Page 1 of 10 Hospital Certified Electronic Health Record (EHR) Technology Questionnaire Thank you for taking time to complete this questionnaire. The Office of Inspector General (OIG) is conducting this survey as part of a study on fraud and abuse safeguards in EHRs. Participating will help us learn about the certified EHR technology hospitals are using. Our questions concern the presence of features and capabilities of certified EHR technology, as well as barriers to implementing certain safeguards for increased fraud protection and data integrity. If you have any questions, please contact Kim Yates at 617-565-2911 or Kim.Yates@oig.hhs.gov. Your responses will be saved every time you click the NEXT button. You can return to the questionnaire at any time, using the same link, until you click the red SUBMIT button. Click the PRINT button to print a copy of this questionnaire with your responses. Once you click the red SUBMIT button you will not be able to edit or print your responses. Click the NEXT button to begin. 1. Please provide the following information for the individual(s) completing this questionnaire: Respondent name(s) and title(s): Phone number: Hospital name: The following questions ask about the certified EHR technology this hospital has implemented and attested to meaningful use. 2. What type of EHR technology does this hospital use? One or more commercial vendor product(s) One or more internally developed product(s) A combination of vendor and internally developed products
Page 2 of 10 3. How many years has the hospital used any EHR technology? 4. Is this hospital part of a network of hospitals that use the same EHR technology? The following questions ask about the certified EHR technology's capabilities regarding coding. 5. How are diagnoses and procedures coded at this hospital? Manually by professional coders Automatically with coding software 6. Does this hospital have plans to adopt computer-assisted coding? The following questions ask about user authentication and access to the certified EHR technology. 7. Does access to the hospital EHR technology require the following user authorizations? Unique user ID Password Token-based (e.g., identification card) Biometrics (e.g., fingerprints) Public-key (e.g., PKI, digital certificates) 8. Has the hospital implemented the following policies and procedures regarding access to the EHR technology? Automatic user log-off/ Session time-out Minimum password configuration rules Regular changing of password User agreements or contracts to prevent sharing of passwords
Page 3 of 10 The following questions ask about access to the certified EHR technology by outside entities. 9. Does this hospital allow any outside entity (such as a payer) access to the EHR technology? 10. How does the hospital allow outside entities access to the EHR technology? Remotely On-site 11. Does the hospital establish unique user IDs to track outside entities' activity? The following questions ask about access to the certified EHR technology by outside entities. 14. To what extent does the hospital consider the following to be barriers to allowing outside entities access to EHR technology? EHR technology does not support the capability Hardware does not support the capability Insufficient human resources Funding restrictions/additional costs to implement Insufficient training on EHR technology Inability to integrate with existing systems Inability to limit access to specific patients, encounters, or information Concerns with EHR system performance Concerns with patient privacy Concerns with provider rights Concerns with inappropriate use by outside entities Hospital policy prevents such access Please Specify: To A Large To Some To Little t At All The following questions ask about the certified EHR technology's audit log and metadata
Page 4 of 10 features. Audit logs and metadata track access and changes within an EHR chronologically by capturing data elements such as date and time when users access or change the record. 15. Does the audit log record data for the following events? Each entry or access to the EHR Signature event (the proactive or auto default completion of a patient encounter) Export of EHR document (printed, electronically exported, emailed) Amendments, corrections, or modifications of data Import of data Disabling of audit log Release of encounter for billing Access by an authorized outside entity 16. Does the audit log record the following data? National Provider Identifier (NPI) Date/Time/User stamps Access type (creating, editing, viewing, printing, etc.) Internet Protocol (IP)/ Media Access Control (MAC) address Network Time Protocol (NTP)/ Simple Network Time Protocol (SNTP) synchronized time Method of data entry (direct entry, speech recognition, automated, copy/import, copy forward, dictation) Date/Time/User stamp of original author when data are copied Date/Time/User stamp of original author if data are entered on behalf of another (e.g., an assistant enters clinical information for a physician) The following questions ask about the certified EHR technology's audit log and metadata features. 17. Is the audit log operational whenever the EHR technology is available for updates or viewing?
Page 5 of 10 18. To what extent does the hospital consider the following to be barriers to having the audit log operational at all times? Insufficient storage space for data Impedes system performance Inability to use audit log data (i.e., cannot identify and interpret audit log data) Insufficient human resources Inadequate training on audit log functionality A lack of user guides for audit log functionality To A Large To Some To Little t At All The following questions ask about the certified EHR technology's audit log and metadata features. 19. Can the audit log be disabled? 20. Who can disable the audit log? Any EHR user EHR users who are authorized to access the audit log EHR system administrators 21. Can the audit log be deleted? 22. Who can delete the audit log? Any EHR user EHR users who are authorized to access the audit log EHR system administrators 23. Can the audit log be edited? 24. Who can edit the audit log? Any EHR user EHR users who are authorized to access the audit log EHR system administrators
Page 6 of 10 The following questions ask about the certified EHR technology's audit log and metadata features. 25. How long are audit log data stored? 26. Does the EHR technology allow for the destruction of EHR and audit log data according to the hospital's data retention policies? 27. Can the EHR technology produce a user friendly version of the audit log (i.e., a summary of audit data in a readable format or embedded in an electronic form) for transmitting, printing, or exporting? The following questions ask about the certified EHR technology's audit log and metadata features. 28. Does anyone at the hospital analyze the audit log data? 29. Which of the following individuals at the hospital analyzes the audit log data? EHR system administrator Compliance officer Privacy officer 30. How often is the audit log data reviewed and analyzed? Monthly Quarterly Annually 31. To what extent does the hospital consider the following to be barriers to analyzing audit log data? Insufficient storage space for data Inability to interpret audit log data Insufficient human resources Inadequate training on audit log data To A Large To Some To Little t At All
Page 7 of 10 A lack of user guides for audit functionality The following questions ask about how physician progress notes are entered into the certified EHR technology. 32. To what extent are physician progress notes handwritten and/or dictated instead of directly entered into the EHR at this hospital? All physician progress notes are handwritten/dictated Some physician progress notes are handwritten/dictated and some are directly entered into the EHR physician progress notes are handwritten/dictated 33. How are these physician progress notes maintained? Maintained as a hardcopy Scanned into the EHR Transcribed into the EHR 34.Why are physician progress notes not directly entered into the EHR? 35. How are physician progress notes entered into the EHR? Typed directly into the EHR as free text Entered into the EHR with templates The following questions ask about how nursing notes are entered into the certified EHR technology. 36. To what extent are narrative nursing notes handwritten instead of directly entered into the EHR at this hospital? All narrative nursing notes are handwritten Some narrative nursing notes are handwritten and some are directly entered into the EHR narrative nursing notes are handwritten 37. How are these narrative nursing notes maintained? Maintained as a hardcopy Scanned into the EHR 38.Why are narrative nursing progress notes not directly entered into the EHR?
Page 8 of 10 39. How are narrative nursing notes entered into the EHR? Typed directly into the EHR as free text Entered into the EHR with templates Please Specify: The following questions ask about the certified EHR technology's capabilities regarding exporting and transmitting EHR documents. 40. Are there limits on which EHR users are authorized to electronically export, transfer, or print EHR documents? 41. Does the EHR technology require the user to document why an EHR document was electronically exported, transferred, or printed? 42. Does the EHR technology have the capability to disable the Print Screen function? 43. Does the hospital disable the Print Screen function for the EHR technology? The following questions ask about certified EHR technology features regarding patient access. 44. Do patients have the following electronic access to their EHR data? View their entire EHR View only components of their EHR Ability to comment in their EHR View all entities to which their EHR was released View all the entities who accessed their EHR The following questions ask about certified EHR technology features regarding patient access. 45. To what extent does the hospital consider the following to be barriers to allowing patient access to their EHR data?
Page 9 of 10 EHR technology does not support the capability Hardware does not support the capability Resistance by physicians to have patients access the information Concerns with patient security and privacy Funding restrictions/ additional costs to implementation Insufficient training on the EHR technology Inability to integrate with existing systems Concerns with EHR system performance Hospital policy prevents such access To A Large To Some To Little t At All The following questions ask about the certified EHR technology features regarding patient identity management. 46. What procedures does the hospital require to identify patients upon check-in? Photo identification Established relationship (i.e., visual recognition) Verifying identity based on information an individual can verify (e.g., address, data of birth) Biometric identification 47. For each patient check-in, does the EHR technology have the capability to record which identification procedure was used to confirm patient identity? The following questions ask about additional features and safeguards that the hospital's certified EHR technology may have in place. 48. Can an EHR document be modified after it has been finalized by a "signature event" (i.e., the proactive or auto default completion of a patient encounter)? 49. Are the original unmodified EHR data retained?
Page 10 of 10 50. Can the following features be customized in the EHR technology? Copy/Paste Templates Do t Have That Feature 51. Does the hospital have a policy regarding the use of the copy/paste feature in EHR technology? 52.Please describe the hospital's copy/paste policy: The following questions ask about the additional features and safeguards the the hospital's certified EHR technology may have in place. 53. Has the hospital implemented any of the following safeguards? Policies and procedures for analysis of audit log data Written policies and agreements for EHR users Employee training on privacy Employee training on fraud and abuse prevention Employee training on EHR data integrity Routine review of EHR user privileges 54.Please describe any other procedures, policies, or capabilities specific to the EHR technology that your hospital has implemented in order to maintain data integrity and prevent fraud. Click the PRINT button if you would a copy of this questionnaire with your responses. Please click the red SUBMIT button to complete this questionnaire. Once you do so, you will not be able to change or print your responses. Thank you!