The article is about federal efforts to reduce the amount of clinician cut-and-paste from prior notes of a patient - which can even be done between charts of different patients. This practice can result in overbilling for work not actually performed. The practice can also result in no-longer-accurate data being carried forward; I have been consultant to cases where that phenomenon, in my opinion, contributed to grave patient injury in cases that have settled out of court.
It is at this link: http://www.modernhealthcare.com/article/20131210/NEWS/312109965/feds-eye-crackdown-on-cut-and-paste-ehr-fraud?utm_source=articlelink&utm_medium=website&utm_campaign=TodaysHeadlines#
Subscription required, but googling the article title may allow reading it in its entirety.
The article begins:
Federal officials say the cut-and-paste features common to electronic health records invite fraudulent use of duplicated clinical notes and that there is a need to clamp down on the emerging threat. That concern is enhanced by the fact that it's too easy to turn off features of EHR systems that allow tracking of sloppy or fraudulent records.
In an audit report released Tuesday morning (PDF), [HHS Office of Inspector General, "NOT ALL RECOMMENDED FRAUD SAFEGUARDS HAVE BEEN IMPLEMENTED IN HOSPITAL EHR TECHNOLOGY"], HHS agencies confirmed that they are developing comprehensive plans to deter fraud and abuse involving EHRs, including guidelines for cut-and-paste features. The issue arises at a time when critics say federally subsidized digital patient record systems are sometimes being used inappropriately by providers to drive up reimbursement.
“Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud,” according a report from HHS' Office of the Inspector General.
None of this is a surprise to me, and to readers of this blog.
However, the real "money quote" in the article, I believe, is this:
"In addition, only 44% of hospitals' “audit log” systems could record whether cut-and-paste was used to enter data, and an identical percentage of hospitals reported [to OIG] that they can delete the contents of their internal audit logs whenever they'd like."
From page 11 of the HHS OIG Report linked above (http://www.modernhealthcare.com/assets/pdf/CH92135129.PDF):
[In 2006, ONC contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology.]
... Hospitals' control over audit logs may be at odds with their RTI- recommended use as fraud safeguards:
RTI recommends that EHR users not be allowed to delete the contents of their audit log so that data are always available for fraud detection, yet nearly half of hospitals (44 percent) reported that they can delete their audit logs. Although these hospitals reported that they limit the ability to delete the audit log to certain EHR users, such as system administrators, one EHR vendor noted that any software programmer could delete the audit log.
RTI recommends that the ability to disable the audit log be limited to certain individuals, such as system administrators, and that EHR users, such as doctors and nurses, be prevented from editing the contents of the audit log because these actions can compromise the audit log's effectiveness. Hospitals reported they have the ability to disable (33 percent) and edit (11 percent) their audit logs, although they reported restricting those abilities to certain EHR users, such as system administrators or EHR vendors. All four EHR vendors we spoke with reported that the audit logs cannot be disabled in their products, but one vendor again noted that a programmer could disable the audit log.
I further note that, being voluntarily provided, i.e., not part of a formal investigation of any specific organization, those numbers are likely low, perhaps very low considering this issue.
An audit log or audit trail is an automatically-generated dataset, invisible to most users, containing items such as who viewed records, the date/time/location of viewing, and indication of actions they may have performed on the records such as editing/changes/additions/deletions, etc.
As an EHR itself is a collection of magnetized or optically encoded bits on some computer storage medium, it cannot be authenticated as complete and free from alteration by humans.
The audit trail is the only way to authenticate an EHR printout, however (as well as EHR screenshots or any other electronic data turned into a tangible form from those bits) as complete and free from alteration.
If an EHR printout cannot be authenticated as complete and free from alteration, its trustworthiness and perhaps even court admissibility as a business record under an exception to the hearsay rules regarding evidence may be damaged or invalidated.
My concern is that, if true, and considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to "delete the contents of their internal audit logs whenever they'd like" and to edit audit trails (which based on the capabilities of relational databases also implies an ability to delete sections of audit logs selectively and/or to substitute false data) is simply alarming.
I don't think the EHR pioneers intended EHRs to be used for purposes of allowing evidence spoliation without traceability ...
-- SS
Dec. 13, 2013 Addendum:
I received the following reply from EHR compliance expert Dr. Reed D. Gelzer. Re-posted with permission:
Good morning Dr Silverstein,
Thank you yet again for the illumination that you bring to matters of truth in Healthcare Information Technology.
Regarding the OIG report’s source document, the 2007 report to the ONC, I was the Fraud Prevention Workgroup Chair for that project, working under Principal Investigators Dr. Don Simborg and Susan Hanson, former Chair of AHIMA.
For anyone who is interested in this subject matter, I would recommend that you go to the source document and, among other things, review the list of contributors. These were all individuals who volunteered time to attempt to mitigate harms of defective HIT, in their capacities of records management systems, nearly 8 years ago now. Many have gone on into leadership roles in related organizations and domains, some still working towards trustworthy health information technology systems.
I believe that I can say that none of those working on the report then would have believed that it was conceivable that even our most basic recommendations regarding the fitness of audit functions would remain "novel" in the industry in 2013. One cannot be surprised at the low level of authenticity supports in hospitals’ EHRs systems given that fitness as record management systems for patient care has, to date, been either neglected or presumed, not tested or attested. I am gratified that our 2007 work was utilized for the OIG report to illuminate the deplorable state of integrity supports in these patient care information systems. This will undoubtedly spur interest in supportive resources such as the HL7 EHR System Functional Model Standard and the HL7 Records Management and Evidentiary Support Profile Standard.
All of us who worked on that ONC report are, I hope, as gratified as I am that the OIG removed our work product from its designated obscurity. We developed the guidelines via methods that were more qualitative than quantitative, entirely intended to guide initial implementation backed by more methodical research. We represented the most informed at that time, including those like myself and my ADIC associate Patricia Trites who had performed compliance testing on over 30 among the leading EHRs at the time and found extraordinary ranges of deficiencies, including audit functions that could be disabled at will. Standards and tools existed then to support mitigation of risks and those Standards and tools have expanded since. Now that the events and ONC decisions that led to inactions on the report are now in the past, we can more rapidly achieve the potentials nascent in HIT by rendering it more trustworthy, usable, and safe.
Thank you again for your ongoing vigilance.
Sincerely,
Reed D. Gelzer, MD, MPH, CHCC
Trustworthy EHR, LLC
Co-Facilitator, HL7 Records Management and Evidentiary Support Workgroup
To this I add that I also would not have found it conceivable that my concerns about bad health IT and the risks of patient harm it poses, as well as common healthcare IT project mismanagement, of which I started writing about in 1998 (http://cci.drexel.edu/faculty/ssilverstein/cases/) would remain "novel" ideas in the industry in 2013.
The Obamacare healthcare exchange website debacle has made the latter issue mainstream. The former issues still need more sunlight.
-- SS
