OIG Reports Fraud Vulnerabilities in Electronic Health Records

A report entitled, “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” highlighting the vulnerabilities associated with electronic health records (EHRs), which criticized the Centers for Medicare and Medicaid Services (CMS) for its failure to adopt sufficient guidelines to prevent and detect fraud associated with EHRs, was published on January 8, 2014 by the Department of Health and Human Services (HHS) Office of Inspector General (OIG).1 This January 2014 Report was not the first publication to discuss potential EHR liability. In fact, it is a companion follow up report to a December 2013 report regarding the use of the “copy-paste” feature by hospitals in their EHR technology, which “could pose a fraud vulnerability.”2

In recent years, many hospitals and healthcare providers have taken affirmative steps to digitize patient medical records, largely in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HITECH Act was enacted to stimulate the adoption of EHRs by healthcare providers in the U.S. by offering financial incentives to healthcare providers that demonstrate “meaningful use” of EHRs.3 Providers must demonstrate meaningful use of certified EHR technology by meeting specified criteria, e.g.: (1) maintaining active medication lists; (2) recording smoking status for patients 13 years and older; and, (3) maintaining up-to-date problem lists of current and active diagnoses, established by the HHS Secretary.4 Eligible providers meeting these criteria can receive up to $44,000 per physician through the Medicare EHR Incentive Program, and up to $63,750 per physician through the Medicaid EHR Incentive Program.5 Starting in 2015, all Medicare-eligible healthcare providers who fail to implement EHR and participate in the meaningful use incentive program will be subject to financial penalties, which may result in as much as a three percent annual reduction to their Medicare or Medicaid fees.6 Likely motivated by these new regulations, the number of healthcare entities that have adopted an EHR system has nearly tripled since 2009, from approximately 15% to 44% of entities.7

In its initial December 2013 study, the OIG administered an online questionnaire to the 864 hospitals that received Medicare EHR incentive payments as of March 2012 to determine whether appropriate safeguards against fraud had been implemented.8 The OIG found that, although nearly all the hospitals had audit functions in place, most of these facilities were not using the audit functions to their full extent due to: (1) limited human resources; (2) a lack of vendor-provided audit log user guides; and, (3) inadequate training on audit log functionality.9

Additionally, only about one quarter of hospitals had policies regarding the use of the “copy-paste” feature available in EHR technology.10 The “copy-paste” feature, also known as “cloning,” allows users to replicate information from one source to another location. This function can lead to fraud when users clone information but fail to update it, causing inaccurate and inappropriate charges to be billed.11  The OIG cautions that this feature could facilitate attempts by physicians to inflate or duplicate charges. In response to this issue, the OIG recommended that:

  1. Audit logs be implemented whenever EHR technology is available for updates or viewing;
  2. The Office of the National Coordinator for Health Information Technology (ONC) and CMS strengthen their efforts to develop a plan to address fraud vulnerabilities in EHRs; and,
  3. CMS develop guidance specifically on the use of the “copy-paste” feature in EHR technology.12

CMS concurred with all three of these recommendations by agreeing to work with ONC to develop a comprehensive plan to detect and reduce fraud in EHRs and to establish specific guidelines to ensure that the “copy-paste” feature is used appropriately.13

The January 2014 Report faults CMS for failing to adopt program integrity practices to address the potential for violations of healthcare fraud and abuse laws. OIG sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. The purpose of the study was to determine how, in light of the widespread adoption of EHRs, CMS and its contractors implemented program integrity practices.14 The OIG also reviewed guidance released by CMS and its contractors related to fraud vulnerabilities of EHRs, as well as Medicare claims.15

Ultimately, CMS found that, despite spending “considerable resources to promote widespread adoption of EHRs” and “paying over $22.5 billion in incentive payments,” CMS has “directed less attention to addressing potential fraud and abuse vulnerabilities in EHRs.16 According to the January 2014 Report, some contractors reported that they were unable to identify copied language and over documentation in medical records.17 The January 2014 Report also concluded that few contractors review EHRs differently than paper records, and that CMS has provided limited guidance to contractors on EHR fraud vulnerabilities.18 To address this lack of guidance, the OIG recommended that CMS:

  1. Provide guidance to its contractors on detecting fraud with EHRs; and,
  2. Direct its contractors to use the audit logs of providers to authentic medical records supporting a claim.19

With respect to the first recommendation, CMS stated that it has been actively considering the issue of fraud in EHRs, and intends to develop guidelines to ensure appropriate use of the “copy-paste” feature.20 While CMS partially concurred with the second recommendation regarding audit logs, it also noted that audit logs “may not be appropriate in every circumstance,” as review of audit logs requires special training to interpret and reconstruct the history of each medical record.21

These latest reports indicate continuing regulatory scrutiny of electronic patient records by the OIG.  The reports issued by the OIG may motivate healthcare providers to: (1) limit the use of the “copy-paste” feature in their EHR systems; (2) verify that copied material corresponds accurately to the corresponding encounter; (3) ensure that audit tools are operational whenever patient records are edited; and, (4) retain all audit records.

1
“CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” Department of Health and Human Services Office of Inspector General, January 2014, http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf (Accessed 4/2/2014).

2
“Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” Department of Health and Human Services Office of Inspector General, December 2013, http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf (Accessed 4/2/2014), Executive Summary.

3
“The ‘Meaningful Use’ Regulation for Electronic Health Records,” David Blumenthal & Marilyn Tavenner, The New England Journal of Medicine, Vol. 363, No. 6, August 5, 2010, p. 501.

4
Ibid, p. 501-502.

5
“Meaningful Use – Introduction,” Centers for Disease Control and Prevention, http://www.cdc.gov/ehrmeaningfuluse/introduction.html (Accessed 4/4/2014).

6
Ibid.

7
“Report Finds More Flaws in Digitizing Patient Files,” Reed Abelson & Julie Creswell, The New York Times, January 8, 2014, http://www.nytimes.com/2014/01/08/business/report-finds-more-flaws-in-digitizing-patient-files.html, (Accessed 4/4/2014).

8
Department of Health and Human Services Office of Inspector General, “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” December 2013, p. 7.

9
Ibid, p. 9.

10
Ibid, p. 14.

11
Ibid, p. 3.

12
Ibid, p. 15-16.

13
Appendix C – Agency Comments, “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” Department of Health and Human Services Office of Inspector General, December 2013, http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf (Accessed 4/2/2014) p. 21.

14
Department of Health and Human Services Office of Inspector General, “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” January 2014, p. 1.

15
Ibid.

16
Ibid, p. 9.

17
Ibid.

18
Ibid.

19
Ibid.

20
Appendix A – Agency Comments, “CMS and its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs,” Department of Health and Human Services Office of Inspector General, January 2014, p. 11.

21
Ibid, p. 12.

© Health Capital Consultants
Todd A. Zigrang

Todd A. Zigrang, MBA, MHA, CVA, ASA, FACHE, ABV, is the President of Health Capital Consultants (HCC), where he focuses on the areas of valuation and financial analysis for hospitals, physician practices, and other healthcare enterprises. Mr. Zigrang has over 28 years of experience providing valuation, financial, transaction and strategic advisory services nationwide in over 2,000 transactions and joint ventures. Mr. Zigrang is also considered an expert in the field of healthcare compensation for physicians, executives and other professionals.

Mr. Zigrang is the co-author of "The Adviser’s Guide to Healthcare – 2nd Edition" [2015 – AICPA], numerous chapters in legal treatises and anthologies, and peer-reviewed and industry articles such as: The Accountant’s Business Manual (AICPA); Valuing Professional Practices and Licenses (Aspen Publishers); Valuation Strategies; Business Appraisal Practice; and, NACVA QuickRead. In addition to his contributions as an author, Mr. Zigrang has served as faculty before professional and trade associations such as the American Society of Appraisers (ASA); the National Association of Certified Valuators and Analysts (NACVA); Physician Hospitals of America (PHA); the Institute of Business Appraisers (IBA); the Healthcare Financial Management Association (HFMA); and, the CPA Leadership Institute.

Mr. Zigrang holds a Master of Science in Health Administration (MHA) and a Master of Business Administration (MBA) from the University of Missouri at Columbia. He is a Fellow of the American College of Healthcare Executives (FACHE) and holds the Certified Valuation Analyst (CVA) designation from NACVA. Mr. Zigrang also holds the Accredited Senior Appraiser (ASA) designation from the American Society of Appraisers, where he has served as President of the St. Louis Chapter. He is also a member of the America Association of Provider Compensation Professionals (AAPCP), AHLA, AICPA, NACVA, NSCHBC, and, the Society of OMS Administrators (SOMSA).

Jessica L. Bailey-Wheaton

Jessica L. Bailey-Wheaton, Esq., is Senior Vice President and General Counsel of HCC. Her work focuses on the areas of Certificate of Need (CON) preparation and consulting, as well as project management and consulting services related to the impact of both federal and state regulations on healthcare transactions. In that role, Ms. Bailey-Wheaton provides research services necessary to support certified opinions of value related to the Fair Market Value and Commercial Reasonableness of transactions related to healthcare enterprises, assets, and services.

She serves on the editorial board of NACVA’s The Value Examiner and is the current Co-Chair of the American Bar Association (ABA) Health Law Section’s Membership Committee and the Young Lawyer Division (YLD) Liaison to the ABA Health Law Section Governing Council. She has previously presented before the ABA, American Health Law Association (AHLA). NACVA, the National Society of Certified Healthcare Business Consultants (NSCHBC), and the American College of Surgeons.

Ms. Bailey-Wheaton is a member of the Missouri and Illinois Bars and holds a J.D., with a concentration in Health Law, from Saint Louis University School of Law.

Janvi R. Shah

Janvi R. Shah, MBA, MSF, CVA, serves as Senior Financial Analyst of HCC. Mrs. Shah holds a M.S. in Finance from Washington University Saint Louis and the CVA designation from NACVA. She develops fair market value and commercial reasonableness opinions related to healthcare enterprises, assets, and services. In addition she prepares, reviews and analyzes forecasted and pro forma financial statements to determine the most probable future net economic benefit related to healthcare enterprises, assets, and services and applies utilization demand and reimbursement trends to project professional medical revenue streams and ancillary services and technical component (ASTC) revenue streams.

Click Here for More Information on
HCC's Leadership and Capabilities
© Health Capital Consultants
Healthcare Valuation Banner Advisor's Guide to Healthcare Banner Accountable Care Organizations Banner