Some physicians who have received a meaningful use incentive check for adopting electronic health records may have received another piece of mail recently from the Centers for Medicare & Medicaid Services. The gist of that letter: You are being audited.

The company contracted by CMS to conduct post-payment auditing of hospitals and eligible professionals who successfully claimed meaningful use has started its work. The auditing process, a congressional requirement under the 2009 federal stimulus package that authorized the EHR bonuses, will be carried out by Figliozzi and Co., an accounting firm based in Garden City, N.Y.

The firm will audit recipients who obtained their bonuses from Medicare and hospitals that received incentive payments from both Medicare and Medicaid. States and their individual contractors will audit incentive program participants who received bonuses from Medicaid alone.

Medicare has paid more than $1 billion in bonuses to eligible professionals as of June, CMS said. More than 55,000 physicians have earned incentives for demonstrating meaningful use in 2011 or 2012.

A doctor or hospital found ineligible for an EHR incentive after an audit would be asked to return the bonus payment. The Government Accountability Office issued a report in April recommending that CMS examine its process for auditing the incentive program. The GAO suggested that CMS collect more information from physicians before bonus payments are made, so doctors won’t have to return money to the government if found to be noncompliant after the fact. CMS agreed with those recommendations but set no deadline or timetable for implementing them.

Jim Wieland, a partner at the Baltimore-based law firm Ober Kaler, said his firm started receiving calls earlier in the summer from clients who had received a letter from Figliozzi on CMS letterhead. In response, Wieland co-wrote an alert that was sent to all of the firm’s health care organization clients informing them that the letter is legitimate despite the fact that CMS did not make a formal announcement at the time the audits began.

Practices that receive the letter have two weeks to reply. But practices that retained all supporting documentation and reports used to attest to meaningful use should not have a problem, Wieland said.

The letters ask physicians to provide three things, said Wieland, who is head of the firm’s health care information privacy, security and technology group.

  • Proof that the EHR system used to meet meaningful use requirements is certified. The Office of the National Coordinator for Health Information Technology maintains a list of certified systems on its website.
  • Supporting documentation proving that core objectives were met. Fifteen core objectives must be met to achieve meaningful use during stage 1 of the initiative. EHR systems certified to meet meaningful use should generate reports showing that these objectives have been met. Electronic or paper copies of those reports should satisfy the request.
  • Supporting documentation that so-called menu objectives were met. Those attesting to meaningful use in stage 1 choose five menu objectives from a list of 10. EHR-generated reports, including those used to support clinical quality measures, can show that those objectives have been met.

In addition to providing those three things, hospitals will be asked for documentation supporting the method used to report emergency department admissions.

When asked about the audits, CMS spokesman Joseph Kuchler referred to the CMS website, which states that any eligible professional or hospital can be chosen for an audit. “Some may be selected based on specific information or risk factors, but they may also be random selections,” according to CMS. Physicians attesting to meaningful use should keep all documentation supporting compliance for at least six years after attestation, CMS said.

Physicians should be careful not to expose personal health information when sending the documentation to auditors, even though the letters say the information will be kept confidential, Wieland said. Future audits may require more detail, such as patient lists with personal information, but this round is a general survey that requires only high-level lists. “Practices shouldn’t view this as a threat,” he said.