NC Medicaid Electronic Health Record (EHR) Incentive Program Announcements

Monday, January 13, 2020

NC-MIPS is Open for Program Year 2019

The NC Medicaid EHR Incentive Payment System (NC-MIPS) is only accepting Program Year 2019 Stage 3 Meaningful Use (MU) attestations. To participate in Program Year 2019, all eligible professionals (EPs) must meet the following eligibility criteria:

  1. Have a 2015 Edition of certified electronic health record (EHR) technology (CEHRT). 
  2. Meet the required Medicaid patient volume (PV) threshold of 30 percent, pediatricians may qualify for a reduced payment with 20 percent Medicaid PV. Note: EPs who were paid for Program Year 2018 using a 90-day patient volume reporting period from calendar year 2018 have the option to use the same patient volume reporting period to attest for Program Year 2019. 
  3. Meet MU and clinical quality measures (CQM) requirements. In Program Year 2019, EPs will be attesting to Stage 3 MU and 2019 CQMs.

EPs who successfully attested at least once by April 30, 2017, and have not received all six incentive payments may be eligible to apply for Program Year 2019. A list of all EPs who have participated at least once, but less than six years, in the NC Medicaid EHR Incentive Program is available under the “Are You Eligible” tab on the Program website. If a practice is unsure of an EP’s past participation and that EP is not on the list, please email the EP’s National Provider Identifier (NPI) to and program staff will determine if the provider previously attested in another state.

Attestations submitted after Feb. 28, 2020, are not guaranteed to be reviewed by program staff prior to close of Program Year 2019. Providers have until April 30, 2020, to submit a complete and accurate attestation for Program Year 2019. After that no changes can be made. 

EPs can get free on-site assistance in their office from a coach from their regional area health education center (AHEC). The NC Medicaid EHR Incentive Program contracts with AHEC to provide technical assistance on meaningful use and the attestation process, so there is no cost to the EP or practice. 

Attestation assistance is also available through detailed attestation guides, an extensive library of answers to Frequently Asked Questions (FAQs), a series of short webinars explaining different aspects of the attestation process, and a dedicated help desk. Help desk hours are 8 a.m. to 4 p.m., Monday through Friday.

The Security Risk Analysis (SRA)

States must comply with federal requirements to ensure EPs who attest for EHR incentive payments do so in accordance with the Centers for Medicare and Medicaid Services’ (CMS) rules and regulations. The NC Medicaid EHR Incentive Program Investigation Team serves the purpose of detecting improper payments and takes corrective action in the case improper payments were issued. All EPs who receive an EHR incentive payment are subject to audit and must keep all documentation supporting their attestation for six years post-payment.  

NC Medicaid EHR Incentive Program Investigators are sharing tips from CMS to prepare for Objective 1: Protect Patient Health Information. Per CMS, to meet this objective, “EPs must attest YES to conducting or reviewing a security risk analysis (SRA) and implementing security updates as necessary and correcting identified security deficiencies to meet this measure.” 

Every EP must include, at minimum, the following five items in her/his SRA. These items must be completed during the calendar year of her/his MU reporting period: 

  1. Define the scope of the risk analysis.
  2. Identify potential threats and vulnerabilities to patient privacy.
  3. Describe how to protect against potential threats (physical, administrative and technical safeguards).
  4. Review and update the risk analysis on a periodic basis.
  5. Develop a corrective action plan.

EPs selected for audit who cannot provide documentation that their SRA included the above five items will fail the audit and will be required to return the incentive payment received for that program year. 

Please note, SRAs are not synonymous to a practice’s operating procedures or policies. The SRA is an independent security review and analysis of an individual or practice’s EHR. 

The U.S. Department of Health and Human Services (HHS) has developed an SRA Toolkit which provides suggestions for implementing an effective means for safeguarding electronic protected health information and further guidance to be in compliance with the risk analysis requirements:

HHS’ Office for Civil Rights (OCR) and the Office of the National Coordinator (ONC) created an SRA tool, which when completed, satisfies the objective’s requirements. Program investigators recommend EPs review HHS’ guidance, and/or complete the SRA tool, prior to attesting to ensure compliance. 

For more information about the SRA, view the four-minute webinar or email

Reminder from CMS Regarding Objective 6 and Objective 7

The Program Year 2019 Medicaid EP Specification Sheets were updated July 31, 2019, to clarify the requirements for meeting objectives 6 and 7. The language now reads, “An EP must attest to all three measures and meet the threshold for two measures for this objective. If the EP meets the criteria for exclusion from two measures, they must meet the threshold for the one remaining measure. If they meet the criteria for exclusion from all three measures, they may be excluded from meeting this objective.”

Clarification from CMS Regarding Objective 5 Measure 1: Patient Electronic Access

The Centers for Medicare and Medicaid Services (CMS) has recently provided clarification outside of the specification sheet for their intent of Stage 3 Meaningful Use’s Objective 5, Measure 1. For more information on the eight Stage 3 MU objectives, please see CMS’ specification sheets. In an email sent to states on Oct. 29, 2019, CMS specified the purpose of Objective 5, Measure 1 is to ensure that eligible professionals (EP) make a patient’s health data available and offer all four functionalities (view, download, transmit and access through API) within 48 hours of the information being available to the EP.
Objective 5, Measure 1 reads:
“For more than 80 percent of all unique patients seen by the EP:

  1. The patient (or the patient-authorized representative) is provided timely access to view online, download, and transmit his or her health information; and
  2. The provider ensures the patient’s health information is available for the patient (or patient-authorized representative) to access using any application of their choice that is configured to

meet the technical specifications of the Application Programming Interface (API) in the provider’s certified electronic health record technology (CEHRT).”

CMS is giving EPs flexibility on meeting the second part of Measure 1 for Program Year 2019 only.  EPs may meet the second part of Measure 1 if they meet all of the following requirements: 

  • Enable an API during the calendar year of the reporting period;
  • Make data available via that API for 80 percent of the patients seen during their reporting period; 
  • Provide those patients with detailed instructions on how to authenticate their access through the API and provide the patient with supplemental information on available applications that leverage the API; and
  • Maintain availability of the API; i.e., it can’t be turned on for one day and then disabled.

EPs should maintain all documentation for at least six years in case of post-payment audit.

General Reminders

EPs who attested with another state should email prior to attesting with North Carolina for Program Year 2019.

GDIT, (800) 688-6696