Member Update
December 17, 2015
Meaningful Use Audits
Currently between 5% and 10% of eligible professionals are being targeted for a Meaningful Use audit. CMS has contracted with Figliozzi & Company, CPAs P.C. to perform audits of Medicare EHR Incentive Program attestations and Kansas Medicaid has contracted with Navigant Consulting, Inc. to perform audits of Medicaid EHR Incentive Program attestations in Kansas.
What are common reasons for failing an audit?
 
The most common cause of a Meaningful Use audit failure is noncompliance with the required data security risk assessment (SRA). Areas of noncompliance include:
  • Lack of a documented SRA for the reporting year;
  • Lack of a documented mitigation plan to correct security deficiencies found while conducting the SRA; and/or
  • Mitigation plan not followed.
Lack of adequate documentation to support some of the responses provided in attestations is also a common reason for failing an audit.
 
When should you complete an SRA?
 
The SRA must be conducted, or at least reviewed and updated (as needed), annually. For eligible professionals attesting during a 2015 reporting period, the SRA must be conducted between January 1, 2015 and December 31, 2015 to be in compliance. Current guidance from CMS for 2015 attestations states "it is acceptable for the security risk analysis to be conducted outside the EHR reporting period if the reporting period is less than one full year. However, the analysis or review must be conducted within the same calendar year as the EHR reporting period, and if the provider attests prior to the end of the calendar year, it must be conducted prior to the date of attestation."
 
What is the penalty for failing an audit?
 
A provider that fails just one element of a Meaningful Use audit must return the entire incentive payment for that year. The provider may also be subject to another audit of another participating year especially if the reason for failure (such as the security risk analysis) may have occurred in multiple attestation years.
 
 In addition, for audits failed in 2013 and subsequent reporting years, providers will be subject to applicable payment adjustments on Medicare Part B claims.
 
What can you do to prepare for an audit?

You should maintain separate "books of evidence" for each reporting year containing documentation to support that each objective and measure has been met for the reporting period. All supporting documentation should be kept for six years from the date of attestation (as that is the potential audit window). Make sure your "books of evidence" are easy to retrieve, since the time limits for responding to audit requests can be short. Also, make sure that the email address associated with the attestation continues to be monitored, even if the staff member is no longer employed. Notification of audit is sent via email first and may be followed up with mail or telephone notification.
 
For CMS guidance about audits, please refer to the CMS EHR Incentive Programs Audits Overview.
 
Contact Us
Contact Terri to request access to the Connections Resource Site,
to request access to Virtual Lecture Hall,
or to share information for a future Member Update.
 
Contact Amy or Trish for MU, HIPAA, or HIT assistance.  
Feel free to contact any member of the KAMU HCCN Grant Project Team below
for assistance with project activities.
 
Terri Kennedytkennedy@kspca.org785-233-8483
Susan Woodswood@kspca.org785-233-8483
Amy Byeramy.byer@synovim.org316-737-9743
Trish Harknesstrish.harkness@synovim.org620-874-8034
Health Center Connections is a health center controlled network organized and supported by KAMU. Current funding for Connections is through Health Resources and Services Administration (HRSA) HCCN Funding Opportunity HRSA-13-237.