Skip to content Skip to navigation

Enforcement of audit trails missing from EHR guidelines

December 31, 2013
by Richard R. Rogoski
| Reprints

As more and more long-term care facilities adopt electronic health records (EHRs) and electronically bill Medicare for their services, protecting against fraud is as much a concern as protecting the data that flows through these systems. But a report by the Department of Health and Human Services (HHS) found that in many instances providers can bypass or disable certain features that were designed specifically to avoid EHR fraud. Such fraud, which is estimated to cost the healthcare industry between $75 billion and $250 billion each year, can result from a number of practices including copy-pasting, over-documentation or tampering with audit functions.

One traditionally accepted safeguard is the use of audit logs. According to the report, "An audit log can be used to analyze historical patterns that can identify data inconsistencies. To provide the most benefit in fraud protection, audit logs should always be operational while the EHR is being used and be stored as long as clinical records. Users should not be able to alter or delete the contents of the audit log."

However, in looking at EHR usage within 864 hospitals surveyed, HHS found that while nearly all hospitals had audit functions in place, most were not using them to their fullest extent and some were deleting their audit logs too quickly. 

In addition, HHS discovered that providers—not just system administrators or EHR vendors—have the ability to disable or edit their audit logs at any point. In light of that finding, HHS recommends that providers be required to keep the audit log operational whenever EHR technology is available for updates or viewing.