Copy & Paste: Is It Fraud or Not?

imagesElectronic medical records require a lot of interaction on the part of physicians and other providers to get all necessary information entered. There are drop down menus, boxes to check, and other information to fill in. With the well documented complaints about impact on workflow, a number of workarounds have been mentioned for a long time. Foremost among the workarounds is the use of copy and paste. Copy and paste can come in many forms including taking the entire contents of one note and bringing it forward, using templates to fill in predetermined information based upon a set of standards, or other similar uses. The premise is to make use of the EMR easier and more user-friendly. However, like most actions within healthcare, there are risks.

Let’s explore the benefits and arguably permissible uses of copy and paste first.  On the positive side, copying and pasting through the use of templates lets providers input a baseline of information, such as all normal results in a systems check. For example, a fact sheet produced by the Centers for Medicare and Medicaid Services suggests that templates or auto-fill can improve physician documentation and lead to more complete information being included in the medical record. An appropriately utilized template can potentially prompt the physician to include relevant information from a patient examination, which in turn ensures a fuller picture of the patient is present for future visits. Such positives can be achieved through careful, considerate and deliberate use of templates.

While the positives suggest the ability to enhance patient care, there are also numerous negatives. For example, the Office of the Inspector General has made its position well-known that copy and paste functionality can lead to fraud and abuse. The argument is that copying and pasting from one note to another can result in additional information being included resulting in claims being coded at a higher than justified level. The argument rests upon an assumption that information not actually collected or services not rendered would be included and billed. Such an assumption to some degree assumes guilt as opposed to innocence in provider activities. Such usage would more accurately be described as cloning and could lead to complications. Trying to be optimistic, hopefully the majority of providers are not using copy and paste functionality with an intent to defraud a governmental or private payor.

Another less obvious drawback from copy and paste is the creation of confusion within a medical record. If information is continuously carried forward, it may be difficult to determine when the information was first collected and whether the information is still accurate. Such a scenario could arise where copy and paste is used, but then not modified to reflect a patient’s current status or if it is used to build upon prior information in a repeating and lengthening record. Either way, the muddying of the medical record could give rise to potential liability in the event of an adverse patient outcome. For example, the confusing medical record could make it difficult to demonstrate that a standard of care was met or be the root cause for a bad outcome. Both scenarios are not ones that a physician or other provider would want to discover in the context of litigation.

Much more could be said about the benefits and dangers of copy and paste. Many will and likely do use the functionality. The key is to be considerate in such usage and not use it as an excuse to be complacent.

Posted in Business, CMS, Compliance, EHR, EMR, Health IT | Tagged , , , , | Leave a comment

To Record or Not to Record: Should Visits Be Taped?

Recordingphoto2-185x185A patient walks into a physician’s exam room with an ever present smartphone or another digital device. The patient is especially concerned for the information that could be discussed during this visit and wants to be sure that they can remember everything that is discussed and presented during the visit. With that in mind, when the physician walks into the room, the patient asks, “Can I record this visit?” With that question, the physician is not sure how to respond.

Traditionally, the response would often be an absolute refusal to permit recording of a visit. Fears over liability or misapplication of the information at a future time were primary drivers for the response. The liability fears can be summarized as follows: a recording can capture everything that is said; some piece of information could be misstated or mistakenly left out; the missing information was a key issue and was arguably connected to some harm the patient suffered; after suffering the harm the patient listens to the recording and decides to do something against the physician; and lastly the patient uses the recording against the physician in the legal action. That chain of feared events stems from a recording coming back to haunt the physician. The other side of the coin would be a patient listening to what the physician says while at home, not fully comprehending everything or only picking out certain bits of information and pursuing a course of action not suggested by the physician. In both instances, the fear of the physician is that the recording will hurt the patient and then the physician will be blamed.

While that is the traditional response, things are beginning to change. Some physicians are becoming more open and accepting of recordings now. The changing attitude makes sense because recording can be analogized to Open Notes or any other movement to more actively engage and involve patients. From this perspective, a recording can be a tool to help promote better health when the patient spends the majority of their life outside the physician’s office or otherwise interacting with the physician. Arguably a recording could be used to clear dictate out the steps a patient needs to follow or be used as a reminder of issues discussed. The recording could encourage clearer communication and focus on breaking ideas down so everyone really understands.

Before hitting record though, there are still issues to consider. First, is the recording going to occur out in the open. Specifically, is the patient asking the physician if recording is ok, or is the patient doing the recording without the physician’s knowledge? This question anticipates the next point of discussion, a general overview of wiretapping laws, but raises a different question before getting there. If the physician is unaware of what is occurring, is a breach of trust occurring? If one party to a conversation does not know what is happening and later learns what did in fact happen, there can be irreparable damage to the relationship. Since the patient and physician relationship is one fundamentally built upon trust, deliberately undermining that foundation seems counterproductive.

The response to the whether a visit can be recorded question also implicates wiretapping laws. Each state has its own version, so parties will need to know what their own state permits. However, the laws can generally be broken into two categories: one party consent and all party consent. One party consent laws only require one party to a conversation to consent to the recording. In a situation where one party wants to record, that consent will always be present. As such, one party consent laws could permit secret recordings since the party doing the recording is ok with it occurring. All party consent laws require all parties to a conversation to consent to the recording. All party consent laws are the genesis for the message everyone gets when calling any company that says this call may be recorded. The party using that message is notifying of its consent to recording and by staying on the line, the other party is implicitly agreeing to a recording.

Taking the types of wiretapping laws into the physician exam room, knowing what your state allows becomes very important if there is a concern about recording. If the physician is in an all party consent state, then the patient needs to ask and the physician can then decide what to do. In a one party consent law, that option is pretty much rendered moot. What can be done? As with most issues, having a policy can alleviate many of the issues. Developing a policy forces the physician and the practice to think about the issues and determine feelings about recordings. A policy can then be used to proactively inform everyone coming into the practice of what will be permitted. Further, if a patient or other person does not comply with the policy, then a firmer basis exists for taking action to stop the disfavored behavior.

With some of the legal issue on the table, the question still comes back to should a recording be allowed. While some may hope for a clear answer to that question, it really depends. The determination depends upon the feels of the physician and patient and the nature of each relationship. Ultimately, raising the issue and having an open, frank discussion will often be best. That way each side can hear the other out and hopefully come to a consensus.

Posted in Business, Compliance, Health IT, Physicians, State Law | Tagged , , , , , | Leave a comment

Rocket Pace, But To Where?

sea-2312623_640Not a day goes by (or many posts on The Pulse Blog) without a discussion of the rapid increase in data breaches impacting the healthcare industry. Information and statistics in this regard are inescapable. For instance, the so-called “Wall of Shame,” which is the public posting of breaches, recently crossed the 2,000 breach threshold.  The Wall of Shame first came online in 2009 and took almost five years to hit the 1,000 barrier, but just another 3 years to hit 2,000. Clearly, the data show more breaches are happening and more frequently.

The previous statement about more data concerning breaches though is a fairly recent development. While the Wall of Shame has now been around since 2009, there has not been a consistent, comprehensive source for information about healthcare data breaches. Sources are developing though, with the Protenus Breach Barometer being one of my favorites. The Breach Barometer is typically published on a monthly basis and highlights totals of known breaches from the previous month. Tracking the Breach Barometer reveals trends, which were highlighted in the recent mid-year Breach Barometer.

The highlights from the mid-year Breach Barometer are that insider issues and hacking incidents account for the vast majority of incidents. Insider issues can be broken into two large categories: inadvertent mistakes and malicious activities. The inadvertent mistakes could be sending to the wrong address, an email error or some other unintentional act. To some degree, the inadvertent mistakes are unavoidable because no one can be perfect. A key with an inadvertent mistake is to catch the problem early, which can enhance the impact of any resulting mitigating act. While inadvertent mistakes are arguably a part of human nature, preparing individuals with comprehensive, consistent and ongoing education and training may reduce the risk. When individuals are aware of an issue and know how to address it, the likelihood of occurrence can be reduced as well as building in a natural response.

The second side of insider breaches, malicious intent, is harder to control for because, as the name implies, the individual has some bad intent that will motivate attempts to get around defenses. When malicious intent is present, the individual is clearly trying to profit individually or through organized efforts. The bottom line though is a willful disregard for an organization’s policies and the requirements of law and regulation. Awareness of the growing number of malicious intent incidents is the first step in combatting and stopping or preventing. Up until a couple of years ago, stories that individuals were stealing medical information to sell for profit or otherwise taking advantage of trusted information were rare. Unfortunately, that is no longer the case. Multiple times per year a story of a criminal prosecution or other outcome are reported. Further, malicious intent breaches can often take the form of a “small” breach where only one or a few individuals have their information accessed. Many times, such breaches are done because the individuals know each other, or some personal relationship influences a decision. Small breaches were well-documented in a December 2015 ProPublica article, but it is unclear what, if any, change has resulted.

Even though the malicious intent is designed to elude preventive efforts, tools and methods do exist to help address. For instance, organizations would be well advised to regularly monitor and audit medical record access. Such efforts are arguably easier for electronic medical records because a log file is often present and some portions of the review can be automated. However, it is unclear how well such efforts are undertaken. Additionally, specific records, such as a “V.I.P.” patient, could be reviewed when a higher degree of concern could be present. Ensuring access is appropriate is a baseline requirement under HIPAA, so the organizational ask is not going too far.

Hacking, the other major reason for an increased number of data breaches is harder to address. Suffering a hacking attack is largely beyond a single organization’s control. It is a sad but true reality that hackers and other outsiders with bad intent are likely more sophisticated technologically. While the disparity may exist, organizations should not resign themselves to being hacked. Intrusion can be made more difficult by implementing countermeasures, regularly updating and being proactive. Further, no organization should be deluded that it is too small to be attacked. Practices of all sizes, whether single practitioners to multi-state systems, have been attacked and will continue to be attacked.

Despite the increasing frequency of attacks and reports, it is a time for optimism. Why is optimism justified? Because data breaches (though usually just hacking or ransomware) garner major news headlines and are a topic of frequent discussion. Additionally, more sources are quantifying, examining and breaking down the breaches. As such, the explosion of healthcare data is not just the medical information, but how that information is being used and how it is vulnerable. As more analyses are conducted and distributed, all will benefit. A data breach is not suffered by an organization alone and quiet, but, for better or worse, out in the open. The ability to collectively learn from each incident is one of the reasons for optimism about the future. The first step to doing something is to be aware.

What will happen in the future? No answer can be known today. However, my honest feeling is that healthcare as an industry and organizations as individuals do care about protecting healthcare information. No one is satisfied with a reality where more than one breach per day is occurring. Such consistent failings of trust are not acceptable, especially when that reality can be influenced through easily controlled actions. It is easy to complain and highlight the issues without applauding the everyday work that is improving the situation. It is important not to forget the progress that has been made and the efforts that are ongoing. It is impossible to expect that all breaches will be stopped, but we should at least bring the number down and that groundwork exists.

Posted in Healthcare, HIPAA, Physicians, Regulations | Tagged , , , , , | 1 Comment