Challenge 6: The Meaningful and Secure Exchange and Use of Electronic Health Information

Why This Is a Challenge

The American health care system increasingly relies on health information technology (health IT) and the electronic exchange and use of health information. Health IT, including electronic health records (EHRs), offers opportunities for improved patient care, more efficient practice management, and improved overall public health. The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) provided for Medicare and Medicaid incentive payments to eligible professionals, eligible hospitals, and critical access hospitals (CAHs) for adopting, implementing, upgrading, or demonstrating meaningful use of EHRs and established a variety of grant programs to encourage widespread adoption of EHRs. HITECH also included requirements for public reporting of breaches of unsecured protected health information. Although participation in the Medicare and Medicaid EHR Incentive Programs is high and has led to widespread adoption among eligible providers, significant challenges exist with respect to overseeing the EHR Incentive Programs, achieving interoperability of EHRs, and keeping sensitive health information secure. Additionally, as the Department works to link payments with care quality, health outcomes, or performance as part of health care delivery system reforms, it will need to ensure that EHR and other health information data are accurate and reliable and are protected from misuse. (For more information on linking health care payments to value, see Management Challenge 4.)

Medicare and Medicaid EHR Incentive Programs. As of September 2014, the EHR Incentive Programs have paid out $25.4 billion in incentive payments. Although program interest has been high among those eligible, recent data suggest that not all those currently participating will continue in the programs. If the number of program participants were to decrease, fewer eligible professionals, eligible hospitals, and CAHs would progress to Stage 2 meaningful use, which includes a focus on health information exchange. For example, a recent Office of the National Coordinator for Health Information Technology (ONC) report shows that a substantial number of the first cohort of participants may be dropping out of the Medicare EHR Incentive Program. Of those that received a payment in 2011, 16 percent did not return for 2012. Further, 19 percent of participants dropped out of the Medicare EHR Incentive Program in 2013.

Challenges in program oversight also leave the EHR Incentive Programs vulnerable to inappropriate payments to participants that do not meet program requirements. OIG work has demonstrated vulnerabilities in oversight controls for EHR incentive payments, as well as the accuracy of EHR incentive payment calculations. OIG also found that CMS and states did not implement strong prepayment controls and relied primarily on postpayment audits of high-risk participants to confirm that payments were appropriate. Additionally, OIG found that CMS and states lacked adequate data to verify participants' self-reported attestations about their eligibility and meaningful use of EHRs. ONC requires EHRs to generate audit reports for some, but not all, meaningful use measures; this requirement may create some oversight obstacles for CMS to verify payment during postpayment audits.

An OIG audit of Medicaid EHR incentive payment accuracy in Louisiana found that the state did not always pay Medicaid EHR incentive payments in accordance with federal and state requirements. OIG found incorrect incentive payments, including both overpayments and underpayments, totaling $4.4 million.

Interoperability. Those who adopt health IT must be able to use their systems to exchange and meaningfully use health information in order to achieve the broader policy objectives and cost savings to the health care system. Health information is still not commonly exchanged between groups of health care providers that use different EHR products. For example, most Health Resources and Services Administration (HRSA) health centers had the capability to capture data, but few were able to meet the Stage 1 meaningful use standard for sharing data. As of September 2014, only 93 hospitals and 2,282 doctors had successfully progressed to Stage 2 meaningful use, which includes functionalities related to exchanging data, including for transitions of care between inpatient, outpatient, and postacute care providers. This may mean that patients' electronic health information is not shared across organizational, vendor, and geographic boundaries. A June 2014 study published in the Journal of the American Medical Informatics Association found that customized health history documents in certified EHRs lead to errors in transmissions between EHR systems, often necessitating manual data entry, a counterproductive outcome. Sharing of data may be impeded by several factors, including costs to establish the capability to share data, complex federal and state privacy and security rules, and system variation.

Further, many health care delivery system reform initiatives envision providers, suppliers, and others coming together in new or enhanced ways to better coordinate patient care and increase efficiency. These reform initiatives include the Medicare Shared Savings Program, the Pioneer ACO Model, and the Bundled Payments for Care Improvement initiative, among others. To improve care coordination and meet performance goals, many participants in these and other reform initiatives will share data across settings and use data received from outside their own systems. A lack of data exchange and incompatibility across systems presents challenges to achieving the benefits promised by EHRs and other health IT and could undermine the goals of some reform initiatives. Data created, maintained, or transmitted using EHRs or other health IT are used to ensure correct Medicare and Medicaid payments, including value-based payments. Participants in some of these payment initiatives also receive Departmental data for their use in improving the care they furnish. Those data similarly must be accessible and accurate.

Protecting Sensitive Information. Safeguarding privacy and data security is, and should remain, a top priority in health IT adoption and health data exchange, storage, and use efforts. Health care data breaches can have serious consequences, including medical identity theft, misdiagnoses, delays in treatment, and mistreatment of illness. Following HITECH's enhancements of breach notification requirements, HHS's database of major breach reports affecting 500 people or more has tracked nearly 950 incidents affecting the personal information of about 30.1 million people. OIG consistently finds gaps in adherence to security standards set by the Health Insurance Portability and Accountability Act and the National Institute of Standards and Technology. During our audits of hospitals and covered entities, we identified weaknesses that included inadequacies in access controls, patch management, encryption of data, and Web site security vulnerabilities. Such weaknesses could result in unauthorized access to sensitive health information.

Safeguarding EHRs From Fraud. Some of the beneficial characteristics of EHRs, including efficiency and ease of storage and access, may also make them tools for fraud. OIG work in examining fraud safeguards in EHRs found that protections designed to improve validity, accuracy, and integrity in EHRs were not being used to their full extent. Only about one-quarter of hospitals have policies regarding the use of copy-paste, a feature that could be used inappropriately to add documentation to a patient's record to support a fraudulent bill for services that were never provided. Deleting or disabling audit logs could make it harder to prevent and detect fraud. Furthermore, CMS and its program integrity contractors have done little to update their practices to address EHR vulnerabilities.

Progress in Addressing the Challenge

The Department has made great strides in developing a foundational health IT infrastructure by making inroads with EHR adoption, establishing privacy and security guidance and standards, and offering services to support health information exchanges (HIE) and interoperability. As of September 2014, 95 percent of eligible hospitals and CAHs and 92 percent of physicians and other eligible professionals have registered to participate in the EHR Incentive Programs, amounting to more than 500,000 eligible professionals, eligible hospitals, and CAHs.

With respect to oversight of the EHR Incentive Programs, CMS has audited Medicare providers who received EHR incentive payments to gauge the accuracy of, among other things, attestations that risk analyses designed to protect electronic health information were conducted. CMS also reports that it began conducting pre-payment audits in 2013. If the Department continues to take steps to ensure that meaningful use requirements include necessary safeguards, these audits will be a helpful oversight and enforcement tool.

ONC has issued a document entitled "Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure" (10-Year Vision Paper), which describes future efforts to expand the sharing of information for health beyond EHRs and identifies privacy and security protections for health information as a building block for a nationwide interoperable health information infrastructure.

What Needs To Be Done

The 10-Year Vision Paper states that, "[b]y 2024, individuals, care providers, communities, and researchers should have an array of interoperable health IT products and services that allow the health care system to continuously learn and advance the goal of improved health care." The desired "learning health system" should, according to the 10-Year Vision Paper, also enable lower costs, improved population health, and other benefits. To fully realize the value of an over $24 billion investment, the Department must do more to ensure that systems are interoperable in order to realize these goals.

As the Department progresses through the development and implementation of meaningful use stages, it should continue to consider feedback from stakeholders to ensure that adopted policies advance the Nation towards the Department's stated goals, while appropriately reflecting the changing health IT landscape. Guidance and technical assistance should be issued to address adoption, meaningful use, and interoperability barriers and program integrity safeguards. It is also essential that privacy, security, and fraud prevention remain at the forefront of the Department's, ONC's, and CMS's health IT efforts.

Finally, given the magnitude of the investment in EHRs and other health IT programs, it will become increasingly important to demonstrate and measure the extent to which EHRs and health IT have actually achieved the Department's goals, which include improved health care and lower costs. Ongoing OIG work is examining the accuracy of Medicare and Medicaid EHR incentive payments for the first stage of meaningful use and attempting to determine whether Medicaid safeguards prevent improper payments. Future work may examine health IT interoperability across providers, across HHS, and between providers and patients, as well as examine outcomes from health IT investments.

Key OIG Resources

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201