Preparing for an Audit

By: Fran Nay, Optum

You’ve finally attested to Meaningful Use Stage 1, or you are almost ready to do so.  The Measures and Quality Metrics look good; your certified system is in order.  Time to breathe a sigh of relief?  Maybe – if your information could also sustain an audit!

While relatively few audits have been performed (and therefore there is not a good body of evidence related to the types of information to be checked) there are a few givens:

  1. Make sure before attestation that your numerators and denominators make sense and are consistent. 

    For example, an almost automatic audit flag would be generated if the denominators that are “unique patients” are not all the same.  If a denominator is a subset of unique patients (e.g., smoking status for patients 13 and older) it should be smaller than the “unique patient” denominator for practices with patients both older and younger than 13.

  2. Keep a copy of all information that was used for your attestation in an easily accessible audit archive.

    The audit can be requested for six years and you will undoubtedly be on a different version of your EHR software by then, and the person attesting may have moved on.  Do not depend on being able to generate the required information at the time an audit is requested.  An archive of additional reports specific for audit purposes is also crucial since you will be given a short (two-week) period to respond.

  3. Verify that the certified reports are correct for each item in your attestation. 

    The certified reports available from your vendor are correct for the “model” delivered software.  If you made any modifications or do not use the standard data elements, your certified reports may be producing incorrect results for your specific implementation.  Use a known data set to run the reports and verify that the expected results are being produced.  Keep records of the report verification in your audit archive.

  4. Archive the certification from the U.S. Dept. of Health and Human Services (HHS) that you generated for attestation.

    Keep this along with proof that the corresponding software and release levels were in place during the entire attestation period.

  5. For each Measure with numerators and denominators, your archive should contain not just a report of the numbers (which has to be from your certified report and be produced by your certified system) but also supporting detail. 

    For example, for Measure 13, “Provide clinical summaries for patients for each office visit,” if you report that your numerator was 239 and you had a list of the 239 patients and the date the clinical summary was produced, then your case supporting an audit of this measure would be very strong.  While vendor systems may be able to report this additional level of detail, they are not required to do so for certification purposes.  You may have to generate this additional level of detail or contract with your vendor to do so.
    Note that any patient information produced for audit purposes should be de-identified.  As always, entities should provide the “minimum necessary” information requested per HIPAA regulations.

  6. For the “Yes/ No” measures you also need to be able to produce supporting information. 

    For example, for the measure “Implement drug-drug and drug-allergy interaction checks,” there are Internet posts indicating that this has been audited; proof was needed that the interactions were turned on for the entire attestation period.  A report of interactions on a daily basis is one way that this could be supported in an audit.

For all of the information in your attestation you have to be able to answer the question, “If I had to prove that the attestation was correct, how would I verify that?”  That is the information you need to have readily available in your audit archive.