Some EHR Incentive Payment Recipients Lacked Risk Assessments
Audit Finds Millions Paid Inappropriately Due to Lack of Evidence
A watchdog agency's estimate that as much as $729 million worth of HITECH Act incentive payments might have been paid to healthcare professionals who failed to provide proof that they were meeting the program's requirements for meaningful use of electronic health records is raising questions about the accountability of the program. Among the requirements apparently not met by some who received benefits was providing proof that they conducted a security risk assessment of the EHR systems.
Mac McMillan, president of the security consulting firm CynergisTek, questions why the Department of Health and Human Services' Office of Inspector General failed to make recommendations in its report "for disciplining the officials that made incentive payments with proper documentation to support them. They are suggesting that over $700 million of your tax dollars went to pay incentives that should not have been paid. Where is the accountability for oversight of the incentive payment program?"
An OIG review of a random sample of 100 eligible healthcare professionals, including physicians, who received HITECH Act incentive payments from May 2011 to June 2014 found that 12 "did not maintain or could not provide adequate support for their meaningful use attestation."
In addition, OIG reviewed all payments made to deceased EPs and to EPs who switched between Medicare and Medicaid programs to determine whether Medicare made inappropriate payments.
"We identified 14 EPs with payments totaling $291,222 that did not meet the meaningful use requirements because of insufficient attestation support, inappropriately reported meaningful use periods or insufficiently used certified EHR technology," OIG writes. "On the basis of our sample results, we estimated that CMS inappropriately paid $729 million in incentive payments to EPs who did not meet meaningful use requirements."
OIG says these payment errors occurred "because sampled EPs did not maintain support for their attestations. Furthermore, CMS conducted minimal documentation reviews of self-attestations, leaving the EHR program vulnerable to abuse and misuse of federal funds."
In addition, OIG says in the report released on June 12: "CMS also made EHR incentive payments that were not in accordance with the program-year payment requirements when EPs switched between Medicare and Medicaid incentive programs." Specifically, OIG says it identified 471 EHR incentive payments totaling $2.34 million that CMS made to EPs for the wrong payment year. "These errors occurred because CMS did not have edits in place to ensure that EPs who switched from one program to the other were placed in the correct payment year upon switching."
Security Risk Assessments
Under the HITECH Act meaningful use incentive program, conducting a security risk assessment of protected health information "created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities" is a core requirement.
In addition to meeting all 15 core measures, including conducting a security risk assessment, HITECH regulations require eligible providers to select five of 10 "menu" measures to satisfy, including generating a report with a list of all patients of the eligible provider who have a specific condition.
Of the 100 eligible professionals in the OIG sample, 12 could not provide support for meeting the HITECH Act "meaningful use" measures to which they attested. That included six EPs that could not provide a security risk assessment.
OIG reviewed a sampling of EHR incentive payments totaling nearly $6.1 billion that Medicare made to a total of 250,470 eligible clinicians during the May 2011 to June 2014 audit period. The report did not review incentives paid to hospitals or those paid to eligible clinicians participating in Medicaid. In total, CMS has paid more than $35 billion in HITECH Act incentives so far.
In the report, OIG makes a number of recommendations to the Centers for Medicare and Medicaid Services, which administers the incentive program, including that it:
- Review a random sample of eligible professionals' documentation supporting their self-attestations to identify inappropriate incentive payments that may have been made after the audit period;
- Educate EPs on proper documentation requirements;
- Recover $291,222 in payments made to the sampled EPs who did not meet meaningful use requirements;
- Review EP incentive payments to determine which EPs did not meet meaningful use measures for each applicable program year to attempt recovery of the $729 million in estimated inappropriate incentive payments overall.
OIG notes in the report that CMS concurred or partially concurred with the watchdog agency's recommendations.
An OIG spokesman tells Information Security Media Group that the six EPs that did not meet the meaningful use requirement for security risk assessment "may have conducted the assessments, but they did not provide the documentation that we rely on for proof. They self-attested. We speculate that statistically there are other [healthcare providers] out there in the same situation; that these six professionals aren't the only ones out there" that would fall short in providing documentation for proving they conducted a security risk assessment if pressed.
CMS did not immediately respond to ISMG's request for comment.
OIG's finding that some clinicians could not provide documentation backing up their attestations to having conducted security risk assessments strikes a familiar chord. During health data breach investigations and random HIPAA compliance audits, HHS' Office of Civil Rights has often found that healthcare entities lack timely, comprehensive security risk assessments.
"The OIG conclusions on security risk assessment aren't really that surprising," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
"We know that many healthcare providers are not doing a good job on security risk assessments. This doesn't mean that they aren't trying, but it means that this is very challenging and is somewhat 'out of the skill set' of many healthcare providers, at least in terms of what the government is looking for."
Although OIG found that 6 percent of eligible professionals in its review sample were unable to support their attestations of conducting a security risk assessment, Keith Fricke, principal consultant at tw-Security, says the actual share of healthcare providers with weak security risk assessment practices is likely higher.
"It is probably a safe bet to say that more than 6 percent do a poor job of conducting or documenting security risk assessments, but I don't know how much higher the metric is," he says. "Some organizations don't fully understand what a risk assessment involves. Others may conduct a risk assessment and document the findings but take no action on addressing findings. I often see documentation that states it is a risk assessment, when in fact, it is really a HIPAA gap analysis. Those are two very different things."
Because many organizations do not perform risk assessments frequently, Fricke says, "they may not become efficient at it and choose to postpone getting them done. Also, the scope of risk assessments can be large and therefore daunting."
While the meaningful use core requirement only calls for security risk assessments related to EHR data, Fricke says, "nowadays, healthcare organizations should be conducting risk assessments on their PHI systems, their biomedical devices and on their business associates - a lot to do, often with scarce resources available."