CMS and Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities in EHRs

Related Podcast

Fraud Safeguards in Electronic Health Records

Danielle Fletcher, a program analyst for the Office of Evaluation and Inspections, is interviewed by Joyce Greenleaf, Regional Inspector General in Boston.


Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. For example, certain EHR technology features may be used to mask true authorship of the medical record and distort information to inflate health care claims. The transition from paper records to EHRs may present new vulnerabilities and require CMS and its contractors to adjust their techniques for identifying improper payments and investigating fraud.


We sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. We also reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers. Lastly, we reviewed documents on EHRs and Medicare claims that CMS provided to its contractors.


CMS and its contractors had not changed their program integrity strategies in light of EHR adoption. CMS contractors had adopted few program integrity practices specific to EHRs. Specifically, few contractors were reviewing EHRs differently from paper medical records. In addition, not all contractors reported being able to determine whether a provider had copied language or overdocumented in a medical record. Finally, CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.


Our report made two recommendations. First, CMS should provide guidance to its contractors on detecting fraud associated with EHRs. CMS could work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs. Specific guidance should address EHR documentation and electronic signatures in EHRs. Second, CMS should direct its contractors to use providers' audit logs. Audit log data distinguish EHRs from paper medical records and could be valuable to CMS's contractors when reviewing medical records. CMS concurred with our first recommendation and partially concurred with the second recommendation.