Kusserow on Compliance: EHR incentive program attestation is serious business

The American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5) authorized providing incentive payments to eligible health care professionals, hospitals, and Medicare Advantage Organizations (“MAOs”) to promote the adoption and “meaningful use” of health information technology and electronic health record (“EHR”) systems. CMS established the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs) to make incentive payments to health care professionals and providers that meet specified requirements for the meaningful use of certified EHR technology (CEHRT). The EHR Incentive Programs are intended to bring about improved clinical outcomes and population outcomes, increase transparency and efficiency in health care, empower individuals to make decisions regarding their care, and generate additional research data on health systems. Program participants must report on their performance pertaining to certain clinical quality measures (CQMs) and objectives to CMS (for Medicare) or the authorized state agency (for Medicaid) through an attestation process. Since 2011, the EHR Incentive Programs have made incentive payments to numerous eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that qualify as “meaningful users” by meeting the objectives and CQMs outlined in the various stages of the applicable programs.

Annual attestations required

Eligible providers must annually attest to meeting the specified objectives and measures in order to receive incentive payments under the EHR Incentive Programs. Once they have attested to meeting the identified objectives and measures, they are deemed to be meaningful users and eligible for incentive payments. CMS, its contractor, and state Medicaid agencies conduct both random and targeted audits to detect inaccuracies in eligibility, reporting, and receipt of payment with respect to the EHR Incentive Programs. Eligible hospitals may be selected for pre- or post-payment audits. CMS has required that eligible hospitals retain all supporting documentation used in completing the Attestation Module responses, in either paper or electronic format, for six years post-attestation. Eligible hospitals are responsible for maintaining documentation that fully supports the meaningful use and CQM data submitted during attestation. Hospitals undergoing pre-payment audits will be required to provide supporting documentation to validate submitted attestation data before receiving payment.

Unsupported and false attestations

Making false statements to the federal government, including attestations, could implicate federal law (18 U.S.C. § 1001), which generally prohibits knowingly and willfully making false or fraudulent statements or concealing information. Although eligible hospitals receiving incentive payments under the Medicare and Medicaid EHR Incentive Programs are not required to follow any particular parameters when spending the payments, they must annually attest to meeting the relevant measures and objectives in order to be entitled to those payments. It is critical that eligible hospitals maintain documentation that supports their attestations. Supporting documentation needs to make clear that the hospital is meeting the terms and conditions of the EHR Incentive Program; a checklist document by itself would be insufficient. Failure to maintain such supporting documentation creates potential liability. Although no significant enforcement activity has taken place, compliance officers are advised to verify that proper supporting documentation is maintained. In fact, the responsible program manager should be maintaining that documentation as part of ongoing monitoring, and as part of ongoing auditing the compliance office should ensure that monitoring is conducted and validate that it adequately meets regulatory requirements.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

EHR adoption up, ONC discussing further plans at national convention

Almost all hospitals have implemented certified electronic health record (EHR) systems, a notable increase from 2008 survey data. In order to further the efforts to ensure transmission of health information between providers, the Office of the National Coordinator for Health Information Technology (ONC) will convene with public and private sector parties at its 2016 annual meeting, where sessions will educate those attending on current advancements and future plans.

Increased adoption

According to the ONC’s May data brief, 96 percent of reporting non-federal acute care hospitals had certified EHR systems in 2015. Eight of 10 small, rural, and critical access hospitals possessed at least basic EHR technology, although only about half of children’s hospitals and 15 percent of psychiatric hospitals did. Across all states, at least 6 out of 10 non-federal acute care hospitals had adopted basic EHR, a significant increase since 2008, when most states reported either no adoption or adoption below 20 percent.

Future of health IT

The annual meeting’s agenda includes presentations on the federal government’s commitment to better health, advances in interoperability, research, and health innovation. The government is particularly interested in precision medicine, which tailors treatments to each patient’s individual needs. The presentations also cover the health IT response to the Zika virus, advancing health IT for Medicaid programs, and cybersecurity.

Kusserow on Compliance: OCR is off to the races with $5.4 million in penalties for HIPAA violations

At the end of 2015, the HHS Office for Civil Rights (OCR) took major action against Triple-S Management Corporation. Ultimately, Triple-S settled the claims, which concerned potential HIPAA violations, for $3.5 million and agreed to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. So far in 2016, two more large settlements for claims relating to HIPAA violations have been announced by the HHS OCR. On March 16, 2016, North Memorial Health Care of Minnesota (North Memorial) agreed to pay $1.5 million to settle HIPAA violations for failing to enter into a Business Associate (BA) agreement with a major contractor and failing to address the risks and vulnerabilities to its patient information. The following day, the OCR announced a $3.9 million settlement with the Feinstein Institute for Medical Research (Feinstein) for violating the HIPAA Privacy and Security Rules.

North Memorial settlement

The case involved a breach report indicating that an unencrypted, password-protected laptop was stolen from a BA workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. The investigation revealed that North Memorial had given its BA, Accretive Health, Inc., access to the hospital database containing the ePHI of 289,904 patients, as Accretive performed services on-site, without establishing a BA agreement. An aggravating factor was that the organization had failed to complete a risk analysis addressing all of the potential risks and vulnerabilities to the ePHI in its entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. In addition to the monetary penalty, North Memorial was also required to develop an organization-wide risk analysis and risk management plan and to train its workforce members on all policies and procedures developed or revised pursuant to an approved corrective action plan.

Feinstein settlement

Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, in New York (Northwell), comprises twenty-one hospitals and over 450 patient facilities and physician practices. Northwell sponsors Feinstein, a New York not-for-profit biomedical research institute. Feinstein was investigated based on a breach report indicating that a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was, as in the North Memorial case, stolen from an employee’s car. The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. The OCR found that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. The organization also lacked policies and procedures for authorizing workforce members’ access to ePHI, failed to implement safeguards restricting access by unauthorized users, and lacked policies and procedures governing the receipt and removal of laptops containing ePHI into and out of its facilities. Feinstein also failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Tips and lessons learned from the settlements

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities to confidentiality, integrity, and availability.
  • Ensure security management processes are adequate to address potential ePHI risks and vulnerabilities.
  • Ensure laptops and mobile devices are properly encrypted and password protected.
  • Keep track of mobile devices and employee access; both are basic security requirements.
  • Ensure all contractors sign BA agreements.
  • Implement adequate policies/procedures for authorizing access to ePHI.
  • Implement safeguards to restrict access by unauthorized users.
  • Follow the basics in reviewing compliance for information security risks and PHI breaches.
  • Train the workforce on all policies and procedures developed or revised.
  • Implement policies/procedures governing receipt and removal of laptops containing ePHI and for controlling access to ePHI by workforce members and users.
  • Develop a corrective action plan to promptly address any weaknesses identified.
  • Ensure all research programs meet the same compliance standards as other HIPAA-covered entities, including assurance of privacy and security protection for the patients participating in their research projects.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.