- A recent Office of the Inspector General (OIG) report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” gave some insight into EHR technology audit and access control capabilities and how healthcare providers are taking advantage of these functions.
The annual cost of healthcare fraud is between $75 billion and $250 billion, according to 2009 CMS estimates, and OIG administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. OIG found that nearly all hospitals with EHR technology had contractor RTI International (RTI)-recommended audit functions in place, but they may not be maximizing their potential. And hospitals were found to use a variety of RTI-recommended user authorization and access controls, with most using RTI-recommended data transfer safeguards. OIG also found that a copy-paste feature in EHR technology that, if used improperly, could turn into a fraud vulnerability, and only one quarter of hospitals had policies to prevent this technology.
Audit logs: Privacy or fraud tool?
96 percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. OIG explained that because audit logs monitor user activity, they’re an important tool against EHR fraud. In fact, one-third of RTI’s recommended safeguards concern audit log operation and content. About 44 percent of hospitals delete their audit logs, which is against RTI advice for them to be available for fraud detection. Most hospital use their audit logs for privacy and not fraud monitoring purposes.
EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them. For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.
According to OIG, all responding hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent). 22 hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs.
Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered. Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.
OIG recommends that audit logs be operational whenever EHR technology is available for updates or viewing and that ONC and CMS collaborate for create a comprehensive plan to address fraud vulnerabilities in EHRs. And it requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC agreed with all of its recommendations.
Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.