May 2013 
The Importance of Retaining Supporting Documentation  
As hospitals and eligible providers attest to Meaningful Use, it is important that they retain all evidence supporting their attestation in preparation for a potential Centers for Medicare and Medicaid Services (CMS) audit. Documentation to support attestation data for Meaningful Use objectives and clinical quality measures should be retained for six years post-attestation.
Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes. States and their contractors will perform audits of Medicaid providers. Please contact your State Medicaid Agency for more information about audits for Medicaid EHR Incentive Program payments.  
Pre- and Post-Payment Audits  
There are numerous pre-payment audit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting, and payment. Beginning with attestations submitted during and after January 2013, Medicare providers may also be subject to pre-payment audits. These pre-payment audits will include random audits, as well as audits that target suspicious or anomalous data. For those providers selected for pre-payment audits, CMS will request supporting documentation to validate submitted attestation data before releasing payment.
CMS will also continue to conduct post-payment audits during the course of the EHR Incentive Programs. Providers selected for post-payment audits will also be required to submit supporting documentation to validate their submitted attestation data.  
Audit Review Process  
“It is the provider’s responsibility to maintain documentation that fully supports the Meaningful Use and clinical quality measure data submitted during attestation.”
Jim Deren
Strategic IT Planning
CareTech Solutions

If you are selected for an audit, you will receive an initial request letter from the CMS audit partner with the CMS and EHR Incentive Program logos on the letterhead. The request letter will be sent electronically from a CMS email address. The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an onsite review at the provider’s location could follow. A demonstration of the certified EHR system could be requested during the on-site review. A secure communication process has been established by the contractor, which will assist the provider to send any information that could be considered sensitive.

Audit Determination and Additional Measures

Once the audit is concluded, the provider will receive an Audit Determination Letter from the audit contractor. This letter will inform the provider whether they were successful in meeting Meaningful Use of electronic health records. If, based on the audit, a provider is found not to be eligible for an EHR incentive payment, the payment will be recouped.

CMS may also pursue additional measures against providers who attest fraudulently to receive an EHR incentive payment. It is a crime to defraud the Federal Government and its programs. Punishment may involve imprisonment, significant fines, or both. Criminal penalties for healthcare fraud reflect the serious harms associated with healthcare fraud and the need for aggressive and appropriate fraud prevention. In some states, providers and healthcare organizations may lose their licenses. Convictions also may result in exclusion from Medicare participation for a specified length of time. Medicare fraud may also result in civil liability.
Preparing and Maintaining Documentation
It is the provider’s responsibility to maintain documentation that fully supports the Meaningful Use and clinical quality measure data submitted during attestation. To ensure that you are prepared for a potential audit, save any electronic or paper documentation that supports your attestation. Also save the documentation that supports the values you entered in the Attestation Module for clinical quality measures. Hospitals should also maintain documentation that supports their payment calculations.
Primary (Source) Documentation and Other Support  
The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.
Providers should retain a report from the certified EHR system to validate all clinical quality measure data entered during attestation, since all clinical quality measure data must be reported directly from the certified EHR system.  
Providers who use a source document other than a report from the certified EHR system to attest to meaningful use data (e.g., non-clinical quality measure data) should retain all documentation that demonstrates how the data was accumulated and calculated.  
This primary document will be the starting point of most reviews and should include, at minimum:  
  • The numerators and denominators for the measures
  • The time period the report covers
  • Evidence to support that it was generated for that EP, eligible hospital, or CAH (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)
Because some certified EHR systems are unable to generate reports that limit the calculation of measures to a prior time period, CMS suggests that providers download and/or print a copy of the report used at the time of attestation for their records.  
Summary Document and Additional Reviews  
Although the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider.