The Centers for Medicare and Medicaid (CMS), in partnership with the consulting group Guidehouse, is ramping up its data validation and audit (DVA) process for the Merit-based Incentive Payment System (MIPS). Providers and groups are currently receiving audit notifications for the 2017 and 2018 reporting periods.
CMS’s intent is to ensure program integrity, data accuracy, and compliance. As with the ongoing meaningful use (MU) audits, these audits carry real risk for providers. At a minimum, providers who fail an audit may lose a portion, or all, of their MIPS incentives. Since the audit outcome can impact your MIPS scores, you can even become subject to a negative payment adjustment (penalty). It’s also worth reminding providers that worst case scenarios can include criminal penalties.
The first round of audits was scheduled for the June/July 2019 timeframe, but even if you weren’t among the lucky few to receive a notification, pay attention. Not only is it possible that providers could receive notifications through December, the DVA process will absolutely continue throughout 2020, and beyond, for successive reporting years.
How Does the DVA Process Work?
MIPS participants are selected randomly for DVA. Selected providers or groups will receive a letter from Guidehouse with an initial request for information. Audits correspond to the MIPS Quality, Improvement Activities (IA), and Advancing Care Information (ACI)/Promoting Interoperability (PI) performance categories.
If selected for audit, providers receive an initial data sharing request via email from Guidehouse looking for population-level reports and/or evidence of activities. Providers have 45 calendar days to complete the request or come up with an alternate timeframe agreed upon by CMS. Depending on the category (or categories) selected for audit, you may be required to provide information on a single measure or activity (such as a single Quality or PI measure or a single improvement activity) or several measures and/or activities.
After the initial request is satisfied, Guidehouse will ask for sample patient-level data to support the reports you submitted, similar to a traditional CMS chart audit.
Based on the information you supply, CMS will make a final determination. That’s right—all determinations are final— there are no appeals.
So, with DVA (as with all things audit), preparedness is key.
5 Steps to Prepare Yourself and Your Practice for Audit
1. Save documentation for each of the MIPS performance categories (Quality, Promoting Interoperability, Improvement Activities) excluding the Cost category, which is not subject to DVA. NextGen Healthcare tells clients to maintain an “audit binder” for all information related to participation in incentive programs. This includes copies of reports generated by your certified EHR, as well as other documentation and correspondence. (In accordance with the False Claims Act and CY 2019 Quality Payment Program final rule, you should keep documentation for at least six years.)
2. Stay on top of email correspondence by monitoring the email addresses associated with your MIPS submission, as well as your spam filter. Don’t count on an extension if you miss the email from Guidehouse.
3. Participating providers are required to complete a Security Risk Analysis (SRA) under the MIPS PI data protection measure. It’s likely that auditors will ask to see your SRA, so be sure to conduct and document your annual analysis based on published best practices.
4. If in doubt, ask your EHR vendor how to produce any documentation needed from your EHR.
5. Review the below MIPS DVA resources available on the Quality Payment Program Resource Library:
• 2017 MIPS Data Validation Criteria – Lists the 2017 criteria used to audit and validate data submitted in each performance category
• 2018 MIPS Data Validation Criteria – Lists the 2018 criteria used to audit and validate data submitted in each performance category
How Nextgen Healthcare Can Help
• Population-level reporting - measures easily exported to spreadsheet with unique identifiers
• Patient-level data validation - encounters and chart information easily exported to PDF
• Client education - monthly regulatory webinars and Q&A sessions with our team of regulatory experts
• Best practices - guidance for security risk analysis