Everything HITECH

“Congress for the HITECH Act specifically authorized submission of information as to meaningful use through attestation.  CMS is developing an audit strategy to ameliorate and address the risk of fraud and abuse.”  Federal Register, July 2010

So how should we be preparing ourselves? 

Bottom line is, no one yet knows the answer to how audits will be conducted. Attestation is deceptively simple,  it requires little documentation, and is complete when you submit your online application. Where we see documentation becoming important is as a response to downstream audits. Here’s what we believe to be a conservative approach to preparing an advance defense.  We see three grades of conservatism in your documentation approach, and a series of additional strategies to add a little additional strength. 

1. Rely on Certified Software to report correct data at the time of an audit –While this has the merit of little or no up-front work, we steer people away from this “wait and see” approach. Audits can happen up to six years later, and a lot can change over six years in a hospital EHR, or in the composition of the team who remembers the details surrounding interpretations of measures in the “grey area” where CMS could not fully predict all the nuances of clinical operations that you have to follow.   
2. Save copies Certified (Summary level) EHR Reports – some CMS advisories have implied that data in a Certified EHR will be deemed accurate. Most reports we’ve seen from Certified EHR’s are a single page per MU Measure. Content is numerator, denominator, percentage, and date range, for the organization and the Measure.  Saving copies of these reports will certainly give you some audit defense. 
3. Create copies of Patient Level Detail – CMS states no explicit requirement for patient level detail, nor is it required for software to be certified. We recommend it though.  CMS requires you to attest to the “accuracy and completeness” of your data, and each Measure. It seems that you cannot do so, without analyzing patient level detail (i.e., would your CFO accept a bank statement with no more detail than just the balance?). Further, some Measures are based on site-specific variables, such as “observation services” vs “all ED patients” choices.  And patient-level detail will show whether all choices have been correctly represented.  The downside is that you may need to create these reports, if you software has only fulfilled the bare bones requirement of certification. 

Regardless of documentation strategy, here are  techniques to enhance the reliability of your defense against an audit:

• Conduct Explicit Reasonableness Checks – If you know your annual volume is 20,000 patients, and your CPOE report is only reporting on 7,000, maybe you should dig a bit deeper into that report.  If your EHR is showing the same patient volume for metrics requiring “all patients” as for “EHR only” patients, then you should be prepared to show data as to why this should be so.  A skeptical auditor will probably estimate your patient volume from billing or census data, and compare that to your EHR records. 
• Maintain a Measures Checklist - In MUM, we show audit checklist reports summarizing all Measures. The checklist identifies the numerator / denominator and date range values, resulting percentage, (or Yes/No value as appropriate), and show whether a link exists to a PDF of an “audit proof” report. Prior to attestation, internal audit should review this checklist, verify each audit proof report, and make sure it shows the level of detail and proof you deem appropriate. We suggest presenting that signed checklist to the CFO (or other attesting officer), prior to attestation. In our checklist we have placeholders for certification “proof” as well. (i.e., a letter from your vendor, certifying that you have purchased from them all modules included in their certified software).
• PDF your reports – and store them in a dedicated, secure repository, with an explicit retention period of at least equal to the six years.  Tie each PDF to your Measures checklist, too. 
• Supplement Screen Prints – as be part of the documentation for those Measures with yes / no Attestation types (like those requiring you to show that a feature in your EHR is “turned on”).  But even with screen prints, we advise showing supplemental reports with patient level detail, showing that the functionality was in place throughout the reporting period. 
• Document Test results – for Measures requiring you to conduct a test of a given capability, store your test data, scripts, and the entities with which tests have been conducted.  Testing plans and associated results should be a part of your six-year Meaningful Use documentation repository. 
• Document your assumptions – the wording around some Measures leaves room for different interpretations of what specific clinical behaviors would be compliant.  Over time, these “grey areas” may be crystallized by CMS pronouncements.  Until that happens, we recommend that your documentation repository leave room for written interpretations, workflows or policies, associated with each individual measure. 

So ultimately, think like an auditor.  Auditors are trained to “professional skepticism”, and are motivated by finding shortfalls.  They will have work plans based on knowing where and how to look for discrepancies, whether you intended them or not.  Defending against their pre-planned approach should not wait until they ring your doorbell, but a well-constructed documentation defense should be done before attesting.  After all, CMS is developing an audit strategy … shouldn’t you?