In the Stage 1 Federal Register, CMS mentions that incentive payments may be received until 2021. The Stage 2 Federal Register identifies increasing levels of Meaningful Use Compliance stages through 2021. Also, the Secretary of CMS has the authority to increase annual penalty percentages for each year. So there is statutory evidence to believe providers will be held accountable to Meaningful Use at least through that date.
We also know that auditors will be involved. MU creates a structure within which CMS can reduce Medicare costs by forcing penalties that will be paid out at least through 2023 (two years after the last year of Meaningful Use). Under current legislation, the Secretary of CMS is obligated to charge penalties of up to 3% of Medicare Reimbursement, and is permitted to increase those penalties to 5%, depending on market conditions.
Here’s a credible two-part speculation. Congress has stated that Meaningful Use of EHR is an important part of the Federal goals of Health Care effectiveness, cost reduction and access to information. The legislation charged CMS with continuously increasing the sophistication by which providers use their EHR technology, through the end of the current program.
- Speculation part #1 is that Congress could extend the Meaningful Use program to extend on through increasingly more sophisticated and rigorous usage as technology and internet infrastructures improve.
- Speculation part #2 is that CMS, in seeing the ability to assess penalties for non-compliance, could use Meaningful Use to reduce Medicare payments at least for some providers. Further, it is hard to imagine either Congress or CMS to rescind legislation that has the effect of reducing Medicare payments.
Even if Meaningful Use sunsets in its current legislative and regulatory authority, providers need to retain well-organized Meaningful Use data for six years (the audit period) after the last Meaningful Use Attestation has been filed, in 2021. However, we believe it is likely that once Meaningful Use has become institutionalized within CMS, and within the provider community, the program will be difficult to halt.
Every provider, regardless of whether they have “chosen” Medicare or Medicaid programs, will be subject to sustaining increasingly rigorous Meaningful Use status, or be subject to penalties; and are subject to audit over that period as well.
The Ticking Time Bomb of Meaningful Use
What’s the Ticking Time Bomb? The Bomb is Recoupment. It is delivered by CMS Auditors, and has a fuse that is up to six years long (although we will see a little later on that the length of the fuse could be changed at any time). What it means is that any money the government gave you could be taken away, at any time up to six years after you have spent it.
Although the Auditors deliver the bomb, the boom is really out of their hands. Any single trigger event, no matter how small, causes a full recoupment of any Stimulus paid in a year being audited. The Auditors simply look for triggers.
The triggers they look for are not necessarily whether a hospital or physician was compliant in a given year, but simply evidence showing proof of compliance. And therein lies the real issue. The Government (CMS) has never really defined what it takes to fully prove compliance, and in fact has actually issued a statement that they really can’t predict all the documentation that a provider should have.
What this means, is that Auditors are put in the position of making some impactful judgment calls. An auditor, in reviewing a Provider’s attestation of Meaningful Use from some time in the past, must decide whether the Provider can prove they were truly in compliance with each of 24 or 25 complex rules. Providers, although generally quite diligent in becoming compliant, have often been far less worried about the paperwork.
Here’s a good example. Let’s consider CPOE (Computerized Provider Order Entry). CPOE is neither more complex, nor less complex than most of the other rules, so it forms a good example. To fully understand CPOE, a diligent professional needs to read at least five separate documents. This simple four letter acronym is supported by 21 columns of fine print in the Stage 1 Federal Register, and another six columns of the Stage 2 Federal Register, eight FAQ’s (buried in a list of 300 on a CMS Website), and several pages of technology specifications in each of two separate issues of the Federal Register dedicated to what functionality a Certified EHR must have. Sound complicated yet? And yet it is quite common for a provider to rely on a single line item on a summary report from their EHR system that shows a single summary percentage.
Now, put yourself in an Auditor’s shoes for a moment. CMS has contracted with Auditors, under Congressional direction to be the steward for Program Integrity over Meaningful Use. After all, Congress authorized gross expenditures of over $30 Billion and they expect a couple things. First of all, they expect a return on that investment. That ROI should primarily consist of increased efficiencies in healthcare delivery (remember that on average, Congress pays for about 40% of healthcare in the form of Medicare and Medicaid claims). Since those efficiencies are, at best somewhere in the future, it will be impractical to try to measure ROI directly.
What this means is the Congress? stewards (the Auditors) have only one yardstick to use in measuring Program Integrity, and that yardstick is the body of regulation supporting Meaningful Use. Using CPOE as an example, an Auditor should be familiar with the entire body of regulations and use that familiarity to judge whether each provider was compliant with all of it. Auditors, being skeptical by nature (in fact, professional skepticism is actually a formal requirement of being a CPA), are unlikely in their Stewardship role, to accept a single line item on a summary report as evidence of compliance with any single rule so complex as CPOE.
What this means, is that when an audit happens, providers will be asked to produce documentation proving compliance with complex regulations, some of which have changed, using EHR Technology which almost certainly has changed, against patient data that is also time-sensitive. Further, some of what it means to be compliant with a rule will be quite hard to prove with a report. For CPOE, providers may be asked to prove that each entry was made by a licensed healthcare professional, and that it was input to the EHR in a sufficiently timely fashion that a physician could react to any alerts generated by the entry before the associated medications are administered.
Remember, the auditor has the right to expect this kind of proof.
Of course, the Auditor has some latitude. Some of their latitude is based on the normal judgment implicit in the job. Every day, Auditors have to decide how likely it is that their current target is to be non-compliant. Based on that judgment, each individual Auditor makes a choice to dig either deeply or shallowly. But even beyond that judgment call audit practices will be shaped by the policies and politics of their current client.
The Auditor’s client of course is the Federal Government, but the practicalities are a bit more complicated. CMS is part of the Executive Branch. But Meaningful Use is a recent invention of the Legislative branch, which continues to deploy their oversight agencies (GAO and OIG for starters), to make sure the Executives are administering the Congressional Mandate consistently with Congressional Intent. Does all this sound as if there could possibly be some conflicting agendas.
In 2013, the Executive Branch is eager to be part of Stimulating the Economy. Relative to Meaningful Use that translates into making sure as many providers as possible receive as much Stimulus Payment as possible. Congress, of course passed the law and is (largely) of the same mind. At the moment, anyway. But even so, Congress has already initiated multiple reviews of CMS’s administration of the Meaningful Use Program, and has at times been critical of some aspects.
All this plays into the Auditor’s latitude when reviewing proof of compliance. If Congress and/or the Executive Branch wanted to be sticklers on making sure every attestation was squeaky clean, the complexity of the regulations opens a lot of doors for denial of compliance, based on whether or not a provider, up to six years in the past, developed, organized and deployed adequate documentation to support attestation to a complex set of regulations, in a complex organization.
So far, Auditors seem to be taking the position of only looking for egregious or intentional non-compliance. Still, when faced with a lack of documentation, they have little latitude other than to judge a provider as non-compliant. In a case of non-compliance, CMS has little latitude other than to demand recoupment, based on the law passed by Congress.
The Ambiguity of Documentation Requirements
CMS has published over 1,600 pages defining and describing Meaningful Use. In none of those pages is there a definition of what documentation a provider is required to produce in the event of an audit. In spring of 2013, almost three years after passage of the Meaningful Use law, CMS finally published a five page briefing on how providers should document their compliance. While this booklet gives some direction, one single sentence puts providers on notice that they should expect no definitive structure, and that significant individual judgment is the only standard:
An audit may include a review of any of the documentation needed to support the information that was entered in the attestation. The level of the audit review may depend on a number of factors, and it is not possible to detail all supporting documents that may be requested as part of the audit.
As time passes, providers will share their experiences with audits. We will all learn more about what documentation techniques and strategies best mitigate audit risk, and what cost is reasonable to incur in developing defensive documentation. The problem will always be that today’s audit program is not necessarily tomorrow’s audit program. CMS’s policy is to review their audit program each calendar quarter and make adjustments, based on their success in defending program integrity.
It could be simple, in an environment of easy audits to assume that all future years will be equally as easy. The danger in this perspective is that CMS could decide, at any point, to reach back to the initial years of the Meaningful Use program and audit aggressively.
The Difficulty of Documenting Compliance
EHR’s are certified to be able to support Meaningful Use. Supporting Meaningful Use is quite a different story than proving it, though. Remember back to CPOE. In order to become Certified, an EHR is required to correctly calculate a percentage from a numerator and denominator. Certification testing does not extend to exhaustively proving that the population in either the numerator or the denominator is correct. In cases where hospitals (or even physician staff) use multiple EHR technologies during a reporting period, it is often necessary to combine data from multiple systems. We refer to this numerator / denominator calculation as the Certified EHR Report.
The Certified EHR Report is not in itself acceptable proof to an auditor that a provider is compliant for multiple reasons. First, it only shows summary statistics for each measure, and auditors are notorious for wanting to see the details making up those summaries. It is important to understand that there is no assumption that simply because software is certified, that its reported Meaningful Use percentages are accurate. The certification process is not required to exhaustively test for completeness or accuracy, but simply to verify that the EHR will create percentages.Second, the existence of a measure, even if accurate, does not in itself assure that the underlying processes were compliant. In one well-known case, a hospital officer was prosecuted for fraud when he loaded his Meaningful Use content into the EHR after patients were discharged from the hospital.
How Meaningful Use Audits differ from other compliance audits
Consider the example of Joint Commission Audits in hospitals. The auditor conducts a review, issues a report, and provides the opportunity for any procedural shortfalls to be remediated. The hospital corrects its documentation, and the actual non-compliant processes, then invites the auditor to return and verify. In the case of Meaningful Use, though, audits are always ?fter-the-fact, and it is not possible to correct a process that was flawed in a prior year. And if you can’t prove what your process was in a prior year, you may have difficulty refuting an auditor’s assertion of non-compliance.
What’s the bottom line? Even after all your providers have achieved compliance with all the Meaningful Use measures and requirements you will need to sustain a Meaningful Use compliance process, individual and database to support ongoing scrutiny from CMS or bear penalties based on reductions of your Medicare fee schedules from now on.