Despite repeated warnings, pervasive EHR fraud vulnerabilities remain

The push for healthcare providers to adopt electronic health records (EHRs) has been fueled by promises of improved efficiency and usability, greater accessibility to health information, and in some cases, better patient care.

But the implementation of EHRs has produced mixed results. Despite repeated warnings from government watchdog agencies, vulnerabilities within EHR systems continue to provide a conduit to improper billing and sometimes shockingly brazen fraud schemes.

This is not a new issue. For years, researchers and experts have been pointing to vulnerabilities with EHRs that could contribute to upcoding or facilitate outright fraud. A 2012 report by the Center for Public Integrity found that the rapid implementation of EHRs led to aggressive billing by providers. That same year, a New York Times article revealed similar concerns about a rise in Medicare payments from providers that adopted EHRs.

Although a 2014 study published in Health Affairs found "no evidence" of upcoding in hospitals that used EHRs, the Office of Inspector General (OIG) has repeatedly called on the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator (ONC) to address fraud vulnerabilities linked to EHRs.

Despite these warnings, experts say EHRs remain vulnerable to multiple layers of improper billing and fraud that has evolved into a complex, systemic problem with a number of significant roadblocks for auditors and investigators.

"The OIG and the inspectors I've worked with are stand-up people, but there is more work they can do," Dan Bowerman, of Expert Opinions Consulting in Philadelphia, told FierceHealthPayer: Antifraud in an exclusive interview. "I think that it's unfortunate that we haven't funded more oversight and we are still operating in a system of trust when the days of trust have left us."

Fraudsters "don't even have to try"

When hospitals used paper records, creating fraudulent or counterfeit medical records took more effort than it was worth. If an insurer requested records to back up a claim, the sheer time it would take to type up a fake patient record was hardly lucrative.

With EHR software, however, users have tools at their disposal to instantaneously create hundreds, even thousands, of fraudulent patient records, said Reed Gelzer, M.D., an EHR/HIT systems and policy analyst at Provider Resources Inc., in an exclusive interview with FierceHealthPayer: Antifraud.

Compounding that problem is the fact that payers are behind the curve when it comes to detecting overtly counterfeit records.

"Payers have not adapted their record review policies and procedures to respond to some of the things that EHRs do that create counterfeit medical records," said Gelzer.

In one particularly egregious example, Gelzer encountered a patient who exhibited identical vital signs in multiple records over a period of several months, including height, weight--down to a tenth of a pound--blood pressure, pulse, respiration and temperature.

"What that tells you is the fraudsters know that they don't have to commit any effort at all," he said. "They don't even have to try."

In a slight twist, some counterfeit medical records feature similar verbiage to describe the same condition, Bowerman said. When CMS conducts Comprehensive Error Rate Testing to identify improper payments, it will often look at three or four patient visit records rather than the entire patient encounter.  

"From an audit or special investigative perspective, you need to look carefully and you need to look at a fair number of records in order to see this," he said.

Some dead giveaways of fraudulent records, according to Bowerman: abnormal spacing, more than one gender change within the patient record, the exact same block of text that shows up in different patient records or dates that don't align with when the service was provided.

"Information in the note should be contemporaneous with the other notes," Bowerman says. "I have one case where [the provider] reported the results of an MRI four days before it occurred."
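The checks described above (identical vitals repeated across months, the same text block in different patients' records, a result reported before the study took place) can be run mechanically over exported records. The following is an added example, not code from the article or from any EHR vendor; the field names, thresholds and sample encounters are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

BOILER = "Patient reports intermittent lower back pain, worse on standing, relieved by rest."
V = (68.0, 182.4, "120/80", 72, 16, 98.6)  # height, weight, BP, pulse, resp, temp

# Constructed sample encounters; field names are hypothetical, not an EHR schema.
# "noted" = date the note was written, "study" = date the referenced study was performed.
ENCOUNTERS = [
    {"patient": "P1", "noted": date(2015, 1, 5), "study": None, "vitals": V, "note": BOILER},
    {"patient": "P1", "noted": date(2015, 3, 9), "study": None, "vitals": V, "note": BOILER},
    {"patient": "P1", "noted": date(2015, 6, 2), "study": None, "vitals": V, "note": BOILER},
    {"patient": "P2", "noted": date(2015, 2, 1), "study": None,
     "vitals": (64.0, 140.2, "118/76", 68, 14, 98.4), "note": BOILER},
    {"patient": "P3", "noted": date(2015, 4, 10), "study": date(2015, 4, 14),
     "vitals": (70.0, 201.7, "132/84", 80, 18, 98.9), "note": "MRI shows mild disc bulge at L4-L5."},
]

def repeated_vitals(encounters, min_visits=3):
    """Patients whose complete vitals set is identical on >= min_visits distinct dates."""
    seen = defaultdict(set)
    for e in encounters:
        seen[(e["patient"], e["vitals"])].add(e["noted"])
    return sorted({p for (p, _), dates in seen.items() if len(dates) >= min_visits})

def shared_text_blocks(encounters, min_len=40):
    """Text blocks that appear verbatim (after whitespace/case folding) for different patients."""
    owners = defaultdict(set)
    for e in encounters:
        for block in e["note"].split("\n"):
            norm = " ".join(block.split()).lower()
            if len(norm) >= min_len:  # ignore short phrases that repeat legitimately
                owners[norm].add(e["patient"])
    return {b: sorted(p) for b, p in owners.items() if len(p) > 1}

def results_before_study(encounters):
    """(patient, days_early) for notes written before the study they report on."""
    return [(e["patient"], (e["study"] - e["noted"]).days)
            for e in encounters if e["study"] and e["noted"] < e["study"]]

if __name__ == "__main__":
    print("identical vitals:", repeated_vitals(ENCOUNTERS))
    print("shared text:", list(shared_text_blocks(ENCOUNTERS).values()))
    print("note precedes study:", results_before_study(ENCOUNTERS))
```

As Bowerman notes, these patterns only surface when a fair number of records are compared, so the checks are meant to run over a patient's or provider's full set of encounters rather than a three- or four-visit sample.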

For payers, detecting certain billing trends can also point to potentially fraudulent EHRs. For example, payers can look at the historical distribution of coding to see if there are changes or anomalies that might lead to improper billing. If a provider normally billed at a mid-level service and suddenly jumped to higher level services, it may be an indication that it has transitioned to a new EHR system, Bowerman says.
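One way a payer could quantify a change in a provider's historical coding distribution, as an added example that is not from the article: it compares the share of claims at each service level between a baseline and a recent period. The five-level scale, the 0.25 threshold and the claim counts are assumptions constructed for illustration.

```python
from collections import Counter

LEVELS = range(1, 6)  # assumed five-level service scale, 1 = lowest, 5 = highest

def level_distribution(claim_levels):
    """Fraction of claims billed at each service level."""
    counts = Counter(claim_levels)
    total = sum(counts.values())
    return {lvl: counts.get(lvl, 0) / total for lvl in LEVELS}

def coding_shift(baseline, recent, threshold=0.25):
    """Return (total_variation_distance, mean_level_change, flagged).

    Flags only upward shifts: the distribution moved by at least `threshold`
    (an assumed cut-off) and the average billed level increased.
    """
    b, r = level_distribution(baseline), level_distribution(recent)
    tvd = 0.5 * sum(abs(b[l] - r[l]) for l in LEVELS)
    mean_change = sum(l * (r[l] - b[l]) for l in LEVELS)
    return round(tvd, 3), round(mean_change, 3), (tvd >= threshold and mean_change > 0)

# Constructed claim histories for one provider (100 claims per period).
BASELINE = [2] * 20 + [3] * 60 + [4] * 15 + [5] * 5    # mostly mid-level
AFTER_JUMP = [2] * 5 + [3] * 25 + [4] * 45 + [5] * 25  # sudden move to higher levels
STABLE = [2] * 18 + [3] * 62 + [4] * 16 + [5] * 4      # normal period-to-period noise

if __name__ == "__main__":
    print("jump:  ", coding_shift(BASELINE, AFTER_JUMP))
    print("stable:", coding_shift(BASELINE, STABLE))
```

A flag here is a prompt for record review, not a finding: the article's point is that such a jump may simply coincide with a transition to a new EHR system.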

Utilization patterns across a diverse patient population can also serve as a jumping-off point.

"Nobody in their right mind would think that everyone needs the same care and the same services in the same time frame," he said. "A 10-year-old and an 80-year-old are physiologically different and you'd expect different services."

Metadata presents a tricky roadblock

The digital transformation in all industries--not just healthcare--has spurred new discussions about how to define a digital record. Paper records were easy to define, as all the information is right there on the page.

But with EHRs, the metadata found within audit logs plays an increasingly important role when it comes to looking at the identifying characteristics of a record, such as when it was created, who it was created by and if it was altered. Audit logs within EHR systems offer a backend view of how the record was changed or accessed, and by whom, which can be valuable information for fraud investigators.

Unfortunately, that data is not easily accessible or accurate. A 2013 survey conducted by OIG of 864 hospital providers found that 44 percent of respondents reported they could delete their audit logs. Another 33 percent of hospitals said they could disable audits and 11 percent indicated they had the ability to edit audit logs.

CMS recommends providers maintain an audit log "that remains operational whenever records are available for updating or viewing," and the OIG says "audit logs should be operational whenever EHR technology is available for updates or viewing." However, under current Meaningful Use requirements, audit logs can be disabled by a "limited set of identified users."

"When I used to give a lot more presentations, one of the questions I would pose to the audience was, can anyone give me a legitimate reason why you should be able to disable the auditing functions in a digital record system?" Gelzer says. "In several years of posing that question, I never once had anyone offer a legitimate reason."

The lack of accessible EHR metadata creates huge implications for improper billing. Without an audit log, dates and times can be freely changed, along with who provided the service. For services that were provided by a clinician without the proper qualifications, the opportunity exists to simply change the record so the services were provided by an appropriately credentialed practitioner, Gelzer says.

Even if the audit data is accessible, fraud investigators can have a difficult time accessing it, primarily because there are no strict definitions that tie audit data to the EHR record in question.

"In most situations, people are still trying to sort out what is an EHR record," Gelzer says. "And if you're a hospital and you get a record request from an attorney, you're not going to send them everything possible, you're going to send them everything reasonable."

Furthermore, private payers may find it difficult to force providers to turn over audit logs, Bowerman adds. In some cases, it could require litigation and a court subpoena. Even then, medical record requirements vary by state.

"Historically, when providers have been asked to send in records, they send in the patient record," he said. "Now what you're asking for is something above and beyond. You're asking for the computer printout of how that record system was constructed, when it was constructed, and who entered that information."

Plus, if the audit trail isn't turned on, that data may be even harder to access, he added.

"While the audit trail is mandated, the fact is, it has not been mandated to be turned on."