CMS and Contractors Must Address EHR Fraud Vulnerabilities

EHR fraud is a significant concern of CMS and its contractors.

(February 7, 2014): A new report from the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) finds that the Centers for Medicare and Medicaid Services (CMS) and its contractors have adopted few Medicare program integrity practices to address electronic health record (EHR) fraud vulnerabilities. These EHR fraud vulnerabilities include improper billing practices like copy-pasting (cloning) and overdocumentation. OIG recommended that CMS provide better guidance to Medicare contractors on detecting EHR fraud and direct those contractors to use providers’ audit logs, a valuable fraud detection tool when reviewing medical records.

I. Electronic Health Records Have Largely Replaced Paper Medical Records:

EHRs are replacing traditional paper medical records with electronic records that document and store patient health information. They are patient-focused and instantly provide authorized users with real-time, secure information. EHRs may include administrative clinical data relevant to a patient’s care under a particular provider, such as patient statistics like age and weight, progress notes, medications, medical history, and clinical test results.[1] More importantly, the health information in these records can be created and managed by authorized providers in a digital format capable of being shared across various health care entities.

II. EHR Fraud Vulnerabilities:

EHRs facilitate the government’s goal of a health care system that strengthens the relationship between patients and their doctors. The timeliness and availability of patient health information may enable providers to make better decisions and provide better care. However, misuse and other fraudulent practices are a significant concern with EHRs. Indeed, recently identified EHR fraud vulnerabilities will require CMS and its Medicare contractors to revise their traditional approaches to combating fraud and abuse in the health care industry.

For example, OIG recognized that “clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs.” The report also found that tracing authorship and documentation in an EHR may not be as direct as tracing in a paper record. In fact, OIG noted that health care providers can use EHR software features to disguise the true authorship of the EHR and distort information in the record. These practices can lead to inflated health care claims and fraudulent submissions for reimbursement.

III. A Number of Program Integrity Risks are Presented by EHR Utilization:

While the full extent of health care fraud is unknown, there is no doubt it is substantial. Indeed, estimates put the cost of health care fraud between $75 billion and $250 billion. Unfortunately, the proliferation of EHRs may enable more widespread instances of deceptive practices. Specific features of EHRs, if poorly designed or misused, can result in EHR fraud and improper billing schemes.


A common EHR documentation practice used to commit fraud is known as “copy-pasting” or “cloning”. Cloning allows authorized providers to select information from one source in an EHR and replicate it in another section. For example, a health care practitioner can use cloning as a useful tool to replicate elements of a patient’s demographics on each page of the EMR. Originally seen as beneficial, cloning can be an easy way to copy forward documentation that appears to be the same, or at least unchanged from a prior visit, in a patient’s medical record. However, cloning is susceptible to misuse. When clinicians clone information but do not update it or ensure its accuracy, erroneous data may enter the patient’s medical record. In turn, inappropriate charges may be billed to patients or third-party health care payors. Likewise, improper cloning can facilitate attempts to upcode claims and duplicate or create fraudulent claims.


Another EHR documentation practice used to perpetuate fraud is “overdocumentation.” Under this scheme, a clinician inserts false or irrelevant documentation into the EHR, creating the appearance of medically necessary information that supports billing at a higher level of service. Overdocumentation typically occurs in EHR systems that auto-populate fields when using templates built into the system. It may also be seen in EHR programs that generate extensive documentation from the single click of a checkbox; if a provider does not properly edit the documentation, the information may be inaccurate. As a result, fraudulent records are produced that suggest the clinician performed comprehensive services that were not actually rendered.

IV. CMS Contractors Are Supposed to Play a Vital Role in Safeguarding the Integrity of the Medicare Program:

CMS’s Medicare Integrity Program (MIP) is designed to combat fraud, waste, and abuse. Misuse and deceptive practices divert billions of dollars that could otherwise be spent on the health and welfare of Medicare beneficiaries. To facilitate its efforts to address Medicare’s vulnerabilities to fraud, waste, and abuse, CMS relies on Medicare administrative and program integrity contractors. These contractors perform various functions, such as paying claims, identifying improper Medicare payments, and investigating fraudulent activity.

Medicare Administrative Contractors (MACs) are primarily responsible for processing and paying Medicare claims. MACs educate Medicare providers on appropriate billing methods and are responsible for detecting and deterring fraud. Zone Program Integrity Contractors (ZPICs) also focus on detecting and deterring Medicare fraud. ZPICs investigate providers that have filed potentially fraudulent claims, conducting prepayment reviews, postpayment audits, as well as unscheduled onsite visits. Recovery Audit Contractors (RACs) are largely responsible for identifying and reducing Medicare improper payments by detecting and recouping improper payments made on claims for Medicare services.

Importantly, these Medicare contractors rely on beneficiary medical records for a significant amount of their program integrity work. When providers shift from paper medical records to EHRs, MACs, ZPICs, and RACs will have to adjust their current techniques for identifying improper payments and investigating fraud.

V. A Recent OIG Report Found that Medicare Vulnerabilities are not Being Effectively Addressed:

OIG undertook a study to determine whether CMS and its contractors were properly implementing Medicare program integrity practices in light of growing EHR adoption. Unfortunately, the report found that CMS and its contractors had adopted very few program integrity practices specific to EHRs.

Few CMS Contractors are Reviewing EHRs any Differently than Paper Medical Records.

EHR technology is making it easier to commit fraud. However, CMS and its contractors have not adjusted their program integrity practices for identifying and investigating fraud in EHRs. According to the OIG report, just two MACs and two ZPICs acknowledged that they conduct additional reviews of EHR documentation beyond what they do for paper records. Moreover, the report found that audit logs are being severely underutilized. Audit logs are a unique function of EHRs. They help distinguish EHRs from paper medical records and can be a valuable tool in authenticating a medical record to support a claim. Nonetheless, the report found that only 3 of the 18 Medicare contractors admitted using audit log data in their review process.

Few CMS Contractors Reported Being Able to Determine if Cloning or Overdocumentation Was Occurring.

The report also found varying ability among MACs, ZPICs, and RACs to identify cloning and overdocumentation in both EHRs and paper medical records. Generally, more contractors were able to identify incidences of overdocumentation than cloning. OIG reasoned that overdocumentation was likely easier to identify because it is more evident within the supporting medical record for a single claim. In contrast, examples of cloning are more difficult to identify in a single claim because doing so may require a single reviewer to examine multiple claims from a single patient or provider for evidence of identical language. Notably, ZPICs were the contractors that most often reported being able to identify these types of schemes. As you recall, ZPICs’ primary objective is to target fraud; as a result, they are more likely to look at multiple claims as compared to other Medicare contractors.

CMS Provided Only Limited Guidance to Medicare Contractors on EHR Fraud Vulnerabilities.

Finally, the report looked into the extent to which Medicare contractors were receiving guidance from CMS on typical fraud vulnerabilities, such as cloning, overdocumentation, and/or electronic signatures. Unfortunately, the report found that little guidance or training was being disseminated. For example, CMS provided guidance to most MACs and RACs on electronic signatures; however, not one single ZPIC responded that it received this assistance. For the other EHR-related vulnerabilities, the guidance provided by CMS was insufficient.

VI. Recommendation Made by OIG in its Report:

Overall, the report recognizes that CMS and its contractors have not changed their program integrity strategies during the growing adoption of EHRs. Contractors are reporting that they are unable to identify cloning or overdocumentation in both forms of medical records. Moreover, few contractors are adopting additional review procedures specifically tailored to EHRs. Finally, little guidance is coming from CMS on how to detect fraud vulnerabilities. Therefore, OIG made two recommendations. CMS must:

  1. Provide guidance to its contractors on detecting fraud associated with EHRs; and
  2. Direct its contractors to use providers’ audit logs.

OIG also argued that CMS should work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs, especially as it pertains to EHR documentation and electronic signatures. Moreover, the report stressed how audit log data can be a valuable tool in authenticating a medical record to support a claim.

VII. CMS’s Response to OIG's Concerns:

In its response letter to OIG, CMS recognized that it could give better guidance to contractors to prevent EHR-related fraud and abuse. CMS also agreed that audit logs should be used more frequently. However, CMS said that the use of audit logs "may not be appropriate in every circumstance" and would require special training for reviewers.

VIII. Final Remarks:

This report is just the latest effort by OIG to determine the extent to which providers are using EHRs to commit waste, fraud, and abuse in the Medicare program. Every month, we hear reports of physicians, hospitals, and other Medicare providers using EHRs to generate documentation that supports higher coding levels, thereby inflating Medicare bills. This is fraud. As the federal government continues to encourage the implementation and use of EHRs, CMS will begin to focus its efforts, as well as those of its Medicare contractors, on how to prevent fraud, waste, and abuse using this technology. EHR systems may be poorly designed or implemented, which will require you to copy and paste entire sections of a beneficiary’s record or the whole note, rather than just the relevant component.

Ultimately, your ability to avoid the filing of an improper claim rests on your ability to comply with federal and state laws, regulations and rules governing the provision, coding and billing of health care services. Without a doubt, the single most important step you can take in this regard is to develop, implement and adhere to the provisions and guidelines set out in an effective Compliance Plan. Otherwise, your practice may be targeted by CMS and one of its Medicare contractors.

If you have any questions about a Medicare audit or implementing a Compliance Plan for your practice, give us a call. We would be more than happy to assist you in these matters.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. For a free consultation, call Robert at: 1 (800) 475-1906.

  • [1] CMS, Electronic Health Records. Accessed at http// on Jan. 14, 2014.