Electronic Health Records (EHR) are big business. Healthcare organizations know they will struggle to be competitive without this technology, yet many lack the security needed to ensure proper data management. In fact, the Department of Health and Human Services’ Office of the Inspector General (OIG) suggests that the Centers for Medicare and Medicaid Services and the Office of the National Coordinator for Health IT should have a comprehensive plan to address vulnerabilities in EHR.
While HIPAA guidelines have tightened in recent years to protect the public from unwanted eyes on their private medical information, the widespread adoption of EHR appears to have the potential to make it easier than ever before to commit fraud. When this happens, programs like Medicare and Medicaid are at risk of significant revenue losses and the individuals impacted will also suffer.
To promote proper data management, research firm RTI International developed recommendations, including increasing accuracy, data validity and integrity. The firm also suggested strengthening fraud protection within EHRs. According to auditors, however, these methods have been ineffective. The majority of hospitals using EHRs have RTI-recommended audit functions in place, yet aren’t using them to their full extent.
In fact, the OIG found that only about 25 percent of hospitals had policies in place regarding the use of copy-paste features within EHR technology. When used improperly, these features could create fraud vulnerabilities. This is just one example of an area where proper data management is falling short and putting people and systems at risk.
While a comprehensive study does need to be developed to detect and reduce fraud in EHRs, the right approach may also include standards in development, implementation and training. While IT departments are concerned about the vulnerabilities that technology introduces to the network, they may not have fraud vulnerabilities in mind when implementing EHR, simply because it leverages different elements within the organization. A properly informed and trained IT department may be an important next step.
Likewise, hosted options may be an important consideration. More often than not, managed providers extend greater security capabilities than companies can provide on their own. While HIPAA must be a top priority, these companies can also instruct on the proper use of data and put controls in place that prevent fraudulent activity.
Internal controls may be the most important element in this situation. There is always going to be human error, and without the right oversight and controls, it could expand with the use of EHRs. An organization-wide standard in data management could help prevent abuse.