Healthcare fraud can be as easy as hitting Control-C, Control-V.
Federal officials say the cut-and-paste features common to electronic health records
invite fraudulent use of duplicated clinical notes and that there is a need to clamp down on the emerging threat. That concern is enhanced by the fact that it's too easy to turn off features of EHR systems that allow tracking of sloppy or fraudulent records.
In an audit report released Tuesday morning (PDF)
, HHS agencies confirmed that they are developing comprehensive plans to deter fraud
and abuse involving EHRs, including guidelines for cut-and-paste features. The issue arises at a time when critics say federally subsidized digital patient record systems are sometimes being used inappropriately by providers to drive up reimbursement.
“Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud,” according a report from HHS' Office of the Inspector General.
Since 2011, hospitals, doctors' offices and other providers have received federal subsidies totaling more than $17 billion to underwrite the high expense from ditching their familiar color-coded manila folder systems in favor of new computerized patient-record systems. Hospitals and doctors say EHRs allow them to better document the work they have always done, generating more accurate claims than before while meeting growing demands for efficiency.
But adoption of the new systems has coincided with a rapid rise in higher-cost Medicare claims
. That has led to studies to see whether EHRs are enabling illegal upcoding. Officials at the Justice Department and HHS jointly published an open letter to healthcare providers in September 2012 warning that there are indications some companies were using the technology to game Medicare.
Critics say functions such as cut-and-paste make it too easy to bill for work that wasn't actually performed, especially when the borrowed material comes from a different patient's record.
Cut-and-paste is also implicated sometimes in problems with the quality of care, such as when incorrect information gets entered into a patient record by mistake. “Every once in a while, a 75-year-old gentleman will turn into a 30-year-old woman, on the basis of cutting and pasting the wrong information into the chart,” said Dr. William Bria II, chairman of American Medical Directors of Information Systems. “I've seen this personally.”
On Tuesday, HHS' inspector general released the first of two new reports on fraud vulnerabilities in EHR systems, concluding that too few hospitals have policies defining the proper use of cut-and-paste. A voluntary survey of all 864 hospitals that had received subsidies for the EHR systems as of March 2012 found that only 24% of hospitals had any policy regarding improper use of cut-and-paste.
“Even the hospitals that had policies seemed to have limited control over the use of the copy-paste feature,” the OIG report said. “Most of these policies (61%) shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate.”
In addition, only 44% of hospitals' “audit log” systems could record whether cut-and-paste was used to enter data, and an identical percentage of hospitals reported that they can delete the contents of their internal audit logs whenever they'd like. A 2007 report (PDF)
from a government contractor, RTI International, recommended that users on the EHR systems should not be able to delete audit logs so that the information is always available for fraud detection.
“Audit logs being wiped away, from my standpoint, is tantamount to saying, 'Don't look here,'” Bria said.
CMS Administrator Marilyn Tavenner and Jacob Reider, acting national coordinator of HHS' health information technology office, said in responses to the OIG report that they are already developing a “comprehensive plan to detect and reduce fraud in EHRs,” as well as national policies on audit log functionality and copy-paste features.
A second report from the OIG on weaknesses in how CMS' payment contractors monitor for fraud in electronic health records is slated to be published soon.Follow Joe Carlson on Twitter: @MHJCarlson