SecureState Blog


The Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) announced its first investigation into alleged fraud of the 2013 EHR Financial Incentive Program, by the now-shuttered Shelby Regional Medical Center (SRMC), in Center, Texas. Specifically, their former CFO may have filed false attestations of meeting the program’s requirements and subsequently SRMC received $785,000.

The Meaningful Use program provides financial incentives to eligible professionals, hospitals and critical access hospitals (CAHs) to adopt, implement, and demonstrate certified Electronic Health Record (EHR) technology, processes, and security. To qualify, organizations must attest to meeting specific Meaningful Use criteria no later than March 31, 2014.

It appears regulators no longer assume attestation equals compliance!


How big is the issue?

Per the Center for Medicare & Medicaid’s EHR Incentive Report: through December 31, 2013, some 4,400 hospitals and over 335,000 healthcare professionals participated, receiving in excess of $19.2 billion in payments. Given recent regulatory settlement trends, aggressively pursuing enforcement actions and/or settlements over questionable compliance might be seen by regulators as a strong revenue stream, as well as an opportunity to proactively clean up potential compliance issues.

In the past, Meaningful Use attestation, including Medicare and Medicaid financial incentives, faced little regulatory scrutiny, reminiscent of HIPAA compliance in the late 1990s. But times are quickly changing.


What’s Next for EHR?

In an interview with the Information Security Media Group, the representative from the OIG said, “This is one of the first cases… of submitting false HITECH Act EHR Meaningful Use attestations.”

Authorities are ready to take action against fraud, and according to reports, the OIG has submitted its work plan for 2014, which includes “more intensified scrutiny of HITECH Act Meaningful Use attestations.” This will include audits of healthcare providers and their business associates.

Per Meaningful Use, the audits will evaluate the migration to EHR systems, as well as validate that adequate security controls are in place to safeguard the data. Meaningful Use attestations of compliance are legally binding.


Protect your Organization, Review your HIPAA Program

If you haven’t fully vetted your HIPAA program (including Meaningful Use), then attest at your own risk. If you have already attested and aren’t sure of your compliance posture, now would be a good time to revisit your program.


Here are just a few risk-based steps for managing the compliance risk:

1) Determine who attested and their level of involvement in the process

2) Locate the supporting documentary evidence used to substantiate compliance

3) Determine the thoroughness of that documentation

4) Validate compliance (yes, review all of the required controls, including retention periods)

5) If there are gaps in compliance and/or documentary evidence, determine the magnitude of the gap

6) Construct a remediation roadmap and high-level timeline

7) Given the scope and expected timeline, analyze the risk of noncompliance

8) Make a risk-based decision: if the shortcomings and time to remediate suggest an egregious violation, consider retracting the attestation and refunding the incentives; otherwise, remediate


Comply or Pay the Price

The monetary consequences of not being able to substantiate adherence to Meaningful Use are difficult to determine. But noncompliance, if audited, might place your organization in an unfavorable position, similar to SRMC. HIPAA audits are already planned for later this year, but even if you are not selected to participate, your organization is just one patient allegation or material data breach away from having to substantiate compliance. Ignoring compliance means your organization is risking huge settlements, government scrutiny and patient backlash.
