OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated

By Ann Triebsch and Kathie McDonald-McClure

Following our blog post on December 11, 2013 about Part One of a report from the Office of the Inspector General for the United States Department of Health and Human Services (OIG) about fraud safeguards in electronic health records (EHRs), the OIG recently issued Part Two of its report.  Dated January 2014, the report is entitled, “CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs”.  That title pretty well sums up the report’s findings about the audits conducted by contractors for the Centers for Medicare and Medicaid Services (CMS).

The OIG’s January 2014 report and the earlier December 2013 report both rely heavily on a 2007 study by RTI International (RTI), which was performed under a contract with the Office of the National Coordinator for Health Information Technology (ONC).  The RTI Study made recommendations for enhancing data quality and integrity in EHRs. The recommendations were aimed at both strengthening some EHR benefits and providing tools within the EHR for detecting inappropriate documentation practices that are unique to EHRs.  The OIG investigated whether those tools have been put into full force.

RTI asserted that audit logs are among the most helpful tools in the anti-fraud arsenal, citing the logs in nearly 1/3 of their fourteen recommendations to ONC.  Audit logs track changes within an EHR by capturing certain data elements including, at a minimum, the date, time and user/author of a change to an EHR patient record.  In the words of RTI, “[t]he audit log provides the who, what, when, where, why, and how in [the] cycle” of EHR documentation changes. (RTI report, pp. 4-7.)

Given the importance of audit logs, and the fact that they are obviously non-existent in old-fashioned paper medical records, OIG surveyed several of its contractors about their claim review procedures, including reviews specific to EHR documentation.  The OIG conducted the survey in January 2013 using an on-line questionnaire that was completed by eight Medicare Administrative Contractors (MACs), six Zone Program Integrity Contractors (ZPICs), and four Recovery Audit Contractors (RACs).  OIG found that while EHRs “may make it easier to perpetrate fraud”, only 3 of the 18 contractors reported using audit log data as part of their investigations, one of each type of contractor.  Two MACs reported confirming electronic signatures and requesting EHR protocols, and two ZPICs reported requesting information about the EHR technology and ability to alter EHR data.  ZPICs appeared most able to identify entries that appeared copied.  All contractor types reported an ability to identify overdocumentation.

Most of the contractors defended their limited use of EHR-specific claim review procedures on the basis of having received only “limited guidance” from CMS about the vulnerabilities of EHRs.  ZPICs reported having received no guidance whatsoever from CMS on the matter.  The guidance given apparently was very general in nature, such as “medical record keeping within an EHR deserves special considerations.” (See OIG January 2014 Report, Table 3, pg. 8.) True enough, but hardly instructive.

OIG recommended to CMS that it provide specific guidance to its contractors on detecting EHR fraud, including working with them to identify best practices, and focusing on EHR documentation and electronic signatures in EHRs.  OIG also recommended that CMS instruct contractors to use a provider’s EHR audit logs to authenticate the medical record supporting a claim.  CMS agreed with the first recommendation, stating specifically that it plans to produce guidance on appropriate use of the “copy-paste” feature in EHRs.  Regarding the use of audit logs, CMS acknowledged their usefulness but stated that they are not always appropriate and that such a review requires special training.

So the sophistication of EHR audits is really just in its infancy.  Based on these two OIG EHR fraud reports, we should expect new audit techniques to be rolled out by CMS and its contractors.  Guidance regarding the use of the “copy-paste” feature might be welcome, assuming it is reasonable.  While providers should not be completely deprived of the time-saving benefits of word processing capabilities for entries that appear routine and rote, copying large amounts of text from prior records does not appear to be a best practice by OIG standards.

Until further guidance is issued, one thing is clear per the OIG report:  Keep audit logs on at all times and never alter them; to do otherwise could raise a red flag with an auditor.  As for the copy-paste, carry forward, and similar EHR features, such features may have been necessary in the beginning to encourage providers to consider making the transition from paper to electronic patient record-keeping.  EHR developers and their sales representatives essentially were faced with “teaching an old dog new tricks”, and absent the offer and promise of efficiency to learn these new tricks, EHR-documentation may have been a trick too hard to learn.  But denying claims on the sole basis of the similarity in documentation to other documentation in the EHR presumes that the documentation is inaccurate when that may not be the case.

As with most new technology, EHR development is an evolutionary process.  The somewhat “rote” and standardized vocabulary or value sets used in the documentation of patient care are necessary to some extent in order to achieve the ONC’s goal of interoperability between different EHR platforms.  Effective interoperability requires that, when patient data is transferred from one EHR to a different EHR, the data be appropriately and consistently interpreted by the provider on the other end for safe and effective clinical decision-making.  The EHR’s cut and paste, carry forward and similar features, when used properly, can help ensure that aspects of a patient’s history that are static are fully and accurately documented.  Although such EHR efficiency features might be somewhat curtailed over time as EHR vendors fine-tune the EHR computer language for interoperability, completely turning off such functions at this stage of EHR development could be an impediment to care and deserves careful consideration.  As Dr. Doug Fridsma notes in his February 8, 2014 post on the HealthITBuzz blog, “interoperability is complicated”.

Stay tuned to Wyatt HITECH Law for further guidance from CMS on EHR documentation best practices.
