Electronic Healthcare Records , Governance & Risk Management , HIPAA/HITECH

What Happens If Some HITECH Payments Must Be Returned?

Experts Discuss Impact of Carrying Out Senators' Request for Certain Repayments
What Happens If Some HITECH Payments Must Be Returned?
GOP Senators Charles Grassley of Iowa and Orrin Hatch of Utah sent letter to CMS.

Two GOP senate committee chairmen are asking federal regulators to take action to recoup potentially millions of dollars of allegedly inappropriate incentive payments made under the HITECH Act to healthcare professionals who failed to provide proof of meeting requirements for making "meaningful use" of electronic health records systems. Those requirements include conducting a security risk assessment.

See Also: OnDemand | Driving Security, Privacy, & Compliance Goals by Accelerating HITRUST Certification

The move comes after the Department of Health and Human Services' Office of Inspector General issued a June report estimating that as much as $729 million worth of HITECH Act incentive payments might have been paid to doctors and other healthcare professionals who failed to provide proof that they were meeting the program's requirements.

Meanwhile, the OIG Tuesday said it in its updated work plan that in fiscal 2018, which begins Oct. 1, it plans to "review hospitals' incentive payment calculations to identify potential overpayments that the hospitals would have received as a result of the inaccuracies."

If some doctors and hospitals are forced to pay back HITECH incentive payments, it could have a significant impact on their ability to spend money to enhance data security for EHRs and other systems, some security experts say.

Senators' Inquiry

In a July 12 letter to Seema Verma, administrator of the Centers for Medicare and Medicaid Services, Sen. Orrin Hatch of Utah, chair of the Senate finance committee, and Charles Grassley of Iowa, chair of the Senate judiciary committees, ask whether CMS has taken action to "recover taxpayer money that should have not been spent" for EHR incentive payments to those that did not comply with the program's requirements.

The June OIG report noted that a random sample of 100 eligible healthcare professionals, including physicians, who received HITECH Act incentive payments from May 2011 to June 2014 found that 14 could not provide "adequate support for their meaningful use attestation." That included six healthcare professionals who could not provide documentation of conducting a security risk assessment of EHR systems.

OIG said those payments made to the 14 healthcare providers by CMS totaled about $291,222. Based on that sample, OIG estimated CMS inappropriately paid $729 million in incentive payments to other eligible providers who did not meet meaningful use requirements.

In addition, OIG said that CMS overpaid or incorrectly paid other healthcare professionals' EHR incentive payments.

Details Demanded

In the letter to CMS, the senators ask for an update on the actions the agency has taken to recover overpayments and asks the agency to review a random sample of eligible providers' self-attestation documentation to identify if inappropriate payments may have been made since the OIG audit period.

The senators also ask CMS to describe how "targeted-risk audits" might be used to recover "inappropriate payments already made and prevent inappropriate payments made in the future."

A CMS spokesman declined to comment on the letter's requests. "CMS is in receipt of the letter you mentioned, and it is still under review for response," he told Information Security Media Group.

Potential Impact

Kate Borten, president of the privacy and security consulting firm The Marblehead Group, says that it's important that HHS hold healthcare providers participating in the HITECH Act program - as well as other government programs - accountable.

"Government failure to audit and respond to problematic findings - such as the discovery of overpayments and inappropriate payments - will suggest to some healthcare organizations that they can get away with less than full compliance," she says.

Recovery of EHR incentive money paid to healthcare providers could have a major impact on tech-related investments - including security investments - made by those resource-strapped organizations, Borten adds. "Government claw-back of meaningful use incentive payments definitely could affect an organization's budget. And, potentially, the pain would be felt in the security program."

Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, notes: "If CMS were to require healthcare providers and hospitals to repay meaningful use monies, there might be significant consequences on the operations of the practice or facility. For example, many healthcare organizations operate on a lean financial plan. An organization may not have the funds readily available to repay the government while continuing day-to-day operations or investing in planned initiatives like new technologies to safeguard health information technology from cybersecurity threats."

The Medical Group Management Association, which represents managers of physician practices, says it could be "financially devastating" to some healthcare professionals if CMS demands repayment of meaningful use financial incentives.

"MGMA does not condone willful fraud in any federal programs," says Anders Gilberg, senior vice president of government affairs with MGMA. "The OIG report, which extrapolated from only 14 practices, highlighted the single biggest problem with meaningful use: the programs' 'all or nothing' approach. A clinician could accomplish all but [a small percentage] of the criteria and theoretically be required to give back 100 percent of the incentive if they missed or failed to document a single item. Given the complexly of the now extinct Medicare meaningful use program, CMS should weigh the advantages of conducting an audit process against the very negative consequence it could have on physicians' ability and willingness to participate in the Advancing Care Information component of the brand new Merit-Based Incentive Payment System program," which begins replacing the meaningful use program this year, Gilberg says.

If eligible providers are demanded to return the maximum $44,000 [per provider] they received under the HITECH program, "it could affect everything from future technology investments to even the most basic clinical functions of a practice given the size of the financial liabilities involved," Gilberg says. "A 10-physician practice might have to fire clinical staff to offset nearly a half-million dollar reduction to their bottom line."

Nevertheless, Borten says it's important for providers to see that HHS takes compliance with the HITECH incentive program's requirements seriously. "CMS should consider recouping payments in cases where the payback is reasonable," she says. "Government auditing is essential to regulatory enforcement - whether the topic is meaningful use or HIPAA compliance. While many organizations take these regulations seriously and are compliant, unfortunately, some others do not."

CMS Audits

Holtzman, a former advisor at the Department of Health and Human Services' Office for Civil Rights, notes that CMS relies on contractors to perform audits of eligible physicians and hospitals that have received payments through the HITECH ACT's incentive program. "It is not clear from the CMS response to the OIG audit that there are the personnel or contractors in place to carry out a program to perform additional audits other than those already planned," he says.

The OIG report recommended, among other things, that CMS should review a random sample of eligible providers' documentation supporting their self-attestations to identify inappropriate incentive payments that may have been made after the audit period.

CMS' response to OIG, included in the report, notes: "CMS partially concurs with OIG's recommendation. CMS has implemented targeted risk-based audits to strengthen the program integrity of the EHR incentive program, which include non-statistical random sampling, and continues to perform these targeted risked-based audits in 2016 and 2017."

Holtzman points out additional audits would prove costly. "Implementing an audit program that would review the meaningful use attestations submitted by 360,000 eligible physicians and hospitals could cost over $260 million. It is far from certain if Congress would appropriate the necessary funds to support an audit program of this size."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.