HHS OIG Takes Aim At CMS’ Oversight Of Electronic Health Records Incentive Program

by Perkins Coie

On November 29, 2012, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a report raising concerns about the Centers for Medicare and Medicaid Services’ (CMS) oversight of the Medicare electronic health record (EHR) incentive program.  The report was based on a review of healthcare professionals’ and hospitals’ meaningful use of certified EHR technology (i.e., the computerized systems that store health-related patient information) from May to December 2011.  The report pertains solely to the Medicare program, as an earlier OIG report focused on Medicaid incentive programs.

CMS EHR Incentive Program

Both Medicare and Medicaid EHR incentive programs were established under the American Recovery and Reinvestment Act to promote the use of EHR technology by eligible healthcare professionals and hospitals.  The federal government has paid $8 billion to providers in 2011-2012 under these incentive programs.  The government invested heavily in its effort to broaden the use of EHR on the theory that greater use of electronic records could reduce healthcare costs and improve patient care.           

The Medicare EHR incentive program started in 2011, and incentive payments under the program will continue until 2016.  Between May 2011 and September 2012, CMS has paid $4 billion to 82,535 professionals and 1,474 hospitals under the program.  The incentive plan, however, is a dual-edge sword in that providers who fail to adopt and meaningfully use EHR technology by 2015 will be subject to Medicare payment reductions.           

Under the Medicare program, professionals and hospitals qualify for incentive payments if they 
(1) possess certified EHR technology, (2) meaningfully use that technology for a 90-day period in the first year and for the entire year thereafter, and (3) demonstrate meaningful use through online self-reporting for each year they wish to receive a payment.  The program requires providers to use certain technology functions meant to improve patient care, such as computerized provider order entry, electronic prescribing, drug interaction checks, and electronic exchange of key clinical information.  Providers are then required to self-report meaningful use measures that have specified criteria for performing either a one time action (yes/no measures) or an action for a certain percentage of patients (percentage-based measures).  To obtain incentive payments, professionals must demonstrate that they meet the criteria for 20 measures and hospitals must show that they meet the criteria for 19 measures.           

CMS monitors professionals’ and hospitals’ meaningful use of EHR both before and after incentive payments.  The online system performs prepayment validations, which are automatic checks that confirm that the self-reported information meets criteria and percentage-based measures are calculated correctly.  In addition, CMS will conduct post-payment audits of professionals and hospitals that are selected based on risk analysis. 

OIG Report on CMS Oversight

The OIG conducted the review to obtain an early assessment of CMS’s oversight of the Medicare incentive program in order to identify any potential vulnerabilities.  To accomplish its objective, the OIG examined meaningful use data for 26,653 professionals and 668 hospitals, analyzed CMS’s audit processes, and interviewed CMS staff.  The OIG did not review the accuracy of incentive payment amounts or audit any provider’s self-reported information.           

In the report, the OIG concluded that CMS’s oversight of the Medicare EHR incentive program “leave[s] the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements.”  The OIG found deficiencies in both CMS’s prepayment safeguards and postpayment audits.  Moreover, the OIG determined that the Office of the National Coordinator for Health Information Technology’s (ONC) requirements for EHR reports may contribute to CMS’s oversight issues.           

Specifically, the OIG found that CMS, while ensuring that required data is submitted, does not take steps (such as using independent data sources or providers’ supporting documentation) to confirm its accuracy.  The OIG also found CMS’s post-payment audits may be inadequate to verify the accuracy of self-reported meaningful use information because only a subset of the required measures (percentage-based measures but not yes/no measures) are reported, at least one prominent EHR vendor’s technology produced inaccurate reports, and CMS has not specified the documentation that may be relied upon during audits.  To correct the identified vulnerabilities, the OIG recommended that:

  1. Before payment, CMS obtain and review supporting documentation from providers identified using risk analysis to verify in advance the accuracy of their self-reported information and thereby avoid the classic “pay and chase” model that CMS has disavowed;
  2. CMS issue guidance that explains the supporting documentation that should be maintained by professionals and hospitals to demonstrate meaningful use of EHR technology;    
  3. ONC require that certified EHR technology be capable of producing reports for all meaningful use measures; and
  4. ONC improve the certification process to ensure that EHR technology produces accurate reports of meaningful use measures.            

CMS disagreed with the first recommendation.  CMS stated that prepayment reviews were unnecessary because “a number of prepayment verification edits ... ensure that providers are eligible to participate in the Medicare EHR Incentive Program.”  CMS also maintained that conducting prepayment reviews would pose timing issues for providers after their first year of participation and could delay incentive payments.  CMS, however, concurred with the second recommendation and explained that it is currently drafting an FAQ that will provide guidance on the types of documentation that should be maintained to demonstrate compliance.           

ONC accepted both recommendations with regard to EHR technology certification.  ONC explained that it will request recommendations from its two advisory committees on requiring certified EHRs to generate reports on yes/no measures as well as percentage-based measures.  In addition, ONC noted that its most recent rule included more rigorous testing requirements for certified EHR technology and it plans to work with stakeholders to develop more comprehensive test procedures.

Electronic Records Linked to Fraud

The OIG report comes on the heels of recent media reports linking greater use of electronic health records to fraudulent billing practices.  On September 24, 2012, HHS Secretary Sebelius and Attorney General Holder sent a letter to several hospital industry associations, warning that there are “troubling indications” that some providers are using technology to “game the system” and obtain payments to which they are not entitled.  The letter cited two examples of such fraud, including “cloning” of medical records to inflate what providers get paid and “upcoding” the intensity of care or severity of patients’ condition as a means to profit with no commensurate improvement in the quality of care.  The letter advised that law enforcement was closely monitoring the fraudulent use of electronic healthcare records and would take appropriate steps to pursue healthcare providers who engage in such fraud.  This is something of an ironic concern given that governmental promotion of EHR has been touted as improving care by facilitating more comprehensive medical record documentation.  Obviously, the government is concerned that the ease with which documentation can be generated may cause unscrupulous providers to document care that they do not actually deliver.


The government has made a huge investment to encourage greater use of electronic healthcare records.  Providers have substantial financial incentive to adopt and use EHR, both obtaining incentive payments and later avoiding reduced reimbursement.   While this effort may, in the long run, reduce healthcare costs, there have been unintended consequences that have raised alarm bells at HHS and DOJ.  First, CMS’s reliance on self-reported information to determine the eligibility of providers for incentive payments may force the government to employ the dreaded “pay and chase” model to recover incentive payments made to providers that did not actually meet “meaningful use” requirements.  Second, while the Medicare EHR incentive program was designed to reduce costs, it has apparently made it easier for some providers to inflate or falsify billings with the click of a mouse. 

Given the billions of dollars that the government is spending on incentive payments as well as the billions of dollars that the government spends every year on Medicare reimbursement, there is no doubt that there will be mounting political pressure for DOJ and HHS to investigate and hold accountable those who have gamed the system.  The recent warning letter sent by Secretary Sebelius and Attorney General Holder, in conjunction with the findings of the OIG report, were intended to remind providers that they must be vigilant in policing their own billing practices, including their eligibility for EHR incentive payments.  Careful analysis of meaningful use compliance will be an ongoing issue, particularly as reimbursement levels are tied to its existence and the associated provider certifications.  Providers are well advised to adopt and maintain regular and careful legal review of their policies and practices to ensure full compliance with meaningful use requirements.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising

Written by:

Perkins Coie

Perkins Coie on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.