OIG Wants Medicare to Probe EHR Audit Logs for Fraud

January 09, 2014

For the sake of detecting fraud, private companies that process or investigate Medicare claims on behalf of the government should examine the audit logs of electronic health record (EHR) systems to see who did what and when to the chart, a federal watchdog agency announced yesterday.

This recommendation from the Office of Inspector General (OIG) of the US Department of Health and Human Services (HHS) is the latest in a series of government moves to prevent physicians and hospitals from misusing EHRs in various ways to commit fraud.

One method, called cloning, is copying information on a wholesale basis from a previous patient encounter and pasting it into the note for the latest one. If the cloned information — which also can come from another patient's record — is not edited and updated for accuracy, it may help a provider justify a higher fee than warranted.

A similar EHR trick is overdocumentation, which means padding a patient's record with false or irrelevant information to give the impression that a higher-level, higher-paying service has been rendered. For example, a physician might overdocument to bump up an evaluation and management service from a level 3 to a level 4. The OIG said that in some EHRs, clicking a checkbox can automatically insert big chunks of text that, if unedited, may suggest a physician did more work in the exam room than what actually occurred.

The OIG also expressed concern that Medicare scammers can use certain EHR features to "mask" who exactly entered data into the record.

In a report issued last month on hospital EHRs and their vulnerability to fraud, the OIG recommended that the Centers for Medicare and Medicaid Services (CMS) regulate the technology's copy-and-paste function. CMS said it would do so. In addition, the OIG said that an EHR's audit log should never be disabled as long as someone is using it to view or update a patient chart.

What an Audit Trail Reveals

An audit log is a record of how information is entered, revised, or deleted in an EHR. In its program to reward physicians for "meaningful use" of EHRs, HHS specifies what an audit log should do in software it deems acceptable. According to the government's 2014 standards for meaningful use, an EHR's audit log must:

  • capture the date and time of a change or use of the record;

  • identify the patient;

  • identify the EHR user;

  • identify the type of action, such as printing or copying data, submitting data queries, or entering, revising, or deleting data; and

  • identify the patient data being accessed.

The OIG said in its December report that only 44% of the hospitals it studied have EHRs that record the method of data entry, whether it is copy-and-paste, voice recognition, or keyboarding, in their audit logs. This audit capability is one of many recommended by a private research firm that HHS hired to tighten its defenses against high-tech fraud. However, federal certification criteria for EHRs "do not specifically address this requirement," the OIG said.

In the report issued yesterday, the OIG said most private contractors that help CMS operate the Medicare program do not avail themselves of EHR audit logs when they review claims from physicians and hospitals. Those contractors fall into 3 categories: Medicare Administrative Contractors, typically private health insurers, process and pay claims; Zone Program Integrity Contractors detect and deter Medicare fraud; and Recovery Audit Contractors focus on ferreting out and recouping improper payments.

The blind eye turned toward audit logs, the OIG report stated, is just a single example of how CMS and its contractors treat EHRs as paper records in their efforts to identify and investigate scams. The OIG recommended that CMS direct its various contractors to dig into the audit data. It also advised CMS to give contractors more guidance in general on spotting EHR-enabled fraud.

In a reply incorporated in the OIG report, CMS said it concurred with the recommendation to bring its contractors up to speed on EHR fraud, noting it had already decided to develop guidelines on electronic copying and pasting. CMS only partly bought into the idea of telling contractors to crack open EHR audit logs, however. Although audit logs are "one of several important tools" in double-checking EHR data, CMS said, their use may not always be appropriate in claim review and investigation.

The OIG report is available on the agency's Web site.

