
Three Things You Need to Know About a Meaningful Use Audit


Providers receive notice of meaningful use audits directly from the Centers for Medicaid and Medicare or from a CMS vendor. The notice typically includes a document request list. As of 2015, both prepayment and post-payment audits can occur. Each audited practice must produce documents in these three required categories:

  1. Documentation that a certified EHR system meeting Meaningful Use requirements is in use
  2. Documents showing that quality, core, and menu objective measures are accurate
  3. Verification that a security risk assessment was performed, and that a corrective action plan is available in draft form


EHR Certification

Physicians must retain vendor documentation concerning the EHR system in use in order to satisfy certification requirements. If an older, uncertified EHR system is in use, the practice must update it.

The CMS site contains a list of currently certified products. Practices must carefully monitor system upgrades to verify that changes do not affect current certification.


Organized, auditable data sources used to register and attest to Meaningful Use must be available during an audit. Data should include evidence of the yes-no objectives as well as data available on the EHR-generated Meaningful Use reports.

Numerators and denominators should be accurate in generated reports. The report must show that the numerator achieved the required threshold. In some cases, patient population data in the practice management system must be cross-referenced to demonstrate denominator accuracy.

Yes-No Objectives

The yes-no objectives ('Y/N') refer to functionality that is activated during the reporting period. Providers can accomplish this goal by capturing and printing screenshots (with date/time information) from the EHR demonstrating that it was actively functional during the reporting period.

Professionals are required to show that the required functions were activated, but not necessarily that they were in use. It is important for providers to verify several times in each reporting period that the functions are activated and switched on. Certain functions must be turned on for the provider to receive incentive bonus funds.

Security Risk Assessment

The security risk assessment requirement confuses many providers. The HIPAA Security Rule has required all providers to have certain measures in place since 2005. However, not all practices have done so. Smaller practices are likely to view the requirements as excessive or costly. However, avoiding the requirements is likely to cost the provider much more in the future.

Failure to conduct a risk assessment places providers at risk. If the failure is discovered, providers may be required to repay incentive money or incur penalties from the Office of Civil Rights. HIPAA compliance is an absolute requirement.

Professionals should understand that risk assessment is a continually evolving process. Documentation requirements are likely to continue to change.

When new technology is installed or adopted, the practice must address each change in the risk assessment. Auditors may determine that the provider’s risk assessment is invalid for seemingly small omissions, such as the EHR system brand.