OIG: HHS Still Needs to Act on EHR Fraud
New Report Outlines 'Unimplemented Recommendations'
The new HHS Office of Inspector General report, Compendium of Unimplemented Recommendations, outlines the top 25 recommendations that OIG has made over the last several years to various HHS agencies in an effort to improve the agency's programs.
Among the recommendations not implemented are suggestions OIG made in December 2013 on how two HHS units - the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services - can reduce incidents of billing fraud involving EHRs, especially fraud stemming from the technology's copy-and-paste functionality.
The EHR copy-and-paste feature can be used to falsify records or over-document a medical record by inserting false or irrelevant digitized documentation to create the appearance of support for billing higher level services.
"Fraudulent altering of EHRs not only harms the defrauded programs, it also puts patients at risk," OIG writes.
Commenting on the OIG's findings, security expert Mac McMillan, CEO of the consulting firm CynergisTek, says: "What is utterly amazing about this is that fraud is a multi-billion dollar problem in healthcare. It robs legitimate dollars from other positive initiatives. It tarnishes reputations when discovered. Other than patient safety [issues], it probably does more damage than anything else to patient confidence. Yet the industry treats it as if it is someone else's problem."
OIG has said in previous reports that healthcare fraud of all kinds totals $75 billion to $250 billion a year (see Insights On Detecting Healthcare Fraud).
In the report, OIG says that ONC and CMS need to "strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in electronic health records." ONC oversees standards and policies of the HITECH Act EHR "meaningful use" program, under which CMS administers the financial incentives paid to eligible healthcare providers who participate.
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," the report says.
The watchdog agency says that CMS should develop guidance on the appropriate use of the copy-paste feature in EHR technology.
OIG also recommends that audit logs should be operational whenever EHR technology is available for updates or viewing so that changes to information are recorded.
Plus, OIG says that CMS should provide guidance to its contractors on detecting fraud associated with EHRs, and that CMS should direct its contractors to use providers' EHR audit logs to detect fraud.
"We found that nearly all hospitals with EHR technology had recommended audit functions in place, but they may not be using them to their full extent," OIG wrote, referring to its December 2013 report that cited statistics from an online survey of 864 hospitals between October 2012 and January 2013.
"In addition, all hospitals employed a variety of recommended user authorization and access controls. Nearly all hospitals were using recommended data transfer safeguards. Almost half of hospitals had begun implementing recommended tools to include patient involvement in anti-fraud efforts," OIG says. "Only about one quarter of hospitals had policies regarding the use of the copy-and-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability."
OIG notes that while CMS and ONC agreed with the recommendations made in December 2013, and have had various discussions about the issues, the activities so far are not "sufficient to address this recommendation."
ONC and CMS Respond
An ONC spokesman tells Information Security Media Group that the agency proposed incorporating OIG's suggestions as part of the HITECH Act's EHR standards, but they were not well received by industry stakeholders.
"We concurred with the OIG's recommendations and proposed language in the 2014 Edition certification criteria," he says. "But, based on comments received on the notice of proposed rulemaking, and feedback and input from the Health IT Standards Committee, the final rule didn't include the proposed provisions."
ONC's role in fighting healthcare fraud is limited at HHS, the ONC spokesman contends. "Fraud falls under CMS. We have offered to help CMS, OIG and any other agencies that have enforcement authorities, even though we don't have that type of authority," he says.
A CMS spokesman tells ISMG: "CMS believes that health information technology has the potential to improve quality of care, patient safety and reduce healthcare costs through the elimination of redundant tests and procedures. We take this issue seriously, and are working to ensure we are monitoring billing associated with EHR systems and will take appropriate action if we find improper billing."
OIG's recommendations will prove to be even more important as the healthcare industry transitions to the new ICD-10 codes for insurance claims, says McMillan, the consultant. "As we move toward ICD-10, where even greater numbers of codes will be used, this and other forms of fraud become bigger issues," he says. "Any change to a patient record, an order, prescription, etc. should be able to be audited.
"Fraud is happening everywhere, most just aren't aware of it yet," McMillan says. "If you are not looking - auditing - you don't know what you don't know."
McMillan says OIG has suggested "reasonable" fixes, so HHS needs to take prompt action to ensure that healthcare organizations take the right steps.
And the EHR anti-fraud efforts aren't the only HHS project that's been delayed, he notes. For example, a permanent HIPAA compliance audit program has been under development by HHS' Office for Civil Rights for more than four years (see HIPAA Audits Are Still On Hold).
Security and privacy expert Rebecca Herold, CEO of The Privacy Professor, says more needs to be done to reduce fraud involving EHRs.
"To do this you must a) log who/how/when access to EHRs occurred, b) establish automated tools to most efficiently analyze the logs to look for fraud, and c) ensure access is logged consistently throughout all the systems where the EHRs are collected/stored/processed/used/accessed," she contends. "With this in mind, the OIG's recommendations are sound."
In addition, Herold says she would recommend "establishing accountability for EHR use, and requiring those involved to receive training and ongoing awareness, as well."
Healthcare IT innovation is also driving fraud innovation, Herold contends. "We now have thousands of times more types of technologies, data and computing devices, all of which can be used to commit fraud," she notes. "And we know personal information fraud is now even more profitable than drug trafficking. The value of patient data is like the highest quality of cocaine to the data dealers."