Although most CIOs support the idea behind Meaningful Use audits, they find the methodology to be maddening, according to the October healthsystemCIO.com SnapSurvey, which found that 55 percent view audits as a “necessary evil.”
Nearly a quarter of CIOs, however, believe they merely add to the burden of already overtaxed IT organizations, with one respondent stating that the process is “far from reasonable, and that “there has got to be a better way.”
The good news is that a large majority (79 percent) of CIOs believe their organization is adequately prepared to respond to an audit. Some have even conducted internal assessments to help identify potential problems.
Not surprisingly, when it comes to managing the audit process, 45 percent said the burden falls mostly on CIOs. MU coordinators and CFOs are also relied upon to either take the helm or offer support, the survey found.
Although the biggest concern CIOs have with audits is the added strain on staff resources (38 percent), the ability to provide all of the required information was also a cause for alarm. “Things are being asked for were not part of certification, and in the end, after the fact, are unreasonable — like proving CDS was turned on for the entire period,” one CIO noted. “I can get there, but it is a tremendous amount of work and time.”
Lack of consistency was also an issue, with one respondent calling the requirements “vague and subjective,” and another stating that “the rules appear to change depending on the auditor.”
Finally, some CIOs questioned how auditors are incented through the process, expressing concern that a lack of alignment may lead them to “hunt for a problem that does not exist.”
(SnapSurveys are answered by the healthsystemCIO.com CIO Advisory Panel. To go directly to a full-size version of any individual chart, click on that chart.)
1. Has your organization experienced a Meaningful Use audit?
- We have been audited twice by the state (Medicaid eligibility) and we have had three provider audits.
- We were one of if not the first to be audited, since we were the first in the country to attest to Meaningful Use.
- We have conducted an internal audit by the corporate Office of Audit and Compliance.
- Not yet!
- We know of a few that have received letters and are hoping that they can provide guidance subsequent to completing the audit.
2. Do you feel your organization is adequately prepared to respond to an audit? (Or if your organization has already been audited, were you adequately prepared?)
- We were well prepared. In addition, we had completed an internal audit prior to the real thing — very helpful.
- We think we have all the supporting requirements.
- We have recently matched our documentation to MU criteria as a test and feel comfortable.
- We performed an internal audit based on the factors that would be reviewed by an external/Federal audit.
- My answer is “yes with a ‘but’ … We collected and assembled an evidence book measured in inches and pounds but guidance has suggested that we did not capture 100 percent of what an auditor may be looking for.
- We recently put ourselves through an internal audit and learned about our gaps. We feel very well prepared.
- I think the expectations are becoming much clearer after the first wave of audits performed (our wave). I still think the requirements are vague and subjective, but the audit company was willing to work with us regarding evidence of compliance.
- I’m not sure
- We feel that we’ve documented every response of the attestation for MU, but there are many questions about the interpretation of some of the requirements that we’ll never know the real answer to until (or if) the auditor shows up.
- The rules appear to change depending upon the auditor.
3. What concerns you most about the MU audit process?
Ability to provide all of the required information (including follow-up requests)
- Although we are prepared, others I’ve spoken to who were also prepared were surprised.
- Some of our screen shots do not have the vendor logo on them. Providing hard evidence that we used the certified system the entire period and that drug formulary checks were active during the period can be difficult without requiring some inference on the auditor’s part.
Possibility of having to appeal
Dealing with strain on staff resources
- It really depends on how vigorous of an audit it is. If it’s supplying the information that supports attestation, then no problem. We all knew going in that we have to keep this data for 6 years.
All of the above
- Unfortunately we had to attest for the first 2 rounds prior to any audit standards were produced. For phase 2, we will be clearer.
- Just the aggravation of it all. While we had no real problem with our provider audits, there is the problem of having our hospital docs being eligible providers, and therefore, the workflows implied by the meaningful use objectives don’t work for them. Additionally our definition of patients “seen by you” includes only “face-to-face visits,” this leads to low or zero denominators for some procedural-based providers (e.g. dialysis nephrologists). These folk look “odd” from the auditors’ perspective.
- Variable interpretation of standards. There’s not a lot of history in the audit and appeal process to know what is truly concerning. Are they looking for gross misrepresentation or can you fail on a technicality?
- Misaligned incentives. I wonder if the auditors’ incentives will be misaligned with ours, leading them to hunt for a problem that does not exist.
4. In the event of an audit, who would be charged with managing the process?
- The CIO is the Compliance Officer in our organization.
- The CFO is heavily involved as well.
- The same person who was responsible for attestation.
- In conjunction with our CFO and MU coordinator, I would be the lead.
- Our meaningful use team, led by the CMIO, initiates and coordinates the attestation process. Audits are the responsibility of compliance with us in support.
- Supported by the CIO and CFO.
We have a designated team in place
- Consists of CIO, CISO, Compliance and Quality leaders.
I’m not sure
- Joint compliance and CIO.
- CIO and a host of others.
- CIO and MU Coordinator.
- Internal auditor.
5. What is your overall impression of the MU audit program?
It places an unnecessary burden on organizations
- Things are being asked for were not part of certification, and in the end, after the fact, are unreasonable — like proving CDS was turned on for the entire period. I can get there, but it is a tremendous amount of work and time.
- Generally I think audits are reasonable. However, from what I have heard, the methodology for the MU audits is far from reasonable. There has got to be a better way.
- I would prefer a different attestation approach be created so no future audits would be necessary.
- I would rather we have to submit all of the supporting documentation along with rather than SO FAR after the fact… we are being audited in October 2013 for the Oct. 2011 to Sept. 2012 time period.
It’s a necessary evil that must be dealt with
- Clear fraud and abuse must be dealt with, and unfortunately, there must be some watchdog to assure appropriateness. I am concerned, however, that these watchdog groups aren’t about the end result of what we need to deal with, and that mistakes (or misinterpretations) are made. These audits must be done in a way that the organization has an opportunity to correct the any findings without jeopardizing revenue or stimulus funds received.
- This is a real burden and liability for independent solo practitioners who don’t have compliance support. I am aware of examples where this went poorly even though the doc had spent a considerable sum converting his paper-based practice and clearly was using the EMR appropriately, but because he is a doc and not an auditor or compliance person, he failed miserably to prepare to defend. This is clearly not the intent and in my view is egregiously unfair.
- I think there are many organizations, particularly practices that have attested and really did not meet the measures. Hospitals are generally more paranoid about compliance and I would be shocked to know someone hasn’t met the measures. Seeing the statistics for recoupments broken between hospitals and practices would be interesting.
- The “all or nothing” part of MU makes it a stressful event to look forward to. If an organization is doing everything “right” but missed one small item, there should be room for a partial settlement.
I fully support it and have no issues with it
I’m not sure
- I believe that there should be some level of audit; however, the folks conducting the audit need a level of understanding about how HIT is implemented/installed and used.
- I am not familiar with the audit process so I can’t comment.
- None of these choices adequately describes my position. It’s necessary since there are taxpayer dollars and there is a fair amount of fraud, so the risk of an audit should encourage accuracy and appropriateness. That isn’t “evil.” I am not sure how the external agencies performing the audit are funded; I would hope it is on a global cost and not on findings — we should not financially incent the groups to look for problems as errors are more likely from mistakes and not gross negligence.