EHR Incentive Programs/Supporting Documentation For Audits

Contact Matthew L. Kinley, Esq at Tredway, Lumsdaine & Doyle if you are subject to audit or need advice about your compliance program.


According to the Centers for Medicare and Medicaid Services, about 10% of the healthcare providers who took advantage of the meaningful use incentives will be audited by a private contractor hired to look for errors.


Under the 2009 HITECH Act, health care providers who demonstrate meaningful use of certified electronic health records will receive incentive payments through Medicaid and Medicare. States can receive a 90% federal funding match for incentive payments distributed to Medicaid providers who adopt EHRs under the meaningful use criteria.  Eigible physicians who see Medicare and/or Medicaid patients, as defined by the HITECH Act summary, will be compensated from $44,000 to $63,750 over a 5 year term for fulfilling the recently defined ‘meaningful use’ criteria. To further promote the use of certified systems, if these same physicians do not utilize healthcare IT that meets the Federal requirement by 2015, they will be faced with increasing penalties of up to 5%.

Providers started receiving Medicare or Medicaid bonuses for using certified EHR technology in 2011 and will get around $20 billion over five years. The meaningful use incentive program requires hospitals and eligible professionals (e.g., physicians) to use EHRs to improve patient safety, quality of care and patient-provider communication. Providers must buy EHRs from vendors on the Certified Health IT Product List (see If they don’t, they face a Medicare payment reduction after 2015.


Documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.


States and their contractors will perform audits on Medicaid providers. When providers are selected for an audit, they will receive an initial request letter from the auditor. The request letter will be sent electronically from a CMS email address and will include the audit contractor’s contact information.

The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an onsite review at the provider’s location could follow. A demonstration of the the EHR system could be requested during the on-site review

If there is any deficiency in the audit, providers will have to give back their entire meaningful use incentive payment.  That means their payments for the audit period are at risk unless their electronic health records show they kept every promise they made to the government when they accepted the money.

One letter from the EHR HITECH Incentive Payment Center said a meaningful use audit had determined that “an overpayment of HITECH funds has been determined and is owed.” CMS gave the provider 30 days to repay the money, although it had the right to appeal.

Most providers are having negative audit findings and owing the money back, often because they thought they met most of the core elements, but they didn’t get them all done, or they weren’t all properly documented. If you miss a core element, they ask for all the money back.


The security risk analysis is a problem area in meaningful use. Providers must attest that they conducted a risk analysis, which is a core measure as well as required by the HIPAA security regulation.  Most providers fail to do such an analysis.


The following practices should be employed as soon as possible by all providers.  Those who worked for and obtained benefits for meaningful use are particularly vulnerable.

Best Practices

• Enter accurate numbers when you attest to meaningful use of an electronic health record (EHR).

• Keep your supporting documentation.

• Know that dated screen shots provide a good source of documentation.

• Save paper or electronic copies of reports used to attest if the practice’s EHR automatically changes numerator and denominator values after the reporting period ends.

• Turn on, for the entire reporting period, EHR features that track functionality issues, such as drug interaction checks and clinical decision support.

• Understand that the security risk analysis must be specific to the EHR and the practice and is required every year.

By Matthew L. Kinley