Are Your EHR Fraud Safeguards Up to Standards?

This month, HHS' Office of the Inspector General (OIG) released a report, Not All Recommended Fraud Safeguards Have Been Implemented In Hospital EHR Technology, highlighting the "extent to which hospitals that had received electronic health record (EHR) Medicare incentive payments implemented fraud safeguards." In addition to focusing on policies for cutting and pasting parts of one medical record into another medical records, four areas of fraud safeguards were highlighted: audit functions, user authorization and access controls, data transfer standards, and patient involvement in anti-fraud activity. Because CMS paid out nearly $13.5 billion in incentive payments since 2011, both the government and providers have an interest in insuring that meaningful use is demonstrated.

In contracting with RTI International (RTI), HHS approved recommendations to ehance the following: data protection, increase data validity, accuracy and integrity, and strengthen fraud protection. Many of these standards parallel those required by HIPAA and the HITECH Act for the administrative, technical, and physical safeguards. For example, one section of the RTI recommendations focuses on audit functions and requires the following:

1. The use of an audit log function and specifies audit log operation and content for tracking EHR updates;

2. Methods (i.e., copy/paste, direct entry, import) for any update to an EHR be documented and tracked;

3. The user ID of the original author be tracked when an EHR update is entered "on behalf" of another author;

4. EHR technology be able to record and indicate the method used to confirm patient identify; and

5. Original EHR documents be retained after they are signed off and modifications be tracked as amendments.

These recommendations compliment the HIPAA Standard Documentation Requirements (§§ 164.316(b)(1) and ((b)(2)(i)). Under these standards, which are required and not addressable, documentation policies and procedures must be in place and a record of the action, activity, or assessment is required to be maintained for 6 years. This six-year timeframe coincides with other government issued standards, also.

In sum, in order to avoid liability on a multitude of state, federal, and administrative fronts, covered entities, business associates, and subcontractors should assess the risk of vulnerability and threats in relation to the electronic protected health information that they are creating, receiving, maintaining, and transmitting.