August 2011 Volume 7 Number 12

The Medicare & Medicaid EHR Incentive Programs: Preparing for a Potential Audit

By Esther R. Scherb, Dana Shank, Kathryn M. Almar, Latham & Watkins LLP, Washington, D.C.
and Preeya M. Noronha*, Washington, D.C.

AuthorAuthorAuthorAuthorThe American Recovery and Reinvestment Act of 2009 established the Medicare and Medicaid Electronic Health Record (“EHR”) Incentive Programs, which provide incentive payments to eligible professionals (“EPs”), eligible hospitals, and critical access hospitals (“CAHs”) (collectively, “providers”) as they adopt, implement, upgrade, or demonstrate “meaningful use” of certified EHR technology.1 To receive these incentive payments, providers must (1) meet “meaningful use” criteria using certified EHR technology; and (2) successfully attest to the Centers for Medicare & Medicaid Services (“CMS”) or a state Medicaid agency that they have met the criteria.2 Because providers who make the required attestations and receive payments may be subject to audits, it is critical they maintain adequate documentation of compliance. This article reviews some of the considerations for preparing for potential audits.

Overview of the EHR Incentive Programs

The EHR Incentive Programs require providers to demonstrate that they are using certified EHR technology in a meaningful manner. This “meaningful use” of certified technology is to be measured both quantitatively and qualitatively, and the criteria are being implemented in three stages over five years.3 The Stage 1 meaningful use criteria, which are applicable in 2011 and 2012, include 24 objectives for eligible hospitals and CAHs, and 25 objectives for EPs.4 These objectives include specific measures that focus on electronically capturing health information in a coded format, using that information to track key clinical conditions, communicating that information for care coordination purposes, and initiating the reporting of clinical quality measures and public health information.5 To qualify for an incentive payment, eligible hospitals and CAHs must meet 19 of the 24 objectives, and EPs must meet 20 of the 25 objectives.6 Providers must also report certain clinical quality measures, which are numeric measures of process, experience or outcomes of patient care, observations or treatment that relate to quality aims for healthcare.7 The Stage 2 and 3 criteria, expected to be implemented in 2013 and 2015, respectively, will expand on the Stage 1 baseline and will be developed through future rulemaking.8  For both the Medicare and Medicaid EHR Incentive Programs, eligible providers must successfully demonstrate meaningful use through a web-based Registration and Attestation System,9 which requires that providers (1) input numerators and denominators for meaningful use criteria and clinical quality measures that require the collection of numeric data to calculate a percentage, (2) indicate if they qualify for exclusions to specific objectives, and (3) legally attest that they have successfully demonstrated meaningful use.10 To attest for the Medicare EHR Incentive Program, providers must meet meaningful use criteria for a consecutive 90-day reporting period during their first year of participation. In subsequent years of participation, providers must attest that they have met the criteria for a full year.11 For the Medicaid EHR Incentive Program, providers may attest that they have adopted, implemented, or upgraded certified EHR technology in their first year of participation to receive an incentive payment.12  In addition, CMS requires each provider to provide a CMS EHR Certification ID or Number that identifies the certified EHR technology that the provider is using to demonstrate meaningful use.13

Projected Audits of Providers Who Receive EHR Incentive Payments

Any provider who makes an attestation statement and receives EHR incentive payments may be subject to an audit by CMS or state Medicaid agencies. In addition to numerous prepayment edit checks already incorporated into the EHR Incentive Programs’ systems—which are in place to detect inaccuracies in eligibility, reporting, and payment—CMS and States will also conduct postpayment audits to detect these inaccuracies during the course of the EHR Incentive Programs.14 CMS and its contractors will be responsible for audits on Medicare providers and providers treating dually-eligible beneficiaries (i.e., covered by both Medicare and Medicaid), whereas States and their contractors will perform audits on Medicaid providers. States are required to have an oversight plan to ensure the integrity of incentive payments, and such plan must be approved by CMS.15 In a recent report by the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) that surveyed 13 States that had approved Medicaid EHR Incentive Program plans, all 13 States responded that they plan to review and verify at least half of the eligibility requirements prior to making EHR incentive payments.16 The OIG also reported that these states indicated that they are in the process of developing plans to audit eligibility requirements after payment.17 CMS and States also will manage appeals processes for the respective incentive programs.18

According to CMS, providers attesting to receive an EHR incentive payment should retain for six years “ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module responses),” although documentation used to support payment calculations (such as cost report data) should continue to follow current documentation retention processes.19 CMS and state Medicaid agencies are still developing their audit strategies, however, so other than this general recommendation, there is limited guidance available on the specific type and extent of supporting documentation considered sufficient for an audit. Further, although CMS has indicated that audits will be performed, it is unclear when such audits will begin. Until additional guidance on audit processes and the documentation to be reviewed in the course of such audits is made available, providers are best served to retain as much supporting documentation as practicable to support their attestations.

Preparing for a Potential Audit

If CMS finds that a provider is ineligible for an EHR incentive payment based on audit findings, the incentive payment will be recouped by CMS.20 A false attestation may also be the basis for liability under the federal False Claims Act or similar state laws. Audits could be rigorous, especially if CMS decides that contractors should perform the audits and be compensated based on a percentage of unsupported incentive payments, similar to the Recovery Audit Contractor program.21 The following are considerations for providers in anticipation of possible CMS or state Medicaid agency audits under the EHR Incentive Programs:

  • Designate a specific person or committee in the provider organization to coordinate compliance with meaningful use criteria. For smaller organizations, a Compliance Officer could ensure compliance with meaningful use criteria. For larger organizations, because compliance requires coordination among many different subject-matter areas, a committee should include individuals from various areas of the organization, e.g., financial, information technology, privacy/security, legal, audit/compliance, etc.
  • The designated person or committee should establish a detailed written compliance plan for gathering and maintaining documentation to support EHR attestation requirements. This plan should identify the responsible parties designated for gathering all supporting documentation.
  • The written compliance plan should include a process for building an “EHR Attestation Binder” or other centralized repository for supporting documentation, which should be updated on a regular basis. The repository should include the following information for each meaningful use objective to which the provider intends to attest:
    • The measurement that CMS uses to validate the objective;
    • The provider’s interpretation of the objective and the measurement;
    • Any reasonable judgment adopted for the specific interpretation of the objective and an explanation of the rationales for adopting the judgment and interpretation;
    • The certified EHR technology used to meet the objective;
    • The parties within the provider organization that are responsible for meeting the objective; and
    • The provider’s policies and procedures for maintaining compliance with the goals/intent of the objective.
  • Responsible parties should gather the supporting data for each meaningful use objective and clinical quality measure, validate the data to ensure the EHR Incentive Program requirements are met, and review the information with the designated compliance person or committee at least on a monthly basis.
  • The repository should also include detailed policies and procedures regarding use of certified EHR technology. These should include instructions to provider staff regarding use of the technology consistent with the CMS criteria, such as the recording of patient vital signs, the maintenance of medication lists, and the procedures for providing patients with a copy of their EHRs upon request. To the extent that providers conduct periodic training on the use of certified EHR technology, documentation of the type of training modules and who attended should also be included in the repository.
  • If an internal audit program is established by the provider to assess its compliance with the EHR Incentive Program requirements on a long-term basis, documentation of that audit program should be included in the repository.
  • The contents of the repository should be retained for six years post-attestation.


The best time to prepare for a potential audit is at the very outset of the program. On balance, the consequences of being unprepared for an audit can be time-consuming and expensive. Taking the additional time and effort upfront to establish a robust program to document compliance with the EHR Incentive Programs, therefore, should become a part of best practices for compliance programs.

*Preeya M. Noronha is formerly with Latham & Watkins LLP.


“Certified EHR technology” is EHR technology that has been certified by the Office of the National Coordinator Authorized Testing and Certification Body pursuant to standards, implementation specifications and certification criteria adopted by the Secretary of Health & Human Services. CMS, Certified EHR Technology, available at


CMS, Path to Payment, available at


CMS, CMS EHR Meaningful Use Overview, available at





EHR Incentive Program Final Rule, 75 Fed. Reg. 44321 (Jul. 28, 2010).


Supra, note 3.


EHR Incentive Program Final Rule, 75 Fed. Reg. 44380 (Jul. 28, 2010).



Supra, note 3.


CMS, Attestation, available at















U.S. Department of Health and Human Services, Office of Inspector General, “Memorandum Report: Early Review of States’ Planned Medicaid Electronic Health Record Incentive Program Oversight,” July 15, 2011. This report is the first in a series of studies by OIG on the EHR Incentive Programs. In a subsequent review, the OIG will examine the Medicare EHR Incentive Program.






CMS, Attestation, available at


Id. For a description of current documentation retention processes, see MLN Matters Article SE1022, “Medical Record Retention and Media Formats for Medical Records,” Aug. 10, 2010, available at


Supra, note 8.


For more information, see

The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.