings. "If you had a security risk assessment done, and it comes back suggesting A, B, C, and D, you need to show that you did those things in the next year," Flynn says.
Once a request for an OIG audit is received, the designated person should immediately contact the agency to verify all components of the request. Besides clarifying any questions the organization may have, the initial call can be an opportune time to request an extension to better prepare for the audit. On any calls to the OIG, Hartley suggests having multiple staff members present to ensure everyone is on the same page.
Hartley cautions organizations against going it alone in an OIG audit, a process that can get pretty intense. She recommends enlisting legal counsel. "Attorneys understand OIG audits better than they understand CMS audits," Hartley says. "Make sure leadership, an attorney, and an HIM professional are involved. An [OIG] audit can shut you down."
While all of these steps better prepare organizations to respond to an OIG audit, Flynn acknowledges that the outlook is challenging for the average resource-strapped physician practice. "Hospitals tend to have better and more resources to devote to this activity. For that reason, they are better able to deal with these situations than physicians," he says, pointing out that physician failure rates with MU audits run higher than their hospital counterparts. "I could easily tell you all these things to do; I just don't know that physician offices are able to do them. It's just a challenge."
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to health care and travel.