The CMS EHR Incentive Program is going full bore. Over $390,000,000 was paid out in November alone by Medicare to Eligible Professionals (EP) and Eligible Hospitals (EH). That doesn’t even include the Medicaid incentives. Seems like every possible EHR is certified, EPs and EHs are registering, and we’ve even seen the Stage 1 early 2011 adopters be given a present of not having to reach Stage 2 until 2014. Certification, registration, meaningful use, attestation, incentives. Where is the fly in the ointment? Two word: potential audits.
CMS clearly states there will be audits and says so here: “All providers attesting to receive an EHR incentive payment for either Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module responses). Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.”
CMS even tells you how to prepare for an audit: “To ensure you are prepared for a potential audit, save the supporting electronic or paper documentation that support your attestation. Also save the documentation to support your Clinical Quality Measures (CQMs). Hospitals should also maintain documentation to support their payment calculations.”
I won’t be the one doing these audits but if I was I would tell you what I would examine as soon as I walked through your door. I would ask to see a Security Risk Analysis documentation for either EPs or EHs: “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” If you can’t produce this analysis, or it’s incomplete then you do not have the documentation to support the incentives you have received.
During the attestation I suggest you pause before you check that attestation box that reads: “Yes, I have conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies”. There is real risk here and many EHR vendors don’t understand what the issues are. The RECs know what is involved and can provide direction and clarification.
2012 will see the first audits and there will be some real horror stories coming out when incentives are taken back because of incomplete or missing security documentation. Don’t be one of those. As Aunt Bee used to say: “a stitch in time saves nine”.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
