It appears that hospitals and physicians will have to give back their entire meaningful use incentive payment if CMS auditors find any errors. That means their payments for the audit period are at risk unless their electronic health records show they kept every promise they made to the government when they accepted the money, experts say.
“There is kind of like a zero-tolerance policy,” says Austin, Tex., attorney Brian Flood, with Husch Blackwell. Usually after an audit, he notes, providers refund money for the mistakes they actually made. With meaningful use audits, “if you fail to document your security risk assessment but otherwise operated with a certified EHR system and documented everything else properly, they want all the money back.” That kind of all-or-nothing approach is tempting providers to forgo incentive payments, Flood says. “Some of my clients are withdrawing from the EHR meaningful use program,” he says.
However, CMS evidently won’t penalize providers for typos and other trivial errors in their documentation.
Incentives for meaningful use of EHRs are a creature of the HITECH Act in the 2009 stimulus law. Hospitals and physicians started receiving Medicare or Medicaid bonuses for using certified EHR technology in 2011 and will get around $20 billion over five years. The meaningful use incentive program requires hospitals and eligible professionals (e.g., physicians) to use EHRs to improve patient safety, quality of care and patient-provider communication. Providers must buy EHRs from vendors on the Certified Health IT Product List. If they don’t, they face a Medicare payment reduction after 2015.
Meaningful Use Funds Are at Risk
When providers accept incentives, they pledge — in signed attestations — to accomplish meaningful use objectives. There are 23 meaningful use objectives for hospitals, 18 of which must be met to qualify for the money. Of them, 13 are “core measures,” including clinical quality measures (e.g., reporting on hypertension, diabetes, heart failure), and hospitals also pick five from a list of 10 “menu set objectives” (e.g., generate lists of patients by specific conditions). Eligible professionals have to meet 19 of 24 meaningful use objectives; 14 are core, including clinical quality measurement, plus five out of 10 menu set objectives. “They are checking your answers now,” Flood says. “What appeared to be easy money isn’t.”
CMS hired a contractor — Figliozzi and Company of Garden City, N.Y. — to conduct the audits. “The purpose of auditing for the EHR Incentive Programs is to ensure that the attestation data submitted by providers is accurate and supports providers meeting the requirements of meaningful use,” a CMS spokesperson says. Some or all of the attestation data will be requested by the auditor. “Providers should retain a report from the certified EHR system to validate all clinical quality measure data entered during attestation, since all clinical quality measure data must be reported directly from the certified EHR system,” CMS says in a document on the audits.
Health care IT consultant Chris Apgar, president of Apgar and Associates in Portland, Ore., says the auditors are picky, like the HIPAA privacy and security auditors.
Small, medium and large hospitals and physician practices are facing audits, so there is no way to know who’s next. Recoupment letters come directly from CMS. One letter from the EHR HITECH Incentive Payment Center said a meaningful use audit had determined that “an overpayment of HITECH funds has been determined and is owed.” CMS gave the provider 30 days to repay the money, although it had the right to appeal.
“So far, more clients than not are having audit findings and owing the money back, often because they thought they met most of the core elements, but they didn’t get them all done, or they weren’t all properly documented,” he says. “If you miss a core element, they ask for all the money back.” He doubts most small and medium-sized providers will be able to keep their meaningful use money if they are audited.
Security Risk Analysis is Key
The security risk analysis is a problem area in meaningful use, Apgar and Flood say. Hospitals and physicians must attest that they conducted a risk analysis, which is a core measure as well as required by the HIPAA security regulation. “On more than one occasion where I am called to a large health system, they attested to but didn’t do a security risk analysis,” Apgar says.
Sometimes the EHR vendor screws the pooch, Apgar says. One of his physician-client’s got stuck with a system that continually updates information. Although the vendor was certified for meaningful-use EHRs, “it didn’t do its job and preserve the documentation or the attestation,” Apgar says. When the physician was audited, he was unable to prove that patients received information at discharge, as attested. The same thing happened with another of Apgar’s physician clients.
The risk of losing the entire incentive payment for the audit period based on one or a few mistakes is making some providers rethink its value, Apgar and Flood say. “Some providers realized the cost to them of the government oversight for their use of this money is too high and that it’s actually cheaper for them to invest in the technology themselves,” Flood says. As long as they adopt certified EHRs, they won’t face Medicare DRG penalties, he notes — or meaningful use audits. “You don’t have to participate in the EHR incentive program to have a qualified interoperable EHR. People misunderstand that,” Flood says. “If they would have known they’d be audited to a perfect standard, they would not have gotten into the program.”