April 2015 is the month the dreadful OIG Meaningful Use audits commenced. These audits are different than the ones conducted by Figliozzi & Company, the outside audit contractor of the Centers for Medicare and Medicaid Services (CMS).
Unlike the Figliozzi audits, which cover MU attestation for a single Meaningful Use reporting period, the OIG audits cover incentive payments from January 1, 2011, through June 30, 2014. Also, OIG is more concerned about the security requirements of Meaningful Use; it wants to know if an organization’s Meaningful Use program adequately complies with HIPAA and sufficiently protects PHI.
If you have received an audit notice, you are among a lucky few who have been chosen by the Office of Audit Services of the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (if the audit hasn’t irritated you, the length of that name should).
Did you do anything to deserve this?
Probably not. As per the OIG, the selection is completely random.
Would everyone have to go through it?
Not necessarily. But it’s always better to be prepared. Your Meaningful Use incentives and the reputation of your practice are at stake. Moreover, you do not want to be caught on the wrong side of HIPAA. I shudder to think of the consequences.
Should you be worried?
Depends on your level of preparedness. (How many times have we repeated this line with one healthcare regulation or the other?)
Has someone actually received a notification?
Yes. The OIG does mean business with this one.
In fact, those who did receive the audit notifications had some interesting things to say. For example, Cathy Borst, Vice President and CIO at Chicago-based National Surgical Healthcare, while speaking at HiMSS this year, quipped:
“I was coloring my hair every two weeks regularly before the audit. It became a weekly practice when I received the audit request.”
In short, these audits are happening. They are comprehensive and will require considerable resources to deal with. The auditors aren’t people you want at your doorstep, but if they do show up, here is how you can successfully handle them:
Be Prepared, Not Scared
The top leader of your organization will receive a notification from the OIG. Next, several auditors will show up at your doorstep. They intend to be present at your practice/hospital for at least two weeks, so ramp up on your supply of Tylenol and patience.
I reiterate that the aim of this audit is to review certain, not all, Meaningful Use measures, in order to make sure that a provider has not received incentive payments in error. Make certain that all your documentation, such as measure calculation reports printed from your EHR, security risk analysis reports, and dated screen prints, demonstrates that you met the measure during the Meaningful Use reporting period or before the applicable deadline.
For the security risk analysis, OIG auditors will review ePHI protection procedures in place for the past several years during multiple stages of Meaningful Use and compare those with government and industry-wide best practices. So, make sure that your risk analysis is comprehensive and that you have a contingency plan for the protection of ePHI in case of an emergency.
The auditors will also look at the security profile of your EHR, and that of the connected networks and business associates, including cloud services. If you have a contract with an EHR vendor to host your system, OIG will want to know if the vendor is actually hosting it or if they have contracted an outside cloud service; you must know the name of the cloud service. Moreover, if you do not have a Business Associate Agreement in place, that will be a problem.
This audit also requires additional protections that the CMS audit does not include, such as turning on and using audit trails or review logs in your EHR.
The following will be the key areas of interest for the OIG auditors:
- Risk Assessment audits and reports
- EHR security plan
- Organizational chart
- Network diagram
- EHR websites and patient portals
- Policies and procedures
- System inventory
- Tools to perform vulnerability scans
- Central log and event reports
- EHR system users list
- Contractors supporting the EHR and network perimeter devices.
Also, they will want to talk to the person primarily responsible for each of the areas of interest to address how well policies and procedures are followed. You might want to conduct a mock audit to prepare. Most importantly
These audits are no joke
While planning for this audit, it is worth noting that deficiencies identified for one physician in a physician group, or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing Meaningful Use in the same way. Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.
It is but normal to dread these audits. However, think of it this way. If you do end up being audited, the preparation you do for it might save you from a lawsuit filed for breach of information in the long run. I am sure you would much rather go through this process with OIG than with plaintiffs’ lawyers.
In the meantime, let’s keep our fingers crossed. The American Academy of Family Physicians (AAFP) has recently appealed to Andy Slavitt, acting administrator of the Centers for Medicare & Medicaid, for relief from Meaningful Use audits. Hopefully, just as with the simplification of the Meaningful Use program, the government will show some flexibility here as well.
Till then, you can learn more about Meaningful Use audits by downloading our MU Audit guide.