Providers not required to keep EHR audit systems turned on

If healthcare providers are using their electronic health records to falsify medical billing or cover their tracks after mistakes, there's an easy way for investigators to find out: Check the audit trail.

Unfortunately, federal rules don't require healthcare providers to keep their automated audit systems turned on. A study out this week from HHS' watchdog office (PDF) finds that many healthcare providers can simply disable their logs or alter them after the fact—and experts say the problem may be far worse than what the study found.

HHS' inspector general's office this week reported the results of a voluntary survey of all 900 hospitals that had received federal subsidies to buy electronic health record systems as of March 2012. The survey, which had a 95% response rate, found that 44% of the hospitals reported having the ability to delete their EHR audit logs. Another 33% could disable the audit logs, while 11% could edit the records at will.

“Those numbers are likely low, perhaps very low considering this issue,” wrote Dr. Scot Silverstein, adjunct faculty member in health informatics and information technology at Drexel University in Philadelphia. Silverstein's post on the Health Care Renewal blog said the OIG's estimates likely low-balled the true figures because the survey results were self-reported instead of derived from a formal investigation.

“Considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to 'delete the contents of their internal audit logs whenever they'd like' and to edit audit trails … is simply alarming,” Silverstein wrote.

The OIG report raised questions about weaknesses in how logs could be used in the fight against fraud. It comes amid growing concern about a potential link between the rising use of electronic systems and larger proportions of Medicare bills at the most expensive tiers for services such as evaluation and management inside the hospital.

Audit logs are relevant in medical malpractice cases because they can document—or conceal—who entered patient data into a computer system and when, and who looked at the record and edited the files afterward.

Regulations from HHS' Office of the National Coordinator for Health Information Technology define what the makers of EHR systems must do in order for their customers to qualify for federal subsidies. A certified EHR system must have an audit log function that can be disabled only by authorized users, cannot be altered or deleted, and must be enabled by default. The rule stemmed from the recommendations in a 2007 report (PDF) from government contractor RTI International.

However, the federal rule does not require healthcare providers to keep the audit log turned on at all times—something HHS' inspector general urged the ONC and the CMS to change.

“CMS concurs with the finding that audit logs should be operational,” CMS Administrator Marilyn Tavenner wrote in a response to the findings. “CMS will support ONC in its development of certification criteria toward this goal.”

Follow Joe Carlson on Twitter: @MHJCarlson


