Meaningful Use Prepayment Audit Notification

Prepayment and post payment audit is underway for the providers who have attested for Meaningful use incentives for the reporting year 2015Meaningful use Prepayment audit

The Centers for Medicare and Medicaid Services (CMS) has contracted with Figliozzi & Company,CPAs  technology as required in Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 to conduct the meaningful use prepayment and post payment audits. The HITECH Act provides the Secretary or any person or organization designated by the Secretary, the right to audit and inspect any books and records of any person or organization receiving an incentive payment.

CMS is informing providers who have been selected for the audit of meaningful use of certified EHR technology for the attestation year 2015. If providers are selected for prepayment audit, incentive payment will be held pending the outcome of the audit. If providers are being audited post payment, it’s the responsibility of the provider to demonstrate meeting all the required criteria. The providers who are not able to backup the attestation data may have to return the incentive payment for the year.

Meaningful Use Prepayment Audit

Attached is a sample letter of information request list. Be aware that this list may not be all-inclusive and there could be additional information requested to complete the audit.

Along with many clinical measures requested for audits, the security risk analysis of the EHR system is a key factor. EHR 2.0, can help your organization meet this requirement. We offer consulting services to conduct a thorough security risk analysis. We also offer a simple online Do-It-Yourself toolkit for Meaningful use security risk analysis. Documentation supporting staff training and keeping up to date on the latest requirements is another key factor.  EHR 2.0 provides online staff training for all healthcare providers.

Attached is a sample supporting documentation requested by the auditors, highlighting the documentation requirement for the security risk analysis of the EHR systems.

Measure 1 – Protect Patient Health Information, provide proof that a security risk analysis of the Certified EHR Technology was performed no earlier than the start of the reporting year and no later than the date of attestation (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.

Contact us at or call us at 866-276-8309.

Share this in :
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.