This entry is part 37 of 60 in the series HIPAA Security Risk Analysis Tips

Some Eligible Providers, Eligible Hospitals and Critical Access Hospitals who have purchased and implemented an electronic health record (EHR) system and attested to meaningful use of that EHR may be subjected to an audit before they see an incentive payment. That’s the word from CMS’ Office of E-Health Standards and Services. Here’s today’s big TIP — Learn the Audit Validation Process and Required Documentation for HIPAA Risk Analysis.  


HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment Audits

The Centers for Medicare & Medicaid Services (CMS) has begun auditing providers attesting to Meaningful Use of their electronic health record systems before making incentive payments.

CMS has targeted 5 to 10 percent of those who attested to Meaningful Use in January 2013, according to Elizabeth Holland, director of the Health IT Initiative Group’s Office of E-Health Standards and Services. Eligible professionals selected for audit were chosen both “randomly” and “based on protocols that identify suspicious or anomalous attestation data,” according to the AAFP News Now article.

Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially may be subject to an audit. Eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses.

CMS provides guidance in EHR Incentive Programs Supporting Documentation For Audits, updated in February 2013. This guidance covers the requirements related to a HIPAA Risk Analysis on page 4:

Meaningful Use Objective: Protect Electronic Health Information

Audit Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period.

Suggested Documentation: Report that documents the procedures performed during the analysis and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)

Documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.

An additional 5 to 10 percent of physicians and others will be subject to post-payment audits, according to Holland. The audits are being conducted by Garden City, NY-based CPA firm Figliozzi and Company.


Download HIPAA Risk Analysis Buyer’s Guide Checklist

We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?” This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.

Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis

Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.