Post-Payment Audit Guidance


The Security Risk Analysis (SRA) of the certified EHR system should be performed no earlier than the start of the reporting year and no later than the date of attestation. It is to be noted that this is a mandatory measure for which an exclusion cannot be claimed. It is recommended that providers consult with an IT professional to ensure HIPAA protection and preventive measures are taken to safeguard all devices associated with the certified EHR system from any potential threats.

The analysis must be in accordance with the requirements under 45 CFR 164.308(a) (1), including addressing the encryption and security of data stored in the EHR in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3). The testing can occur prior to the beginning of the EHR reporting period. However, a new review would have to occur for each subsequent EHR reporting period. Documentation submitted for a post-payment audit should also show that the provider conducted security updates as needed and corrected identified security deficiencies. Additional information is listed in the below tip sheet from CMS.