Program Year 2021 is Closed
The NC Medicaid Electronic Health Record (EHR) Incentive Program is no longer accepting Program Year 2021 attestations.
Program Year 2021 attestations are being processed in the order they were received. Attestations received in Oct. may take up to eight weeks to be processed from the date the signed attestation was received.
Eligible professionals (EP) may check the status of their attestation on the Status Page on the NC Medicaid EHR Incentive Payment System (NC-MIPS).
While EPs are subject to audit for at least six years post-payment, Program Year 2021 marks the end of the NC Medicaid EHR Incentive Program.
The NC Medicaid EHR Incentive Program staff would like to thank all the Medicaid providers that participated throughout the years. It was our pleasure to work with the NC Medicaid provider community and to assist in incentivizing providers to adopt and meaningfully use EHRs within their practice.
The Security Risk Analysis (SRA)
SRAs must be completed by Dec. 31, 2021. EPs that submitted their attestation in NC-MIPS before completing their SRA are still responsible for submitting the 2021 SRA regardless of whether it was completed by, or after, the date of attestation in NC-MIPS.
States must comply with federal requirements to ensure EPs who attest for EHR incentive payments do so in accordance with the CMS rules and regulations. The NC Medicaid EHR Incentive Program investigation team serves the purpose of detecting improper payments and takes corrective action in the case improper payments were issued. All EPs who receive an EHR incentive payment are subject to audit and must keep all documentation supporting their attestation for six years post-payment.
NC Medicaid EHR Incentive Program investigators are sharing tips from CMS to prepare for Objective 1: Protect Patient Health Information.
Every EP must include, at minimum, the following five items in her/his SRA. These items must be completed during the calendar year of her/his MU reporting period:
- Define the scope of the risk analysis.
- Identify potential threats and vulnerabilities to patient privacy.
- Describe how to protect against potential threats (physical, administrative and technical safeguards).
- Review and update the risk analysis on a periodic basis.
- Develop a corrective action plan.
EPs selected for audit who cannot provide documentation that their SRA included the above five items will fail the audit and will be required to return the incentive payment received for that program year.
Please note, SRAs are not synonymous to a practice’s operating procedures or policies. The SRA is an independent security review and analysis of an individual or practice’s EHR.
HHS’ Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) created an SRA tool, which when completed, satisfies the objective’s requirements. Program investigators recommend EPs review HHS’ guidance and/or complete the SRA tool prior to attesting to ensure compliance.
ONC updated the SRA tool to Version 3.2 on Sept. 17, 2020. This version includes the following enhanced features: flexible section navigation, improved user interface scaling, risk report export, addition of “Details” field to each question, preventative measures for file corruption/file recovery system and “Save as” functionality. The updated features do not change the content of the SRA.
Contact
NCTracks Call Center: 800-688-6696