MU Fraud On The Rise, OIG Warns

Vulnerabilities in electronic health records systems are creating opportunities for fraud among healthcare providers and contractors working to achieve Meaningful Use attestation, says the Office of Inspector General.

With CMS spending at least $18.8 billion through December on Meaningful Use electronic health record projects, a pair of recent critical inspector general reports and a federal fraud case filed last week in Texas are raising alarm about the healthcare IT reform effort.

In a US grand jury indictment filed Jan. 22, Joe White, former CFO of a now defunct rural hospital chain in Texas including Shelby Hospital, was charged with bilking nearly $800,000 from the EHR incentive program for Medicare. White is accused of falsely attesting to compliance with the first stage of Meaningful Use, which requires hospitals to meet 18 of a possible 23 EHR objectives, including 13 core objectives.

In addition to the false attestation charge, White is accused of aggravated identity theft for allegedly forging a colleague's identifying information on Meaningful Use attestation documents. The former financial officer faces as many as five years in prison on the attestation charge, two years in prison on the identity theft charge and fines totaling $500,000.

According to the grand jury indictment, EHR contractors and others were allegedly directed to enter information from paper records into Shelby Hospital's EHR to help satisfy the requirements for stage one of Meaningful Use.

''I'm aware of allegations of some providers attesting to Meaningful Use even though they have not satisfied the Meaningful Use objectives," said Rick Rifenbark, a Los Angeles-based partner in the law firm Foley & Lardner. "With respect to EHR systems more generally, there are also concerns of fraud committed through the use of cut and paste features, so called 'cloned documentation,' templates, and 'check the box' features. While these features may increase the efficiency of the EHR system, they can result in fraud to the extent that medical record entries are not tailored to specific medical visits."

In two reports released in December and January, the Office of Inspector General the US Department of Health and Human Services criticized CMS and healthcare providers over fraud safeguards. Both reports singled out the cut-and-paste feature of EHR systems as problematic.

In the IGO report released last month, titled "CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs," the IG states the "transition from paper records to EHRs may present new vulnerabilities."

The December IGO report found many hospitals unprepared to guard against abuse of the cut and paste feature. "Only about one quarter of hospitals had policies regarding the use of the copy paste feature in EHR technology, which, if used improperly, could pose a fraud vulnerability."

CMS officials offered written responses to both IGO reports.

"Given its potential for use in fraud, CMS intends to develop appropriate guidelines to ensure appropriate use of the copy paste feature in EHRs," CMS reported in a letter to the IOG dated Nov. 22, 2013. "The CMS has been engaged … to consider the unique issues presented by digital clinical data, including determining authenticity of information in EHRs."

In a response to the December IOG report dated Nov. 1, 2013, CMS officials wrote they were "conducting prepayment and postpayment audits to determine whether providers are properly receiving Meaningful Use incentive payments and complying with program rules."

Rifenbark said federal authorities are not the only officials trying to catch Meaningful Use fraud. "States will also conduct audits with respect to their Medicaid EHR incentive programs," the member of Foley & Lardner's healthcare industry team said. "All of these efforts are designed to detect and prevent Meaningful Use scams."

The California lawyer said maintaining proper documentation is crucial for healthcare providers to avoid Meaningful Use fraud liability at their facilities.

"Providers should be sure to carefully document their satisfaction of the meaningful use objectives and quality measures and retain such documentation in the event of audit," he said. "With respect to the Medicare EHR incentive program, such documentation should be retained for at least six years post attestation. State Medicaid EHR incentive programs may require a longer documentation retention period."