The U.S. Department of Health and Human Services inspector general (IG) released a report this week that stated that the U.S. electronic health record (EHR) incentive program administered by the Centers for Medicare & Medicaid Services (CMS) is “vulnerable” to fraud. The IG says that CMS “has not implemented strong prepayment safeguards” to keep healthcare providers from claiming that they are meeting the meaningful use standard required, and CMS’s “ability to safeguard incentive payments postpayment [i.e., conduct audits] is also limited.”
As I noted a few weeks ago, CMS has already paid out over US $7 billion since January 2011 to over 100 000 healthcare providers claiming to meet federal EHR meaningful use standards. To get the incentive payment, healthcare providers in essence self-certify (“self-attest”) to the CMS that they meet the standards. However, the IG says, CMS does only minimal cross-checking to see whether the self-certifications it receives pass a reasonableness test, and its audit capability is weak to say the least. For instance, the IG report notes that so far, “CMS had not yet completed any postpayment audits.”
Nor would the audit approach that CMS proposes to use conclusively determine in all cases whether a healthcare provider’s EHR system met the meaningful-use criteria, the IG reports. The IG wants CMS to set up a more robust and fraud-resistant self-certification process that it can apply before incentive payments are made, as well as for CMS to start conducting audits using a rigorous process that could accurately measure the EHR meaningful-use achievement being claimed by a health provider.
Interestingly, when the EHR incentive program was set up, there was no requirement “to verify the accuracy of this [self-certification] information prior to payment," the IG report stated. Apparently, CMS set the program up under a “trust, but verify approach,” but it has yet to do its verification bit.
CMS agreed with the IG that it needs to start auditing healthcare providers to confirm that they are indeed meeting the meaningful use criteria, but disagrees that it should do more than the minimal cross-checking to see whether healthcare providers are being truthful or not before sending out the claimed incentive payments. CMS told the IG that conducting “prepayment reviews would increase the burden on practitioners and hospitals and could delay incentive payments.” The CMS argues that its current cross checking is sufficient, and that the threat of audits is sufficient to keep healthcare providers truthful.
CMS is looking at EHR systems as an important means to cut down on Medicare/Medicaid fraud, which is estimated to be over $60 billion dollars a year. The faster the EHR rollout, the faster fraud can be reduced seems to be the thinking. It looks like CMS is willing to accept some potential fraud in its $27 billion or so EHR incentive program in a bid to reduce the much larger pool of Medicare/Medicaid fraud.
The ironic fly in the ointment is that CMS is also majorly concerned that healthcare providers are using their new EHR systems for perpetrating Medicare and Medicaid fraud.
It may take a while to see whether the CMS’s rapid trust-but-verify EHR rollout strategy is a good bet, or one that creates as many problems as it solves.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.