Why does Internal Audit exist, if not for this issue?
Meaningful Use is almost always under the primary control of a coordinator in the IT department. This MU Coordinator studies the regulations, configures the EHR, and decides when it is time to attest.
At attestation time the MU Coordinator sits down beside a financial person authorized to update the institution's (or EP's) Medicare data on the CMS site, to complete the attestation. This is a good point to ask yourself whether your IT department, or your financial department is in the best position to make an informed, critical decision on the reliability of your documentation to stand up to a critical auditor.
We assert that a "best practice" at this point is to engage your Internal Audit team to study the regulations and review what documentation exists. They are trained in th same processes and standards of professional skepticism, audit proof, and independence as are the Figliozzi team contracted by CMS. The attestation statement points out that the provider is responsible for completeness and accuracy of the attestation data. While an IT person would assume summary reports are correct, an (internal or external) auditor is likely to demand proof.
If you don't have internal audit, bring in an outsider. Our firm regularly conducts Meaningful Use Mock audits in a day or less, so neither cost nor timeline should not be an obstacle.
Our next topic is one that has been around since years before Meaningful Use, but until Meaningful Use has had no enforcement arm. It is probably the easiest of all measures to misunderstand, so be sure to watch out for it!