CMS Issues Guidance in Case of EHR Incentive Audit

By Adrienne Dresevic, Esq., Carey F. Kalmowitz, Esq., and Phillip B. Toutant, Esq.

May 2013—With the Centers for Medicare and Medicaid Services’ (CMS) contractor now performing post-payment audits of providers who are participating in the Medicare EHR Incentive Program, it is important for participants to maintain appropriate supporting documentation in the event that they are audited. Failure to adequately support attestation(s) could result in recoupment of payments and even civil, criminal, or licensing liability to the extent that an audit reveals fraud and abuse.

Background on the EHR Incentive Programs’ Payment Audits

In January 2013, CMS’s contractor began performing post-payment audits for professionals participating in the Medicare EHR Incentive Program. When a provider is selected for a post-payment audit, he/she will be required to submit the documentation used for attestation, at the very least. Some providers may be subjected to review of additional documents and even on-site inspections.

In February, CMS updated its guidelines for the maintenance of supporting documentation in case a provider is audited. The guidelines can be accessed here. CMS has recommended that all documentation used to support attestation be kept for six years after attestation is performed, while payment calculation data (eg, cost report data) should be kept according to existing document retention policies.

CMS also wrote that program participants will be informed of an audit by email only, and that the email notification will be sent to the email address “provided during registration for the EHR Incentive Programs.” Thus, this email address should be maintained for notification of an audit, should one occur.

Record Keeping Recommendations

The guidance issued by CMS describes the requisite supporting documentation “ideally” as reports generated by a certified EHR system. The agency’s recommendation was that there be a report from a certified EHR system for each of the attestation values and each clinical quality measure data value that is submitted. However, if a report is not available or information differs from what is on the report, other means should be used to accomplish the same goal. Regardless, CMS further recommended that any paper or electronic documentation used to support attestation for core objectives and clinical quality measures, as well as any exclusions claimed, be retained in case a provider is the subject of an audit.

Though CMS indicates its preference for reports from a certified EHR system, the agency makes it clear that providers should play it safe when it comes to retention of supporting documentation for audits. The agency noted that:

though the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider.

Thus, CMS’s broad position is that there should be records to support each attestation made by a provider.

Certain EHR Systems May Increase Record Keeping Burden

For those who retain reports from certified EHR systems, the reports should be generated and retained at the time of attestation. This is because some certified EHR systems are not able to generate reports limited to a prior time period. Further, not every certified EHR system can track compliance for non-percentage-based meaningful use objectives (these are the attestations that require a “yes” attestation to meet meaningful use). An example of a non-percentage-based meaningful use objective is the Electronic Exchange of Clinical Information. For these types of objectives, the CMS publication provides suggested documentation to retain for audit purposes. However, certain EHR systems will make compliance with audit record keeping recommendations easier than others, insofar as they are able to generate reports limited to a prior time period and track compliance for non-percentage-based meaningful use objectives.


Although the likelihood of a post-payment EHR Incentive Program audit is not known, participating providers are expected to maintain sufficient documentation to support their attestations during the course of the incentive program. Careful documentation of the information used to support attestation values should be retained for six years. Further, providers participating in the Medicaid incentive program should ascertain whether there are any additional document retention requirements imposed by the law of their respective states. Finally, providers looking to purchase a certified EHR system should look for report compilation tools that make it easier to comply with CMS’s record keeping recommendations.

Adrienne Dresevic, Esq. graduated Magna Cum Laude from Wayne State University Law School. Practicing healthcare law, she concentrates in Stark and fraud/abuse, representing various diagnostic imaging providers, eg, IDTFs, mobile leasing entities, and radiology and multi-specialty group practices.

Carey F. Kalmowitz, Esq. graduated from NYU Law School. Practicing healthcare law, he concentrates on corporate and financial aspects, eg, structuring physician group practice transactions; diagnostic imaging and ancillary services, IDTFs, provider acquisitions, CON, compliance, and Stark and fraud/abuse.

Phillip B. Toutant, Esq. is a graduate of Michigan State University and Wayne State University Law School. Practicing healthcare law, he concentrates on litigation of contract and other healthcare disputes, False Claims Act defense and licensing matters.

The authors are members of The Health Law Partners, P.C. and may be reached at (248) 996-8510 or (212) 734-0128, or at
