The Office of the Inspector General found that nearly all of the more than 800 hospitals it surveyed in late 2012 had federally recommended EHR audit functions in place, but "may not be using them to their full extent," while only a quarter of them had policies on the notoriously problematic practice of copy and pasting -- and many couldn’t even disable copy-and-paste if they wanted.
Those recommendations, issued in June 2007 by the Office of the National Coordinator for Health IT and RTI International, laid out standards for audit functions (such as documenting update methods and retaining original documents), user authentication, data transfers (including encryption) and patient-involvement in fraud prevention.
At the time of the OIG’s survey, between October 2012 and January 2013, 96 percent of the hospitals reported operational audit logs as recommended and almost half were starting to implement the tools to include patients in anti-fraud efforts.
Still, the OIG noted that just over 75 percent of those hospitals surveyed did not have policies for copying-and-pasting, and more than half were using EHR audit logs without recording the method of data entry (such as copy-paste, direct entry and speech recognition).
[See also: EHR copy and paste? Better think twice.]
The OIG found that 44 percent of the hospitals said they can delete audit logs. All of the four vendors surveyed said audit logs cannot be disabled in their systems, but one did note that a programmer could disable them. EHR vendors added that the costs of storage space for audit logs could be a burden, although 67 percent of the hospitals surveyed maintain them indefinitely.
Depending on how EHRs are used, they can make it easier or harder to commit outright fraud, or deliberate or inadvertent overbilling. Certain EHR documentation features, "if poorly designed or used inappropriately, can result in poor data quality or fraud," the OIG said.
When clinicians copy and paste wholesale, without updating patient data or double checking, records can become inaccurate, with potential adverse health consequences, and patients and third parties can end up with inappropriate charges.
Although more than 20 percent of the hospitals surveyed advised their clinicians to avoid "indiscriminately copy-pasting" and to cite the original source, the OIG said that even hospitals with policies for the practice "seemed to have limited control over the use" of it and that more than 60 percent "shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate."