HITECH Act Payment Scrutiny Under WayWatchdog Agency Will Also Review Security Measures
Making good on a promise to beef up scrutiny of the HITECH Act financial incentive program for electronic health records, a federal watchdog agency says a recent audit found that the Massachusetts Medicaid program overpaid 13 hospitals a total of nearly $2.7 million.
The review by the Department of Health and Human Services' Office of Inspector General of the Massachusetts Medicaid program follows a similar report OIG released about Louisiana's Medicaid agency in August.
OIG doesn't allege that Massachusetts or Louisiana made incorrect payments due to fraud, but rather mostly because of various miscalculations. Nevertheless, OIG plans to expand its scrutiny over HITECH payments in other state Medicaid programs.
"OIG is currently reviewing HITECH EHR payments in a variety of states," an OIG spokeswoman tells Information Security Media Group.
In addition to scrutinizing Medicaid payments to providers receiving HITECH incentives, OIG also says it will review Medicare HITECH incentive payments to eligible healthcare professionals and hospitals. Plus, it will review the Centers for Medicare & Medicaid Services' safeguards to prevent erroneous incentive payments.
"We will also assess CMS's plans to oversee incentive payments for the duration of the program and corrective actions taken regarding erroneous incentive payments," the OIG work plan says.
Focus on Security
In addition, OIG said in its recently issued 2015 work plan that it will also examine the information security of covered entities receiving HITECH payments, as well as those healthcare providers' vendors (see Medical Devices Security: More Scrutiny).
"We will perform audits of various covered entities receiving EHR incentive payments from the Centers of Medicare and Medicaid Services and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology," says the OIG work plan.
"A core meaningful use objective for eligible providers and hospitals is to protect electronic health information created or maintained by certified EHR technology by implementing appropriate technical capabilities," the OIG work plan notes. In fact, a requirement for healthcare providers participating in the HITECH Act meaningful use program is to attest to conducting a HIPAA security risk assessment.
"Furthermore, business associates that transmit, process, and store EHRs for Medicare and Medicaid providers are playing a larger role in the protection of electronic health information," notes the OIG work plan. "Therefore, audits of cloud service providers and other downstream service providers are necessary to ensure compliance with regulatory requirements and contractual agreements."
In its new report, OIG says it recently conducted a review to determine whether the Massachusetts Medicaid agency made EHR incentive program payments to eligible hospitals "in accordance with federal and state requirements."
The OIG review of 25 hospitals found that the Massachusetts state Medicaid agency overpaid 13 hospitals a total of nearly $2.7 million and underpaid 6 hospitals a total of $564,000, for a net overpayment of $2.1 million.
In its earlier evaluation of Medicaid payments to some of Louisiana's hospitals, OIG found Louisiana's Medicaid agency overpaid 13 hospitals a total of $3.1 million and underpaid six hospitals a total of $1.3 million, for a net overpayment of $1.8 million.
The financial incentives paid by state Medicaid agencies to hospitals participating in the EHR "meaningful use" program is funded by the federal government through the HITECH Act. OIG has recommended that the Medicaid agencies in both Massachusetts and Louisiana repay the federal government the incorrect HITECH payments made in error to hospitals.
OIG notes in its Massachusetts report that another government watchdog agency, the Government Accountability Office, "has identified improper incentive payments as the primary risk to the EHR incentive programs." The HITECH Act programs "may be at greater risk of improper payments than other programs because they are new and have complex requirements," OIG says. "Additionally, oversight obstacles faced by units of the HHS, including the Centers for Medicare and Medicaid Services, which oversees HITECH payments to healthcare providers, "leave the programs vulnerable to paying incentive payments to providers that do not fully meet requirements," notes the OIG report.
OIG made several recommendations to the Massachusetts Medicaid program, including adjusting the 19 hospitals' remaining incentive payments to account for the incorrect calculations.
OIG also recommended the Massachusetts Medicaid agency review the calculations for the hospitals not included in the 25 facilities OIG reviewed to determine whether payment adjustments are needed, review supporting documentation for the numbers provided in the cost reports, and refund any overpayments identified.
OIG made similar recommendations to Louisiana in August.
To address the various OIG recommendations, the Massachusetts agency in its comments says it has begun recalculating the payments and will refund to CMS any overpayments made to these hospitals. "The state agency also agreed with our recommendation to modify the hospital calculation worksheet and has already implemented this corrective action," OIG notes.
The intensified government scrutiny of healthcare providers receiving HITECH payments, especially when it comes to safeguarding patient information, is needed, some security experts say.
"I believe HHS will need to step up audits of EHR meaningful use attestations because I continue to find organizations falling short on even the basics to adequately meet these requirements," says Brian Evans, senior managing consultant IBM Security Services. "Conducting a risk analysis continues to be a challenge for many healthcare providers. But there are eight other security requirements for MU Stage 1 that organizations fall short on as well," he says.
"I have worked with organizations who incorrectly assumed they automatically met the meaningful use security requirements because their EHR was 'certified,'" he says.
"Conducting a risk analysis continues to be a challenge for many organizations," he says. "The weakest areas of HIPAA compliance that I still find for both covered entities and BAs are a lack of adequate or up-to-date policy, procedure and plan documentation."
In addition to being more closely scrutinized by OIG for their HITECH attestations, healthcare providers as well as BAs also face the possibility of being audited by HHS' Office for Civil Rights next year for their HIPAA compliance.
"I believe the OCR audits serve as an additional incentive for CEs and BAs to protect patient information more effectively," Evans says.