On December 11, 2013, the HHS Office of Inspector General (OIG) released a report examining provider use of certain fraud controls in certified electronic health record (EHR) technology.  OIG’s survey of 864 hospitals found that most rarely employed functions such as audit logs to their fullest extent and even fewer have the ability to regulate copy-paste functions within a patient’s electronic medical record.  OIG concludes that limited use of audit logs and unclear copy-paste rules can facilitate fraud by failing to ensure that accurate and truthful information is logged into each individual patient’s electronic medical record.

OIG based its conclusion on a survey sent to a sample of hospitals that received Medicare EHR Incentive payments under the HITECH Act Meaningful Use Program.  (King & Spalding reported on the survey’s contents in the October, 29 2012 edition of Health Headlines, available here).  The questionnaire asked hospitals to respond to a series of questions regarding provider use of audit logs, security features such as secure logins, and EHR copy-paste functions.  OIG also made eight on-site visits to observe hospital practices, and conducted interviews with EHR vendors regarding fraud prevention features in their products.

OIG found that while most hospitals had audit log capabilities (96 percent), the hospitals were not using the logs to their fullest capabilities.  For instance, the logs recorded the date and time of user entries but did not record when an individual released a patient encounter for billing, exported or imported an EHR document, or disabled the logs themselves.  Monitoring these activities, OIG claims, could help hospitals identify potential fraud.  Indeed, OIG found that hospital review of audit log entries was mostly concerned with protecting patient privacy (e.g., identifying access of patient information that a user was not authorized to view) rather than identifying potentially fraudulent billing.

Only one-quarter of responding hospitals had policies regarding the use of EHR copy-paste functions, though 44 percent of hospital audit logs had the ability to track the use of copy-paste.  Fifty-one percent of hospitals reported that they did not have the technical capability to limit or restrict copy-paste use, and those with policies governing its use often instruct users only to avoid “indiscriminately” copy-pasting information from one patient medical record into another without considering the information’s accuracy and applicability.

OIG’s report is available here.