HIGHLIGHTS:

• Starting in 2015, eligible physicians and hospitals participating in the Medicare Electronic Health Records Incentive Program who do not adopt "meaningful" use" certified electronic health record (EHR) technology will no longer receive incentive payments but will face penalties in the form of a percentage reduction in their overall Medicare reimbursement.
• The Centers for Medicare and Medicaid Services (CMS) has proposed a number of revised regulations allowing eligible entities an extended timeline to upgrade the latest certified version of current EHR technology.

Since 2011, the Centers for Medicare and Medicaid Services (CMS) has provided incentive payments to eligible physicians and hospitals that adopt and "meaningfully use" certified electronic health record technology (CEHRT). However, multiple recent developments, including penalties for failure to achieve meaningful use objectives and increasingly high-stakes audits, have significantly altered the landscape for participating providers.

Background of EHR Incentive Programs

The EHR Incentive Programs were established in 2010 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.¹ Through these programs, CMS distributes incentive payments to eligible professionals (EPs) and eligible hospitals (EHs) that adopt and meaningfully use CEHRT, EHR technology certified by the Office of the National Coordinator for Health Information Technology (ONC). "Meaningful use" is based on specific objectives and clinical quality measures that pertain to the use of certain CEHRT functions. Each EP and EH must meet a specific set of "core" objectives, as well as a selection of "menu" objectives. For example, in Stage 1 of the Medicare EHR Incentive Program, every EP is required to meet 13 core objectives and five out of nine menu objectives.²

To demonstrate meaningful use of CEHRT, every EP and EH must attest to having met every applicable core objective and the required number of menu objectives as well as associated clinical quality measures. Attestation must be completed annually and is required in order to receive a meaningful use incentive payment for the applicable reporting year. Since 2011, CMS has paid over $23.4 billion in incentive payments to more than 608,000 entities.³

New Penalties for Failure to Meaningfully Use CEHRT

Currently, EPs and EHs that are not meaningful users of CEHRT do not receive the associated incentive payments. However, starting in 2015, such EPs and EHs participating in the Medicare EHR Incentive Program will incur potentially significant penalties, which CMS has characterized as "adjustments" to their overall Medicare reimbursements.⁴

Starting on Jan. 1, 2015, EPs that do not meaningful use CEHRT will be subject to a percentage reduction in their overall Medicare reimbursement under the Physician Fee Schedule (PFS) for the year. This reduction will begin at 1 percent in 2015 and will increase up to 5 percent by 1 percent increments each year. Therefore, EPs that are still not meaningful users of CEHRT in 2020 would receive only 95 percent of the amount specified in the PFS for that year. CMS will impose these penalties based on meaningful use in previous years, therefore EPs must have demonstrated meaningful use no later than 2014 in order to avoid these penalties in 2015. Specifically, EPs who first demonstrated meaningful use in either 2013 or 2014 must have been meaningful users for at least 90 days during their first year of use, and EPs who first demonstrated meaningful use in 2011 or 2012 must have been meaningful users for the entire year of 2013. To avoid penalties in subsequent years, EPs must have demonstrated meaningful use for the entire year for the two prior years.⁵

EHs that do not meaningfully use CEHRT will incur reduced updates in their Medicare reimbursements under the Inpatient Prospective Payment System (IPPS) starting on Oct. 1, 2014, when the fiscal year 2015 IPPS becomes effective. These reductions will begin at 25 percent in fiscal year 2015 and increase up to 75 percent by 25 percent increments per year.⁶ As with EPs, CMS will impose these penalties based on meaningful use in prior years. Specifically, EHs that first demonstrated meaningful use in 2011 or 2012 must have demonstrated meaningful use during the entire fiscal year 2013, while EHs that first demonstrated meaningful use in fiscal year 2013 must have done so for at least 90 days during that year. All other EHs must meaningfully use CEHRT for a period of at least 90 days during the first nine months of fiscal year 2014 (by July 1, 2014) to avoid penalties in fiscal year 2015. To avoid penalties in subsequent years, EPs must have demonstrated meaningful use for the entire year two years prior.⁷

In the event that they are unable to demonstrate meaningful use for reasons beyond their control, EPs and EHs that are granted a hardship exemption by CMS will be able to avoid any penalties, despite not being able to demonstrate meaningful use. However, these exemptions are only available in limited and very specific circumstances.

EPs may claim a hardship exemption based on the following circumstances:

• Lack of Infrastructure: The EP practiced in an area without sufficient Internet access to comply with the meaningful use objectives requiring Internet connectivity and faced insurmountable barriers to obtaining a sufficient Internet connection.
• Extreme or Uncontrollable Circumstances: The EP experienced a natural disaster, practice closure, bankruptcy/debt restructuring or EHR vendor issues, including loss of EHR vendor certification, closure of EHR vendor or 2014 EHR vendor certification issues and delays.
• Lack of Control Over Availability of CEHRT: The EP works at multiple locations and is unable to control the availability of CEHRT at one or more such locations that account for more than 50 percent of the EPs total patient encounters.
• Lack of Face-to-Face Interaction: The EP has a complete lack of face-to-face patient interaction and follow-up or such interactions are extremely rare and not part of the EPs' ordinary scope of practice.

In order to claim one of these exceptions, EPs must submit an application to CMS no later than July 1, 2014.⁸ If granted, the exception is valid for one year, and EPs may reapply annually for up to five years.

EHs may claim a hardship exemption based on the following circumstances:

• Lack of Infrastructure: the EH was located in an area without sufficient Internet access to comply with the Meaningful Use objectives requiring Internet connectivity and faced insurmountable barriers in obtaining sufficient Internet connectivity.
• New Eligible Hospitals: The EH was newly eligible to participate and thus did not have time to become a meaningful user for the entire attestation period.
• Unforeseen Circumstances: The EH experienced a natural disaster, closure, bankruptcy/debt re-structuring or EHR vendor issues, including loss of EHR vendor certification, closure of EHR vendor, or 2014 EHR vendor certification issues and delays.

The deadline for EHs to claim a hardship exception for fiscal year 2015 passed on April 1, 2014. However, the application to claim an exemption for fiscal year 2016 is expected to become available soon.

Meaningful Use Audits

Since 2012, CMS – through its contractor, Figliozzi and Company – has audited the meaningful use attestations of EPs and EHs that participate in the Medicare EHR Incentive Program or that are eligible for both the Medicare and Medicaid EHR Incentive Programs.⁹ However, with more entities participating and more incentive payments being distributed, the stakes of these audits have never been higher. A failed audit could result in CMS' recoupment of its incentive payments, and the discovery of knowingly false claims could lead to additional civil penalties and criminal prosecution.

An audit of a meaningful use attestation may be conducted either prior to or after (and potentially many years after) CMS' distribution of the associated incentive payment. The audit may be limited to verifying that the EP or EH had access to CEHRT during the attestation period or may encompass every core and menu objective and clinical quality measure to which the entity attested. Regardless of its timing and scope, every meaningful use audit will focus on the documentation that was used as the basis for the attestation. Therefore, in order to successfully complete the audit process, all EPs and EHs should maintain sufficient documentation to validate their attestations regarding every core and menu objective as well as every clinical quality measure. Certain objectives can be validated based on information generated by the CEHRT, but other objectives require alternative documentation. CMS has provided guidance on the type of documentation that is necessary to validate these objectives.¹⁰

Protection of Electronic Health Information Through a Security Risk Analysis

Of all meaningful use objectives, EPs and EHs alike have particularly struggled to document their efforts to protect electronic health information, a core objective that requires EPs and EHs conduct or review any security risk analysis and implement necessary updates.¹¹

The security risk analysis requirement is borrowed from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.¹² This rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI), and to implement security measures to reduce those risks.¹³

The government has published extensive guidance outlining how security risk assessments should be conducted. For example, in 2011, the National Institute of Standards and Technology (NIST) published a HIPAA Security Toolkit Application,¹⁴ and in Dec. 2013, CMS issued a tip sheet for conducting a data security risk analysis.¹⁵ Most recently, in March of 2014, the Department of Health and Human Services published a security risk assessment tool designed to help small- to medium-sized healthcare providers comply with HIPAA's risk analysis requirement.¹⁶

Under the Security Rule, most covered entities were required to conduct a documented risk analysis by April 21, 2005.¹⁷ However, many covered entities, including current participants in the EHR Incentive Programs, are likely not in full compliance with this requirement. Such entities may have not recently conducted a security risk analysis; have conducted an analysis that does not comply with NIST standards; or have conducted an analysis, but have not implemented the necessary updates to reduce the identified risks. Any such issues could potentially lead to a failed meaningful use audit.

Lessons Learned

In assisting many clients with security risk analyses and guiding others through meaningful use attestation and audits, a number of good lessons and best practices have been formulated. Although none of these lessons can guarantee a successful audit, they may ease the burden of the audit process and increase the chances of a successful outcome.

• In preparing an attestation, clearly understand exactly what documentation and other information will be necessary to meet each core and menu objective and clinical quality measure that will be included in the attestation. The provider should collect this information under the assumption that the attestation will be audited. This effort may require additional resources upfront, but entities will have much more difficulty identifying and collecting this information months or years later during an audit.
• Maintain all attestation documentation in a well organized, centralized location. CMS has recommended maintaining these records for at least six years following attestation. Due to the outside statute of limitations under the federal False Claims Act, it is typically recommended that these records be maintained for at least 10 years.¹⁸
• Do not rely on their EHR vendors to certify that they have met certain objectives or clinical quality measures in lieu of the proper documentation. Other than verifying that their customers have access to certified EHR technology, vendors generally do not have the ability to verify their customers' use of the technology.
• Check regularly for notification of an audit. Notifications are issued via email to the address provided during registration in the EHR Incentive Program, which may not be the email address of the administrator who coordinated the attestation that is subject to the audit. Thus, for example, notification of an EP's attestation could be sent directly to the physician, rather than the physician's office manager or administrative assistant. Moreover, audit notifications may come with no advance warning or follow-up reminders. It is therefore very easy to fail an audit simply for having missed the notification email.
• Upon receipt of an audit notification, understand the exact scope of the audit and the applicable deadlines to respond. Figliozzi may grant a short extension, but this could be limited to special circumstances.
• IIf unable to validate the attestation with the recommended documentation, it is critical to gather all documents that indicate that the EP or EH did, in fact, achieve the objective or clinical quality measure at issue. For example, if an EP did not perform a NIST-compliant security risk analysis during the attestation period, it may be able to document that an appropriate risk analysis and corrective actions, as necessary, were conducted with EHR maintenance logs, invoices from EHR vendors and other computer consultants, documented office protocols, minutes of internal compliance committee meetings or partner meetings, or staff training materials regarding data security. Such documents may be located among those records maintained in connection with the organization's other compliance documents from the HIPAA security official or privacy official's records, or the records related to selection of the EHR vendor. The entity's malpractice insurer may have reviewed the entity's EHR and conducted a risk assessment in connection with setting insurance premiums. Although not ideal, such alternative documentation may be sufficient to satisfy the audit, as long as it is responsive to the objective and pertains to the EP or EH with regard to the audit during the correct attestation period.
• Do not under any circumstances knowingly provide false information as part of a meaningful use attestation. Knowingly providing false information, such as attesting to an objective that the entity knows it has not actually achieved, could lead to civil penalties or criminal prosecution under the federal False Claims Act, among other federal statutes.

Ultimately, it is not possible to predict with certainty whether a given attestation will be audited or whether the response to an audit will be successful. However, these lessons could potentially ease the burden of responding to an audit and increase the likelihood that the response will be successful.

CMS Proposes Additional Flexibility in Meaningful Use Attestation

To date, EHR systems have been certified under standards established by the ONC in 2011. However, under current regulations, all EPs and EHs participating in either the Medicare or Medicaid EHR Incentive Program must upgrade their systems to be certified under new 2014 standards.¹⁹ However, since the 2014 standards were issued, many EHR vendors have not been able to upgrade their products or obtain certification of their upgraded products from ONC. Moreover, the large number of EPs and EHs in need of upgraded software has created significant backlogs for vendors, who simply have not been able to install their upgraded products fast enough for EPs and EHs to meet upcoming attestation deadlines. In response, CMS has proposed revisions to its regulations that would extend the timeline EPs and EHs have to adopt EHR technology certified to 2014 standards and attest to certain meaningful use objectives.²⁰ Specifically, CMS has proposed:

• EPs and EHs that cannot attest to meaningful use based on 2014 standards in the current reporting cycle may attest to meaningful use based on 2011 standards or a combination of 2011 and 2014 standards. Exclusive use of 2014 CEHRT will not be required until the 2015 meaningful use attestation cycle.
• To avoid incentivizing adoption of an outdated product, EPs and EHs that seek to adopt, implement or upgrade to certified EHR technology in their first year of participation must adopt, implement or upgrade to 2014 CEHRT. As a result, EHR vendors will not be able to sell 2011 CEHRT as certified EHR technology.
• EPs and EHs that attest to meaningful use in 2014 based on 2011 standards will be required to attest to 2013 Stage 1 objectives and associated clinical measures, regardless of their current stage of meaningful use.
• EPs and EHs that utilize a combination of 2011 and 2014 standards may attest to meaningful use in 2014 based on either 2013 or 2014 Stage 1 objectives and associated clinical measures.
• EHs and EPs that are scheduled to begin Stage 2 in 2014 may attest to meaningful use in 2014 based on 2014 Stage 1 objectives and associated clinical measures.
• EPs and EHs that began participating in the EHR Incentive Program in 2011 or 2012 may continue to attest to meaningful use based on Stage 2 objectives and measures for an additional year before having to transition to Stage 3 objectives and measures in 2017, rather than in 2016 as currently required.
• EPs and EHs would be given additional flexibility in their reporting of certain clinical quality measures as part of their 2014 meaningful use attestation.

In order to take advantage of any of these changes, EPs and EHs would have to attest that they were unable to fully implement 2014 standards because of issues related to delays in its availability from EHR vendors.

CMS is currently accepting comments in response to these proposed changes until July 21, 2014. Because the changes that CMS has proposed could substantially impact the attestation process for 2014 and subsequent years, all interested stakeholders (including EPs and EHs) should consider commenting on these proposed rules.

Higher Stakes of Participation in EHR Incentve Programs Require Greater Diligence in Demonstrating Meaningful Use

CMS has distributed billions of dollars to EPs and EHs to incentivize the adoption of EHR technology, and these incentive programs have attracted significant participation among eligible EPs and EHs. However, the transition to penalties for failure to meaningfully use CEHRT and the increased stakes of meaningful use audits have substantially altered the landscape for participating entities. They must now be more diligent in rigorously documenting their achievement of all applicable core and menu objectives and clinical quality measures. Failure to adhere to these recordkeeping standards could lead to forfeiture of previously issued incentive payments, civil penalties or criminal prosecution. Moreover, the terms of these requirements remain subject to change throughout the rulemaking process. All participating entities should carefully consider the potential impact of these rulemakings on their ability to attest to meaningful use of CEHRT and the possible value of submitting comments to CMS.

Notes

¹See Pub. L 111-5, Tit. XII, 123 Stat. 115, 111^th Cong, Feb. 17, 2009.

²The lists of core and menu objectives for EPs and EHs were revised for Stage 2 of the Medicare EHR Incentive Program and are expected to be revised further for Stage 3, which is not scheduled to begin until 2016. EPs and EHs participating in the Medicaid EHR Incentive Program are subject to similarly structured sets of core and menu objectives, although specific objectives many vary between the two programs.

³See CMS, Combined Medicare and Medicaid payments By State, Jan. 2011 - Apr. 2014 (Apr. 2014), available at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/April2014_
PaymentsbyStatebyProgram.pdf.

⁴These penalties do not apply to participants in the Medicaid EHR Incentive Program.

⁵Penalties in 2016 will be based on only 90 days of meaningful use in 2014.

⁶Thus, if an EH is not a meaningful user on Oct. 1, 2015 and the fiscal year 2015 IPPS provides for a 2 percent increase, then that EH will receive an increase of just 1.5 percent. If that EH still fails to become a meaningful user by Oct. 1, 2016 and the fiscal year 2017 IPPS provides for a 2 percent increase, the EH will receive an increase of just 0.5 percent. Moreover, these reduced increases are cumulative for each year that the EH fails to become a meaningful user.

⁷Penalties in 2020 will be based on meaningful use in 2019, not 2018.

⁸See CMS, Eligible Professional 2015 Hardship Exception Application, available at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/HardshipException
_EP_Application.pdf.

⁹Entities that participate in the Medicaid EHR Incentive program and are not dually eligible for the Medicare program are subject to audit by the states.

¹⁰See CMS, EHR Incentive Programs: Supporting Documentation for Meaningful Use Audits (Feb. 2013), available at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Supporting
Documentation_Audits.pdf. For example, documentation of objectives related to conducting drug-drug interaction checks or drug formulary checks should be validated by screenshots of the EHR system showing the appropriate information and dated within the applicable attestation period.

¹¹See 42 C.F.R. §495.6(d)(15).

¹²HIPAA is codified at 42 U.S.C. §1320d through d-9. The HIPAA Security Rule is found at 45 C.F.R Parts 160 and Subparts A and C of Part 164. The specific parameters of the security risk analysis are set forth in 45 C.F.R. §164.308(a)(1)(ii).

¹³See 45 C.F.R. §164.308(a)(1)(ii).

¹⁴See NIST, HIPAA Security Rule Toolkit, available at http://scap.nist.gov/hipaa/.

¹⁵See CMS, Security Risk Analysis Tipsheet: Protecting Patients' Health Information (Dec. 2013), available at http://cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRisk
Assessment_FactSheet_Updated20131122.pdf.

¹⁶See ONC, Security Risk Assessment, available at http://www.healthit.gov/providers-professionals/security-risk-assessment.

¹⁷See Centers for Medicare & Medicaid Services, Health Insurance Reform: Security Standards, 68 Fed. Reg. 8,334 (Feb. 20, 2003).

¹⁸ See 31 U.S.C. §3731(b) (indicating that a civil action under §3730 may not be brought more than six years after the date on which the violation of section 3729 is committed, or more than three years after the date when material facts are or should have been known, but in no event more than 10 years after the date on which the violation is committed, whichever occurs last).

¹⁹See 45 C.F.R. §170.102.

²⁰See Centers for Medicare & Medicaid Services, Modifications to the Medicare and Medicaid Electronic Health Record Incentive Programs for 2014, 79 Fed. Reg. 29,732 (May 23, 2014).