The U.S. Department of Health & Human Services Office of Inspector General (the “OIG”) recently released a report regarding how electronic health records (“EHRs”) may contribute to health care fraud, entitled “CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs” (the “Report”). The Report describes a study performed by the OIG, which explains how EHRs may be contributing to health care fraud and makes recommendations to mitigate this issue.
The Report describes two unique features of EHRs that may facilitate fraud. First, health care providers may utilize copying and pasting when entering information into patients’ EHRs. The ability to copy and paste, as opposed to having to write out information, increases the risk that inaccurate information will be entered into a record and corresponding inappropriate charges will be billed to payors. Second, EHRs enable overdocumentation – “the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services.” Certain EHR technologies auto-populate fields, and others generate documentation automatically upon the click of a single checkbox, both of which may lead to overbilling.
According to the Report, there are techniques that may be used to curtail improper billing that results from these features, such as the use of audit logs – EHR features that track changes to a record chronologically. Audit logs may be used “to analyze historical patterns that can identify data inconsistencies.” However, in its study, the OIG found that few CMS contractors review EHRs differently from paper medical records. For example, only 3 of the 18 Medicare contractors involved in the study reported utilizing audit log data in their reviews. Furthermore, the Report states that CMS has only issued general guidance to its contractors regarding EHRs, such as that “medical record keeping within an EHR deserves special considerations.” More specific instructions have not been disseminated.
The Report concludes by issuing two recommendations to CMS. First, the OIG urges CMS to “provide guidance to its contractors on detecting fraud associated with EHRs.” In its response to OIG, CMS concurs with this recommendation and states that it “intends to develop appropriate guidelines to ensure appropriate use of the copy paste feature in EHRs.” Second, the OIG asks CMS to “direct its contractors to use providers’ audit logs.” CMS stated that it “partially” concurs with this recommendation, because “audit logs can be one of several important tools in ensuring that information included in EHRs are valid and authentic…[that] may not be appropriate in every circumstance.”