EHRs: Computer Functions Facilitate Fraud
Shed light on the dark side of electronic health records (EHRs) to safeguard your practice.
By Mary A. Inman, JD, and Timothy P. McCormack, JD
Organizations around the country—from government entities to private insurers—have been touting electronic health records (EHRs) as a way to increase efficiency, improve patient care, and reduce costs in the medical field. But new reports are shedding light on a dark side of EHRs. For the third time in just over a year, the U.S. Department of Health & Human Services (HHS) warned that the improper use of EHRs may lead to increased incidence of Medicare fraud.
EHRs have many benefits: Smoother information sharing, more legible records, and more accurate drug interactions, to name just a few. For those reasons, the U.S. government encouraged hospitals and providers around the country to transition to EHRs, offering billions of dollars in incentive payments. Many organizations took advantage of the inducement, hurriedly instituting their own EHR systems.
But rapid and widespread EHR adoption has led to extensive problems. In September 2012, the U.S. attorney general and the secretary of HHS sent a letter warning hospitals against cloning medical records, which could lead to upcoding claims and improperly inflating reimbursement. In July 2013, reports emerged that HHS is conducting audits targeting EHR-related overbilling. Most recently, on January 14, 2014, the HHS Office of Inspector General issued a report flagging EHR-related fraud as a problem.
To keep your practice from waving red flags, be sure your staff is aware of the ways EHRs can prompt erroneous billing.
Electronic “Shortcuts” to Upcoding
EHR fraud often involves the use of common computer practices originally designed to streamline record keeping, such as copying and pasting text from other medical records and using macros, menus of pre-selected options, and default settings.
Copy and Paste: The Copy and Paste commands—common in many computer programs—create serious fraud risk in EHRs. For example, doctors are paid more for office visits (using evaluation and management (E/M) codes) if they perform a more extensive examination, take a more detailed history, etc. An unscrupulous physician may copy and paste notes from prior visits into the current medical note to make it appear as though he or she performed a more intensive service.
Similarly, in the Medicare managed care context, health plans and physicians are paid more through the risk adjustment system if a patient is treated for certain (often expensive) conditions. To improperly take advantage of this system, providers or health plans may copy treatment notes, patient histories, or other information from prior patient visits to appear as though the patient received treatment in the current year. Doing so fraudulently increases Medicare payments.
Macros, Menus, and Default Settings: EHRs often have functions that allow the user to insert standardized text into the medical note. For example, macros allow the user to either copy and paste certain text from another location in the chart to the current note or automatically insert a pre-determined script into the note. Menus allow EHR users to insert text from a pre-selected list of options. Similarly, other EHR default functions may automatically enter text that affects billing, although that text may not be accurate for the patient. Such functions create a substantial risk for a physician or other EHR user to unwittingly “write” misinformation in a patient’s medical record.
For example, a physician may use a macro to copy the patient’s problem list into the current treatment note, simply for ease of reference. Often, however, such macros copy the problem list into the note in a way that makes it appear as though the physician has reviewed or otherwise treated every condition on the list. Such improper over-notation could result in a physician or Medicare managed care plan improperly claiming enhanced risk adjustment payments from Medicare.
Menus, another feature in EHRs designed for easier use, may limit the available options for diagnosis or procedure codes. For instance, a menu may list only codes that lead to the highest payment rates, which improperly leads physicians to upcode their visits. Healthcare providers and coders also need to exercise care when using the default settings of an EHR. Those settings could, for example, automatically insert certain text into a note whenever a new note is opened or another action is taken. The user may be unaware of the default text, and the default text may be inaccurate.
Difficult to Detect Fraud
Fraudulent acts such as these are difficult to catch. Often the documentation looks foolproof; copying is hard to spot and to prove. This is especially true if the physician or hospital using the EHR has turned off the “audit logs” (electronic trails showing when documentation was edited) in the software.
Finding this type of fraud often takes a trained eye. For example:
A medical coder may see boilerplate notes, where a doctor uses the same language to document 45-minute comprehensive exams with one patient at every visit, or with many different patients.
A physician may notice that when she types a simple condition into a patient’s chart, the medical record automatically adds text or makes changes so the diagnosis appears more complicated or the service more intensive.
A nurse may notice that when he tries to enter the proper diagnosis or procedure into the medical record, the system will not allow him to enter lower-valued codes without taking extra, often more burdensome, steps.
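The boilerplate pattern in the first example above (the same language repeated for one patient or across many patients) can be screened for automatically. The following Python code is an added example, not part of the original article or of any EHR product; the note records, the 3-word shingle size, and the 0.8 threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample notes (not real patient data): (note_id, author, patient, text)
NOTES = [
    ("n1", "dr_a", "p1", "Comprehensive exam performed, 45 minutes. Reviewed all systems. "
                          "Patient reports no new complaints. Continue current medications."),
    ("n2", "dr_a", "p1", "Comprehensive exam performed, 45 minutes. Reviewed all systems. "
                          "Patient reports no new complaints. Continue current medications."),
    ("n3", "dr_a", "p2", "Comprehensive exam performed, 45 minutes. Reviewed all systems. "
                          "Patient reports no new complaints. Continue current medication."),
    ("n4", "dr_b", "p3", "Follow-up for left knee pain after fall last week. Swelling reduced. "
                          "Advised ice and rest, recheck in two weeks."),
]

def shingles(text, k=3):
    """Return the set of k-word shingles of a note, case and punctuation folded."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Jaccard similarity of two shingle sets; empty notes never match."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)

def flag_cloned_notes(notes, threshold=0.8):
    """Flag same-author note pairs whose wording overlaps at or above threshold."""
    sets = {nid: shingles(text) for nid, _, _, text in notes}
    findings = []
    for (id1, auth1, pat1, _), (id2, auth2, pat2, _) in combinations(notes, 2):
        if auth1 != auth2:
            continue  # the pattern described is one clinician reusing wording
        score = jaccard(sets[id1], sets[id2])
        if score >= threshold:
            kind = "same_patient" if pat1 == pat2 else "cross_patient"
            findings.append((id1, id2, kind, round(score, 2)))
    return findings

if __name__ == "__main__":
    for finding in flag_cloned_notes(NOTES):
        print(finding)
```

A flagged pair is a prompt for a human chart review, since legitimate templates also produce overlapping wording.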
Some possible steps to prevent your EHR from exposing you to fraud include:
If you use an automated text function, such as a macro, go back and check what text was actually typed into the chart. Make sure the record says what you meant it to say, and that extra, unwarranted words weren’t added.
When you use a menu to select a diagnosis, procedure, or other piece of information, make sure the EHR allows you to pick the code you want. If it has an incomplete set of options, talk to someone in your information technology department about adding the other, missing codes.
If your EHR has an “audit log” function, make sure it’s on. An audit log allows you to see who entered what information into the medical chart, who changed information, and when it was done. This information is invaluable in determining what should be in the chart, and in understanding why and how errors were made.
Prevent Fraud, or Risk Larger Penalties
Employees should be able to report their concerns about upcoding and other problems with EHRs internally to the compliance department, or by following other internal reporting guidelines. This can help your practice resolve compliance issues before government action is required.
If you find the organization is non-responsive to employee complaints, you still have options to stop the fraud. The federal False Claims Act empowers anyone who knows about fraud against the government to take action. With the help of a lawyer, a whistleblower can file a lawsuit on behalf of the United States against the company filing false claims. The whistleblower is then eligible to receive a reward, which would be 15 to 30 percent of any money the government recovers.
The government and the public are relying on those inside the medical industry to take a stand against EHR abuse. It’s up to healthcare professionals to cooperate with colleagues in finance, management, and treatment to ensure EHRs are used in an effective and compliant manner. Meeting the promise of EHRs depends on it.
Mary A. Inman, JD, and Timothy P. McCormack, JD, are partners at Phillips & Cohen LLP, an experienced law firm representing whistleblowers (www.phillipsandcohen.com). Whistleblower cases brought by the firm involve Medicare and Medicaid fraud, as well as other types of fraud against the government. Phillips & Cohen cases have returned more than $11 billion in civil settlements and related criminal fines to federal, state, and local governments.