EHR Audits


An Eligible Professional (EP), Eligible Hospital (EH) or Critical-Access Hospital (CAH) attesting to receive an incentive payment for either the Medicare or Medicaid Electronic Health Record (EHR) Incentive Program may be subject to an audit.

The Centers for Medicare and Medicaid Services (CMS) and its contractor, Figliozzi and Company, will perform audits on Medicare and dually eligible (Medicare and Medicaid) providers who are participating in the EHR Incentive Programs. States, and their contractors, will perform audits on Medicaid providers participating in the Medicaid EHR Incentive Program.

Prepayment and Post-Payment

In addition to the prepayment edit checks that have been built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting and payment, CMS began prepayment audits in 2013, starting with attestations submitted during and after January 2013. These prepayment audits are random and may target suspicious or anomalous data. Providers selected for prepayment audits have to present supporting documentation to validate submitted attestation data before CMS releases payment.

CMS through its contractor also conducts post-payment audits during the course of the EHR Incentive Programs. Providers selected for post-payment audits also are required to submit supporting documentation to validate their submitted attestation data.

Audit Process

EPs, EHs and CAHs should retain all relevant supporting documentation—in either paper or electronic format—used to complete the Attestation Module as follows:

  • Documentation to support attestation data for Meaningful Use objectives and Clinical Quality Measures should be retained for six years post attestation.
  • Documentation to support payment calculations (such as cost report data) should follow the current documentation retention processes.

Medicaid providers can contact their State Medicaid Agency for more information about audits for Medicaid EHR Incentive Program payments.

Audit Process Overview

Initial request letters are sent to providers selected for an audit.

  • The request letter is sent electronically by Figliozzi and Company from a CMS email address to the email address provided during registration for the EHR Incentive Program.
  • The letter includes contact information for Figliozzi and Company.
  • The initial review process is conducted using information provided in response to the request letter.
  • Additional information may be needed during or after the initial review process.

In some cases, an onsite review at the provider’s location may follow:

  • A demonstration of the EHR system may be required during the onsite review.
  • Figliozzi and Company uses a secure communication process to assist the provider in sending sensitive information.
  • Any questions pertaining to the information request should be directed to Figliozzi and Company.
  • If the provider is found to be ineligible for an EHR incentive payment, the payment is recouped.


Click here for additional guidance on creating necessary supporting documentation.