- A recent Office of the Inspector General (OIG) report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” gave some insight into EHR technology audit and access control capabilities and how healthcare providers are taking advantage of these functions.
The annual cost of healthcare fraud is between $75 billion and $250 billion, according to 2009 CMS estimates, and OIG administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. OIG found that nearly all hospitals with EHR technology had contractor RTI International (RTI)-recommended audit functions in place, but they may not be maximizing their potential. And hospitals were found to use a variety of RTI-recommended user authorization and access controls, with most using RTI-recommended data transfer safeguards. OIG also found that a copy-paste feature in EHR technology that, if used improperly, could turn into a fraud vulnerability, and only one quarter of hospitals had policies to prevent this technology.
Audit logs: Privacy or fraud tool?
96 percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. OIG explained that because audit logs monitor user activity, they’re an important tool against EHR fraud. In fact, one-third of RTI’s recommended safeguards concern audit log operation and content. About 44 percent of hospitals delete their audit logs, which is against RTI advice for them to be available for fraud detection. Most hospital use their audit logs for privacy and not fraud monitoring purposes.
Patient Privacy Rights offers Privacy Trust Framework Common Rule’s Final Version Exempts Certain HIPAA Covered Entities Possible PHI Security Breach in FL Respiratory Facility Threat Intelligence Sharing Essential for Healthcare Cybersecurity Connecting personal health data with privacy needs How will FDA regulations affect mHealth security efforts? Misprinted Letter Leads to Affinity Health Plan Data Breach GAO challenges CMS on cost of removing Medicare SSNs Schneck Medical Center exposes patient information NY patient identity thief sentenced for HIPAA violations Managing multi-location health system internal security risks What Healthcare Can Learn from the OPM Data Breach Health privacy and security: Winning back patient confidence Using Risk Assessments, Management for OCR HIPAA Audits mHealth security stakeholders to testify Thursday in D.C. Associates in Psychiatry and Psychology Suffers Ransomware Attack Healthcare IT Security Director talks event, project focuses 2014 Cyber Security Forecast: Significant healthcare trends Prioritizing Healthcare Cloud Security in App Transitions How Will New Research Bill Affect HIPAA Regulations? Gaps Found in Healthcare Cybersecurity Threat Detection Horizon Blue Cross Blue Shield tells 840,000 of data breach Wash. Memorial VA endures 1,519-patient health data breach IT security consultant’s 2014 predictions: Healthcare impact Data Security Cited in ONC Health Data Exchange Framework Praise PHI ‘Mishandling’ by Montana VA Leads to Possible Data Breach VA risk management team expects data breach in year ahead UCLA Faces Lawsuit After Health Data Breach HHS Secretary mandates new CMS chief risk officer position Reactions to the Premera Blue Cross Breach OCR Director’s USCIS nomination: Points of clarification GOP: HealthCare.gov security still not strong enough Federal Agencies Need Better Cybersecurity Measures, Says GAO Employees file class suit against UPMC following data breach How are Healthcare Data Breach Victims Affected by Attacks? Lahey Hospital Agrees to $850K OCR HIPAA Settlement Employee Negligence Top Health Data Breach Issue, Report Says What Should Entities Expect for Healthcare Security in 2017? Former UPMC Worker Indicted for HIPAA Violations Medical Device Security Part of FDA Evaluation System Keeping Healthcare Information Security Training a Priority Layered Tech guides start-ups on HIPAA compliance AHIMA session to focus on Breach Management Toolkit uses Scrutinizing healthcare data encryption options Loyola University Medical Center reports patient data breach Understanding Medical Device Security in Healthcare Today Ponemon to present failed trust report at 2013 RSA Conference U.S. Senators: FDA healthcare regulation should be narrowed Prioritizing Data Privacy, Security in the Healthcare C-Suite Data Security Key Consideration for Healthcare Blockchain Success Secure Health Data Sharing Research Expanded with $500K Grant Medical practice notifies 3,000 patients of data breach Phishing Scam Leads to Potential Healthcare Data Breach in WY Healthcare Secure Messaging Benefits Texas Hospital, ACO Metropolitan Urology Ransomware Attack Affects 18K Patients HIPAA vendor: Omnibus final rule requires more resources What Constitutes a HIPAA Violation? Kaiser Permanente v. Surefile update: Kaiser denied data access How Cybersecurity National Action Plan Affects Healthcare OCR Releases New HIPAA Guidance on Patient Right of Access Former OCR advisor David Holtzman joins CynergisTek A healthcare vendor contract’s required security policies CIOs Report Budgets are Top Patient Data Security Risk Potential Ransomware Attack Encrypts Patient Data in KY Insufficient Staffing, Education Hinders Healthcare Cybersecurity Privacy and Security Tiger Team rounds up HIE query talks Patient Privacy Focus of NATE, Kantara Initiative Partnership Should More Patients Worry About Healthcare Data Security? Patient Privacy Addressed in Recent HHS Confidentiality Rule 5 Next-Generation Healthcare Security Solutions How a Proactive Approach Improves Healthcare Cybersecurity Potential HIPAA Violation From Minn. BCBS Nurse mHealth bills on Capitol Hill may impact privacy, security Audit Controls Underlined in $5.5M OCR HIPAA Settlement OCR readies pre-audit survey for HIPAA covered entities, BAs ONC interoperability roadmap cites privacy, security needs OIG: NC Medicaid Eligibility Data Security Measures Must Improve Data on 500K Patients Exposed in LifeBridge Healthcare Data Breach Data migration can leave your information vulnerable CAQH CORE to host HIPAA compliance session Ransomware Attack Hits KY Hospital, Patient Files Encrypted Companies Lacking Confidence in Data Breach Preparedness X-ray film scam exposes 17k patients to possible data breach Why Healthcare Security Measures Must Evolve with Technology What are Top HIPAA Compliance Concerns, Obstacles? Elements of a ‘resilient’ health IT security program McAfee Uncovers Cybersecurity Vulnerabilities in Patient Monitors Is There a Healthcare Cybersecurity Skills Shortage? Ore. Hopes to Fix Healthcare Security Issues with Ky. System Hope Family Health reports 8,000-patient data breach Using SD-WAN in Telemedicine Capabilities, Network Security Alere Home Monitoring Data Breach Class Suit Thrown Out Mobile Security Concerns Continue to Nag Health IT Leaders Utilizing a Secure Healthcare Cloud in Your Organization Eastside Medical Center loses paper patient records Data Re-Identification Top Concern in Health Data Sharing FDA issues encryption, authentication rules for medical devices How must health data security user education change? HealthShare Montana to use Coalfire’s HIPAAcentral How Parkway Works Toward HIPAA Compliance
EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them. For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.
According to OIG, all responding hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent). 22 hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs.
Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered. Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.
OIG recommends that audit logs be operational whenever EHR technology is available for updates or viewing and that ONC and CMS collaborate for create a comprehensive plan to address fraud vulnerabilities in EHRs. And it requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC agreed with all of its recommendations.
Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.