OIG Reports on CMS Failure to Address EHR Vulnerabilities

The U.S. Department of Health and Human Services Office of the Inspector General (OIG) recently released another report on the use of electronic health records (EHR). This new report takes aim at the lack of integrity practices established by CMS and its contractors to address vulnerabilities in EHR technology. Last month, the OIG shared the results of a questionnaire of hospitals receiving Medicare EHR Incentive Program payments, targeting hospitals that could be putting themselves at risk of fraud by using the copy-paste feature in their EHR systems.
The more recent OIG report was based on a questionnaire sent to CMS administrative and program integrity contractors, as well as CMS EHR guidance and EHR documents and Medicare claims CMS provided to its contractors. The OIG found that few contractors review data in their EHR differently from the way they review paper records.
The report also revealed that not all contractors could identify copied language and overdocumentation in EHRs. In general, contractors reported having an easier time identifying overdocumentation. Investigating copied language requires a reviewer to go through multiple claims in search of information that was copied and pasted, whereas they can often identify overdocumentation by reviewing a single claim, according to the report. Of the contractors surveyed, Zone Program Integrity Contractors (ZPIC) were more likely than Medicare Administrative Contractors (MAC) or Recovery Auditors (RA) to identify these issues.
Over the past two years, CMS has failed to provide its contractors with sufficient guidance on the fraud vulnerabilities that EHRs pose, the report stated. In particular, ZPICs reported receiving no guidance on this matter from CMS, whereas MACs and RACs reported receiving limited guidance.
Because EHRs can lead to more opportunities for creating fraudulent records, CMS and its contractors should revise practices for identifying and investigating medical record fraud, according to the report. The OIG recommended that CMS work with its contractors to develop guidance for addressing this issue and tools for detecting EHR fraud. Just three out of 18 Medicare contractors surveyed reported using EHR audit logs to investigate potential fraud. CMS should also encourage its contractors to review the audit logs of their providers, according to the report.