Healthcare News & Insights

OIG: Most hospitals’ EHRs don’t fully protect against fraud

The Office of Inspector General (OIG) has released a new report auditing hospital electronic health records (EHR) systems to review their fraud prevention safeguards, and the results aren’t particularly good.

According to the OIG’s report (link courtesy of Modern Healthcare), a large number of hospitals lack the appropriate safeguards to prevent a variety of fraudulent behavior with their EHRs, including patient identity theft and cloned documentation in the patient record.

One crucial flaw: Only about a quarter of hospitals reviewed by the OIG had policies in place to prevent improper use of copy/paste technology when documenting patient encounters.

In its latest round of audits, the OIG surveyed hospitals that have received EHR incentive payments under the meaningful use program, and it discovered flaws in their technological infrastructure that may make it easier for fraud to occur.

Correcting EHR vulnerabilities

The OIG made several recommendations for hospitals to correct these issues, in conjunction with research firm RHI International. For starters, the OIG suggested that hospitals make better use of self-auditing technology already available in many EHRs.

Data points that should be audited include:

  • Update frequency. Audit logs should track when EHRs are updated.
  • Updating methods. Whether information is copied and pasted, entered directly or imported into a patient’s record, the way in which the record is updated should be tracked.
  • Identification procedures. EHRs should record how the hospital confirmed the patient’s identity (e.g., photo ID).
  • Person updating. Where applicable, EHRs should distinguish between the provider’s entries into the patient record and the entries made by an assistant or another party on the provider’s behalf.
  • Original vs. changes. Original patient records should be retained. Any changes made to the record after the fact should be noted as amendments in the EHR.

Another way to prevent EHR-related fraud is to make patients more aware of what’s listed in their records. Nearly half of the hospitals the OIG surveyed have some kind of procedure in place where patients can access and comment within their EHRs.

What’s being done right

There are some things hospitals are doing right to stop fraud, per the OIG’s report. All hospitals surveyed are using some form of user authorization and access controls for their EHRs to protect patient info (e.g., user IDs and passwords).

Additionally, most hospitals have implemented approved safeguards for data transfer such as encryption and the use of document ID tracking numbers anytime data is printed or transmitted.

It would be wise to put these policies and procedures in place to stay off the OIG’s radar, especially if your hospital’s working to attest to meaningful use with its EHR. If you’re unsure as to whether your EHR has some of these features, talk to your CIO and your EHR vendor to review your options.
