Feds Must Prioritize EHR Billing Fraud, Watchdogs Say
Medicare agency should provide better guidance to contractors on how to spot billing fraud, Inspector General says.
8 Healthcare Startups Catch Fire
(click image for larger view and for slideshow)
The Centers for Medicare and Medicaid Services (CMS) and its contractors are doing a poor job of preventing billing fraud facilitated by EHRs, said the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) in a new report. The OIG recommended that CMS provide better guidance to Medicare carriers and auditors and that it direct its contractors to use EHR audit logs to help detect fraud.
The report is the latest salvo in a long-running dispute over whether physicians and hospitals are inflating Medicare bills by using EHRs to generate documentation that supports higher coding levels. The publication of evidence indicating that some providers are doing this prompted HHS Secretary Kathleen Sebelius and Attorney General Eric Holder to issue a sharp warning letter to healthcare organizations in September 2012.
"The transition from paper records to EHRs may present new vulnerabilities and require CMS and its contractors to adjust their techniques for identifying improper payments and investigating fraud," the OIG report said. But to date, the HHS watchdog office said, little of this has occurred.
According to an OIG survey, just two of eight Medicare Administrative Contractors (MACs), which process Medicare claims, said they conduct additional reviews of EHR documentation beyond what they do for paper records; just one carrier looked at EHR audit logs, which show when and by whom records were created and altered. None of the four surveyed Recovery Audit Contractors (RACs) conducted additional reviews and just one used audit log data. Of the six Zone Program Integrity Contractors (ZPICs) polled, two conducted additional reviews and one used audit logs.
About half of the contractors said they could identify copied language, and most said they could identify overdocumentation. These are EHR features that lend themselves to fraud, the OIG report said. Copied language, also known as "copy-paste" or "cloning," enables providers to inflate their charges by copying documentation from previous notes into current notes. Overdocumentation, as described in the report, refers to "the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services."
The report showed that, while CMS provided guidance to most MACs and RACs on electronic signatures, it supplied little training in other EHR-related areas. In a letter to OIG, CMS agreed that it could give better guidance to contractors to prevent EHR-related fraud and abuse. It also concurred that audit logs should be used more frequently, but said that the use of audit logs "may not be appropriate in every circumstance" and requires special training of reviewers.
Comments from the field Jason Mitchell, MD, director of the Center for Health IT at the American Academy of Family Physicians (AAFP), told InformationWeek Healthcare that there's nothing inherently wrong with copying portions of previous notes into current notes. In fact, it can be beneficial if it eliminates the need for physicians to reenter every element of a note from scratch and to re-interview patients again and again about their medical histories. However, he said, "there is a responsibility to make sure the information is accurate and appropriate."
Mitchell doesn't deny that physicians have submitted an increased number of level 4 evaluation and management (E&M) codes since the advent of EHRs. But he said it is not clear that this is because of "upcoding," which would constitute billing fraud. In the past, he said, many primary care physicians undercoded because it was too much work to create the documentation to justify the appropriate codes. EHRs have made it easier to document the work they do so they can code more appropriately.
The use of audit logs is problematic in a couple of respects, Mitchell said. First, the logs are very detailed, and auditors would require specially refined software to enable auditors to review them. Second, he noted, audit logs may show that records were altered after they were created, but that isn't necessarily wrong.
"Going back into records and correcting them when an error is found isn't fraud," he said. "It's essential to correct records so that errors don't propagate through," especially in a "connected data" environment where the data is flowing elsewhere.
Mitchell also noted that EHR systems may be poorly designed or implemented, requiring doctors to copy and paste an entire section of a record or the whole note, rather than just the relevant component.
Nancy Enos, a certified coder and principal of Enos Medical Coding, concurred with Mitchell on that point. But she said audit logs could be "very useful in terms of patterns and trends to detect where education is needed or where action is needed because there seems to be fraud going on."
Even where physicians are not committing fraud, she pointed out, they often rely too much on cutting and pasting. "It can become a bad habit, where they're copying information that's not relevant to the current encounter."
Regardless of whether it's copy-paste or documentation that uses automated templates to insert parts of a note, she said, "clinicians need to be trained to edit and to add remarks to personalize the note to the patient for that day. Otherwise, they come across as canned notes."
Last year, CMS did a study that compared the content of physician notes for the same patients for several visits on different dates. In some cases, she said, the notes were identical.
Is that proof of intention to commit fraud? "It's impossible for a record to be valid if it contains a full review of systems and a full physical exam on a patient who comes in for a bloody nose," she replied.
InformationWeek Conference is an exclusive two-day event taking place at Interop where you will join fellow technology leaders and CIOs for a packed schedule with learning, information sharing, professional networking, and celebration. Come learn from each other and honor the nation's leading digital businesses at our InformationWeek Elite 100 Awards Ceremony and Gala. You can find out more information and register here. In Las Vegas, March 31 to April 1, 2014.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.