Hospitals, clinicians and health IT companies could be doing more to control EHR copy-and-pasting and over-documentation and prevent potential fraud, according to the HHS Inspector General.

The Office of the Inspector General found that nearly all of the more than 800 hospitals it surveyed in late 2012 had federally recommended EHR audit functions in place, but "may not be using them to their full extent," while only a quarter of them had policies on the notoriously problematic practice of copy and pasting -- and many couldn’t even disable copy-and-paste if they wanted.

Those recommendations, issued in June 2007 by the Office of the National Coordinator for Health IT and RTI International, laid out standards for audit functions (such as documenting update methods and retaining original documents), user authentication, data transfers (including encryption) and patient-involvement in fraud prevention.

At the time of the OIG’s survey, between October 2012 and January 2013, 96 percent of the hospitals reported operational audit logs as recommended and almost half were starting to implement the tools to include patients in anti-fraud efforts.

Still, the OIG noted that just over 75 percent of those hospitals surveyed did not have policies for copying-and-pasting, and more than half were using EHR audit logs without recording the method of data entry (such as copy-paste, direct entry and speech recognition).

[See also: EHR copy and paste? Better think twice.]

The OIG found that 44 percent of the hospitals said they can delete audit logs. All of the four vendors surveyed said audit logs cannot be disabled in their systems, but one did note that a programmer could disable them. EHR vendors added that the costs of storage space for audit logs could be a burden, although 67 percent of the hospitals surveyed maintain them indefinitely.

Depending on how EHRs are used, they can make it easier or harder to commit outright fraud, or deliberate or inadvertent overbilling. Certain EHR documentation features, "if poorly designed or used inappropriately, can result in poor data quality or fraud," the OIG said.

When clinicians copy and paste wholesale, without updating patient data or double checking, records can become inaccurate, with potential adverse health consequences, and patients and third parties can end up with inappropriate charges.

Although more than 20 percent of the hospitals surveyed advised their clinicians to avoid "indiscriminately copy-pasting" and to cite the original source, the OIG said that even hospitals with policies for the practice "seemed to have limited control over the use" of it and that more than 60 percent "shifted the responsibility to the EHR user to confirm that any copied-pasted data were accurate."

More than half of the hospitals also said that they can’t customize or disable copy-paste features -- something the four EHR vendors surveyed by OIG confirmed, with one saying that it actively discourages copying-pasting of progress notes or identical texts.

The other issue on the inspector general’s radar is over-documentation, "inserting false or irrelevant documentation to create the appearance of support for billing higher level services," can produce information suggesting the practitioner performed more comprehensive services than were actually rendered," OIG staff wrote. The issue of over documentation can become ambiguous, though, since some EHR technologies "auto-populate fields when using templates built into the system" and others "generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate," OIG wrote.

[See also: 'Note bloat' putting patients at risk.]

Although the full extent is unknown, the OIG said that based on CMS estimates, somewhere between $75 billion and $250 billion are lost to fraud each year.

The OIG made three recommendations based on the findings, with which the Centers for Medicare & Medicaid Services and the ONC concurred. 

• That audit logs be operational whenever EHR technology is available for updates or viewing,
• That ONC and CMS develop a comprehensive plan to address fraud problems in EHRs, and
• That CMS develop guidance on the use of the copy-paste feature in EHR technology.