Stage 2 Audit Guidance

Stage 2 EHR Incentive Programs Supporting Documentation For Audits
Last Updated: February 2014



Providers who receive an EHR incentive payment for Stage 2 of the Medicare or Medicaid EHR Incentive Program potentially may be subject to an audit. Eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses.

Documentation to support attestation data for Stage 2 meaningful use objectives and clinical quality measures should be retained for six years post‐attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.

States and their contractors will perform audits on Medicaid providers. Please contact your State Medicaid Agency for more information about audits for Medicaid EHR Incentive Program payments.

Figliozzi and Company is the designated contractor performing audits on behalf of the Centers for Medicare & Medicaid Services (CMS), and will perform Stage 2 audits on Medicare EPs and eligible hospitals, as well as on hospitals that are dually‐eligible for both the Medicare and Medicaid EHR Incentive Programs. If you are selected for an audit you will receive a letter from Figliozzi and Company with the CMS and EHR Incentive Program logos on the letterhead.


Pre- and Post-Payment Stage 2 Audits

There are numerous pre‐payment edit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting, and payment. Medicare providers may also be subject to pre‐payment audits. These pre‐payment audits will include random audits, as well as audits that target suspicious or anomalous data. For those providers selected for pre‐payment audits, CMS and its contractor, Figliozzi and Company, will request supporting documentation to validate submitted attestation data before releasing payment.

CMS and Figliozzi and Company will also continue to conduct post‐payment audits during the course of the EHR Incentive Programs. Providers selected for post‐payment audits will also be required to submit supporting documentation to validate their submitted attestation data.

When providers are selected for an audit, they will receive an initial request letter from the auditor. The request letter will be sent electronically from the auditor’s email address ( and will include the audit contractor’s contact information. Click here for an example of an initial audit letter. The email address given by the provider during registration for the EHR Incentive Programs will be used for the initial request letter.

The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter. Additional information might be needed during or after this initial review process, and in some cases an onsite review at the provider’s location could follow. A demonstration of the certified EHR system could be requested during the on‐site review. A secure communication process has been established by the contractor, which will assist the provider to send any information that could be considered sensitive. Questions pertaining to audits should be directed to Peter Figliozzi at (516) 745‐6400 x302, or by email at Figliozzi and Company’s website is

States will have separate audit processes for their Medicaid EHR Incentive Program. For more information about these audit processes, please contact your State Medicaid Agency.
Once the audit is concluded, the provider will receive an Audit Determination Letter from the audit contractor. This letter will inform the provider whether they were successful in meeting meaningful use of electronic health records. If, based on the audit, a provider is found not to be eligible for an EHR incentive payment, the payment will be recouped.

CMS may also pursue additional measures against providers who attest fraudulently to receive an EHR incentive payment. It is a crime to defraud the Federal Government and its programs. Punishment may involve imprisonment, significant fines, or both. Criminal penalties for health care fraud reflect the serious harms associated with health care fraud and the need for aggressive and appropriate fraud prevention. In some states, providers and health care organizations may lose their licenses. Convictions also may result in exclusion from Medicare participation for a specified length of time. Medicare fraud may also result in civil liability. (Click here for more information about Medicare Fraud & Abuse.)

Preparing and Maintaining Stage 2 Documentation

It is the provider’s responsibility to maintain documentation that fully supports the meaningful use and clinical quality measure data submitted during attestation. To ensure you are prepared for a potential audit, save any electronic or paper documentation that supports your attestation. Also save the documentation that supports the values you entered in the Attestation Module for clinical quality measures. Hospitals should also maintain documentation that supports their payment calculations.

An audit may include a review of any of the documentation needed to support the information that was entered in the attestation. The level of the audit review may depend on a number of factors, and it is not possible to detail all supporting documents that may be requested as part of the audit. The following will outline the minimum supporting documentation that providers should maintain; however, the auditor may request additional documentation to substantiate the provider’s attestation.

Source document(s)

The primary documentation that will be requested in all reviews is the source document(s) that the provider used when completing the attestation. This document should provide a summary of the data that supports the information entered during attestation. Ideally, this would be a report from the certified EHR system, but other documentation may be used if a report is not available or the information entered differs from the report.

Providers should retain a report from the certified EHR system to validate all clinical quality measure data entered during attestation, since all clinical quality measure data must be reported directly from the certified EHR system.

Providers who use a source document other than a report from the certified EHR system to attest to meaningful use data (e.g., non‐clinical quality measure data) should retain all documentation that demonstrates how the data was accumulated and calculated.

This primary document will be the starting point of most reviews and should include, at minimum:

  • The numerators and denominators for the measures
  • The time period the report covers
  • Evidence to support that it was generated for that EP, eligible hospital, or CAH (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)
  • Evidence to support that the report was generated by the certified EHR system (e.g., screenshot of the report before it was printed from the system)


Because some certified EHR systems are unable to generate reports that limit the calculation of measures to a prior time period, CMS suggests that providers download and/or print a copy of the report used at the time of attestation for their records.

Although the summary document is the primary review step, there could be additional and more detailed reviews of any of the measures, including review of medical records and patient records. The provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed by the provider.

Documentation for Non‐Percentage‐Based Objectives

In addition, not all certified EHR systems currently track compliance for non‐percentage‐based meaningful use objectives. These objectives typically require a “Yes” attestation in order for a provider to be successful in meeting meaningful use. To validate provider attestation for these objectives, CMS and its contractor may request additional supporting documentation.

A few examples of suggested documentation are listed below. Please note that the suggested documentation does not preclude CMS or its contractor from requesting additional information to validate attestation data.


You can download the PDF version of this article.

Do you need need a Security Risk Analysis Report?

Click here to download the  Official HSR Toolkit

*The NIST Standards provided in this tool are for informational purposes only as they may reflect current best
practices in information technology and are not required for compliance with the HIPAA Security Rule’s
requirements for risk assessment and risk management.

Call us today if you have any questions or need help getting all your documentation ready for a stage 2 meaningful use  Audit.

+1 (561) 584 9144


Leave a Reply