Kusserow on Compliance: EHR incentive program attestation is serious business

The American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5) authorized providing incentive payments to eligible health care professionals, hospitals, and Medicare Advantage Organizations (“MAOs”) to promote the adoption and “meaningful use” of health information technology and electronic health record (“EHR”) systems. CMS established the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs) to make incentive payments to health care professionals and providers that meet specified requirements for the meaningful use of certified EHR technology (CEHRT). The EHR Incentive Programs are intended to bring about improved clinical outcomes and population outcomes, increase transparency and efficiency in health care, empower individuals to make decisions regarding their care, and generate additional research data on health systems. Program participants must report on their performance pertaining to certain clinical quality measures (CQMs) and objectives to CMS (for Medicare) or the authorized state agency (for Medicaid) through an attestation process. Since 2011, the EHR Incentive Programs have made incentive payments to numerous eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that qualify as “meaningful users” by meeting the objectives and CQMs outlined in the various stages of the applicable programs.

Annual attestations required

Eligible providers must annually attest to meeting the specified objectives and measures in order to receive incentive payments under the EHR Incentive Programs. Once they have attested to meeting the identified objectives and measures, they are deemed to be meaningful users and eligible for incentive payments.  CMS, its contractor, and state Medicaid agencies conduct both random and targeted audits to detect inaccuracies in eligibility, reporting, and receipt of payment with respect to the EHR Incentive Programs.  Eligible hospitals may be selected for pre- or post-payment audits. CMS has required that eligible hospitals retain all supporting documentation used in completing the Attestation Module responses in either paper or electronic format for six years post-attestation. Eligible hospitals are responsible for maintaining documentation that fully supports the meaningful use and CQM data submitted during attestation. Those hospitals undergoing pre-payment audits will be required to provide supporting documentation to validate submitted attestation data before receiving payment.

Unsupported and false attestations

Making false statements, including attestations to the federal government, could implicate federal law (18 U.S.C. § 1001), which generally prohibits knowingly and willfully making false or fraudulent statements or concealing information. Although eligible hospitals receiving incentive payments under the Medicare and Medicaid EHR Incentive Programs are not required to follow any particular parameters when spending the payments, they must annually attest to meeting the relevant measures and objectives in order to be entitled to incentive payments. It is critical that eligible hospitals maintain documentation that supports their attestations.  Supporting documentation needs to make clear that the hospital is meeting the terms and conditions of the EHR Incentive Program. A checklist document by itself would be insufficient as supporting documentation. Failure to maintain such supporting documentation creates potential liability. Although no significant enforcement activity has taken place, compliance officers are advised to verify that proper supporting documentation is maintained.  In fact, the responsible program manager should be maintaining documentation as part of ongoing monitoring. As part of ongoing auditing, the compliance office should ensure that monitoring is conducted and validate that it is adequately meeting regulatory requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on
Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.



NQF report helps providers HIT their way through patient safety

Effective health information technology (HIT) that adequately considers patient safety can be measured by nine key metrics, according to a report from the National Quality Forum. The nine factors measure proper design, implementation, and use of HIT to reduce medical errors and inefficiency while improving quality of care. The NQF identified a need to develop a set of measures to help providers and vendors identify HIT related patient safety risks so that those concerns can be mitigated and HIT can begin to reach its potential. The NQF believes with a set of high-priority areas of focus, a more efficient process can develop to improve HIT.

Key measurements

The key measurements include:

  • clinical decision support (CDS);
  • system interoperability;
  • patient identification;
  • user-centered design and use of testing, evaluation, and simulation to promote safety across the HIT lifecycle;
  • system downtime (data availability);
  • feedback and information-sharing;
  • use of HIT to facilitate timely and high-quality documentation patient engagement; and
  • HIT-focused risk-management infrastructure.

Clinical care

The report explains that while CDS is one of the most promising aspects of HIT, because it allows clinicians access to tools to quickly and efficiently analyze patient data, CDS can also greatly disrupt patient safety and care efficiencies if it is poorly designed. The interoperability of HIT systems is also considered a crucial measure because “complete information” about patients allows providers to make safer and more cost-effective care decisions. For the same reason, patient identification is an important factor in the effectiveness of HIT. If HIT systems are not able to reliably identify patients, providers run the risk of duplicating records, overlaying one patient’s information onto the wrong patient, or ordering care for the wrong patient.


The NQF determined that the user-friendly nature of a HIT system is critical to its success because it can reduce the risk of errors and subsequent threats to patients. The ability to engage in system simulations is also important to identify breakdowns and inefficiencies in system processes. System “downtime” is an important factor in the usefulness of an HIT system because if systems go offline in an unscheduled manner, providers can be forced into a sudden and unexpected change in clinical processes, which can threaten patient safety.

Sharing, timeliness, and engagement

The report suggests that information sharing between vendors and providers is an important and effective way to identify HIT system problems before they become patient safety issues. Additionally, the NQF believes that the timely use of HIT, specifically through electronic health records, is important to ensure efficient, complete, and quality care. Specifically, the report indicates that timeliness is an important factor because it allows for safe care transitions between providers. In terms of emerging concerns, the report suggested that providers place emphasis on patient access to HIT. The NQF acknowledged that patients who engage in their care tend to have more favorable health care outcomes. Finally, the NQF believes that effective HIT requires a comprehensive risk management program that can address and resolve patient safety problems in real time.

Effective HIT

The report identifies HIT as a cause and solution of patient safety issues. Although it poses some risks, the NQF considers HIT an important way to drive efficiencies and improve the quality of care. To reach the potential of emerging HIT, however, providers need to develop a multi-step process taking the nine factors into consideration. The report also reminds stakeholders that effective HIT does not fall on any one entity’s shoulders. HIT is a shared responsibility, which calls on the influence on clinicians, health care organizations, vendors, and even patients.