When stakeholders, federal officials and proponents of electronic health records first tossed around the idea of providing incentives to help move the giant boulder of progress up the mountain, there were plenty of skeptics. How can you take physicians who are set in their ways - and patients who are used to those ways - and change all the rules? But, change they did, and in just two years since the EHR Incentive Program began, more hospitals and physicians than ever before have gone digital. The boulder has crested the hill, tout federal officials.
All seems to be going well.
Except: There's a new sheriff in town: Garden City-N.Y.-based Figliozzi and Company, a federally contracted firm responsible for conducting meaningful use audits. The audits have increased and intensified spurred by concerns in Washington from the Government Accountability Office and the Office of the Inspector General, which both called for better oversight of the program last year. More recently, six Republican senators have expressed the same concern.
Federal officials argue the audits are not meant to provide roadblocks to progress, but some in the industry are warning they are trying providers' patience and making them edgy at a time when many pressures are mounting, including other federal audit programs, the ICD-10 conversion and changing reimbursement models.

Stories of real audits from the field
Countryside Family Practice
At Countryside Family Practice Associates, a three-physician practice in Marshall, Va., a rural town in Northern Virginia with a population of 1,480, primary care physician Norris Royston, MD, is frustrated. He thought he was ahead of the game, he says. Five years ago, his practice adopted electronic health records after conducting what he thought was a thorough due diligent search for the right EHR vendor. His practice is part of Faulkier Physicians Network, which he helped form, to ensure interoperability and data exchange among them.
According to Royston, each physician in the 33-physician network, in 11 practice locations, put up $15,000 to get started with EHRs. More expenses were accrued to get the bandwidth needed to send the records electronically. All in all, the Faulkier Physician's Network spent more than $2 million to get the whole thing running, Royston says.
In 2011, Royston attested to meaningful use; qualified, and was paid $12,000. Royston proceeded to collect data for all of 2012 for his Stage 1 reporting period. Then recently, Royston was notified he would be audited, along with one of his partners. His partner passed the audit, but Royston is still waiting to hear how he did. He is baffled as to what the hold-up is: he's using the same EHR system, the same data and doing the same work as his partner.
In his first audit letter, Royston says he was asked for 12 things and given five business days to come up them. He provided the required information, and another 60 days passed. Royston then got another request for an additional four to five pieces of information, with another five-day deadline. At the time of this interview in late April, another three to four weeks had passed, and Royston still had not heard back from the auditors.
Royston is a diplomate of the American Board of Family Practice and a fellow of the American Academy of Family Physicians. He is fully licensed to perform pilots' physicals for the F.A.A. He has served as president of the Medical Society of Virginia, and is on the Virginia Political Action Committee. He says he chose to go into family medicine because there is such a great need for it in his rural community. He also adds he never turns down Medicare patients, as many physicians in the area do. He wonders if his audit has to do with his large Medicare load of patients.
"I have no personal vendetta," he says of the auditors, "but what does an auditing firm from New York have to do with access to care in rural Virginia; and what knowledge of my practice do they have?"
Royston says he is operating in the red this month, due to the audit, and his staff and he have had to take time from their daily work managing the practice and attending to patients, to accommodate the audit.
Royston's main question is: Why push a federal program only to yank the rug out from under those who try to accomplish its goals?
CentraState Medical Center
At CentraState Medical Center, a 282-bed system in Freehold, N.J., Indranil (Neal) Ganguly, vice president and CIO of information management has led his organization through both a Medicaid prepayment audit and a Medicare post-payment audit. He describes the audits as "a lengthy process."
"A lot of it was a learning process for the auditors, and perhaps there's no way around that," he says.
Ganguly said one of the frustrations he encountered, was the auditors asking for things his EHR system simply wasn't designed to provide. "They wanted us to show that some of our queries were enabled the entire 90-day reporting period, and we had to find a creative way to prove it," he says. Ganguly was able to show that drug-to-drug interactions alerts fired every day on the audit logs.
After providing auditors with the proof that the system had been running the full 90 days, via an audit report, the auditors then questioned whether the report really came from the Center's system, and not another hospital's.
The audit took a little more than four months, Ganguly says, from November 2012 until February 2013. It was conducted via email and phone calls, and the requests for additional information came "with increasingly tighter deadlines," he says. At first, he was given two weeks to produce additional information, and then five days.
The entire process was nerve-wracking and "caused a lot of panic," Ganguly says. The amount the hospital had gained in incentives was 2.7 million for 2011 and 2.1 million for 2012. The audit letter led the hospital administration to believe that if the audit failed, the hospital would have to pay the money back, "but nothing was definitive," he says.
What got Ganguly and his team through the audit? "We were confident we met the spirit and intent of the Stage 1 rule, and we had been very, very aggressive in reviewing and having outside review. It was just a question of how to best prove it," he said of the overall audit and the security assessment, one of the main requirements for meaningful use.
Despite the overall distress the audits caused, Ganguly says he's optimistic things will get better. At HIMSS13 in New Orleans in March, he said he "got the strong feeling that ONC was listening and passing those concerns along to CMS. I felt that we were being heard; that these weren't meant to be punitive audits," he says. The real test, however, will be to see what is experienced by those who get audited in the second wave, if they'll have to face the same strain, he says. Ganguly says he hopes he won't have to face another audit, even though all turned out well. Going through an audit uses up a lot of resources, he says.
Reactions from trade associations
Trade association leaders express some real concern over the audits. The American Medical Association Board Chair Steven J. Stack, MD, says it is no small feat for physicians to meet the criteria needed to achieve an incentive under the meaningful use program. "For many physicians, participation in the MU program is an enormous undertaking that requires significant workflow changes and upfront technology investments."
"The AMA opposes prepayment audits in the MU program, as they would unfairly impose additional burdens on physicians who have already made tremendous commitments to participate," Stack says. "Instead, ONC should adopt OIG's recommendations that the certification process for EHR technology be improved and certified EHR technology should be required to produce compliant and accurate reporting documents, including those needed to meet an audit to substantiate incentive payments."
Jeffery Smith, director of public policy at the College of Healthcare Information Management Executives (CHIME) says the audit program has been a concern for a while. "We knew it was coming down the pipeline," he says. "But, until recently, there was very little material on what would be needed." The best advice CHIME could offer its members was, "keep everything."
Then, reports began to come in that the audits were varying vastly - depending on the region of the country where the audits took place and depending on the Figliozzi auditor assigned to conduct the it. Smith says he is certain the contractor has an audit protocol, but he's not so sure how evenly that protocol has been implemented.
"Some of the experiences of our members would indicate that the auditors are not as knowledgeable about the technology they are auditing, and that's making things complicated," he says.
Smith says CHIME fully understands and is fully on board with the need for audits for the integrity of the program, however, "it's turning out to be much more burdensome and complicated than we anticipated." CHIME has spoken with CMS and ONC about the audits, and is pushing for further guidance. "It's a brand new program," Smith says, "there are bound to be hiccups. Over time, we are optimistic that some of the issues will be ironed out."
CMS answers questions about the audits
Recently Frank Irving, editor of PhysBizTech, a sister publication of Healthcare IT News, sat down with Elizabeth Holland director, HIT Initiatives Group, Office of e-Health Standards and Services at CMS.
Holland says the audits are not meant to cause small practices any difficulties.
"The first thing is to not panic, and always tell the truth," she advises eligible providers who receive an audit notice. "I know people are a little unsettled by the whole notion of an audit, but this is not meant to be a 'gotcha' sort of thing. It's just that we have a responsibility to make sure that the Recovery Act dollars are being spent appropriately."
"We're doing the audits to make sure that people who are receiving incentive payments are actually using certified EHR technology, and that they are actually meaningful users," Holland explains.
"That's why we have the documentation guidelines [online, CMS site]. You'll have a sense of what you need to retain. A lot of this information you should be preparing for when you attest [for MU]. So you should already have this information on hand," she says.
"When you actually get the letter [indicating] that you've been selected for an audit, I believe you have two weeks to submit the documentation that is requested. Then it becomes a back-and-forth process. Some providers are submitting the information, it checks out, and they are fine. But other providers have not submitted the appropriate documentation - or some of it is appropriate and some of it is not - so we're trying to really hone in on what is needed. But it is very much an iterative process. It's not that you submit the information and we say `yea or nay,'" she says. "If there are any issues, we try to work with the provider as much as possible."
Observations from an MU audit expert
Jim Tate, president of EMR Advocate Inc., has worked with more than 200 vendors on meeting meaningful use certification criteria. And now, he is getting involved with helping doctors and hospitals on meaningful use audits. He says he talks to MU auditors "a lot."
"It looks like pre-pay and post payment audits are going to be ongoing, no doubt about that; a lot of them - an estimated 3 percent to 5 percent of all eligible providers," Tate says.
In audits, a big stumbling block is in the security risk analysis. It's required to attest to meaningful use, but Tate estimates that well over half of the eligible providers who have attested cannot provide proof of a security risk analysis. "That is a big thing," he says. "There's a knowledge gap there."
The requirement is to protect personal health information, and that covers hardware, software and workflow, Tate explains. It's not cost prohibitive to get a professional to do this analysis, he says. Or, eligible providers can conduct their own, if they know what they're doing.
Tate is not negative about the auditors, who he has found to be "very open."
"They understand that this is an incentive program, not a big fraud kind of thing," he says. "They give every opportunity for providers to come up with the documentation and a good explanation."
Tate says it's important to have someone in a practice or system that knows what's going on. If a provider is in doubt about what they need, they should turn to their regional extension centers, medical associations or vendors, he advises.
"It's kind of messy out there for the auditors and for everybody," he says.
If the auditors come knocking: what to expect
In his May 1 blog, John Halamka, MD, chief information officer at Beth Israel Deaconess Medical Center and Harvard professor, says he has assisted one hospital and one physician practice in his organization with meaningful use audits.
Halamka says the auditors asked for: proof of ownership of a certified EHR; the reporting method used to incorporate the emergency department; core and menu measure meaningful use reports used to enter attestation data; and documentation for "yes" attestation measures to evidence the measure has been met.
"It's helpful to retain all supporting documentation used while preparing for attestation so that it can be readily available for auditor follow-up requests," he writes. "We've placed all our materials in a shared folder, which is accessible to IT and compliance staff."
According to Halamka, the type of documentation Beth Israel has stored includes:
• Our certification process and approvals (we self-certified our systems)
• Our actual attestation documents and receipts
• Reports from our EHR, which reconcile exactly to the attestations made for each Core and Quality measure.
• Documentation for public health measures with confirmation emails from contacts at the public health agencies
• A statement about change control and source code control systems which documents that functionality such as drug/allergy interaction checking, drug formularies and clinical decision support rules was enabled for the entire reporting period
• Documentation that explains the interpretations made by management for all measures.
• Documentation regarding the validation we did for quality and meaningful use measure reports
"Most EHR vendors have experienced the auditing process and can provide letters/supporting documentation that Figliozzi and Company will find suitable as proof that proper procedures were followed," Halamka notes.
"I tell my staff that there is a process for everything and no matter how daunting/irritating an audit seems, you'll get through it if you maintain your equanimity and objectively respond to each request," Halamka writes. "If you have not prepared or retained your meaningful use documentation, I recommend you prepare those binders and shared folders now. You'll be thankful when the auditors arrive."