LinkedInFacebook 

Meaningful Use & the False Claim Act

Meaningful Help for “Meaningful Use”

Meaningful Use and The False Claim Act

Over the past few months, much has been written about the Federal Government’s False Claim Act and how it can be applied to the attestations made by healthcare providers related to Meaningful Use. Most of what has been written has been factual but there is still a significant amount of misinformation related to this topic. Given that, please read the following and let us know if you have additional questions.

First, here is a little context to better understand the origin of Meaningful Use. Per HealthIT.gov –

The Centers for Medicare and Medicaid Services (CMS) developed the Electronic Health Record (EHR) Incentive Programs to provide financial incentives for the meaningful use of certified EHR technology to improve patient care. To receive an EHR incentive payment, providers have to show that they are meaningfully using their EHRs by meeting thresholds for a number of objectives. The EHR Incentive Programs are phased in three stages with increasing requirements.

Providers must attest to demonstrating meaningful use every year to receive an incentive and avoid a Medicare payment adjustment.

Meaningful Use is using certified electronic health record (EHR) technology to:

  •  - Improve quality, safety, efficiency, and reduce health disparities
  •  - Engage patients and family
  •  - Improve care coordination, and population and public health
  •  - Maintain privacy and security of patient health information

Ultimately, it is hoped that the meaningful use compliance will result in:

  •  - Better clinical outcomes
  •  - Improved population health outcomes
  •  - Increased transparency and efficiency
  •  - Empowered individuals
  •  - More robust research data on health systems

As an enticement for implementing a new EHR system and satisfying the Meaningful Use requirements, eligible professionals (which includes physicians, nurse practitioners, and dentists along with a few other categories of medical professionals) would receive up to $43,720, while eligible hospitals would receive a base payment of $2 million plus additional funding based on a number of factors.

Per CMS, as of April 2015, health care providers received more than $30.5 billion in CMS EHR incentive payments.  Yes, that is BILLION – with a "B".

The stakes are high for EHR program participants.  If a health care provider fails to meet the Meaningful Use requirements, they must forfeit the ENTIRE incentive payment.  Remitting the incentive payments back to CMS is certainly problematic but what can be even more problematic is having the government impose the False Claim Act.

What is the False Claims Act?

The False Claims Act imposes penalties on anyone who knowingly falsifies, forges, alters, or destroys documents to secure payment.  A person found to have violated the False Claims Act is liable for a civil penalty for:

  •  - $11,000 per claim filed, plus
  •  - Three times the amount of damages sustained by the federal government (treble damages)

In order for the government to prove fraud, it must demonstrate

  •  - A person makes a material false statement;
  •  - The statement is false, and the person making the statement knows that it is false;
  •  - The person making the statement intends to deceive or mislead the person to whom the statement was made with the expectation of receiving       something of value;
  •  - The person to whom the false statement is made is expected to rely on the statement to his/her detriment.

In 2013, the Department of Health and Human Services’ Office of the Inspector General (OIG) identified fraudulent payments for Meaningful Use as an area of focus and investigation.  CMS deputy director Robert Anthony stated that his organization would conduct compliance audits on 5% of all Meaningful Use program participants. 

Per the OIG, past audits identified several common findings including:

  •  - Failure to conduct a data security risk assessment
  •  - Lack of adequate documentation to support attestation responses

What about the Office for Civil Rights (OCR)

OCR has the responsibility for enforcing HIPAA compliance. A few weeks ago, the National Law Review reported that OCR had begun sending pre-audit screening surveys to covered entities for its next round of HIPAA audits (Phase 2 Audits).  The focus of these audits will be selected HIPAA provisions and other HIPAA compliance “weak spots” identified in the earlier 2011-2012 audits.

As part of these audits, OCR has said that assessing whether organizations have performed risk assessments will be a high priority given the health care providers’ wide spread non-compliance with this particular requirement.  If an audit determines that a health care provider has not conducted a risk assessment, there is a possibility that the finding will be shared with CMS.

If OCR were to share its findings with CMS, this information could trigger repayment of Meaningful Use incentives and False Claims Act penalties and potential imprisonment.  Also, if OCR identifies major compliance issues (such as not conducting a risk assessment), it will open an investigation that may result in settlements and financial penalties paid directly to OCR.

In short, not conducting a risk assessment has the potential of costing millions of dollars, imprisonment, exclusion from Medicaid and Medicare and of course, the loss of professional reputation.

Recent Enforcement Activity

Per FBI.gov – The former chief financial officer for Dr. Tariq Mahmood’s Texas hospitals, Joe White, 66, of Cameron, Texas, was indicted by a federal grand jury on January 22, 2014, and charged with making false statements to the Centers for Medicare and Medicaid Services (CMS) and aggravated identity theft.

According to the indictment, on November 20, 2012, White falsely attested to CMS that Shelby Regional Medical Center (Shelby Regional) met the Meaningful Use requirements for the 2012 fiscal year. However, Shelby Regional relied on paper records throughout the fiscal year and only minimally used electronic health records. To give the false appearance that the hospital was actually using Certified Electronic Health Record Technology, White directed its software vendor and hospital employees to manually input data from paper records into the electronic health record (EHR) software, often months after the patient was discharged and after the end of the fiscal year.

The indictment further alleges that White falsely attested to the hospital’s Meaningful Use by using another person’s name and information without that individual’s consent or authorization. As a result of the false attestation, CMS paid Shelby Regional $785,655. In total, hospitals operated by Dr. Mahmood, including Shelby Regional, were paid $16,794,462.66 by the Medicaid and Medicare EHR incentive programs for fiscal years 2011 and 2012.

“As more and more federal dollars are made available to providers to adopt Electronic Health Record systems, our office is expecting to see more cases like this one,” said Special Agent in Charge, Mike Fields of the U.S. Department of Health and Human Services Office of Inspector General’s (OIG) Dallas Regional Office. “The Office of Inspector General is committed to protecting the millions of taxpayer dollars used to pay providers to adopt Electronic Health Record systems.”

Consider the following to avoid issues with the Federal Government:

  1. Review the most recent attestation statement made to CMS. Evaluate any shortcomings contained in that statement and ensure that you can provide documentation to support the attestation statement.

  2. Meet with your security officer, privacy officer and compliance officer (and you may want to include your legal counsel) to review any activity/correspondence with OCR. This will help to better understand your current risk profile.

  3. Review your organization’s most recent HIPAA risk assessment. If the risk assessment was completed more than one year ago, conduct another HIPAA risk assessment as soon as possible.

  4. Review the results of your most recent risk assessment and develop an action plan to deal with any shortcomings.

  5. Ensure that you have an inventory of all information systems, including mobile devices (whether corporate-owned or personal) that have access to PHI.