Any provider attesting to receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially can be subject to an audit. Here’s what you need to know to make sure you’re prepared:
Overview of the CMS EHR Incentive Programs Audits:
- All providers attesting to receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses. Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.
- CMS, and its contractors, will perform audits on Medicaid providers.
- CMS and states will also manage appeals processes.
Preparing for an Audit:
- To ensure you are prepared for a potential audit, save the electronic and paper documentation that supports your attestation. Also save the documentation that supports the values you entered in the Attestation Module for Clinical Quality Measures (CQMs). Hospitals should also maintain documentation that supports their payment calculations.
- Upon audit, the documentation will be used to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.
Details of the Audits
- There are numerous pre-payment edit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting, and payment.
- Post-payment audits will also be completed during the course of the EHR Incentive Programs.
- If, based on an audit, a provider is found to not be eligible for an EHR incentive payment, the payment will be recouped.
- CMS has an appeals process for eligible professionals, eligible hospitals, and critical access hospitals that participate in the Medicare EHR Incentive Program.
- States will implement appeals processes for the Medicaid EHR Incentive Program. For more information about these appeals, please contact your State Medicaid Agency.
What information should an eligible professional, eligible hospital, or critical access hospital participating in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs maintain in case of an audit?
An audit may include a review of any of the documentation needed to support the information that was entered in the attestation. The level of the audit review may depend on a number of factors, and it is not possible to include an all-inclusive list of supporting documents. The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.
The summary document will be the starting point of most reviews and should include, at minimum:
- The numerators and denominators for the measures
- The time period the report covers
- Evidence to support that it was generated for that eligible professional, eligible hospital, or critical access hospital
Although the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider.
A few examples of additional support are as follows:
- Drug-Drug/Drug-Allergy Interaction Checks and Clinical Decision Support – Proof that the functionality is available, enabled, and active in the system for the duration of the EHR reporting period.
- Electronic Exchange of Clinical Information – Screenshots from the EHR system or other documentation that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care. Alternately, a letter or email from the receiving provider confirming the exchange, including specific information such as the date of the exchange, name of providers, and whether the test was successful.
- Protect Electronic Health Information – Proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (e.g., report which documents the procedures performed during the analysis and the results).
- Drug Formulary Checks – Proof that the functionality is available, enabled, and active in the system for the duration of the EHR reporting period.
- Immunization Registries Data Submission, Reportable Lab Results to Public Health Agencies, and Syndromic Surveillance Data Submission-Screenshots from the EHR system or other documentation that document a test submission to the registry or public health agency (successful or unsuccessful). Alternately, a letter or email from registry or public health agency confirming the receipt (or failure of receipt) of the submitted data, including the date of the submission, name of parties involved, and whether the test was successful.
- Exclusions – Documentation to support each exclusion to a measure claimed by the provider.
For Medicare eligible professionals and for hospitals that are eligible for both Medicare and Medicaid EHR incentive payments – When a provider is selected for an audit, they will receive an initial request letter from the audit contractor. The request letter will be sent electronically by the audit contractor from a CMS email address and will include the audit contractor’s contact information. The email address provided during registration for the EHR Incentive Program will be used for the initial request letter.
The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an on-site review at the provider’s location could follow. A demonstration of the EHR system could be requested during the on-site review. A secure communication process has been established by the contractor, which will assist the provider to send any information that could be considered sensitive. Any questions pertaining to the information request should be directed to the audit contractor.
States will have separate audit processes for their Medicaid EHR Incentive Program. For more information about these audit processes, please contact your State Medicaid Agency.