Tuesday, December 10, 2013

44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like?

Modern Healthcare published an article "Feds eye crackdown on cut-and-paste EHR fraud" on Dec. 10, 2013 by Joe Carlson.

The article is about federal efforts to reduce the amount of clinician cut-and-paste from prior notes of a patient - which can even be done between charts of different patients.  This practice can result in overbilling for work not actually performed.  The practice can also result in no-longer-accurate data being carried forward; I have been consultant to cases where that phenomenon, in my opinion, contributed to grave patient injury in cases that have settled out of court.

It is at this link:  http://www.modernhealthcare.com/article/20131210/NEWS/312109965/feds-eye-crackdown-on-cut-and-paste-ehr-fraud?utm_source=articlelink&utm_medium=website&utm_campaign=TodaysHeadlines#

Subscription required, but googling the article title may allow reading it in its entirety.

The article begins:


Federal officials say the cut-and-paste features common to electronic health records invite fraudulent use of duplicated clinical notes and that there is a need to clamp down on the emerging threat. That concern is enhanced by the fact that it's too easy to turn off features of EHR systems that allow tracking of sloppy or fraudulent records.

In an audit report released Tuesday morning (PDF), [HHS Office of Inspector General, "NOT ALL RECOMMENDED FRAUD SAFEGUARDS HAVE BEEN IMPLEMENTED IN HOSPITAL EHR TECHNOLOGY"], HHS agencies confirmed that they are developing comprehensive plans to deter fraud and abuse involving EHRs, including guidelines for cut-and-paste features. The issue arises at a time when critics say federally subsidized digital patient record systems are sometimes being used inappropriately by providers to drive up reimbursement.

“Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud,” according a report from HHS' Office of the Inspector General.

None of this is a surprise to me, and to readers of this blog.

However, the real "money quote" in the article, I believe, is this:


"In addition, only 44% of hospitals' “audit log” systems could record whether cut-and-paste was used to enter data, and an identical percentage of hospitals reported [to OIG] that they can delete the contents of their internal audit logs whenever they'd like."


From page 11 of the HHS OIG Report linked above (http://www.modernhealthcare.com/assets/pdf/CH92135129.PDF):

[In 2006, ONC contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology.]

... Hospitals' control over audit logs may be at odds with their RTI- recommended use as fraud safeguards:

RTI recommends that EHR users not be allowed to delete the contents of their audit log so that data are always available for fraud detection, yet nearly half of hospitals (44 percent) reported that they can delete their audit logs. Although these hospitals reported that they limit the ability to delete the audit log to certain EHR users, such as system administrators, one EHR vendor noted that any software programmer could delete the audit log.

RTI recommends that the ability to disable the audit log be limited to certain individuals, such as system administrators, and that EHR users, such as doctors and nurses, be prevented from editing the contents of the audit log because these actions can compromise the audit log's effectiveness. Hospitals reported they have the ability to disable (33 percent) and edit (11 percent) their audit logs, although they reported restricting those abilities to certain EHR users, such as system administrators or EHR vendors. All four EHR vendors we spoke with reported that the audit logs cannot be disabled in their products, but one vendor again noted that a programmer could disable the audit log.

I further note that, being voluntarily provided, i.e., not part of a formal investigation of any specific organization, those numbers are likely low, perhaps very low considering this issue.

An audit log or audit trail is an automatically-generated dataset, invisible to most users, containing items such as who viewed records, the date/time/location of viewing, and indication of actions they may have performed on the records such as editing/changes/additions/deletions, etc.

As an EHR itself is a collection of magnetized or optically encoded bits on some computer storage medium, it cannot be authenticated as complete and free from alteration by humans.

The audit trail is the only way to authenticate an EHR printout, however (as well as EHR screenshots or any other electronic data turned into a tangible form from those bits) as complete and free from alteration.

If an EHR printout cannot be authenticated as complete and free from alteration, its trustworthiness and perhaps even court admissibility as a business record under an exception to the hearsay rules regarding evidence may be damaged or invalidated.

My concern is that, if true, and considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to "delete the contents of their internal audit logs whenever they'd like" and to edit audit trails (which based on the capabilities of relational databases also implies an ability to delete sections of audit logs selectively and/or to substitute false data) is simply alarming.

I don't think the EHR pioneers intended EHRs to be used for purposes of allowing evidence spoliation without traceability ...

-- SS

Dec. 13, 2013 Addendum:

I received the following reply from EHR compliance expert Dr. Reed D. Gelzer.  Re-posted with permission:

Good morning Dr Silverstein,

Thank you yet again for the illumination that you bring to matters of truth in Healthcare Information Technology.

Regarding the OIG report’s source document, the 2007 report to the ONC, I was the Fraud Prevention Workgroup Chair for that project, working under Principal Investigators Dr. Don Simborg and Susan Hanson, former Chair of AHIMA. 

For anyone who is interested in this subject matter, I would recommend that you go to the source document and, among other things, review the list of contributors.  These were all individuals who volunteered time to attempt to mitigate harms of defective HIT, in their capacities of records management systems, nearly 8 years ago now.   Many have gone on into leadership roles in related organizations and domains, some still working towards trustworthy health information technology systems.

I believe that I can say that none of those working on the report then would have believed that it was conceivable that even our most basic recommendations regarding the fitness of audit functions would remain "novel" in the industry in 2013.  One cannot be surprised at the low level of authenticity supports in hospitals’ EHRs systems given that fitness as record management systems for patient care has, to date, been either neglected or presumed, not tested or attested.   I am gratified that our 2007 work was utilized for the OIG report to illuminate the deplorable state of integrity supports in these patient care information systems.  This will undoubtedly spur interest in supportive resources such as the HL7 EHR System Functional Model Standard and the HL7 Records Management and Evidentiary Support Profile Standard.

All of us who worked on that ONC report are, I hope, as gratified as I am that the OIG removed our work product from its designated obscurity.   We developed the guidelines via methods that were more qualitative than quantitative, entirely intended to guide initial implementation backed by more methodical research.   We represented the most informed at that time, including those like myself and my ADIC associate Patricia Trites who had performed compliance testing on over 30 among the leading EHRs at the time and found extraordinary ranges of deficiencies, including audit functions that could be disabled at will.   Standards and tools existed then to support mitigation of risks and those Standards and tools have expanded since.  Now that the events and ONC decisions that led to inactions on the report are now in the past, we can more rapidly achieve the potentials nascent in HIT by rendering it more trustworthy, usable, and safe.

Thank you again for your ongoing vigilance.

Sincerely,

Reed D. Gelzer, MD, MPH, CHCC
Trustworthy EHR, LLC
Co-Facilitator, HL7 Records Management and Evidentiary Support Workgroup

To this I add that I also would not have found it conceivable that my concerns about bad health IT and the risks of patient harm it poses, as well as common healthcare IT project mismanagement, of which I started writing about in 1998 (http://cci.drexel.edu/faculty/ssilverstein/cases/) would remain "novel" ideas in the industry in 2013.

The Obamacare healthcare exchange website debacle has made the latter issue mainstream.  The former issues still need more sunlight.

-- SS

2/4/14 addendum:

HHS is apparently starting to pay attention to the importance of robust and secure EHR audit trails.

I note in the HHS document "Meaningful Use Stage 2, 2014 Edition EHR CERTIFICATION CRITERIA 45 CFR 170.314", page 7, regarding audit trails, available at this writing at http://www.healthit.gov/sites/default/files/meaningfulusetablesseries2_110112.pdf:

§170.314(d)(2) Auditable events and tamper-resistance.

(i) Record actions. EHR technology must be able to:
(A) Record actions related to electronic health information in accordance with the standard specified in § 170.210(e)(1);
(B) Record the audit log status (enabled or disabled) in accordance with the standard specified in § 170.210(e)(2) unless it cannot be disabled by any user; and
(C) Record the encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by EHR technology in accordance with the standard specified in § 170.210(e)(3) unless the EHR technology prevents electronic health information from being locally stored on end-user devices (see 170.314(d)(7) of this section).

(ii) Default setting. EHR technology must be set by default to perform the capabilities specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs (d)(2)(i)(B) or (d)(2)(i)(C), or both paragraphs (d)(2)(i)(B) and (C).

(iii) When disabling the audit log is permitted. For each capability specified in paragraphs (d)(2)(i)(A), (B), and (C) of this section that EHR technology permits to be disabled, the ability to do so must be restricted to a limited set of identified users.

(iv) Audit log protection. Actions and statuses recorded in accordance with paragraph (d)(2)(i) must not be capable of being changed, overwritten, or deleted by the EHR technology.

(v) Detection. EHR technology must be able to detect whether the audit log has been altered. 

From a posting at http://healthcaresecprivacy.blogspot.com/2012/09/meaningful-use-stage-2-audit-logging.html:

... The Information that needs to be recorded: § 170.210(e)(1)(i):  These rules [in a column I did not show here - ed.] identify “sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified”. This is simply the list of attributes that an audit log entry should contain that ASTM E2147 says are mandatory, and excludes the values it outlines as important but not mandatory. Below is about 90% of what is in section 7, I didn't want to copy all of it out of respect for the copyright. But, the part missing is just a one-line definition of each item, nothing more than that.
7. Audit Log Content
7.1 Audit log content is determined by regulatory initiatives, accreditation standards, and principles and organizational needs. Information is needed to adequately understand and oversee access to patient identifiable data in health information systems in order to perform security oversight tasks responsibly.
Logs must contain the following minimum data elements:
7.2 Date and Time of Event
7.3 Patient Identification
7.4 User Identification
7.5 Access Device (optional)
7.6 Type of Action (additions, deletions, changes, queries, print, copy)
7.7 Identification of the Patient Data that is Accessed(optional)
7.8 Source of Access (optional unless the log is combined from multiple systems or can be indisputably inferred)
7.9 Reason for Access (optional)
7.10 If capability exists, there should be recognition that both an electronic “copy” operation and a paper “print” operation are qualitatively different from other actions.

I am not sanguine about the "optional" components, especially 7.7 - the actual data that was accessed and acted upon.

I also note it is stunning that these audit trail 'rules' have only been promulgated recently.  It will be interesting to see how rigorous the EHR "certification" process will be regarding audit trails.

-- SS

No comments:

Post a Comment