Regulation of Medicine


Preparing for Possible CMS Audits of EHR Incentive Programs

August 18, 2016

According to the Centers for Medicare & Medicaid Services (CMS), any health care provider attesting to receive an Electronic Health Record (EHR) incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially can be subject to an audit. CMS published the following information on its website to help providers understand what they need to know to make sure they are prepared:

Overview of the CMS EHR Incentive Programs Audits

  • All providers attesting to receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses. Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.
  • CMS, and its contractors, will perform audits on Medicare and dually-eligible (Medicare and Medicaid) providers.
  • States, and their contractors, will perform audits on Medicaid providers.
  • CMS and states will also manage appeals processes.

Preparing for an Audit

  • To ensure you are prepared for a potential audit, save the electronic or paper documentation that supports your attestation. Also save the documentation that supports the values you entered in the Attestation Module for Clinical Quality Measures (CQMs). Hospitals should also maintain documentation that supports their payment calculations. 
  • Upon audit, the documentation will be used to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.

Details of the Audits

There are numerous pre-payment edit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting, and payment.

Post-payment audits will also be completed during the course of the EHR Incentive Programs.

  • If, based on an audit, a provider is found to not be eligible for an EHR incentive payment, the payment will be recouped.
  • CMS has an appeals process for eligible professionals, eligible hospitals, and critical access hospitals that participate in the Medicare EHR Incentive Program.
  • States will implement appeals processes for the Medicaid EHR Incentive Program. For more information about these appeals, please contact your State Medicaid Agency.

What information should an eligible professional, eligible hospital, or critical access hospital participating in the Medicare or Medicaid Electronic Health Record (EHR) Incentive Programs maintain in case of an audit? An audit may include a review of any of the documentation needed to support the information that was entered in the attestation. The level of the audit review may depend on a number of factors, and it is not possible to include an all-inclusive list of supporting documents. The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report. This summary document will be the starting point of most reviews and should include, at minimum:

  • The numerators and denominators for the measures.
  • The time period the report covers.
  • Evidence to support that it was generated for that eligible professional, eligible hospital, or critical access hospital.
  • Although the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider. A few examples of additional support are as follows:
  • Drug-Drug/Drug-Allergy Interaction Checks and Clinical Decision Support—Proof that the functionality is available, enabled, and active in the system for the duration of the EHR reporting period.
  • Electronic Exchange of Clinical Information— Screenshots from the EHR system or other documentation that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care. Alternately, a letter or email from the receiving provider confirming the exchange, including specific information such as the date of the exchange, name of providers, and whether the test was successful.
  • Protect Electronic Health Information—Proof that a security risk analysis of the certified EHR technology was performed prior to the end of the reporting period (e.g., report which documents the procedures performed during the analysis and the results).
  • Drug Formulary Checks—Proof that the functionality is available, enabled, and active in the system for the duration of the EHR reporting period.
  • Immunization Registries Data Submission, Reportable Lab Results to Public Health Agencies, and Syndromic Surveillance Data Submission—Screenshots from the EHR system or other documentation that document a test submission to the registry or public health agency (successful or unsuccessful). Alternately, a letter or email from registry or public health agency confirming the receipt (or failure of receipt) of the submitted data, including the date of the submission, name of parties involved, and whether the test was successful.
  • Exclusions—Documentation to support each exclusion to a measure claimed by the provider.

Audit Process For Medicare eligible professionals and for hospitals that are eligible for both Medicare and Medicaid EHR incentive payments—When a provider is selected for an audit, they will receive an initial request letter from the audit contractor. The request letter will be sent electronically by the audit contractor from a CMS email address and will include the audit contractor’s contact information. The email address provided during registration for the EHR Incentive Program will be used for the initial request letter.

The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an on-site review at the provider’s location could follow. A demonstration of the EHR system could be requested during the on-site review. A secure communication process has been established by the contractor, which will assist the provider to send any information that could be considered sensitive. Any questions pertaining to the information request should be directed to the audit contractor.

States will have separate audit processes for their Medicaid EHR Incentive Program. For more information about these audit processes, please contact your State Medicaid Agency.  In addition, the MagMutual Patient Safety Institute has a Sr. Medicare/Medicaid Specialist on staff who is available to answer questions regarding these processes.   Source:

Created by MagMutual from materials provided by COPIC as part of MagMutual and COPIC’s alliance to improve patient safety and quality of care for all of our PolicyOwners.

Want to learn more?

Interested in how MagMutual can help?

View our products


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.