The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite submitting recommendations back in 2013, a new OIG report underscored that the agency is still dragging its feet with implementing EHR fraud safeguards.  

 

Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on deficiencies or abuses identified. Turns out, a lot of these recommendations are ignored, disagreed upon or unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. And EHR fraud is on that list. 

 

[See also: CMS called out for EHR fraud failings.]

 

"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 

 

Specifically, audit logs should actually be operational when an EHR is available. And CMS should also develop concrete guidelines around the use of copy-and-paste functions in an electronic health record. According to OIG data, most hospitals using EHRs had RTI International audit functions in place, but they were significantly underutilized. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions. 

 

These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  

 

In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, the CMS neglected to provide adequate guidance to its contractors tasked with identifying said EHR fraud, citing the fact that the majority of these contractors reviewed paper records in the same manner they reviewed EHRs, disregarding the differences. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process. 

 

[See also: EHR copy and paste? Better think twice.]

 

When it came to identifying copy-and-paste usage or over documentation, many contractors reported they were unable to do so. Considering some 74 percent to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant. 

 

As Diana Warner, director of HIM practice excellence at AHIMA, recounted back at the October 2013 MGMA conference, that dueto copy-and-paste usage, they had a patient at her previous medical practice who went from having a family history of breast cancer to having a history of breast cancer. The error was caught by the insurance company, which thought the patient had lied, was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly and then track down the locations the data was sent to.