EHR Audit Trails – OIG Encourages Contractors to Dig Deeper

Written by Jana Weis, MA CPC

By now, most of the medical industry has made the transition to electronic health records (EHR) to store patient health information.  Most platforms have a multitude of options to contain information through tabs, templates, and working documents. Although this may create a better means of sharing and cataloging data, it also enables new functionality that that changes the role of traditional auditing.  Back in January 2014, Inspector General Daniel Levinson conducted a study to understand contractor audit practices relating to identification of improper billing practices and billing fraud (see EXECUTIVE SUMMARY: CMS AND ITS CONTRACTORS HAVE ADOPTED FEW PROGRAM INTEGRITY PRACTICES TO ADDRESS VULNERABILITIES IN EHRSOEI-01-11-00571).  The results were somewhat surprising given the technologic capabilities of the government and the push for meaningful use compliance across the US.  Bottom line, the OIG concluded that CMS contractors have adopted few practices to address EHR vulnerabilities.

Although CMS uses ‘data mining’ to identify trends and outliers thus issuing investigational audits, most contractors review live information no different than a paper chart.  Authentication practices were at the top of the OIG’ executive summary regarding these challenges.  CMS started issuing guidelines for acceptable EHR authorship back in 2008 yet according to the study, contractors continue to treat the stand alone record for ‘face value’.  No different than a paper record, distinguishing authorship can be reviewer specific and up to the contractor to decipher its authenticity.  As the study pointed out, EHR’s have backside ‘audit logs’ that not only capture time of service but also includes user login/out, and identifies those who might add or modify information.  Our findings often times show that record ‘output’ (e.g. progress notes) frequently only tell part of the story of who documented.  Not only is the information critical for validating authentication, its also reveals a deeper level of questioning to include ‘scope of practice’ for ancillary providers.

Copy-pasting or cloning was another significant documentation practice that CMS neglected to analyze.  This practice is all but prolific with the ease of EHR functions.  Although certain areas of a medical record are routinely looked at each visit, other parts of the record (interval history, exam, assessment/plan) should be unique to a patient visit and help support the medical necessity/payment for the service.  Further, copy/pasting data accuracy is another vulnerability both within the same record and across un-associated patient charts.

The OIG concluded with two recommendations that can translate to ‘self audits’.  First, using the audit log capability to validate authentication of users.  If this is an area of your EHR that isn’t turned on or reviewed by compliance, talk to your vendor about training, and use this as a tool for provider education.  Second, CMS was encouraged to provide better guidance to its contractors to detect and understand how to recognize trends such as copy-pasting.  Again, compliance departments should not only be reviewing stand alone records to ensure proper documentation and billing, but also pulling patient information over spans of time to analyze the impact of templating and accurate ‘interval’ information.