- A recent Office of the Inspector General (OIG) report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” gave some insight into EHR technology audit and access control capabilities and how healthcare providers are taking advantage of these functions.
The annual cost of healthcare fraud is between $75 billion and $250 billion, according to 2009 CMS estimates, and OIG administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. OIG found that nearly all hospitals with EHR technology had contractor RTI International (RTI)-recommended audit functions in place, but they may not be maximizing their potential. And hospitals were found to use a variety of RTI-recommended user authorization and access controls, with most using RTI-recommended data transfer safeguards. OIG also found that a copy-paste feature in EHR technology that, if used improperly, could turn into a fraud vulnerability, and only one quarter of hospitals had policies to prevent this technology.
Audit logs: Privacy or fraud tool?
96 percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. OIG explained that because audit logs monitor user activity, they’re an important tool against EHR fraud. In fact, one-third of RTI’s recommended safeguards concern audit log operation and content. About 44 percent of hospitals delete their audit logs, which is against RTI advice for them to be available for fraud detection. Most hospital use their audit logs for privacy and not fraud monitoring purposes.
Will Patient Privacy Violations Occur With Mental Health Law? Survey: Healthcare still working on risk-based security TriRivers Health Partners eases into new security projects NIST sends out RFI to public for cybersecurity framework Secure HIE Highlighted in DirectTrust, FHA Federal Bundle Why Healthcare Cybersecurity is a Risk Management Issue Online Security Breach Exposes PHI of 5K Medicaid Patients Potential NIST cybersecurity framework effects on healthcare Potential Health Data Breach, 40,000 Patient Records Stolen HHS Updates HIPAA Breach Reporting Tool, Empowers Consumers HIPAA omnibus responsibility focus shift: Legal Q&A Brown Offers ‘Hands-On’ Approach to Cybersecurity Threats Post healthcare data breach Dos and Don’ts Mostashari to Senate: Data security a top priority for HHS Most Wired Survey: Health Data Security Top Hospital Priority Why Vulnerable Healthcare Software Must Be Patched How HHS’ HCCIC Will Improve Healthcare Cybersecurity Staying current with healthcare BYOD security risks Hackers Access EHR Data in Potential Healthcare Data Breach How Health Privacy Regulations Hinder Telehealth Adoption UW Medicine notifies 90,000 patients of data breach Mobile App Security Top Concern for Health IT Decision Makers HIPAA Omnibus Rule compliance tips for healthcare law firms Reviewing the Council on CyberSecurity’s Top 20 Controls Mercy Health Systems, Allscripts data breach details emerge Plugging in health IT infrastructure security gaps HIE Security and Interoperability Examined in ONC Study DirectTrust meets ONC HIE security accreditation goals University of Rochester Medical Center reports data breach HIMSS Privacy and Security Forum 2014: Industry trends CIS seeks medical device security guidance with RFI Overcoming the Healthcare Cybersecurity Workforce Shortage Connecting personal health data with privacy needs Previewing ONC’s HIMSS14 privacy, security sessions EEOC Proposed Rule May Affect Health Data Security PHI Exposed in Colorado Through Discharge Paperwork Patient portal privacy: Authentication, password management Preparing for the 2017 Healthcare Cybersecurity Threats ONC Stresses Improved Patient Data Access Measures Anthem Health Data Breach Could Compromise PII of 80M How HIPAA and the military Privacy Act intersect NJ Psychologist to Fight HIPAA Violation Allegations Maximizing ONC, HHS Security Risk Assessment Tool’s uses Laptop with PHI Stolen from Oregon Employee’s Car Why Education is Crucial to Health Data Security in 2016 Business associates prepare for HIPAA omnibus compliance UPMC mails patient data breach notification letters HHS Clarifies HIPAA Regulation Patient Right of Access Costs MI Computer System Health Data Breach May Involve Data of 106K Healthcare Privacy & Security Part of ONC Vision Paper Healthcare Security and Compliance Increases, Says DataMotion Potential Healthcare Data Breach Affects Over 19K Patients GAO boosts HIT Policy Committee privacy, security expertise North Carolina VA experiences 1,100-patient data breach Patient Data Breach Fear Hinders Health Data Sharing St. Joseph Health Agrees to $2.14M OCR HIPAA Settlement NIST Mobile App Security Guidelines: Healthcare Key Points GAO identifies potential HHS security investment overlaps HITRUST Cyber Threat Briefing focuses on CHSI data breach Healthcare Data Breach in CA Caused by Impersonation Scam Managing a health data breach with a response plan IRS facing class action suit for medical record breach ONC Reviews HIE Security, Interoperability under HIPAA Congress Seeks Clarification of HIPAA Rules for mHealth Apps Colorado Medicaid notifies 1,918 patients of data breach BYOD Privacy Concerns Push Security Admins Away, Says Report Healthcare cloud authentication: Identity federation challenges Potential PHI Data Breach Follows Mich. Employee Email Hack CMS provides Meaningful Use privacy and security tips Patient Privacy Violation Questioned with Medical Records Dump Healthcare privacy and security needs: Federal perspective Why Mobile Health Security Must be a Focus Area Stolen Patient Records in Calif. Mean Possible Data Breach Creating Secure Healthcare BYOD Environments, Communication EHR and mobile device auditing, security requires vigilance VMware vulnerability patching effects on healthcare security Does Healthcare Security Interfere with Clinical Workflow? Handling healthcare SMS security between different devices Patient Right of Access: Breaking Down HIPAA Rules Majority of Healthcare Data Breaches Caused by Cyberattacks EPIC offers HIPAA Privacy Rule tips for mental health data Prioritizing BYOD Security, MDM in Evolving Healthcare Sector Patient Health Data Second-Most Stolen Data Type, Says Study Five medical identity fraud prevention tips from the Calif. AG Mobile Health App Privacy Policies Not Easily Accessible Paper records stolen from CaroMont employee car How Healthcare IT Teams Bring Value and Security to Providers Health cloud-based database security concerns Hacking Continues to Cause Majority of Reported Data Breaches HIMSS14 session preview: Meaningful use risk assessments Use Staff Training to Improve Hospital Ransomware Procedures AHIMA: Patient Data Access Through Patient Portals Increases Experts see healthcare taking proactive IT security stance VA Cybersecurity Woes Continue, 16 Consecutive Audit Fails New Business Associate Group Talks Healthcare Data Security Metropolitan Urology Ransomware Attack Affects 18K Patients Stage 3 Meaningful Use Overlaps With HIPAA, CHIME Says HHS fines Skagit, Wash. $215K in first county HIPAA settlement VA’s Roger Baker updates EHR security strategy Mass. Launches Online Data Breach Notification Archive
EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them. For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.
According to OIG, all responding hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent). 22 hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs.
Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered. Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.
OIG recommends that audit logs be operational whenever EHR technology is available for updates or viewing and that ONC and CMS collaborate for create a comprehensive plan to address fraud vulnerabilities in EHRs. And it requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC agreed with all of its recommendations.
Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.