The old adage, "Money can make you do crazy things," can easily be applied to both our personal and business lives. Within the healthcare industry, HITECH incentive payments were offered by the U.S. government several years ago to implement electronic health record (EHR) systems at hospitals and other healthcare organizations. In order to qualify for these incentive payments, healthcare organizations were required to carry out regular security risk assessments to show they were meeting the HIPAA Security Rule requirements. While a large number of healthcare organizations properly followed the rules and carried out the security risk assessment required, a select number received the incentives without doing so.

We learned last month that two U.S. Senators, Orrin Hatch of Utah and Charles Grassley of Iowa, had recently sent a letter to the Centers for Medicare and Medicaid Services (CMS) requesting that further action be taken to recoup inappropriate HITECH incentive payments that have been made over the past several years. The letter was written in response to alleged inappropriate HITECH incentive payments of up to $729 million to healthcare organizations that failed to show evidence of meeting the meaningful use requirements with the implementation of EHR systems. This evidence typically involved the performance of annual HIPAA security risk assessments and provided evidence of remediation efforts for any deficiencies identified in the assessment. In combination with the letter from the Senators, the Office of the Inspector General (OIG) indicated in its June 2017 report that it had updated its fiscal 2018 work plan to more thoroughly review the HITECH incentive payments to healthcare organizations to identify where there could have been overpayments.

Though healthcare organizations are very much aware that the HHS Office for Civil Rights (OCR) performs annual HIPAA audits to verify that risk assessments were performed, it does guide healthcare leaders to consider whether a new presidential administration and a push to recoup HITECH payments could lead to an increase in audits in 2018. If this does come to fruition, healthcare organizations may want to consider the financial impact that repayments would have if it is determined a HITECH overpayment occurred or discovered that insufficient or no evidence was provided to support the security risk assessment requirement.

Though time will tell, we suggest that healthcare organizations continue to perform an annual security risk assessment and thoroughly document a remediation plan for those high and medium risks identified. If a healthcare organization has never performed a security risk assessment or fears their current assessment is insufficient, it would be wise to team with an experienced independent firm to review or perform an assessment in the near future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.