
Upload: horace-mcgee

Post on 23-Dec-2015


Compliance & Fraud Prevention In The EHR

Terri Hall, MHA, RHIT, CPC, CAC

Billings Area Office, Indian Health Service

HIM/RM Coordinator

Definition of Healthcare Fraud

Intentional deception or misrepresentation, or deliberate omission that the individual or entity makes, knowing that the misrepresentation could result in some unauthorized benefit to the individual, or the entity or to some other party.

(National Healthcare Anti-Fraud Association)

Definition of Healthcare Fraud

• HIPAA legislation says “known or should have known.”

• “Due Diligence” obligation to identify, report and prevent fraud.

Identified Areas of Concern - EHR

• Authorship Integrity – borrowing from another source. Inflating services.

• Auditing Integrity – Inadequate audit functions.

• Documentation Integrity – Automated insertion of clinical data and visit documentation (templates, pull forward, copy and paste, etc.)

• Patient Identification and Demographic Accuracy

– Automated demographic or registration entries generating erroneous patient identification, leading to patient safety and quality of care concerns and unjust care for profit. (location of service, technical, professional, global billing)

Fraud Can Be Detected

• Through a variety of technology capabilities.

• Abnormal pattern recognition.

• Powerful system audits.

• Practice pattern monitoring.

• Tracking of controlled substances.

Definition of the Legal Health Record

• Remember: EDNA HUFFMAN, RRA, 1941, 6TH EDITION REVISED BY AMRA!, Elizabeth Price, RRA, Editor

– The medical record is the who, what, why, where, when and how of patient care during hospitalization. It stores the knowledge concerning the patient and his care. To be complete, the medical record must contain sufficient information to clearly identify the patient, to justify the diagnosis and treatment, and to record the results. (Oh! How times have changed)

The Legal Paper-Based Health Record Definition

2001 AHIMA Practice Brief

Definition of the Health Record for Legal Purposes defines the legal health record as “the legal business record generated at or for a healthcare organization. This record would be released upon request.” (M. Amatayakul AHIMA 72, no.9 (2002): 88A-H)

Definition of the Health Record for Legal Purposes

• It used to be “straightforward” (Contents of the paper chart together with radiology films or the results of other imaging studies formed the healthcare provider’s legal business record).

• NOW – it is more COMPLEX

– The EHR is evolving both in development pace and design prioritization.

– Therefore each organization has to define the content of the legal health record that best fits their system capabilities and legal environment.

Definition of the Legal Health Record

• LHR is the organization’s business record.

• Record that would be disclosed upon request.

• The LHR IS NOT Peer Review, Incident Reports (however these can be discoverable).

• The custodian of the LHR is the HIM Director. (However, IT may be called upon for technical infrastructure of EHR)

• HIM oversees the operational functions related to collecting, protecting, and archiving the legal health record while IT manages the technical infrastructure of the EHR.

The LHR is Expected to meet…

• CMS, Medicare Conditions of Participations.

• Federal regulations, state laws, and standards of accrediting agencies, such as JCAHO, AAAHC, etc.,

• Policies of the healthcare organization.

The Legal Hybrid Health Record

• Paper documents and electronic media = Hybrid

• Identify the “source” (paper or electronic)

• Matrix - identify the source legal record.

• Policies should indicate when the record is considered complete.

• The paper portion of the LHR is collected and archived.

• Electronic portions of the record are collected and archived in source systems. There must be a clear indication of the location where portions of a patient record are located.

So, What is Not Part of the LHR?

Data/Documents/Tools – NOT Part of the LHR

• Alerts/Reminders/Pop-Ups – however, associated documentation is considered a component of the LHR.

• Continuing Care Records – received from another healthcare provider, unless they are used in the provision of patient care.

Do you have a Plan when the EHR goes down?

Downtime Procedure Documents

• When the EHR is unavailable, is there a process in place for providers to continue with their documentation of patient care?

• Once the EHR function is restored, the information from the downtime documents must be made part of the EHR through data entry, scanning, or recreating documents in various subsystems.

What are Administrative Data/Documents? They are NOT Part of the LHR…

– Abbreviation lists
– Authorization forms for ROI
– Audit trails related to EHR
– Correspondence – ROI
– Databases containing patient information
– Event history/audit trails
– Financial and insurance forms
– Incident or patient safety reports
– Indices (diseases, operation, death)
– IRB lists
– Logs
– NPP
– Patient identifiable claims
– Patient identifiable data for QI
– Protocols/Clinical pathways, practice guidelines
– Psychotherapy notes
– Registries
– Staff roles and access rights
– Work lists/work in progress

What are Derived Data/Documents? They are Not Part Of The LHR.

• Definition: Derived Data consists of information aggregated or summarized from patient records so that there are no means to identify patients.

– Accreditation reports
– Anonymous patient data for research
– Best practice guidelines created from aggregate patient data
– OASIS reports
– ORYX, quality indicator, Quality Measure or other reports
– Public Health reports
– Statistical reports
– Transmission reports, MDS, OASIS, etc. (documentation is LHR)

Data/Documents = LHR

Advance directives, allergy records, documentation from alerts and reminders, analog and digital photographs, anesthesia records, care plans, consent forms, consults, images, discharge instructions, DS, e-mail messages containing patient-provider or provider/provider communications regarding care, ER records, fetal monitoring strips, functional status assessments, graphic records, immunizations, instant messages, I&O, med orders and profiles, (MDS, OASIS, GPRA, ORYX - used in the course of patient care) progress notes, nursing assessments, OP reports, Patient Identifiers, patient submitted documentation, path, education, psychology, post it notes, practice guidelines or protocols, problem lists, H&P, research records, respiratory, PT, Speech, Occupational, results of tests, studies, standing orders, telephone messages, telephone orders, trauma tapes, verbal orders, wave forms ECG, EMG, EKG, M&M-COP required by CMS.

BROKE ALL OF THE POWER POINT RULES!!!!

Have you really thought about the New Technologies? Are they part of the LHR?

Examples of documents/data that should be evaluated for inclusion or exclusion from the LHR…

• Audio files of dictation
• Audio files of patient telephone calls
• Nursing shift to shift reports handwritten or audio
• Videos of office visits
• Videos of procedures
• Videos of telemedicine consultations
• Videos of Behavioral Health telemedicine visits

Are Data/Documentation that reside in Data Source Systems part of the LHR?

• Records from Source Systems – X-ray, Lab, Pharmacy, etc.

• Result of Tests

• Documents that are kept in a separate system of record

– Behavioral Health

– Substance Abuse

The determining factor in whether something is to be considered part of the LHR is not where the information resides, or the format of the information, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request for MR information is received.

Electronic Health Record Systems (EHRS) vs. Legal Health Record

EHRS is a concept that consists of numerous integrated, component information systems and technologies.

The electronic files that make up the EHR system consist of different data types, and the data in the files consist of different data formats.

– Portions of the legal EHR may be located in various electronic systems that provide input to the Electronic Health Record, i.e., lab, pharmacy, PACS, Cardio, Results Reporting, CPOE, Nurse care plans, word processing, fetal trace monitoring, etc.

EHRS - Compliance Auditing & Monitoring

Do you have a system/process in place to ensure the integrity of the data in the EHR?

Do You Know Where & How The Data is Stored?

• May store structured, patient clinical, administrative data in a database or clinical data repository.

• May store unstructured, patient clinical data in separate databases or repositories (PACS-X-Ray) and provide pointers from the clinical portal to these various repositories. (Architecturally, these databases are logically, but not physically, linked.)

• The challenge for HIM in defining a legal health record in an EHRS is to determine which data elements, electronic structured documents, images, audio files, and/or video files become part of the legal electronic health record.

Is This Your EHR Team?

• Clinical – Those who use the tools.

• IT/CAC – The information technology experts who create, maintain, and improve the tools.

• HIM – Those who assure the technology “fits” the environment formed within the medical-legal, regulatory, and information management standards domains.

Working together to ensure that the technical tools fit the tasks and the environment for all uses of health care information.

HIM Professionals are….

Ideally suited to provide domain expertise and leadership.

Conscientious advocates, ensuring that the EHR system is optimally planned, chosen, implemented, and managed.

The traditional and continuing custodian of the medical record and medical record system, regardless of the media!

Trained to ensure the quality, privacy, and integrity of the EHR, whether on paper or electronic!

Today, the HIM Professional is an integral part of the team that maintains vigilance over the health information technology realm, so that health information management standards are consistently applied across all systems in order to maintain the level of integrity of the data which is necessary for the clinical, risk management, and medical-legally sound operations of the healthcare organization.

Are The Organization’s Leaders On Board?

In complying with all laws and regulatory requirements and to operate in an ethical manner?

Defining and prohibiting the entry of false information?

Defining individual responsibility and accountability for the accuracy and integrity of information/data?

For notifying management of errors which are discovered?

Promoting mandatory training covering the falsification of information and information security?

Has assigned responsibility to someone for the organization’s information security program?

Does the Organization Establish EHR and HIM related policies?

– Specific clinical documentation requirements?

– Defining required logging of activity on EHR systems?

– Defining how changes, corrections, amendments, retractions occur in the EHR and by whom?

Does the EHR Education Program meet the following objectives?

– Communicate & inform the organization’s P&P, individual responsibility, and the capabilities and functions of the EHR system?

– Explain staff responsibilities for maintaining the integrity and accuracy of information?

– Define personal responsibilities for protecting system access information?

– Define personal responsibility for creating accurate records?

Education Program, continued…

• Staff responsibility to notify management of problems?

• Cover the proper use and features and functions of the EHR?

• Defines penalties for falsifying any organizational records?

• Provide instruction on how to use the system security features for preventing unauthorized access?

• Inform all EHR users that their activities are being logged by the system?

• Address software design and other techniques that may be used to cause system users to enter false information? (Copy/Paste/Fill In The Blank Templates)

Does the EHR System Provide Access Control Functions?

– That define the management of user authentication? (scribes, assistants, auto authentication of many documents at one time – NO)

– Many authenticators, not one signer for visit functionality.

– That define the management of extensive privilege assignment and control features?

EHR Fraud Prevention

• Does the EHR system have the capability/functionality to…

– Attribute the entry to the original signer?

– Modification/addendums made to documents?

– Deletion of information (retraction) by a specific individual or subsystem?

– Do bells and whistles sound when someone tries to pull forward a large section of a H&P done by another provider? Warning message, lock down of record?

• Does the EHR system have the capability to log all activity?

– How do you know who did an addendum, amendments, retraction of note?

Audit Logs – What Events Should Be Recorded?

• Start-up and shutdowns of systems

• Successful and unsuccessful log in and log-out.

• User actions to open, close, create, execute, modify, or delete programs or files.

• Actions taken by system administrators, system security administrators, or other super users.

• Changes or attempts to change privileges and access controls for users and objects.

Does the EHR system have the capability to use a common date and time stamp across all components of the system?

– Date and time when orders were signed

– When visit was signed

– When orders were transcribed

– Date & Time for addendums

– Date and time and attribution of copy and paste documentation done by another provider?

Does the EHR system have data entry editing capabilities?

– To validate information on entry when possible? (edits to alert provider of values out of range, dosage based on age and weight)

– To check for duplication and conflicts? (PCC Error report – coding queue reports)

– To control and limit automatic creation of information? (template check boxes)

Does the EHR system establish a process for logging of all activity on EHR systems?

– That determines which logging features should be used?

– That assigns responsibility for auditing of log entries and reported exceptions?

– That defines retention periods and procedures for log records?

– That defines system related performance issues?

EHR Matrix = Hybrid = P/E

How will you keep track of what is still on paper and what is in the EHRS?

Sample Legal Source Legend – Hybrid Environment Matrix

| Report / Document Types | LHR Media Type: (P) paper or (E) electronic | Source System Application (non-paper) | Electronic Storage Start Date | Stop Printing Start Date |
|---|---|---|---|---|
| H&P | P/E | Notes Tab or EHR template | 1/2/2006 | 8/1/2006 |
| Lab | P | RPMS-Lab | | |
| Physician Orders | E | EHR Orders (CPOS) tab | | |
| X-ray | P | RPMS X-ray | | |
| Discharge Summary | E | EHR V 1.1 | 1/1/2006 | 4/1/2006 |

Defining the Legal EHR – Tracking Data/Document Types - Matrix

• Original Analog Documents & Document Image Data: Hand-written notes and drawings; Signed patient consent forms

• Discrete, Structured Data: Lab Orders – Results; Meds orders – MARs; Online Charting and documentation; Detailed charges

• Diagnostic Image Data: CT, MRI, Ultrasound, Nuclear Med, Pathology Images

• Signal Tracing Data: EKG/EEG; Fetal Monitor Strips

• Audio Data: Voice Dictations and Annotations; Heart Sounds

• Video Data: Ultrasound; Cardiac Catheterization Exams; Heart Sounds

• Text Data: Radiology reports; Transcribed reports; UB and Itemized bills

Maintaining the Legal EHR: Verification Legend

X = Prohibited & Monitored

O = Allowed & Monitored

| Report/Document Type | Audit | Authentication (Visit Note – signed by “ONE” care giver) | Authorship (Many Signers) | Copy/Paste | Amend | Correct | Clarify |
|---|---|---|---|---|---|---|---|
| Encounter History | O | O | O | X | O | O | O |
| Encounter Physical | O | O | O | X | O | O | O |
| Visit Note | O | O | O | X | O | O | O |
| Social History | O | O | O | X | O | O | O |
| Medication List | O | O | O | X | O | O | O |

What does the HCCA think are the Top 12 Hot Topics For Compliance?

• Medical appropriateness of coding and DRG services
• Unbundling of hospital outpatient services
• Outpatient department payments
• Evaluation of “incident to” services
• Inpatient Only services performed in an outpatient setting
• Physical and occupational therapy services
• Inpatient rehab facility compliance and Medicare requirements.
• Outpatient outlier and other change-related issues.
• Payments for observation services vs. inpatient admissions for dialysis.
• Cardiography and echocardiography
• Review of E&M services during global surgery periods.
• Inappropriate payments for interpretation of diagnostic x-rays in hospital emergency departments.

Selecting EHR System Features To Prevent Fraud

• Access Control – To verify authorship there are two concepts: authentication & access management.

• User Authentication – is the process of determining whether someone or something is, in fact, who or what it is declared to be.

– Something the user is – Biometric I.D., Fingerprint or Retinal or DNA sequence voice pattern, signature recognition.

– Something the user has – ID card, security token, or software token.

– Something the user Knows – password or a personal I.D. number (PIN).

Dual-element authentication should be considered as a reasonable control policy.

EHR System Features To Prevent Fraud

• Extensive Privilege Assignment & Control Features – Access Management – AKA – Authorization, is the process of verifying that a known person has the authority to perform a certain operation.

• Logging of all activity – the EHR system must have the ability to record all activity that occurs within the system.

• Data Entry Editing – Verify validity of information – warn, male/female ICD codes, billing codes, medical necessity documentation.

• Checks for duplication and conflicts – MR #s, medical management options (life threatening drug interactions), system prompt capability – (system controls the prompt occurrence – lack of use or misuse by provider).

Case Study/Worst Case Scenario I

Electronic Tools that Enable “Borrowing” Data from Another Source

– Electronic tools make it easy to copy and paste documentation from one record to another or pull information forward from a previous visit.

– Borrowed data cannot be tracked back to the original source, creating both legal and quality of care concerns.

Worst Case Scenario II

Professional Services – E&M Code

A patient had a number of medical tests and diagnostic evaluations in an outpatient clinic over a two week period. The patient requested a copy of his MR along with the bills for services. The E&M codes he found were consistently at the highest level (5). The patient was a retired auditor for health plans and he noticed that the medical history was “pulled through” within departments, between departments and in subsequent visits with the same provider using the EHR system, even when the visits did not include the clinician taking a history! He reported this to the fraud division.

Behavioral Health Service III

“Cookie Cutting”

A state department of health surveyor identified a nurse at the community hospital documenting the same text on progress notes completed for several patients on her caseload. This practice involved copying and pasting the same text from one record to another, neglecting to accurately document the variations from one patient to another.

Example: the patient’s response to meds may differ, request for follow up date and time may differ.

Thus, Medicaid Fraud Division imposed fines and penalties for payment for care which was not rendered at the level of service claimed.
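The "cookie cutting" pattern above is one that practice pattern monitoring can surface automatically. The following is an added example, not part of the original presentation: it compares progress notes written for different patients and flags pairs whose wording is nearly identical. The note records, field layout and the 0.8 threshold are assumptions made for illustration.

```python
import re
from itertools import combinations

# Constructed sample notes (not real patient data):
# (note_id, patient_id, author, text)
NOTES = [
    ("n1", "pt-A", "nurse1", "Patient alert and oriented. Tolerating medication well, "
     "no side effects reported. Follow up in two weeks at 10:00."),
    ("n2", "pt-B", "nurse1", "Patient alert and oriented. Tolerating medication well, "
     "no side effects reported. Follow up in two weeks at 10:00."),
    ("n3", "pt-C", "nurse1", "Patient alert and oriented. Tolerating medication well, "
     "no side effects reported. Follow up in two weeks at 10:30."),
    ("n4", "pt-D", "nurse1", "Patient reports nausea after evening dose; dose timing "
     "changed to morning. Return in one week."),
]


def shingles(text, k=3):
    """Return the set of k-word sequences in text, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9:]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Share of word sequences the two notes have in common (0.0 to 1.0)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def find_cloned_notes(notes, threshold=0.8):
    """Flag pairs of notes for DIFFERENT patients whose text is near-identical.

    Returns (note_id, note_id, similarity) tuples, most similar first.
    """
    prepared = [(nid, pid, shingles(text)) for nid, pid, _author, text in notes]
    flagged = []
    for (id1, pt1, s1), (id2, pt2, s2) in combinations(prepared, 2):
        if pt1 == pt2:
            continue  # same-patient pull-forward is a separate review
        score = round(jaccard(s1, s2), 3)
        if score >= threshold:
            flagged.append((id1, id2, score))
    return sorted(flagged, key=lambda p: (-p[2], p[0], p[1]))


def authors_to_review(notes, flagged):
    """Group the flagged note ids by the author who signed them."""
    author_of = {nid: author for nid, _pid, author, _text in notes}
    review = {}
    for id1, id2, _score in flagged:
        for nid in (id1, id2):
            review.setdefault(author_of[nid], set()).add(nid)
    return {author: sorted(ids) for author, ids in review.items()}


if __name__ == "__main__":
    pairs = find_cloned_notes(NOTES)
    for id1, id2, score in pairs:
        print(f"{id1} ~ {id2}: similarity {score}")
    print(authors_to_review(NOTES, pairs))
```

A flagged pair is a prompt for HIM review of the chart, not a finding: notes n1 and n3 differ only in the follow-up time, which is exactly the kind of patient-specific detail the surveyor found missing.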

Academic Medical Center & Physician Services Worst Case IV

Patient admitted to hospital for workup to determine hypertensive episodes.

Patient is status post mitral valve replacement with porcine graft and also with pacemaker. The physician progress notes in a hospital based EHR were copied and pasted multiple times by the attending physician, consulting physician and residents, using a convenient “macro” feature available in the software. The teaching physician made this a regular practice to copy and paste the resident notes as his own, thus saving time. A new resident misdiagnosed the patient with adrenal insufficiency and recorded the incorrect diagnosis in the MR. Due to the normal routine of “borrowing” documentation higher E&M codes were assigned based on the diagnosis and treatment, and at the same time creating a patient safety and quality of care issue from reliance on inaccurate MR documentation. The patient died from a med error in an attempt to treat the adrenal insufficiency which she did not have!

Best Case Scenario – Example IV

This hospital made sure that their EHR had specific patient safety and documentation integrity tools built into the design.

– Orientation to new staff and students on how to use the tools for accurate and complete documentation.

– Entries include the date and time stamp and the author of the note.

– Teaching physicians must sign into the system so the appropriate authentication is attached to their chart entry and any templates must be modified to reflect specific conditions and observations unique to the service.

– Teaching physicians must be physically present to report services for health plan claims.

– Medical necessity and intensity of service documentation is unique to each visit, so when EHR templates and macros are not modified, they are clearly identified both by a different screen color and by a watermark across the text saying “Unmodified Documentation Template”.

Best Case Scenario continued…

– Info buttons provide the documentation guidelines and reporting requirements for teaching physicians, available at the click of the mouse.

– Alerts are generated when a copy and paste function is used, warning the EHR user about plagiarism.

– Creation of a full slate of documentation guidelines, P&P for EHR and EHR tools.

– Records get “locked down” for either pulling forward or copying text content to another location.

– Policies about surrogates and scribes.

– Creation of a clinical documentation improvement program.

Best Case Scenario continued…

The integrity of data is of extreme importance because it is used to identify and track patients as they move from one level of care to another.

Data is used to verify the identity of an individual to ensure that the correct patient is receiving the appropriate care and to support billing activity.

Data Integrity – Worst Case

Clinical Notes with difficulty in date association…

Patient seen on September 2, 2006 and informed the physician of a possible reaction to a prescribed medication. Physician is side tracked and does not enter visit information. On September 5th the same physician is back on duty and realizes he did not make an entry for the September 2nd visit.

The physician decides that he wants the date to reflect the actual date the patient was seen, so he changed the date to Sept. 2, 2006 @ 11:30 am. He proceeds to enter the documentation, documenting the symptoms the patient described surrounding the medication reaction as best he could.

When another provider reviewed the record, he saw the “new” note. This provider worked over the weekend and did not recall seeing this information. Upon further review the clinician sees that the date displayed is Sept. 2, 2005 @ 11:30 am.

Best Case Scenario – Data Integrity

Clinical notes with difficulty in data association…

Text capability in the EHR has built in data functionality hard coding the date a note is entered or capability to “Lock Visit”- 2 days – if provider forgot to document note.

The clinician should have the ability to associate the note with a date of service to reflect both a reference date of when they saw the patient as well as an indication of a late entry/addendum/clarify.

Both of these dates are important to best practices in HIM.

Note and Event Entries – Date/Time Stamp - Peripherals

A facility has multiple biomedical peripherals connected to the EHR: Portable EKGs, IV Infusion Pumps, Etc. The main system has a synchronized clock for display with date and time stamping on notes, lab results, etc. Quality indicators say that an EKG must be performed within 10 minutes of arrival to the ER for chest pain patients. The patient is brought to the ER at 23:55 on 9/1/2006. An EKG is started and completed per orders entered at 23:57. EKG is uploaded, read and interpreted. At 00:30 on 9/2/2006 the clinician completes her documentation of the assessment and orders admission for AMI. Upon review, the EKG is reported as being ordered @ 23:57, but not completed until 9/2/2006 @ 00:45. This is 15 minutes after the note entered by the clinician, stating the EKG was done and showed ST Elevation MI.

Note: This case fell out of PI review, and would have difficulty standing up in court. The linkage of peripherals needs to have the clocks on each system synchronized to support the integrity of the data.
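An audit job can catch the unsynchronized-clock problem in this case by checking that records appear in an order that is physically possible. The following is an added example, not part of the original presentation: it rebuilds the case from the times given above and flags any record stamped earlier than something it depends on. The field names, record ids and the "EKG-cart" source label are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed records built from the times in the case above.
# "source" names the system whose clock stamped the record.
EVENTS = [
    {"id": "arrival", "type": "er_arrival", "source": "EHR",
     "time": datetime(2006, 9, 1, 23, 55)},
    {"id": "order-1", "type": "order", "source": "EHR",
     "time": datetime(2006, 9, 1, 23, 57)},
    {"id": "ekg-1", "type": "result", "source": "EKG-cart",
     "time": datetime(2006, 9, 2, 0, 45), "fulfils": "order-1"},
    {"id": "note-1", "type": "note", "source": "EHR",
     "time": datetime(2006, 9, 2, 0, 30), "cites": ["ekg-1"]},
]


def causal_pairs(events):
    """Yield (cause, effect) records: order -> result, result -> citing note."""
    by_id = {e["id"]: e for e in events}
    for e in events:
        if "fulfils" in e:
            yield by_id[e["fulfils"]], e
        for cited in e.get("cites", []):
            yield by_id[cited], e


def find_ordering_violations(events):
    """Return every case where an effect is stamped earlier than its cause."""
    violations = []
    for cause, effect in causal_pairs(events):
        if effect["time"] < cause["time"]:
            violations.append({
                "cause": cause["id"],
                "effect": effect["id"],
                "gap": cause["time"] - effect["time"],
                "clocks": (cause["source"], effect["source"]),
            })
    return violations


def minimum_skew(violations):
    """Largest gap per pair of clocks: a lower bound on their disagreement."""
    skew = {}
    for v in violations:
        first, second = v["clocks"]
        if first != second:
            skew[v["clocks"]] = max(skew.get(v["clocks"], timedelta(0)), v["gap"])
    return skew


def door_to_ekg(events, violations, limit=timedelta(minutes=10)):
    """Evaluate the 10-minute indicator, refusing to score untrusted stamps."""
    arrival = next(e for e in events if e["type"] == "er_arrival")
    result = next(e for e in events if e["type"] == "result")
    suspect = {v["cause"] for v in violations} | {v["effect"] for v in violations}
    if arrival["id"] in suspect or result["id"] in suspect:
        return "indeterminate"
    return "met" if result["time"] - arrival["time"] <= limit else "not met"


if __name__ == "__main__":
    found = find_ordering_violations(EVENTS)
    for v in found:
        print(f"{v['effect']} is stamped {v['gap']} before {v['cause']} {v['clocks']}")
    print(minimum_skew(found))
    print("door-to-EKG indicator:", door_to_ekg(EVENTS, found))
```

On the case data the check reports the note as stamped 15 minutes before the EKG it cites, and the quality indicator comes back "indeterminate" rather than failed, because the device timestamp cannot be trusted.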

Worst Case Scenario – Med Errors

Failure of an EHR system to provide appropriate safeguards against med errors, including either the wrong patient, wrong drug, or failure to consider all available data can contribute to poor quality care.

The physician order entry software provides the capability for default self selection upon entering the first (3) letters of the drug. The physician wanted Norfloxacin (antibiotic for eye infection) and typed in NOR, but Norflex (muscle relaxant) came up. Both are oral medications. The order was signed and the meds made available for pick up.

The patient began taking the Norflex and returned to the ER by rescue squad later the same week with septic shock due to a very serious bacterial infection of the left eye.

Best Case Scenario – Med Error

Built in safeguards in the (CPOE) software suite to prevent med errors.

The system does not allow software to self select (or default), and requires a second validation.

The system provides the user the opportunity to finish typing.

The software provides a list of options (or drop down menu) the user can select from, then provides alerts or reminders from a knowledge base.

Per policy no abbreviations are allowed in the ordering of the full name of the drug.

The system provides a warning message at the time of signature for contraindications and potential adverse effects.

The system asked the provider to verify selection of Norfloxacin as it is noted in the current med history that the patient experienced an anaphylactic reaction to another antibacterial agent.

IHS - EHR Compliance Issues

• Provider did not complete the clinic note for many patient visits & weeks later created “new” visits to document his notes.

• Outpatient Medication file (V-Med) is one big file – Inpatient drug file is in an Orders file – not the V-Med file.

• PHN visits (non-face to face) visits put into EHR using clinic code (11) Home Visit, which led to visit being billed in error.

• Missing notes after the visit was signed by provider, never found.

• Duplicate visits created in Ancillary packages, missing POV, Provider and clinic code.

• Mental Health Visits in EHR – New Business Rules are required – List Business Rules by User Class for MH Privileges. (Cover Sheet –Dx)

• Vital signs entered by others can be changed.

• Medications in EHR – lists multiple times the same dose of medication – this happens because pharmacy adds a new product/new NDC for a med that has that dose available in an existing product with its accompanying NDC#.

• Discontinued and expired meds still show as chronic on the meds tab.

• V 1.1 EHR – visit lock default is 2 days – but no lock on visits in PCC.

Linking Anti-Fraud & Legal EHR Functions – AHIMA March 2007

• In 2005 AHIMA Foundation of Research and Education, under contract with the HIT, researched & published a report on the use of health IT to prevent and detect fraud.

• Five work groups were formed to focus on key issues.

• The report focused on the “Key Principles for EHR Systems” as outlined by “Government Paperwork Elimination Act” (GPEA).

• GPEA is not limited to Healthcare, however there is a clear overlap with core HIM principles.

• NHIN (Nationwide Health Information Network) – Complies with Federal & State law and meets requirements of reliability & admissibility of evidence.

Michelle Dougherty, RHIA, CHP

AHIMA JOURNAL – March 2007

• Office of National Coordinator for Health Information Technology (HIT) – issued a second contract to develop model anti-fraud requirements for EHR.

• Contract awarded to Research Triangle Institute with a sub-contract to Foundation of Research & Education (3/07-Report)

AHIMA March 2007 Journal – Core HIM Principles

• Completeness
• Accountability
• Access & availability
• Traceability
• Auditable (verifiable)
• Identification
• Authentication
• Biometric authentication
• Non-repudiation
• Integrity
• Storage & security
• Records retention
• Reliability
• Digital certificate
• Digital signature
• Electronic signature
• Public key infrastructure (PKI)

Thank You

Any Questions?


406-247-7128