Jeffrey R. Helton
An electronic health record can reduce a healthcare provider's exposure to risk posed by the fraudulent use of healthcare data, but only to the extent that the provider has established proper controls within the system.
At a Glance
- Fraud associated with electronic health records (EHRs) generally falls into two categories: inappropriate billing by healthcare providers and inappropriate access by a system's users.
- A provider's EHR system requires controls to be of any significant help in detecting such fraudulent activity, or in gathering transactional evidence should such activity be identified.
- To protect against potential EHR-related healthcare fraud, providers should follow the recommendations established in 2007 by RTI International for the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services.
Fraud in the healthcare industry is a large and growing problem, and with the expanded use of electronic media for healthcare transactions, the pace at which the problem is increasing may well pick up substantially. Faced with this growing problem, potentially exacerbated by the use of electronic health record (EHR) technology, healthcare organizations would do well to proactively seek solutions. It is possible that when used properly, EHR technology could actually serve as a layer of protection against fraudulent activity. But if implemented without proper controls, EHR systems could make it easier for bad actors to perpetrate fraud in a healthcare organization's name.
EHR technology can be used in the conduct of fraudulent actions through misuse of data captured in the EHR to prepare false claims for payment. Such actions could be committed by anyone within the provider organization who has access to the system. Conversely, the power of the EHR can be harnessed to prevent fraud through implementation of control mechanisms that protect data that could otherwise be used to perpetrate fraud, and that validate data used for legitimate provider reimbursement.
Healthcare providers that do not implement strong controls over the access to and use of EHR technology may unwittingly be subject to prosecution by authorities for a fraudulent billing action. Hence, it is critical that the EHR adopter examine both the EHR application and the associated business practices to eliminate such risks to the extent possible. By implementing appropriate controls, a provider demonstrates its honest intent in the event of a possible billing or collection error, potentially eliciting a more favorable view from investigators and prosecutors in such an event.
Although no current or recent prosecutions cite EHR technology as a contributor to a fraudulent action, the data collection is still evolving. The perpetration of a fraud entails a need (or desire) for additional money, an opportunity to defraud (through lax controls), and then the action itself. EHR technology can represent the opportunity for fraudulent action, something not always specifically cited in a prosecution action.
Fraud Risks Associated with EHR Use
Fraudulent use of EHR technology can be grouped into two broad areas of concern:
- Inappropriate billing by providers, including unbundling of services or the inaccurate description of clinical services provided to a patient during a legitimate patient encounter
- Inappropriate access by a system user resulting in modification of existing patient data to create a false claim for services.
(These areas are described in two separate reports issued by RTI International, an independent not-for-profit research institute, for the Office of the National Coordinator for Health Information Technology [ONC] of the U.S. Department of Health and Human Services [HHS] and by Kroll Fraud Solutions, a global risk consulting company, for the Health Information Management Systems Society [HIMSS].) a
Inappropriate billings. Providers may create inappropriate billings for services as a result of how the services are described using the EHR system. In the absence of any validating controls to ensure each service is correctly described in the broader context of the patient's presenting condition, medical history, and generally accepted billing protocols, erroneous data could be compiled and integrated into claims for reimbursement. In particular, the use of standardized templates in an EHR system could lead a provider to commit inadvertent errors in documentation if the provider does not thoroughly review and complete the template for each patient in every clinical encounter. Errors in documentation also can occur through use of clinical notes, where standard language and phrases are added to a clinical note through selection of menu choices in the EHR user interface.
That is not to say that such errors could never exist in a paper-based system or one using dictated notes. However, the fact that clinical documentation is intended to seamlessly feed data to a provider billing application without human intervention presents a somewhat greater risk of an error in documentation becoming an error in billing without detection.
The use of default templates, standardized notes, copy/paste, defaults forward, and import functions are additional examples of timesaving functions critical to user adoption of EHR technology. Yet, as noted in the RTI report, those benefits also open the EHR application to potential fraudulent use without proper edits, controls, or user attentiveness to the task at hand. As a result, the very functionality hoped to improve accuracy of documentation and efficiency of clinical operations could create a potential legal hazard to the provider if controls to mitigate risk are not built into the EHR application or in supporting business practices.
Inappropriate access. Inappropriate access to an EHR system poses the risk of users creating false claims for services using existing patient records to generate billings for "phantom" patient encounters. Employees who have access to EHR modules and billing modules in a provider entity could be able to enter fraudulent encounters, generate billings, and then delete documented encounter data (thereby "covering their tracks").
A basic tenet of many business processes is segregation of duties, where employees in a business have limits placed upon job functions to prevent potential misappropriation of cash and other assets. Yet according to a 2008 article by Donald W. Simborg, MD, provider offices often represent an exception to this practice: Employees of providers often may cover multiple functions, leading to increased risk from conflicting duties or password sharing ("Promoting Electronic Health Record Adoption. Is It the Correct Focus?" Journal of the American Medical Informatics Association, March-April 2008, pp. 127-129). This situation creates a fertile ground for scenarios to develop in which employees can access clinical documents, make entries to a false clinical record, and then generate a billing for payment that can be fraudulently directed to that employee's benefit. This risk could be heightened in a situation where the EHR and patient accounting functions have separate applications and vendor service contracts. b
Notwithstanding the criminal intent implied by such actions, a further complication for the provider, noted in the RTI and Kroll reports for ONC and HIMSS, respectively, arises from a potential violation of HIPAA should EHR data be shared with parties outside of the organization to generate fraudulent bills. Employees with legitimate access to EHR data could copy such data and share it with parties outside of the provider organization for use in fraudulent billing schemes. Although the provider in this case may not have perpetrated a fraud, the associated violation of HIPAA is an important risk concern. c
Recommended Risk Mitigation Steps
No fraud control effort or internal control mechanism is foolproof or capable of preventing every possible act of fraud. If employees with properly segregated duties were to collude in a fraudulent scheme, systems cannot prevent such activity. However, providers whose EHR systems include basic business controls are likely in the best position to detect fraudulent activity or to gather transactional evidence should such activity be identified.
Actions to mitigate the risks mentioned in this paper can be grouped into process-related internal controls and system-based controls. Process-based internal controls generally include the aforementioned segregation of duties, which, to paraphrase the 2008 Fraud Examiner's Manual of the Association of Certified Fraud Examiners, refers to the division of tasks among employees in a way that prevents any employee acting alone from committing an error or concealing a fraudulent act in the normal conduct of work. Under this approach, for instance, an employee who can admit a patient should not be able to process any additional transactions on a patient account and should not handle payments received on a patient account. System-based controls can enforce those process controls through assignment of specific roles to a user and preventing user transactions that are outside of assigned roles.
As a practical matter, a single provider office or small rural facility may not be in a position to hire the extra staff needed to properly separate admitting, patient record updates, and billing/collection functions. In such a circumstance, mitigating controls such as random unannounced audits by an outside party, outsourcing of billing/collection functions, or random follow-up with patients to verify encounters and services billed by the provider may be useful to deter a potential fraudulent act.
Both internal and system-based controls can be easily integrated into the control framework of an EHR installation. Specifically, user access to set up a patient record in the EHR system should be segregated from user access to make clinical entries on that patient record. To implement such controls, the provider would require an EHR application with user-specific role definitions.
RTI International in its 2007 work commissioned for HHS's ONC offered 14 recommendations that, if implemented, would ensure data accuracy and establish reasonable controls against fraud in an EHR. The recommended controls are as follows.
1. Audit functions and features. This control includes creating internal audit trails that capture types of user accesses, by user, with specifics of the time, date, and location of access.
2. Provider identification. Providers with access to enter clinical data should be discretely identified either by national provider identifier or some other unique identifier to segregate transactions in the EHR clinical history.
3. User access authorization. The EHR should include functionality to discern users and prevent unauthorized user entry by maintaining robust logon credentials with a user identification and password.
4. Documentation process issues. All encounter notes should be date/time stamped and be able to be entered by a variety of means, including keyboard entry, speech, automated defaults, copy/paste from other notes, and import from outside sources.
5. Evaluation and management (E&M) coding. The system should prompt users to validate entries that support assignment of E&M codes that would later be used in billing.
6. Proxy authorship. The identity, time/date, and content of any transactions entered on behalf of a licensed provider should be clearly documented.
7. Record modification after signature. The provider should retain "before" and "after" copies of record elements that were modified after closing of a patient encounter by the provider's electronic signature.
8. Auditor access to patient records. Payer auditors' access to the system should be limited to view-only access for review of records associated with a given patient covered by that payer.
9. EHR traceability. The provider should have the ability to affix a tracking number to any documents (electronic or paper) created from EHR data.
10. Patient involvement in antifraud. Each patient should have access to his/her own record, thereby enabling the patient to cross-check actual provider records with payer explanation of benefits information.
11. Patient-identity proofing. Data should be stored to verify the identity of patients presenting for care to eliminate risk of medical identity theft, where persons masquerade as legitimate patients to access care.
12. Structured and coded data. Clinical data should be maintained in a structured and coded fashion that allows the data to be analyzed for fraud prevention.
13. Integrity of EHR transmission. Data transmission should be permitted only using standard methods, such as Health Level 7 standards used to verify accurate transmittal of clinical data.
14. Accurate linkage of claims to clinical records. An audit trail of data from the EHR to the patient billing system should exist that can be used to verify the accuracy of clinical data supporting a claim for payment.
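As an added illustration (not part of the RTI recommendations or the original article), the sketch below reviews an audit trail of the kind described in recommendation 1 for the two patterns discussed earlier: one user crossing segregated duties on a patient account, and an encounter deleted after it was billed. The event layout, action names, and sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Duty groups, following the article's split between patient setup,
# clinical entry and billing/collection. Action names are hypothetical.
DUTY = {
    "register_patient": "registration",
    "clinical_entry": "clinical",
    "generate_bill": "billing",
    "post_payment": "billing",
}

# Constructed audit-trail sample: (timestamp, user, action, patient, encounter)
AUDIT_TRAIL = [
    ("2010-03-01T09:00", "reg01", "register_patient", "P100", None),
    ("2010-03-01T09:20", "dr_a", "clinical_entry", "P100", "E1"),
    ("2010-03-02T10:00", "bill01", "generate_bill", "P100", "E1"),
    ("2010-03-05T18:40", "clerk7", "clinical_entry", "P200", "E2"),
    ("2010-03-05T18:45", "clerk7", "generate_bill", "P200", "E2"),
    ("2010-03-05T18:50", "clerk7", "delete_encounter", "P200", "E2"),
    ("2010-03-06T11:00", "dr_a", "clinical_entry", "P300", "E3"),
    ("2010-03-06T11:30", "dr_a", "delete_encounter", "P300", "E3"),
]

def sod_violations(events):
    """Users who acted in more than one duty group on the same patient account."""
    duties = defaultdict(set)
    for _ts, user, action, patient, _enc in events:
        if action in DUTY:
            duties[(user, patient)].add(DUTY[action])
    return sorted((u, p, sorted(d)) for (u, p), d in duties.items() if len(d) > 1)

def billed_then_deleted(events):
    """Encounters whose documentation was deleted after a bill was generated."""
    billed = {}  # encounter -> (timestamp, user) of the first bill
    hits = []
    for ts, user, action, _patient, enc in sorted(events, key=lambda e: e[0]):
        if action == "generate_bill":
            billed.setdefault(enc, (ts, user))
        elif action == "delete_encounter" and enc in billed:
            hits.append({"encounter": enc, "billed_by": billed[enc][1],
                         "deleted_by": user, "deleted_at": ts})
    return hits

if __name__ == "__main__":
    for row in sod_violations(AUDIT_TRAIL):
        print("SoD conflict:", row)
    for hit in billed_then_deleted(AUDIT_TRAIL):
        print("Billed then deleted:", hit)
```

Both checks depend on deletions being logged rather than silently removing the record, which is the point of retaining audit trails and "before" and "after" copies.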
Provider organizations are not alone in the effort to combat fraud in health care. Medicare and most private insurers normally send an explanation of benefits (EOB) to a patient as an alert to a bill for services. The EOB also encourages a patient to contact the insurer if the services listed there were not provided. Through use of the EOB notification, the patient can be a valuable ally in combating fraud.
Preparing for Even Greater Risk
Healthcare fraud presents a large and growing risk to the government, insurers, and individuals in the United States. As the value of payments for healthcare services increases and the use of EHR technology expands, so too does the risk of additional fraud losses to the healthcare industry. Providers may be held accountable for innocent errors in documentation or coding just as much as they would for overt actions of fraud in our current regulatory environment. For this reason, fraud prevention actions become more important when providers implement EHR technology. There are clear steps that providers should take with both general business processes and EHR system functionality to mitigate fraud risk exposures in the healthcare provider operation.
The 2010 healthcare reform legislation raises the stakes for EHR operations even more. Much of the operational change in that legislation focuses on improving efficiency in healthcare delivery through use of accountable care organizations (ACOs). The medical home concept upon which the ACOs are based relies on EHR technology for improving exchange of medical data among ACO providers. The ACO concept should further expansion of EHR use, and with it the risk of illicit action. The increased risk calls even more for the implementation of EHR technology with proper business controls.
Jeffrey R. Helton, CHFP, CFE, is director, Healthcare and Public Sector Advisory Services, MFR, PC, Houston.
a. See RTI International, Recommended Requirements for Enhancing Data Quality in Electronic Health Records, May 2007; and Kroll Fraud Solutions, 2008 HIMSS Analytics Report: Security of Patient Data, 2008.
b. For discussions of this risk, see Revenue Cycle Management Guide, Salt Lake City, Utah: Ingenix Publishing Group, 2006; and Fraud Examiner's Manual, Austin, Texas: Association of Certified Fraud Examiners, 2008.
c. Booz Allen Hamilton, Medical Identity Theft Final Report, report prepared for ONCHIT, HHS, January 2009.
Sidebar: Fraud in Health Care: The Scope of the Problem
Healthcare services provided in the United States resulted in over $2.26 trillion in payments for more than four billion health insurance benefit claims in 2007, according to a 2008 Consumer Alert from the National Health Care Anti-Fraud Association (NHCAA).a An industry with that amount of money flowing through it is almost certain to attract the attention of unscrupulous people intent on some act of dishonesty or outright fraud. Meanwhile, the extent of controls over the evaluation of provider claims for payment is being challenged, as insurers are pressured to expedite payments and use automated payment processes (Busch, R., Healthcare Fraud: Auditing and Detection Guide, Hoboken, N.J.: John Wiley & Sons, Inc; 2008). This situation could lead to an increased likelihood of fraudulent claims going undetected.
Although estimates vary as to the extent of fraudulent activity in the healthcare industry, the very size of the industry itself suggests that the risks of loss to fraud are significant. The NHCAA's Consumer Alert also presented a "conservative estimate" that 3 percent of all healthcare spending (an amount totaling $68 billion) was diverted to fraudulent ends.
In 2008, the Association of Certified Fraud Examiners (ACFE) presented some collected quantitative estimates of the value of fraudulent activity in health care:
- About $133 billion, or 7 percent of all payments governed by the Centers for Medicare & Medicaid Services (CMS), were disbursed improperly due to the filing of illegitimate claims (CMS estimate).
- An estimated $50 billion (10 percent) of payments made by the Blue Cross and Blue Shield (BCBS) associations were fraudulent payments (BCBS estimate).
- $100 billion in other private insurer or patient payments (20 percent of that payment population) were for some form of improper billing (NHCAA estimate).
Despite the extent of this fraudulent activity, however, healthcare provider awareness of the risk posed by fraud is perhaps less than it should be. A recent survey conducted for the Health Information and Management Systems Society indicated a higher degree of provider and provider staff awareness of and attention to risks associated with a violation of the Health Insurance Portability and Accountability Act than to the risks of a fraudulent act.b
Healthcare provider organizations face a variety of different types of fraud risk:c
- Patient fraud: insured patients submitting false claims for reimbursement or allowing others to use benefits for payment for services
- Provider employee fraud: employees of provider organizations using data obtained through employment to fraudulently obtain payments from insurers
- Provider billing fraud: providers submitting claims for services not actually provided, including falsifying data submitted as a part of a claim for payment
- Payer fraud: insurance plan administrators modifying submitted claim data and applying incorrect payment amounts to fraudulently altered claims
Despite the extent of this risk, however, it is important to note that not all payments for healthcare services that are made in error are a result of fraud. Payment errors can arise simply from mistakes in coding or description of services, data errors, or user confusion over appropriate coding procedures to apply. But the current regulatory environment essentially presumes guilt by a provider for submittal of a false claim for payment.d Today, that presumption is significant enough that even the identification of a pattern of billing errors or inaccurate claims may be considered an action subject to prosecution by authorities.e
a. "The Problem of Health Care Fraud," accessible as of May 26, 2010, in the NHCAA Anti-Fraud Resource Center at www.nhcaa.org.
b. Kroll Fraud Solutions, 2008 HIMSS Analytics Report: Security of Patient Data, Health Information Management Systems Society, 2008.
c. See Busch, R., Healthcare Fraud: Auditing and Detection Guide, Hoboken, N.J.: John Wiley & Sons, Inc., 2008; and RTI International, Recommended Requirements for Enhancing Data Quality in Electronic Health Records, Report prepared for the Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services (HHS), May 2007.
d. HHS, Office of Inspector General, "OIG Compliance Program Guidance for Hospitals," Federal Register, Feb. 23, 1998, pp. 8987-8998, and "OIG Supplemental Compliance Program Guidance for Hospitals," Federal Register, 70:19, Jan. 31, 2005, pp. 4858-4876.
e. "E-records May End Fraud," The Information Management Journal, January-February 2006, p. 16.
Publication Date: Thursday, July 01, 2010