June 13, 2017. On June7, 2017, the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) released a Report of an audit of incentive payments to eligible providers (EPs) for adoption and meaningful use of certified electronic health record technology, entitled: Medicare Paid Hundreds of Millions in Electronic Health Record Incentive Payments That Did Not Comply With Federal Requirements. The Report describes how the audit was conducted:
“Our review covered EHR incentive payments totaling $6,093,924,710 that Medicare made to 250,470 EPs from May 2011 to June 2014 (audit period). We selected a simple random sample of 100 EPs who received 1 or more payments during the audit period and reviewed support for their attestation(s) to meaningful use measures. In addition, we reviewed all payments made to deceased EPs and to EPs who switched between Medicare and Medicaid programs to determine whether Medicare made inappropriate payments during our audit period.”
The Report also describes a summary of findings:
“CMS did not always make EHR incentive payments to EPs in accordance with Federal requirements. On the basis of our sample of 100 EPs, we identified 14 EPs with payments totaling $291,222 that did not meet the meaningful use requirements because of insufficient attestation support, inappropriate reported meaningful use periods, or insufficiently used certified EHR technology. On the basis of our sample results, we estimated that CMS inappropriately paid $729,424,395 in incentive payments to EPs who did not meet meaningful use requirements. … Furthermore, CMS conducted minimal documentation reviews of self-attestations, leaving the EHR program vulnerable to abuse and misuse of Federal funds.” [emphasis added]
Later in the Report, the focus is on insufficient attestation support, with the following results:
“Generally, to satisfy stage 1 meaningful use, Federal regulations require EPs to meet all core measures and to select 5 of 10 menu measures to satisfy. One core measure requires EPs to ‘[c]onduct or review a security risk analysis….’ Two menu measures that EPs can choose require EPs to ‘generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach,’ and ‘generate at least one report listing patients of the EP with a specific condition.’ Finally, to demonstrate meaningful use ‘[a]ll EPs … must keep documentation supporting their demonstration of meaningful use for 6 years.’
“Some EPs did not maintain or could not provide adequate support for their meaningful use attestation. Of the 100 EPs in our sample, 12 could not provide support for the measures to which they attested:
- Six (6) EPs could not provide a security risk assessment.
- Four (4) EPs could not provide support that they had generated at least one (1) report listing patients with a specific condition.
- Three (3) EPs could not provide required documentation in the form of patient encounter data for the measure to which they self-attested.
“The $253,622 in incentive payments to these EPs was inappropriate because the EPs did not maintain or could not provide the documentation to support their attestations to satisfy core menu measures for stage 1 meaningful use.”
With regard to the security risk assessment deficiency in the first bullet above, extrapolating from the sample to the population suggests just over 15,000 EP participants could not provide evidence of having conducted or reviewed and documented a security risk assessment as part of the Meaningful Use Incentive program.
Whether for compliance with the HIPAA Privacy and Security Rules, HITECH Act Breach Notification Rule, or Meaningful Use Security Measure, the HIPAA Integrity® Safeguard Compliance Tools are designed to facilitate self-assessment of a security risk assessment and documentation maintenance.