Although most clinical laboratories and pathology groups do not use EHR systems, the OIG’s finding should alert them to possible problems with audit integrity of their clients’ EHRs
Electronic Health Record (EHR) systems were supposed to prevent fraud, but a recent report from one federal agency states that the fraud safeguards built into EHR systems are not in engaged by a majority of users.
Pathologists and clinical laboratory managers with the responsibility to maintain security of software systems used in their medical laboratories may be interested to read “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” a report issued by the Health and Human Services’ (HHS) Office of the Inspector General (OIG).
In this report, the OIG determined that the majority of organizations with EHRs do not use or can manipulate or eliminate EHR fraud safeguards. Healthcare fraud is a major concern of the federal government. For example, in 2009, CMS estimated that annual costs associated with healthcare fraud are between $75 billion and $250 billion.
EHR Fraud Safeguards Could Save Medicare Billions Annually
Lack of fraud safeguards in EHR systems may encourage providers to upcode Medicare claims to more intensive services as a way to receive higher reimbursement. Other ways that EHRs can be used inappropriately are to ‘clone’ medical records (cut-and-paste notes from previous patient visits into the system) and use templates that gather only selected information for reimbursement purposes. All of these actions by providers are Medicare fraud violations.
This is not the first report on how EHRs may be enabling fraud. In 2011, the OIG released a study of questionable Medicare billings. It determined that doctors and other medical professionals had added $11 billion to their fees over the previous decade by billing for more complex services than they had actually provided to elderly patients. (See Dark Daily, “Medicare Officials Raise Issue of Fraud as Greater Use of Electronic Health Records Increases the Number of Claims Upcoded to More Complex CPT Codes,” February 22, 2013.)
Most Hospitals Surveyed Do Not Use EHR Audit Logs to Detect Fraud
Of particular concern to federal healthcare officials is the EHR audit log. This records who enters data into a patient’s file, whether the information was typed or cut-and-pasted from a template, and who accessed the file after it was created. The EHR audit log also reveals whether any part of the patient record was changed retroactively because this could be key evidence in fraud investigatons and malpractice cases, noted a report published by Modern Healthcare. The OIG explained that audit logs monitor user activity; therefore, they are an important tool against EHR fraud.
The OIG survey of nearly 900 hospitals between October 2012 and January 2013 found that nearly all the hospitals, which use Certified EHR Technology, had the audit functions in place that are recommended by Medicare contractor RTI International. However, the majority of hospitals are not using these audit functions to their full extent. About one-third of RTI’s recommended safeguards concern audit log operation and content.
One interesting finding is that the majority of hospitals use their audit logs to look for violations of patient privacy breeches, but not to detect fraud, noted a report published by Health IT Security. Hospitals are obviously responding to the requirement that they safeguard protected health information (PHI). Penalties for violation of patient privacy laws are substantial.
Nearly Half of Hospitals Surveyed Admit Deleting EHR Audit Logs
While 98% of hospitals reported that their audit logs remain operational at all times, about 44% of them are deleting their audit files, which is against OIG advice. The Health IT Security report suggested that one reason the audit log is largely ignored is because users are unaware of its features, probably due to lack of audit log training. Four EHR vendors interviewed by Health IT Security said that they provide standard product implementation and training, but hospitals do not commonly ask for extensive training in audit log capabilities.
“Considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to ‘delete the contents of their internal audit logs whenever they’d like and to edit audit trails… is simply alarming,” declared Scot M. Silverstein, M.D., Assistant Professor of in Health Informatics and Information Technology at Drexel University’s Institute for Healthcare Informatics, noted in a Health Care Renewal blog.
Moreover, 33% of hospitals surveyed by the OIG say their systems allow users to disable the audit log, and 11% of systems allow users to edit EHR records at will, according to the Modern Healthcare report.
Copy-Paste Feature in EHR Systems Facilitates Fraud
The OIG also found that a copy-paste feature in EHR technology facilitates fraud. The copy-paste feature in EHRs is intended to enhance efficiency of data entry, but also provides opportunities to inflate, duplicate, or create fraudulent healthcare claims.
RTI acknowledges the potential for misuse of the copy-paste feature and recommended capturing use of this feature in the audit log. However, only 24% of hospitals had policies in place to control use of copy-paste, and only 44% of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR system, noted the Health IT Security report.
OIG Recommendations to Improve EHR Fraud Security
In light of its findings, the OIG has recommended that:
- audit logs be operational whenever EHR technology is available for updates or viewing; and,
- The CMS and HHS Office of the National Coordinator for Health Information Technology (ONC) collaborate to create a comprehensive plan to address EHR fraud vulnerabilities.
The OIG also requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC have agreed with all OIG recommendations. This federal watchdog also wants CMS to require contractors that process Medicare claims on behalf of the government to examine EHR audit logs to determine who did what and when to a patient chart, noted a report published by Medscape.com.
While the ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, it did not directly address all of these safeguards in Stage 1 Meaningful Use certification requirements. However, Stage 2 Meaningful Use requires that EHR technology must be able to detect whether the audit log has been altered.
Why Pathologists and Labs Need to Know About OIG Fraud Initiatives
EHR fraud is not an issue for most clinical laboratories and pathology groups, which typically do not use EHRs. But since medical laboratories and pathology groups feed data into hospital and physician EHRs, it may be useful for pathologists and laboratory managers to understand the OIG’s concerns and types of investigations and compliance actions, including whether providers are meeting Stage 2 Meaningful Use requirements, that will be used to thwart provider fraud activities going forward.
—by Patricia Kirk