The Office of Audit Services of the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services has begun a nationwide audit of a random sample of providers that have received incentive payments for achieving “meaningful use” under the Medicare Electronic Health Record (EHR) Incentive Program from January 1, 2011 to June 30, 2014. Medicare pays EHR incentive payments for up to five years to physicians and hospitals that achieve meaningful use of certified EHR technology each year. Providers that fail to achieve meaningful use face payment reductions beginning in 2015.

The OIG announced its intention to conduct these audits in its Work Plan for FY 2015. The OIG stated that it will review certain, but not all, meaningful use measures to determine whether providers received incentive payments in error. Among the measures covered by the OIG audits is the core meaningful use measure that requires providers to conduct a comprehensive security risk analysis in accordance with the Health Insurance Portability and Accountability Act Security Rule.

OIG is sending audit notice letters requesting specific information and documents, including documentation of compliance with the particular meaningful use measures under review, to each provider in the audit sample. Providers should have documentation for each of the measures such as measure calculation reports printed from the provider’s EHR system, security risk analysis reports, and dated screen prints that demonstrate that the provider met the measure during the meaningful use reporting period or otherwise by the applicable deadline.

When responding to the OIG audits, providers should be mindful that deficiencies identified for one physician in a physician group or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way. Thus, the incentive payments at risk in an audit may be greater than the payments to the particular provider being audited.

The OIG audits are in addition to the meaningful use audits conducted by Figliozzi & Company, the outside audit contractor of the Centers for Medicare and Medicaid Services. Unlike the Figliozzi audits, which cover a MU attestation for a single meaningful use reporting period, the OIG audits cover incentive payments paid from January 1, 2011 through June 30, 2014. 2011 is the first year that Medicare paid EHR incentive payments. For more information about the Figliozzi meaningful use audits, see “What Have We Learned from Audits under the Medicare EHR Incentive Program?