Skip to main content

Don't Overlook Fraud in EHRs, OIG Cautions CMS

 |  By jfellows@healthleadersmedia.com  
   January 09, 2014

The Centers for Medicare & Medicaid Services has eagerly pushed EHRs onto healthcare providers without adequately addressing the risk of fraud, suggests a report from the Office of Inspector General.

Despite the increased focus on fraud and abuse of Medicare and Medicaid, the Office of Inspector General issued a report this month that found contractors for the Centers for Medicare & Medicaid Services need to do more to protect the integrity of electronic health records [PDF].

Among its findings and recommendations, the report notes that health officials have eagerly pushed EHRs without addressing the risk of fraud.

"The Department of Health and Human Services has spent considerable resources to promote widespread adoption of EHRs... It has directed less attention to addressing potential fraud and abuse vulnerabilities in EHRs despite the challenges they pose to the integrity of medical records."

CMS, OIG, the Department of Justice, and other government agencies have invested money and manpower to reduce Medicare and Medicaid fraud and abuse in recent years. In 2010, the Center for Public Integrity was created to align fraud and abuse prevention resources for both the Medicare and Medicaid programs.

Two years later, CMS unveiled a $3.6 million Program Integrity Command Center where investigators, analysts, and policy makers could work together physically in one space. And last year, CMS gave state-run Medicaid Fraud Control Units the power to data mine for fraudulent activity.

Their efforts seem to have paid off with multi-million dollar settlements and near-daily headlines touting the takedown of a fraudulent healthcare provider. According to CMS spokesperson, Rachel Maisler, the most recent figures available show year over year increases in penalties.

"Healthcare fraud prevention and enforcement efforts recovered a record $4.2 billion in taxpayer dollars in Fiscal Year (FY) 2012, up from nearly $4.1 billion in FY 2011, from individuals and companies who attempted to defraud federal health programs serving seniors and taxpayers or who sought payments to which they were not entitled," says Maisler.

But the OIG's new report exposes weaknesses of contractors who either do not understand or realize the risk of fraud that emerging technology carries when not protected properly. According to the OIG's findings, some contractors couldn't tell if a medical record contained too much information, which could lead to overbilling, or if a provider copied and pasted information, which could lead to improper billing.

In addition, OIG said in the report that "…CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities."

CMS primarily uses three types of contractors to help prevent fraudulent claims:

  1. Zone Program Integrity Contractors (ZPICs)
  2. Medicare Administrative Contractors (MACs)
  3. Recovery Audit Contractors (RACs)

Using online questionnaires, OIG officials asked all three types of CMS contractors' questions aimed at determining how each one had modified its anti-fraud efforts for EHRs. A total of 18 CMS contractors participated, and the OIG report notes it had a 100% response rate from all 18.

According the report's findings, ZPICs were able to more often identify when a provider used the copy and paste function, as well as overdocumenting in an EHR. ZPICs are more focused on investigating Medicare fraud than MACs, which are claims processors and payers, and RACs, which identify improper payments; however, all three contractors play an important role in fighting fraud and abuse.

At issue is whether these CMS contractors are able to apply the same type of scrutiny to EHRs as paper claims. With EHR adoption increasing, it's important that these contractors be able find flaws easily, says Riza Dagli, a partner at New Jersey law firm, Brach Eichler. Dagli also previously held positions in New Jersey as the Director of the Medicaid Fraud Control Unit and Acting Insurance Fraud Prosecutor.

"In 2014, there will be more instances where insurers and the government are getting more sophisticated in trying to detect fraud by using electronic means," says Dagli.

The contractors, according the OIG report, want more guidance from CMS on how to identify fraud in an EHR. Specifically, all six ZPICs responded that CMS did not provide help on looking for instances of overdocumentation, electronic signatures, or copied language. The other two types of CMS contractors —MACs and RACs—indicated limited guidance on those three issues from the agency.

The OIG's recommendations were twofold:

  1. Give guidance to contractors on detecting EHR fraud.
  2. Use providers' audit logs to authenticate the medical record.

Audit logs capture time, date, and user information when an EHR is updated; using it to track the changes in the record was one of the recommendations suggested by RTI International, the nonprofit researcher based in North Carolina. The Office of the National Coordinator for Health Information Technology used RTI's expertise to help develop recommendation for EHR data safeguards. Audit logs were high on the list of anti-fraud tools within the EHR, but as the OIG report notes, that ability, as well as others can be bypassed by the user.

In a letter dated November 22, 2013, CMS Administrator Marilyn Tavenner, said that it would "develop appropriate guidelines to ensure the appropriate use of the copy paste feature in EHRs," but she stopped short of agreeing to use audit logs consistently because it would require that contractors receive special training in order to interpret the information.

Dagli believes that when it comes to physicians or hospitals developing their protocols in order to protect against fraud, technology works best when paired with consistent policies.

"When I was in government and private practice, I noted the detection and use and review of data to find red flags does not have to be sophisticated," says Dagli. "With hospital practices, a lot of it is a common sense—periodic review of billing procedures, review of office protocols, a system in place to review patient files. It doesn't require a lot of technology, but it does require management principle."

Pages

Jacqueline Fellows is a contributing writer at HealthLeaders Media.

Tagged Under:


Get the latest on healthcare leadership in your inbox.