Report: HHS Faces Fraud, Security ChallengesOIG Outlines Agency's Top Management Issues
Combating fraud and maintaining the privacy and security of health information are among the most significant management challenges facing the Department of Health and Human Services, its watchdog agency says.
Top challenges for HHS in the year ahead, according to a new annual report from the HHS Office of Inspector General include preventing Medicare, Medicaid and electronic health records-related fraud and avoiding making improper payments to healthcare providers who fail to qualify for the "meaningful use" requirements under the HITECH Act EHR financial incentive program.
"Curbing fraud is vital to conserving scarce healthcare resources and protecting beneficiaries," says the OIG report, 2014 Top Management & Performance Challenges. "Fraud schemes shift over time, but Medicare services have been consistent targets. For example, OIG investigations continue to uncover fraud schemes and questionable billing patterns by durable medical equipment suppliers, home health agencies, community mental health centers, clinical laboratories, ambulance transportation suppliers and outpatient therapy providers."
The fraud-busting activities of HHS and law enforcement agencies "have demonstrated success in investigating and prosecuting fraud and shutting down criminal networks," the report notes. But OIG says further actions are needed to protect waste and fraud. For example, it suggests that the Centers for Medicare and Medicaid Services implement more safeguards to prevent fraudulent or improper payments to healthcare providers.
"CMS has already begun leveraging predictive modeling technology to identify fraudulent Medicare claims," says Brian Evans, senior managing consultant at IBM Security Services. "Health entities should explore the feasibility of employing something similar in support of their information security programs. These technologies incorporate predictive models and other analytics, identify potential problems and create alerts for further investigation," he says.
In addition, OIG says more work is needed to safeguard EHRs from being used for fraud. "Some of the beneficial characteristics of EHRs, including efficiency and ease of storage and access, may also make them tools for fraud," OIG notes. "OIG work in examining fraud safeguards in EHRs found that protections designed to improve validity, accuracy, and integrity in EHRs were not being used to their full extent."
OIG notes that only about 25 percent of hospitals have policies regarding use of the copy-paste function, "a feature that could be used inappropriately to add documentation to a patient's record to support a fraudulent bill for services that were never provided." Deleting or disabling audit logs could make it harder to prevent and detect fraud, OIG adds. "Furthermore, CMS and its program integrity contractors have done little to update their practices to address EHR vulnerabilities."
The report notes that CMS has audited Medicare providers who received EHR incentive payments "to gauge the accuracy of, among other things, attestations that risk analyses designed to protect electronic health information were conducted. ... If the department continues to take steps to ensure that meaningful use requirements include necessary safeguards, these audits will be a helpful oversight and enforcement tool. "
When it comes to potential fraud related to the HITECH Act, OIG found that CMS and states "lacked adequate data to verify participants' self-reported attestations about their eligibility and meaningful use of EHRs," the report notes.
To receive HITECH incentive payments from Medicare and Medicaid, hospitals and physicians must attest to meeting all of the meaningful use program's requirements. The Office of the Office of the National Coordinator for Health IT, which oversees policies and standards of the HITECH Act EHR program, "requires EHRs to generate audit reports for some, but not all, meaningful use measures; this requirement may create some oversight obstacles for CMS to verify payment during post-payment audits," OIG says.
Another document recently released by OIG - its work plan for 2015 - also indicated that the watchdog agency would be stepping up HITECH Act oversight activities, including those related to health records security (see Medical Device Security: More Scrutiny).
"We will perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology," notes the OIG work plan.
"Given the magnitude of the investment in EHRs and other health IT programs, it will become increasingly important to demonstrate and measure the extent to which EHRs and health IT have actually achieved the department's goals, which include improved health care and lower costs," says OIG's new HHS challenges report. "Ongoing OIG work is examining the accuracy of Medicare and Medicaid EHR incentive payments for the first stage of meaningful use and attempting to determine whether Medicaid safeguards prevent improper payments," the report states. "Future work may examine health IT interoperability across providers, across HHS, and between providers and patients, as well as examine outcomes from health IT investments."
Evans, the consultant, says more audits are needed to help draw attention to some important tasks that healthcare providers still neglect. "I believe HHS will need to step up audits of EHR meaningful use attestations because I continue to find organizations falling short on even the basics to adequately meet these requirements," he says. "Conducting a risk analysis continues to be a challenge for many healthcare providers. But there are eight other security requirements for meaningful use stage 1 that organizations fall short on as well."
Secure Data Exchange
Working toward ensuring the interoperability of EHRs, as well as secure health information exchange, are among the top challenges HHS faces, the OIG says.
"Health information is still not commonly exchanged between groups of healthcare providers that use different EHR products," the report notes. "A lack of data exchange and incompatibility across systems presents challenges to achieving the benefits promised by EHRs and other health IT and could undermine the goals of some reform initiatives."
While tackling issues related to interoperability, the protection of patient data is critical, the OIG stresses. "Safeguarding privacy and data security is, and should remain, a top priority in health IT adoption and health data exchange, storage, and use efforts," OIG says.