How to Survive a Meaningful Use Audit

By understanding your responsibilities and the documentation required by CMS, you can pass an audit with flying colors.


You’ve worked hard to implement an EHR in your practice, and you’ve even received a little money from the government as partial compensation for your trouble. But now, CMS has sent a notice informing you that you will be audited. Are you panicking… or confident you will pass with flying colors? Fortunately, it’s fairly easy to fall into the “confident” category.

In this article, we’ll show you how by explaining the basics of meaningful use (MU) audits, including who performs the audit, how you will be notified, your responsibilities as an eligible professional (EP) and the proper documentation you will need to provide.

It’s important to note that under the CMS Final Rule, audits can occur up to 10 years after your attestation. However, most occur within one year of your attestation (post-payment audit) or within a few weeks after attesting and prior to payment (pre-payment audit).

The limited scope audit

There are two types of audits: a comprehensive review and a limited scope audit.

In the limited scope audit, CMS requests basic information about your Certified Electronic Health Record Technology (CEHRT) vendor. The audit notice asks for “proof you had access to an EHR system during the attestation period for the program year.” Forms of proof include:

▸ A copy of your certified EHR technology licensing agreement with your EHR vendor.

▸ A copy of one or more invoices for the EHR system you had in place during the attestation period.

Core and Menu Set Measures

For a complete list of meaningful use core and menu set measures, see Jeff Grant’s article, “Just Do It… Right” in the July 2011 issue of Optometric Management (

These documents must identify the vendor, product name and product version number for the system used during your attestation period. If your proof does not include the version number, you can supply a letter from your vendor attesting to the version number.

CMS acknowledges a successful outcome with a notice, which confirms that you had access to a CEHRT System during this period. (Note that this audit does not preclude future audits, even within the same payment year.)

The comprehensive audit

CMS engaged a contractor, Figliozzi & Co., a certified public accounting firm, to perform the comprehensive audits. Figliozzi & Co. sends the notice of audit via e-mail to the address the EP used to register for the EHR Incentive Program, so be certain to register an e-mail address that can and will be monitored even if the person who set it up departs your practice.

The choice of which practices get audited is completely random. For example, for the 2012 payment year, a North Carolina organization attested for its large number of eligible EPs, including one that had $0 in Medicare-allowed charges (and thus could not earn an incentive payment). Out of all of the providers in this group, the EP with no allowed Medicare charges was audited.

Full audit details

EPs are notified of the audit, via e-mail, by a letter that includes an information request list and a deadline date for the information (see Figure 1, page 42). For the audit, the same five directives are asked of each EP:

Figure 1. The CMS contractor informs practices of a full audit through a letter e-mailed to the EP. The first page of the letter is shown above.

1. As proof of use of a CEHRT system, provide a copy of your licensing agreement with the vendor or invoices. Ensure that the licensing agreements or invoices identify the vendor, product name and product version number of the CEHRT system utilized during your attestation period. If the version number is not present on the invoice/contract, please supply a letter from your vendor attesting to the version number used during your attestation period.

2. Answer these questions:

▸ At how many offices or other outpatient facilities do you see your patients?

List each office or other outpatient facility where you see patients, and indicate whether you utilize CEHRT in each office or other outpatient facility.

If you utilize more than one office or other outpatient facility, supply documentation which proves that 50% or more of your patient encounters during the EHR reporting period have been seen in offices or outpatient facilities where you utilize a CEHRT system.

▸ Do you maintain any patient medical records outside of your CEHRT system?

If yes, supply documentation which proves that more than 80% of the medical records of unique patients seen during the attestation period are maintained in a CEHRT system at each office or other outpatient facility where a CEHRT system is being used.

Scope of Practice Exclusion

How do you answer a question about the “scope of practice” exclusion for the vital signs measure? Remind the auditor that the Final Rule – “The Law” – states that the vital signs measure can be excluded if “the EP believes that the vital signs are outside the EP’s scope of practice.” So, the only real criterion is what the EP “believes.”

3. For Core Measures numbers 1 through 9, 12 and 13, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e., a report from your EHR system that ties to your attestation). If you are providing a summary report from your EHR system as support for your numerators/denominators, ensure that CMS can identify that the report was actually generated by your EHR: either a report that displays your EHR logo or step-by-step screenshots that demonstrate how your EHR generated the report. For a list of core and menu set measures, see the OM article at

4. Regarding the protection of electronic health information (Core Measure number 15), provide proof that prior to the end of the reporting period, your practice performed a security risk analysis of the CEHRT (i.e., a report that documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified, supply an implementation plan (including completion dates) that addresses the deficiencies. (See the section, “Security risk analysis.”)

5. If you attested to Menu Set Measures numbers 2 through 7 and/or 8, provide the supporting documentation as described in directive number 3. If you attested to the yes/no Menu Set Measures numbers 3, 9 or 10, you must also supply supporting documentation.

Generally, your assigned auditor will have questions or make follow-up requests for screen shots. Don’t hesitate to contact your EHR vendor for assistance (they surely have others who have gone through the process). For detailed information on screen shots and documentation, review “EHR Incentive Programs Supporting Documentation for Audits” at

Stage 1 Hot Item

Your denominator should be the same for medication list, allergy list and problem list measures.

Save all MU measure attestation documentation and materials. You must produce dated originals for all reports, all documentation and any items supporting exclusions you were able to take.

Security risk analysis

Performing a security risk analysis during the MU reporting period is mandatory. It is detailed in CMS Core Measure 15, and there are no available exclusions. The risk analysis is not a function of your CEHRT. Parts of the risk analysis could be performed by your IT vendor, but that alone will not address all required elements. There is no one specific form or method you must follow, but a checklist is not enough. The good news is that there are some great tools available to help you through the process. (See “Risk assessment help,” page 44.)

The HIPAA Security Rule established standards to protect electronic health information that is used, created, received or maintained by a covered entity (i.e. your medical practice). This information is referred to as electronic Protected Health Information (e-PHI). HIPAA requires that covered entities “implement policies and procedures to prevent, detect, contain and correct security violations” by conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization].”

There are five components of a security risk analysis:

Physical safeguards refer to your practice facility or any other location where e-PHI is stored or accessed. Examples of steps taken to secure data would be alarm systems, door locks, policies for when locks must be re-keyed and inventories of all devices where e-PHI is stored.

Administrative safeguards include the creation of policies, staff training, discipline policies for misuse and on-going review of possible risk. Put policies in place that address the access and disclosure of e-PHI. Review logs on a regular basis. Limit the opportunity for misuse by implementing role-based access, a best practice where the degree of access provided to e-PHI is defined by role (doctor, technician, billing, etc.). Put contingency plans in place to respond to emergencies or restore lost data.

Technical safeguards encompass the specific functionality in place to secure e-PHI, such as passwords to authenticate users, virus protection, back-ups, VPNs for remote access, firewalls and data encryption. Integrity controls should be in place to prevent improper e-PHI alteration or destruction. Technical safeguards also should detail transmission security measures to protect e-PHI when it is transmitted over an electronic network, including proper encryption of data transmitted outside the network to another physician or to a patient portal.

Policies and procedures are written policies that assure compliance, such as protocols to authorize users, and the retention of records regarding these policies.

Organizational requirements include breach notification policies and procedures, as well as systems to gather and store business associate agreements.
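The administrative safeguards above call for role-based access and regular log review. The following is an added example, not code from the article, CMS or any EHR vendor, of what that review can look like in practice: a small script that checks constructed EHR audit-log lines against a role-to-record-type policy and flags after-hours access for a reviewer to follow up. The log format, the role policy and the 07:00–19:00 business-hours window are all assumptions; substitute your EHR’s real audit export and your practice’s written policy.

```python
"""Role-based access review over EHR audit-log lines (added example).

Assumptions, not from the article: the CSV log layout, the ROLE_POLICY
table and the business-hours window. The point is the shape of the review:
every access outside the defined role, and every access outside hours,
becomes a line item someone signs off on.
"""
import csv
from datetime import datetime
from io import StringIO

# Record types each role may touch under the (assumed) written access policy.
ROLE_POLICY = {
    "doctor": {"chart", "rx", "lab", "demographics", "billing"},
    "technician": {"chart", "lab", "demographics"},
    "billing": {"demographics", "billing"},
}
BUSINESS_HOURS = (7, 19)  # start hour inclusive, end hour exclusive

# Constructed sample export (not real patient data). Line 1 is the header.
SAMPLE_LOG = """\
timestamp,user,role,record_type,action,patient_id
2014-03-03T08:15:00,jsmith,doctor,chart,view,P1001
2014-03-03T09:02:00,rlee,billing,billing,view,P1001
2014-03-03T09:05:00,rlee,billing,chart,view,P1002
2014-03-03T23:40:00,tnguyen,technician,lab,view,P1003
2014-03-04T10:00:00,rlee,billing,demographics,edit,P1004
2014-03-04T10:30:00,tnguyen,technician,rx,edit,P1005
"""


def review(log_text: str):
    """Return (log_line_number, user, reason) tuples for the reviewer.

    A single log line can produce more than one flag (e.g. an out-of-role
    access that also happened after hours).
    """
    flags = []
    # Header is line 1, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(StringIO(log_text)), start=2):
        allowed = ROLE_POLICY.get(row["role"])
        if allowed is None:
            # A role the policy does not define is itself a finding.
            flags.append((line_no, row["user"], f"unknown role {row['role']}"))
            continue
        if row["record_type"] not in allowed:
            flags.append((line_no, row["user"],
                          f"{row['role']} accessed {row['record_type']} record"))
        hour = datetime.fromisoformat(row["timestamp"]).hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            flags.append((line_no, row["user"],
                          f"after-hours access at {row['timestamp']}"))
    return flags


if __name__ == "__main__":
    for line_no, user, reason in review(SAMPLE_LOG):
        print(f"line {line_no}: {user}: {reason}")
```

On the constructed log this flags the billing clerk who opened a clinical chart, the technician’s 23:40 lab access, and the technician editing a prescription record. Keep the flagged output with the reviewer’s sign-off and date; that dated record of review is what demonstrates the safeguard is actually operating.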

In performing a risk analysis, you’ll take the following steps: review the security of your e-PHI, identify threats and vulnerabilities, assess the likelihood and the impact of each threat, mitigate the security risks, and then monitor your results. Remember: If you are chosen for an audit, you will be asked to produce your security risk analysis, as well as a written plan, including dates, to address deficiencies.
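The steps above (identify threats and vulnerabilities, assess likelihood and impact, plan mitigation with dates) are what the auditor expects to see written down. As an added example, not from the article, CMS or the SRA Tool, here is a minimal risk register that carries those steps through for a small practice: each finding gets a likelihood and an impact rating, the product ranks the findings, and every medium or high finding becomes an implementation-plan item with a completion date. The 1/3/5 scale, the thresholds, the 30- and 90-day target windows and the sample findings are all assumptions; document whatever scale you actually use, because the auditor checks that the plan follows from the analysis, not which scale you picked.

```python
"""Security risk analysis register (added example, not from the article).

Assumed conventions, not from the source: low/medium/high mapped to 1/3/5,
risk score = likelihood x impact, score >= 15 is high and >= 5 is medium,
and high/medium deficiencies get 30/90-day completion targets.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

SCALE = {"low": 1, "medium": 3, "high": 5}
DUE_DAYS = {"high": 30, "medium": 90}  # plan target windows (assumption)


@dataclass
class Finding:
    asset: str                 # where e-PHI is stored or accessed
    threat: str                # what could go wrong
    vulnerability: str         # why it could go wrong today
    likelihood: str            # low / medium / high
    impact: str                # low / medium / high
    existing_controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def level(self) -> str:
        if self.score >= 15:
            return "high"
        if self.score >= 5:
            return "medium"
        return "low"


def analyze(findings):
    """Rank findings highest risk first (stable sort, so ties keep input order)."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


def implementation_plan(findings, start: date):
    """Every medium/high finding becomes a plan item with a completion date.

    Low findings stay in the analysis as accepted risk and get no plan item.
    """
    plan = []
    for f in analyze(findings):
        if f.level in DUE_DAYS:
            plan.append({
                "asset": f.asset,
                "threat": f.threat,
                "level": f.level,
                "score": f.score,
                "due": (start + timedelta(days=DUE_DAYS[f.level])).isoformat(),
            })
    return plan


# Constructed sample findings for a small practice (not real audit data).
SAMPLE_FINDINGS = [
    Finding("Doctor's laptop with EHR client", "Loss or theft exposes cached e-PHI",
            "Drive is not encrypted", "medium", "high", ["Cable lock at desk"]),
    Finding("Front-desk workstation", "Shared login hides who viewed which record",
            "One generic account used by all staff", "high", "medium"),
    Finding("Nightly EHR backup", "Ransomware or disk failure destroys records",
            "Restore has never been tested", "low", "high", ["Daily backup job"]),
    Finding("Server closet", "Unauthorized physical access to the EHR server",
            "Door left unlocked during business hours", "medium", "medium"),
    Finding("Fax machine", "Misdirected fax discloses a record",
            "No cover-sheet verification", "low", "low"),
]


def render(findings, start: date) -> str:
    """Produce the audit-ready text: ranked analysis, then the dated plan."""
    lines = ["RISK ANALYSIS (ranked)"]
    for f in analyze(findings):
        lines.append(f"[{f.level:6}] {f.score:2d}  {f.asset}: {f.threat} ({f.vulnerability})")
    lines.append("IMPLEMENTATION PLAN")
    for item in implementation_plan(findings, start):
        lines.append(f"due {item['due']}  {item['asset']}: {item['threat']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS, date(2014, 1, 15)))
```

Run it once before the end of the reporting period, keep the dated output with the analysis, and re-run it when the plan items close so the monitoring step is documented too.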

Risk assessment help

The Office of the National Coordinator for Health Information Technology, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable Security Risk Assessment Tool (SRA Tool) to help guide you through the process. The tool asks you a series of questions and provides background information for each. During the process, you will be asked to detail steps to mitigate risk. At the end, it produces a comprehensive report that can be exported as a PDF or into a spreadsheet for easy future updates.


Access the SRA Tool at

Also, you can access the Guide to Privacy and Security of Health Information at

Your practice — your plan

Don’t let your practice’s efforts in implementing EHR and meaningful use measures get derailed. Following the guidelines specified by CMS with the advice contained in this article should allow you to confidently and successfully navigate any meaningful use audit. OM

Ms. Shewmaker has spent 17 years on the front lines of EHR design and implementation. She recently left her position as VP of product development at Compulink and is focusing on ophthalmic practice consultations, education and compliance. E-mail her at

Mr. Grant is founder of HCMA, Inc., which specializes in management, operations and IT consulting for medical practices. E-mail him at, or send your comments to