When it comes to regulatory programs, participation comes with an inherent risk of audit. A MIPS audit can occur up to 7 years after the program year. Most of us can’t remember what we ate for lunch yesterday, let alone 7 years ago, which is why audit preparation is an essential part of attestation preparedness.

Auditors will look for anything that proves you actually did what you attested to and/or supports the numbers you submitted. For instance, if you attest “YES” to the MIPS PDMP measure in the PI category, you’ll need screenshots proving not only that you accessed the patient’s PDMP record with 30-day look-back, but also that you did this prior to prescribing a controlled substance, which requires sequential date and time stamps.

We’ve gathered our top tips for MIPS audit binder preparation here. We’ll publish a full MIPS Audit Binder Preparation Guide Fall 2022. This guide will outline exactly what to prepare for each PI measure, as well as your IA and Quality categories. Join our email listserv to be notified of its release.

MIPS Audit Binder 101

1. Assessments Your Security Risk Analysis (SRA) is a broad and detailed analysis of the security of ePHI. This isn’t simply a checklist. You must create and document remediation plans in response to identified risks, as well as actual remediation efforts. The SAFER High Priority Practices Guide annual assessment requires a “yes” or “no” attestation in 2022. If you attest “yes,” you’ll need to demonstrate how and when you conducted your assessment. You can do this by saving all notes (available on the guide itself). If you took risk remediation efforts, you’d also need to collect documentation on this, similar to your SRA.
   

2. Screenshots Always include the computer’s date and timestamps. This proves that you performed the action on a certain date within the required reporting period.It’s especially important to demonstrate sequence with dateand timestamps if the measure requires it.For instance, always check PDMP prior to submitting an electronic prescription.
   

3. Supporting Numbers Before submitting measures that include numerators, denominators, etc., export patient-level or encounter-level data from your EHR (or Registry, if applicable) in the form of .csv or .pdf. This granular data provides substantiated integrity to quantitative metrics submitted during attestation. Make sure to also remove all test patients from this data. For PI and Quality, this data must represent all applicable encounters under the TIN. Remember, if you’re a clinic attached to a hospital, you’ll need to include aggregated data for PI measures from both the hospital and clinic, and likely some quality measures from both as well. Data completeness must be proven by running a separate (sometimes custom) report from the EHR that matches the measure Initial Population. For instance, if proving data completeness for QPP 117 / Diabetic Eye Exam, run a report that includes all patients ages 18-75 with a diabetic diagnosis and a “qualifying encounter” during the measurement period. In 2022, your Diabetic Eye Exam measure denominator needs to be at least 70% of the total number in your custom report.
   

4. Emails, Support Tickets, and Instructional Documentation When you attest to “active engagement” of a Public Health Reporting requirement, you must select the proper level of engagement: registration, testing, or production. Collect and save all pertinent email correspondence from tech vendors and public health registries to support your attestation. The Provider to Patient Exchange measure requires you to provide instructions to your patients on how to authenticate their access to their PHI via an app of your choosing. Retain all documentation from your vendor on how their API functions. Ask for a list of apps configured to work with your EHR. Take a screenshot of the API “on” switch in the EHR settings. Retain documentation on how you’re providing instructions to your patients, including screenshots if necessary.
   

5. Attestation After submitting to MIPS, download the summary reports. This is effectively your proof of everything you submitted to CMS. Take screenshots of the category scores. Since there are several iterations of “final scores” before CMS makes adjustments to payments, you’ll need these to reference in case there is an issue, data glitch, dispute, or audit. Your EHR’s CHPL information needs to be kept in the audit binder. This tells an auditor which certification criterion the vendors were approved for under the specific version of the EHR that you used to collect and report data.

MIPS Audit Support

Our first priority with our MIPS consulting clients is to obtain exceptional MIPS scores resulting in the highest positive adjustments in reimbursement. Throughout the year, we help build out our clients’ Audit Binders to ensure they’ll pass audits without question. All our Regulatory Consulting contracts also include support in the case of an audit for any year that we were contacted to provide consulting services. If you need help preparing for a potential MIPS audit, we hope you’ll contact us for support today.