What is scarier than Pennywise, Annabelle, and Jigsaw combined? Getting sued for an EHR program mistake and getting audited for EHR eligibility when the money is already spent (most likely, on the EHR programs).
Without question, EHR programs have many amazing qualities. These programs save practices time and money and allow them to communicate instantly with insurers, hospitals, and referring physicians. Medical history has never been so easy to get, which can improve quality of care.
However, recently, there have been a few audits of EHR programs that have caused some bloodcurdling concerns and of which providers need to be aware of creepy cobwebs with the EHR programs and the incentive programs.
- According to multiple studies, EHR has been linked to patient injuries, which can result in medical malpractice issues; and
- In an audit by OIG, CMS was found to have inappropriately paid $729.4 million (12 percent of the total) in incentive payments to providers who did not meet meaningful use requirements, which means that CMS may be auditing providers who accepted the EHR incentive payments in the near future.
Since the implementation of the Health Information Technology for Economic and Clinical Health Act, which rewards providers with incentive payments to utilize electronic health record (EHR) computer programs, EHR use has skyrocketed. Providers who accept Medicare are even more incentivized to implement EHR programs because not using EHR programs lead to penalties.
I. Possible Liability Due to EHR Programs
A recent study by the The Doctors’ Company (TDC) found that the use of EHR has contributed to a number of patient injuries over the last 10 years. The study highlights why it is so important to have processes in place for back-up, cross-checking, and auditing the documentation in your EHRs.
Without question, the federal government pushed for physicians and hospitals to implement EHR programs quickly. Now 80% of physician practices use EHR programs. 90% of hospitals use EHR programs. But the federal government did not create EHR standards when it mandated the use of the programs. This resulted in vastly inconsistent EHR programs. These programs, for the most part, were not created by health care workers. The people who know whether the EHR programs work in real life – the providers – haven’t transformed the EHR programs into better programs based on reality. The programs are “take it or leave it” models created in a vacuum. This only makes sense because providers don’t write computer code, and the EHR technology is extremely esoteric. A revision to an EHR program probably takes an act of wizardry. Revitalizing the current EHR programs to be better suited to real life could take years.
There are always unanticipated consequences when new technology is implemented – didn’t we all learn this from the NCTracks implementation debacle? Now that was gruesome!
TDC study found that EHR programs may place more liability on the provider-users than pre-electronic databases.
The study states the following:
“In our study of 66 EHR-related claims from July 2014 through December 2016, we found that 50 percent of these claims were caused by system factors such as failure of drug or clinical decision support alerts and 58 percent of claims were caused by user factors such as copying and pasting progress notes.
This study was an update to our first analysis of EHR-related claims, a review of 97 claims that closed from January 2007 through June 2014.”
Another study published by the Journal of Patient Health studied more than 300,000 cases. Although it found that less than 1% of the total (248 cases) involved technology mistakes, more than 80% of those suits alleged harms of medium to intense severity. The researchers stressed that the 248 claims represented the “tip of an iceberg” because the vast majority of EHR-related cases, even those involving serious harm, never generate lawsuits.
Of those 248 claims that may have been the result of EHR-related mistakes, 31% were medication errors. For example, a transcription error in entering the data from a handwritten note. Diagnostic errors contributed to 28% of the claims. Inability to access records in an emergency setting accounted for another 31%. But systems aren’t entirely to blame. User error — such as data entry and copy-and-paste mistakes and alert fatigue — is also a big problem, showing up in 58% of the claims reviewed. Boo!
- Avoid copying and pasting; beware of templates.
- Do not just assume the EHR technology is correct. Cross check.
- Self audit
II. Possible Audit Exposure for Accepting EHR Incentive Payments
Not only do providers need to be careful in using the EHR technology, but if you did attest to Medicare or Medicaid EHR incentive programs, you may be audited.
In June 2017, the Office of Inspector General (OIG) audited CMS and its EHR incentive program. OIG found that “CMS did not always make EHR incentive payments to EPs [eligible professionals] in accordance with Federal requirements. On the basis of [OIG’s] sample results, [OIG] estimated that CMS inappropriately paid $729.4 million (12 percent of the total) in incentive payments to EPs who did not meet meaningful use requirements. These errors occurred because sampled EPs did not maintain support for their attestations. Furthermore, CMS conducted minimal documentation reviews, leaving the self-attestations of the EHR program vulnerable to abuse and misuse of Federal funds.”
OIG also found that CMS made EHR incentive payments totaling $2.3 million that were not in accordance with the program-year payment requirements when EPs switched between Medicare and Medicaid incentive programs.
OIG recommended that CMS review provider incentive payments to determine which providers did not meet meaningful use requirements and recover the estimated $729,424,395.
What this means for you (if you attested to EHR incentive payments) –
Be prepared for an audit.
If you are a physician practice, make sure that you have the legally adequate assignment contracts allowing you to collect incentive payments on behalf of your physicians. A general employment contract will , generally, not suffice.
Double check that your EHR program was deemed certified. Do not just take the salesperson’s word for it. You can check whether your EHR program is certified here.
If you accepted Medicaid EHR incentive payments be sure that you met all eligibility requirements and that you have the documentation to prove it. Same with Medicare. These two programs had different eligibility qualifications.
Following these tips can save you from a spine-tingling trick from Pennywise!
Electronic health records or EHR have metamorphosed health care. Choosing a vendor can be daunting and the prices fluctuate greatly. As a provider, you probably determine your EHR platform on which vendor’s program creates the best service notes… or which creates the most foolproof way of tracking time… or which program is the cheapest.
But…what’s in YOUR contract can be legally deadly.
Regardless how you choose your EHR vendor, you need to keep the following legal issues in mind when it comes to EHR and the law:
Regulatory and Clinical Coverage Policy Compliance
Most likely, your EHR vendor does not have a legal degree. Yet, you are buying a product and assuming that the EHR program complies with applicable regulations, rules, and clinical coverage policies – whichever are applicable to your type of service. Well, guess what? These regulations, rules, and clinical coverage policies are not stagnant. They are amended, revised, and re-written more than my chickens lay eggs, but a little less often, because my chickens lay eggs every day.
Think about it – The Division of Medical Assistance (DMA) publishes a monthly Medicaid Bulletin. Every month DMA provides more insight, more explanations, more rules that providers will be held accountable to follow.
Does your EHR program update every month?
You need to review your contract and determine whether the vendor is responsible for regulatory compliance or whether you are. If you are, should you put so much faith in the EHR program?
You are required to maintain your records (depending on your type of service) anywhere from 5-10 years. Let’s say that you sign a four year contract with EHR Vendor X. The four years expires, and you hire a new EHR vendor. You are audited. But Vendor X does not allow you access to the records because you no longer have a contract with them – not their problem!
You need to ensure that your EHR contract allows you access to your documents (because they are your documents) even in the event of the contract expiring or getting terminated. The excuse that “I don’t have access to that” does not equal a legal defense.
This is otherwise known as the “Blame Game.” If there is a problem with regulatory compliance, as in, the EHR records do not follow the regulations, then you need to know whether the EHR vendor will take responsibility and pay, or help pay, for attorneys’ fees to defend yourself.
Like it or not, the EHR vendor does not undergo audits by the state and federal government. The EHR vendor does not undergo post and pre-payment reviews for regulatory compliance. You do. It is your NPI number that is held accountable for regulatory compliance.
You need to check whether there is an indemnification clause in the EHR contract. In other words, if you are accused of an overpayment because of a mistake on the part of the vendor, will the vendor cover your defense? My guess is that there is no indemnification clause.
HIPAA laws require that you minimize the access to private health information (PHI) and prevent dissemination. With hard copies, this was easy. You could just lock up the documents. With EHR, it becomes trickier. Obviously, you have access to the PHI as the provider. But who can access your EHR on the vendor-side? Assuming that the vendor has an IT team in case of computer issues, you have to consider to what exactly does that team have access.
I recently attended a legal continuing education class on data breach and HIPAA compliance for health care. One of the speakers was a Special Agent with the FBI. This gentleman prosecutes data breaches for a living. He said that hackers will pay over $500 per private medical document. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014. Stolen health care information is 10 times more valuable than your credit card information.
Obviously, I am exaggerating here. I do not believe that The Walking Dead is real and in our future. But here is my point – You are held accountable for maintaining your medical records, even in the face of an act of God or terrorism.
Example: It was 1996. Provider Dentist did not have EHR; he had hard copies. Hurricane Fran flooded Provider Dentist’s office, ruining all medical records. When Provider Dentist was audited, the government did not accept the whole “there was a hurricane” excuse. Dentist was liable for sever penalties and recoupments.
Fast forward to 2017 and EHR – Think a mass computer shutdown won’t happen? Just ask Delta about its August 2016 computer shutdown that took four days and cancelled over 2000 flights. Or Medstar Health, which operates 10 hospitals and more than 250 outpatient facilities, when in March 2016, a computer virus shut down its emails and…you guessed it…its EHR database.
So, what’s in YOUR contract?