Vulnerabilities in EHRs

The HHS Office of the Inspector General on January 7 released the report “CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs”. The report found that certain EHR technology features may be used to mask true authorship of the medical record and distort information to inflate healthcare claims.

The report found that CMS and its contractors have not changed their program integrity strategies in light of EHR adoption and are not reviewing EHRs differently from paper medical records. Also, not all contractors are able to determine whether providers have copied language or overdocumented a medical record.

The report makes two recommendations. First, CMS should provide guidance to its contractors on detecting fraud associated with EHRs and should address EHR documentation and electronic signatures in EHRs.

Secondly, CMS should direct its contractors to use providers’ audit logs. Audit log data can distinguish EHRs from paper medical records and may be valuable to CMS contractors when reviewing medical records. CMS is in agreement with the first recommendation and partially in agreement with the second recommendation.

During a podcast held January 8, Joyce Greenleaf, Regional Inspector General for the Office of Evaluation and Inspections in Boston, discussed healthcare fraud safeguards as they involve EHRs with Program Analyst Danielle Fletcher.

According to Fletcher, HHS contracted with RTI International to come up with recommendations to strengthen fraud protections in EHRs. Although it was found that hospitals captured most of the recommended data and stored their audit logs according to RTI recommendations, problems still exist.

Nearly half of the hospitals reported that they could delete audit logs and a third of the hospitals reported that they could disable their audit logs. Deleting or disabling audit logs makes it harder to prevent and detect fraud. Secondly, most hospitals didn’t analyze audit logs with the intent to identify duplicate and fraudulent claims or to determine inflated billing.

Although hospitals are doing well with recommended user authorization practices and data transfer standards, fewer than half of the hospitals said they allowed patients to view their EHRs, so patients aren’t able to flag mistakes or fraudulent activity. Another problem is that although RTI acknowledges the potential for misuse of copy-paste, only a quarter of hospitals report having policies governing the use of copy-paste.

To view the report (OEI-01-11-00571) go to and go to to view the podcast.
