CMS May Want Their Money Back

Aug 1, 2017 10:37:00 AM |

Megan Hudson

The old adage "money can make you do crazy things" applies to both our personal and business lives. Within the healthcare industry, the US government offered HITECH incentive payments several years ago to encourage hospitals and other healthcare organizations to implement electronic health record systems. To qualify for these payments, healthcare organizations were required to carry out regular security risk assessments showing that they met the HIPAA Security Rule requirements. As with many government incentives, a large number of healthcare organizations properly followed the rules and carried out the security risk assessments, while a select number received the HITECH incentive payments without doing so.

We learned last week that two US Senators, Orrin Hatch of Utah and Charles Grassley of Iowa, had recently sent a letter to the Centers for Medicare and Medicaid Services (CMS) requesting that further action be taken to recoup inappropriate HITECH incentive payments made over the past several years. The letter was written in response to alleged inappropriate HITECH incentive payments of up to $729 million (according to the June report from the Department of Health and Human Services) to healthcare organizations that failed to show evidence of meeting the meaningful use requirements tied to the implementation of electronic health record (EHR) systems. As mentioned earlier, this evidence typically consisted of performing annual HIPAA security risk assessments and documenting remediation efforts for any deficiencies the risk assessment identified. Alongside the Senators' letter, the Office of the Inspector General (OIG) indicated in its June 2017 report that it had updated its fiscal 2018 work plan to review HITECH incentive payments to healthcare organizations more thoroughly and identify where overpayments may have occurred.

Healthcare organizations are well aware that the OCR performs annual HIPAA audits to verify that risk assessments were performed. Still, healthcare leaders should consider whether a new presidential administration and a push to recoup HITECH payments could lead to an increase in audits in 2018. If that happens, healthcare organizations may want to weigh the financial impact of repayments should a HITECH overpayment be determined, or should it be discovered that insufficient or no evidence was provided to support the security risk assessment requirement.

Time will tell, but we suggest that healthcare organizations continue to perform an annual security risk assessment and thoroughly document a remediation plan for the high and medium risks identified. If a healthcare organization has never performed a security risk assessment, or fears its current assessment is insufficient, it would be wise to engage an experienced independent firm to review or perform an assessment in the near future.

Megan is a Manager for HORNE Cyber where she specializes in cyber risk related assurance services. She provides analytic expertise regarding policy design and implementation as well as IT and data governance. Megan also consults on information systems environment compliance and management for public and middle market clients.