Acting CMS Administrator Marilyn Tavenner, in a letter responding to a draft of the report, said the suggested pre-payment validations are unnecessary and would “significantly delay payments to providers.”
The inspector general's report also noted that the CMS had not performed post-payment audits of providers' attestations that they'd met the program's meaningful-use requirements. The inspector general's study covered only the first eight months of the Medicare EHR incentive program's payment period, May 2011 through December 2011. A CMS spokesperson said it started doing post-payment audits this June.
Meanwhile, the inspector general's office said it would be conducting its own “series of audits of Medicare and Medicaid EHR incentive payments” to “verify the accuracy of professionals' and hospitals' self-reported meaningful-use information, as well as eligibility and payment amounts.”
Thus far, the Medicare and Medicaid EHR incentive programs have paid out more than $8.4 billion. Medicare accounts for more than half that sum; the most recent figures reported don't specify the split.
Some industry experts question the wisdom of putting more obstacles in providers' paths to EHR incentives.
“It's already onerous,” said Robert Tennant, senior policy adviser for the MGMA. “You do, obviously, want to catch those folks that are just trying to slide by,” but “adding more burden to the program is not going to help.”
The inspector general's report also found fault with the incentive program's EHR testing and certification, which is overseen by the Office of the National Coordinator for Health Information Technology at HHS.
In a response to a draft of the report, ONC chief Dr. Farzad Mostashari concurred with two of the recommendations. One was to add tests to ensure the capability of an EHR to record and report results of compliance with meaningful-use criteria requiring either yes or no answers. Mostashari said he would ask two federal advisory committees for help in assessing “the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports.”
The inspector general also recommended, and Mostashari agreed, that ONC agents “comprehensively test EHR reports for accuracy as part of the certification process” as well as not rely on “vendor-supplied data” for its tests.
The Electronic Health Records Association, an affiliate of the Chicago-based Healthcare Information and Management Systems Society, said in an e-mail that it was still reviewing the report and declined further comment.
One of the yes/no criteria under meaningful use is to report to the CMS whether or not a provider has performed a security risk assessment, which is also a requirement under the Health Insurance Portability and Accountability Act. The inspector general's office recognized that producing reports with an EHR for some yes/no measures “may not be possible.” This is one of them, according to Lisa Gallagher, director of privacy and security for HIMSS.
“There are products out there that walk you through—in quotes—a HIPAA compliance assessment process. Therein lies the problem,” Gallagher said. The HIPAA and meaningful use “requirement is not to do a checklist. The requirement is to do a risk assessment. A security risk assessment means you take a look at your own environment and you identify the threat and the vulnerability and you walk through a risk assessment process.”
“I don't see an EHR having inherent functionality for doing a risk assessment,” she said. “There isn't one now, and I don't see that happening.”