OIG Report: Most Electronic Health Records Lack Adequate Program Integrity Practices

by Leonardo M. Tamburello

One of the Affordable Care Act’s signature objectives is the widespread implementation and adoption of Electronic Health Records (EHRs) by providers of all sizes and types.  To encourage EHR adoption, CMS will pay over $22.5 billion in incentive payments to eligible professionals and hospitals that demonstrate meaningful use of certified EHR technology.   Beginning in 2015, providers who fail to demonstrate such meaningful use will face Medicare payment reductions as a result.  In a January 2014 report, the Office of Inspector General (OIG) has determined CMS and most CMS contractors have yet to adopt program integrity practice specific to EHRs.   This is a glaring vulnerability for fraud and abuse to permeate and undermine one of the ACA’s flagship goals.

The most common vulnerabilities endemic to EHRs are “copy-pasting” and “overdocumentation.”  While opportunities for a provider to inappropriately copy and paste language or overdocument the medical record for higher payment exists in paper medical records as well as EHRs, the technology makes it easier for providers to utilize these practices in EHRs.   Without question, EHRs make it easier for providers to commit certain types of fraud.

Copy-pasting (sometimes called “cloning”) permits users to select information from one source and duplicate it in another location.   Copy-paste functionality is a familiar word-processing tool that has many legitimate uses in an EHR.  However, its unrestricted use in the EHR context has led to inaccurate medical records which could potentially lead to inappropriate charges being billed to patients and third-party health payers.   More troubling is that such functionality, if used in an intentionally deceptive manner, could facilitate inflation, duplication or submission of fraudulent claims.

Overdocumentation refers to the practice of inserting false or irrelevant documentation to create the impression of support for billing of higher level services.  Some EHR systems auto-populate fields or generate verbose text with single click.  These documentation aids, which were originally created to ease the learning curve for new users, can lead to significant inaccuracies if they are not appropriately edited by the provider by creating the suggestion that the provider performed more comprehensive services than were actually rendered.

Despite the incentive programs encouraging the use of EHR technology and its inherent fraud and abuse potential,  CMS and most of its contractors have yet to adjust their practices for identifying and investigating EHR fraud. Few contractors review EHRs differently from paper records, and additional scrutiny is not (yet) required by CMS.  Additionally, less than 20% of Medicare contractors reported using EHR audit log data as part of the reviews or investigative processes.    Medicare contractors reported varying ability to identify copied language and overdocumentation in both EHRs and paper medical records.  Overdocumentation appears to be easier to identify because it is evident within the supporting medical record for a single claim, while copied language in a single claim may not be detectable unless multiple claims from a single patient or provider are examined for such occurrences.

Although CMS has issued guidance to its contractors that “medical recordkeeping within an EHR deserves special considerations” and that “the original content, the modified content, and the dates and authorship” must be identifiable, these instructions have proven inadequate in light of the OIG’s findings, and require additional detail which takes into account the unique nature of the technology.

In response to the OIG report, CMS intends to develop guidance on the appropriate use of the copy-paste feature in EHRs.  It also plans to work with contractors to identify best practices for detecting fraud and abuse within EHRs.  Presumably, this will include addressing the automatic population of fields and generation of text instigated by a single keystroke or click.  In addition, CMS  will work with its contractors and other stakeholders to consider issues presented by digital clinical data including determining the authenticity of information in EHRs, but the exact manner in which this will occur remains uncertain.

The OIG’s full report is available from its website:  http://oig.hhs.gov/oei/reports/oei-01-11-00571.pdf

We have previously written about fraud and other vulnerabilities related to the use of EHRs:  http://www.mdmc-law.com/tasks/sites/mdmc/assets/Image/EMR%20Noncompliance%20Issues.pdf