Elizabeth Holland is director, HIT Initiatives Group, Office of e-Health Standards and Services for CMS.
Describe the scope and process for the Meaningful Use audits for hospitals and EPs.
It’s really two pronged now, because we started last year. We started a post-payment audit program and now we are also doing pre-payment audits as well.
When I say audits, it’s mainly the audits that are being done on the Medicare side. Medicare is actually handling the audits for all the Medicare eligible professionals and then all the Medicare hospitals as well as the Medicare dual hospitals, the hospitals that can get Medicare and Medicaid. But the Medicaid audits of the eligible professionals are being done by the individual states.
Our audit are looking at Meaningful Use. We’re looking at providers to validate that they are using certified EHR technology. Secondly, we’re looking at them to see if they have the documentation and can justify that they are in fact Meaningful Users.
Will all attesting providers be audited in some fashion or will it be a random selection?
It’s actually a little of both. Certainly not all will be audited, but we are looking and refining our ability to make selections. Some selections are totally random and others are more targeted. We’re using a combination of both.
Some of the targeting is really crude and basic, like we had people who wrote a numerator and denominator to get 100 percent on every single measure. That flagged them for audit.
Like IRS audits, where you have a chance of being randomly audited, but there are certain red flags that you may or may not publicize?
Will the audits be strictly desk audits or will there be field audits?
There may be some field audits, but so far they’ve all been desk audits.
The question I’m asked most often if it will be like IRS forms that tell you how long it will take you to provide the information. Do you have an idea of how much time providers will need to set aside?
I don’t have a feel for that. The audit process becomes very individualized. We’re using the same contractor for pre-payment and post-payment. They send an initial request letter asking for certain things.
What I’m told is that it varies by practice how quickly they can pull that stuff together. Some providers have it all together because they pulled it together when they did their attestation, so it’s very easy for them to pull it together. Others, it takes more time.
I believe the initial request gives them two weeks to pull everything together. However, if they need more time, we’re very flexible. All they need to do is contact the contact names on the letter they received. We’ve been giving everybody who’s requested it additional time.
What criteria were used to select the audit contractor?
That I honestly don’t know. The selection wasn’t done in my office, so I don’t know how.
Will the auditors, either the individual auditors or the auditing firm, be financially rewarded for identifying fraudulent attestations so that they’re encouraged to find problems?
I don’t believe so. I think they’re paid by the audit. We’re not looking for fraud so much. We’re wanting for people to tell the truth, but so far the only thing happens if you’re found not to be a Meaningful User is that you return your incentive payment. That goes right into the Treasury. It’s not like the whole practice and all your Medicare claims billings are being looked at. That’s not the way these audits are working.
I assume that a lot of what you may find wrong, like on tax forms, are honest mistakes rather than intentional fraud.
How will you determine intention if you’re only doing desk audits? It would seem like you would need to have a direct conversation.
It has varied. We have sent audit letters and people have returned checks without sending in any documentation. What does that mean? I don’t know. I’m just telling you that’s a fact.
This is not really meant to be a gotcha. If you attested to a particular measure and the standard for that measure was 50 percent and what you told us is you had 90 percent … if we go back in and see you only had 80 percent, that’s fine. You’re still a Meaningful User. We’re not going to say gotcha.
We’re really looking to validate Meaningful Use. if it’s like a percentage off on one measure, we’re not going to die on our sword for that. It’s just if you have repeated measures where what you told us is massively different than the documentation that you’ve shared with us, that’s when you may have more of an issue.
How many audits have been done so far?
All we’re saying right now is that we’re aiming for 5 to 10 percent of the people who received incentive payments.
Based on experience and what you’ve learned so far, do you have any feeling for what the percentage might be that you will find not in compliance that will have to return their check?
I don’t have the feeling for that yet. Part of it is when they first started doing the audits, there were a lot of things that the auditors weren’t totally clear on. My policy staff has worked with them very closely to try to clarify things. That’s part of why we put out some of the guidelines that we put out, so that everybody can be more clear about what documentation they need to save, what they need to be attached to, all sorts of things like that, so that everybody’s nearly well aware of what the requirements are.
I think in the beginning there was just a lot of cloudiness and now we’re trying to make everything much clearer for the auditors and for the providers as well.
Will it be a phased approach where they’re looking at a random sample over a fixed time period, or will it be a big swoop of people …
It will be ongoing throughout the program. What will probably happen — and I don’t know this for sure — but my sense is that if you are audited and you pass, the likelihood of you being selected in the next year will be lower than if you did not pass and you participate in a subsequent year.
Going back to the model of financial audits or IRS audits, there’s usually a thoroughly documented step-by-step process that has every procedure down pat so that the audit person doesn’t have to use a lot of judgmental analysis. Does that exist for Meaningful Use audits, and if so, is it publicly available?
Very close. Any time there is any call for judgment, it comes to my staff. If there’s anything that’s not clear, we make the decision.
Since providers are being held to those audit standards, would they have access to see what those standards are other than the obvious about how the process will work?
I’m thinking we’re going to be putting out a lot more information on that. But yes, they should know what the standards are, and part of that is what the definition of Meaningful Use is.
The goal of the program from my perspective is to get people to switch from paper to electronic, and then once you’re using the EHR, to use it in a meaningful way. We’re not trying to scare people. We’re not trying to get people to return to paper. But then again, we’re also paying out an incredible amount of money. We want to make sure that taxpayers are getting what they expected — that people are really switching to electronic health records.
We have a really strong fiduciary responsibility, so we’re trying to balance that to make sure people know that we’re serious. You should have documentation that backs up your attestation, but it’s not going to be like a “surprise, gotcha” thing. It will be things that you know about.
If the provider is judged to have not been in compliance, is there an appeals process?
At this point, we are still deciding that.
But from what you said, the auditors won’t hold the sole authority on any decision …
That’s the thing. The appeal process is run by my office. If we’ve already weighed in back and forth on the audit, then there’s no need for us to weigh in again.
Let’s say a provider fails the audit and blames their certified vendor. Will there be any push to then evaluate the vendor as well as the user?
We’re talking to the Office of the National Coordinator a lot about that. Honestly, a lot of providers are concerned about their products. But what we’ve said is if the product produces a report and you rely on that report for your attestation, that gives you documentation, and if the tool itself is not calculating accurately but you have reports that document what you attested to, then you’re fine.
There have been lots of instances that the EHR is not calculating things correctly and patches going out and providers being really scared.
If that occurs and it turns out the vendor software has made a mistake of some sort, will there be repercussions to that vendor?
I don’t know if there will be, but we’ve certainly known of several instances with different vendors about patches they’ve put out. We made the auditors well aware of those things so that they don’t penalize the providers.
Much of the documentation involves EMR-generated reports with the vendor’s name on them. It seems like it would be pretty easy for someone to just Photoshop those.
That’s one of the things we’re working on.
Doctors are telling me that there is definitely fraud occurring under the Medicaid program Adapt, Implement, and Upgrade where providers claim to be customers of a vendor and the vendor has never heard of them. Is there ability or an interest in checking to see that if a customer claims that they’re using a particular vendor software that by simply contacting the vendor to find out if they really are or not?
Each state is handling that differently, but before they pay, they’re supposed to have in various standard of validation comes before they pay. In a way it’s like a pre-payment audit where you have to give a bill of sale and things like that to justify your payment.
I don’t want to suggest even though I used that Medicaid example that the possibility is limited to Medicaid. Under the Medicare audit, it could be the same issue, where someone has attested and says, “I use NextGen,” but NextGen says, “No, they’re not a legal user of our software.”
Some of the things that we ask for in the audit are screen shots and things like that. We’re talking about trying to get some sort of automatic … like you have to send an e-mail from the EHR to us so we can validate that they’re actually using the tool. But I think for Medicaid, it’s because you don’t have any measures to do. You are just adapting, implementing, or upgrading. You don’t have to be using. You can just get these tools. I think it’s harder to validate. At this point, the number or people we have participating is so large that I don’t know how we would call all the vendors to find out.
Will the results of the audits be made publicly available in any form?
Yes, but I don’t know when that will be. We have a lot of people who are wanting that.
That wouldn’t name providers, I assume.
I don’t believe so, no. It could certainly go after like provider type, like large or small eligible professional or hospital. I think from my understanding right now we’re doing a lot more audits on EPs just because there’s more of them. The hospitals are doing really well. The EPs have more issues, but that’s mainly based on sheer numbers.
Audit notices are going out by e-mail. In the experience so far, have there been providers who just didn’t get the e-mail or just ignored it hoping it would go away?
I don’t know that if they ignored it to would go away, but I think if they don’t respond then we send them a letter, like a mail letter. That’s just the first. Just because they don’t respond doesn’t mean they’re off the hook. Good try.
There’s been a lot of attention paid to the group of Republican senators who are challenging the Meaningful Use program. Do you see that the nature or the scope of the audits will be adjusted in any way to appease the folks who want to see it made tougher?
Quite honestly, I think that was an interesting letter. And I think we’re actually, despite what the letter says … a lot of what they want us to do is already included in Stage 2 of Meaningful Use. I believe we’re on the path that they want us to be, but also in the letter they told us to slow down to Stage 3. Stage 3 would be an additional push to do more, but they asked us to … they were happy that we were delaying the rulemaking.
We’re definitely going to have more conversations with them to clarify how we’re moving forward. We believe we’re really in alignment. We just have to make a better case for ourselves, I think.
One of the most misunderstood aspects from the beginning is that you didn’t have to buy anything to qualify for the incentive. Do you think that people understood that you didn’t necessarily have to invest? Do you have a feel for how many people did invest to earn the payment versus those who are already pretty much in compliance already?
My understanding is that every EHR system out there had to be tweaked. Some were major tweaks and some were minor tweaks, so depending on what kind of system you had, they had to be certified, but in that most cases like the vendors would take care of that. Then you had to make sure you got whatever upgrade or whatever and made sure that it was certified.
What we don’t have good intelligence on are how many people, especially with the early adopters, were already electronic and just had to do Meaningful Use to get a payment and how many people were nowhere. They just decided, oh, here’s an opportunity to go electronic — you can get some compensation for it. We’re trying to look more into that data.
There’s misinformation out there thinking that there’s a mandate that they must go to electronic health records. That’s not true, although it is true if they’re not Meaningful Users for Medicare, they will get a payment reduction starting in 2015. It’s sort of like the carrot or the stick, any way you can get people to switch to going electronic, because one of the big goals is having interoperability but if you have half the EPs still on paper, reaching true interoperability is going to be really hard.
I don’t mean to harp on this question, but I have a lot of vendor readers. Do you see any reaction to the results of the audits that would impact vendors, such as some changing of the certification criteria?
The certification criteria are already changing for 2014. That was all in rulemaking, so there’s nothing else we can do for Stage 2 at this point. We had to do the rulemaking so early without, in my opinion, enough data to really know what the main issues were with Stage 1.
What we heard anecdotally from vendors is a lot of them have many different tools and that there’s going to be some sort of consolidation as they move to Stage 2. Not necessarily a merging of vendors, but a vendor may have 10 tools that he may only get six or something like that certified for Stage 2 or the 2014 certification. Hopefully that means that vendors are concentrating on certain products and trying to make those products as good as they can possibly be.
Any final thoughts?
From my perspective, we’re trying really hard to educate providers, but we’re also trying really hard to educate the vendors. We have a new vendor work group that we have called with the vendors, working through issues that they’re having. My staff are the people who wrote the Meaningful Use rules, so that we go into in depth explanations about what we mean about each of the Meaningful Use objectives and measures.
We’ve had a much more collaborative process as we’re moving through Stage 2, mainly because there were a lot of misinterpretations of Meaningful Use measures at the beginning of Stage 1. This time we’re trying to be more proactive as we move forward. The providers have been appreciating that and the vendors have been very appreciative.
We have a really large group of vendors that is participating with us. Hopefully that will lead to a more unified determination for programming of the Stage2 EHRs so that the EHRs will just do better work. They’ll work for providers better.
The main thing that I keep saying to people that I talk to is you shouldn’t be worried about the audits as long as you have told the truth. I know there’s some panic out there, but if you’re honest and you’re telling the truth, you have really nothing to worry about.