Post-Payment Audit Guidance

DRAFT AUDIT REPORT

A Draft Audit Report will be issued if a provider is determined to be in non-compliance with one or more program requirements. The Draft Audit Report will reiterate the objective and scope of the audit, and identify the program requirements that were determined to be in non-compliance. The report will include the regulatory citations related to all program requirements not met. Possible findings for AIU audits include: failing to meet the required patient volume threshold, or not having a certified EHR system during the payment year attested to. Requirements for MU audits are more extensive due to the number of Core and Menu objectives needed for each payment and, thus, there's a greater number of potential audit findings. Possible findings for MU audits include: not completing a Security Risk Assessment, or failing to meet the required threshold for a Core objective.

The Draft Audit Report will identify the overpayment amount. Typically, the overpayment is the full amount of the incentive payment received by the provider. There are instances where a partial amount has been overpaid; this would only apply to pediatricians who attested to meeting the 30% Medicaid patient volume threshold but they can only support meeting the 20% threshold.

Providers have 35 days from the date of the Draft Audit Report to submit a response. If a response is not received within 35 days, a Final Audit Report will be issued with no changes to the audit findings. If there is a provider response, the auditor will review the response and adjust the audit findings as appropriate before issuing a Final Audit Report.

When a Draft Audit Report is issued, providers should consider the questions below if he or she is having difficulty obtaining documentation:

  • Is it possible the provider used another certified EHR system during the payment year under audit?
  • Did the provider submit all documented attempts made with the vendor to obtain a certified EHR system?
  • Did the provider work with an agency to attest? If yes, did the provider reach out to them for documentation?
  • Did the provider work for a group during the payment year under audit that may have had a certified EHR system?
  • Did the provider contact his or her EHR vendor to allow the OMIG auditor to contact them in regards to the provider's account?
  • Does the provider understand the findings listed in the Draft Audit Report? If no, has provider asked the auditor for clarification?