Events Calendar

Mon
Tue
Wed
Thu
Fri
Sat
Sun
M
T
W
T
F
S
S
29
30
1
2
3
4
6
7
8
9
10
11
13
14
15
16
17
18
19
20
22
23
24
25
26
27
28
29
30
31
1
2
12:00 AM - NextGen UGM 2025
Pathology Visions 2025
2025-10-05 - 2025-10-07    
8:00 am - 5:00 pm
Elevate Patient Care: Discover the Power of DP & AI Pathology Visions unites 800+ digital pathology experts and peers tackling today's challenges and shaping tomorrow's [...]
AHIMA25  Conference
2025-10-12 - 2025-10-14    
9:00 am - 10:00 pm
Register for AHIMA25  Conference Today! HI professionals—Minneapolis is calling! Join us October 12-14 for AHIMA25 Conference, the must-attend HI event of the year. In a city known for its booming [...]
Federal EHR Annual Summit
2025-10-21 - 2025-10-23    
9:00 am - 10:00 pm
The Federal Electronic Health Record Modernization (FEHRM) office brings together clinical staff from the Department of Defense, Department of Veterans Affairs, Department of Homeland Security’s [...]
NextGen UGM 2025
2025-11-02 - 2025-11-05    
12:00 am
NextGen UGM 2025 is set to take place in Nashville, TN, from November 2 to 5 at the Gaylord Opryland Resort & Convention Center. This [...]
Events on 2025-10-05
Events on 2025-10-12
AHIMA25  Conference
12 Oct 25
Minnesota
Events on 2025-10-21
Events on 2025-11-02
NextGen UGM 2025
2 Nov 25
TN

Events

Articles

Dec 13: Hospitals need better EHR audit, access guidance

medcurrent debuts emr

A recent Office of the Inspector General (OIG) report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” gave some insight into EHR technology audit and access control capabilities and how healthcare providers are taking advantage of these functions.

The annual cost of healthcare fraud is between $75 billion and $250 billion, according to 2009 CMS estimates, and OIG administered an online questionnaire to 864 hospitals between October 2012 and January 2013 to learn about the Certified EHR Technology hospitals are using. OIG found that nearly all hospitals with EHR technology had contractor RTI International (RTI)-recommended audit functions in place, but they may not be maximizing their potential. And hospitals were found to use a variety of RTI-recommended user authorization and access controls, with most using RTI-recommended data transfer safeguards. OIG also found that a copy-paste feature in EHR technology that, if used improperly, could turn into a fraud vulnerability, and only one quarter of hospitals had policies to prevent this technology.

Audit logs: Privacy or fraud tool?

96 percent of hospitals reported that their audit logs remain operational at all times despite reporting barriers, including limited human resources, a lack of vendor-provided audit log user guides, and inadequate training on audit log functionality. OIG explained that because audit logs monitor user activity, they’re an important tool against EHR fraud. In fact, one-third of RTI’s recommended safeguards concern audit log operation and content. About 44 percent of hospitals delete their audit logs, which is against RTI advice for them to be available for fraud detection. Most hospital use their audit logs for privacy and not fraud monitoring purposes.

EHR vendors confirmed that their hospitals use the audit log as a HIPAA compliance tool rather than a tool to detect fraud. One vendor reported that hospitals were generally not aware of all the audit log features available to them. For example, all four EHR vendors explained that they provide standard product implementation and training and that hospitals do not commonly ask for additional audit log training.

User authentication

According to OIG, all responding hospitals reported that they authenticate EHR users via a unique user identification and password. Some hospitals had implemented stronger user authentication tools, such as tokens (21 percent of hospitals), public key infrastructure (14 percent), and biometrics (7 percent). 22 hospitals also reported implementing additional safeguards to ensure appropriate access to the EHRs.

Although the copy-paste feature in EHRs can enhance efficiency of data entry, it may also facilitate attempts to inflate, duplicate, or create fraudulent health care claims. RTI acknowledges the potential for misuse of the copy-paste feature in EHRs and suggests that specific warnings directed to EHR users be considered. Further, RTI recommends that the use of such tools be captured in the audit log. However, only 24 percent of hospitals had policies in place regarding use of copy-paste, and only 44 percent of hospital audit logs recorded the method of data entry (e.g., copy-paste, direct text entry, speech recognition) when data are entered into the EHR.

Recommendations

OIG recommends that audit logs be operational whenever EHR technology is available for updates or viewing and that ONC and CMS collaborate for create a comprehensive plan to address fraud vulnerabilities in EHRs. And it requested that CMS develop guidance on the use of the copy-paste feature in EHR technology. CMS and ONC  agreed with all of its recommendations.

Although ONC contracted with RTI to develop a list of recommended safeguards for EHR technology, the Department did not directly address all of these safeguards through certification criteria or meaningful use requirements. This review found that, on their own initiative, hospitals were employing EHR fraud and abuse safeguards to varying degrees. However, the Department must do more to ensure that all hospitals’ EHRs contain safeguards and that hospitals use them to protect against electronically enabled health care fraud.

source