Recently, the Office of Inspector General (“OIG”) released a Work Plan to identify the reviews and investigations that the OIG intends to pursue in 2013. Notwithstanding the federal government’s initiatives to encourage the adoption of Electronic Health Record (“EHR”), EHR systems will be a focus of several OIG reviews. The OIG’s goal is to protect the integrity of the Medicare program and evaluate the Department of Health and Human Resources (DHHS) programs. Ultimately, the OIG Work Plan highlights areas where the government enforcement actions are historically focused and areas that providers should address through their compliance programs.
In 2009, the American Recovery and Reinvestment Act (“Stimulus Act”) created the DHHS EHR financial incentive program. This program provided financial incentives to healthcare providers, including hospitals and physicians, that adopt, implement and meaningfully use certified EHRs. Over $20 billion was dedicated to this EHR financial incentive program, and payments commenced in 2011. The Stimulus Act also included the Health Information Technology for Education and Clinical Health Act (“HITECH”), which enhanced the obligations and penalties under the Health Insurance Portability and Accountability Act (“HIPAA”).
In 2013, the OIG will be focused on determining whether the EHR meaningful use payments were correctly paid and whether EHR systems are susceptible to causing fraud in the Medicare payment system. In addition, the OIG intends to evaluate how the enhanced penalties and obligations of HIPAA are enforced by the Office of Civil Rights (“OCR”) as well as providers’ compliance with the breach notification rules created by HITECH. The reviews outlined by the OIG for 2013 turn the table from the Stimulus Act financial incentives being a reward for implementing and using EHRs to a vulnerable area where providers may be subject to a governmental audit.
Specifically, the OIG intends to “review Medicare incentive payment data from 2011 to identify payments to providers that should not have received incentive payments (e.g., those not meeting selected meaningful use criteria).” Further, for the Medicaid program, the OIG will review whether the Medicaid financial incentives to “providers to purchase, implement, and operate EHR technology were claimed in accordance with Medicaid requirements.” Therefore, the same providers who proactively engaged in this program may be required to respond to government inquiries and audits to ensure the funding was proper.
Further, when a provider adopts an EHR, the EHR is often designed to serve as a tool to ensure the provider captures all of the documentation necessary to describe the services rendered and support reimbursement. The government has historically taken the position that if a medical record lacks documentation, the provider should not be paid for the service. Moreover, in order to receive payment, healthcare providers must code the claims submitted to the government with specific codes that describe the services rendered. Coding for a service is a very complex process that requires specialized skills and expertise. Because there are so many rules related to documentation and coding, coding can be a very confusing and difficult task for any provider. EHR systems often assist providers in ensuring the proper documentation is present and that the information necessary to support the coding rules is captured. These EHR capabilities appear to have raised concerns, and in 2013 the OIG will review the potential fraud vulnerabilities created by EHR systems through the functionality that was intended to assist providers.
In addition to monitoring EHRs and the financial incentive program, the OIG will also review the OCR investigation policies and review whether OCR is complying with the enhanced penalty rules created by the Stimulus Act. OCR also enforces the healthcare provider’s obligation to notify individuals when the patient’s protected health information is unsecured and there is a breach. The OIG will evaluate how OCR has investigated breaches and determine if providers have adequate policies and procedures to address the breach notification requirements. The OIG will also focus upon whether providers have policies and procedures in effect to mitigate the potential harm caused by a breach. Within the last several months, OCR instituted multi-million-dollar penalties against healthcare providers ranging from physician practices to large hospitals and insurance companies, due to failure to comply with HIPAA or HITECH. These requirements included maintaining policies and procedures that comply with HIPAA and HITECH.
Due to this increased emphasis on reviewing the Stimulus Act programs, the OCR and providers’ compliance, it is essential for all healthcare providers to ensure their policies and procedures related to HIPAA, HITECH and the breach notification rule are complete and compliant. Likewise, in order to mitigate the risk of an extensive government audit on the meaningful use payments, providers should stay focused upon the OIG Work Plan and proactively conduct internal audits through their compliance programs. The compliance program audits should include a review that determines whether the provider complied with the meaningful use requirements and whether there is adequate documentation to establish compliance with the laws. A provider’s compliance program is essential to prevent improper activities and to proactively address potential vulnerabilities before government enforcement actions commence.