HHS OIG Takes Aim At CMS’ Oversight Of Electronic Health Records Incentive Program


On November 29, 2012, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a report raising concerns about the Centers for Medicare and Medicaid Services’ (CMS) oversight of the Medicare electronic health record (EHR) incentive program.  The report was based on a review of healthcare professionals’ and hospitals’ meaningful use of certified EHR technology (i.e., the computerized systems that store health-related patient information) from May to December 2011.  The report pertains solely to the Medicare program, as an earlier OIG report focused on Medicaid incentive programs.

CMS EHR Incentive Program

Both Medicare and Medicaid EHR incentive programs were established under the American Recovery and Reinvestment Act to promote the use of EHR technology by eligible healthcare professionals and hospitals.  The federal government has paid $8 billion to providers in 2011-2012 under these incentive programs.  The government invested heavily in its effort to broaden the use of EHR on the theory that greater use of electronic records could reduce healthcare costs and improve patient care.           

The Medicare EHR incentive program started in 2011, and incentive payments under the program will continue until 2016.  Between May 2011 and September 2012, CMS has paid $4 billion to 82,535 professionals and 1,474 hospitals under the program.  The incentive plan, however, is a dual-edge sword in that providers who fail to adopt and meaningfully use EHR technology by 2015 will be subject to Medicare payment reductions.           

Under the Medicare program, professionals and hospitals qualify for incentive payments if they 
(1) possess certified EHR technology, (2) meaningfully use that technology for a 90-day period in the first year and for the entire year thereafter, and (3) demonstrate meaningful use through online self-reporting for each year they wish to receive a payment.  The program requires providers to use certain technology functions meant to improve patient care, such as computerized provider order entry, electronic prescribing, drug interaction checks, and electronic exchange of key clinical information.  Providers are then required to self-report meaningful use measures that have specified criteria for performing either a one time action (yes/no measures) or an action for a certain percentage of patients (percentage-based measures).  To obtain incentive payments, professionals must demonstrate that they meet the criteria for 20 measures and hospitals must show that they meet the criteria for 19 measures.           

CMS monitors professionals’ and hospitals’ meaningful use of EHR both before and after incentive payments.  The online system performs prepayment validations, which are automatic checks that confirm that the self-reported information meets criteria and percentage-based measures are calculated correctly.  In addition, CMS will conduct post-payment audits of professionals and hospitals that are selected based on risk analysis. 

OIG Report on CMS Oversight

The OIG conducted the review to obtain an early assessment of CMS’s oversight of the Medicare incentive program in order to identify any potential vulnerabilities.  To accomplish its objective, the OIG examined meaningful use data for 26,653 professionals and 668 hospitals, analyzed CMS’s audit processes, and interviewed CMS staff.  The OIG did not review the accuracy of incentive payment amounts or audit any provider’s self-reported information.           

In the report, the OIG concluded that CMS’s oversight of the Medicare EHR incentive program “leave[s] the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements.”  The OIG found deficiencies in both CMS’s prepayment safeguards and postpayment audits.  Moreover, the OIG determined that the Office of the National Coordinator for Health Information Technology’s (ONC) requirements for EHR reports may contribute to CMS’s oversight issues.           

Specifically, the OIG found that CMS, while ensuring that required data is submitted, does not take steps (such as using independent data sources or providers’ supporting documentation) to confirm its accuracy.  The OIG also found CMS’s post-payment audits may be inadequate to verify the accuracy of self-reported meaningful use information because only a subset of the required measures (percentage-based measures but not yes/no measures) are reported, at least one prominent EHR vendor’s technology produced inaccurate reports, and CMS has not specified the documentation that may be relied upon during audits.  To correct the identified vulnerabilities, the OIG recommended that:

  1. Before payment, CMS obtain and review supporting documentation from providers identified using risk analysis to verify in advance the accuracy of their self-reported information and thereby avoid the classic “pay and chase” model that CMS has disavowed;
  2. CMS issue guidance that explains the supporting documentation that should be maintained by professionals and hospitals to demonstrate meaningful use of EHR technology;    
  3. ONC require that certified EHR technology be capable of producing reports for all meaningful use measures; and
  4. ONC improve the certification process to ensure that EHR technology produces accurate reports of meaningful use measures.            

CMS disagreed with the first recommendation.  CMS stated that prepayment reviews were unnecessary because “a number of prepayment verification edits ... ensure that providers are eligible to participate in the Medicare EHR Incentive Program.”  CMS also maintained that conducting prepayment reviews would pose timing issues for providers after their first year of participation and could delay incentive payments.  CMS, however, concurred with the second recommendation and explained that it is currently drafting an FAQ that will provide guidance on the types of documentation that should be maintained to demonstrate compliance.           

ONC accepted both recommendations with regard to EHR technology certification.  ONC explained that it will request recommendations from its two advisory committees on requiring certified EHRs to generate reports on yes/no measures as well as percentage-based measures.  In addition, ONC noted that its most recent rule included more rigorous testing requirements for certified EHR technology and it plans to work with stakeholders to develop more comprehensive test procedures.

Electronic Records Linked to Fraud

The OIG report comes on the heels of recent media reports linking greater use of electronic health records to fraudulent billing practices.  On September 24, 2012, HHS Secretary Sebelius and Attorney General Holder sent a letter to several hospital industry associations, warning that there are “troubling indications” that some providers are using technology to “game the system” and obtain payments to which they are not entitled.  The letter cited two examples of such fraud, including “cloning” of medical records to inflate what providers get paid and “upcoding” the intensity of care or severity of patients’ condition as a means to profit with no commensurate improvement in the quality of care.  The letter advised that law enforcement was closely monitoring the fraudulent use of electronic healthcare records and would take appropriate steps to pursue healthcare providers who engage in such fraud.  This is something of an ironic concern given that governmental promotion of EHR has been touted as improving care by facilitating more comprehensive medical record documentation.  Obviously, the government is concerned that the ease with which documentation can be generated may cause unscrupulous providers to document care that they do not actually deliver.


The government has made a huge investment to encourage greater use of electronic healthcare records.  Providers have substantial financial incentive to adopt and use EHR, both obtaining incentive payments and later avoiding reduced reimbursement.   While this effort may, in the long run, reduce healthcare costs, there have been unintended consequences that have raised alarm bells at HHS and DOJ.  First, CMS’s reliance on self-reported information to determine the eligibility of providers for incentive payments may force the government to employ the dreaded “pay and chase” model to recover incentive payments made to providers that did not actually meet “meaningful use” requirements.  Second, while the Medicare EHR incentive program was designed to reduce costs, it has apparently made it easier for some providers to inflate or falsify billings with the click of a mouse. 

Given the billions of dollars that the government is spending on incentive payments as well as the billions of dollars that the government spends every year on Medicare reimbursement, there is no doubt that there will be mounting political pressure for DOJ and HHS to investigate and hold accountable those who have gamed the system.  The recent warning letter sent by Secretary Sebelius and Attorney General Holder, in conjunction with the findings of the OIG report, were intended to remind providers that they must be vigilant in policing their own billing practices, including their eligibility for EHR incentive payments.  Careful analysis of meaningful use compliance will be an ongoing issue, particularly as reimbursement levels are tied to its existence and the associated provider certifications.  Providers are well advised to adopt and maintain regular and careful legal review of their policies and practices to ensure full compliance with meaningful use requirements.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising

Written by:


Perkins Coie on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.