Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology
Danielle Fletcher, a program analyst for the Office of Evaluation and Inspections, is interviewed by Joyce Greenleaf, Regional Inspector General in Boston.
WHY WE DID THIS STUDY
Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. ONC, which coordinates the adoption, implementation, and exchange of EHRs, contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology. This study determined how hospitals that received EHR Medicare incentive payments, administered by CMS, had implemented recommended fraud safeguards for EHR technology.
HOW WE DID THIS STUDY
We administered an online questionnaire to the 864 hospitals that received Medicare incentive payments as of March 2012. The questionnaire focused on the presence of features and capabilities in Certified EHR Technology based on the RTI-recommended safeguards regarding audit functions, EHR user authorization and access, and EHR data transfer. We also conducted onsite structured interviews with hospital staff and observed a demonstration of the hospitals' Certified EHR Technology in eight hospitals. Finally, we conducted structured surveys with four EHR vendors and asked them the extent to which they had incorporated recommended fraud safeguards into their products.
WHAT WE FOUND
Nearly all hospitals with EHR technology had RTI-recommended audit functions in place, but they may not be using them to their full extent. In addition, all hospitals employed a variety of RTI-recommended user authorization and access controls. Nearly all hospitals were using RTI-recommended data transfer safeguards. Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts. Finally, only about one quarter of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.
WHAT WE RECOMMEND
We recommend that audit logs be operational whenever EHR technology is available for updates or viewing. We also recommend that ONC and CMS strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs. Finally, we recommend that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC concurred with all of our recommendations.