Author: Helton, Jeffrey R
Date published: July 1, 2010
Fraud in the healthcare industry is a large and growing problem, and with the expanded use of electronic media for healthcare transactions, the pace at which the problem is increasing may well pick up substantially. Faced with this growing problem, potentially exacerbated by the use of electronic health record (EHR) technology, healthcare organizations would do well to proactively seek solutions. It is possible that when used properly, EHR technology could actually serve as a layer of protection against fraudulent activity. But if implemented without proper controls, EHR systems could make it easier for bad actors to perpetrate fraud in a healthcare organization's name.
EHR technology can be used in the conduct of fraudulent actions through misuse of data captured in the EHR to prepare false claims for payment. Such actions could be committed by anyone within the provider organization who has access to the system. Conversely, the power of the EHR can be harnessed to prevent fraud through implementation of control mechanisms that protect data that could otherwise be used to perpetrate fraud, and that validate data used for legitimate provider reimbursement.
Healthcare providers that do not implement strong controls over the access to and use of EHR technology may unwittingly be subject to prosecution by authorities for a fraudulent billing action. Hence, it is critical that the EHR adopter examine both the EHR application and the associated business practices to eliminate such risks to the extent possible. By implementing appropriate controls, a provider demonstrates its honest intent in the event of a possible billing or collection error- potentially eliciting a more favorable view from investigators and prosecutors in such an event.
Although no current or recent prosecutions cite EHR technology as a contributor to a fraudulent action, the data collection is still evolving. The perpetration of a fraud entails a need (or desire) for additional money, an opportunity to defraud (through lax controls), and then the action itself. EHR technology can represent the opportunity for fraudulent action- something not always specificaUy cited in a prosecution action.
Fraud Risks Associated with EHR Use
Fraudulent use of EHR technology can be grouped into two broad areas of concern:
* Inappropriate billing by providers, including unbundling of services or the inaccurate description of clinical services provided to a patient during a legitimate patient encounter
* Inappropriate access by a system user resulting in modification of existing patient data to create a false claim for services.
(These areas are described in two separate reports issued by RTI International, an independent not-for-profit research institute, for the Office of the National Coordinator for Health Information Technology [ONC] of the U.S. Department of Health and Human Services [HHS] and by Kroll Fraud Solutions, a global risk consulting company, for the Health Information Management Systems Society [HIMSS].) a
Inappropriate billings. Providers may create inappropriate billings for services as a result of how the services are described using the EHR system. In the absence of any validating controls to ensure each service is correctly described in the broader context of the patient's presenting condition, medical history, and generally accepted billing protocols, erroneous data could be compiled and integrated into claims for reimbursement. In particular, the use of standardized templates in an EHR system could lead a provider to commit inadvertent errors in documentation if the provider does not thoroughly review and complete the template for each patient in every clinical encounter. Errors in documentation also can occur through use of clinical notes, where standard language and phrases are added to a clinical note through selection of menu choices in the EHR user interface.
That is not to say that such errors could never exist in a paper-based system or one using dictated notes. However, the fact that clinical documentation is intended to seamlessly feed data to a provider billing application without human intervention presents a somewhat greater risk of an error in documentation becoming an error in billing without detection.
The use of default templates, standardized notes, copy/paste, defaults forward, and import functions are additional examples of timesaving functions critical to user adoption of EHR technology. Yet, as noted in the RTI report, those benefits also open the EHR application to potential fraudulent use without proper edits, controls, or user attentiveness to the task at hand. As a result, the very functionality hoped to improve accuracy of documentation and efficiency of clinical operations could create a potential legal hazard to the provider if controls to mitigate risk are not built into the EHR application or in supporting business practices.
Inappropriate access. Inappropriate access to an EHR system poses the risk of users creating false claims for services using existing patient records to generate billings for "phantom" patient encounters. Employees who have access to EHR modules and billing modules in a provider entity could be able to enter fraudulent encounters, generate billings, and then delete documented encounter data (thereby "covering their tracks").
A basic tenet of many business processes is one of segregation of duties where employees in a business have limits placed up on job functions to prevent potential misappropriation of cash and other assets. Yet according to a 3008 article by Donald W. Simborg, MD, provider offices often represent an exception to this practice: Employees of providers often may cover multiple functions, leading to increased risk from conflicting duties or password sharing ("Promoting Electronic Health Record Adoption. Is It the Correct Focus?" Journal of the American Medical Informatics Association, March-April ?oo8, pp. 137- 139.) This situation creates a fertile ground for scenarios to develop in which employees can access clinical documents, make entries to a false clinical record, and then generate a billing for payment that can be fraudulently directed to that employee's benefit. This risk could be heightened in a situation where the EHR and patient accounting functions have separate applications and vendor service contracts. b
Notwithstanding the criminal intent inferred by such actions, a further complication for the provider- noted in the RTI and Kroll reports for ONC and HIMSS, respectively- arises from a potential violation of HIPAA should EHR data be shared with parties outside of the organization to generate fraudulent bills. Employees with legitimate access to EHR data could copy such data and share it with parties outside of the provider organization for use in fraudulent billing schemes. Although the provider in this case may not have perpetrated a fraud, the associated violation of HIPAA is an important risk concern.c
Recommended Risk Mitigation Steps
No fraud control effort or internal control mechanism is foolproof or capable of preventing every possible act of fraud. If employees with properly segregated duties were to collude in a fraudulent scheme, systems cannot prevent such activity. However, providers whose EHR systems include basic business controls are likely in the best position to detect fraudulent activity or to gather transactional evidence should such activity be identified.
Actions to mitigate the risks mentioned in this paper can be grouped into process-related internal controls and system-based controls. Processbased internal controls generally include the aforementioned segregation of duties, which- to paraphrase 3008 Fraud Examiner's Manual of the Association of Certified Fraud Examiners- refers to the division of tasks among employees in a way that prevents any employee acting alone from committing an error or concealing a fraudulent act in the normal conduct of work. Under this approach, for instance, an employee who can admit a patient should not be able to process any additional transactions on a patient account and should not handle payments received on a patient account. System-based controls can enforce those process controls through assignment of specific roles to a user and preventing user transactions that are outside of assigned roles.
As a practical matter, a single provider office or small rural facility may not be in a position to hire the extra staff needed to properly separate admitting, patient record updates, and billing/ collection functions. In such a circumstance, mitigating controls such as random unannounced audits by an outside party, outsourcing of billing/ collection functions, or random follow-up with patients to verify encounters and services billed by the provider may be useful to deter a potential fraudulent act.
Both internal and system-based controls can be easily integrated into the control framework of an EHR installation. Specifically, user access to set up a patient record in the EHR system should be segregated from user access to make clinical entries on that patient record. To implement such controls, the provider would require an EHR application with user-specific role definitions.
RTI International in its 3007 work commissioned for HHS's ONC offered 14 recommendations that, if implemented, would ensure data accuracy and establish reasonable controls against fraud in an EHR. The recommended controls are as follows.
1. Audit (unctions and features. This control includes creating internal audit trails that capture types of user accesses, by user, with specifics of the time, date, and location of access.
2. Provider identification. Providers with access to enter clinical data should be discretely identified either by national provider identifier or some other unique identifier to segregate transactions in the EHR clinical history.
3. User access authorization. The EHR should include functionality to discern users and prevent unauthorized user entry by maintaining robust logon credentials with a user identification and password.
4. Documentation process issues. All encounter notes should be date/time stamped and be able to be entered by a variety of means, including keyboard entry, speech, automated defaults, copy/paste from other notes, and import from outside sources.
5. Evaluation and management (E&M) coding. The system should prompt users to validate entries that support assignment of E&M codes that would later be used in billing.
6. Proxy authorship. The identity, time/date, and content of any transactions entered on behalf of a licensed provider should be clearly documented.
7. Record modification after signature. The provider should retain "before" and "after" copies of record elements that were modified after closing of a patient encounter by the provider's electronic signature.
8. Auditor access to patient records. Payer auditors' access to the system should be limited to viewonly access for review of records associated with a given patient covered by that payer.
9. EHR traceability. The provider should have the ability to affix a tracking number to any documents (electronic or paper) created from EHR data.
10. Patient involvement in antifraud. Each patient should have access to his/her own record, thereby enable the patient to cross-check actual provider records with payer explanation of benefits information.
11. Patient-identity proofing. Data should be stored to verify the identity of patients presenting for care to eliminate risk of medical identity theft, where persons masquerade as legitimate patients to access care.
12. Structured and coded data. Clinical data should be maintained in a structured and coded fashion that allows the data to be analyzed for fraud prevention.
13. Integrity of EHR transmission. Data transmission should be permitted only using standard methods, such Health Level 7 standards used to verify accurate transmittal of clinical data.
14. Accurate linkage of claims to clinical records. An audit trail of data from the EHR to the patient billing system should exist that can be used to verify the accuracy of clinical data supporting a claim for payment.
Provider organizations are not alone in the effort to combat fraud in health care. Medicare and most private insurers normally send an explanation of benefits (EOB) to a patient as an alert to a bill for services. The EOB also encourages a patient to contact the insurer if the services listed there were not provided. Through use of the EOB notification, the patient can be a valuable ally in combating fraud.
Preparing for Even Greater Risk
Healthcare fraud presents a large and growing risk to the government, insurers, and individuals in the United States. As the value of payments for healthcare services increases and the use of EHB technology expands, so too does the risk of additional fraud losses to the healthcare industry. Providers may be held accountable for innocent errors in documentation or coding just as much as they would for overt actions of fraud in our current regulatory environment. For this reason, fraud prevention actions become more important when providers implement EHB technology. There are clear steps that providers should take with both general business processes and EHB system functionality to mitigate fraud risk exposures in the healthcare provider operation.
The 3010 healthcare reform legislation raises the stakes for EHB operations even more. Much of the operational change in that legislation focuses on improving efficiency in healthcare delivery through use of accountable care organizations (ACOs) . The medical home concept upon which the ACOs are based relies on EHB technology for improving exchange of medical data among ACO providers. The ACO concept should further expansion of EHB use- and with it the risk of illicit action. The increased risk calls even more for the implementation of EHB technology with proper business controls.
a. See RTI International, Recommended Requirements for Enhancing Data Quality in Electronic Health Records, May 2007; and Kroll Fraud Solutions, 2008 HIMSS Analytics Report: Security of Patient Data, 2008.
b. For discussions of this risk, see Revenue Cycle Management Guide, Salt Lake City, Utah: Ingenix Publishing Group, 2006; and Fraud Examiner's Manual, Austin, Texas: Association of Certified Fraud Examiners, 2008.
c. Booz Allen Hamilton, Medical Identity Theft Final Report, report prepared for ONCHIT, HHS, January 2009.
About the author
Jeffrey R. Helton, CHFP, CFE, is director, Healthcare and Public Sector Advisory Services, MFR, PC, Houston (firstname.lastname@example.org or email@example.com).