Appl Clin Inform 2018; 09(01): 034-036
DOI: 10.1055/s-0037-1620256
Letter to the Editor
Schattauer GmbH Stuttgart

Incorrectly Performed Meaningful Use Audits Hurt Small Practices

Christoph U. Lehmann
Steven E. Waldren
Thomson Kuhn
Further Information

Address for correspondence

Christoph U. Lehmann, MD, FAAP, FACMI, MIAHSI
Vanderbilt University Medical Center
2525 West End Avenue, Suite 1475, Nashville, TN 37203
United States   

Publication History

19 September 2017

19 December 2017

Publication Date:
10 January 2018 (online)


A recent report by the Office of the Inspector General (OIG) at the Department of Health and Human Services suggested that hundreds of millions of dollars in Meaningful Use (MU) incentive payments were paid incorrectly to eligible professionals (EPs), who did not qualify for these payments.[1] Based on a sample of 100 EPs, the Inspector General alleged to have found “insufficient attestation support, inappropriate reported meaningful use periods, or insufficiently used certified EHR technology” resulting in $729,424,395 in incentive payments to EPs, who were not eligible for payments.

Claiming to the dollar how much money was paid incorrectly in a $36 billion incentive program[2] to hundreds of thousands of EPs based on a sample of 100 EPs offers more precision than the methodology would permit demonstrating scientific weakness and may be a display of overconfidence in the audit and accounting prowess. However, based on our experiences outlined below, these claims are incorrect and damaging to the reputation of eligible providers and a risk to the financial viability of their practices. Significant money was expended by EPs to meet MU requirements, and additional resources are expended by them to respond to the audits.

MU was designed to incentivize EPs and eligible hospitals to adopt certified EHR technology. The intention of the HITECH Act was to move providers from paper to EHRs. Even though MU incentives pay only for a fraction of the cost of ownership of an EHR, physicians went along trusting the promise that at least a portion of their expenses would be offset by MU.[3] The efforts by Medicare and Medicaid to “claw back” incentive monies came at great surprise and shock to many EPs, especially years after the incentives were paid. It is important to remember that the MU program was implemented without any guidance for EPs regarding documentation requirements to support audits. All of the audit documentation requirements were written after the program had been implemented.[4]

The OIG audited CMS's payments based on the attestation data provided by EPs. As written, the OIG report could be misinterpreted as evidence that EPs tried to obtain inappropriate payments by defrauding CMS. Rather, the correct interpretation is that the CMS attestation and payment authorization system was inadequately designed and tested. CMS has conducted audits of EPs looking into appropriateness and accuracy of submitted attestation data. These audits also have serious issues that need to be addressed because they have been harming EPs.

MU Audits

From the beginning of the EHR Incentive Program in 2011, CMS used a private entity, Figliozzi & Company, to conduct postpayment audits of EPs, who attested that they had completed the MU requirements for Medicare. On the Medicaid side, many states' Medicaid agencies use Myers and Stauffer Certified Public Accountants. Anecdotal reports from practices, which were subjected to early audits, claimed that the auditors were unfamiliar with the details of the MU program requirements and that documentation requirements were developed on the spot, long after the close of the audited reporting period. The first year Medicaid MU application required only an attestation by the provider of the intent to purchase a certified EHR within a year without any other documentation or auditing requirements. Any postevent auditing requirements would come as a significant surprise to practices qualifying under Medicaid.

Frequently, required documentation was impossible for EPs to produce after the close of the reporting period, as auditors demanded that the needed reports had to display dates that showed that they were created during the measurement period before the rules were available. Many similar documentation requirements were developed early in the audit program. Physicians and practices that had done their best to satisfy the complex requirements of MU found that they could not pass the audits due to lack of existence of the documentation based on requirements created after the fact. The MU program is an all-or-nothing program. Therefore, if a single piece of supporting documentation could not be produced to the satisfaction of the auditors and CMS, the EP, and in some cases all of the EPs in a practice, would fail the audit and be required to pay back the entirety of that year's incentive payment.

Professional organizations like the American Academy of Pediatrics, American Academy of Family Physicians, and the American College of Physicians have received numerous calls, emails, and letters from EPs across the United States, who complained about unfair, incorrect, uninformed, and overly aggressive MU audits and who have requested assistance from the societies in dealing with the audits. On the Medicaid side, smaller practices (fewer than 10 providers) were significantly more likely to run into problems with auditors (Personal communication with Chip Hart [Physician Computer Company] and Susan Kresly [Office Parcticum], 2017). Many EPs, who initially failed the audits, were subsequently found to be eligible for payments. These reversals frequently come at great cost to the audited EP, who has to add extensive and difficult-to-obtain information to the already submitted attestation data, and suggest that the audit data from the Inspector General may be less than accurate since they only used attestation data and they did not engage the EPs, who would have corrected many of the audit errors.

In a manner similar to the Inspector General's report, auditors find EPs ineligible for MU for a variety of causes. A very common cause for failure is that auditors force EPs to rerun reports for various reasons (in one case a hole punch took a number from a report) generating results that do not match the attestation data. The reasons for many discrepancies are easy to identify. Some reports (based on Office's of the National Coordinator [ONC] instructions) were designed to run over the lifetime of the EHR. If the EP abandoned a particular measure (i.e., did not record extra nonclinically needed data required to correctly calculate the measure by the EHR) after the MU attestation period, any rerun will produce other or failing numbers. In addition, often reports that are rerun will produce different results even for the same period and measure due to late data entry. Because software changes over time, results of reports will vary as well. The changes may be made by vendors to improve their products or they may be made to comply with changing MU requirements. CMS mandated changes to reporting when updating from 2011 to 2014 certification requirements. At no point did CMS indicate that the old reports had to be kept for auditing purposes. When EHR vendors updated the reports, the rerunning of similarly named reports ex post facto will, by federal requirement, produce a different result. Many EPs are forced to obtain letters from their vendor which state: “as enhancements or ‘fixes’ of [the EHR] are released, certain functionality may change such that previous actions cannot be recreated. For example, after subsequent releases, it may not be possible to recreate initial audit metrics generated previous to those releases.” Nonetheless, auditors continue to fail EPs for discrepancies in the reports.

Another common way for EPs to fail audits is to perform a deficient security risk assessment (SRA). In many states like Georgia, EPs were not educated by regional extension centers (RECs) until 2013 on how to conduct or document an SRA. ONC did not provide overall comprehensive guidance for practices until 2014 and has continued to revise and expand the guidance every year since. Relying on publicly available information on how to perform an SRA, practices conducted SRAs to the best of their abilities only to learn later that their efforts were not sufficient based on the auditor's assessment. Many practices have had to spend resources (sometimes unsuccessfully) to work with their vendors from 2012 (who may no longer working with the EP) to obtain documentation that shows their SRA was adequate. One example is a Massachusetts practice which was ordered to produce port scanning logs from a firewall on a retired server from a period of 5 years prior to the audit (Heart C. Physician Computer Company, personal communication, 2017).

Audits are frequently conducted in an aggressive and sometimes even hostile manner. New information is requested frequently—often associated with very short deadlines like 1 to 3 days—which can make compliance impossible for small and solo physician practices (Meyers & Stauffer LC, e-mail to, November 2016). EPs devote significant efforts and take time away from clinical care to meet the very short deadlines. In fact, many audit failures resulted from missing an aggressive deadline for documentation submission. Documentation requests for some activities require that the EP obtain official documents from third parties, such as state agencies, which are notoriously slow, making it impossible for EPs to meet auditor deadlines. Demands from auditors vary greatly from state to state with great inconsistencies regarding what is required. There are no clear guidelines on how to perform the audits and little monitoring of auditors' behavior. Many times when EPs devote significant efforts away from clinical care to meet the very short deadlines, the auditor does not respond to the EP for weeks or months with a status update. Rather, after the weeks of silence, the EP would receive another email from the auditor demanding additional information or repayment within 2 weeks. For some EPs, this happened more than once without any defined end point (one solo practitioner was audited three times, passing each time after considerable effort).

One of the most extreme examples of demands by auditors was the request that an EP produce screenshots from 2012 to demonstrate functionalities of the software. These screenshots were not required for MU attestation (or stated that would be needed in the future for audit purposes). Since software changes and functionalities of EHRs have changed, these demands are impossible to comply with after the fact.

Unfortunately, when an audit fails for one EP of a practice, auditors immediately target the other EPs in that practice leading to a series of fails with substantial amounts of money being recovered putting offices in financial peril.

While many EPs across the country are being audited, some EPs are still waiting to be paid. Pediatricians and others eligible for MU through Medicaid in NY had not been able to submit their attestation to NY Medicaid for 2015 and 2016 until a few months ago. A broken Web site made it impossible for EPs, who relied on the government's promise to pay part of the cost of switching to EHRs, to collect on that promise. For a large volume, low-margin business like a pediatric office, not being able to rely on the promised incentive payments after implementing an EHR, could mean the difference between going bankrupt or staying in business.



In summary, MU audits like the Inspector General report have been poorly supervised, are conducted heavy handedly, and produce incorrect results due to inconsistent auditing methods. The problems with the audits show the imprecision of the Inspector General's report. We challenge the Inspector General to interview the EPs, who were labeled ineligible by his report and determine how many of “failed” audits must be corrected. This step should have been done before suggesting that a whole sector of the health care industry filed incorrect claims.

Occasionally, the professional organizations have been able to request that CMS intervene and educate the auditors, resulting in changing of decisions, but for the most part, auditors have been auditing their own behavior. To correct this situation, we recommend that the CMS establish a new office and process that deals with complaints and appeals to audits that go beyond the processes that are currently available. EPs should have an opportunity to make their case to an independent third party with oversight powers. In addition, documentation requirements should be adjusted so that EPs have latitude to present the documentation their systems are capable of producing at the time of the audit. Additionally those documentation requirements should be available BEFORE the start of the program not developed in the midst of the audit process (many times years later).

Looking forward, the proper way to address MU audit problems is for CMS to specify audit documentation requirements for each measure in the MU and the new Quality Payment Program (QPP) as established by the MACRA law, and to provide this information in the published regulations along with specifications of the measures themselves. CMS has a long history of supplying detailed audit documentation requirements for other programs such as the CMS MLN Fact Sheet: Complying with Medical Record Documentation Requirements.[5] This same level of guidance regarding the entire audit process should have been available to all EPs from the start of the MU program. If such guidance had been available, the OIG report would have come to a different conclusion and participating physicians would not have had to endure the damage to their reputations. We cannot have another devastating round of audits for the remaining auditable years of MU nor for future audits under the QPP.


Multiple Choice Question

What reasons are given by auditors to fail a provider's MU audit?

  • The attestation numbers do not match the numbers from report that had to be rerun

  • Providers conducted excessive SRAs

  • EHR updates have not been performed by practitioners

  • Other physicians in the practice are exempt from audits

Correct Answer: The correct answer is a, the attestation numbers do not match the numbers from report that had to be rerun. Auditors fail eligible providers for several reasons on MU audits. Requiring reports to be rerun and then fail the provider for numbers that do not match due to software updates or altered timelines is a frequent reason for failing. Lack of SRA is another. Lack of software updates is not a reason for failure. When a physician in a multiprovider practice fails the audit, auditors immediately target other providers in the practice. The eligibility status of EPs in a practice has no impact on other EPs in the practice.


Conflict of Interest


Protection of Human and Animal Subjects

The authors declare that human and/or animal subjects were not included in the project.


The views presented do not necessarily represent the official policy of the American Academy of Family Physicians, the American Academy of Pediatrics, or the American College of Physicians.

Address for correspondence

Christoph U. Lehmann, MD, FAAP, FACMI, MIAHSI
Vanderbilt University Medical Center
2525 West End Avenue, Suite 1475, Nashville, TN 37203
United States