Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

A New Look for HHS-OIG. Learn More >>

U.S. Flag An official website of the United States government.
Change Font Size

Report (OEI-01-11-00571)

CMS and Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities in EHRs

Complete Report

Download the complete report

Adobe® Acrobat® is required to read PDF files.



Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. For example, certain EHR technology features may be used to mask true authorship of the medical record and distort information to inflate health care claims. The transition from paper records to EHRs may present new vulnerabilities and require CMS and its contractors to adjust their techniques for identifying improper payments and investigating fraud.


We sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. We also reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers. Lastly, we reviewed documents on EHRs and Medicare claims that CMS provided to its contractors.


CMS and its contractors had not changed their program integrity strategies in light of EHR adoption. Few CMS contractors had adopted few program integrity practices specific to EHRs. Specifically, few contractors were reviewing EHRs differently from paper medical records. In addition, not all contractors reported being able to determine whether a provider had copied language or overdocumented in a medical record. Finally, CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.


Our report made two recommendations. First, CMS should provide guidance to its contractors on detecting fraud associated with EHRs. CMS could work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs. Specific guidance should address EHR documentation and electronic signatures in EHRs. Second, CMS should direct its contractors to use providers' audit logs. Audit log data distinguish EHRs from paper medical records and could be valuable to CMS's contractors when reviewing medical records. CMS concurred with our first recommendation and partially concurred with the second recommendation.

Copies can also be obtained by contacting the Office of Public Affairs at

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201