Have you ever used the copy/paste function on your computer when composing an email, or writing a letter, or drafting a policy? Of course, we all have!
What if you learned that your medical staff was using that function in the electronic health record (EHR) system to document patient encounters? Or, what if they were inserting false or irrelevant documentation into the record to inflate services to support billing for higher level services? Do they use templates that pre-populate fields that may lead to inaccurate notes? Does your facility have any safeguards in place to manage potential fraud?
Office of the Inspector General Report Findings
The Office of the Inspector General (OIG) for the Department of Health and Human Services recently released a report critical of hospitals’ efforts to control practices that could be used to commit fraud. The annual cost of health care fraud is between $75 billion and $250 billion, based on CMS estimates of total health care expenditures in 2009. The OIG found that nearly all hospitals with EHR technology had audit functions in place, but only one quarter of hospitals had policies that addressed the use of the copy-paste feature (also known as cloning).
Copy/Paste Isn't Always a Bad Thing...
The use of the copy/paste function can certainly save health care providers time when used properly. Some parts of the medical record may not change from encounter to encounter, such as medical history or medications. Misuse can have an impact on patient safety and quality of care (cloned information misstates a patient’s medical history, dose of medication, or a lab result.
...But, It Could Result in Medicare Denials
In fact, one Medicare contractor, National Government Services, issued an advisory in August 2012 which warned that cloned documentation could result in Medicare denials for payment.
“Whether the documentation was the result of an Electronic Health Record, or the use of a pre-printed template, or handwritten documentation, cloned documentation will be considered misrepresentation of the medical necessity requirement for coverage of services due to the lack of specific individual information for each unique patient. Identification of this type of documentation will lead to denial of services for lack of medical necessity and the recoupment of all overpayments made.”
4 Recommendations to Improve Data Protection
The OIG report details several recommendations to enhance data protection that would reduce fraud and data inaccuracies.
- Don’t Let Your Audit Logs Sit Unanalyzed
Most hospitals reported they analyze audit log data; 46% reported monthly analysis, 26% on an as-needed basis. But, audits were limited to focusing on privacy, such as detecting unauthorized viewing of EHR. Most hospitals cited limited human resources, a lack of vendor-provided user guides, inadequate training, and the inability to interpret audit log data. It is vital that the logs track access and usage and that the logs are analyzed on a regular basis.
- Require That Any Updates to an EHR Be Documented and Tracked
This includes tracking the methods used such as copy/paste, direct entry, import, and tracks the user ID of the original author when an EHR update is entered on behalf of another author (i.e., distinguish between entries made by an assistant and a provider).
- Allow Auditor Access to Patient Records
Conducting periodic reviews of patient records can identify instances of inappropriate copying/pasting that may adversely impact patient care, spread false information, or lengthen progress notes needlessly.
- Consider Hiring a Third-party to Manage Your Audits
Soyring Consulting, for example, can assist you in developing policies and conducting audits that address the use of copy/paste functions in your electronic health records. By combining experience, proven knowledge, and time-tested skills, we work with your team to create targeted opportunities, along with the plan and achievable goals to reach them.
Contact our team today to learn more »
 DHHS, Office of the Inspector General, Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology. December 2013