OIG Report Estimates CMS Overpaid $729M in MU Payments; How Concerning are the Findings?

June 14, 2017
During a three-year span starting in 2011, CMS overpaid an estimated $729 million in Medicare EHR incentive payments to eligible professionals who did not comply with federal meaningful use requirements, according to an OIG report.

During a three-year span starting in 2011, the Centers for Medicare & Medicaid Services (CMS) overpaid an estimated $729 million in Medicare electronic health record (EHR) incentive payments to eligible professionals (EPs) who did not comply with federal meaningful use requirements, according to a report released this week from the Department of Health and Human Services’ Office of Inspector General (OIG).

In addition, CMS paid $2.3 million in inappropriate EHR incentive payments to eligible professionals who switched incentive programs, according to the report from OIG, the largest inspector general's office in the federal government.

As part of the federal EHR incentive program, the government has made $6 billion in payments as of June 2014 to EPs who demonstrate “meaningful use” of the technology (This specific report did not include eligible hospitals, as CMS had paid out some $36 billion in incentive payments to all program participants). But after a random sample of 100 EPs who received at least one payment during the three-year audit period and reviewed support for their attestations to meaningful use measures—as well as a review of all payments made to deceased EPs and to EPs who switched between Medicare and Medicaid programs—OIG revealed that CMS did not always make EHR incentive payments to EPs in accordance with federal requirements. 

On the basis of the sample of 100 EPs, OIG identified 14 EPs with payments totaling $291,222 that did not meet the meaningful use requirements “because of insufficient attestation support, inappropriate reported meaningful use periods, or insufficiently used certified EHR technology.” On the basis of these sample results, OIG estimated that CMS inappropriately paid $729,424,395 in incentive payments to EPs who did not meet meaningful use requirements—or 12 percent of total payments made in this time period.

According to the report, these errors occurred because sampled EPs “did not maintain support for their attestations.”  Furthermore, CMS conducted minimal documentation reviews of self-attestations, “leaving the EHR program vulnerable to abuse and misuse of federal funds.” CMS also made EHR incentive payments that were not in accordance with the program-year payment requirements when EPs switched between Medicare and Medicaid incentive programs, OIG reported. Specifically, they identified 471 EHR incentive payments totaling $2,344,680 that CMS made to EPs for the wrong payment year. “These errors occurred because CMS did not have edits in place to ensure that EPs who switched from one program to the other were placed in the correct payment year upon switching,” OIG reported.

Drilling down into the specifics of the report, and why the sampled EPs should not have been awarded these incentive payments, some of them did not maintain or provide attestation support when OIG asked for it. Of the 100 EPs in the sample, 12 could not provide support for the measures to which they attested: six EPs could not provide a security risk assessment; four EPs could not provide support that they had generated at least one report listing patients with a specific condition; and three EPs could not provide required documentation in the form of patient encounter data for the measures to which they self-attested. This resulted in $253,622 in “inappropriate” incentive payments, according to OIG.

Meanwhile, another statistically sampled EP based his attestation of meaningful use on 90 days of encounter data instead of a full calendar year, as required, resulting in an inappropriate incentive payment of $11,760. Another had less than 20 percent of his patient encounters at a location that used certified EHR technology and did not meet the 50 percent or more threshold, resulting in faulty payments of $25,840.

What’s the Fallout?

When he first heard about OIG’s findings, Jeffrey Smith, vice president of public policy at the Washington, D.C.-based American Medical Informatics Association (AMIA), thought about how these results compare to those of other CMS programs. He referenced a 2015 Government Accountability Office (GAO) report on Medicare which found that roughly 10 percent of the program’s budget was lost to fraud, abuse and improper payments. So in that sense, the 12 percent estimation in this OIG report is in line with previous findings, Smith notes.

But Smith also ponders a key question that many others are likely wondering too: are the results of this report more a problem of EPs receiving inappropriate payments or is it an issue of failing to provide sufficient enough proof when audited? He notes that on the physician side, the meaningful use program requirements from 2011 to 2014 were very similar to what was required for hospitals. “So having worked with CIOs around the audit issue for a while, it was an intensive program and you needed to have a lot of systems and controls in place to ensure that your audits went smoothly,” says Smith.

For example, he notes that one thing the meaningful use program used to require was having clinical decision alerts; to meet the threshold physicians had to have five of these alerts, such as having your system flag a high medication dosage. So if an auditor comes into the organization and asks the provider to show that these alerts are working, the provider might be able to prove it at that point in time, but then the auditor might ask to prove that these alerts have been in effect throughout the entire meaningful use reporting period. And in that case, the EP would have had to take a screenshot of the alert every day of the year to prove that. “So you can see where this might become a problem,” says Smith.

As such, Smith feels that for this OIG report, the findings were probably a mix of inappropriate payments from the government along with the inability of EPs to prove to the inspector that they attested—even if they did. “There were folks in 2011 or 2012 who didn’t know they had to be [complying] in this manner,” says Smith. “EPs were at a distinct disadvantage when it came to compliance. One can be forgiven for spending a lot of time working with vendors to make sure the technology works how it’s supposed to, but essentially not having their compliance data and proof to back it up. Hospitals have much more resources and probably have a compliance team to back them up,” he notes.

Smith adds that if there was a magical, all-inclusive audit log in which providers can submit all the data they have accumulated, that would be more foolproof, but without that, fraud, waste and abuse are simply part of the system that’s in place. “Self-attestation lends itself to a whole bunch of problems,” he says. “It’s just something that’s going to happen. I think it would be a waste of time to overreact to this if you’re the federal government, but it should serve as a warning call—especially if there are egregious cases. So energy should be focused on those who are clearly doing bad things,” he says.

Smith also wonders if the sample size used in this report is representative enough of the bigger picture. As mentioned above, OIG only sampled 100 EPs to come up with its estimate of $729 million in program overpayments. But, Smith also says that while it’s fair to question the sample, because CMS and OIG have been very focused on fraud, waste and abuse in federal programs in the past, “You’d have to assume their methodology is sound.”

In this report, OIG offers several recommendations to CMS given the above findings, including:

  • Recovering the $291,222 in payments made to the sampled EPs who did not meet meaningful use requirements
  • Reviewing EP incentive payments to determine which EPs did not meet meaningful use measures for each applicable program year to attempt recovery of the $729,424,395 in estimated inappropriate incentive payments
  • Reviewing a random sample of EPs’ documentation supporting their self-attestations to identify inappropriate incentive payments that may have been made after the audit period,
  • Educating EPs on proper documentation requirements
  • Recovering $2,344,680 in overpayments made to EPs after they switched programs,
  • Employing edits within the NLR (National Level Repository) system to ensure that an EP does not receive payments under both EHR incentive programs for the same program year. 

Finally, as CMS implements MACRA (the Medicare Access and CHIP Reauthorization Act of 2015), OIG recommends that any modifications that any modifications to the EHR meaningful use requirements “include stronger program integrity safeguards that allow for more consistent verification of the reporting of required measures so that CMS can ensure that EPs are using EHR technology consistent with CMS’s goal of Advancing Care Information under MIPS.”

In response to this report, CMS told OIG that the agency concurred with the first, fourth, fifth and sixth of the above recommendations, and partially concurred with the second and third suggestions, stating that it has implemented targeted risk-based audits to strengthen program integrity and will continue to do so in 2017.

Healthcare Informatics reached out to CMS for an official statement from the agency, to which they replied, “This Administration is committed to turning the page and ushering in a new era of accountability.  Providing high-quality care to Medicare beneficiaries while being responsible stewards of taxpayer dollars remains a top CMS priority, and we recognize the value data validation and auditing bring to our programs.  We stand committed to safeguarding federal funding by leveraging proven and new program integrity tools to prevent and identify waste, fraud, and abuse,” CMS officials said.