Report: EHR-Enabled Fraud Still a Concern
Watchdog Criticizes HHS for Failing to Create a Fraud-Fighting Plan
That's one of the findings in the Department of Health and Human Services' Office of Inspector General's 2016 Compendium of Unimplemented Recommendations. The report focuses on the agency's top 25 unimplemented recommendations that, "on the basis of OIG's professional opinion, would most positively impact HHS programs in terms of cost savings and/or quality improvements and should, therefore, be prioritized for implementation."
The recommendations are based on findings from a variety of OIG audits and evaluations. OIG notes, however, that its compendium does not include all unimplemented OIG recommendations, especially those pertaining to "sensitive security matters."
Cutting Fraud Costs
The vast majority of the 25 recommendations cited by OIG were directed at HHS' Centers for Medicare and Medicaid Services, with the underlying themes of improving quality and lowering costs associated with various aspects of the Medicare and Medicaid programs.
One of the recommendations called for taking action to prevent potential fraud related to EHR cut-and-paste functions, also known as copy-paste (see Insights on Detecting Healthcare Fraud).
In cut-and-paste fraud, a healthcare provider "cuts" or "copies" information from one patient's record and "pastes" it into another patient's electronic document to submit exaggerated or fraudulent claims to insurers.
OIG did not immediately respond to a request for comment on the size and scope of fraud stemming from the EHR cut-and-paste function. In 2014, however, OIG reported that healthcare fraud of all kinds costs $75 billion to $250 billion a year.
Comprehensive Plan Needed
A December 2013 report issued by OIG that was based on an online survey of 864 hospitals found that many were not using an audit log function available in most EHRs that can help detect cut-and-paste fraud.
To help address that problem, OIG recommended in 2013 that CMS and the Office of the National Coordinator for Health IT collaborate to develop a comprehensive plan to address fraud vulnerabilities in EHRs. This would also help improve program integrity and help protect Medicare beneficiary personal information, OIG writes in its new report.
"Our objective [in the survey] was to determine how hospitals that received EHR Medicare [HITECH Act] incentive payments, which are administered by CMS, had implemented recommended fraud safeguards for EHR technology," OIG writes.
"We found that nearly all hospitals with EHR technology had ... audit functions in place, but they may not be using them to their full extent. We also found that nearly all hospitals were using ... recommended data transfer safeguards, and all hospitals employed a variety of ... user authorization and access controls."
OIG says that at the time of its 2013 survey, it found that only about 25 percent of hospitals had policies regarding the use of the copy-paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability.
The new OIG report notes that CMS and ONC concurred with the OIG 2013 recommendation for the two HHS units to collaborate in developing a plan to address fraud vulnerabilities in EHRs. But the recommendation still has not been fully implemented.
"CMS stated that it continues to work with ONC to develop a comprehensive plan to detect and reduce fraud. CMS also stated that it is conducting prepayment audits as well as prepayment edit checks," OIG writes.
"Although we acknowledge the usefulness of conducting audits and prepayment checks as a strategy to detect fraud and abuse, these efforts do not address our recommendation to work with ONC on strengthening its collaborative efforts," OIG says. "ONC stated that it is committed to providing technical assistance to federal agencies that have health care fraud enforcement authority."
Reaction to Report
ONC says it remains concerned about abuse of EHR cut-and-paste functions primarily because of quality of care issues. "We are concerned that cut-and-paste could lead to quality problems. By submitting wrong information, patients could end up with inappropriate or even wrong treatments," a spokesman for ONC tells Information Security Media Group.
CMS declined to comment on the EHR-related fraud issues raised by OIG, saying that officials had not yet received the final report. "After we receive the 2016 Compendium, CMS will respond in a timely way to each of the applicable OIG top 25 unimplemented recommendations that apply to us," a CMS spokesman says.
OIG in the compendium report says it "believes that all divisions of [HHS] have a shared responsibility for the integrity of departmental programs, regardless of whether they have healthcare fraud enforcement authority."
EHRs and Fraud
Security expert Bob Chaput, CEO of the consulting firm Clearwater Compliance, says the risk of EHR-related fraud is a growing concern. "Using cut-and-paste functionality from a real patient record to create a false claim is faster and easier than creating one from scratch, and most likely more credible. As a result, fraud and abuse is on the increase, assisted by this EHR technology functionality."
But improper use of cut-and-paste can also result in other problems, he notes. "Documentation integrity involves the accuracy of the complete health record. Without safeguards in place, deliberate or unintended inaccuracies can be introduced, resulting in quality of care and patient safety issues, in addition to inaccurate billing."
In addition to making it difficult to detect cut-and-paste fraud, underutilization of EHR audit logging capabilities also makes it harder to monitor EHR corrections and additions, as well as monitor unintended or malicious unauthorized access to records, Chaput says.