OIG: Limit EHR copy-paste to reduce fraud risk

Hospitals are employing safeguards to prevent electronic health record fraud and abuse to varying degrees, but must do more, according to a new report from the U.S. Department of Health & Human Services Office of Inspector General.

HHS contracted with RTI International (RTI) to develop recommendations to enhance data protection. The report looks at the extent to which hospitals are following those recommendations.

It found that efforts to protect data were aimed more at ensuring privacy rather than detecting fraud and abuse. The authors were especially concerned that too little is done to limit the use of EHRs' copy-paste functions.

"Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims," the report's authors say.

EHR vendors reported that the copy-paste function in their technology cannot be customized or disabled. Hospitals complained that this limits their ability to restrict it to authorized users.

The report found:

  • Only 24 percent of hospitals had policies in place regarding use of copy-paste
  • 44 percent of hospital audit logs reported the method (copy-paste, direct text entry, speech recognition) of data entered into the EHR, as recommended
  • 61 percent shifted responsibility to the user to confirm that copy-pasted data was accurate
  • 22 percent advised EHR users to avoid "indiscriminately copy-pasting"
  • 21 percent of policies required EHR users to cite the original source of the copy-pasted data

In addition, the report found that:

  • Although nearly all hospitals with EHR technology had recommended audit functions in place, they may not be using them to their full extent
  • All hospitals employed a variety of RTI-recommended user authorization and access controls
  • Nearly all hospitals were using RTI-recommended data transfer safeguards
  • Almost half of hospitals had begun implementing RTI-recommended tools to include patient involvement in anti-fraud efforts

It recommended that the Office of the National Coordinator for Health IT and the Centers for Medicare & Medicaid Services strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs and that CMS develop guidance on the use of the copy-paste feature in EHR technology.

A California radiologist was fined more than $7 million for fraudulent radiology reports in which untrained staff cut and pasted the signatures of board-certified radiologists without their knowledge or permission, then submitted the reports for billing.

The practice of cloning, in which providers cut and paste information from prior notes into newer records also has been under scrutiny.

To learn more:
- find the report (.pdf)