Copy-and-paste’ fraud targeted by CMS and OIG
"Copy and paste" is a feature common to almost all computer programs that allows the user to quickly select text and reproduce it elsewhere instead of typing it again. Though useful, the Department of Health and Human Services’ Office of Inspector General (OIG) is warning that copy and paste can lead to fraudulent billing, and the Centers for Medicare and Medicaid Services (CMS) is vowing to pursue any providers who abuse the feature.
The OIG recently released a report critical of hospitals’ use of copy and paste in electronic health record (EHR) documentation, based on an online questionnaire to 864 hospitals and interviews with hospital staff, including a demonstration of EHR technology at eight hospitals.
OIG found that only about one-quarter of audited hospitals had policies regarding the use of the copy-and-paste feature. Also, 61% of surveyed hospitals "shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate."
Additionally, the audit found that 51% of surveyed hospitals reported that they are unable to customize the copy-and-paste feature in their EHR technology by restricting its use or disabling it. Only 25% of hospitals had policies on the use of the copy-and-paste feature.
The audit also found problems with what OIG calls "overdocumentation" in EHRs, which it describes as "inserting false or irrelevant documentation to create the appearance of support for billing higher level services." This problem can occur when an EHR automatically fills in fields for built-in templates or when a system generates "extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate," the report says.
The OIG report urges that audit logs always be kept and stored to better track EHR access and changes. It also recommends that the Offfice of the National Coordinator for Health Information Technology and CMS "strengthen their collaborative efforts to develop a comprehensive plan to address fraud vulnerabilities in EHRs and develop guidance on the use of the copy-paste feature in EHR technology." (See p. 42 for more information.)
Responding to the audit report, CMS issued a statement saying it will work "to develop a comprehensive plan to detect and reduce fraud in EHRs."
Using the copy-and-paste feature should not be considered bad practice, but it must be done carefully enough that the user doesn’t veer into fraud territory, says Robert Hitchcock, MD, FACEP, a practicing ED physician and an Emergency Department Practice Management Association (EDPMA) board member. He also is vice president of T-System, a regulatory consulting company based in Dallas.
Hitchcock notes that most EHR systems include macros that can generate a significant amount of documentation with one click which enable the physician to "chart by exception." That charting technique is legitimate and can improve efficiency, he says. However, this technique requires taking the time to amend the record however necessary so that the information is accurate for that patient.
Even more troublesome are EHR features that encourage "chart cloning" in which the record is automatically filled with information that is not reviewed by the user and might have no relevance to that particular patient visit. Chart cloning can result in upcoding and documentation for services not provided, Hitchcock says.
"Poor use of these features can bloat the medical record and introduce charges for services that did not happen on that date or possibly ever," Hitchcock says. "Copying data from one patient record to another can include identifiable information, and that’s a privacy violation."
Hitchcock cautions that auditors’ interest might be piqued, which can cause them to dig deeper into individual records, if your EHR has these features enabled:
• The EHR automatically generates codes that are inconsistent with your documentation.
• The system has prompts that suggest how to obtain higher reimbursement.
• The EHR automatically inserts information that inflates the extent of the patient visit or includes care that was not provided.
Federal regulators will be able to find and pursue large cases of fraudulent billing because of these pitfalls in EHR systems, says Andrew Urbaczewski, PhD, chair and associate professor of the Department of Business Information and Analytics at the University of Denver. But that federal interest doesn’t mean that providers should junk the automation features of EHRs altogether, he says.
"One way that fraudsters have traditionally operated is by using the same X-ray or report and showing it to patients, and make it part of their record," he says. "However, physicians who are practicing medicine legally and ethically should have little fear of being incorrectly labeled as a fraudster. Shortcuts for frequently used items in the patient care workflow exist to help providers spend more time with patients and less time hung up in the EHR system."
The real risk for providers who use copy and paste is that the provider might copy and paste notes and inadvertently leave in items from other medical records, Urbaczewski says. That action would create privacy issues or incorrect data. Well-meaning providers also might produce too much information in the record, which makes the note needlessly long, perhaps drawing attention away from the crucial facts in the patient record. (See the story below for more advice on avoiding fraud with EHRs.)
"The provider must remember that ultimately the responsibility for the medical record lies solely with him or her, in its entirety, and should take care to carefully note copied and pasted material by changing its appearance in some way, such as when pasting information from an outside consultant, and note the source," Urbaczewski says. "Ultimately, the EHR interface for the provider should be designed with data fields and links to where copying and pasting can be avoided, making systems safer for patients, providers, and less prone to fraud in that manner."
- Robert Hitchcock, MD, FACEP, Vice President, T-System, Dallas. Telephone: (972) 503-8899. Email: email@example.com.
- Andrew Urbaczewski, PhD, Department of Business Information and Analytics, University of Denver. Telephone: (303) 871-4802. Email: firstname.lastname@example.org.