Report: HHS Needs Bolder Steps to Prevent EHR-Related FraudWatchdog Agency Offers Wide-Ranging Assessment of HHS Security Efforts
The Department of Health and Human Services still needs to take bolder steps to make sure electronic health records are not used to facilitate payment fraud, according to a new watchdog agency report.
This is an area of concern because EHRs have been widely adopted nationally thanks in large part to the HITECH Act of 2009, which has paid out more than $30 billion in financial incentives for the "meaningful use" of the technology by eligible hospitals and clinicians.
The recently released Semiannual Report to Congress, which summarizes activities of the HHS Office of Inspector General for the six-month period that ended March 31, acknowledges HHS' fraud-fighting achievements. For example, it notes that HHS fraud strike force efforts during the period resulted in the filing of charges against 49 individuals or entities, 152 criminal actions and more than $266.8 million in investigative receivables.
But in a supplemental report, Compendium of Unimplemented Recommendations, OIG says the Centers for Medicare and Medicaid Services and Office of the National Coordinator for Health IT have not yet put into place a plan to fight fraud related to electronic health records.
"Experts in health IT caution that EHR technology can make it easier to commit fraud," the compendium notes. For example, OIG "found that nearly all hospitals with EHR technology had audit functions recommended ... but these hospitals may not be using them to their full extent. HHS needs to address the risks that EHRs pose to the integrity of federal health programs."
Among the potential ways EHRs can be used to commit fraud is by upcoding, or exaggerating, the kind of care providers give patients, as well as cloning or "copy-pasting" digital records to submit falsely documented bills.
"HHS needs to address the risks that EHRs pose to the integrity of federal health programs," OIG writes. OIG found that hospitals were individually employing their own EHR fraud and abuse safeguards to varying degrees.
OIG notes that it recommended in 2013 that CMS develop guidance for healthcare providers on the appropriate use of the copy-paste feature in EHR technology in an effort to reduce fraud. While OIG points out that CMS in December 2015 published guidance that offers providers information "to recognize, report, and prevent fraud, waste and abuse associated with EHRs," it says that HHS still needs to develop "a more comprehensive plan to address fraud vulnerabilities in EHRs."
HHS did not immediately respond to an Information Security Media Group request for comment on whether it's addressing OIG's recommendation.
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that EHRs, indeed, are potential instruments of fraud.
"Because of automation, there is the possibility that certain entities [with access to] EHR systems could manipulate the records to their advantage in connection with fraudulent activities," he says. "It is like any new development in the healthcare arena - payers, providers and enforcement officials need to think about any change and develop appropriate options."
When it comes to information security, OIG notes that HHS agencies and federal health programs are making progress in efforts to improve data security and integrity. "With the sheer amount of data and its complexity ... HHS also faces challenges to protect the privacy and security of the data it collects and maintains," it states.
During the reporting period for its semi-annual review for Congress, OIG notes, it continued to work on monitoring the privacy and security of HHS data, focusing on network and web application penetration testing.
"The objective of the testing is to determine whether security controls are effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise systems or data, and the agencies' ability to detect attacks and respond appropriately," OIG notes.
OIG determined in its review, for example, that security controls need to be bolstered at various state health insurance exchanges under the Affordable Care Act. It cited in particular vulnerabilities at the website of the exchange in New York, which, if exploited, "could have resulted in the disclosure of participant PII."
Nahra, the attorney, says OIG's attention to assessing how well HHS agencies protect data is a long-term project.
"Cybersecurity is its own set of issues. It is a constantly moving target," he says. "The government is putting a lot of attention into this. Many providers are also. I do sense that there is a bit of a morale issue because there's simply too much to do."
The ever-increasing and evolving cybersecurity challenges in healthcare were also spotlighted in the recent HHS cybersecurity task force report, which made over 100 recommendations for how the industry can bolster security.
"That's a problem with the recent government report - there are so many recommendations that it is hard to know where to start or how to do it all," Nahra says.