OIG Releases “Best Practices” To Prevent EHR Fraud

Posted on by Frank J. Rosello

A federal watchdog says the CMS and its Medicare contractors could do more to ensure providers don’t use electronic health-record systems as a means to fraudulent ends.

The 17-page report by HHS’ Office of the Inspector General is the latest salvo in a running debate between federal regulators on the one side and providers and technologists on the other over the appropriate use of healthcare information technology.

Click here to view the HHS OIG Report. (pdf.)

The watchdog recommended that the CMS work with its contractors to develop and disseminate a set of “best practices” to guide contractors in detecting EHR-linked fraud, and that the CMS should direct contractors to use EHR audit logs when reviewing medical records as part of routine compliance operations.

Audit logs that are “always operational” and can “never be altered” provide “the most benefit” in fraud detection, the OIG said.

This fight stretches back at least to September 2012, when HHS Secretary Kathleen Sebelius and U.S. Attorney General Eric Holder fired off a letter to the heads of a handful of healthcare organizations warning them about “troubling indications” that EHRs were being used to commit billing and payment fraud.


The implied threat sparked protests from leaders of provider groups.

Dr. Scot Silverstein, a physician informaticist and frequent critic of the federal approach to promote EHR adoption, which he recently described as “the push towards EHR unicorns and moonbeams utopia,” said the OIG report, while disclosing nothing new, indicates “the federal government is incompetently tripping over its own feet.”

The OIG issued a report last month that identifies design weaknesses that render EHR systems vulnerable to abuse.

Click here to view last month OIG report.

In its latest report, the OIG concluded that the CMS and its contractors used “few program integrity practices specific to EHRs.” For example, just three of 18 contractors, in response to an OIG questionnaire, reported using audit-log data from an EHR as part of their fraud fighting reviews and only four of 18 indicated they reviewed EHR records differently than paper records, the OIG report said.

“Not all contractors reported being able to determine whether a provider had copied language or over-documented” an encounter in an electronic medical record, the OIG report authors said. Meanwhile, CMS guidance provided to its contractors on fraud vulnerabilities was described as “limited.”

The report cites two examples of electronic record documentation practices—copying and pasting and overdocumentation—that could be used to commit fraud.

Also known as cloning of a medical record, copying and pasting enables a user to take portions of an existing record and add it to another record. When clinicians cut and paste information without updating or ensuring its accuracy, “inaccurate information may enter the patient’s medical record and inappropriate changes may be billed to patients” and third–party payers, the OIG said. The practice also could be used to create fraudulent claims, the authors said.

The OIG describes overdocumentation as inserting false or irrelevant documentation to fabricate support to bill for more expensive services, a practice the investigators said can be facilitated by EHRs that “auto-populate” data fields in the record when using templates built into these systems.

Other systems, the OIG said, “generate extensive documentation on the basis of a single click of a checkbox,” which also could introduce errors in the patient record as well as facilitate fraudulent claims by making it appear as if the patient received more comprehensive services than the provider actually rendered.

These electronic vulnerabilities require that the CMS and its contractors develop new techniques for finding and investigating improper payments.

Article written by Joseph Conn

Leave a Reply

Follow GOEILLC on LinkedIn Follow GOEILLC on Twitter