The American Recovery and Reinvestment Act of 2009 created a federal electronic health-record incentive payment program. The goal was to encourage adoption and meaningful use of health information technology. Centers for Medicare and Medicaid Services (CMS) recently reported that so-called "meaningful use" payments to hospitals and providers have now topped $28 billion. What have we gotten for that much money?
Once fully integrated, the consolidated data will provide invaluable analytical capabilities to CMS. Huge data sets like these can be used for trending and predicting outcomes, customizing delivery of healthcare, allocating resources, and, perhaps most importantly, identifying the best treatments and protocols for patients based on past experiences. Patients and healthcare advocates, however, have expressed concerns over fraud, risk of data breaches, misuse of personal health information, and the potential for unfair rationing of healthcare resources.
Patients and healthcare advocates, however, have expressed concerns over fraud, risk of data breaches, misuse of personal health information, and the potential for unfair rationing of healthcare resources.
Fraud
Anytime the government disperses $28 billion, it can be expected that a good bit of fraud will be included. There have already been a handful of actions to recover meaningful use payments based upon fraud. CMS has contemplated audits to ensure the program measures are met, but they can’t actually audit everyone. It is likely that whistleblowers will emerge to report about false attestations and misuse of the funds. The Affordable Care Act is clear concerning overpayments, which must be returned within 60 days of being identified. Providers that fail to comply are in violation of the False Claims Act. We have been made aware of some providers attesting to meaningful use even though they have not satisfied the meaningful use objectives. For example, during a meaningful use lecture Dr. Williamson presented to a group of physicians, he asked if they completed the attestation for Stage I, and they all raised their hands acknowledging they did. When he queried the group if they completed a Security Risk Analysis (Required Core Measure 15), no one responded in the affirmative. Meeting the meaningful use measures is an "all or nothing" requirement, so if one measure of the attestation is not met, the provider must return all of the money they received.
In 2014, Joe White, a CFO for a medical center in Texas, was indicted for making false statements and committing aggravated identity theft in connection with Medicare MU payments. Although this is the first case where a meaningful use violation of the law has resulted in the government prosecuting the offender, it appears that the government is interested in prosecuting cases involving false attestations. The indictment alleges that the CFO forged the signature of the center’s Director of Nursing on the MU attestation after she refused to sign because she knew the center’s EHR technology was not compliant. We fully expect enforcement in this area to grow in response to the enormous amount of money which has been paid based upon these attestations.
If in fact the attestation is incomplete, the security mechanisms may be as well, increasing the vulnerability of the data and placing the organization and patients at risk.
Data Breach Risk
The information being collected is not significantly different than what has been historically captured by medical providers. The difference, of course, is that now the information is both electronic and consolidated or centrally accessible. We know that no data is safe and the more critical information the data contains, the bigger the target it will be for hackers. As previously mentioned, one of the core requirements for meaningful use attestation requires healthcare providers to attest to having implemented security mechanisms for assessing the potential risks and vulnerabilities to their data. If in fact the attestation is incomplete, the security mechanisms may be as well, increasing the vulnerability of the data and placing the organization and patients at risk. In such cases, hospitals and healthcare providers may face both government enforcement for false attestations and private class action negligence cases for failure to properly protect the data.
Misuse of Health Info
Can the government sell my information? Most people are not aware that their prescription information is already being bought and sold by pharmaceutical companies in order to target drug marketing efforts. The limits on what the government can do with the data and resulting analysis are unclear. There are numerous privacy advocates that are monitoring this situation. We are in uncharted waters here with broad access to such robust data sets.
Rationing of Healthcare
Leading up to the passage of the Affordable Care Act, we heard critics claim that government "death panels" would decide who lives and who dies. Is it possible that this data will enable the government to do exactly what we all feared? Not exactly, but we are putting too much faith in the oversight and accountability mechanisms to ensure the best decisions are made on an individual rather than societal basis. Is it fair to expect that treatment options for government insureds will be limited to those which are both effective and cost efficient? We know that drug companies have been incredibly effective at convincing prescribers to write scripts for “newer and better” drugs even though the older (cheaper) drugs may be just as safe and effective. The data and corresponding analysis will provide our government with the ability to discern the difference, but whether they openly do so remains unclear.