OIG: CMS Should Improve Efforts To Detect, Prevent Fraud in EHRs
May 29, 2014 in News
The Office of the National Coordinator for Health IT and CMS should develop a comprehensive plan to better address fraud vulnerabilities in electronic health records, according to a report released Tuesday by the HHS Office of the Inspector General, EHR Intelligence reports.
OIG’s semi-annual report to Congress summarizes the departments’ health care fraud prevention activities from October 2013 through March 2014, including previously cited concerns about vulnerabilities in EHR systems (Bresnick, EHR Intelligence, 5/29).
In December 2013, OIG released an audit that found most hospitals lack policies governing the use of copying and pasting health information into EHRs, which could lead to fraud and abuse.
The report was based on a voluntary survey of all 864 hospitals that had received EHR subsidy payments as of March 2012.
According to the audit, 24% of hospitals reported having a policy regarding the improper use of copy-and-paste functions within EHR systems (iHealthBeat, 12/10/13).
OIG’s latest report stated, “Although EHR technology may make it easier to commit fraud, CMS and its contractors have not adjusted their practices for identifying and investigating fraud in EHRs.” It added, “CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities” (EHR Intelligence, 5/29).
The report also found that:
- Few Medicare contractors had different practices for reviewing EHRs and paper records (HHS report, 5/27); and
- Medicare contractors were unable to detect copied and over-documented EHR data (Durben Hirsch, FierceEMR, 5/28).
OIG recommended that CMS:
- Develop guidance on the use of copy-and-paste functions in EHRs;
- Work with ONC to develop a comprehensive plan to detect fraud associated with EHRs (FierceEMR, 5/28); and
- Ensure that Medicare contractors use provider audit logs, which could distinguish paper records from EHRs (HHS report, 5/27).
In addition, OIG recommended that Medicare contractors undergo an annual evaluation for their information security program by an independent entity (Ouellette, Health IT Security, 5/27).