http://www.meaningfulusemonitor.com | Chapter 1 of Meaningful Use Monitor's E-Book guide

1. Recoupment - The ticking time bomb within Meaningful Use
What is Recoupment?
It all starts with the concept of Recoupment. There are no choices in the event of a failed audit.
It would take an Act of Congress to change the rules. Meaningful Use has multiple formulae that
determine how hospital stimulus funds will be calculated, or how physicians will be paid. One
common thread in each formula is the notion of “all or nothing”. There is no mechanism
allowing partial payment for partial compliance. So … in the event of any single shortfall in
Meaningful Use, a provider becomes ineligible to retain their funds. A shortfall could be as
simple as the inability to put hands on a document proving that drug interaction checking was
turned on during any specific reporting period, or as subtle as failure to account for a subset of
patients whose records did not make their way into the EHR.
There is a “delayed double whammy” in recoupment as well. If a provider fails audit for a year’s
Meaningful Use, the provider will be subject to reduction of their Medicare reimbursement
(penalty), in a period two years after the failed audit period.
The same rule applies to audits regardless of whether they are conducted pre-payment, or after
the fact. Any single shortfall makes a provider completely ineligible, regardless of how minor
the provider may see the shortfall to be. Shortfalls are equally as likely to be lack of proof, as to
be actual lack of compliance. In fact, we’ll see soon that what it takes to document proof of
compliance is far less well defined than the rules around compliance itself, and that Certification
of technology is no guarantee of organized proof.
Bombs, Fuses and Bombers
What’s the Ticking Time Bomb? The Bomb is Recoupment. It is delivered by CMS Auditors,
and has a fuse that is up to six years long (although we will see a little later on that the length of
the fuse could be changed at any time). What it means is that any money the government gave
you could be taken away, at any time up to six years after you have spent it.
Although the Auditors deliver the bomb, the “boom” is really out of their hands. Any single
trigger event, no matter how small, causes a full recoupment of any Stimulus paid in a year being
audited. The Auditors simply look for triggers.
The triggers they look for are not necessarily whether a hospital or physician was compliant in a
given year, but simply evidence showing proof of compliance. And therein lies the real issue.
The Government (CMS) has never really defined what it takes to fully prove compliance, and in
fact has actually issued a statement that they really can’t predict all the documentation that a
provider should have.

2. What this means, is that Auditors are put in the position of making some impactful “judgment
calls”. An auditor, in reviewing a Provider’s attestation of Meaningful Use from some time in
the past, must decide whether the Provider can prove they were truly in compliance with each of
24 or 25 complex rules. Providers, although generally quite diligent in becoming compliant,
have often been far less worried about the paperwork.
Here’s a good example. Let’s consider CPOE (Computerized Provider Order Entry). CPOE is
neither more complex, nor less complex than most of the other rules, so it forms a good example.
To fully understand CPOE, a diligent professional needs to read at least five separate documents.
This simple four letter acronym is supported by 21 columns of fine print in the Stage 1 Federal
Register, and another six columns of the Stage 2 Federal Register, eight FAQ’s (buried in a list
of 300 on a CMS Website), and several pages of technology specifications in each of two
separate issues of the Federal Register dedicated to what functionality a Certified EHR must
have. Sound complicated yet? And yet it is quite common for a provider to rely on a single line
item on a summary report from their EHR system that shows a single summary percentage.
Now, put yourself in an Auditor’s shoes for a moment. CMS has contracted with Auditors,
under Congressional direction to be the steward for Program Integrity over Meaningful Use.
After all, Congress authorized gross expenditures of over $30 Billion … and they expect a
couple things. First of all, they expect a return on that investment. That ROI should primarily
consist of increased efficiencies in healthcare delivery (remember that on average, Congress pays
for about 40% of healthcare in the form of Medicare and Medicaid claims). Since those
efficiencies are, at best somewhere in the future, it will be impractical to try to measure ROI
directly.
What this means is the Congress’ stewards (the Auditors) have only one yardstick to use in
measuring Program Integrity, and that yardstick is the body of regulation supporting Meaningful
Use. Using CPOE as an example, an Auditor should be familiar with the entire body of
regulations and use that familiarity to judge whether each provider was compliant with all of it.
Auditors, being skeptical by nature (in fact, “professional skepticism” is actually a formal
requirement of being a CPA), are unlikely in their Stewardship role, to accept a single line item
on a summary report as evidence of compliance with any single rule so complex as CPOE.
What this means, is that when an audit happens, providers will be asked to produce
documentation proving compliance with complex regulations, some of which have changed,
using EHR Technology which almost certainly has changed, against patient data that is also
time-sensitive. Further, some of what it means to be compliant with a rule will be quite hard to
prove with a report. For CPOE, providers may be asked to prove that each entry was made by a
“licensed healthcare professional”, and that it was input to the EHR in a sufficiently timely
fashion that a physician could react to any alerts generated by the entry … before the associated
medications are administered.
Remember, the auditor has the right to expect this kind of proof.
Of course, the Auditor has some latitude. Some of their latitude is based on the normal judgment
implicit in the job. Every day, Auditors have to decide how likely it is that their current “target”

3. is to be non-compliant. Based on that judgment, each individual Auditor makes a choice to dig
either deeply or shallowly. But even beyond that judgment call audit practices will be shaped by
the policies and politics of their current “client”.
The Auditor’s “client” of course is the Federal Government, but the practicalities are a bit more
complicated. CMS is part of the Executive Branch. But Meaningful Use is a recent invention of
the Legislative branch, which continues to deploy their oversight agencies (GAO and OIG for
starters), to make sure the Executives are administering the Congressional Mandate consistently
with Congressional Intent. Does all this sound as if there could possibly be some conflicting
agendas?
In 2013, the Executive Branch is eager to be part of Stimulating the Economy. Relative to
Meaningful Use that translates into making sure as many providers as possible receive as much
Stimulus Payment as possible. Congress, of course passed the law and is (largely) of the same
mind. At the moment, anyway. But even so, Congress has already initiated multiple reviews of
CMS’s administration of the Meaningful Use Program, and has at times been critical of some
aspects.
All this plays into the Auditor’s “latitude” when reviewing proof of compliance. If Congress
and/or the Executive Branch wanted to be sticklers on making sure every attestation was squeaky
clean, the complexity of the regulations opens a lot of doors for denial of compliance, based on
whether or not a provider, up to six years in the past, developed, organized and deployed
adequate documentation to support attestation to a complex set of regulations, in a complex
organization.
So far, Auditors seem to be taking the position of only looking for egregious or intentional non-
compliance. Still, when faced with a lack of documentation, they have little latitude other than
to judge a provider as non-compliant. In a case of non-compliance, CMS has little latitude other
than to demand recoupment, based on the law passed by Congress.
The Ambiguity of Documentation Requirements
CMS has published over 1,600 pages defining and describing Meaningful Use. In none of those
pages is there a definition of what documentation a provider is required to produce in the event
of an audit. In spring of 2013, almost three years after passage of the Meaningful Use law, CMS
finally published a five page briefing on how providers should document their compliance.
While this booklet gives some direction, one single sentence puts providers on notice that they
should expect no definitive structure, and that significant individual judgment is the only
standard:
“An audit may include a review of any of the documentation needed to support the
information that was entered in the attestation. The level of the audit review may depend
on a number of factors, and it is not possible to detail all supporting documents that may
be requested as part of the audit.”

4. As time passes, providers will share their experiences with audits. We will all learn more about
what documentation techniques and strategies best mitigate audit risk, and what cost is
reasonable to incur in developing defensive documentation. The problem will always be that
“today’s audit program is not necessarily tomorrow’s audit program”. CMS’s policy is to review
their audit program each calendar quarter and make adjustments, based on their success in
defending program integrity.
It could be simple, in an environment of “easy audits” to assume that all future years will be
equally as easy. The danger in this perspective is that CMS could decide, at any point, to reach
back to the initial years of the Meaningful Use program and audit aggressively.
The Difficulty of Documenting Compliance
EHR’s are certified to be able to support Meaningful Use. Supporting Meaningful Use is quite a
different story than proving it, though. Remember back to CPOE? In order to become Certified,
an EHR is required to correctly calculate a percentage from a numerator and denominator.
Certification testing does not extend to exhaustively proving that the population in either the
numerator or the denominator is correct. In cases where hospitals (or even physician staff) use
multiple EHR technologies during a reporting period, it is often necessary to combine data from
multiple systems. We refer to this numerator / denominator calculation as the “Certified EHR
Report”.
The Certified EHR Report is not in itself acceptable proof to an auditor that a provider is
compliant – for multiple reasons. First, it only shows summary statistics for each measure, and
auditors are notorious for wanting to see the details making up those summaries. It is important
to understand that there is no assumption that simply because software is certified, that its
reported Meaningful Use percentages are accurate. The certification process is not required to
exhaustively test for completeness or accuracy, but simply to verify that the EHR will create
percentages. Second, the existence of a measure, even if accurate, does not in itself assure that
the underlying processes were compliant. In one well-known case, a hospital officer was
prosecuted fraud when he loaded his Meaningful Use content into the EHR after patients were
discharged from the hospital.
How Meaningful Use Audits differ from other compliance audits
Consider the example of Joint Commission Audits in hospitals. The auditor conducts a review,
issues a report, and provides the opportunity for any procedural shortfalls to be remediated. The
hospital corrects its documentation, and the actual non-compliant processes, then invites the
auditor to return and verify. In the case of Meaningful Use, though, audits are always “after-the-
fact”, and it is not possible to correct a process that was flawed in a prior year. And if you can’t
prove what your process was in a prior year, you may have difficulty refuting an auditor’s
assertion of non-compliance.

5. What are the Chances?
Not everyone gets audited. But of those
who fall under CMS scrutiny, a surprising
number fail. A colleague of ours recently
received data from CMS on their audit
experience as of fall of 2014.
In this data, we learned that in general,
24% of physician audits resulted in
recoupment; average recoupment was
$16,863.
Hospitals performed a lot better on audits on a
pass/fail basis, but because the incentive
payments are so much higher, the average
recoupment was over $1million.
In all, CMS recouped nearly $33 million over
the year and a half of early-stage audits.
Anecdotally, we hear that audits are generally
pretty easy. The auditors so far have been less
aggressive than what they could be, in closely
scrutinizing attestations, based on explicit
readings of Meaningful Use Regulations.
A recent report from the Office of the Inspector General hints that things might be changing. A
report in September, 2014 states:
"OIG work has demonstrated vulnerabilities in oversight controls for EHR incentive
payments, as well as the accuracy of EHR incentive payment calculations. OIG also found
that CMS and states did not implement strong prepayment controls and relied primarily on
post payment audits of high-risk participants to confirm that payments were appropriate.
Additionally, OIG found that CMS and states lacked adequate data to verify participants’
self-reported attestations about their eligibility and meaningful use of EHRs. ONC requires
EHRs to generate audit reports for some, but not all, meaningful use measures; this

6. requirement may create some oversight obstacles for CMS to verify payment during post
payment audits."
It is reasonable to expect that CMS will react to this assessment with more stringent audit
guidelines in an attempt to further reduce “inappropriate payments” to providers who did not
comply with the spirit, or the letter of Meaningful Use regulations.