Management Challenge 8:
Effectively Using Data and Technology to Protect Program Integrity
Why This Is a Challenge
The Department compiles an enormous amount of data related to Federal health insurance programs, public health and human services, and the beneficiaries whom they serve. It continues to face challenges in effectively using these data to detect and prevent improper payments and to ensure consumer and patient safety and quality of care. It also faces challenges to protect the privacy and security of the data it collects and maintains.
Improving the Effectiveness of Medicaid Data. Federal Medicaid payments are expected to increase an average of 8 percent each year from 2013 through 2023, according to recent Congressional Budget Office estimates. As Medicaid expands, it is imperative that CMS have a functional, national Medicaid database so that CMS may monitor Medicaid payments and services. OIG work has found that the current national Medicaid data are not complete, accurate, or timely and that additional data are needed to conduct national Medicaid program integrity activities. OIG has recommended several actions for improvement, including that CMS establish a deadline for when national Medicaid data of sufficient completeness and quality will be available and ensure that States submit required data. CMS has attempted to improve the access and quality of Medicaid data, most recently through the Transformed Medicaid Statistical Information System (T-MSIS) initiative. Although implementation is still early, analysis completed in January 2013 showed that T-MSIS has made limited progress in addressing Medicaid data concerns. (For additional information on challenges related to Medicaid, see Challenge 4).
Demonstrating Impact from the Fraud Prevention System (FPS). As the Department continues to implement predictive analytics technologies to help identify fraudulent claims before they are paid, it must produce reliable information demonstrating the effectiveness of these technologies. The Small Business Jobs Act of 2010 required CMS to use predictive analytics to identify and prevent the payment of improper claims in the Medicare fee-for-service program. In response, CMS implemented the FPS in 2011 and now uses the predictive analytics program to identify potential health care fraud, waste, and abuse. However, after its first year of implementation, challenges remain in demonstrating the FPS's impact. OIG found that some reporting requirements were not met and that its methodology for calculating estimates on savings, recoveries, and return on investment included some invalid assumptions that may have affected the accuracy of those amounts.
Ensuring HHS Data and Systems Are Secure. All information collected, processed, transmitted, stored, or disseminated by HHS agencies, their contractors, States, and hospitals must be adequately protected pursuant to the Privacy Act, Office of Management and Budget (OMB) guidelines, and other authorities. OIG has identified vulnerabilities in a variety of information systems controls, including implementation of directives and guidance on information security controls, access controls, and configuration management controls, which may lead to unauthorized access to and disclosure of sensitive information or disruption of critical operations and limit the ability to ensure the confidentiality, integrity, and availability of critical information and systems. As discussed in Challenge 1, the Department also faces challenges in the development of systems for and effective operation of the Marketplaces, which require rapid, accurate, and secure integration of data from numerous Federal and State sources and individuals who use the Marketplaces.
Protecting Information Contained in Electronic Health Records (EHR) and Guarding Against Fraud. With the enactment of the Recovery Act and the HITECH Act, the Department has played a leading role in the nationwide adoption of EHRs and other health IT. These innovations offer opportunities for improved patient care and more efficient practice management. However, as the volume of electronically stored medical information grows, protecting the privacy, security, and integrity of EHRs has become more critical. Data security breaches and medical identity theft are growing concerns, with thousands of cases reported each year.[1] The Department faces challenges as it maximizes implementation of promising health IT while maintaining the privacy and security of sensitive health information.
Experts in health information technology caution that use of EHRs can make it easier to commit fraud. In the Department's efforts to promote EHR adoption, it focused largely on developing criteria, defining meaningful use, and administering incentive payments. It has given less attention to the risks EHRs may pose to program integrity. Certain features, such as cut-and-paste and auto-fill templates, may be used to mask true authorship of the medical record and distort information to inflate health care claims. An examination of hospitals that received Medicare incentive payments as of March 2012 revealed that while nearly all hospitals had recommended audit functions in place, they may not be using them to their full extent. For example, nearly half of hospitals reported being able to turn off audit logs, and few hospitals report using audit logs to identify potentially fraudulent or abusive practices.
Progress in Addressing the Challenge
CMS has taken action to improve its data and technology capabilities. Beginning in 2012, CMS partnered with 12 volunteer States on the planning and development of T-MSIS. OIG found that the 12 States had made some progress in implementing T-MSIS. CMS stated that all States are expected to participate in T-MSIS by the end of 2013 and to demonstrate operational readiness to submit timely T-MSIS data by July 1, 2014. CMS issued a letter to State Medicaid Directors in August 2013 that included a deadline for when all States are expected to demonstrate operational readiness to submit T-MSIS files, transition to T-MSIS, and submit timely T-MSIS data. CMS also reports that it has added terms and conditions to various Medicaid funding mechanisms to provide incentive for States to report timely, complete and accurate data. CMS created a set of tools to help States prepare to submit T-MSIS data, including establishing a CMS liaison for States and the creation of a T-MSIS State collaboration workgroup.
In implementing FPS in July 2011, CMS met legislative timeline requirements and implemented the largest scale predictive analytics program used to identify potential health care fraud, waste, and abuse ever developed. With regard to demonstrating the impact of FPS, CMS has shown leadership by coordinating and leveraging relationships with public and private entities to discern best practices for measuring the impact of program integrity activities. CMS has also continued to take steps to refine its methodologies for calculating cost savings from costs avoided due to FPS.
Some HHS agencies, States, and hospitals have made progress in addressing recommendations made by OIG in audits of information security systems. However, CMS continues to have significant deficiencies in its planning, implementation, and execution of its overall information security directives and guidance, and in implementing controls to prevent unauthorized access to sensitive information.
Through its EHR adoption incentive programs regulations and its EHR certification criteria regulations, HHS has addressed privacy and security matters in limited ways. The Office of the National Coordinator for Health IT (ONC), which coordinates the adoption, implementation, and exchange of EHRs, awarded a contract to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology; however, the Department did not directly address all recommended safeguards through certification criteria and meaningful use requirements. CMS has acknowledged the potential for EHRs to be used to commit fraud and intends to develop guidelines to ensure appropriate use of the copy/paste feature in EHRs. Additionally, CMS audits providers who received EHR incentive payments to gauge the accuracy of, among other things, attestations that risk analyses designed to protect electronic health information were conducted. If the Department takes steps to ensure that meaningful use requirements include necessary safeguards, these audits may be a helpful oversight tool.
What Needs To Be Done
CMS and the 12 volunteer States participating in T-MSIS have made some progress, particularly toward planning for T-MSIS implementation. However, early implementation outcomes raised questions about the completeness and accuracy of T-MSIS data upon national implementation. CMS should continue to work with States to ensure the submission of complete, accurate, and timely data. It should also establish a deadline for when T-MSIS data will be available for use. If States fail to begin submitting T-MSIS data by the implementation deadline, CMS should use its statutory enforcement mechanisms or seek legislative authority to employ alternative tools to compel State participation.
To ensure effective operations during the planned expansion and enhancement of FPS over the next few years, CMS will need to address FPS's reporting and measurement vulnerabilities. OIG will continue monitoring the FPS and analyze future modifications or refinements to it.
The Department, States, and hospitals should continue improving systems controls to help ensure that system assets are protected from unauthorized usage and that only authorized personnel are granted access to data and programs.
The Department should continue to focus on oversight and enforcement of privacy and security protections to ensure that sensitive data are protected. It should also do more to ensure that EHRs contain safeguards and that providers use these safeguards to protect against health care fraud involving electronic systems. The Department should also provide additional guidance on information technology security standards and best practices that the health care industry should adopt for EHRs.
Key OIG Resources
- Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology. December 2013
- Early Outcomes Show Limited Progress for the T-MSIS. September 2013
- The Department and CMS Financial Statement Reports which can be found on the HHS website after December 16, 2013. Fiscal Year 2013
- Security Gaps May Threaten Electronic Health Records. June 2011
- Protect Yourself Against Medical Identity Theft.
- CMS Response to Breaches and Medical Identity Theft. October 2012
- OIG report on implementation of predictive analytics. September 2012
[1] CMS tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.