Figloiozzi and Company Begin Meaningful Use Audits as CMS Designee
2012: Issue 12 - Focus on HIPAA/Privacy
By: James B. Wieland and Joshua J. Freemire
Coauthor Josh Freemire has been quoted and interviewed extensively on meaningful use audits in various health care industry publications, including Bloomberg BNA, EHR Intelligence and Medscape Medical News.
A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from an Figloiozzi and Company, acting as CMS's auditor for the EHR Incentive Program (the "Program" or "Meaningful Use Program"), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.
The letters from Figloiozzi and Company, as the Department of Health and Human Services (HHS) Secretary's designee, request four categories of information:
Based on questions from recipients, an amended version of the audit letter has been sent out, adding "(i.e., a report from your EHR system that ties to your attestation)" to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.
The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to "plan ahead" for an audit they can be certain is coming.
Audits are always nerve wracking, but these letters do not appear to be the type of specific, targeted, detailed investigation that can give rise to significant operational interruptions and expense. Rather, these audits, based on the initial letters and the request for information typically stored in the EHR system, appear to promise a very basic desk audit. It seems likely that the results of these broad, basic audits will be used by CMS as the basis for further audits under subsequent initiatives at a later date.
It is important to note that while the audit letters state that information submitted will be confidential, they do not specifically request identifiable patient health information or other, similar PHI. Audited providers should be careful to ensure that they do not simply "throw the kitchen sink" at Figloiozzi and Company and, in the process, provide unnecessary and unrequested PHI. As always, entities should provide the "minimum necessary" information requested.
*Joshua J. Freemire is a former member of Ober|Kaler's Health Law Group.
© 2016 Ober|Kaler All Rights Reserved.