HHS Report: Electronic Health Records Still Vulnerable to Fraud

According to a new report from the Department of Health and Human Services, many healthcare providers and hospital companies still have a long way to go when it comes to enhancing fraud protection in their electronic health records systems.

The Office of Inspector General for the Department of Health and Human Services (HHS-OIG), which conducted the report, administered an online questionnaire to 864 hospitals to assess the extent to which hospitals implemented fraud safeguards for electronic health records (EHR) and the technology used to maintain them.

The results from the report were mixed, with some progress on securing EHR and some alarming lapses. According to HHS-OIG, “nearly all hospitals” with EHR systems had in place audit functions, as well as user authorization and access controls, but many are not using them to their fullest extent.

“The concern is that electronic health records make it a lot easier to commit fraud,” says Judith Waltz, a partner with law firm Foley & Lardner, including Medicare and Medicaid fraud.

The HHS-OIG is not the only federal agency concerned with addressing fraud vulnerabilities in EHRs. In September 2012, HHS Secretary Kathleen Sebelius and U.S. Attorney General Eric Holder issued a letter to the heads of five hospital associations in which they cited “troubling indications” that some providers are using EHRs to “game the system, possibly to obtain payments to which they are not entitled,” the letter said.

It's not very often that HHS-OIG and the Department of Justice issue these joint pronouncements, says Waltz. Thus, the letter indicates just how high of a priority electronic health report fraud is with the government right now, she says.

The increased attention paid to this area comes at a time when implementation of EHRs among healthcare providers—hospitals, medical practices, and nursing facilities—continues to rise. According to a recent report conducted by the National Center for Health Statistics, 78 percent of office-based physicians used an EHR system in 2013, up from 18 percent in 2001.

“We're certainly at a place in the adoption of EHRs where more providers have them than not,” says Michelle Dougherty, director of research and development at the American Health Information Management Association, an association of health information management worldwide. At the same time, she says, “we're still learning the new rules of the road with EHRs and documentation and what some of the potential challenges might be that providers need to address.”

The driving force behind the adoption of EHRs follows enactment of the 2009 HITECH Act, which provides incentive payments to doctors and hospitals for adoption of EHR systems. By 2015, the government will begin charging a one percent fee on Medicare payments for those entities that have not implemented an EHR system, a fine that will increase to three percent by 2018.

Cloning and Over-Documentation Concerns

In order to effectively adopt EHRs, however, healthcare providers still have a lot of compliance wrinkles to iron out. Among one of the biggest potential fraud vulnerabilities cited in the report is the widespread use of copy-paste functions (also known as cloning) in EHR documentation practices. Cloning enables users to take portions of an existing medical record and replicate it in another.

“In some circumstances, cloning is very useful,” says Waltz. It simplifies the process for documenting a patient's medical history, which offers advantages for patients and practitioners alike, she says.

Where fraud vulnerabilities arise is when cloning is used in lieu of clinical decision making. “When doctors, nurses, or other clinicians copy and paste information—but fail to update it or ensure accuracy—inaccurate information may enter the patient's medical record and inappropriate charges may be billed to patients and third-party healthcare payers,” the report stated.

HHS-OIG also expressed concern that copying a patient's medical information can also “facilitate attempts to inflate claims and duplicate or create fraudulent claims.” This concern is exacerbated by the finding that “only about one-quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology,” the report stated.

“The concern is that electronic health records make it a lot easier to commit fraud.”

—Judith Waltz,

Partner,

Foley & Lardner

“You want to build in efficiencies to the greatest extent possible, but you have to be careful that you're not compromising accuracy,” says Kenya Woodruff, of counsel in the healthcare practice group of Haynes and Boone.

The second biggest concern the report addressed is the use of over-documentation, which HHS-OIG describes as “the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher-level services.”

Many healthcare providers are using EHRs “not only as a tool for patient care documentation, but also patient care management,” says Woodruff. For example, EHR systems have the ability to alert a physician to suggested drugs or medical treatment. “When the system starts to suggest those things to the provider, that raises questions of medical necessity and clinical judgment,” she says.

“Other systems generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate,” the report stated. Such features can produce information suggesting the practitioner performed medical services than were never actually rendered.

Establishing Controls

From a practical standpoint, the first step for healthcare providers is to implement an EHR system that works for them. If the system is automatically populating fields that it shouldn't be, or you get reports from staff about irregularities in the system, “there has to be a team that is immediately ready to respond to that,” says Woodruff.

From a compliance perspective, healthcare entities “need to establish internal protocols and mechanism to ensure that they have accurate documentation that reflects medical necessity,” says Dougherty.

Recommended EHR Fraud Management Safeguards

The following is a list of recommendations by the Office of Inspector General for the Department of Health and Human Services for fraud management safeguards in electronic health records.

Audit Functions. Audit functions, such as audit logs, track access and changes within a record chronologically by capturing data elements, such as date, time, and user stamps, for each update to an EHR. An audit log can be used to analyze historical patterns that can identify data inconsistencies. To provide the most benefit in fraud protection, audit logs should always be operational while the EHR is being used and be stored as long as clinical records. Users should not be able to alter or delete the contents of the audit log.

User Authorization and Access Controls. Access controls are policies and EHR technology features that require unique identifiers, passwords, and user authentication to help prevent

inappropriate access to EHRs. Such access controls discourage fraud schemes that involve stealing provider and patient information to submit false claims. These controls can also

validate claims by verifying that services align with provider profiles associated with unique identifiers.

Data Transfer Standards. These standards are technology features that restrict the printing, transferring, or exporting of EHR data by requiring a distinct authorization and additional documentation and tracking elements. Unrestricted export of EHRs could make patient information readily available to create fraudulent claims.

Patient Involvement in Anti-Fraud. EHR technology can allow patients to view their medical records and make comments in their EHRs. Patients may be able to help detect potentially fraudulent activity by identifying errors and validating the services that they receive from their providers.

Source: HHS-OIG.

Another important component of an effective EHR system is that it be user-friendly, says Waltz. A healthcare provider can have “bells and whistles that are really good from a compliance perspective,” but that doesn't mean practitioners will use the system if it's too complicated to use, or they're not comfortable using it, she says.

Beyond implementation of the right EHR system, “information governance and related audit processes are crucial,” says Dougherty. Paying attention to how practitioners make decisions, and how they are ensuring the accuracy of patient data, she says.

The next step is to implement monitoring processes, Dougherty adds, “to ensure that the information contained in a patient's EHR accurately reflects services delivered.

Additionally, a new trend cited by the report is the increasing role of patient involvement in anti-fraud practices. With easier access to their medical records as a result of EHRs, more patients subsequently are able to more easily detect potentially fraudulent activity by identifying errors and validating the services that they receive from their providers. “We're hearing from our members that there's been an increase in requests to correct records,” says Dougherty.

That's a compliance concern that should be addressed as well, she says. “What specific information is being corrected for inaccuracies? What are the underlying causes of that?” she says.

More to Come?

In January, HHS-OIG issued a second report directed at the Centers for Medicare and Medicaid Services and its contractors. In that report, HHS-OIG similarly expressed concern that CMS and contractors, like healthcare entities, are not doing enough to identify fraudulent vulnerabilities in EHRs.

“Specifically, few contractors were reviewing EHRs differently from paper medical records. In addition, not all contractors reported being able to determine whether a provider had copied language or over-documented in a medical record,” the report stated. CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.”

The underlying concern is to what extent federal agencies feel regulations are necessary. “We are in an era where we are experimenting with new and innovative ideas, and we definitely want to encourage that and hope that it increases,” says Woodruff, “but there is always that balance between regulation that is necessary, and regulation that impedes progress.”