Physicians Need to Be Aware of Heightened Scrutiny of EHRs

In December 2013, HHS' Office of Inspector General (OIG) issued a report entitled "Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology." The government conducted the study in response to a concern that EHRs, which are quickly replacing traditional paper medical records, can make it easier to commit fraud.

Study Methodology and Objectives

In order to complete the study, the government gathered data from hospitals and EHR vendors. It also conducted on-site interviews and observed hospitals' certified EHR technology.

The first objective of the study was to assess the extent to which hospitals that received EHR Medicare incentive payments implemented the recommended fraud safeguards for EHR technology in the following categories: audit functions; user authorization and access controls; data transfer standards; and  patient involvement in anti-fraud activity. The second objective was to assess the extent to which hospitals have implemented policies to address appropriate copy/paste functions in EHR.

Fraud Management Safeguards

Nearly all hospitals with EHR technology had the recommended audit functions in place, but were not always being used to their full extent. For example, the audit log captured the recommended data. However, almost half of the hospitals had an ability to delete their audit logs. Moreover, the audit logs' data was being analyzed to ensure privacy of patient data, as opposed to detecting and preventing fraud and abuse.

Second, all hospitals employed a variety of recommended user authorization and access controls. One of the concerns in this area, however, was limiting outside entities' access to EHR data to ensure that the appropriate individuals are actually making the entries. Third, the study found that nearly all hospitals were using recommended data transfer safeguards. However, only approximately a quarter of the hospitals reported that they require users to provide a reason before exporting, transferring or printing data. The resulting recommendation was to institute safeguards to restrict such. Fourth, almost half of the hospitals had begun implementing recommended tools to include patient involvement in anti-fraud efforts.

One of the report's most significant findings was that only about a quarter of the hospitals had policies regarding the use of the copy-paste feature in EHR technology. Recognizing this feature can greatly enhance efficiency of data entry, there is a concern that it is easier to inflate, duplicate, or even create fraudulent health claims by merely cutting and pasting a prior entry.  The second area of concern with this function is that auto-population features that generate extensive documentation on the basis of a simple click may generate information that is not accurate for the specific patient encounter and over represent what the practitioner performed. The study recommended that the use of such tools be captured in the audit log and more careful use of this function.

Report Recommendations and Future Action

HHS' recommendations were as follows, and CMS concurred with those recommendations:

1. Audit logs be operational whenever EHR technology is available for updates or viewing;

2. Office of National Coordinator for Health Information Technology (ONC) and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerability in EHRs; and

3. CMS develop guidance on the use of the copy-paste function in EHR technology.

Based upon the report and recommendations, expect to see further scrutiny and crackdowns of EHR abuses. There will be adjustments to payments to professionals and hospitals, beginning in 2015, for failing to successfully demonstrate meaningful use of certified EHR technology. Both HHS and the U.S. Attorney General recently warned medical providers who commit billing fraud with EHR that they will be prosecuted. Additionally, insurance companies will also likely begin more closely scrutinizing EHR and possibly even reject claims if they believe that the copy-paste function is not being used appropriately. In order to protect themselves, healthcare providers should attempt to follow the recommendations in the report with a focus on the cut-paste function and potential abuses.