Skip to content Skip to navigation

OIG Report Paints Disconcerting Reality of EHR-Related Fraud

December 11, 2013
| Reprints

A few weeks ago I wrote a blog about the ripe potential that exists within healthcare for identity theft.

This has been one of the stories of the year as far as I’m concerned. As I said, healthcare providers need to get consumers more involved and active about the issue of data protection. I truly believe that the more engaged consumers are with their healthcare, the more pressure will be put on providers to ensure their data is safeguarded at all costs.

Right now, there are not enough resources, both fiscal and operational, being put into this. To be frank, there is a lack of urgency on the provider side. Ask anyone in the privacy and security realm and I guarantee that’s what they will tell you.

I was once again reminded of this reality when I saw a report this week from the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG). In my opinion, it suggests more proof there is a lack of urgency on the part of provider organizations about protecting patients from the potential misuse of their data. The report touches on the issue of fraud safeguards within the electronic health record (EHR).

The OIG questioned 864 hospitals that received EHR Medicare incentive payments as of March 2012 about whether or not they embedded fraud safeguards within their systems. The safeguards are based on recommendations from RTI International, a nonprofit research group.

While some of the results of the OIG’s study are encouraging (nearly all had RTI-recommended audit functions in place, including data transfer safeguards), it was clear from the report that these hospitals could be doing much better. For instance, only one quarter of hospitals had policies regarding the use of copy and paste functions within EHR technology.

The risk of this function is that it can “facilitate attempts to inflate, duplicate, or create fraudulent health care claims,” the OIG says. RTI recommends providers that use this function record it in an audit log. Not  only did most hospitals not have policies surrounding the use of copy-and-paste EHR functionality, researchers found that only 44 percent of hospitals had audit logs that record the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data is entered in the EHR.

Moreover, 44 percent of providers can actually delete audit logs at will, which is a bit scary. None of the providers analyze their audit logs to prevent or detect fraud, such as by identifying duplicate or fraudulent claims and inflated billing. To its credit, the Centers for Medicare and Medicaid Services (CMS) and the Office for the National Coordinator for Health IT (ONC) have agreed to develop guidance on the use of the copy-paste feature in EHR technology.

One of the most alarming parts of the OIG report is where researchers state that few hospitals have added additional features to get patients to take a stronger role in detecting fraud. For example, only 9 percent of hospitals allow patients to comment in the EHR, to view where the hospital released their EHRs, or to view who accessed their EHRs.

Allowing patients to access their own EHR would go a long way in detecting fraud. Yet hospitals aren’t doing it. They cite interoperability, privacy, and--big surprise--funding issues in letting patients have access to these features. Of the four EHR vendors OIG spoke with, one told researchers that “providing patient access tends to be one of the last features a hospital implements after focusing on initiating other EHR functions.”

In light of this report, it’s good to know that CMS and ONC are promising guidance and federal oversight on EHR fraud vulnerabilities. Last year, I recall HHS Secretary Kathleen Sebelius and U.S. Attorney General Eric Holder putting provider-based organizations on notice that the government was going to prevent EHR-related healthcare fraud activities like upcoding.

While that was and is appreciated, it’s this editor’s opinion that a lot of this comes down to the providers themselves.

A few weeks ago, the Office of the Attorney General of California and the American Health Information Management Association (AHIMA) released guidelines for preventing and remedying medical identity theft. (It’s worth noting that the list of recommended guidelines for providers to prevent fraud was longer than the lists for payers, health information organizations, and policymakers.)

I won’t rehash all of their guidelines, but for providers, they center on building identity theft awareness with the patient and deploying technical fraud prevention measures.

In other words, identity theft, EHR fraud…it doesn’t matter. The buck stops with them.

What do you think? Feel free to write something in the comments below or tweet me at @HCI_GPerna.