Mistaken EHR incentive payments may have been unavoidable

After it was announced that the CMS potentially made mistaken payments to providers for meaningful use, healthcare policy advisers questioned the agency's oversight capabilities. But some wondered whether the overpayments, which totaled an estimated 12% of incentive payments, may have just been the price of doing business.

"Twelve percent sounds pretty alarming," said Jeff Smith, vice president of public policy for the American Medical Informatics Association, "but I would imagine that it's probably within one or two standard deviations of the mean for other CMS programs." He cited a 2015 Government Accountability Office report that estimated that fraud, waste and abuse made up more than 10% of Medicare's budget.

Between May 2011 and June 2014, the CMS paid providers an estimated $729.4 million in incentive payments that shouldn't have been distributed, according to HHS' Office of Inspector General. The money went to providers who had EHRs that putatively met federal standards. But, it turns out, according to the OIG, some of those providers didn't meet meaningful use criteria through the use of certified EHRs. They either failed to support self-reported information, failed to report meaningful use periods, or improperly used the EHRs. Those mistakes led to payments that shouldn't have ever gone out.

"This kind of thing happens in new programs," said former CMS head Gail Wilensky of the overpayments. "When it happens, you want to get it fixed, and if it continues to happen, that's more disturbing than having surfaced it early in its existence."

One solution could be better audits, Wilensky said. "There's no reason the CMS can't do spot audits," she said.

But those aren't working, according to OIG, which found that "targeted risk-based audits are not capturing errors" identified in the report. As such, OIG recommends that the CMS figure out which providers didn't meet meaningful use criteria and try to recover the overpaid money. The agency can do so, OIG said, by looking over its incentive payments and by conducting a random sample of providers' documentation.

Some meaningful use criteria are particularly burdensome to verify, though, Smith said, especially for small practices that don't have dedicated staff for meaningful use. Take, for instance, the requirement for EHRs to have clinical decision support capabilities, including alerts. EHRs must be able to do this throughout the reporting period. As such, should the CMS require a daily screenshot of an alert? "Self-attestation is more or less the only option you have," Smith said.

Other meaningful use requirements are unclear, said Claire Miley, a healthcare attorney with Bass Berry and Sims. "There was a lot of confusion when the regulations first came out about the standards," she said, which may have led to problems in self-attestation.

In the future, the CMS might build compliance tests into the policy itself. But right now, the tendency is to develop policies first and figure out compliance later, Smith said.

As such, it might be wise, for instance, to take payment mistakes into account in its budget calculations, Smith said, much as credit card companies do.

Beyond the money, though, is patient safety, which is negatively affected by providers who don't meet meaningful use requirements with their EHRs, said William Marella, executive director of patient safey organization operations and analytics for the ECRI Institute. "If there are providers who were not actually using the EHR in the way the meaningful use criteria would dictate, there could potentially not be benefits to quality and safety," he said. It's tough to say how broad the effects are, though, since, Marella says, "you can't tell from this report whether they actually didn't meet meaningful use criteria or whether they just couldn't prove it."