At a recent conference on Medicare and Medicaid law, officials from the Centers for Medicare & Medicaid Services (CMS) responsible for administering "meaningful use" payments to hospitals and "eligible professionals" (physicians, nurse practitioners, and the like) reported on the results of Stage 1 and Stage 2 audits. Not surprisingly, hospitals fared better than individual providers, with only about 200 hospitals being required to repay meaningful use incentives. However, over 236,000 individual providers are being hit with repayment demands and downward adjustments in Medicare reimbursement, which seems to be a staggeringly large number.
That is, until you know (as Paul Harvey would say) "the rest of the story."
For both Stage 1 and Stage 2 meaningful use attestations, one of the top three reasons for recouping payment was the failure of the attesting provider to "conduct or review a security risk analysis" in accordance with 45 CFR 164.308(a)(1) and to "implement security updates as necessary and correct identified security deficiencies as part of its risk management process," in each case PRIOR TO the attestation of compliance for the applicable meaningful use reporting period. 42 CFR 495.6(d)(15)(ii). The attesting provider must have completed these processes before sending the attestation; doing so after the attestation but before the audit is not sufficient. CMS and its audit contractor are looking at the "snapshot" of compliance as of the time of the attestation. This is very different from the Joint Commission and others who will permit a "plan of correction" to reach back in time to cure deficiencies.
For Stage 2, the second and third most frequently occurring deficiencies were the failure of the electronic health record (EHR) system to "generate at least one report listing patients of the EP with a specific condition" as required by 42 CFR 495.6(j)(8), and the failure to send a "secure message . . . using [certified electronic health record technology] by more than 5 percent of unique patients" seen by the EP during the EHR reporting period. 42 CFR 495.6(j)(17). This last failure appears to verify the concerns of many providers about the challenge involved in getting five percent of patients to use a patient portal or secure messaging function to communicate with their doctors.
But the most amazing common deficiency for Stage 1 meaningful use attestation was the failure of the attesting provider to actually have certified electronic health record technology. 42 CFR 495.6(a)(1). In other words, many of these providers just lied to CMS about their meaningful use, and they got caught. For others, perhaps the technology they used wasn't certified or wasn't in place for the entire reporting period. Whatever the reason, the CMS representative very clearly pointed out that attestations for meaningful use, which are designed to cause CMS to pay money to the attesting providers, are "claims submitted to the government" that would, when enforcement becomes less forgiving, be treated as a false claim if objectively untrue statements about the nature of the provider's compliance are included in future attestations. To this participant, it did not appear that the CMS comments about the False Claims Act were limited just to these outright untruths about acquiring and using certified technology; such comments (and enforcement) easily could be extended to a willful failure to conduct and update security risk assessments in the future.
In this case, the usual Latin maxim of "caveat emptor" doesn't really apply. Instead, "let the NON-buyer beware."