OIG report says EHRs ripe for fraud
Hospitals are trying to prevent fraud in their electronic health records (EHRs), but they are not doing enough, according to a report released recently by the Department of Health and Human Services’ (HHS’) Office of Inspector General (OIG).
The report looked at the extent to which hospitals that received EHR Medicare incentive payments between January 2011 and March 2012 implemented certain fraud safeguards recommended by RTI International, a contractor to the Office of the National Coordinator for Health Information Technology (ONC). ONC coordinates the adoption, implementation, and exchange of EHRs, and it contracted with RTI to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology.
Hospitals are not ignoring the issue. Among other actions, all hospitals were using recommended user authorization and access controls, and nearly all had recommended audit functions and data transfer safeguards in place. But the OIG report says those steps are not enough. OIG recommends that healthcare providers also keep audit logs operational whenever EHR technology is available for updates or viewing, and it recommends they develop specific policies on the use of the copy-and-paste feature in EHRs.
The report recommends that HHS strengthen efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs and develop guidance on the use of the copy-and-paste feature in EHR technology.
These were some other findings from the report:
• Nearly all hospitals with EHR technology had recommended audit functions in place, but they might not be using them to their full extent.
• Ninety-six percent of hospitals reported that their audit logs remain operational at all times despite the barriers they reported, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. Audit logs monitor user activity and are an important tool against fraud in EHRs. OIG notes that they are so important that one-third of the recommended safeguards concern audit log operation and content.
• Hospitals’ control over audit logs might be at odds with their RTI-recommended use as fraud safeguards. RTI recommends that EHR users not be allowed to delete the contents of their audit log so that data are always available for fraud detection, yet nearly half of hospitals (44%) reported that they can delete their audit logs. Although these hospitals reported that they limit the ability to delete the audit log to certain EHR users, such as system administrators, one EHR vendor noted that any software programmer could delete the audit log. RTI recommends that the ability to disable the audit log be limited to certain individuals and that EHR users, such as doctors and nurses, be prevented from editing the contents of the audit log because these actions can compromise the audit log’s effectiveness.
• Hospitals reported they have the ability to disable (33%) and edit (11%) their audit logs, although they reported restricting those abilities to certain EHR users, such as system administrators or EHR vendors.
• OIG interviewed four EHR vendors, and all four reported that the user cannot disable audit logs in their products. One vendor noted that a programmer could disable the audit log.
• Most hospitals reported analyzing audit log data, but only to ensure the privacy of patient data rather than to detect and prevent fraud and abuse. Hospitals cited barriers to analyzing audit logs, including limited human resources, a lack of vendor-provided user guides for audit log functionality, inadequate training on audit logs, and the inability to interpret audit log data.
The full OIG report is available online at http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf.