"For every core and menu objective, we have screenshots, and we have a standardized template, but we came across a challenge in trying to show that we had enabled the drug formulary check for the entire reporting period," said La Grange. "Our solution was recorded demonstration."

Their pharmacist developed a script, then identified the key points he wanted to highlight, proceeded to use WebEx, which was ultimately converted to a Windows Media file and voilà. They used a test patient in a live environment, with all the protected health information eliminated. The entire recording was less than two minutes long. "It is an effective way to demonstrate compliance," La Grange added.

"First, we have all of our recommendations and key decisions along with accountability and rationale to support our decision," said La Grange. “This makes us feel very comfortable knowing that we could be audited at any time in the next six years."

The next part in creating the book of evidence is crucial, she opined. After thinking they were all set and covered for their mock audit, the folks on Scripps' internal audit team came back and recommended that La Grange and her crew reach out to the system's legal counsel on the subject of vendor agreements. The legal counsel eventually advised La Grange to ask their vendors if they would give the green light to share the vendor agreement, as they often have "a certain level of confidentiality." Turns out, it was a good thing they asked.

"Neither of our two key health information system vendors wanted us to share their agreements," said La Grange. "Instead they preferred that we use a vendor supplied letter."

So bottom line? Go back and check.

The second step of developing a mock audit program involved clearly defining the role of the internal audit, which should operate as an independent function.

Next, it was a matter of developing guiding principles for their process. This, La Grange said, involved establishing a single point of contact for the CMS auditor to deal with, that way you're eliminating the possibility of providing conflicting information, she said. Part of Scripps guiding principles include only providing specific information requested, logging all communication with the auditor, de-identifying patient data and ensuring all relevant documentation is maintained at least six years following attestation.

Then, La Grange and her team created audit-tracking tools, essentially a checklist of items to be done and audit request forms.

Next, it's about clearly defining stakeholder and roles in the audit process.

[See also: What not to do in a meaningful use audit.]

"We found it helpful to compartmentalize the roles," she said. "There are some participants who really need to be actively involved in the process, where others just want to keep the finger on the pulse of our progress." At Scripps, there were three key roles, La Grange pointed out: mock auditor, key audit contact and internal audit role.

Now, you're ready for the mock audit. La Grange recommends doing this part in two phases, with the first phase including proof of certified EHR, source documents, summary report, evidence report, security risk assessments and procedures performed during the risk analysis.

The next phase included core and menu objectives with thresholds, with the supporting documentation in addition to attestation measures.

The final step, La Grange said, is just a matter of incorporating lessons learned and examining feedback.

Ultimately, these mock audits "took some of the organization's fear away from the real audit, added La Grange. "When we got our first audit request, our heart rate went up. I'll admit it, but we got out our audit tracking tools, and we followed our pre-defined methodology."