(Photo credit: Wikipedia)
Whether referred to as electronic medical records, electronic health records, or electronic patient records, there is no doubting the tremendous potential benefits that the digitization of medical data holds for the health care industry and the public at large. EMRs can make a patient’s medical information readily accessible to a range of treating professionals, whether for routine visits or emergencies in which a patient cannot personally provide the critical information practitioners require. EMRs also permit doctors to preserve information about a patient visit during the visit itself rather than hours later, when clinic impressions may no longer be as precise; allow automated identification of potential drug interactions; enable medical practitioners to spend less time with paperwork and more time with patients; and make medical information easily transferrable for those patients who relocate or seek to change physicians. In fact, these and other benefits of EMRs are so readily apparent that as part of the $787 billion financial stimulus package that President Obama signed into law in February 2009, the so-called HITECH Act included billions of dollars in government incentives for medical providers that transition from paper records to EMRs.
However, a more problematic aspect of EMRs has recently come to the fore – namely, the potential for such electronic records to become a uniquely pervasive and powerful means for committing health care fraud. Indeed, in a turn of events that is both ironic and notable, the most strident expressions of concern regarding the potential abuse of EMRs have come from the very same federal government that vigorously promoted their use less just a few years ago.
Three recent events underscore the government’s heightened concern regarding the use of EMRs as a vehicle for health care fraud. First, in a much publicized letter that was sent on September 24, 2012 to the heads of five associations of hospitals and academic medical centers, Attorney General Eric Holder and Health and Human Services Secretary Kathleen Sebelius noted the potential benefits of EMRs, but then pointed to “troubling indications that some providers are using this technology to game the system, possibly to obtain payments to which they are not entitled.” In referring to “indications” of the abuse of EMRs, the Holder-Sebelius letter appears to have been based at least in part on a front-page article that had appeared two days earlier in the New York Times, in which the Times notes that EMRs “can automatically generate detailed patient histories, or allow doctors to cut and paste the same examination findings for multiple patients — a practice called cloning — with the click of a button or the swipe of a finger . . . .” Similarly, in an investigative report issued on September 15, 2012, the nonprofit Center for Public Integrity reported that medical professionals have increased their billings to the Medicare program by at least $11 billion over the last ten years, and that the use of more remunerative billing codes “may be accelerating in part because of increased use of electronic health records, which make it easy to create detailed patient files with just a few mouse clicks.” Based on these reports, Attorney General Holder and Secretary Sebelius bluntly warned in their letter that “[l]aw enforcement will take appropriate steps to pursue health care providers who misuse electronic health records to bill for services never provided.”
Second, as the use of EMRs has grown, so has concern about the ability of hackers and others to infiltrate EMR systems and steal the protected information of individual patients. In October 2011, for example, the Department of Defense announced that an extensive number of backup tapes had been stolen from a contractor for TRICARE, which provides health insurance services to members of the armed services, and that the personal information and medical records of 4.9 million patients treated at military hospitals over the course of 20 years may have compromised as a result. More recently, Howard University announced in March 2012 that the theft of a contractor’s personal laptop compromised the confidential health information of over 34,000 patients, and on April 4, 2012, the Utah Department of Health disclosed a breach of its computer servers that was later determined to have resulted in the apparent theft of the personal information of nearly 800,000 individuals. And, in a twist on the usual scheme involving the theft of EMRs, in August 2012 hackers accessed the medical records of a small medical practice in Illinois, encrypted the records, and demanded a ransom payment in order to unlock the files. Events like these have increasingly drawn the attention of HHS’s Office for Civil Rights, and the scrutiny has focused not just on perpetrators, but on the health care providers who maintain confidential information in EMRs. In fact, in an “Enforcement Highlights” section of the HHS Health Information Privacy website that was last updated on October 31, 2012, HHS notes that one of the most frequently investigated issues regarding medical privacy involves health care providers’ “lack of administrative safeguards [for] electronic protected health information.”
Third and most recently, the federal government has expressed increasing concern that the medical providers who have shifted to EMRs and are claiming incentive payments under the HITECH Act may themselves be committing fraud. Just last week, in fact, HHS’s Office of the Inspector General issued a report in which it noted that while the government expects to pay $6.6 billion in incentive payments to those medical professionals and hospitals that report their “meaningful use” of certified EMR technology, sufficient safeguards are not currently in place to ensure that those medical professionals and hospitals in fact meet the relevant standards. In other words, as HHS-OIG reported, the incentive program for the transition to medical records has been and, absent significant new safeguards, will continue to be vulnerable to making billions of dollars in incentive payments to which providers are not actually entitled.
To be sure, whether EMRs are the new frontier of health care fraud is hardly a foregone conclusion. The response of the American Hospital Association to the Holder-Sebelius letter regarding the “cloning” and upcoding of EMRs vigorously questioned the government’s fundamental premise, noting that “more accurate documentation and coding does not necessarily equate with fraud.” The seeming increase of security breaches regarding EMRs has not been correlated to a significant increase in the submission of fraudulent claims, and the potential for health care providers and hospitals to abuse the “meaningful use” requirements and fraudulently obtain incentive payments has thus far been limited to the realm of risk assessments and hypothetical studies. Yet as has always been the case, with technology comes risk – and for the medical providers that utilize and rely upon EMRs, that risk may include increased scrutiny, investigation, and even prosecution by the very government that promoted the switch to EMRs in the first place.
To read more from Robert Radick, please visit www.maglaw.com.