Skip to main content
  • Practice Perfect

    Be Prepared: How to Ace an EHR Audit on Meaningful Use

    By Leslie Burling-Phillips, Contributing Writer
    Interviewing Jeffery Daigrepont, CMPE, Denise Fridl, COT, COE, and Kelsey A. Lang, MPP

    Download PDF

    If you applied to receive the incentive payments for meaningful use (MU) of electronic health records (EHRs), you may be selected for a compulsory pre- or postpayment audit.

    Although having your records scrutinized may seem an intimidating prospect, it does not have to be a daunting experience. Proactive preparation will help you to meet the auditing requirements on time.

    Who Will Audit You

    Although the auditing procedures of Medicare and Medicaid are quite similar, the auditing entities are different.

    Medicare audits are initiated by the accounting firm Figliozzi and Company on behalf of CMS, and the auditing terms are consistent throughout the country.

    Conversely, there is no one company responsible for all Medicaid audits; each state contracts with a firm of its choice. If you participate in the Medicaid program, contact your state’s Medicaid agency to learn about its auditing requirements and procedures.

    Steps to Take Before You Get Audited

    If your practice isn’t already taking the following four steps, make sure that it does so as soon as possible.

    Run reports regularly and review them for accuracy. Whether you evaluate your EHR-generated reports daily, weekly, or monthly, you should examine your data frequently enough to ensure that you are meeting each of the MU attestation requirements. “Closely monitoring your reports enables you to become familiar with all of the information that the auditors will request,” said Denise Fridl, COT, COE, who was recently the point person for an MU audit at an 18-physician practice in North Carolina (see “A Successful Audit” below). “Due to the size of our practice, our clinical manager reviews these reports daily to look for outlying occurrences within the system. If we find that someone is not following the necessary protocols or if any objective is not completed, the issue can be quickly identified and resolved.

    A Successful Audit

    Ms. Fridl, chief performance officer at Asheville Eye Associates, submitted her practice’s final attestation documentation for the year last December. In March, her practice was randomly selected to participate in a prepayment audit. “At first I thought that if the procedure was anything similar to the meaningful use attestation process, it would be a time-consuming endeavor. In reality, it only took us a couple of days to organize the requested documentation and obtain all the necessary signatures. Submission was trouble-free because our documents were already in order and the system was very easy to navigate with the instructions that were provided by the auditing agency,” said Ms. Fridl, who uploaded her practice’s information to the auditor’s Web portal.

    Meet all of the required thresholds. For each of the MU criteria that a practice attests to achieving, the auditors want to confirm that the threshold was met. “If a particular threshold is set at 60 percent, only achieving it 59 percent of the time will not be enough,” said Jeffery Daigrepont, CMPE, a consultant whose firm, the Coker Group, participates in the AAOE’s Consultant Directory. “I advise our clients to meet and exceed the CMS-mandated thresholds so there is no doubt whatsoever that each one was achieved. Many of our clients have decided to strive for 100 percent compliance to avoid potential shortfalls.”

    Likewise, if you decided to take an exclusion from any of the MU objectives, you should “maintain documentation that supports your eligibility for that exclusion,” said Kelsey A. Lang, MPP, who is the Academy’s manager of quality and payment policy. “For example, if you are taking the e-prescribing exclusion, you should have a report prepared in your EHR that supports that you wrote 100 or fewer prescriptions during the reporting period.”

    Assemble and maintain a repository of all the information you’ll need in an audit. “The Academy recommends that practices participating in MU attestation maintain a compliance binder that includes all of the documentation used to complete their attestation,” said Ms. Lang. The Academy website has a sample audit request list that itemizes the documents that auditors may ask for, as well as a link to CMS guidance on the types of documentation that would support your attestation for the various MU objectives (see “Online Resources” below). “The MU requirements are largely the same between the Medicare and Medicaid programs, so practices can use the Medicare list of documentation as a guide even if they are participating in the Medicaid incentive program,” said Ms. Lang. The supporting documents should be retained for six years after MU attestation.

    Ms. Fridl’s audit experience highlights the types of documentation that should be in your compliance repository. “We were asked to provide the licensing agreement from our EHR vendor, an invoice stating which product and version we were using and that both were certified,” she said. “Figliozzi also requested a summary of our attestation report to prove that all of our physicians had met each of the core- and menu-set objectives. Each objective had to be further broken down by numerator and denominator. We were also asked for the numbers of patients each physician treated and how many objectives were completed for each of those patients.” Keeping this information organized, updated, and accessible will expedite an audit.

    Online Resources

    Get ophthalmic-specific information. The Academy and the AAOE have created a Web page devoted to meaningful use audits. Go to, select “Meaningful Use,” and then “Meaningful Use Audits page.”

    How to document exclusions. The above resources include documents you can download to support the two exclusions most commonly taken by ophthalmologists: vital signs and immunizations.

    Check your security analysis. The HIPAA Security Risk Analysis is the most frequently cited problem area encountered during an audit, according to Ms. Lang. “It is essential to document the procedures that a physician took to complete the analysis, as well as to retain a copy of the report showing the results of that analysis. This is not just a requirement of the EHR incentive program, it is also a requirement of the HIPAA Security Rule.”

    When You Are Selected for an Audit

     Between 5 and 10 percent of practices submitting attestation documentation will be selected to undergo an audit every month—either randomly or because a compliance error or inaccuracy was identified in a submission.

    Time will be of the essence. Practices are allotted 14 days to respond after receiving an engagement letter from Figliozzi or their state Medicaid auditing organization. “With such a short turnaround time, I suggest taking a proactive approach,” said Mr. Daigrepont, emphasizing the importance of taking preparatory steps as outlined above. “The ideal situation is to simply retrieve a file that is ready with all the required documentation.”

    Watch for the audit notification. If your practice is selected for an audit, “an information request will be sent to the e-mail address that CMS has on file. Unless you’ve updated it, this will be the e-mail that was provided when the practice was first registered to participate in the incentive program—so keep your contact e-mail address current,” said Ms. Lang. “The e-mail query will include a letter that explains the audit, states whether it is a pre- or postpayment audit, and lists documents that the auditor is requesting.”

    Respond promptly. “Immediately acknowledge that you are in receipt of the notice and will be complying and responding to the request,” said Mr. Daigrepont. “Also, ask any questions that you may have. If you anticipate that you might need more time to respond, let the auditor know and seek an extension as soon as possible.”

    Take advantage of vendor assistance. Contact your EHR vendor as soon as you receive an audit engagement letter; the company’s support staff may include someone who will guide you through the process. “Our EHR vendor has a designated employee who does nothing but help their clients through an audit,” said Ms. Fridl. “It was a tremendous advantage to have someone supporting us along the way. They had already assisted with so many audits before helping our practice, it was easy for them to tell us exactly what we needed to submit.”

    If You Fail the Audit, What Next?

    If inconsistencies are found during an audit, you may receive a request for follow-up information. If the problem is critical, an onsite audit may be conducted. “If it is determined that you are ineligible for the incentive payment, CMS will either deny the incentive payment [in a prepayment audit] or seek to recoup it [in a postpayment audit]. Depending on the finding, there could also be consequences that are more serious. If the audit demonstrates an attempt to defraud the government, CMS can pursue additional enforcement actions against a physician that include criminal penalties and/or temporary exclusion from Medicare participation,” warned Ms. Lang. If you fail an audit, you will have an opportunity to appeal with CMS.


    Jeffery Daigrepont, CMPE, is senior vice president at the Coker Group in Atlanta. Financial disclosure: Is employed by a consulting firm.

    Denise Fridl, COT, COE, is chief performance officer at Asheville Eye Associates in North Carolina. Financial disclosure: None.

    Kelsey A. Lang, MPP, is Academy manager of quality and payment policy. Financial disclosure: None.