CMS lax in EHR-enabled fraud, OIG says
Although electronic health records are becoming more appealing to pharmaceutical marketers, the Office of the Inspector General says the Centers for Medicare and Medicaid Services could do a better job of using them to ferret out fraud.
The OIG's two major problems with CMS, spelled out in a report, are that CMS contractors are letting cloned claims and over-documentation slide by. The contractors include Medicare administrative contractors (responsible for processing and paying claims), zone program integrity contractors (fraud detectors) and recovery audit contractors (who detect and recover improper payments).
OIG says document cloning lets users duplicate information in another location, which could “facilitate attempts to inflate claims and duplicate or create fraudulent claims.”
Over-documentation is as much a documentation issue as a semi-automated one: the OIG report notes that some EHR systems auto-fill information if a checkbox is clicked, but unnecessary information needs to be manually deleted. If not, the record suggests “the practitioner performed more comprehensive services than were actually rendered.”
The latest CMS estimates put healthcare fraud at between $75 billion and $250 billion, adding fuel to the OIG's concerns, as do the OIG's findings that contractors were not necessarily reining in fraud when they came across it. Instead, OIG researchers found that follow-up was patchy and that CMS has failed to provide sufficient instruction about how to review EHRs to prevent fraud. The report cites as an example CMS manual instructions that “medical record keeping within an EHR deserves special consideration.”
The OIG's recommendations for reducing EHR-based fraud include providing guidance about fraud and having contractors use audit logs, which it says can authenticate medical claims. OIG said only three of the 18 surveyed Medicare contractors currently use audit logs, a percentage that gains significance when considering a 2012 OIG survey, which found that 57% of Medicare physicians used EHRs at their practices in 2011 and that 75% used a certified system. Further, a 2011 OIG study found that Office of the National Coordinator for Health Information Technology certification controls focused on how EHR systems communicate but did not include general IT security controls.
The OIG report also notes CMS has provided $22.5 billion in incentives to professionals and hospitals that show "meaningful use of certified EHR technology."
The report also included the November response from the CMS. The agency wrote that it has been “actively considering the issue of preventing fraud, waste and abuse in EHRs” and intends to “develop appropriate guidelines to ensure proper use of the copy and paste feature.”
CMS is partly on board with the audit-log recommendation, but notes that audit logs should be part of an overall review, not the sole tool for authenticating records.