
Compliance & Fraud Prevention In The EHR

Compliance & Fraud Prevention In The EHR. Terri Hall, MHA, RHIT, CPC, CAC Billings Area Office Indian Health Service HIM/RM Coordinator. Definition of Healthcare Fraud.


Presentation Transcript


  1. Compliance & Fraud Prevention In The EHR Terri Hall, MHA, RHIT, CPC, CAC Billings Area Office Indian Health Service HIM/RM Coordinator

  2. Definition of Healthcare Fraud Intentional deception or misrepresentation, or deliberate omission that the individual or entity makes, knowing that the misrepresentation could result in some unauthorized benefit to the individual, or the entity or to some other party. (National Healthcare Anti-Fraud Association)

  3. Definition of Healthcare Fraud • HIPAA legislation says “known or should have known.” • “Due Diligence” obligation to identify, report and prevent fraud.

  4. Identified Areas of Concern - EHR • Authorship Integrity • borrowing from another source. Inflating services. • Auditing Integrity • Inadequate audit functions. • Documentation Integrity • Automated insertion of clinical data and visit documentation (templates, pull forward, copy and paste, etc.) • Patient Identification and Demographic Accuracy • Automated demographic or registration entries generating erroneous patient identification, leading to patient safety and quality of care concerns and unjust care for profit. (location of service, technical, professional, global billing)

  5. Fraud Can Be Detected • Through a variety of technology capabilities. • Abnormal pattern recognition. • Powerful system audits. • Practice pattern monitoring. • Tracking of controlled substances.

  6. Definition of the Legal Health Record • Remember: EDNA HUFFMAN, RRA, 1941, 6TH EDITION REVISED BY AMRA!, Elizabeth Price, RRA, Editor • The medical record is the who, what, why, where, when and how of patient care during hospitalization. It stores the knowledge concerning the patient and his care. To be complete, the medical record must contain sufficient information to clearly identify the patient, to justify the diagnosis and treatment, and to record the results. (Oh! How times have changed)

  7. The Legal Paper-Based Health Record Definition 2001 AHIMA Practice Brief Definition of the Health Record for Legal Purposes defines the legal health record as “the legal business record generated at or for a healthcare organization. This record would be released upon request. (M. Amatayakul AHIMA 72, no.9 (2002): 88A-H)

  8. Definition of the Health Record for Legal Purposes • It used to be “straightforward” (Contents of the paper chart together with radiology films or the results of other imaging studies formed the healthcare provider’s legal business record). • NOW – it is more COMPLEX • The EHR is evolving both in development pace and design prioritization. • Therefore each organization has to define the content of the legal health record that best fits their system capabilities and legal environment.

  9. Definition of the Legal Health Record • LHR is the organization’s business record. • Record that would be disclosed upon request. • The LHR IS NOT Peer Review or Incident Reports (however, these can be discoverable). • The custodian of the LHR is the HIM Director. (However, IT may be called upon for technical infrastructure of EHR) • HIM oversees the operational functions related to collecting, protecting, and archiving the legal health record while IT manages the technical infrastructure of the EHR.

  10. The LHR is Expected to meet… • CMS, Medicare Conditions of Participations. • Federal regulations, state laws, and standards of accrediting agencies, such as JCAHO, AAAHC, etc., • Policies of the healthcare organization.

  11. The Legal Hybrid Health Record • Paper documents and electronic media = Hybrid • Identify the “source” (paper or electronic) • Matrix - identify the source legal record. • Policies should indicate when the record is considered complete. • The paper portion of the LHR is collected and archived. • Electronic portions of the record are collected and archived in source systems. There must be a clear indication of the location where portions of a patient record are located.

  12. So, What is Not Part of the LHR? Data/Documents/Tools – NOT Part of the LHR • Alerts/Reminders/Pop-Ups – however, associated documentation is considered a component of the LHR. • Continuing Care Records – received from another healthcare provider, unless they are used in the provision of patient care.

  13. Do you have a Plan when the EHR goes down? Downtime Procedure Documents • When the EHR is unavailable, is there a process in place for providers to continue with their documentation of patient care? • Once the EHR function is restored, the information from the downtime documents must be made part of the EHR through data entry, scanning, or recreating documents in various subsystems.

  14. What are Administrative Data/Documents? They are NOT Part of the LHR… • Abbreviation lists • Authorization forms for ROI • Audit trails related to EHR • Correspondence – ROI • Databases containing patient information • Event history/audit trails • Financial and insurance forms • Incident or patient safety reports • Indices (diseases, operation, death) • IRB lists • Logs • NPP • Patient identifiable claims • Patient identifiable data for QI • Protocols/Clinical pathways, practice guidelines • Psychotherapy notes • Registries • Staff roles and access rights • Work lists/work in progress

  15. What are Derived Data/Documents? They are Not Part Of The LHR. • Definition: Derived Data consists of information aggregated or summarized from patient records so that there are no means to identify patients. • Accreditation reports • Anonymous patient data for research • Best practice guidelines created from aggregate patient data • OASIS reports • ORYX, quality indicator, Quality Measure or other reports • Public Health reports • Statistical reports • Transmission reports, MDS, OASIS, etc. (documentation is LHR)

  16. Data/Documents = LHR Advance directives, allergy records, documentation from alerts and reminders, analog and digital photographs, anesthesia records, care plans, consent forms, consults, images, discharge instructions, DS, e-mail messages containing patient-provider or provider/provider communications regarding care, ER records, fetal monitoring strips, functional status assessments, graphic records, immunizations, instant messages, I&O, med orders and profiles, (MDS, OASIS, GPRA, ORYX - used in the course of patient care) progress notes, nursing assessments, OP reports, Patient Identifiers, patient submitted documentation, path, education, psychology, post it notes, practice guidelines or protocols, problem lists, H&P, research records, respiratory, PT, Speech, Occupational, results of tests, studies, standing orders, telephone messages, telephone orders, trauma tapes, verbal orders, wave forms ECG, EMG, EKG, M&M-COP required by CMS. BROKE ALL OF THE POWER POINT RULES!!!!

  17. Have you really thought about the New Technologies? Are they part of the LHR? Examples of documents/data that should be evaluated for inclusion or exclusion from the LHR… • Audio files of dictation • Audio files of patient telephone calls • Nursing shift to shift reports, handwritten or audio • Videos of office visits • Videos of procedures • Videos of telemedicine consultations • Videos of Behavioral Health telemedicine visits

  18. Are Data/Documentation that reside in Data Source Systems part of the LHR? • Records from Source Systems • X-ray, Lab, Pharmacy, etc. • Result of Tests • Documents that are kept in a separate system of record • Behavioral Health • Substance Abuse

  19. The determining factor in whether something is to be considered part of the LHR is not where the information resides, or the format of the information, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request for MR information is received.

  20. Electronic Health Record Systems (EHRS) vs. Legal Health Record EHRS is a concept that consists of numerous integrated, component information systems and technologies. The electronic files that make up the EHR system consist of different data types, and the data in the files consist of different data formats. • Portions of the legal EHR may be located in various electronic systems that provide input to the Electronic Health Record, i.e., lab, pharmacy, PACS, Cardio, Results Reporting, CPOE, Nurse care plans, word processing, fetal trace monitoring, etc.

  21. EHRS - Compliance Auditing & Monitoring Do you have a system/process in place to ensure the integrity of the data in the EHR?

  22. Do You Know Where & How The Data is Stored? • May store structured, patient clinical, administrative data in a database or clinical data repository. • May store unstructured, patient clinical data in separate databases or repositories (PACS-X-Ray) and provide pointers from the clinical portal to these various repositories. (Architecturally, these databases are logically, but not physically, linked). • The challenge for HIM in defining a legal health record in an EHRS is to determine which data elements, electronic structured documents, images, audio files, and/or video files become part of the legal electronic health record.

  23. Is This Your EHR Team? • Clinical – Those who use the tools. • IT/CAC – The information technology experts who create, maintain, and improve the tools. • HIM – Those who assure the technology “fits” the environment formed within the medical-legal, regulatory, and information management standards domains. Working together to ensure that the technical tools fit the tasks and the environment for all uses of health care information.

  24. HIM Professionals are…. Ideally suited to provide domain expertise and leadership. Conscientious advocates, ensuring that the EHR system is optimally planned, chosen, implemented, and managed. The traditional and continuing custodian of the medical record and medical record system, regardless of the media! Trained to ensure the quality, privacy, and integrity of the EHR, whether on paper or electronic!

  25. Today, the HIM Professional is an integral part of the team that maintains vigilance over the health information technology realm, so that health information management standards are consistently applied across all systems in order to maintain the level of integrity of the data which is necessary for the clinical, risk management, and medical-legally sound operations of the healthcare organization.

  26. Are The Organization’s Leaders On Board? In complying with all laws and regulatory requirements and to operate in an ethical manner? Defining and prohibiting the entry of false information? Defining individual responsibility and accountability for the accuracy and integrity of information/data? For notifying management of errors which are discovered? Promoting mandatory training covering the falsification of information and information security? Has assigned responsibility to someone for the organization’s information security program?

  27. Does the Organization Establish EHR and HIM related policies? • Specific clinical documentation requirements? • Defining required logging of activity on EHR systems? • Defining how changes, corrections, amendments, retractions occur in the EHR and by whom?

  28. Does the EHR Education Program meet the following objectives? • Communicate & inform the organization’s P&P, individual responsibility, and the capabilities and functions of the EHR system? • Explain staff responsibilities for maintaining the integrity and accuracy of information? • Define personal responsibilities for protecting system access information? • Define personal responsibility for creating accurate records?

  29. Education Program, continued… • Staff responsibility to notify management of problems? • Cover the proper use and features and functions of the EHR? • Defines penalties for falsifying any organizational records? • Provide instruction on how to use the system security features for preventing unauthorized access? • Inform all EHR users that their activities are being logged by the system? • Address software design and other techniques that may be used to cause system users to enter false information? (Copy/Paste/Fill In The Blank Templates)

  30. Does the EHR System Provide Access Control Functions? • That define the management of user authentication? (scribes, assistants, auto authentication (many documents at one time) (NO)). • Many authenticators, not one signer for visit functionality. • That define the management of extensive privilege assignment and control features?

  31. EHR Fraud Prevention • Does the EHR system have the capability/functionality to… • Attribute the entry to the original signer? • Modification/addendums made to documents? • Deletion of information (retraction) by a specific individual or subsystem? • Do bells and whistles sound when someone tries to pull forward a large section of a H&P done by another provider? Warning message, lock down of record? • Does the EHR system have the capability to log all activity? • How do you know who did an addendum, amendments, retraction of note?

  32. Audit Logs – What Events Should Be Recorded? • Start-up and shutdowns of systems • Successful and unsuccessful log-in and log-out. • User actions to open, close, create, execute, modify, or delete programs or files. • Actions taken by system administrators, system security administrators, or other super users. • Changes or attempts to change privileges and access controls for users and objects.

  33. Does the EHR system have the capability to use a common date and time stamp across all components of the system? • Date and time when orders were signed • When visit was signed • When orders were transcribed • Date & Time for addendums • Date and time and attribution of copy and paste documentation done by another provider?

  34. Does the EHR system have data entry editing capabilities? • To validate information on entry when possible? (edits to alert provider of values out of range, dosage based on age and weight) • To check for duplication and conflicts? (PCC Error report – coding queue reports) • To control and limit automatic creation of information? (template check boxes)

  35. Does the EHR system establish a process for logging of all activity on EHR systems? • That determines which logging features should be used? • That assigns responsibility for auditing of log entries and reported exceptions? • That defines retention periods and procedures for log records? • That define system related performance issues?

  36. EHR Matrix = Hybrid = P/E How will you keep track of what is still on paper and what is in the EHRS?

  37. Sample Legal Source Legend – Hybrid Environment Matrix

  38. Defining the Legal EHR – Tracking Data/Document Types - Matrix

  39. Maintaining the Legal EHR: Verification Legend X = Prohibited & Monitored; O = Allowed & Monitored

  40. What does the HCCA think are the Top 12 Hot Topics For Compliance? • Medical appropriateness of coding and DRG services • Unbundling of hospital outpatient services • Outpatient department payments • Evaluation of “incident to” services • Inpatient Only services performed in an outpatient setting • Physical and occupational therapy services • Inpatient rehab facility compliance and Medicare requirements. • Outpatient outlier and other change-related issues. • Payments for observation services vs. inpatient admissions for dialysis. • Cardiography and echocardiography • Review of E&M services during global surgery periods. • Inappropriate payments for interpretation of diagnostic x-rays in hospital emergency departments.

  41. Selecting EHR System Features To Prevent Fraud • Access Control – To verify authorship there are two concepts: authentication & access management. • User Authentication – is the process of determining whether someone or something is, in fact, who or what it is declared to be. • Something the user is – Biometric I.D., Fingerprint or Retinal or DNA sequence, voice pattern, signature recognition. • Something the user has – ID card, security token, or software token. • Something the user knows – password or a personal I.D. number (PIN). A dual element authentication should be considered as a reasonable control policy.

  42. EHR System Features To Prevent Fraud • Extensive Privilege Assignment & Control Features – Access Management – AKA – Authorization, is the process of verifying that a known person has the authority to perform a certain operation. • Logging of all activity – the EHR system must have the ability to record all activity that occurs within the system. • Data Entry Editing – Verify validity of information – warn, male/female ICD codes, billing codes, medical necessity documentation. • Checks for duplication and conflicts – MR #s, medical management options (life threatening drug interactions), system prompt capability – (system controls the prompt occurrence – lack of use or misuse by provider).

  43. Case Study/Worst Case Scenario I Electronic Tools that Enable “Borrowing” Data from Another Source • Electronic tools make it easy to copy and paste documentation from one record to another or pull information forward from a previous visit. • Borrowed data cannot be tracked back to the original source, creating both a legal and a quality of care concern.

  44. Worst Case Scenario II Professional Services – E&M Code A patient had a number of medical tests and diagnostic evaluation in an outpatient clinic over a two week period. The patient requested a copy of his MR along with the bills for services. The E&M codes he found were consistently at the highest level (5). The patient was a retired auditor for health plans and he noticed that the medical history was “pulled through” within departments, between departments and in subsequent visits with the same provider using the EHR system, even when the visits did not include the clinician taking a history! He reported this to the fraud division.

  45. Behavioral Health Service III “Cookie Cutting” A state department of health surveyor identified a nurse at the community hospital documenting the same text on progress notes completed for several patients on her caseload. This practice involved copying and pasting the same text from one record to another, neglecting to accurately document the variations from one patient to another. Example: the patient's response to meds may differ, request for follow up date and time may differ. Thus, Medicaid Fraud Division imposed fines and penalties for payment for care which was not rendered at the level of service claimed.

  46. Academic Medical Center & Physician Services Worst Case IV Patient admitted to hospital for workup to determine Hypertensive episodes. Patient is status post mitral valve replacement with porcine graft and also with pacemaker. The physician progress notes in a hospital based EHR were copied and pasted multiple times by the attending physician, consulting physician and residents, using a convenient “macro” feature available in the software. The teaching physician made it a regular practice to copy and paste the resident notes as his own, thus saving time. A new resident misdiagnosed the patient with adrenal insufficiency and recorded the incorrect diagnosis in the MR. Due to the normal routine of “borrowing” documentation, higher E&M codes were assigned based on the diagnosis and treatment, at the same time creating a patient safety and quality of care issue from reliance on inaccurate MR documentation. The patient died from a med error in an attempt to treat the adrenal insufficiency which she did not have!

  47. Best Case Scenario – Example IV This hospital made sure that their EHR had specific patient safety and documentation integrity tools built into the design. • Orientation to new staff and students on how to use the tools for accurate and complete documentation. • Entries include the date and time stamp and the author of the note. • Teaching physicians must sign into the system so the appropriate authentication is attached to their chart entry and any templates must be modified to reflect specific conditions and observations unique to the service. • Teaching physicians must be physically present to report services for health plan claims. • Medical necessity and intensity of service documentation is unique to each visit, so when EHR templates and macros are not modified, they are clearly identified both by a different screen color and by a watermark across the text saying “Unmodified Documentation Template”.

  48. Best Case Scenario continued.. • Info buttons provide the documentation guidelines and reporting requirements for teaching physicians, available at the click of the mouse. • Alerts are generated when a copy and paste function is used, warning the EHR user about Plagiarism. • Creation of a full slate of documentation guidelines, P&P for EHR and EHR tools. • Records get “locked down” for either pulling forward or copying text content to another location. • Policies about surrogates and scribes. • Creation of a clinical documentation improvement program.

  49. Best Case Scenario continued… The integrity of data is of extreme importance because it is used to identify and track patients as they move from one level of care to another. Data is used to verify the identity of an individual to ensure that the correct patient is receiving the appropriate care and to support billing activity.

  50. Data Integrity – Worst Case Clinical Notes with difficulty in date association… Patient seen on September 2, 2006 and informed the physician of a possible reaction to a prescribed medication. Physician is side tracked and does not enter visit information. On September 5th the same physician is back on duty and realizes he did not make an entry for the September 2nd visit. The physician decides that he wants the date to reflect the actual date the patient was seen, so he changed the date to Sept. 2, 2006 @ 11:30 am. He proceeds to enter the documentation, documenting the symptoms the patient described surrounding the medication reaction as best he could. When another provider reviewed the record, he saw the “new” note. This provider worked over the weekend and did not recall seeing this information. Upon further review the clinician sees that the date displayed is Sept. 2, 2005 @ 11:30 am.
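
An added example (not part of the original presentation) of two audit checks the slides describe: near-identical note text across records, as in the "cookie cutting" and copy-and-paste cases, and notes whose entered visit time disagrees with the time the system logged the entry, as in the date-association case. The record fields, the 0.9 similarity threshold and the 24-hour lag limit are assumptions, and the sample notes are constructed.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from itertools import combinations

FMT = "%Y-%m-%d %H:%M"

# Constructed sample notes; the field names are hypothetical, not a real EHR schema.
# "visit_time" is the date the author entered; "logged_at" is the audit-log
# timestamp the system recorded when the note was actually saved.
NOTES = [
    {"id": 1, "patient": "P001", "author": "nurse_a",
     "visit_time": "2006-09-01 09:00", "logged_at": "2006-09-01 09:25",
     "text": "Pt alert and oriented. Tolerating meds well, no side effects. Follow up in 2 weeks."},
    {"id": 2, "patient": "P002", "author": "nurse_a",
     "visit_time": "2006-09-01 10:00", "logged_at": "2006-09-01 10:05",
     "text": "Pt alert and oriented; tolerating meds well, no side effects.  Follow-up in 2 weeks."},
    {"id": 3, "patient": "P003", "author": "nurse_a",
     "visit_time": "2006-09-01 11:00", "logged_at": "2006-09-01 11:40",
     "text": "Pt reports nausea after evening dose. Dose timing changed; recheck in 3 days."},
    {"id": 4, "patient": "P004", "author": "dr_b",
     "visit_time": "2006-09-02 11:30", "logged_at": "2006-09-05 09:15",
     "text": "Pt described possible reaction to prescribed medication. Medication held."},
]


def normalize(text):
    """Lowercase, drop punctuation and collapse whitespace so trivial edits do not hide a copy."""
    return " ".join(re.sub(r"[^a-z0-9\s]", " ", text.lower()).split())


def find_cloned_notes(notes, threshold=0.9):
    """Return (id_a, id_b, reason, ratio) for every pair of notes with near-identical text."""
    hits = []
    for a, b in combinations(notes, 2):
        ratio = SequenceMatcher(None, normalize(a["text"]), normalize(b["text"])).ratio()
        if ratio < threshold:
            continue
        if a["patient"] != b["patient"]:
            reason = "same text on different patients"
        elif a["author"] != b["author"]:
            reason = "same text signed by different authors"
        else:
            reason = "text pulled forward from an earlier visit"
        hits.append((a["id"], b["id"], reason, round(ratio, 2)))
    return hits


def find_date_mismatches(notes, max_lag=timedelta(hours=24)):
    """Return (id, lag) for notes saved long after, or before, the visit time they claim."""
    hits = []
    for n in notes:
        lag = datetime.strptime(n["logged_at"], FMT) - datetime.strptime(n["visit_time"], FMT)
        if lag > max_lag or lag < timedelta(0):
            hits.append((n["id"], lag))
    return hits


if __name__ == "__main__":
    for hit in find_cloned_notes(NOTES):
        print("possible cloned documentation:", hit)
    for note_id, lag in find_date_mismatches(NOTES):
        print(f"visit time and logged time disagree: note {note_id}, lag {lag}")
```

Both checks depend on the system keeping its own save timestamp and author attribution separately from what the user types, which is why the audit log has to be outside the user's control.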
