Get Ready for Audits on EHR Incentive Payments

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

To receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified EHR technology. Any provider attesting to receive an EHR incentive payment under either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program may be subject to an audit. If an audit finds a provider is not eligible for an EHR incentive payment because it does not meet MU criteria, then the incentive payment will be recouped. Here’s what providers need to know to prepare for an audit:

Save Supporting Documentation.   CMS recommends saving the electronic or paper documentation that supports your attestation, as well as the documentation that supports your Clinical Quality Measures (CQMs). CMS also recommends that hospitals maintain documentation to support their payment calculations. CMS will use this documentation to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.

Review Supporting Documentation.   Providers should review supporting documentation for attestations before any audit request, especially if the attestation was completed by a contractor. 

Ensure Security Risk Analysis Was Conducted.   Conducting a Security Risk Analysis of your certified EHR technology, or reviewing an existing one, in accordance with the Health Insurance Portability & Accountability Act (HIPAA) is one of the explicit MU criteria for receiving the Medicare EHR incentives. In particular, ensure that a Security Risk Analysis of your certified EHR technology was conducted or reviewed in accordance with the requirements at 45 CFR 164.308(a)(1). The objective of this MU criterion is to ensure that confidential patient information created or stored in the EHR is adequately protected. Any identified security updates (such as updated certified EHR software) or security deficiencies (such as in the workflow process or storage methods) must be addressed before or during the EHR reporting period in order to meet this MU criterion.

In its Guide to Privacy and Security of Health Information, the Office of the National Coordinator for Health Information Technology (ONC) stated: “If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim. From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high-likelihood risks.” If, during attestation, you or your EHR contractor answered “yes” that you were in compliance with this MU criterion without first ensuring complete compliance with the Security Risk Analysis requirements, not only is your HITECH incentive payment at risk, but you also may be subject to liability under the Federal False Claims Act.

For additional information on the MU requirements, see CMS’s Official Web Site for the Medicare and Medicaid EHR Incentive Programs.

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
