OIG: EHR Fraud Detection Inadequate

Report Says CMS, Contractors Need to Adopt Best Practices
OIG: EHR Fraud Detection Inadequate

The Centers for Medicare and Medicaid Services and many of its contractors need to adopt better practices to detect fraud committed using electronic health records, according to a new government watchdog report.

See Also: Recovering From a Cyberattack, Responding to the OCR, and Building a Cyber Resilient Posture for the Future: A Conversation with OrthoVirginia CIO, Terri Ripley

Although EHR technology may make it easier to perpetrate fraud, CMS and its contractors have not adjusted their practices for identifying and investigating fraud committed using EHRs, says the new report from the Department of Health and Human Services' Office of Inspector General.

Another OIG report released in December found that EHRs make it easier for healthcare providers to commit fraud. That report noted that healthcare fraud of all kinds totals $75 billion to $250 billion a year (see Insights on Detecting Healthcare Fraud).

Last month's report also highlighted the need for hospitals to make broader use of the audit log function within EHRs to help detect fraud.

New Report's Findings

The OIG report released this week was based on an online survey conducted in January 2013 of nearly 20 CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments and investigate fraud.

For its report, OIG also reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for healthcare providers. Additionally, the watchdog agency reviewed CMS transmittals of new or changed policies and procedures relating to EHRs.

Overall, OIG found that CMS and its contractors had adopted few program integrity practices specific to EHRs.

More specifically, few contractors were reviewing EHRs differently from paper medical records, the OIG found. In addition, not all contractors reported being able to determine whether a healthcare provider had used the EHR cut-and-paste feature to falsify records or had over-documented a medical record by inserting false or irrelevant digitized documentation to create the appearance of support for billing higher level services.

Finally, OIG found that CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.

Two Recommendations

OIG recommends that CMS provide guidance to its contractors on detecting fraud associated with EHRs. It suggests CMS work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs.

OIG also recommends that CMS direct its contractors to use providers' audit log data to distinguish EHRs from paper medical records, providing a "valuable" tool to CMS's contractors when reviewing medical records.

In a letter included in the report, CMS' administrator, Marilyn Tavenner, notes that the agency has been discussing the issue of EHR fraud with HHS' Office of the National Coordinator for Health IT, which sets policies and standards for the HITECH Act incentive programs for electronic health records.

"CMS intends to develop appropriate guidelines to ensure the proper use of the cut-and-paste feature in EHRs," Tavenner says. "CMS will also consider if additional guidance and tools are needed to help detect fraud associated with EHRs."

As for the OIG recommendation that CMS direct its contractors to use providers' audit logs to help detect possible fraud, Tavenner notes that "the use of audit logs may not be appropriate in every circumstance and should be part of a comprehensive approach to reviewing the authenticity of EHRs."

The letter also notes audit log reviewers need to obtain training to interpret and reconstruct the history of each medical record supplied in an electronic format and support in a log.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.