AHLA. E. My Vendor Made Me Do It: New Compliace Risks in EHR

Transcription

1 AHLA E. My Vendor Made Me Do It: New Compliace Risks in EHR James Cannatti Office of Counsel to the Inspector General US Department of Health and Human Services Washington, DC Danielle B. Fletcher Office of Inspector General US Department of Health and Human Services Washington, DC Robert G. Homchick Davis Wright Tremaine LLP Seattle, WA Current HIT Challenges: mhealth, Big Data, and HIPAA Compliance March 28, 2014

2 My Vendor Made Me Do It: New Compliance Risks in EHRs EHR James A. Cannatti III, Senior Counsel HHS Office of Inspector General Danielle Fletcher, HHS Office of Inspector General Robert G. Homchick, Davis Wright Tremaine, LLP Robert G. Homchick Davis Wright Tremaine, LLP

3 Electronic Medical Records = Sliced Bread Since the days of George W. Bush the federal government has been promoting the adoption of electronic medical records 2006 after prompting by Congress, OIG and CMS publish Stark Exceptions and AKS safe harbors for EMR donations The exceptions/safe harbors were to expire in 2013 but the agencies pushed out the sunset provisions to 2021 Meaningful Use Funding EMRs viewed as essential to improving the coordination of care and reducing costs $17 Billion by the end of 2013 ACOs and other Clinically Integrated Networks strongly encouraged to get wired EMR = Burnt Toast? What Happened? 2

4 EHR My Vendor Made Me Do It? Cloning? Cut & Paste? Audit Logs? Are these real problems? Or the inevitable result of using EMRs? EHR Promotes Fraud? Really? Statements of CMS and OIG Meaningful Use Audits RACs, ZPICs and other Contractors What is happening on the ground when an EMR is implemented? Are Providers using cut and paste indiscriminately? Is this just another way for the RACs to make money? Danielle Fletcher U.S. Department of Health and Human Services Office of Inspector General Office of Evaluations and Inspections

5 Data Sources: Hospital questionnaire of hospitals that received incentive payments Hospital site visits CMS contractor interviews EHR vendor interviews Document review Findings Audit logs User authorization and access controls Data transfer safeguards Patient involvement in anti fraud efforts Copy & paste 4

6 Hospitals Control Over Audit Logs 100% record the date, time and user identification 99% record each entry or access to EHR 99% record each modification to EHR 92% record each signature event Audit logs 44% can delete their audit logs 33% can disable their audit logs 11% can edit their audit logs 5

7 Other Safeguards All hospitals authenticate EHR users (Tokens, PKI, biometrics) 88% of hospitals have limits of data transfer 43% of hospitals include patient involvement in anti fraud efforts 24% of hospitals have copy paste policies CMS and its contractors had adopted few program integrity practices around EHRs Few contractors reviewing EHRs differently than paper medical records Not all contractors can identify copied language or over documentation 6

8 Recommendations: Audit logs operational whenever EHR technology available for updates/viewing ONC and CMS strengthen collaborative efforts CMS develop guidance on use of copy paste CMS provide guidance on fraud/ehrs CMS direct contractors to use providers audit logs s Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology asp CMS and Its Contractors Have Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs asp 7

9 James A. Cannatti III Senior Counsel U.S. Department of Health and Human Services Office of Inspector General Office of Counsel to the Inspector General Documentation and the Importance of Data Accuracy 8

10 Compliance Considerations Questions? 9