Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology

Related Podcast

Fraud Safeguards in Electronic Health Records

Danielle Fletcher, a program analyst for the Office of Evaluation and Inspections, is interviewed by Joyce Greenleaf, Regional Inspector General in Boston.


Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. ONC, which coordinates the adoption, implementation, and exchange of EHRs, contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology. This study determined how hospitals that received EHR Medicare incentive payments, administered by CMS, had implemented recommended fraud safeguards for EHR technology.


We administered an online questionnaire to the 864 hospitals that received Medicare incentive payments as of March 2012. The questionnaire focused on the presence of features and capabilities in Certified EHR Technology based on the RTI-recommended safeguards regarding audit functions, EHR user authorization and access, and EHR data transfer. We also conducted onsite structured interviews with hospital staff and observed a demonstration of the hospitals' Certified EHR Technology in eight hospitals. Finally, we conducted structured surveys with four EHR vendors and asked them the extent to which they had incorporated recommended fraud safeguards into their products.


Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.


We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.