OIG Issues EHR Fraud Survey

Attention, hospitals that have attained meaningful use status: The U.S. government may be asking you some tough questions as part of its oversight mandate, and you will have to answer quickly.

Providers have until Friday, October 26, to respond to an 18-page, 54-question survey probing their electronic health record system data entry habits, security practices, and more.

The letter originated in the Office of Inspector General (OIG) of the Department of Health and Human Services, whose work plan published earlier this year includes "identifying fraud and abuse vulnerabilities in electronic health record (EHR) systems."

Recent reports in the New York Times concluded that some providers have used EHRs to inflate Medicare charges. Those reports prompted letters calling for investigation of the Meaningful Use program by Republicans in both the House and the Senate.

A growing criticism of EHRs is the ability for providers to cut and paste notes from one patient's records to the next in an effort to save time. One question in the OIG survey asks is "Does the hospital have a policy regarding the use of the copy/paste feature in EHR technology?"

Although the OIG work plan has been posted on its Web site for some time, providers noted the "interesting" timing of the survey letters, coming less than a month before the presidential election.

"I'm a little riled up right now," says Pamela McNutt, vice chair of the policy steering committee of the College of Healthcare Information Executives (CHIME), who shared her concerns in a session on Meaningful Use at CHIME's Fall CIO Forum last week in Palm Springs, Calif.

The survey is "all over the place, from HIPAA privacy and security questions to coding practices, copy and paste functions and detailed questions on audit log functionality," McNutt says. 

Asked about the timing of the survey, an OIG spokesman referred to the agency's work plan.

CEOs of at least ten hospitals received the survey last week, says McNutt, CIO at Methodist Health System in Dallas.

Among the other specific questions asked in the survey:

• How diagnoses and procedures are coded (manually, automatically with coding software, or other)
• Whether the hospital has plans to adopt computer-assisted coding
• User authorization methods (unique user ID, password, tokens, biometrics, public key)
• Access management (session time-out, minimum password configuration rules, regular changing of passwords, user agreements or contracts to prevent sharing of passwords, or other)
• Whether outside entities such as payers can access the EHR, and if so, how such access is tracked
• Barriers to allowing outside entities access (lack of software or hardware support, insufficient staffing, funding restrictions, performance concerns, privacy concerns, etc.)
• Numerous questions about audit log practices and availability
• How physician progress notes are entered into the EHR (free text, via structured templates)
• Whether narrative nursing notes are directly entered into the EHR or handwritten and scanned into the EHR, and if so, why
• Whether the Print-Screen function is disabled for the HER
• Whether patients have access to the EHR, and if so, how
• Procedures for identifying patients upon hospital check-in
• EHR copy and paste policies at the hospital