Prepare Now for Possible Meaningful Use Audits

The goal for the “meaningful use” EHR Incentive Program (MU) is to promote adoption and implementation of certified electronic health records (CEHRs) to improve quality, safety, efficiency, and reduce health disparities. In order to achieve this goal, Amy Sheide, RN, BSN, MPH, with 3M Health Information Systems, said in her Tuesday convention presentation “The Emergence of Meaningful Use Audits” that eligible healthcare organizations (HCOs) and providers must engage patients and families in their healthcare, improve care coordination, ensure adequate privacy and security protections for personal health information, and improve population and public health.

HCOs and providers must meet the MU criteria every year in order to receive incentives. To receive the incentive funds, providers must attest that they have met all the criteria. Anyone who receives an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.


The Audit Process Begins

The auditing has already begun. For Medicare, in 2011 there were automatic checks against the Centers for Medicare and Medicaid Services (CMS) database to verify provider information when they registered for the program and there was a comparison of the CEHR certification numbers to the Office of the National Coordinator for Health IT’s (ONC) certification numbers.

CMS began auditing providers who received payments under the MU program in 2012.  The accounting firm Figliozzi and Company was retained by CMS to conduct the audits. They requested that providers who have already received their payments submit documentation to support their attestation and further prove that they met all the MU criteria.

In 2013, select Medicare providers have been chosen for pre-payment audits that included random audits as well as post-payment audits targeting suspicious or irregular data. Providers selected for the pre-payment audit will also have to submit supporting documentation to validate their attestation.

Effective now, there are a number of pre-checks that have been built into the attestation process to detect inaccuracies in eligibility, reporting, and payment. Figliozzi and Company will also continue to conduct post payment audits.


Required Audit Documentation

The documentation that is required to support MU attestation during an audit includes the CEHRs certification number, methods of calculating emergency room admissions, the core and menu attestation responses, and the payment calculation methods. In addition, the covered attestation time period, exclusions, percentage measures, yes/no measures, and the clinical quality measures (CQMs) must all be retained to prove eligibility, time frame, and that measures were all met.


How CMS Conducts an Audit

Selected providers will receive an e-mail letter from the auditor to the attestation address. The letter will come from a CMS e-mail address and will include the auditor’s contact information. The initial review will be conducted at the auditor’s location using the information received from the provider. In some cases, an onsite review at the provider’s location may follow.

There are challenges for proving that the criteria for meaningful use have been met. There is ambiguity in the final rule that informs the MU process, unreliable CEHR reports, multiple CEHR systems and modules and multiple practice locations. The rule is not clear on what information can only be generated from the CEHR. There are no guidelines as to what documentation must be kept and provided during an audit.  Many CEHRs do not have the capability to calculate the CQMs and numerators/denominators are mismatched. Counting unique patients, a requirement for several MU measures, may be challenging between systems and for multiple practice locations since the number count may be objective or the percentage based on measures.


Failure to Meet Attestation Requirements

Once the audit is complete, the provider will be notified if they were determined to meet the MU criteria. If the provider is found ineligible, or failed to meet even one measure, the payment will be recouped.


Preparing an Organization for the Audit

Providers and HCOs must take steps now to not only prepare for MU attestation, but also prepare for a following audit. There are steps that can be taken to meet both objectives.


Trust but Verify

According to Sheide, providers and HCOs must verify the reporting from their CEHR has synchronized the data from multiple systems, validate that the CQMs have calculated correctly, and ensure compliance with standard terminologies to ensure accurate reporting across the systems.  Organizations need to monitor all the necessary sources of data for MU compliance.

Organizations also must be able to answer the following questions:

  • Are the data sources reliable?
  • Is the data organized?
  • Which fields of your CEHR system(s) must be completed for MU data collection?


Documentation for Audits

The documentation used for the attestation needs to be retained either electronically or on paper records. Keep screenshots and audit trails to show when certain criteria, such as clinical decision support, is turned on and be able to show that this is on throughout the reporting period. Record of exclusion criteria must be retained, and all information must be retained for six years.

Sheide says the biggest take way attendees should take from her presentation is that it is vital to prepare now for a possible audit.

“Ask the right questions, know where your data is coming from, test your results, and be sure it is what you expect,” she said.


Follow the news and get insights from AHIMA’s 85th annual Convention and Exhibit being held October 26-30 in Atlanta, GA. For a complete list of event coverage on the Journal of AHIMA website, click here.



  1. I am very interested in taking a course on Meaningful Use.
    Sue Woodham

    Post a Reply
  2. Great Article regarding the preparation for Meaningful Use Audits. We were just informed from the company above that we have been selected by CMS to be audited. They are giving us about 3 weeks to have all of the documented material uploaded to their portal. It was required for us to provide documentation of core measures; 1, 3, 4, 5, 6, 7, 8, 11 & 12. We are also having to provide proof that a Security Analysis has been completed as well as the identification of all of our security deficiencies. An implementation/remediation plan has to be documented for each deficiency.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!