This entry is part 38 of 60 in the series HIPAA Security Risk Analysis Tips

CMS announced in January, after a critical OIG audit report, that Eligible Providers, Eligible Hospitals and Critical Access Hospitals who have purchased and implemented an electronic health record (EHR) system and attested to meaningful use of that EHR may be subjected to an audit before they see an incentive payment. Here’s today’s big TIP — Learn the exact requirement for Risk Analysis documentation.  


HIPAA Risk Analysis Tip – Eligible Provider EHR Pre-Payment Audit Document Request

Several of our clients have learned that they have been chosen by The Centers for Medicare & Medicaid Services (CMS) that they will be audited before CMS will be making incentive payments.

As we report in a post entitled HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment Audits, CMS has targeted 5 to 10 percent of those who attested to Meaningful Use in January 2013 to be audited before receiving any payments.

Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially may be subject to an audit. Eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses.

The specific CMS Eligible Provider EHR Pre-Payment Audit Document Request List covers the requirements related to a HIPAA Risk Analysis (Core Objective #15 for Eligible Professionals and Core Objective #14 for Eligible Hospitals and Critical Access Hospitals) along with other general information, core objective and menu set objectives/measures.

As a reminder, post-payment audits are not going away.  An additional 5 to 10 percent of physicians and others will be subject to post-payment audits, according to Holland. The audits are being conducted by Garden City, NY-based CPA firm Figliozzi and Company.

Watch Our Recorded, On Demand Webinar

Download HIPAA Risk Analysis Buyer’s Guide Checklist

We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?”  This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.

Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis

Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:


Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group:
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.

Series Navigation<< HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment AuditsHIPAA Risk Analysis Tip – Yes, Risk-Analyze Printers, Copiers and Scanners >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.