Program Year 2021 is the last year eligible professionals (EP) may participate in the NC Medicaid Electronic Health Record (EHR) Incentive Program.
The North Carolina Medicaid Incentive Payment System (NC-MIPS) is now accepting Program Year 2021 attestations. Unlike in past program years, all Program Year 2021 attestations must be submitted through NC-MIPS by Oct. 31, 2021. EPs should plan to attest for Program Year 2021 as soon as possible to ensure timely processing and payment. No Program Year 2021 attestations will be accepted after Oct. 31, 2021.
To be eligible to apply for an NC Medicaid EHR incentive payment, an EP must:
- Have a certified EHR technology (CEHRT).
  - All EPs must have a 2015 Edition of certified EHR technology.
  - Please see ONC’s Certified Health IT Product List (CHPL) to check whether the product meets certification criteria. EPs should work with their EHR vendor if they are unsure of what version of EHR they have in their practice.
  - This two-minute video shows step-by-step instructions on how to pull the CEHRT ID number from CHPL and update that number on CMS' Registration and Attestation (R&A) System: An Overview of CMS EHR Certification ID Numbers.
- Meet the required Medicaid patient volume threshold.
  - All EPs must have at least 30% Medicaid-enrolled encounters in a consecutive 90-day period to receive the full payment of $8,500.
  - Pediatricians may qualify for a reduced payment of $5,667 if they have 20% Medicaid-enrolled encounters.
- Meet meaningful use (MU) and clinical quality measures (CQM) requirements. EPs will be attesting to 2021 Stage 3 MU and CQMs. All EPs must use a 90-day MU and CQM reporting period. The Stage 3 MU objectives and measures are unaltered from Program Year 2020. The CQMs have been slightly modified for Program Year 2021.
- Have participated successfully at least once in program years 2011-2016. Providers who successfully attested at least once by the end of Program Year 2016 and have not received all six incentive payments may be eligible to apply for Program Year 2021. Please visit the program website’s “Are You Eligible” tab for a list of all providers who have participated at least once but fewer than six years in the NC Medicaid EHR Incentive Program.
  - EPs must have successfully attested at least once to Adopt/Implement/Upgrade (AIU) or MU by Program Year 2016 to be able to participate in the NC Medicaid EHR Incentive Program in Program Year 2021. A denied attestation does not count as a successful attestation.
  - If an EP meets all the requirements listed above, but is unsure if s/he successfully attested prior to the end of Program Year 2016, please send an email with the EP’s NPI to NCMedicaid.HIT@dhhs.nc.gov, and we will look it up for you.
- Be an eligible provider type. These provider types include:
  - Physicians
  - Nurse practitioners
  - Certified nurse midwives
  - Dentists
  - Physician assistants (PAs) who furnish services in a Federally Qualified Health Center (FQHC) or Rural Health Center (RHC) that is led by a PA.
The Security Risk Analysis (SRA)
SRAs must be completed by Dec. 31, 2021. Because NC-MIPS must close by Oct. 31, 2021, NC-MIPS has been updated to allow EPs to submit a Program Year 2021 attestation before having completed the SRA. EPs that submit in NC-MIPS before completing their SRA must attest that they will complete the SRA prior to Dec. 31, 2021. If selected for post-payment audit, EPs will be responsible for submitting the 2021 SRA regardless of whether it was completed by, or after, the date of attestation in NC-MIPS.
States must comply with federal requirements to ensure EPs who attest for EHR incentive payments do so in accordance with the CMS rules and regulations. The NC Medicaid EHR Incentive Program investigation team detects improper payments and takes corrective action when improper payments were issued. All EPs who receive an EHR incentive payment are subject to audit and must keep all documentation supporting their attestation for six years post-payment.
NC Medicaid EHR Incentive Program investigators are sharing tips from CMS to prepare for Objective 1: Protect Patient Health Information.
Every EP must include, at minimum, the following five items in her/his SRA. These items must be completed during the calendar year of her/his MU reporting period:
- Define the scope of the risk analysis.
- Identify potential threats and vulnerabilities to patient privacy.
- Describe how to protect against potential threats (physical, administrative and technical safeguards).
- Review and update the risk analysis on a periodic basis.
- Develop a corrective action plan.
EPs selected for audit who cannot provide documentation that their SRA included the above five items will fail the audit and will be required to return the incentive payment received for that program year.
Please note, SRAs are not synonymous with a practice’s operating procedures or policies. The SRA is an independent security review and analysis of an individual’s or practice’s EHR.
HHS’ Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) created an SRA tool, which, when completed, satisfies the objective’s requirements. Program investigators recommend EPs review HHS’ guidance and/or complete the SRA tool prior to attesting to ensure compliance.
ONC updated the SRA tool to Version 3.2 on Sept. 17, 2020. This version includes the following enhanced features: flexible section navigation, improved user interface scaling, risk report export, addition of “Details” field to each question, preventative measures for file corruption/file recovery system and “Save as” functionality. The updated features do not change the content of the SRA.