Health care fraud accounts for billions of the US health expenditure each year. This week HHS published a study addressing possible deficiencies in CMS’ capability to address fraud vulnerabilities and ensure the integrity of electronic health records (“EHR”) systems which CMS and its contractors use to pay Medicare claims. Concerns about whether CMS’ oversight and fraud detection practices have caught up with rapidly evolving medical records technology, from paper records to EHRs, prompted the Office of Inspector General (“OIG”) to conduct this study. Although the transition from paper to electronic records is projected to increase efficiency and benefit patients, experts have warned that EHRs can make the commission of fraud easier as key fraud identifiers, like the ability to trace authorship and documentation, may be lacking. The study results help exemplify that CMS has work to do if it is to thoroughly combat fraudulent EHR practices.

EHRs differ from paper medical records in many ways. Aspects of paper records that can be used to demonstrate authenticity, like handwriting styles, are not available when using electronic records. Additionally, features of EHR systems can be used to commit fraud. Documentation practices such as the copy-past function, which conveniently allows the user to “select information from one source and replicate it in another location,” can lead to medical inaccuracies that result in inappropriate charges billed to patients and third-party payors. It can also lead to inflated claims and the creation of fraudulent claims. Another feature called auto-population allows for easier “overdocumentation” where false information is inserted in the record to “create the appearance of support for billing higher level services.”

The study used surveys to question CMS administrative and program integrity contractors, who use medical records to pay Medicare claims, identify inappropriate payment and investigate fraud, about how they have adjusted their fraud identification practices when using EHRs instead of paper records. OIG also reviewed EHR guidance and policies released by CMS and its contractors regarding EHR fraud vulnerabilities.

The study found that very few contractors had altered the way they reviewed EHRs as compared to paper records, and CMS placed no requirement on them to do so. It also found that although such features like audit logs are unique to EHRs and can be used to track modifications and authenticate records, very few contractors utilized them for this purpose. Contractors also responded that they did not have the capability to determine if a provider had copy-pasted or overdocumented. Additionally, the guidance provided by CMS regarding EHR fraud vulnerabilities has been limited. CMS has indicted that record keeping “within an EHR deserves special consideration,” but has provided no additional guidance.

Based on these results, OIG made several fairly obvious recommendations: (1) to provide specific guidance to CMS contractors on detecting EHR fraud; and (2) to instruct CMS contractors to utilize audit logs to authenticate medical records for claims purposes. CMS has since responded to these recommendations and agreed that guidance and set of best practices for EHR fraud detection are needed, which it will work to provide. CMS also agreed that audit logs could be helpful authentication tools, but disagreed that contractors should be required to use them in every situation. Thus, they may be appropriate in some circumstances, but their use should not be required.

Program integrity is integral to the functioning of the Medicare program and to reducing the cost of health care fraud. This study has helped bring to light deficiencies that CMS will have to quickly address in order keep up with evolving medical records technology.

Squire Sanders lawyers have significant experience advising clients on EHR implementation and compliance issues. For more information on how we can assist you, please contact the Squire Sanders Healthcare Practice Group.