CMS, ARRA health IT programs slated for OIG audit
The OIG has grouped ongoing and planned reviews into two parts: “Centers for Medicare & Medicaid Services” (CMS) and “Public Health and Human Services Programs and Departmentwide Issues.”
The CMS portion relates to reviews of Medicare, Medicaid, information systems controls and the Children’s Health Insurance Program (CHIP). The “Public Health and Human Services Programs and Departmentwide Issues” group describes reviews related to agencies such as the Centers for Disease Control and Prevention (CDC), the FDA, the National Institutes of Health (NIH), the Administration on Aging (AoA) and the Administration for Children and Families (ACF).
The work plan, effective as of last month, announced OIG’s plans to review the oversight of initiatives from incentives set by ARRA in both groups.
The Congressional Budget Office (CBO) estimates, as reported by the OIG, that CMS spending for incentives and payment reductions will total approximately $30 billion--$18 billion in Medicare spending and $12 billion through Medicaid--between 2011 and 2019. The OIG plans to review CMS incentive payments to eligible healthcare professionals and hospitals for adopting EHRs, as well as its safeguards against incentive payments made in error.
“If errors are identified, we will also assess CMS’ actions to remedy incentive payments made in error and its plan for securing these payments for the duration of the incentive program,” the plan read.
Although both Medicare and Medicaid offer incentives for eligible healthcare professionals to adopt certified EHR technology, they cannot receive incentive payments from both programs. Therefore, OIG stated that it will review CMS’ oversight of the implementation and program management of Medicare and Medicaid incentive payments for EHRs and describe the procedures in place to prevent and detect duplicate incentive payments.
The OIG announced that it will also assess whether fiscal oversight and reporting mechanisms are established for CMS to determine “meaningful use” of certified EHR technology.
The OIG’s work plan not only focused on dollars and cents but also on personally identifiable information. Medical identity theft and secured personal information was consistently mentioned as a concern in many of the new reviews. OIG plans to review CMS’ compliance with new breach notification requirements for personally identifiable information in ARRA and the CMS oversight measures in cases of medical identity theft within Medicare.
Though ARRA provides financial incentives through Medicare and Medicaid to encourage healthcare professionals to adopt and use EHRs, the plan noted that Medicare incentive payments are being phased out over time and will be replaced with financial penalties for providers that are not using EHRs. While CMS systems undergo modifications to manage these new requirements, OIG plans to review health IT enhancements to CMS’ systems to ensure that they include standards adopted by HHS and that IT security controls are in place to protect sensitive EHR and personal information.
In order to track the proper use of alloted funds, the OIG will assess many of the Health Resources and Services Administration’s (HRSA) grant award and monitoring processes as well as HRSA’s efforts to promote and oversee grantees' EHR implementation.
ARRA provided HRSA with $1.5 billion for the modernization, renovation, and repair of health centers, which includes the acquisition of HIT systems.
The ARRA will provide $500 million to community health centers to meet the increased demand for services and to establish new access points. The OIG will assess HRSA’s internal controls to determine whether the process appears to be effective considering the accelerated timeline for disbursement and increased funds that will be awarded above the annual appropriation.
HRSA has $125 million available for health IT systems and network grants to support EHR for health centers. The OIG estimates that this funding will benefit more than 1,000 community health centers and will focus on the controls in place to safeguard health IT grant information pertaining to HRSA’s distribution of the grant funds and whether the awards require appropriate IT security provisions to protect sensitive EHR or personal information at the grantee level.