Trust but verify: Medicare’s approach to detecting EMR fraud

A recent New York Times headline read that “Medicare Is Faulted on Shift to Electronic Records.”  The story describes an Office of Inspector General (OIG) report, released November 29, 2012, that faults the Centers for Medicare and Medicaid Services (CMS) for not providing adequate oversight of the Meaningful Use incentive program. Going after “waste, fraud, and abuse” always makes good headlines, but in this case, the story is not so simple.

For those not intimately familiar with the CMS policy, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The program, administered through CMS and state Medicaid programs, created financial incentives for doctors (and other eligible professionals) and hospitals to adopt and “meaningfully use” a certified electronic health record (EHR).  To receive financial incentives, which began to be paid in May 2011, doctors and hospitals “attest” that they have met the meaningful use requirements, providing an affirmation for which they are held legally accountable.

The process works as follows: health care providers visit a CMS website, register, and enter data demonstrating that their EHRs are “certified” and that they met each of the individual requirements for meaningful use. Then they attest that that all the data they entered is true.  For example, a physician might have to report, to meet just one of the 20 meaningful use measures, how many prescriptions she wrote over the past 90 days, and how many she wrote electronically.  My conversations with colleagues suggest that it can take a lot of time for providers to gather all the data they need to “attest” to meeting Meaningful Use.  Then, CMS runs logic checks to ensure that the numbers entered make sense and, if there are no errors, they cut the provider a check. Through September, 2012, CMS paid out about $4 billion in incentives to 82,000 professionals and more than 1,400 hospitals.

What the Office Of Inspector General recommended

The Office of Inspector General examined how carefully CMS is overseeing this program, with particular interest given the reliance on self-reporting of meaningful use, and found areas for improvement.  Several of the OIG recommendations for improving oversight are sensible, measured, and very likely to improve the integrity of the program.  For instance, OIG recommends that CMS provide detailed guidance to providers about what constitutes adequate documentation to support their attestation.  This is the equivalent of the IRS providing guidance on what documentation you need to prove that your tax deductions are legitimate.  Another reasonable OIG recommendation is that certified EHRs be able to produce automated reports about all the functions required to meet meaningful use.  I suspect this will not be particularly onerous for EHR vendors to meet.

And where OIG went wrong

Where the OIG goes astray is their recommendation that CMS “obtain and review supporting documentation” from selected doctors and hospitals prior to payment.  This is the equivalent of the IRS asking a large chunk of Americans to send in their receipts and detailed explanations along with their 1090s before they get their refund.  Based on the screening tool discussed in the OIG report, about 100,000 physicians and 800 hospitals would be subject to creating these detailed reports with a large amount of supporting evidence each year — and CMS would need to add a substantial number of staff to review all these reports before making any payments.

CMS chose not to concur with this recommendation, and I think CMS is right. There is little evidence to date of any fraud, waste, or abuse in the EHR incentive program.  Were they to follow this OIG recommendation, CMS would effectively make waste in the program more likely.

This is not to say that there are not areas in which CMS should be more aggressive in their oversight.  Indeed, CMS pays out more than $500 billion in taxpayer money each year for medical care, and there is ample evidence that a substantial proportion of that money goes to health care services that harm our nation’s elderly while providing little clinical benefit — that’s the real “waste, fraud, and abuse.” We continue to pay billions for poor quality and unsafe care.  CMS needs to develop more sophisticated and nuanced approaches to ensuring that it pays more for better care, pays less for poor quality care, and protects not only the taxpayer dollar, but also the health of Medicare beneficiaries.  That’s worth getting aggressive about.

CMS’s approach on EHR payments strikes the right balance

Given that there is no evidence that doctors and hospitals are systematically committing federal fraud by reporting that they are meaningfully using EHRs when they are not, CMS has instead planned a post-payment audit.  And if physicians or hospital executives are found to have deliberately and consciously lied in order to get incentives, they should be prosecuted.  If they made an honest mistake — and given the complexity of meaningful use criteria, this is a real possibility — they should give the money back and potentially pay a fine.  But creating a huge new burden will dissuade many providers from even adopting EHRs, and continuing to rely on paper records is no way to deliver health care.  The cost of the latter to the American public, in terms of duplicate tests, medical errors, and general poor quality care, is far more substantial.

In each regulatory decision, there is a balancing act:  have too few checks and there will be widespread fraud; be overly heavy-handed and you may end up penny-wise and pound-foolish.  The approach that CMS seems to be taking is, in the famous words of President Reagan, “trust, but verify.”  Trust that providers are being honest – but verify through selected audits.  It appears to get the balance right. This approach was good enough for President Reagan’s dealings with the Soviet Union and I suspect that it’s good enough for CMS’s dealings with doctors and hospitals.

Ashish Jha is an Associate Professor of Health Policy and Management, Harvard School of Public Health.  He blogs at An Ounce of Evidence and can be found on Twitter @ashishkjha.

Comments are moderated before they are published. Please read the comment policy.

  • karen3

    Dr. Jha, I would suggest that you review my mother’s medical records which record her iteratively as having had a CABG over the course of five hospital encounters over three months. Which she never had and should have been obvious from looking at her chest. Which was cloned from an incorrect history on the first visit. Which medicare knows about and does not care. If you talk to patients who have gotten their medical records, you would know that fraudulent medical records are rampant in the system. There is absolutely no reason to expect that doctors are honest. And that is an issue not just with billing, but when you treat a patient. Believe what your colleagues have written only at your own risk.