OIG Begins Meaningful Use Audits: Are you ready?


We have all heard the stories about the Centers for Medicare and Medicaid Services' (CMS) contractor, Figliozzi and Company, conducting audits to ensure proper adherence to the criteria outlined in Meaningful Use. To date, all indicators and reports have found that these audits haven't made much of an impact.

Well, the Department of Health and Human Services (HHS) has stepped up its game. In its 2015 Work Plan, the enforcement arm of HHS, the Office of the Inspector General (OIG), outlined a plan to conduct reviews as a means of oversight for HHS' agencies that use Recovery Act funds. Staying true to its word, the OIG began reviews this past April by auditing the Florida and Massachusetts Medicaid electronic health records incentive programs.

Why are they doing audits?

According to the Florida and Massachusetts audit reports, the OIG is conducting these reviews for the following reason:

The Government Accountability Office has identified improper incentive payments as the primary risk to EHR incentive programs. These programs may be at greater risk of improper payments than other programs because they are new and have complex requirements.

The OIG seems to be the logical choice to perform these audits since it has been critical of CMS in the past. In a 2012 report, the OIG pointed a finger at CMS for not putting into place appropriate checks and controls to properly manage the incentive plans through Meaningful Use. Its recommendations included screening reports and documentation prior to incentives being paid, issuing guidance on what example documents/records should be archived to show compliance, requiring EHR technologies to produce applicable reporting on Yes/No MU measures, and having the ONC improve the certification process for EHRs to ensure that accurate EHR reports are built in.

What are they reviewing?

From what we've seen from the Florida and Massachusetts reports and their 2015 Work Plan, the OIG reviews will include incentive payments from 2011 to present for eligible healthcare professionals and hospitals that have adopted EHRs. Their checks are designed to serve as safeguards against erroneous incentive payments being issued to covered entities that are not eligible. OIG will also perform audits of covered entities, including their Business Associates, such as cloud service providers, to ensure adequate safeguards are being utilized to protect electronic health information. A primary check will be the demonstrated completion of a security risk analysis to protect electronic patient information, as prescribed in the Meaningful Use Core Measures.

What can you do?

Due diligence and documentation. Borrowing a term from my military days, I always want the “BLUF” or the “Bottom Line Up Front.” The bottom line in this case is that the intention of HIPAA/HITECH/Meaningful Use is for covered entities and their business associates to continuously assess and address risk at all levels of an organization. Risk assessment methodologies like BluePrint's Vulnerability Assessment & Risk Analysis offer a comprehensive analysis of risk from the enterprise level to the more tactical levels. The assessment is designed to meet all the requirements as defined by 45 CFR 164.308(a)(1), 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3). The key to passing an OIG audit is the ability to demonstrate that you are continuously identifying and mitigating risks to protect electronic patient information.