Princeton Insurance Company

 

Is Your Electronic Health Record Structured to Provide You With Legal Protection?

Billing and Clinical Systems Integrity

An EHR or EMR system must either interact electronically with its own fully integrated practice management system, or exchange specific information with a compatible practice management system through an interface. A major source of risk in integrated or linked EHR and practice management systems is how they manage tentative or incomplete actions, such as an encounter in progress that is left incomplete, or the ordering of a test usually performed in the office. Systems that generate a billing event for an incomplete action can inadvertently lead to claims of fraudulent billing. For example, a urinalysis is ordered, the patient cannot void, but the system dutifully bills for the ordered test anyway, and the medical practice gets paid for a service never delivered.

 

Once a practice or organization has a computerized set of processes in place, an auditor can come to the physician’s office or hospital facility, access all of the Medicare charge events from the practice management system (or the explanations of benefits from the last few months), and then review the documentation in the EHR. By checking the date and time stamps, the auditor can verify when the providers actually completed the documentation and compare those documentation time stamps to the service submission dates in the billing system or explanations of benefits (EOBs). One EHR system actually shows, on its face sheet, a list of all of the encounters that have been sent to billing but do not have closed or completed documentation. This is a government auditor’s dream come true when identifying false claims (Trites and Gelzer, pp. 3-4).
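A practice can run the same comparison internally before an auditor does. The following is an added example, not part of the original article or of any vendor's system: it reconciles charge events against encounter documentation and flags charges the record does not support. The record layout, field names and service labels are assumptions, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample records; field names and service labels are assumptions.
CHARGES = [
    {"charge_id": "C1", "encounter_id": "E100", "service": "OFFICE_VISIT", "submitted": "2008-03-03T17:00"},
    {"charge_id": "C2", "encounter_id": "E101", "service": "OFFICE_VISIT", "submitted": "2008-03-04T12:00"},
    {"charge_id": "C3", "encounter_id": "E102", "service": "URINALYSIS", "submitted": "2008-03-05T16:00"},
    {"charge_id": "C4", "encounter_id": "E103", "service": "OFFICE_VISIT", "submitted": "2008-03-06T08:00"},
    {"charge_id": "C5", "encounter_id": "E999", "service": "OFFICE_VISIT", "submitted": "2008-03-06T09:00"},
]
# doc_closed: when the provider closed the documentation (None = still open).
# performed: services the closed note records as actually delivered.
ENCOUNTERS = {
    "E100": {"doc_closed": "2008-03-03T15:30", "performed": {"OFFICE_VISIT"}},
    "E101": {"doc_closed": None, "performed": {"OFFICE_VISIT"}},
    "E102": {"doc_closed": "2008-03-05T09:00", "performed": {"OFFICE_VISIT"}},  # test ordered, never done
    "E103": {"doc_closed": "2008-03-07T10:00", "performed": {"OFFICE_VISIT"}},
}

def reconcile(charges, encounters):
    """Return {charge_id: [findings]} for charges the documentation does not support."""
    flagged = {}
    for c in charges:
        findings = []
        enc = encounters.get(c["encounter_id"])
        if enc is None:
            findings.append("no matching encounter")
        else:
            if c["service"] not in enc["performed"]:
                findings.append("service not documented as performed")
            if enc["doc_closed"] is None:
                findings.append("documentation still open")
            elif datetime.fromisoformat(enc["doc_closed"]) > datetime.fromisoformat(c["submitted"]):
                findings.append("billed before documentation closed")
        if findings:
            flagged[c["charge_id"]] = findings
    return flagged

if __name__ == "__main__":
    for charge_id, findings in reconcile(CHARGES, ENCOUNTERS).items():
        print(charge_id, "; ".join(findings))
```

Charges flagged here are candidates for correction or hold before submission; the urinalysis case from the previous section appears as C3.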

 

Privacy and Security Safeguards Functional Requirement

The first two years (2005 and 2006) of certification criteria from the Certification Commission for Healthcare Information Technology (CCHIT; see our previous issue) did not ensure that certified systems complied even with basic HIPAA Security and/or Privacy Rules. CCHIT Criteria for 2007 and projected for 2008 will address this, so that to be certified, systems must comply with basic HIPAA Security and Privacy Rules. However, if a user purchased a system in 2007 (or earlier) which was not certified at least according to 2007 criteria, then it is possible that such a system may not even ensure HIPAA compliance. The ability to perform or retrieve audits on the information entered; who entered, viewed, or altered information; and what information has been retrieved or printed from the system is paramount to complying with the HIPAA Privacy and Security Rules, as well as to defending oneself or one’s practice in a professional liability action. This one element is significant to proving or disproving an allegation of misuse or malpractice. So just because a system is “certified,” that doesn’t mean that it will meet all of the requirements of existing laws or regulations, nor will that relieve prospective buyers and users of systems from undertaking thorough due diligence and compliant work processes (Trites and Gelzer, p. 11).

 

Conclusions and Recommendations

Physicians using an EHR must understand its functions and what it does, does not, or perhaps even cannot do: as an authenticating documentation system, as a system that interacts with an integrated or linked practice management system, and as a system that is protective (or not so protective) of patients’ rights to privacy, confidentiality and security of their personally identifiable medical information.

 

The purpose of this brief article is certainly not to discourage the appropriate use of electronic records, but rather to ensure that those that are used meet these basic functional requirements to protect both physicians and their patients from a variety of avoidable legal risks, while facilitating the delivery of higher quality, safer and efficient care.

 

 

Summary of Key Points

 

· The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization.

· There are three key functional requirements which electronic health and medical records must meet to be considered “legal”: Authentication, Systems Integrity and Privacy/Security Protection. Use of systems failing to meet these functional requirements may result not only in greater malpractice liability, but also greater vulnerability to claims of fraud and violations of privacy, security and confidentiality according to HIPAA Rules.

· Authentication refers to an EHR or EMR’s ability to demonstrate that the information is accurate and unaltered. Records of alterations are considered supportive data, which the user can, if needed, inspect for purposes of validation. This “data about data” is often referred to as “metadata.”

· Physicians whose practice management and electronic health or electronic medical records interact should make sure that these systems don’t automatically bill for services in advance of their actual occurrence. Otherwise, they may be vulnerable to charges of fraud, if those events in fact do not occur.

· The ability to perform or retrieve audits on the information entered; who entered, viewed or altered information; and what information has been retrieved or printed from the system is paramount to complying with the HIPAA Privacy and Security Rules, as well as to defending oneself or one’s practice in a professional liability action. EHR systems need to have been certified at least according to the 2007 criteria of the Certification Commission for Healthcare Information Technology (CCHIT) to have any degree of assurance that they comply with these HIPAA rules. Even then, prospective buyers should make their own independent determinations of this compliance.

 

 

 

©2008 Risk Review