OIG Report finds CMS and its contractors failed to address fraud vulnerabilities in electronic health records

A recent report by the Office of Inspector General (OIG) concluded that CMS and its contractors have failed to adopt program integrity measures focused on fraud vulnerabilities with the use of electronic health records (EHR).  Recognizing that EHR technology may make it easier for individuals to perpetrate fraud, the OIG found that CMS and its contractors had not adequately adjusted their review practices.

The report addressed several specific ways in which EHR documentation practices can make it easier for individuals to commit fraud.  The “copy-pasting” function in an EHR system can allow a user to select information from one location and replicate it in another location.  If this information is replicated but not updated or reviewed to ensure its accuracy, it may result in inaccurate information in the patient’s chart as well as inappropriate or inflated charges billed to patients or payers.  Similarly, the OIG detailed the practice of“overdocumentation,” which involves inserting false or irrelevant documentation in an effort to support billing for a higher level of service.  Some EHR systems aid in overdocumentation by auto-populating fields in EHR templates, making it appear that more comprehensive services were performed.

Despite the ways in which EHR technology may make it easier to perpetrate fraud, the OIG found that the Medicare contractors have not adjusted their review practices in order to identify and investigate fraud.  Specifically, only a few contractors were found to be reviewing electronic records differently than paper records, including practices such as confirming electronic signatures or requesting the provider’s EHR protocols.  Likewise only 3 of the 18 contractors surveyed reported using audit log data, which tracks any changes made to a record chronologically by capturing data elements for each change. The contractors also reported issues related to identifying instances of “copy-pasting” and “overdocumentation”.  Since MACs and RACs typically examine single claims rather than multiple claims from a single patient, it is more difficult to identify copied language. ZPICs were found to be more likely to identify these inappropriate practices given that they often review multiple claims for an individual patient.  The contractors also reported receiving limited guidancefrom CMS on EHR fraud vulnerabilities.

In light of its findings, the OIG recommended that CMS work with its contractors to develop guidance and tools to help detect fraud in EHRs, noting that specific guidance is needed related to EHR documentation and electronic signatures.  The OIG also recommended that CMS direct its contractors to use provider audit logs in connection with their reviews of electronic medical records.   CMS acknowledgedthat audit logs are one tool to ensure the accuracy and validity of the information contained in EHRs but noted that the use of audit logs may not be appropriate in every situation and required special training.

In recognition of this increased scrutiny on EHR documentation, we recommend that providers review their compliance program to ensure that EHR issues are adequately addressed in compliance policies and employees receive appropriate training.

Speak Your Mind