EHR Technology Vulnerable to Fraud

The federal government is spending more than $22 billion to encourage the creation of electronic health records (EHRs). Medical transcription integrated with EHRs is enhancing clinical documentation practices. However, a federal oversight agency has cautioned that electronic health record technology can make it easier to commit fraud and that there are not sufficient safeguards to prevent this is.

A recent report released by the Office of the Inspector General (OIG) for the Health and Human Services Department (HSS) found that flaws in EHR can lead to overcharging. An online questionnaire was sent to Centers for Medicare and Medicaid Services (CMS) administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. These contractors include Medicare Administrative Contractors (MACs), Zone Program Integrity Contractors (ZPICs), and Recovery Audit Contractors (RACs). The reports were also based on reviews of guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers.

HSS Report Findings

The online survey found that CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities. The other key findings of the HSS report are

• CMS and its contractors had adopted few program integrity practices specific to EHRs
• Few contractors were reviewing EHRs differently from paper medical records
• Not all contractors reported being able to determine whether a provider had copied language or overdocumented in a medical record

How EHR Facilitates Fraud

Here are some examples of how EHR documentation practices could be used to commit fraud:

• Copy-pasting or cloning: This enables users to select information from one source and replicate it in another location. Inaccurate information may be entered in the patient’s medical record and inappropriate charges may be billed to patients and third-party health care payers, when physicians or nurses copy-paste information, but fail to update it.
• Over-documentation: This refers to the practice of inserting false or invalid documentation to create the appearance of support for billing higher level services.

Recommendations of the OIG

The Office of Inspector General reported that CMS and its contractors have not adjusted their practices for identifying and investigating fraud in EHRs. The OIG report recommends that CMS should take the following measures to prevent EHR fraud:

• CMS should provide guidance to its contractors on detecting fraud associated with EHRs and work with contractors to identify best practices and develop guidance and tools for detecting EHR-related fraud
• CMS should direct its contractors to use providers’ audit logs. Audit log data set EHRs apart from paper medical records and could useful to CMS’s contractors when medical records are reviewed

However CMS has agreed with the first recommendation and partially concurred with the second recommendation. The Office of the National Coordinator for Health Information Technology (ONC) that coordinates the adoption, implementation, and exchange of EHRs has contracted with RTI International to develop recommended requirements for enhancing data quality in EHRs. Recommendations include audit logs, access controls, including passwords, and export controls that restrict transferring information. Medicare has reiterated that it is working to develop strong standards for validating EHRs to ensure that patients receive the care they need, while protecting taxpayers from fraud waste and abuse.