The Importance of Preparing for a Meaningful Use Audit Before Attestation

Kay Jackson

Guest post by Kay Jackson of Iatric Systems, Inc.

Hospitals and other healthcare organizations in the midst of the complex meaningful use attestation process often see the attestation itself as the end of the process. It is not. Today, 20 percent of hospitals are being selected for a meaningful use audit after attestation. That’s why it’s important that, while preparing for attestation, hospitals also get prepared to be audited.

Iatric Systems' help to longtime customer Memorial Healthcare in its attestation process, and in successfully passing its recent audit, as well as our work with other customers, has revealed how important this preparation can be. Not passing an audit results in having to pay back 100 percent of any incentive money already received.

Many of the decisions made and records kept during the process of attestation affect the outcome of an audit, as does careful attention to the details. One hospital being audited had accidentally transposed a single number. This simple mistake meant many hours of extra effort to find the error and then straighten it out with the independent auditing agency.

What follows are the components currently included in an audit request to eligible hospitals from the Centers for Medicare and Medicaid Services (CMS):

Part I – General Information:

As proof of use of a Certified Electronic Health Record Technology system, provide a copy of your licensing agreement with the vendor or invoice. Please ensure that the licensing agreement or invoices identify the vendor, product name and product version number of the Certified Electronic Health Record Technology system utilized during your attestation period. If the version number is not present on the invoice/contract, please supply a letter from your vendor attesting to the version number used during your attestation period.

Provide documentation to support the method (Observation Services or All ED Visits) chosen to report Emergency Department (ED) admissions designating how patients admitted to the ED were included in the denominator of certain meaningful use core and menu measures (i.e. an explanation of how the ED admissions were calculated and a summary of ED admissions).

Part II – Core Set Objectives/Measures

For Core Measures #1, 3, 4, 5, 6, 7, 8, 11 and 12, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e. a report from your system that ties to your attestation).

Please Note: If you are providing a summary report from your EHR system as support for your numerators/denominators, please ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided).

Core #14 – Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include completion dates.

As you can see from the above, it’s important for eligible hospitals to take steps during attestation that will fully prepare them for a possible audit. Here are some guidelines:

Retain certification and usage records

Healthcare organizations must be able to document that the technology solutions used to achieve attestation are certified and show that they were installed for the full date range, including the reporting period. This means retention of version numbers of the certified solutions used.

It is also important to document the method used for the patient extraction. Auditors want to see a document explaining why the ED Method was selected over the Observation Method — or vice versa.

In addition, it’s important to secure a letter from all of the software vendors used, verifying that the solution owned and used was a certified version of their software during the full reporting period. The letter should also cite the criteria for which the software is certified, cite the version numbers and be signed by a company representative.

Document numerator/denominator values for each measure

It’s important to validate and review any reporting that substantiates your N/D values and make sure they are all correct. When there is a change to any query or field that may impact your scores, be sure to include that it has been changed in the report. For measures that are Yes/No based, there must be documentation to support each measure, plus proof that the measure was tracked at the beginning and end of the reporting period.

In addition, auditors request that any proof also include logos from the vendor of record to prove that the reports were created from a Meaningful Use certified system.

Complete a security risk analysis and have a remediation plan in place

An excellent resource for information on this audit element would be the “Guide to Privacy and Security of Health Information” from The Office of the National Coordinator for Health Information Technology. It’s especially important to read page 26 about the timing for attestation.

As mentioned earlier, small errors can mean significant additional effort toward the audit process. It’s important to have more than one set of eyes look at the numbers being entered during attestation to help prevent costly audit problems later.

Some hospitals are selected for a pre-payment audit or a post-payment audit. Medicare and Medicaid audits can take place any time for up to six years from the date of attestation. Because of this, it’s vital for healthcare organizations to retain this documentation in a safe and secure location.

Audit notices are sent via email

Currently, sites being selected for audit receive ONLY an email notification providing three weeks to respond. Here are the details of the email notification so you can be sure to see it and respond within the three weeks. The notifications currently received via email are coming from the private firm hired by CMS to conduct its audits. The current sender of the email is and the emails are signed by Peter J. Figliozzi, CPA, CFF, FCPA. Hospitals are adding this address to their email white list to be sure that, if an audit notice is sent, it is received. Usually the email notice of an audit is directed to the email address added during the attestation process. If that person is no longer with the hospital, make sure their email address is redirected to one that is still active.

Because much of the audit relates to the technology used and its certification, it’s a good idea to request assistance from the technology vendors. By providing the vendor with the full information about the audit and responding to their questions quickly, hospitals can reduce their effort during the audit process and gain a better opportunity to pass.

Hospitals that have been audited receive either a follow-up request for any additional supporting information or a notice that they have passed.

If the hospital fails the audit, CMS intends to recoup any incentive payments associated with the time period for which the hospital did not comply. Hospitals failing an audit do have an opportunity to appeal; however, they are required to repay the incentive payment within 60 days or start accruing interest and future collections.

Here are some additional resources for understanding CMS audits:

EHR Incentive Programs Supporting Documentation for Audits

EHR Incentive Programs Audits Overview

Kay Jackson, manager, software certification, compliance and financial at Iatric Systems, Inc., and her team have been involved in more than 80 attestation efforts and were recently instrumental in the successful audit for Memorial Healthcare, a 150-bed full-service hospital in Owosso, Michigan. In addition to the support provided, Memorial used Iatric Systems Meaningful Use Manager to automatically pull the appropriate data from its EHR, freeze that data for the attestation period and retain it for use during their audit. To date, more than 20 Iatric Systems Meaningful Use Manager customers have been audited and have passed the first time.
