OIG Criticizes CMS For Lack Of Adequate Fraud Detection Practices in Electronic Health Records

In early January, 2014, the Office of Inspector General (“OIG”) for the Department of Health and Human Services (“HHS”) issued a report criticizing HHS’s Centers for Medicare and Medicaid Services (“CMS”) for failing to adopt stronger integrity practices governing electronic health records (“EHRs”). “CMS And Its Contractors Have Adopted Few Program Integrity Practices To Address Vulnerabilities In EHRs,” oig.hhs.gov/oei/reports/oei-01-11-00571.pdf. Here are some of the OIG’s challenges and concerns: “…clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs. Further, tracing authorship and documentation in an EHR may not be as straightforward as tracing in a paper record. Health care providers can use EHR software features that may mask true authorship of the medical record and distort information in the record to inflate health care claims.” These are legitimate issues for EHR users. Government health care programs such as Medicare and Medicaid, many insurance laws, and private payer contracts require prior documentation for every encounter as a matter of patient safety and proper billing. Also, under recent federal law, providers are receiving $22.5 billion in incentive payments to adopt EHRs and must attest to their compliance with EHR standards. The OIG recommends that CMS, working with their fraud detection contractors, develop more sophisticated EHR integrity and fraud detection standards and tools, and issue best practices and guidance. The OIG specifically recommends that CMS and contractors look at providers’ EHR audit logs to help authenticate records, and develop approaches to detecting inappropriate cutting-and-pasting. In its response, CMS indicates that it is aware of these issues and is working diligently to address them. The agency has also initiated investigations of a number of providers on the grounds that the attestations they provided in order to obtain the EHR incentive monies were not sufficient, which could result in takebacks. Most hospitals, physicians and others have deployed EHR systems that have been designed and are maintained by third party vendors. Many providers may not have the sophistication to determine whether, for instance, an audit log system is adequate to detect abuse. Nevertheless, it is incumbent on all providers with EHRs to be aware of potentially unlawful uses; to work with EHR vendors that will represent that their products are fully compliant and that they have installed tools, such as audit logs, access controls and export controls and others as may be required by CMS; and to properly train all staff and clinicians that use EHRs.