
Report (OEI-01-11-00570)

Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology




Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. The Office of the National Coordinator for Health Information Technology (ONC), which coordinates the adoption, implementation, and exchange of EHRs, contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology. This study determined how hospitals that received EHR Medicare incentive payments, administered by the Centers for Medicare & Medicaid Services (CMS), had implemented recommended fraud safeguards for EHR technology.


We administered an online questionnaire to the 864 hospitals that received Medicare incentive payments as of March 2012. The questionnaire focused on the presence of features and capabilities in Certified EHR Technology based on the RTI-recommended safeguards regarding audit functions, EHR user authorization and access, and EHR data transfer. We also conducted onsite structured interviews with hospital staff and observed a demonstration of the hospitals' Certified EHR Technology in eight hospitals. Finally, we conducted structured surveys with four EHR vendors and asked them the extent to which they had incorporated recommended fraud safeguards into their products.


Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.


We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.

Copies can also be obtained by contacting the Office of Public Affairs at

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201