This past Spring, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) again identified EHR-related fraud as a problem area. Particularly in light of the OIG’s continued focus on this issue, providers would be well-advised to work on strategies to mitigate the risk of EHR fraud.

In 2014, OIG issued a report highlighting two examples of EHR documentation practices that could be used to commit fraud: (1) copy-pasting and (2) over-documentation. Copy-pasting enables practitioners to select information from one source and duplicate it in another location. Fraud can occur when practitioners inappropriately copy-paste one patient’s information into another patient’s records to inflate claims. Similarly, overdocumentation occurs when practitioners include false or irrelevant documentation to support billing for higher level services. In addition, because some EHR systems auto-populate fields when using templates or create extensive documentation after a single click of a checkbox, the medical record can be become inaccurate if kept unedited.

The OIG’s 2014 report found that CMS and its contractors had not adjusted their practices to address new risks of fraud arising from the transition from paper records to EHRs. The OIG recommended two ways CMS could better identify and investigate EHR fraud. First, the CMS should provide guidance to its contractors on detecting fraud associated with EHRs. Second, the CMS should direct its contractors to use audit logs, which help authenticate medical records.

In its 2015 Compendium of Unimplemented Recommendations, the OIG revisited its concerns about EHR-facilitated fraud. The OIG identified CMS’s failure to “address fraud vulnerabilities in electronic health records” as one of the OIG’s top 25 unimplemented recommendations. The OIG reiterated its recommendations that CMS should develop guidance on the use of the copy-paste feature and that audit logs should be used.

In its 2016 Compendium of Unimplemented Regulations, issued this past Spring, the OIG again identified the EHR program as a top challenge.  The OIG recommends that CMS collaborate with the Office of the National Coordinator for Health Information Technology (ONC) to “develop a comprehensive plan to address fraud vulnerabilities in electronic health records.”

In addition to publicly repeating its concern about EHRs for three years running, the OIG has pursued actions against providers for EHR fraud. OIG’s continued focus on this issue highlights the importance for eligible professionals and hospitals to develop strategies to mitigate the risk of EHR fraud.

* This post was co-authored by Pooja Shah, who is a law student at the American University Washington College of Law.