OIG Reports Fraud Vulnerabilities in Electronic Health Records

On January 8, 2014, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) published a report entitled “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs.” The report highlights the vulnerabilities associated with electronic health records (EHRs) and criticizes the Centers for Medicare and Medicaid Services (CMS) for its failure to adopt sufficient guidelines to prevent and detect fraud associated with EHRs.1 This January 2014 Report was not the first publication to discuss potential EHR liability. In fact, it is a companion follow-up report to a December 2013 report regarding the use of the “copy-paste” feature by hospitals in their EHR technology, which “could pose a fraud vulnerability.”2

In recent years, many hospitals and healthcare providers have taken affirmative steps to digitize patient medical records, largely in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HITECH Act was enacted to stimulate the adoption of EHRs by healthcare providers in the U.S. by offering financial incentives to healthcare providers that demonstrate “meaningful use” of EHRs.3 Providers must demonstrate meaningful use of certified EHR technology by meeting specified criteria established by the HHS Secretary, e.g.: (1) maintaining active medication lists; (2) recording smoking status for patients 13 years and older; and, (3) maintaining up-to-date problem lists of current and active diagnoses.4 Eligible providers meeting these criteria can receive up to $44,000 per physician through the Medicare EHR Incentive Program, and up to $63,750 per physician through the Medicaid EHR Incentive Program.5 Starting in 2015, all Medicare-eligible healthcare providers who fail to implement EHR and participate in the meaningful use incentive program will be subject to financial penalties, which may result in as much as a three percent annual reduction to their Medicare or Medicaid fees.6 Likely motivated by these new regulations, the number of healthcare entities that have adopted an EHR system has nearly tripled since 2009, from approximately 15% to 44% of entities.7

In its initial December 2013 study, the OIG administered an online questionnaire to the 864 hospitals that received Medicare EHR incentive payments as of March 2012 to determine whether appropriate safeguards against fraud had been implemented.8 The OIG found that, although nearly all the hospitals had audit functions in place, most of these facilities were not using the audit functions to their full extent due to: (1) limited human resources; (2) a lack of vendor-provided audit log user guides; and, (3) inadequate training on audit log functionality.9

Additionally, only about one quarter of hospitals had policies regarding the use of the “copy-paste” feature available in EHR technology.10 The “copy-paste” feature, also known as “cloning,” allows users to replicate information from one source to another location. This function can lead to fraud when users clone information but fail to update it, causing inaccurate and inappropriate charges to be billed.11 The OIG cautions that this feature could facilitate attempts by physicians to inflate or duplicate charges. In response to this issue, the OIG recommended that:

  1. Audit logs be implemented whenever EHR technology is available for updates or viewing;
  2. The Office of the National Coordinator for Health Information Technology (ONC) and CMS strengthen their efforts to develop a plan to address fraud vulnerabilities in EHRs; and,
  3. CMS develop guidance specifically on the use of the “copy-paste” feature in EHR technology.12

CMS concurred with all three of these recommendations by agreeing to work with ONC to develop a comprehensive plan to detect and reduce fraud in EHRs and to establish specific guidelines to ensure that the “copy-paste” feature is used appropriately.13

The January 2014 Report faults CMS for failing to adopt program integrity practices to address the potential for violations of healthcare fraud and abuse laws. OIG sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. The purpose of the study was to determine how, in light of the widespread adoption of EHRs, CMS and its contractors implemented program integrity practices.14 The OIG also reviewed guidance released by CMS and its contractors related to fraud vulnerabilities of EHRs, as well as Medicare claims.15

Ultimately, CMS found that, despite spending “considerable resources to promote widespread adoption of EHRs” and “paying over $22.5 billion in incentive payments,” CMS has “directed less attention to addressing potential fraud and abuse vulnerabilities in EHRs.”16 According to the January 2014 Report, some contractors reported that they were unable to identify copied language and over-documentation in medical records.17 The January 2014 Report also concluded that few contractors review EHRs differently than paper records, and that CMS has provided limited guidance to contractors on EHR fraud vulnerabilities.18 To address this lack of guidance, the OIG recommended that CMS:

  1. Provide guidance to its contractors on detecting fraud with EHRs; and,
  2. Direct its contractors to use the audit logs of providers to authenticate medical records supporting a claim.19

With respect to the first recommendation, CMS stated that it has been actively considering the issue of fraud in EHRs, and intends to develop guidelines to ensure appropriate use of the “copy-paste” feature.20 While CMS partially concurred with the second recommendation regarding audit logs, it also noted that audit logs “may not be appropriate in every circumstance,” as review of audit logs requires special training to interpret and reconstruct the history of each medical record.21

These latest reports indicate continuing regulatory scrutiny of electronic patient records by the OIG. The reports issued by the OIG may motivate healthcare providers to: (1) limit the use of the “copy-paste” feature in their EHR systems; (2) verify that copied material accurately reflects the corresponding encounter; (3) ensure that audit tools are operational whenever patient records are edited; and, (4) retain all audit records.


1. “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” Department of Health and Human Services Office of Inspector General, January 2014, http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf (Accessed 4/2/2014).

2. “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” Department of Health and Human Services Office of Inspector General, December 2013, http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf (Accessed 4/2/2014), Executive Summary.

3. “The ‘Meaningful Use’ Regulation for Electronic Health Records,” David Blumenthal & Marilyn Tavenner, The New England Journal of Medicine, Vol. 363, No. 6, August 5, 2010, p. 501.

4. Ibid, p. 501-502.

5. “Meaningful Use – Introduction,” Centers for Disease Control and Prevention, http://www.cdc.gov/ehrmeaningfuluse/introduction.html (Accessed 4/4/2014).

6. Ibid.

7. “Report Finds More Flaws in Digitizing Patient Files,” Reed Abelson & Julie Creswell, The New York Times, January 8, 2014, http://www.nytimes.com/2014/01/08/business/report-finds-more-flaws-in-digitizing-patient-files.html, (Accessed 4/4/2014).

8. Department of Health and Human Services Office of Inspector General, “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” December 2013, p. 7.

9. Ibid, p. 9.

10. Ibid, p. 14.

11. Ibid, p. 3.

12. Ibid, p. 15-16.

13. Appendix C – Agency Comments, “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” Department of Health and Human Services Office of Inspector General, December 2013, http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf (Accessed 4/2/2014) p. 21.

14. Department of Health and Human Services Office of Inspector General, “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” January 2014, p. 1.

15. Ibid.

16. Ibid, p. 9.

17. Ibid.

18. Ibid.

19. Ibid.

20. Appendix A – Agency Comments, “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” Department of Health and Human Services Office of Inspector General, January 2014, p. 11.

21. Ibid, p. 12.
