OIG recommends fraud safeguards in hospital EHR technology

On December 10, 2013, the Office of Inspector General for the United States Department of Health & Human Services (OIG) issued a report finding that hospital implementation of fraud safeguards in electronic health records (EHRs) falls short of the recommended standards. The report carries out one of the OIG’s 2013 Work Plan objectives to study how EHR technology may lead to improper payments by federal healthcare programs. In its Work Plan, the OIG had noted that: “Medicare contractors have noted an increased frequency of medical records with identical documentation across services.”

The OIG’s findings were extracted from the responses to an on-line questionnaire to 864 hospitals that had received Medicare EHR incentive payments as of March 2012. The questionnaire focused on four EHR fraud safeguards: 1) EHR audit functions; 2) EHR user authorization and access; 3) EHR data transfer; and 4) patient involvement via the ability to access and comment within their EHR.   The OIG criticized the Centers for Medicare and Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) for failing to incorporate recommended safeguards into meaningful use criteria and EHR certification standards.

The OIG found that almost all of the hospitals had EHRs with audit functions, but not all hospitals were using these functions to their full extent. Nearly all of the hospitals, the OIG said, had employed user authorization and access controls and data transfer safeguards. However, the OIG found that only about one-fourth of hospitals had employed policies on EHR documentation directed at preventing fraud, such as policies on the use of the cut and paste function.

The OIG made 14 recommendations, which included the following: a) audit logs be operational whenever EHR technology is available for updates or viewing; b) CMS and ONC address EHR vulnerabilities to fraud; and c) CMS develop policies on EHR documentation and specifically on the use of the cut and paste function. Table 1 on page 7 of the Report summarizes all 14 of the EHR controls that the OIG identified; the OIG details each of these controls throughout the remainder of its report.

Of note, the OIG identified the following two types of potentially fraudulent EHR documentation practices:

Copy-Pasting. “Copy-pasting, also known as cloning, allows users to select information from one source and replicate it in another location. When doctors, nurses, or other clinicians copy-paste information but fail to update it or ensure accuracy, inaccurate information may enter the patient’s medical record and inappropriate charges may be billed to patients and third-party health care payers. Furthermore, inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.”

Overdocumentation. “Overdocumentation is the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services. Some EHR technologies auto-populate fields when using templates built into the system. Other systems generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate. Such features can produce information suggesting the practitioner performed more comprehensive services than were actually rendered.”

In May 2013, Lisa A. Erama provided a good review of the dangers of the EHR cut and paste function in her article titled “Read Between the Lines,” For the Record (Vol. 25 No. 8 P. 18).  Ms. Erama noted that providers were, at that time, developing cut and paste policies.  Her article sets forth key elements for inclusion in such a policy.  (See section on “Finding a Fix”.)

With the OIG’s report, providers should prepare for heightened scrutiny by Medicare payment contractors.  The bar is now set: Get your EHR vendor together with your HIM Director, HIT staff, medical staff, quality assurance team, risk management director, and your coders to review your EHR’s cut and paste function.  Determine whether and how to scale back this function or to otherwise establish limits and guidance for its use.  Then put a policy in place that aligns with your EHR’s cut and paste function and that provides clear guidance on its use.  If you have turned off the cut and paste function, and you say this in your policy, be sure to review any vendor upgrade to your EHR to be sure that this function has not been turned back on.

 To read the full OIG Report, click here.
