The company decided to do so after an internal compliance review spotted an error in its data reported to the CMS, a hospital official said.
The company said in statement Tuesday that the company “made an error in applying the requirements for certifying its EHR technology under these programs.” But the precise problem was with the data submitted to the CMS to show meaningful use of the technology, said John Merriwether, vice president of investor relations at HMA, in an interview.
HMA has developed, tested and certified three versions of its own modular EHR technology to the standards necessary for meeting the program's Stage 1 meaningful use criteria.
Merriwether called it “a very technical data issue” and said HMA intends to correct and submit data for some of the hospitals to recoup some of the money. He declined to name the hospitals involved or give a target date for when they will be able to resubmit their information.
While HMA's error was caught by the company's own compliance department, the CMS may uncover similar problems in its ongoing series of state and federal audits of the program.
So far, hospitals, office-based physicians and other eligible providers have received nearly $16.6 billion dollars in EHR incentive payments under the program created by the American Recovery and Reinvestment Act of 2009. Auditor started looking into program operations last fall. According to the CMS, it plans to audit 5% to 10% of recipients post-payment and 5% to 10% of pre-payment provider applications. The CMS has not made public its audit findings.
“It does happen,” said Robert Tennant, senior policy adviser for the Medical Group Management Association. “I've talked to a couple of practices that found out after they'd received the money, there had been a problem with a vendor and their numbers were not in order and they returned their money voluntarily.”
Tennant said several medical groups have been audited by the CMS as well, and two “failed it because of security risk assessment issues.” Under meaningful use, providers must have an up-to-date data security risk assessment, also a requirement under the HIPAA security rule, a common source of failure despite the dual mandate, according to Tennant.
Surviving an EHR program audit was the subject of a well-attended educational session of the College of Healthcare Information Management Executives' 2013 Fall CIO Forum last month in Scottsdale, Ariz. By a show of hands, a half-dozen session attendees indicated their organizations had already undergone audits.
One of the presenters was Pamela McNutt, senior vice president and CIO at Methodist Health System, Dallas, whose hospital was audited twice—once by CMS contractor Figliozzi and Co. for the Medicare portion of the program and a second time by the state of Texas for Medicaid incentive payments.
Methodist passed both audits. McNutt recommended keeping detailed records of EHR versions and certifications for use under the program and when the systems were first turned on and used in a production environment.
She also noted that auditors require that providers show how they calculated their numbers when attesting that they met the criteria.
Follow Joseph Conn on Twitter: @MHJConn