There are only two days left before the MU hardship exception timeline expires. If you qualify for a hardship exception in 2014 and have yet to file, read Dr. Ketchersid’s blog post from last week—and hurry! For those who have met the meaningful use objectives in 2014, kudos to you, but don’t get too comfortable yet.
Just when you thought you had a bullet-proof audit folder in place, along comes the Office of the Inspector General (OIG) looking for fraud. Odds are you won’t receive the same fate as Tom White, the former CFO of a Texas hospital chain who just last week received a 23-month sentence in prison for his effort to fleece the meaningful use program—but you could be required to fork over those already-spent dollars.
Why the OIG?
Earlier this year, the OIG within the Department of Health and Human Services (HHS) announced that it will actively participate in meaningful use audits, and a random selection of physicians is already underway. This announcement came on the heels of a few cases where the OIG demonstrated inappropriate payments given by both CMS and the state Medicaid programs. In one case, the OIG audited 19 Massachusetts hospitals and found the state overpaid 13 of them a total of $2.7 million for their Medicaid EHR attestations.
Up until now, a majority of audits consisted of a CMS-contracted company (Figliozzi & Company) contacting the provider after a payment was made, also known as a “pay-and-chase” technique. In this type of CMS audit, specific attestation is requested to measure documentation during a single attestation year. However, the OIG found that CMS and states lacked adequate data to verify participants’ self-reported attestations about their eligibility and meaningful use of EHRs, thus creating a work plan for the 2015 fiscal year to address this issue.
The OIG’s work plan contained a number of objectives:
- Determine whether providers that received Medicare and/or Medicaid MU payments were entitled to the money
- Assess CMS’s plans to oversee incentive payments for the duration of the program and corrective actions taken regarding erroneous incentive payments
- Assess CMS’s oversight of hospitals’ security controls over networked medical devices that are integrated with EHR systems
- Identify whether covered entities and business associates, such as cloud services and other “downstream service providers,” adequately secure electronic patient-protected health information created or maintained by certified EHR technology
It seems the objective of the OIG is not necessarily to go after individual providers, but to assess how well CMS and state agencies are doing their jobs. In other words, it’s a case of one government entity auditing the other.
In addition, the OIG added two “cross-cutting enforcement activities” that focus on conducting criminal investigations involving the misuse of Recovery Act funds:
- Evaluate credible allegations of improper expenditures of Recovery Act funds to identify cases in which criminal investigations should be opened and enforcement actions pursued
- Grant whistleblower protection to employees who reasonably believe they are being retaliated against for reporting misuse of Recovery Act funds received by their non-Federal employers
In order to fulfill the work plan, the OIG received funding for discretionary oversight of programs and operations of HHS that received supplemental funding through the Recovery Act.
What will an OIG audit look like?
Details surrounding the OIG’s audit process are still unknown. They have refused to share the scope or audit process to the public, citing confidentiality as the reason for not sharing details of the audit program. However, early indications predict the focus to be on security in general with MU being the pathway to get “in the door.”
According to Purdue Healthcare Advisors, OIG audits that have been conducted thus far have been technical in nature. The areas of interest include:
- EHR risk assessment & audit reports
- EHR security plans
- Organizational chart
- Network documentation & diagrams
- EHR websites & patient portals
- Policies & procedures
- System inventories
- Tools used to conduct vulnerability scans
- Central log and event reports
- EHR system users
- List of contractors support EHR & network perimeter devices
If you are selected by the OIG to be audited, you will receive an audit notice letter requesting specific information and documents—specifically those pertaining to the measures under review for all reporting years that you have participated in the program.
What to do in the mean time
The Medical Group Management Association (MGMA) recommends that EPs review their documentation for each measure and for each year that an incentive payment was received, such as measures calculation reports supplied by the EHR, dated screen shots that demonstrate that you successfully met a particular measure and, most importantly, your practice’s security risk analysis. The OIG audits are also multi-year, so have all your reporting period audit folders ready to go.
The Congressional Budget Office estimates that from 2011 through 2019, spending on the Medicare and Medicaid EHR incentive programs will total $30 billion. It’s no wonder another government watchdog has been added into the mix.
What do you think of the new auditor line up? Should the OIG be involved? We would like to hear your comments below!
Diana Strubler, Senior Product Analyst, Health IT Standards, joined Acumen in 2010 as an EHR trainer then quickly moved into the role of certification and health IT standards subject matter expert. She has successfully led Acumen through three certifications while also guiding our company and customers through the world of Meaningful Use, ICD-10 and PQRS.