A new report from the U.S. Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) indicates that the Centers for Medicare & Medicaid Services (CMS) has not adopted practices that would protect fraud vulnerabilities in electronic health record (EHR) systems.
The report details the protections CMS has given for EHR facilitate fraud activities such as copy-pasting and over documentation. It also looks at how EHRs could protect against fraud including audit logs, access controls, and export controls. Overall, it found CMS has provided limited guidance to contractors on fraud vulnerabilities
For the report, which can be found online, the HHS OIG sent a questionnaire to CMS officials and program integrity contractors who use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. They asked about policies and procedures specific EHR-related fraud. The researchers from HHS OIG also reviewed guidance documents and policies on this subject.
Overall, the report states how despite the HHS spending considerable time and resources to promote the widespread adoption of EHRs, not much attention has been given to fraud and abuse vulnerabilities in the systems. CMS has not changed their program integrity strategies in light of EHR adoption.
According to the report, few contractors for CMS review digital records beyond what they do for paper medical records. Additional reviews are not required by CMS, according to the report. The researchers also discovered that not all contractors were able to determine whether or not providers had copied language in the EHR or over-documented.
“Opportunities for a provider to inappropriately copy-paste language and over-document in a medical record for higher payment exist in paper medical records as well as EHRs. However, features in EHR technology make it easier for providers to copy-paste and over-document in EHRs,” it says in the report.
This is the second report in as many months on EHR-related fraud. Last month, HHS OIG suggested there was a lack of urgency on the part of provider organizations about protecting patients from the potential misuse of their data. It also touched on the copy and paste, over-documentation vulnerabilities.
HHS OIG made two recommendations: To have CMS provide guidance on detetcing fraud associated with EHRs and to direct its contractors to use providers' audit logs. CMS agreed with the first and partially agreed with the second.
In the report, CMS officials stated that it intends to develop guidance on the appropriate use of the copy-paste feature in EHRs. It also stated that it will work with its contractors to identify best practices for detecting fraud associated with EHRs. On audit logs, it said they could be used to ensure accuracy but also they may not be appropriate in every circumstance and that review of audit logs requires special training.