The term “Meaningful Use” is the federal government’s way of describing the use of certified Electronic Health Record (EHR) technology, in a meaningful manner to achieve specific standards, namely:
- Improve quality, safety, efficiency, and reduce health disparities
- Engage patients and family
- Improve care coordination, and population and public health
- Maintain privacy and security of patient health information
Ultimately, it is hoped that the meaningful use compliance will result in:
- Better clinical outcomes
- Improved population health outcomes
- Increased transparency and efficiency
- Empowered individuals
- More robust research data on health systems
Final Rule Issued For Meaningful Use
In 2010, the Centers for Medicare and Medicaid Services (CMS) issued the final rule for the Meaningful Use program, the federal government’s program which encouraged health care providers to implement or upgrade EHR technology and standardize the exchange of patient clinical data between healthcare providers, between healthcare providers and insurers, and between healthcare providers and patients.
As an enticement for adopting EHR technology and satisfying the Meaningful Use requirements, eligible professionals (which includes physicians, nurse practitioners, dentists and certain physician assistants at federally qualified health centers or rural health clinics, as well as optometrists in certain states) would receive up to $44,000, while eligible hospitals would receive a base payment of $2 million.
According to CMS, as of March 2015, more than 447,000 health care providers received EHR incentive payments. From May 2011 to March 2015, health care providers received more than $20.2 billion in Medicare EHR incentive payments. Health care providers that participated in the Medicaid Meaningful Use program received more than $9.4 billion in EHR incentive payments between January 2011 and March 2015.
How Do Health Care Providers Qualify For Incentive Payments?
In order to qualify for payments, CMS required health providers to attest that they had met all of the EHR program requirements for at least a 90-day period within the 2011 or 2012 federal fiscal year and for the entire year thereafter.
The stakes are high for EHR program participants. If a health care provider fails to meet every single Meaningful Use requirement, it must forfeit the ENTIRE incentive payment. Additionally, if the health care provider KNOWINGLY failed to meet all of the Meaningful Use requirements but attested that all requirements had been met, ALL Medicare and Medicaid claims paid during the period of Meaningful Use compliance are deemed a violation of the False Claims Act.
False Claims Act
The False Claims Act imposes penalties on anyone who knowingly falsifies, forges, alters, or destroys documents to secure payment. A person found to have violated the False Claims Act is liable for a civil penalty for:
- Each claim of not less than $5,500 and not more than $11,000, plus
- Three times the amount of damages sustained by the federal government (treble damages).
For example, a health care provider that submitted 2,800 Medicaid claims (about 2.4 claims per six-day work week, excluding holidays) from 2011 to 2015 could be liable for $15.4 to $30.8 MILLION in penalties PLUS THREE TIMES the government’s damages.
How Does The Government Prove Fraud?
In order for the government to prove fraud, it must demonstrate that:
- A person makes a material false statement;
- The statement is false, and the person making the statement knows that it is false;
- The person making the statement intends to deceive or mislead the person to whom the statement was made with the expectation of receiving something of value;
- The person to whom the false statement is made is expected to rely on the statement to his/her detriment.
Meaningful Use Fraud Is On The Government’s Radar
In 2013, the Department of Health and Human Services’ Office of the Inspector General (OIG) identified fraudulent payments for Meaningful Use as an area of focus and investigation. CMS deputy director Robert Anthony stated that his organization would conduct compliance audits on 5% of all Meaningful Use program participants. According to Anthony, while CMS would use “desk audits” for the majority of reviews, it would conduct on-site audits as well.
Past audits identified several common findings including:
- Failure to conduct a data security risk assessment.
- Lack of adequate documentation to support attestation responses.
Also, Anthony mentioned that some providers were facing possible fraud investigations.
Recent Enforcement Activity
In April 2015, Joe White, the former Shelby Regional Medical Center (Shelby Regional) CFO, was ordered to pay more than $4.5 million in restitution for committing Meaningful Use fraud. White pleaded guilty to directing the medical center’s EHR vendor and hospital employees to manually enter data from paper records into the EHR system to meet the MU threshold criteria.
Also, White made false statements that other hospitals owned by Tariq Mahmood, MD had successfully completed the EHR conversion. In January 2013, White’s false attestation obtained over $785,000 in incentive payments for Shelby Regional.
Dr. Mahmood’s hospitals, including Shelby Regional, received almost $17 million in Meaningful Use incentive payments for fiscal years 2011 and 2012. Dr. Mahmood received nearly $313,000 in Medicare reimbursements from false claims and was sentenced to more than 11 years in prison for healthcare fraud, conspiracy to commit healthcare fraud and identity theft.
What’s HIPAA Got To Do With Meaningful Use?
One of the requirements to receive Meaningful Use incentive payments is to perform a data security risk assessment. One of HIPAA’s core requirements is that entities that create, receive, maintain or transmit electronic protected health information must conduct a risk assessment. In other words, complying with the HIPAA risk assessment requirement satisfies the Meaningful Use risk requirement. That should be a good thing, right?
In 2011 and 2012, OCR hired KPMG, one of the world’s largest audit, tax and advisory firms, to develop an audit tool and conduct onsite audits of 115 organizations. One of the audit findings was that almost 80% of audited health care providers lacked complete or accurate risk assessments.
Also, KPMG found that smaller health care providers had the most difficulty demonstrating compliance with all three of the HIPAA Standards.
In other words, there is a high probability that a smaller health care provider that has received Meaningful Use incentive payments lacks a complete or accurate risk assessment and, therefore, does not meet the minimum requirements to qualify for Meaningful Use payments.
HIPAA Audit Could Trigger Meaningful Use Audit And False Claims Act Penalties
A few weeks ago, the National Law Review reported that OCR had begun sending pre-audit screening surveys to covered entities for its next round of HIPAA audits (Phase 2 Audits). The focus of these audits will be selected HIPAA provisions and other HIPAA compliance “weak spots” identified in the earlier 2011-2012 audits.
Needless to say, assessing whether organizations have performed risk assessments will be a high priority given health care providers’ widespread non-compliance with this particular requirement. If an audit determines that a health care provider has not conducted a risk assessment, there is a possibility that the finding will be shared with CMS, OCR’s fellow HHS agency.
If OCR were to share its findings with CMS, this information could trigger repayment of Meaningful Use incentives, False Claims Act penalties and potential imprisonment. Also, if OCR identifies major compliance issues (not conducting a risk assessment is considered a major compliance issue), it will open an investigation that may result in settlements and financial penalties.
In short, not conducting a risk assessment could cost millions of dollars, imprisonment, exclusion from Medicaid and Medicare and loss of reputation.
What Should You Do?
In order to minimize the potential fines, penalties, imprisonment and exclusion that could result from not adhering to HIPAA’s risk assessment requirement, take at least the following steps:
- Review your organization’s most recent HIPAA risk assessment. If the risk assessment is more than one year old, conduct another HIPAA risk assessment as soon as possible.
- Review your risk assessment’s management action plan for remediating the identified findings. Determine whether the timeline for remediation is appropriate, given the risk associated with each finding.
- Review your organization’s most recent vulnerability tests, which assessed whether your organization is up to date on its software patches and malware protection. Ensure that your organization’s vulnerability remediation plan is prioritized to address the findings that pose the biggest and most harmful threats. If your organization’s vulnerability test is more than one year old, conduct another vulnerability test as soon as possible.
- Review your organization’s most recent penetration tests, which identify the security weaknesses in your computer systems that would allow an attacker to gain access to your systems, their functionality and their data. Ensure that your organization’s penetration test remediation plan is prioritized to address the findings that pose the biggest and most harmful threats.
- Ensure that your organization has an inventory of its information system assets, including mobile devices (whether corporate-owned or personal) that have access to PHI.
- Determine whether your system utilizes HHS-approved encryption technology to protect your organization’s protected health information.
- Engage a company that specializes in HIPAA compliance to review your organization’s risk assessment, remediation activities and overall compliance posture. Remember, an ounce of prevention is worth more than a pound of cure.
- Lastly, review the Meaningful Use requirements and ensure that your organization can provide documentation to support its attestation of compliance.
About The Author
Gregory Ewing is an attorney and a founder of Star Compliance Services, a compliance training and services company that provides simple training and materials that virtually anyone can understand and apply. He has more than 17 years of experience in health care compliance, transactional health law, health information technology, and privacy and security compliance, assessment, and remediation. Greg has worked in a variety of settings and provides general counsel, corporate compliance and HIPAA services to numerous health care organizations. His passion is helping Medicaid and Medicare providers successfully navigate the ever-evolving compliance landscape.