Can your practice pass a Meaningful Use audit?

To prepare, keep in mind: An ounce of prevention is worth much more than a pound of cure.

Darla Shewmaker, Villa Hills, Ken. Jeff Grant, Shell, Wyo.

As of August 2014, more than 400,000 providers have participated in the meaningful use program for certified EHRs, equating to more than six billion dollars in payouts, according to CMS. With such a substantial dollar figure, you can be sure audits are taking place. The question becomes, how does a practice pass the audit, ensuring it receives incentive payments and is not assessed penalties for errors in reporting?

To answer this question, we’ll explain the basics: who performs the audit, how you will be notified, your responsibilities as an eligible professional (EP) and the required documentation. Note that under the CMS Final Rule, audits can occur up to 10 years after attestation. However, most occur within one year (post-payment audit) or after attesting and prior to payment (pre-payment audit). If you attest and receive MU money from a state-funded Medicaid program, check your state program’s policies and criteria for audits.

There are two types of audits: a comprehensive review and a limited scope audit.

The limited scope audit

The limited scope audit asks for “proof you had access to an EHR system during the attestation period for the program year.” Proof includes:

■ A copy of your certified EHR technology (CEHRT) licensing agreement with your EHR vendor.

■ A copy of one or more invoices for the EHR system you had in place during the attestation period.

CMS acknowledges a successful outcome with a notice, which confirms that you had access to a CEHRT system during this period. The limited scope audit does not preclude future audits, even within the same payment year.

The comprehensive audit

Medicare chooses the practices to audit at random. In fact, a North Carolina provider was audited yet had $0 in Medicare-allowed charges (and thus could not earn an incentive). Comprehensive audits are performed by Figliozzi & Co., a certified public accountant contracted by CMS. The contractor notifies the EP via the e-mail address that the EP provided when registering for the incentive program. (See the website version of this article at for a copy of the cover letter that accompanies this notification.) There are key directives common to each audit request:

Practice Tip 1: The auditor contacts the e-mail address the EP used to register for MU, so consider using a generic e-mail address that is always accessible, even if someone departs your practice.

Practice Tip 2: Your denominator should be the same for medication list, allergy list and problem list measures.

Practice Tip 3: During an audit, you must produce your security risk analysis, as well as a written plan, including dates, to address any deficiencies.

■ A copy of your licensing agreement with the vendor or invoices that identify the vendor, product name and product version number of the CEHRT system utilized during your attestation period. If the version number is not present on the invoice/contract, a letter from the vendor attesting to the version number is acceptable.

■ Answer these questions:

    ■ At how many offices or other outpatient facilities do you see your patients?

    List each facility (office and outpatient) where you see patients, and indicate whether you utilize CEHRT in each facility.

    If you utilize more than one facility, document that 50% or more of your patient encounters during the EHR reporting period occurred in facilities where you use a CEHRT system.

    ■ Do you maintain any patient medical records outside of your CEHRT system?

    If yes, document that more than 80% of the medical records of unique patients seen during the attestation period are maintained in a CEHRT system at each facility where you use a CEHRT system.

■ Core or menu measures that report a numerator and a denominator: Provide the documentation (either paper or electronic) used in the completion of the attestation module responses (i.e., a report from your EHR system that ties to your attestation). When you provide a summary report from your EHR system as support for your numerators/denominators, ensure the report displays your EHR logo or step-by-step screenshots that demonstrate how your EHR generated the report. The report should also display the attestation time period and the name of the eligible professional.

    ■ Non-percentage based measures: Screen images taken from your EHR will be the best option to prove your compliance for these measures.

    For example, when providing proof for drug-to-drug interactions, drug formularies or clinical decision support rules, you will need something that shows the functionality was activated during the reporting period. For detailed information on screenshots and documentation, review “EHR Incentive Programs Supporting Documentation for Audits” at

■ Security risk analysis: (See the section, “Security risk analysis.”)

Generally, your assigned auditor will have questions or make follow-up requests, especially when report numbers do not match the attestation. Don’t hesitate to contact your EHR vendor for assistance (the vendor surely has others who have gone through the process). Maintain documentation that supports any exclusion taken during the attestation process. If a measure is outside of your scope of care, be sure to have documentation from a recognized entity that supports that assumption.

Be sure two or more people in your practice know where to locate these documents, so that if someone leaves, others know where to find the documents.

Security risk analysis

Performing a security risk analysis during the MU reporting period is a core measure, and no exclusions are available. The risk analysis is not a function of your CEHRT; parts of it could be performed by your IT vendor, but these will not fully address all required elements.

There is not one specific form or method you must follow. However, some valuable tools are available to assist you. The HIPAA Security Rule established standards to protect health information that is used, created, received or maintained by a covered entity (i.e., your medical practice). This information, Protected Health Information, includes PHI kept on paper and electronic PHI (e-PHI). HIPAA requires that covered entities “implement policies and procedures to prevent, detect, contain and correct security violations” by conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization].”

The five components of a security risk analysis include:

■ Physical safeguards refer to any location where e-PHI is stored or accessed, including your practice. Examples of steps taken to secure data would be alarm systems, door locks, and inventories of all devices where e-PHI is stored.

■ Administrative safeguards include policies, staff training, discipline policies for misuse and ongoing review of possible risk. Policies must address the access and disclosure of e-PHI. Review logs on a regular basis. Implement role-based access, a best practice where the degree of access to e-PHI is defined by role (doctor, technician, etc.). Put contingency plans in place to respond to emergencies or restore lost data.

■ Technical safeguards to secure e-PHI include passwords, virus protection, back-ups, VPNs for remote access, firewalls and data encryption. Controls should be in place to prevent improper e-PHI alteration or destruction. Technical safeguards also detail transmission security measures to protect e-PHI when transmitted over an electronic network and proper encryption of data transmitted outside the network to another physician or patient portal.

■ Policies and procedures are written policies that assure compliance, such as protocols to authorize users and retention of records regarding these policies.

■ Organizational requirements include breach-notification policies and procedures, and systems to gather and store business associate agreements.

Take the following steps to perform a risk analysis: Review security of PHI, identify threats and vulnerabilities, assess the likelihood and the impact of each threat, mitigate security risks, and then monitor your results. Remember: During an audit, you will be asked to produce your security risk analysis, as well as a written plan, including dates, to address deficiencies.
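The steps above (identify threats and vulnerabilities, assess likelihood and impact, mitigate, then keep a dated plan) are easier to defend in an audit when they live in a risk register rather than in someone's head. The script below is an added illustration, not a tool from the article, CMS or the SRA Tool: it scores each constructed risk as likelihood times impact on an assumed three-level scale, ranks the register, assigns an assumed remediation window (30, 90 or 180 days) so every deficiency carries a target date, and checks that all five safeguard components from the list above were actually considered. The sample register, the scales and the due-date windows are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed three-level scales; the article prescribes no specific scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
# The five components of a security risk analysis named in the article.
SAFEGUARD_AREAS = ("physical", "administrative", "technical", "policies", "organizational")


@dataclass(frozen=True)
class RiskItem:
    asset: str          # where e-PHI is stored, accessed or transmitted
    threat: str         # what could happen to it
    vulnerability: str  # why it could happen in this practice
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT
    safeguard: str      # which of the five components the fix belongs to
    mitigation: str     # the corrective action to document
    owner: str          # who is accountable for completing it

    def score(self) -> int:
        """Risk = likelihood x impact, giving a 1..9 scale in this example."""
        if self.safeguard not in SAFEGUARD_AREAS:
            raise ValueError(f"unknown safeguard area: {self.safeguard}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank(items):
    """Highest-scoring risks first; the sort is stable for equal scores."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def due_days(score: int) -> int:
    """Assumed remediation windows: an auditor wants dates, not intentions."""
    if score >= 6:
        return 30
    if score >= 3:
        return 90
    return 180


def remediation_plan(items, start: date):
    """The written plan: one row per deficiency, each with owner and target date."""
    return [
        {
            "priority": i + 1,
            "asset": r.asset,
            "score": r.score(),
            "safeguard": r.safeguard,
            "mitigation": r.mitigation,
            "owner": r.owner,
            "due": start + timedelta(days=due_days(r.score())),
        }
        for i, r in enumerate(rank(items))
    ]


def uncovered_areas(items):
    """Components the analysis never touched; an empty list is the goal."""
    covered = {r.safeguard for r in items}
    return [a for a in SAFEGUARD_AREAS if a not in covered]


# Constructed sample register for a small practice (not from the article).
SAMPLE_REGISTER = [
    RiskItem("Staff EHR accounts", "access by a departed employee",
             "no termination checklist revokes accounts", "high", "high",
             "administrative", "adopt a same-day account-termination checklist",
             "practice manager"),
    RiskItem("Provider laptop", "loss or theft", "disk not encrypted",
             "medium", "high", "technical",
             "enable full-disk encryption on all portable devices", "IT vendor"),
    RiskItem("Billing service", "PHI shared without a contract",
             "no business associate agreement on file", "medium", "medium",
             "organizational", "execute and file a BAA", "practice manager"),
    RiskItem("Server closet", "unauthorized physical entry",
             "door left unlocked after hours", "low", "high", "physical",
             "install a keyed lock and log after-hours access", "office lead"),
    RiskItem("Record-retention practice", "records discarded early or kept too long",
             "no written retention policy", "high", "low", "policies",
             "write and approve a retention policy", "compliance lead"),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_REGISTER, date(2014, 9, 1)):
        print(f"{row['priority']}. score {row['score']} [{row['safeguard']}] "
              f"{row['mitigation']} (owner: {row['owner']}, due {row['due']})")
    print("uncovered areas:", uncovered_areas(SAMPLE_REGISTER))
```

Run it as-is to print the ranked plan; the departed-employee access risk lands at the top (score 9, due within 30 days), and `uncovered_areas` returns an empty list because the sample register has at least one entry for each of the five components. Drop the policies entry and the check names the gap, which is the kind of omission an auditor comparing your analysis against the required elements would flag.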

Risk-assessment help

The Office of the National Coordinator for Health Information Technology, in collaboration with the HHS Office for Civil Rights and the HHS Office of the General Counsel developed a downloadable Security Risk Assessment Tool (SRA Tool) to help guide you through the process. After completing a detailed questionnaire, the tool produces a comprehensive report.

Access the SRA Tool at

Also, you can access the Guide to Privacy and Security of Health Information at

Your practice — your plan

Keep copies of the EHR reports used during attestation to help substantiate your numbers. The best time to prepare is during attestation, when everything you need is at your fingertips. This ounce of prevention is better than a pound of cure and the loss of thousands of dollars for your practice.

Ms. Shewmaker has spent 17 years on the front lines of EHR design and implementation. She recently left her position as VP of product development at Compulink and is focusing on ophthalmic practice consultations, education and compliance. E-mail her at

Mr. Grant is founder of HCMA, Inc., which specializes in management, operations and IT consulting for medical practices. E-mail him at