Kusserow’s Corner: OIG Reports on CMS, EHR Practices; MACs; OCR Security Rule

OIG Reports that CMS/Contractors Fail to Adopt Practices Addressing EHR Vulnerabilities

The HHS Office of Inspector General (OIG) released a report raising concerns about the failure of CMS and their contractors to adopt integrity practices to address HER vulnerabilities.  As electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information, new vulnerabilities increase for protected health information (ePHI).  The OIG cited experts in health information technology caution that EHR technology can make it easier to commit fraud. The OIG notes that this requires CMS and its contractors to adjust their techniques for identifying improper payments and investigating fraud.

In conducting their review, the OIG sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud.  They also reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers. Lastly, we reviewed documents on EHRs and Medicare claims that CMS provided to its contractors.  There were 5 significant findings from the review:

  1. CMS and its contractors had not changed their program integrity strategies in light of EHR adoption.
  2. Few CMS contractors had adopted few program integrity practices specific to EHRs.
  3. Few contractors were reviewing EHRs differently from paper medical records.
  4. Not all contractors reported being able to determine whether a provider had copied language or over documented in a medical record.
  5. CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.

The OIG recommended CMS provide guidance to its contractors on detecting fraud associated with EHRs and suggested they could work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs.   The OIG further recommended specific guidance is needed to address EHR documentation and electronic signatures in EHRs. CMS concurred with this.

The OIG also called for CMS to direct its contractors to use providers’ audit logs. Audit log data distinguish EHRs from paper medical records and could be valuable to CMS’s contractors when reviewing medical records. CMS only partially concurred with this recommendation.

OIG Report on Medicare Administrative Contractor (MAC) Performance

Medicare Administrative Contractors (MACs) are awarded millions of dollars a year and play a critical role in administering the Medicare program.  The OIG has released a report (OEI-03-11-00740) on their review of their performance noting at the outset that effective oversight of MAC performance.  They noted at the outset the importance of ensuring that they are adequately processing claims and performing other assigned tasks. In conducting the review, the OIG collected performance assessment information from CMS and determined (1) the extent to which MACs met or did not meet performance requirements reviewed by CMS and (2) the extent of CMS’s performance assessment and monitoring of MACs.

MAC standards have stringent performance requirements; a number of standards require 100 percent performance compliance. The OIG noted that MACs can earn award fees if their performance exceeds basic requirements, and metrics are included in MACs’ award fee plans to encourage improved performance. However, certain areas identified as problematic through quality assurance reviews were not always included as metrics in MACs’ award fee plans. Two MACs consistently underperformed across various CMS reviews, and CMS’s reviews of MACs, while extensive, were not always completed timely.

The OIG general finding included that MACs met the majority of quality assurance standards reviewed by CMS. However, they did not meet one quarter of the standards reviewed, and furthermore had not resolved issues with 27 percent of these unmet standards. The OIG noted that CMS did not require action plans for 12 percent of unmet standards, and unmet standards without action plans were almost four times more likely to have issues go unresolved.

The OIG recommended that CMS:

  1. Require action plans for all quality assurance standards not met;
  2. Use results of quality assurance reviews to help select award fee metrics for review;
  3. Meet timeframes for completing quality assurance reports;
  4. Meet timeframes for completing award fee determinations;
  5. Establish reasonable timeframes for issuing contractor performance reports; and
  6. Seek legislative change to increase the time between MAC contract competitions to give CMS more flexibility in awarding new contracts when MACs are not meeting CMS requirements.

CMS concurred with all six of the OIG recommendations.

OIG Reports on Medicare Claims Administration Contractor Error Rate Reduction Plans

The OIG’s Office of Evaluation and Inspection (OEI) performed a review of the CMS’s Comprehensive Error Rate Testing (CERT) program (OEI-09-12-00090).  They reviewed error rate reduction plans submitted for calendar year 2011 or 2012 to describe plan content and determine whether the plans included the required elements.  In assessing the CMS’s oversight of the plans, they analyzed interview responses about reviews of the plans by CMS staff, as well as information about the incentives that CMS offered to MACs in 2011 and 2012 to reduce their error rates.

The OIG noted that the Medicare claims administration contractors improperly paid an estimated $29.6 billion during the Federal fiscal year 2012 reporting period.  The improper payment rate (error rate) was 8.5 percent, above the target rate of 5.4 percent.  To reduce the error rate, CMS requires claims administration contractors to submit error rate reduction plans.  In these plans, contractors must describe the corrective actions that they will take to lower their error rates.  In addition to overseeing contractors’ efforts to reduce their error rates, CMS has the authority to offer financial incentives to MACs.

The OIG found in their review that:

  • Most error rate reduction plans included the required elements, but corrective actions were not always relevant to claims administration contractors’ CERT results and varied substantially in number.
  • CMS oversight of error rate reduction plans is limited and staff who reviewed the plans may have been unable to determine whether the plans addressed their most recent CERT results.
  • Although some of the sampled plans did not include the five required elements or were for contracts with high error rates, CMS approved all sampled plans without recommending different or additional corrective actions.
  • Limitations in CMS’s administration of incentives for error rate reduction may reduce their effectiveness.

The OIG made four recommendations and CMS concurred with all of them:

  1. Review its process for overseeing claims administration contractors’ error rate reduction,
  2. Ensure that contractors submit clear plans for reducing their error rates,
  3. Provide additional guidance for contractors and CMS staff who review plans, and
  4. Provide error rate reduction incentives that are aligned with the contracts’ error rates and performance periods.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.