Federal audit reveals EHR ‘cut-and-paste’ fraud vulnerabilities

A federal audit released today concluded that a lack of tight controls over electronic health records makes it easier to commit fraud.

The Department of Health and Human Services’ Office of Inspector General (OIG) said some EHR documentation features can result in “poor data quality or fraud.”

Auditors administered an online questionnaire to 864 hospitals and conducted onsite structured interviews with hospital staff, including a demonstration of EHR technology at eight hospitals. Their goal was to determine how hospitals that received EHR Medicare incentive payments had implemented fraud safeguards recommended by RTI International (RTI). The Office of the National Coordinator for Health Information Technology (ONC) contracted with RTI to develop data protection guidelines. Auditors also surveyed four EHR vendors about recommended fraud safeguards incorporated in their products.

The audit cited two EHR practices — copy-pasting and overdocumentation — as primary areas for concern.

“Only about one-quarter of [audited] hospitals had policies regarding the use of the copy-paste feature,” the auditors wrote in the report, and 61% of surveyed hospitals “shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate.”

The audit also found that 51% of surveyed hospitals reported that they are “unable to customize the copy-paste feature in their EHR technology by restricting its use or disabling it.”

Among the audit’s other findings:

Nearly all hospitals had RTI-recommended audit functions in place, but “may not be using them to their full extent.”
All hospitals used a variety of RTI-recommended user authorization and access controls.
Nearly all hospitals used recommended data transfer safeguards.
Nearly half of the hospitals had started to implement recommended tools to involve patients in anti-fraud efforts.
Only about one-quarter of hospitals had policies on the use of the copy-paste feature.

The OIG report raised several warning flags about overdocumentation or the practice of “inserting false or irrelevant documentation to create the appearance of support for billing higher level services.”

Some EHR platforms automatically fill in fields when using built-in templates while other systems “generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate,” wrote the auditors.

The OIG report urges that audit logs always be kept and stored to better track EHR access and changes. It also recommends that ONC and CMS “strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs … and develop guidance on the use of the copy-paste feature in EHR technology.”

Marilyn Tavenner, CMS administrator, said in response to the audit that “CMS is planning to work with ONC to develop a comprehensive plan to detect and reduce fraud in EHRs.”