CMS not addressing EHR vulnerabilities, says OIG


The Centers for Medicare and Medicaid Services and its contractors have paid little attention to addressing potential fraud and abuse vulnerabilities in electronic health records, according to a report from Health and Human Services Department's Office of Inspector General.

"Although EHR technology may make it easier to perpetrate fraud, CMS and its contractors have not adjusted their practices for identifying and investigating fraud in EHRs," found the report.

The HHS OIG reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for healthcare providers, as well as documents on EHRs and Medicare claims that CMS provided to its contractors. In addition, OIG provided online questionnaires to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. 

In response to the OIG questionnaires, contractors reported receiving limited guidance from CMS in the past two years about fraud vulnerabilities, such as copied language, over-documentation and electronic signatures. Auditors found that few contractors were reviewing EHRs differently from paper medical records, and that not all contractors reported being able to determine whether a provider had copied language or over-documented in a medical record.

"Our findings show that CMS and its contractors have not changed their program integrity strategies in light of EHR adoption," states the OIG. "Some CMS contractors reported that they were unable to identify copied language and over-documentation in a medical record. This is a particular concern with EHRs because such documentation practices are made easier in an electronic environment. In addition, few CMS contractors have adopted additional review procedures for EHRs."

To address these issues, OIG recommended that CMS provide guidance to its contractors on detecting fraud associated with EHRs, as well as direct its contractors to use providers' audit logs. CMS concurred with OIG's first recommendation and partially concurred with its second recommendation.

While CMS acknowledged that audit logs can be one of several tools to ensure the accuracy and validity of information in EHRs, it also stated that the use of audit logs may not be appropriate in every circumstance and that review of audit logs requires special training. 

"We agree that audit logs should be part of a comprehensive approach to reviewing authenticity of EHRs and understand the challenges that CMS and its contractors face to use audit logs," OIG stated in response. "We reiterate our recommendation that CMS make audit logs part of its contractors' reviews of EHRs."

For more:
download the report, OEI-01-11-00571 (.pdf)

Related Articles:
CMS looking to leverage data for health outcomes 
ONC: More than half of eligible recipients receiving incentives for Meaningful Use of EHRs 
Health data exchange needs new policy push, say ONC and CMS

Filed Under
, ,