Wyatt HITECH Law

A legal blog about consumer and business data privacy and security in a high tech world

Get Ready for Audits on EHR Incentive Payments

Leave a comment

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified EHR technology.  Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.  If an audit finds a provider is not eligible for an EHR incentive payment because it does not meet MU criteria, then the incentive payment will be recouped.   Here’s what providers need to know to prepare for an audit:

Save Supporting Documentation.   CMS recommends saving the supporting electronic or paper documentation that supports your attestation and saving the documentation to support your Clinical Quality Measures (CQMs).  CMS also recommends that hospitals maintain documentation to support their payment calculations.  CMS will use this documentation to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.

Review Supporting Documentation.   Providers should review supporting documentation for attestations before any audit request, especially if the attestation was completed by a contractor. 

Ensure Security Risk Analysis Was Conducted. 

Performing or reviewing an existing Security Risk Analysis of your certified EHR technology in accordance with the Health Insurance Portability & Accountability Act (HIPAA) is one of the explicit MU criteria for receiving the Medicare EHR incentives.  In particular, ensure that a Security Risk Analysis of your certified EHR technology was conducted or reviewed in accordance with the requirements at 45 CFR 164.308(a)(1).  The objective of this MU criterion is to ensure that confidential patient information created or stored in the EHR is adequately protected.  Any identified security updates (such as updated certified EHR software) or security deficiencies (such as in the workflow process or storage methods) must be addressed before or during the EHR reporting period in order to meet this MU criteria.

In its Guide to Privacy and Security of Health Information, the Office of National Coordinator for Health Information Technology (ONC) stated:  “If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high-likelihood risks.”  If, during attestation, you or your EHR contractor answered “yes” that you were in compliance with this MU criteria without first ensuring complete compliance with the Security Risk Analysis requirements, not only is your HITECH incentive payment at risk, but you also may be subject to liability under the Federal False Claims Act.

For additional information on the MU requirements, see CMS’s Official Web Site for the Medicare and Medicaid EHR Incentive Programs

Author: Margaret Young Levi

Margaret Levi is Counsel for Wyatt Tarrant & Combs' Health Care Service Team. She concentrates her practice in the area of health care law. Ms. Levi advises health care providers in the areas of fraud and abuse, Anti-Kickback Act, Stark Law (physician self-referral), compliance programs, clinical trial matters, medical records, The Joint Commission standards, EMTALA, end of life and other patient care matters. Her clients include hospitals, medical device manufacturers, nursing homes, physicians, home health agencies, and other health care providers. She is the author of "The Impact of Health Care Reform on Kentucky Employers". She earned her J.D. at University of Kentucky College of Law, M.A. (English) at The College of William and Mary and B.A. (English) from Centre College (National Merit Scholar). 250 West Main Street Suite 1600 Lexington, KY 40507 F 859-259-0649 250 West Main Street Suite 1600 Lexington, KY 40507 (859) 288-7469

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 1,629 other followers