HITECH EHR Oversight Needs Improvement

Report Says Better Risk Assessment Proof Also Needed

By , November 30, 2012.
HITECH EHR Oversight Needs Improvement

A new report recommends the Centers for Medicare and Medicaid improve oversight of the HITECH Act's incentive program for the meaningful use of electronic health records, including requiring better proof from healthcare providers that risk assessments have been performed.

See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

This suggestion is among the findings of "Early Assessment Finds CMS Faces Obstacles in Overseeing Medicare EHR Incentive Program," a new Office of Inspector General report. This document reviews CMS oversight of the HITECH Act EHR incentive payment program, which has healthcare providers self-reporting data to demonstrate that they meet meaningful use requirements for the financial rewards.

"CMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements," the report says. "Currently, CMS has not implemented strong prepayment safeguards, and its ability to safeguard incentive payments post-payment is also limited."

Risk Assessments

The report spotlights risk assessments as an example of where more guidance from CMS might be needed so that healthcare providers can provide better documentation, such as screen shots, to prove they've met meaningful use requirements.

"CMS should bolster its current guidance by detailing the types of supporting documentation it expects professionals and hospitals to maintain for specific meaningful use measures," the report says. "This guidance could explain, for example, that CMS expects professionals and hospitals to keep documentation such as screen shots and proof that a security risk assessment was performed."

The report lays some blame on the Office of the National Coordinator for Health Information Technology, saying that ONC's requirements for EHR reports "may contribute to CMS's oversight obstacles." ONC, which like CMS is a unit of the Department of Health and Human Services, sets the technology certification standards of EHRs product qualified for use in the HITECH incentive program.

In addition, OIG recommends that ONC add to its EHR certification requirements that the software be capable of producing reports for yes/no measures that could help professionals and hospitals prove compliance in the event of an audit and simplify CMS's oversight.

In particular, these reports could help CMS conclusively verify that professionals and hospitals had the relevant EHR technology functions enabled for the entire 90-day reporting period, says OIG. However, the OIG also acknowledges: "Producing reports may not be possible for some measures that include information not contained in the certified EHR technology, for instance that a security risk assessment was conducted."

Beyond recommending that CMS issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their meaningful use compliance, OIG also recommends that CMS verify accuracy of the self-reporting. Specifically, CMC should obtain and review the supporting documentation from healthcare providers prior to payment.

Mixed Response

In its response to the report, CMS agreed with the recommendation for issuing improved guidance. However, CMS did not concur with the notion of prepayment reviews, saying that would "increase the burden on practitioners and hospitals and could delay incentive payments."

OIG isn't the first to question HHS processes related to payment of incentive money to healthcare providers. In a letter to HHS secretary Kathleen Sebelius in October, four GOP lawmakers questioned details of the meaningful use program, including asking HHS plans for recouping "inappropriate" incentive payments. (see: GOP Legislators Question HITECH Merits.)

The OIG report says "CMS's ability to safeguard incentive payments postpayment is also limited. CMS's planned postpayment audits may not conclusively verify the accuracy of professionals' and hospitals' self-reported information because supporting documentation may not be available."

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE With Cybersecurity Summit Over, What's Next?

A key component of President Obama's executive order to encourage industry to share cyberthreat...

Latest Tweets and Mentions

ARTICLE With Cybersecurity Summit Over, What's Next?

A key component of President Obama's executive order to encourage industry to share cyberthreat...

The ISMG Network