Building a HIPAA Toolbox: Part 7

Building a HIPAA Toolbox: Part 7

EHR vulnerabilities can lead to overpayments.

By Julie Roth

With the adoption of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs, collectively known as meaningful use, there has been a steady increase of providers who have transitioned from a paper-based medical record to an EHR. Regardless of which format your office uses, the government expects your medical record documentation to be timely, accurate and complete, properly authenticated, and safeguarded from unauthorized access or disclosure. If you’re considering making (or have already made) the switch from paper records to an EHR, you should be aware of the unique compliance issues this newer technology creates for providers.

Certified Professional Compliance Officer - CPCO

Risky Business

Government enforcement efforts have been primarily focused on providers who failed to properly implement HIPAA security standards in their EHR, which resulted in electronic protected health information (ePHI) breaches. The government’s attention is turning to other vulnerabilities in EHR systems, however — particularly fraudulent or abusive documentation practices.

Although the government has recognized that EHRs, when used appropriately, have the potential to reduce healthcare system costs and improve patient care, there is increasing concern that certain EHR documentation features may result in healthcare fraud and poor data quality.

Activities of particular concern to the government are:

Copying and Pasting: In September 2012, the U.S. Department of Health & Human Services and the U.S. attorney general wrote an open record to the nation’s hospitals warning of “troubling indications that some providers are using [EHR] technology to game the system, possibly to obtain payments to which they are not entitled.” The letter specifically addressed the “cloning” of medical records to inflate the amount providers are paid, and states, “A patient’s care information must be verified individually to ensure accuracy: it cannot be cut and pasted from a different record of the patient, which risks medical errors as well as overpayments.”

This concern was echoed in a January 2014 Office of Inspector General (OIG) report entitled CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs:

When doctors, nurses, or other clinicians copy-paste information but fail to update it or ensure accuracy, inaccurate information may enter the patient’s medical record and inappropriate charges may be billed to patients and third-party health care payers. Furthermore, inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.

User Identity and Overdocumenting: The OIG also expressed concern that EHR technology may be used to mask true authorship of medical records. “For example,” the OIG wrote, “clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs.”

According to the OIG, tracing authorship and documentation in an EHR is not as straightforward as tracing in a paper record; EHRs allow providers to use software features that may mask true authorship of the medical record and distort information in the record to inflate health care claims.

The OIG also cited concern about systems that permit “overdocumenting” to occur, such as EHR technologies that auto-populate fields when using templates built into the system, and systems that generate extensive documentation based on a single click of a check box.

Best Practices

Healthcare providers can reduce the risks associated with inappropriate EHR documentation and authentication by implementing policies that integrate both billing compliance and HIPAA Security Rule standards.

Avoid Cloned Documentation

Although a copy-paste feature may enhance the efficiency of data entry, healthcare providers should be aware that documentation indicating a patient had the exact problem and symptoms, and required the exact same treatment as another patient (or the same patient had the same problem/situation on every encounter), will raise a red flag for impermissible cloned documentation in a medical record audit.

From a HIPAA security standpoint, providers should assess the extent to which their EHR technology allows for importing and exporting copied data from one patient encounter to another, and determine what controls are available to limit or track the use of this function.

From a billing compliance standpoint, train providers to understand that cloned documentation will not support medical necessity requirements for coverage of services, and may lead to recoupment or an assertion that the provider has knowingly submitted false claims. Medical record documentation policies may advise users to avoid indiscriminately copying and pasting and, in cases where data has been copied, to cite the original source of the copied-pasted data.

Avoid Masked Users and Overdocumentation

The HIPAA Security Rule requires providers to determine which individuals will be granted access to patients’ EHRs, and to assign a unique name and/or number identifying and tracking the identity of every individual who has been granted such access.

To deter documentation by a “masked” user, a provider’s HIPAA security policies should clearly prohibit any individual from logging in under another individual’s login information and prohibit individuals from sharing password information for this purpose. Providers also should ensure audit logs are enabled. Ideally, audit logs should track changes in a record by capturing data elements such as date, time, and users stamps for each update to an EHR.

Providers should consider carefully the implications of using any product that auto-creates medical record documentation. In any case where text is automatically created or pulled forward from previous entries, providers should be required to specifically review, edit, and update the information to assure it accurately reflects the services performed during the encounter.

Although the implementation of EHRs often is seen as a way to increase the efficiency and quality of the healthcare system, there is growing concern about the potential for EHR technology misuse and abuse leading to overpayments and fraudulent claims. Providers should assess the risks unique to their organizations, and explore the methods through which they can best demonstrate the accuracy of their medical record documentation.


Julie Roth is a partner in Lathrop & Gage, LLP, and represents healthcare providers on regulatory compliance, Medicare & Medicaid reimbursement issues, self-disclosure matters, government investigations, HIPAA privacy and security standards,  the Stark law, the Anti-kickback Statute, the False Claims Act, and a variety of federal and state laws.


Leave a Reply

Your email address will not be published. Required fields are marked *