Regulators are taking a closer look at deleting audit logs and using cut-and-paste in EHRs.
Healthcare providers are using electronic health records
in ways that could foster fraud
and cover up medical malpractice
, a federal watchdog agency reported last week.
EHRs hold great promise in the struggle to tamp down healthcare fraud, but that potential is largely unrealized today, according to the report from HHS' Office of the Inspector General
. It found that most providers use the electronic systems to look for violations of patients' protected health information, but not for fraud.
The report documented several trends that allow hospitals and physicians to cover up fraud or negligence. The main concern involves the EHR audit log, which can record who enters data into a patient's file, whether the information was typed or cut-and-pasted from templates, and who accessed the file after it was created. Audit logs may show whether any part of the patient record was changed retroactively, which could be key evidence in fraud investigations and malpractice cases.
Surveying nearly 900 hospitals, the OIG found that 44% said their EHR systems allowed users to delete the audit log. Another 33% said their EHRs allowed disabling the log, while 11% said users could edit records at will.
“Considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to 'delete the contents of their internal audit logs whenever they'd like' and to edit audit trails … is simply alarming,” Dr. Scot Silverstein, adjunct faculty member in health informatics and information technology at Drexel University in Philadelphia, wrote on the Health Care Renewal blog.
Indeed, several experts said that if anything, the OIG's percentages were probably too low since they came from self-reported survey results instead of an investigation.
The issue is unfolding in the context of rising concern about the role of EHR systems in the growing use of higher-cost Medicare claims for services like outpatient evaluation and management, where more-intensive services are supposed to have larger reimbursements.
In response to the OIG report, the administrators for the two agencies that regulate EHRs—the CMS and HHS' Office of the National Coordinator for Health Information Technology—promised to step up efforts to set clear standards on audit logs and the controversial practice of doctors cutting-and-pasting clinical information from templates and past records.
“CMS is planning to work with ONC to develop a comprehensive plan to detect and reduce fraud in EHRs,” CMS Administrator Marilyn Tavenner wrote. She promised to release guidelines on appropriate use of cut-and-paste and use of audit logs. Hospitals, doctors' offices and other providers have received federal subsidies totaling more than $17 billion to underwrite EHR installation.
RECOMMENDATIONS ON PREVENTING FRAUD IN EHR SYSTEMSUse audit logs
to record who creates and views patient health data, and what changes occur Show whether information was cut-and-pasted
into the file or typed manuallyEmploy user IDs and national provider numbers
to restrict who can change patient recordsAuthenticate patient data
through document tracking numbers and encryption standards Enable patients
to access and add comments to their recordsSource: HHS' Office of the Inspector General analysis of RTI report from 2007
Hospitals and doctors say EHRs allow them to better document the work they have always done, generating more accurate claims than before while meeting growing demands for efficiency. Critics say functions such as cut-and-paste make it too easy to bill for work that wasn't actually performed, especially when the copied material comes from a different patient's record.
That has led to studies to see whether EHRs are enabling illegal upcoding. Officials at the U.S. Justice Department and HHS jointly published an open letter to healthcare providers in September 2012 warning that there are indications some companies were using the technology to game Medicare. “Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud,” according to the report from the OIG.
The cut-and-paste function sometimes is implicated in problems with the quality of care, such as when incorrect information gets entered into a patient record by mistake. “Every once in a while, a 75-year-old gentleman will turn into a 30-year-old woman, on the basis of cutting and pasting the wrong information into the chart,” said Dr. William Bria, chairman of the Association of Medical Directors of Information Systems. “I've seen this personally.”
But Bria said most providers who use cut-and-paste are simply trying to be more efficient. “Most people really do try to do the right thing, but it hasn't been easy,” he said. “Why would I type in my (patient's) history every single time? That's crazy.”
Not all of the potential solutions to these problems involve greater regulation. Dr. Adrian Gropper, chief technology officer of the not-for-profit Patient Privacy Rights, in Austin, Texas, said it would help if patients were allowed to view the audit logs on their own records.
“The logs exist,” he said. “And patient portals exist. And the software for doing the automated access to the portal already exists. If there was simply access to the logs in real time … it would make upcoding a lot more risky. This level of sunshine on the logs would directly address some of the concerns related to the inspector general's report.” Follow Joe Carlson on Twitter: @MHJCarlson