Transcript for audio podcast: Fraud Safeguards in Electronic Health Records
From the Office of Inspector General of Department of Health and Human Services
[Joyce Greenleaf] I'm Joyce Greenleaf, the Regional Inspector General for the Office of Evaluation and Inspections in Boston. With me is program analyst Danielle Fletcher to talk about two evaluations on fraud safeguards in electronic health records, or EHRs. Danielle, what are EHRs?
[Danielle Fletcher] EHRs are computer applications and tools that document and store patient health information. EHRs replace traditional paper medical records with computerized recordkeeping.
[Joyce Greenleaf] Why is OIG interested in EHRs?
[Danielle Fletcher] Since 2011, the Federal government has paid more than $13.5 billion dollars to encourage doctors and hospitals to adopt EHRs. While EHRs can improve care and lower costs, some think it might make committing healthcare fraud easier.
[Joyce Greenleaf] Tell us about concerns related to EHRs and fraud.
[Danielle Fletcher] One concern is copy-paste, where a nurse or doctor electronically copies part of a patient's chart and pastes it into another location of that chart or another patient's chart. This feature could be used inappropriately to bulk up, or over-document, a patient's record to fraudulently bill for services that weren't provided.
[Joyce Greenleaf] What can providers do to make sure that they are using their EHRs appropriately?
[Danielle Fletcher] Well, the Department of Health and Human Services contracted with RTI International to come up with recommendations to strengthen fraud protections in EHRs. They focused on improved data protection, validity, accuracy, and integrity.
[Joyce Greenleaf] What sorts of things did RTI recommend?
[Danielle Fletcher] They focused on using audit logs. Audit logs capture information about when, where, and how data are entered into a patient's EHR. This data can help fraud investigators determine the authenticity of EHRs.
[Joyce Greenleaf] In your first report, you found that hospitals have implemented most of the recommended safeguards, but they aren't using the safeguards to their full extent. What do you mean by that?
[Danielle Fletcher] Well, let's look at the audit logs. We found that hospitals captured most of the recommended data, and stored their audit logs, according to RTI recommendations.
[Joyce Greenleaf] So what's the problem?
[Danielle Fletcher] Two things, really. First, nearly half of hospitals said they could delete audit logs and a third of hospitals said they could disable their audit logs. Deleting or disabling audit logs makes it harder to prevent and detect fraud. Second, most hospitals didn't analyze audit logs with the intent to try and identify duplicate and fraudulent claims and inflated billing.
[Joyce Greenleaf] What else did you find?
[Danielle Fletcher] Hospitals were doing well with recommended user authorization practices and data transfer standards. But, fewer than half of hospitals said they allowed patients to view their EHRs - so patients can't help flag mistakes or fraudulent activity
[Joyce Greenleaf] You also examined hospitals' use of copy-paste, meaning copying and pasting electronically on a computer. Tell us about that?
[Danielle Fletcher] RTI acknowledges the potential for misuse of copy-paste and only a quarter of hospitals reported having polices governing its use.
[Joyce Greenleaf] What about the second report?
[Danielle Fletcher] That report looked at how Medicare is adjusting program integrity efforts to deal with EHRs. It also covers HHS contractors who oversee the Medicare program.
[Joyce Greenleaf] And what did you find?
[Danielle Fletcher] We found that the Center for Medicare and Medicaid Services, also known as CMS, and its contractors haven't really adjusted their program integrity strategies for electronic records versus paper records.
[Joyce Greenleaf] Okay that sounds serious. Tell us more about that.
[Danielle Fletcher] Only a few contractors reviewed EHRs differently from paper medical records. Some contractors weren't able to determine whether a provider copied language or over-documented in a medical record, which could indicate fraudulent billing in an electronic record.
[Joyce Greenleaf] Why aren't contractors doing more, Danielle?
[Danielle Fletcher] Well, probably because Medicare hasn't given a lot of guidance to them.
[Joyce Greenleaf] Okay, given all we've discussed today, what did you recommend to prevent fraud using EHRs?
[Danielle Fletcher] We recommended that providers always keep their audit logs turned on. We also recommended that HHS address fraud vulnerabilities and that Medicare develop guidance on using the copy-paste function. Finally, Medicare needs to provide its contractors with guidance on detecting fraud in EHRs, and reviewing audit logs. And HHS agreed with all these recommendations.
[Joyce Greenleaf] Thank you, Danielle, for talking about your work on fraud safeguards in EHRs.
[Danielle Fletcher] You're very welcome Joyce.
Let's start by choosing a topic
Priority recommendations summarized.
FY 2017 Work Plan
OIG projects planned for 2017.
Significant OIG activities in 6-month increments.