CMS doing little to address EHR vulnerabilities, OIG says

The Centers for Medicare & Medicaid Services and its contractors have done little to address vulnerabilities in electronic health records, according to a new report from the U.S. Department of Health & Human Services Office of Inspector General.

According to the report, OIG sent an online questionnaire to CMS administrative contractors that use EHRs to pay claims, pinpoint improper Medicare payments and investigate fraud. OIG also reviewed guidance documents and policies on EHRs, and on fraud vulnerabilities in EHRs and Medicare claims, that CMS itself gave to healthcare providers.

"CMS and its contractors had adopted few program integrity practices specific to EHRs. Specifically, few contractors were reviewing EHRs differently from paper medical records," the report states. "In addition, not all contractors reported being able to determine whether a provider had copied language or over-documented in a medical record. Finally, CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities."

Copy-pasting and overdocumentation, the report's authors say, are two easy ways for fraud to occur in EHRs. Sometimes the cause is pre-population by the EHR itself, and sometimes it is a lack of oversight by doctors and nurses who enter information via copy-paste and don't review or correct it.

OIG recommends that CMS 1) provide guidance to its contractors on identifying best practices and developing guidance for detecting EHR fraud and 2) direct its contractors to use audit logs, which distinguish EHRs from paper medical records.

According to Leon Rodriguez, director of the U.S. Department of Health & Human Services' Office for Civil Rights, speaking at the American Bar Association's annual Emerging Issues Conference in Miami last February, only 25 percent of the security breaches that have been reported to HHS have involved paper records. He also stated that the breaches were caused by human errors, such as unauthorized access.

"The failures are not due to technology," Rodriguez said.

Rodriguez also said then that the audit program found that entities were lax about encrypting data, with many of them not even thinking about doing so.
