HITECH EHR Oversight Needs Improvement

Report Says Better Risk Assessment Proof Also Needed
HITECH EHR Oversight Needs Improvement

A new report recommends the Centers for Medicare and Medicaid improve oversight of the HITECH Act's incentive program for the meaningful use of electronic health records, including requiring better proof from healthcare providers that risk assessments have been performed.

See Also: Privileged Identity Management for the Decentralized Organization

This suggestion is among the findings of "Early Assessment Finds CMS Faces Obstacles in Overseeing Medicare EHR Incentive Program," a new Office of Inspector General report. This document reviews CMS oversight of the HITECH Act EHR incentive payment program, which has healthcare providers self-reporting data to demonstrate that they meet meaningful use requirements for the financial rewards.

"CMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements," the report says. "Currently, CMS has not implemented strong prepayment safeguards, and its ability to safeguard incentive payments post-payment is also limited."

Risk Assessments

The report spotlights risk assessments as an example of where more guidance from CMS might be needed so that healthcare providers can provide better documentation, such as screen shots, to prove they've met meaningful use requirements.

"CMS should bolster its current guidance by detailing the types of supporting documentation it expects professionals and hospitals to maintain for specific meaningful use measures," the report says. "This guidance could explain, for example, that CMS expects professionals and hospitals to keep documentation such as screen shots and proof that a security risk assessment was performed."

The report lays some blame on the Office of the National Coordinator for Health Information Technology, saying that ONC's requirements for EHR reports "may contribute to CMS's oversight obstacles." ONC, which like CMS is a unit of the Department of Health and Human Services, sets the technology certification standards of EHRs product qualified for use in the HITECH incentive program.

In addition, OIG recommends that ONC add to its EHR certification requirements that the software be capable of producing reports for yes/no measures that could help professionals and hospitals prove compliance in the event of an audit and simplify CMS's oversight.

In particular, these reports could help CMS conclusively verify that professionals and hospitals had the relevant EHR technology functions enabled for the entire 90-day reporting period, says OIG. However, the OIG also acknowledges: "Producing reports may not be possible for some measures that include information not contained in the certified EHR technology, for instance that a security risk assessment was conducted."

Beyond recommending that CMS issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their meaningful use compliance, OIG also recommends that CMS verify accuracy of the self-reporting. Specifically, CMC should obtain and review the supporting documentation from healthcare providers prior to payment.

Mixed Response

In its response to the report, CMS agreed with the recommendation for issuing improved guidance. However, CMS did not concur with the notion of prepayment reviews, saying that would "increase the burden on practitioners and hospitals and could delay incentive payments."

OIG isn't the first to question HHS processes related to payment of incentive money to healthcare providers. In a letter to HHS secretary Kathleen Sebelius in October, four GOP lawmakers questioned details of the meaningful use program, including asking HHS plans for recouping "inappropriate" incentive payments. (see: GOP Legislators Question HITECH Merits.)

The OIG report says "CMS's ability to safeguard incentive payments postpayment is also limited. CMS's planned postpayment audits may not conclusively verify the accuracy of professionals' and hospitals' self-reported information because supporting documentation may not be available."

As for OIG's other suggestions, ONC concurs with the recommendation that ONC require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible and that it improve the certification process for EHR technology to ensure accurate EHR reports.

"ONC will continue to improve the accuracy of EHR reports as the testing and certification process becomes more rigorous over time," says Farzad Mostashari, M.D., national coordinator for health IT in his response letter to the inspector general.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network