Well surprise, surprise, it did happen. I only attested once to stage 1 in 2012, and have been subjected to an audit. They can, and will, audit you up to 7 years after you attest. Despite the upcoming demise of MU, the Feds want their money back. You may get something like this in your email:
-------
You have been selected by CMS for a HITECH EHR Meaningful Use Audit for payment year 1. We are the CMS Contractor authorized to perform the audit.
Please confirm your receipt of this e-mail. Also, please confirm whether you will be the contact person for this audit. If you will be the contact person, please supply your preferred contact information for future correspondence. If you are not the contact person for this audit, please advise us who at your facility is the correct contact person and furnish their e-mail address.
I am the assigned auditor. The attached documentation addresses most of the questions you may have. Please consult it thoroughly before contacting me. If you still have questions that need to be addressed, I can be reached via email at xxxx@xxxxxxxxx.com.
Please see the attached documents and submit all requested information by xx/xx/xxxx. You may submit documentation by mail or by uploading via our secure file sharing utility. Please clearly identify the Eligible Professional's NPI on each document uploaded. Please click on the link labelled 'Click Here' at the bottom of this email to begin the upload process. I will be automatically notified when your upload has been completed. As such, there is no need to contact me for confirmation that I have received your documentation.
------
Well, it took me about 2 days of work to respond to this. I went back into my old files and could hardly remember what we had done. The papers required were scattered into various folders. I had to get letters from the state attesting that we did not have secure exchanges at the time, from the vaccine administration, and so on. If you have attested, I suggest you have everything ready for an audit, because it will probably happen. The biggest sticking point, from what I've been told, is that many practices did not get the Security Risk Analysis done. If you didn't do this, get ready to scrape back together 17,000 dollars, or whatever the payout was. Thankfully, the work paid off and I got this:
------
"We performed a review of your meaningful use attestation for the Program Year 2012 and Payment Year 1. Based on our review of the supporting documentation furnished by you, we have determined that you have met the meaningful use criteria."
Please also note that this audit does not preclude you from future, prior or subsequent year audits.
-------
That's okay, I don't intend to EVER get involved with you in such a program again!
