beyond meaningful use: lessons learned and implications for the auditor phyllis a. patrick, mba,...

Beyond Meaningful Use: Lessons Learned and Implications for the Auditor Phyllis A. Patrick, MBA, FACHE, CHC, CISM NEHIA Conference December 3, 2014

Topics Status of the Meaningful Use Incentive Program Key Components of a Meaningful Use Program Adding Value: Opportunities and Challenges for the Auditor Meaningful Use 2015 What Can We Expect? 2

Status of the Meaningful Use Incentive Program CMS and ONC Strategic Objectives Regulatory Requirements The 3 Stages of Meaningful Use Quality and Quality Reporting Security Risk Analysis what is required? Successes, Obstacles, Lessons Learned -- Where are we today? 3

CMS Goals for Meaningful Use Improve quality, safety, and efficiency of health care and reduce health disparities; Engage patients and families; Improve care coordination; Improve population and public health; and Ensure adequate privacy and security protections for personal health information. 4

5 Federal Health Information Technology Strategic Plan 2014 2018

Regulatory Requirements ARRA HITECH HIPAA ACA EHR Incentive Programs Final Rule HIT: Initial Set of Standards, Implementation Specifications and Certification Criteria for EHR Technology Interim Final and Final Rules Establishment of Temporary Certification Program for HIT Final Rule Establishment of Permanent Certification Program for HIT Final Rule Breach Notification Rule HIPAA Privacy and Security Rules Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act Proposed Rule HIPAA Privacy Rule Accounting of Disclosures under the HITECH Act Proposed Rule (in limbo!)

Roots in HITECH The Health Information Technology for Economic and Clinical Health (HITECH) Act provides the Department of Health & Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. 7

Regulations and Statutes American Recovery & Reinvestment Act (February 2009) Medicare & Medicaid Electronic Health Record (EHR) Incentive Program Notice of Proposed Rulemaking (NPRM) and Final Rule (July 28, 2012) Stage 2 Meaningful Use Final Rule (August 23, 2012) Security Risk Analysis 45 CFR 164.308(a)(1) (April, 2005) Health Information Technology for Economic and Clinical Health (HITECH) Law Interim Final Rule (February, 2009) Omnibus Rule (January, 2013, Effective September 23, 2013) 8

Key Players CMS Centers for Medicare & Medicaid Services Established EHR Incentive Program (formal rule making) Rule provides parameters and requirements for Medicare & Medicaid EHR Incentive Programs ONC - The Office of the National Coordinator for HIT Resource to support adoption of Health Information Technology (HIT) and promotion of nationwide Health Information Exchange (HIE) to improve health care OCR Office for Civil Rights Responsible for HIPAA Enforcement (Privacy & Security) OIG Office of the Inspector General 9

What is a Meaningful User? An EHR user must meet the following requirements: Use of certified EHR technology in a meaningful manner (e.g. e-prescribing); Use of certified EHR technology for electronic exchange of health information to improve quality of health care, such as promoting care coordination; and Use of certified EHR technology to submit Clinical Quality Measures (CQH) and other measures in a form & manner specified by the Secretary of HHS. 10

Meaningful Use Stages 2011 - 2013 Stage 1 Data Capture & Sharing 2014 - 2015 Stage 2 Advanced Clinical Processes 2016 Stage 3 Improved Outcomes Phyllis A. Patrick & Associates LLC www.phyllispatrick.com 11

Clinical Transformation Meaningful use represents the means of clinical transformation managing information for better care, safer care, more effective and efficient care. Stages 1 3 of MU progress from capture of health information and reporting of QCM and public health data (Stage 1) to information exchange and decision support (Stage 2) to systematic health care improvement (Stage 3). 12

EHR: A Platform for Quality EHR functionality is the beginning, not the endpoint. The quality of data and what providers do with the EHR is important and has to be carefully planned and managed. EHRs can be used to improve care. When will we get there? How do we get there? Understanding the BIG Picture is key! 13 Phyllis A. Patrick & Associates LLC

The Classic Quality Measurement Model Process Outcome Structure 14 Donabedian, A., The 7 Pillars of Quality Crossing the Quality Chasm, Institute of Medicine 2001 Phyllis A. Patrick & Associates LLC

Clinical Quality Measure Alignment Quality Measures CMS Core Measures Professional Credentialing Requirements MU Core Measures And Menu Set Measures Performance Improvement Goals 15 Phyllis A. Patrick & Associates LLC

Quality Programs How many? Hospital Inpatient Quality Reporting (HIQR) The Joint Commission Physician Quality Reporting System (PQRS) CMS Shared Savings Program National Council for Quality Assurance (NCQA) Childrens Health Insurance Program Reauthorization Act 16 Phyllis A. Patrick & Associates LLC

Harmonization of Quality Reporting CMS goal is to harmonize all quality reporting programs with EHR electronic reporting. In 2014 simultaneous reporting is voluntary. At some point (TBD), CMS will make this mandatory. How are hospitals and physicians preparing??? 17 Phyllis A. Patrick & Associates LLC

Decisions Hospitals Must Make When to begin to align CQM and Meaningful Use reporting, i.e. in 2014 or continue to report measures separately? Separate reporting requires submission of 57 CQMs for calendar year via chart abstraction and 16 CQMs for selected reporting period via CMS attestation portal for Meaningful Use. Alignment of reporting between the two programs EHR incentive program requires reporting for 1 quarter of patient-level data for 16 CQMs electronically and Inpatient Quality Reporting CQMs requires electronic reporting of 57 inpatient measures via chart abstraction. FY 2014 IPPS Final Rule, pages 50811-50819 18 Phyllis A. Patrick & Associates LLC

Where Are We Today? 19

Program Successes Four years of successful attestation and funds awarded to eligible hospitals and eligible providers. As of September, 2014 more than 415,000 health care providers received payment for participating in the Medicare and Medicaid EHR Incentive Programs. Medicare payments in excess of $16.3 billion (Stage 1) and approximately $48 million (Stage 2) from May 2011 through September 2014. More than $8.59 billion in Medicaid payments have been made between January 2011 (when the first set of states launched their programs) and September 2014. 20

Program Successes (Contd) 279,813 eligible providers and 4,283 eligible hospitals have attested. Of the EPs, 213 attested unsuccessfully; and 9,638 attested for Stage 2. Most popular menu objectives: For EPs drug formulary, immunization registries and patient list For EHs advance directives, clinical lab test results, drug formulary Least popular menu objectives: For EPs -- transition of care summary, patient reminders For EHs transition of care summary, reportable lab results 21

Obstacles Lack of attention by senior management. Lack of cultural adoption and involvement of key stakeholders. Lack of coordination, program planning, and centralized coordination. Lack of strategy, clear program goals and measures. Inadequate resources allocated for attestation. Failure to develop and maintain documentation processes. Failure to perform security risk analysis and risk mitigation planning, including documenting the risk analysis and risk mitigation plan and updating the program during the attestation cycle. Lack of qualified professionals with clinical and IT experience. 22

Lessons Learned The meaningful use program is a strategic initiative, best led by clinical and quality leadership. Key stakeholders must be identified and involved early and throughout the ongoing processes. Sponsorship by leadership is key to program success. The program must be organized and centralized, with sufficient resources to conduct day-to-day tasks, provide oversight of the program, plan and implement new processes. Documentation policies, procedures and processes are important and the devil is in the details. Communication across the organization should be ongoing and systematic. 23

Lessons Learned (Contd) Senior leadership and those responsible for EHR implementation must think differently about the capabilities required to support clinicians, support and frontline staff involved with the EHR. Clinicians and leadership must know how to drive optimization of EHR-derived data through health analytics. As the EHR process reaches a mature level of functionality, leadership, clinicians and others must understand and articulate the benefits of the EHR for the organization, for patients and for the community. 24

Lessons Learned (Contd) Think enterprise-wide (inpatient, ambulatory, ancillary, support) and CARE COORDINATION. Closely link the ACO and EHR programs and include mutual goals. Be patient! Expect to spend more money. Dont underestimate the challenges of influencing physicians to get on board. 25

MU Misconceptions True or False??? Meaningful use is an IT initiative. Meaningful use is an incentive program and obtaining funds is the goal. Providers are not accountable for the monies they obtain through the program. If a provider applies for and does not receive MU funds, there is no opportunity for appeal. Medicare will reduce overall payments to providers that dont meaningfully use certified EHRs and may declare providers ineligible for the program if audits turn up problems more than once. CMS audits will end in 2015. 26

Key Components of the Meaningful Use Program Governance Interdisciplinary Process Program Goals Financial Reporting and Reconciliation Outcomes Reporting Documentation 27

Governance Monitoring, tracking and managing compliance with the various and ever-changing requirements requires a concentrated focus and effort. A successful meaningful use program requires three foundational work streams: incentive program compliance; organization performance, and electronic health record (EHR) enhancement. The Meaningful Use Program requires comprehensive coordination and oversight to ensure current compliance and to establish capabilities for future health reform initiatives. Charter Statement is important. 28

Interdisciplinary Process Senior leadership must sponsor and champion the program. This is not an IT initiative. Clinical leadership on a day-to-day basis is critical. Fits with Quality. Areas involved, should include, among others: medical, nursing, and clinical staff; ancillary services; quality performance improvement; risk management; legal services; information security and privacy; finance; HIM; practice managers; information technology; and other key stakeholders. 29

Program Goals Flow from the Charter and Governance Structure Relate to organizational Mission, Vision, Values Foundation in strategic plan, IT plans, quality plans Outcomes reporting Ongoing auditing and monitoring Coordinating/directing activities for internal compliance audits Managing preparation and responses to external compliance audits Align MU improvement initiatives with internal current and future quality initiatives. 30

Financial Reporting and Reconciliation EHR technology is not critical to the delivery of patient services. Incentive payments are similar to revenues derived from sources other than providing health care services. How can management determine whether there is reasonable assurance that meaningful use has been or will be achieved for a particular period? Should there be a set aside for contingency/pay-back? Guidance available, e.g., HFMA Issues Paper (2011) Contingency Model IAS Grant Accounting Model 31

Quality Reporting is a Strategic Decision What resources and capabilities does the hospital have to align and report measures simultaneously? What is the organizations strategy on quality reporting? Are the different reporting requirements centralized and coordinated? How does data align across departments? How is data integrity addressed with quality reporting requirements? Is the EHR capable of creating and submitting reports for the various requirements? What is the organizations plan for simultaneous reporting - need to balance competing priorities and resources? How do quality reporting, EHR development, and clinical priorities fit with the organizations overall strategic plans and goals? 32 Phyllis A. Patrick & Associates LLC

Outcomes Reporting/ Clinical Quality Measures CMS selected CQMs to align with the DHHS National Quality Strategy priorities for health care quality improvement. CMS Quality Domains: Patient and Family Engagement Patient Safety Care Coordination Population and Public Health Efficient Use of Healthcare Resources Clinical Processes/Effectiveness 33

Quality Professionals Need to be Involved Stage 2 goals focus on ensuring that the meaningful use of EHRs supports the priorities of the National Quality Strategy. Use of Health IT for continuous quality improvement at the point of care Exchange of information in a structured format Health Information Exchange requirements: E-prescribing becomes more demanding Structured lab results need to be incorporated Electronic transmission of patient care summaries to support transitions in care across unaffiliated providers settings and EHR systems. INFORMATION FOLLOWS THE PATIENT. 34

OIG Interest CMS AND ITS CONTRACTORS HAVE ADOPTED FEW PROGRAM INTEGRITY PRACTICES TO ADDRESS VULNERABILITIES IN EHRS January 2014 CMS and its contractors had adopted few program integrity practices specific to EHRs. Specifically, few contractors were reviewing EHRs differently from paper medical records. In addition, not all contractors reported being able to determine whether a provider had copied language or over-documented in a medical record. Finally, CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities. 35

Vendor Technology Stability Vendors are under increasing pressure to deliver changes for Stages 2 and 3. Providers need to stay in contact with vendors and understand their delivery timelines and limitations. Due diligence and documentation re. vendor challenges and any failures to meet criteria must be documented. Providers should not rely on vendors to perform risk analysis or substantiate that all criteria are met. Management, clinicians, IT need to be on same page. 36

Additional Resources Are Needed This is not another IT project. Dont assume that technology can lead to FTE reductions. Support for MU will require additional resources. Key issues will include: Vendor management; Implementation of software changes and system modifications; Infrastructure changes; Interface development and maintenance; Need for sound change management procedures; and Interface with HIEs and other provider organizations. 37

Security Risk Analysis and Risk Mitigation: Meeting Privacy & Security Requirements 38

HIPAA RA/RM Requirements conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Once have you completed the risk analysis, you must take any additional reasonable and appropriate steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(iii)) 39

Security in Stage 2 Core Objective 15 Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Note: the preamble specifically addresses encryption/security of data stored in Certified EHR Technology, and notes that a review of the assessment must be conducted each EHR reporting period. Expectation is that security will evolve and change as needs change. Expectation of robust security. 40

Stage 1 vs. Stage 2 Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Security Risk Analysis must be conducted during each reporting period for Stage 1, Stage 2, and Stage 3. 41

Measure: Stage 1 vs. Stage 2 Stage 2: Eligible professionals (and hospitals) need to meet the same security risk analysis requirements as Stage 1, but must also address the encryption/security of data at rest. 42

Additional Precautions Dont attest for EHR Incentive Program until you have conducted the security risk analysis (or reassessment) and developed a risk mitigation plan to correct any deficiencies identified during the risk analysis. You must implement the plan, which can be phased, but the plan needs to be clear and documented. Document changes/corrections in the security program. Update policies as appropriate to reflect changes and improvements. Communicate policies and changes. 43

Keep in mind. When a provider attests to meaningful use, it is a legal statement that the provider has met the specific standards, including protecting electronic health information. 44

False Claim Engaging in a conspiracy to defraud by the improper submission of a false claim FCA strengthened by: Fraud Enforcement and Recovery Act (2009) - redefined obligation to include retention of any overpayments Patient Protection and Affordable Care Act (2010) - a person need not have actual knowledge or specific intent to commit a violation Providers will not be able to successfully argue that they did not know. 45

Recoupment of Funds Failure to meet one (1) of the criteria can result in recoupment of all payments. Some providers incentive funds been recouped and some have self-disclosed and paid monies back. Be aware CMS has noted that several providers have been referred for possible fraud investigations, through direct reports to CMS. 46

Potential Bumps in the Road The Attestation Process If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high- impact and high-likelihood risks. ONC Guide to Privacy and Security of Health Information 47

Final Statement in Attestation I certify that the foregoing information is true, accurate and complete. I understand that the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this claim for Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment, may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties. 48

Between You and Your Contractor If during attestation, you or your EHR contractor answered yes that you were in compliance with this MU criteria without first ensuring complete compliance with the Security Rule Risk Analysis requirements, not only is your incentive payment at risk, but you also may be subject to liability under the Federal False Claims Act. 49

The MU Audit Program The Basics Federal and State Programs 2015 and Beyond: What can we Expect? 45 CFR Section 164.308(a)(1)(ii) 50

Meaningful Use Audit Process Pre- and post-payment audits (January 2013 ) Edit checks in EHR systems Documentation audits Source documents required Appeals process (888-734- 6433) Comprehensive audits Payment recoupment 51

Focus of State Audits States to collect and verify information provided by applicants for MU funding: Eligibility (upon enrollment or re-enrollment); Patient Volume; Physicians hospital-based status; If physician practices predominately in a FQHC or RHC; and Providers efforts to adopt, implement, or upgrade CEHRT. State audit processes vary. 52

Current CMS Audit Process CMS contracted with Figliozzi & Company to conduct audits, send out audit notifications and documentation requests. Contract period is 2012 2015. Audit notification letters initiate the process. Documents are requested (hospitals and professionals). Follow-up questions may be posed to auditees. 53

54 Audit Request from

Audit Process Initial request letter (sample is on CMS web site). Letter is sent electronically by Figliozzi and Company. On-site review may occur EP/EH may be required to demonstrate how the EHR system meets the meaningful use criteria. Audit Determination Letter Will document success in meeting the MU audit or Recoupment of payment. 55

Document Request List - Examples Medicare Incentive Program for eligible hospitals (2012) General Information Proof of possession of certified EHR technology system; Copy of ONC certification; Licensing agreements with vendor; Invoices from time of purchase; and Documentation to support method chosen to report ED admissions, calculations, etc. 56

Examples (Contd) Core Set Objectives/Measures Supporting documentation is used to complete Attestation Module responses (report from EHR system that ties to Attestation). Screenshots from EHR system may be used. Menu Set Objectives/Measures Supporting documentation is used to complete Attestation Module responses (report from EHR system that ties to Attestation). Screenshots from EHR system may be used. 57

Preparing for MU Audits 58

Supporting Documentation Documentation is required for pre- and post-payment audits. Documentation must support meaningful use and clinical quality measure data that is submitted. All source material (paper and electronic) must be saved for at least 6 years from attestation. If using hospital cost report data, follow data retention policies and process. Documentation must support payment calculations (hospitals). Reports must come directly from the certified EHR system/modules. Dont rely on vendor for documentation! 59

Additional Supporting Documentation Primary documentation should include: Numerators and denominators used for the measures; Time period the report covers; Evidence to support that the report was generated for the eligible hospital, eligible provider (NPI, CCN, provider name, practice name); and Documentation that demonstrates how data was accumulated and calculated. 60

Source Documents Audit logs Screen shots Letters received from public health agencies Summary of data that supports the information entered during attestation 61

Be sure to follow the same order as requested in the letter from Figliozzi (or CMS). Cover letter outline exactly what you are submitting in response to each document request. Create a single PDF of all of the documents in the correct order along with a cover letter and submit. Most importantly Dont miss the submission deadline! Documentation Submission 62

Lessons Learned Patient List does it make sense for the type of EP? Dont confuse how your vendor numbers the MU requirements with CMS documentation request. Security Audit documentation: Must cover MU reporting period; Must update for every MU reporting period; and Must address any new focus, based on MU Stage. 63

Good Practices Make sure that a Security Risk Analysis was conducted, a remediation plan developed, remediation occurred, remediation was documented. Plan of Action with administrative, physical, technical safeguards; organizational requirements and documentation. Document ongoing RA/RM processes. Save all: Attestation supporting documentation; CQM documentation; and Payment calculation documentation. 64

Good Practices (Contd) Maintain all documentation for at least 6 years. Review all supporting documentation for attestations, CQMs, payment verification, etc. BEFORE any audit request. If contractor was used for Attestation process, review supporting documentation on a regular basis. Ask questions. Make sure you have all documentation. 65

Good Practices (Contd) Verify that incentive payments were accurate (possible over-payments or under-payments). Make sure you have proxy permission from your Eligible Professionals to attest on their behalf. SAVE EVERYTHING! 66

Conduct Your Own Audits Documentation is there an automated repository? Who is responsible? Is it easy to retrieve? Process Testing are you meeting criteria over time, under different conditions, etc.? Financial Reporting can you trace the funds through the financial statements? Outcomes Reporting -- review for consistency with quality performance and outcomes reporting processes, reports of Quality Office. Get all stakeholders involved (IT, Compliance, Privacy, Informatics, Quality, Clinical Staff, IT, Security, others). 67

Adding Value to the MU Program: Opportunities and Challenges for Auditors Meaningful use is a dynamic, ongoing program and process! Conduct focused audits and use results to improve the meaningful use program, for example: Preparation for Stages 2 and 3; Vendor preparedness/EHR Upgrade process/Vendor documentation; EHR Training Programs; Patient Volume Verification MU documentation vs. patient census and billing data, other reporting requirements for same periods; Physician Practice documentation of MU funds, attestation process, security risk analysis, etc.; Financial reconciliation processes; and Preparation for and results of OIG audits. 68

Meaningful Use 2015 What Can We Expect? Catch-up for Stage 2 providers and vendors still have work to do. Status and timing for Stage 3 Core Measures will be clarified- ??? Will CMS change its position on cutting payments to providers that dont meaningfully use certified EHRs? CMS contract with Figliozzi ends. Will there be a new and/or different approach? OIG audits will continue. 69

Future CMS Audit Processes Will likely involve use of a contractor by CMS--- who will it be??? Will be more robust and comprehensive. May be process oriented, include analysis of quality reporting, testing of EHR systems, etc. MU is a dynamic, ongoing program and process! 70

Ensure Security Risk Analysis was conducted.. Perform or review existing Security Risk Analysis of your certified EHR technology Do you have copies of your vendors security policies? Has testing been thorough and documented any potential security issues have been fixed? Have you/vendor made any security updates (e.g., updated certified EHR software)? Have you/vendor corrected any security deficiencies (workflow, storage, etc.)? 71

OIG Interest Early Assessment Finds that CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program Department of Health and Human Services, Office of the Inspector General, November 2012 Included review of self-reported Meaningful Use of certified EHR technology in 2011. 72

OIG 2014 and 2015 Work Plans Review of Medicare and Medicaid Incentive Program Payments. Assessment of CMSs plans to oversee incentive payments for duration of the program and actions taken to remedy erroneous incentive payments. Audits of Security of Certified Electronic Health Record Technology of various entities receiving EHR incentive payments and their business associates, such as EHR cloud providers to determine whether they adequately protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. Examination of security of medical devices that network with EHRs. 73

Beyond 2015 EHRs to remain one of OIGs key focus areas until 2018 or later. Establishing the audits is a core meaningful use objective. OIG will continue to: Examine EHR documentation vulnerabilities; Oversee HIPAA privacy and breach notification regulations; Focus on providers who have received meaningful use payments; and Review security of protected medical information stored on portable devices. 74

Recovery Act (ARRA) Citations Medicare incentive payments authorized over 5-year period to physicians and hospitals that demonstrate meaningful use of certified EHR technology (Sections 4101 and 4102). Incentive payments 2011 through 2016, with payment reductions to health care professionals who fail to become meaningful users of EHRs beginning in 2015 (Section 4101(b)). Medicaid incentive payments for eligible providers to purchase, implement and operated certified EHR technology, with 90 % federal match for State administrative expenses (Section 4201). 75

Security | Privacy | Culture Phyllis A. Patrick, MBA, FACHE, CHC, CISM Phyllis A. Patrick & Associates LLC www.phyllispatrick.com [email protected] 914-696-3622 76