Getting a hospital to the point where it appears to have qualified for Medicare bonus payments tied to the meaningful use of electronic health records can be difficult enough.

Now, some hospital executives have learned that it can be just as difficult to prove to federal auditors that their institution met those qualifications.

Smaller hospitals with less-sophisticated EHR systems, in particular, are having problems coming up with all of the information requested by Figliozzi and Co., the Centers for Medicare & Medicaid Services' contracted meaningful use auditor, experts say. Moreover, some hospitals and health systems of all sizes are questioning the relevance and clarity of certain information requests from Figliozzi.

"My understanding is that the audits continue to be pretty challenging and burdensome," says Chantal Worzala, director of policy at the American Hospital Association. "The challenge is that the auditors have not been very clear about what they need."

The audits began in July 2012 with post-payment information requests, but in February the program expanded to audit providers even before they receive an EHR bonus payment. The Medicare audits — Medicaid audits are managed by the states — are scheduled to hit 5 to 10 percent of providers that are chosen randomly or based on "protocols that identify suspicious or anomalous attestation data," according to CMS.

CMS officials won't say much more about what would trigger an audit, which is one of the complaints hospital executives have about the program. "People don't want to be tripped up," and would appreciate some guidance, Worzala says. CMS, however, would like to keep the audits "robust" by limiting knowledge of what triggers them.

Once an audit has begun, some hospitals are struggling to provide the requested information in the two- to three-week time frame demanded. "The requests from the contractor are more detailed than hospitals expected," says Kathrin Kudner, member of the law firm Dykema.

Hospitals unable to create an electronic snapshot of their EHR capabilities and use as of the date of attestation must provide the information in hard-copy form. "CMS has taken the position of, 'If you can't document it, it didn't happen,' " says Michael Dowell, health care law partner for Hinshaw & Culbertson LLP.

Another audit requirement that trips up some hospitals: the need to provide a security risk analysis of the EHR system. "A lot of hospitals have not done it annually," Dowell says, but it's something CMS has placed a lot of importance on.

Dowell believes the vast majority of audits have gone cleanly. "The problem is that providers who have a problem have a big problem," he says. It's an all-or-nothing program; a provider could lose all of its EHR bonus payment and be subject to legal action for fraud. "I think we're going to see some substantial fines and penalties in the near future," Dowell says."But as long as you tried to do your best, I don't think they're going to ding you."