Skip to Content

Electronic Health Records: The Cut and Paste Debate

on Friday, 21 November 2014 in Health Law Alert: Erin E. Busch, Editor

Two years ago, in September, 2012, the U.S. Attorney General and the Secretary of Health and Human Services issued a joint letter seeking cooperation from the America Hospital Association and other health care associations, to ensure that electronic health records (EHR) were not used to inflate claims to the Medicare and Medicaid programs. The letter identified potential problems including “cloning” of medical records and upcoding the intensity of care or severity of patient condition as a means to profit, with no commensurate improvement in the quality of care. A particular concern raised in the letter was the practice of cutting and pasting information from a different record of the same patient, without verifying patient care information individually and on each occasion. The letter resolved to ensure payment accuracy and prevent and prosecute health care fraud.

The Office of Inspector General (OIG) addressed the topic of EHR integrity on December 17, 2013, with the issuance of Top Management and Performance Challenges. The eighth identified management challenge is “Effectively using Data and Technology to Protect Program Integrity.” The OIG identified cut and paste and auto-fill templates as risks that may be used to mask the true authorship of medical records and distort information to inflate health care claims. The OIG reported that hospitals that received Medicare incentive payments in 2012 for adoption of EHR indicated that nearly all such hospitals had recommended audit functions, but they may not use them to their fullest. Nearly half of the hospitals reported being able to turn off their audit logs. Few hospitals reported using audit logs to identify potentially fraudulent or abusive practices.

According to the OIG report, the Centers for Medicare and Medicaid Services (CMS) intends to develop guidelines to ensure appropriate use of the copy and paste feature in EHRs. CMS does audit providers who receive EHR incentive payments regarding accuracy of their attestations to performance of risk analyses. OIG recommended that if the National Coordinator for Health Information (“ONC”) includes fraud and abuse safeguards in the meaningful use criteria, these audits may be a tool for government oversight.

In a separate OIG report published in December, 2013, entitled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology,” the OIG identified EHR features that could result in poor data quality or fraud, if poorly designed or used inappropriately:

  • Copy-pasting, also known as cloning, allows users to select information from one source and replicate it in another location.
    • When clinicians copy-paste information, but fail to update it or ensure accuracy, inaccurate information may enter the medical record and inappropriate charges may be billed to patients and third party payers.
    • Inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.
  • Overdocumentation is the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services.
    • Some EHR technologies auto-populate fields when using templates built into the system.
    • Other systems generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider, may be inaccurate.
    • Such features can produce info suggesting the practitioner performed more comprehensive services than were actually rendered.

OIG has also taken an interest in the audit practices of CMS contractors with regard to EHR and monitoring of potential fraud and abuse. OIG reports that fewer than one-fourth of Medicare contractors responsible for detecting Medicare fraud are searching for EHR-specific fraud. Of the MACs, responsible for processing and paying Medicare claims, only one-fourth perform EHR-specific fraud identification procedures. Of ZPICs, responsible for detecting and deterring Medicare fraud, fewer than one-third apply such procedures. One-fourth of MACs regularly confirm physician electronic signatures on claims and request EHR protocols. Fewer than one-third of ZPICs request information on EHR systems when reviewing claims. RACs reported conducting reviews of EHR just as they review paper records. Audit logs could be used to determine if EHR data was inputted uniquely or cut and pasted. But only one-half of CMS contractors can identify copied language in an EHR. By contrast, eleven out of eighteen contractors could identify copied language in a paper record.

The OIG has recommended to CMS that it issue formal guidance to contractors on detecting fraud associated with EHRs, and that it instruct contractors to review EHR audit logs and other metadata to better uncover fraudulent claims

Interestingly, the ONC contracted in 2006 with RTI International to develop recommendations to enhance data protection in order to increase data validity, accuracy and integrity; and to strengthen fraud protection in EHR technology. So fourteen recommendations from RTI have been in place during this critical period of EHR development nationwide. Some of these recommendations have found their way into the criteria for certification of EHR for meaningful use incentives. The fourteen RTI recommendations are:

Audit Functions:

  1. Require use of an audit log function and specify audit log operation and content for tracking EHR updates
  2. Require that the methods for update to an EHR be documented and tracked (i.e., copy/paste, direct entry, import)
  3. Require that the user ID of the original author be tracked when an EHR update is entered “on behalf of” another author (distinguish entries made by an assistant and a provider)
  4. Require that EHR technology be able to record and indicate the method used to confirm patient identity (i.e., photo ID or prior relationship)
  5. Require that original EHR documents be retained after they are signed off and modifications be tracked as amendments

User Authorization and Access Controls:

  1. Require the use of user IDs and passwords to restrict unauthorized access to EHRs
  2. Require the use of a provider’s National Provider Identifier to restrict EHR access and track updates to EHRs by author
  3. Require that EHR technology support an “auditor” class of user to have read-only access to patient records

Data Transfer Standards:

  1. Require that a document ID tracking number be generated and attached to an EHR any time an EHR is exported (i.e., printed or electronically communicated)
  2. Require that EHRs be exchanged using certain data standards (encryption) to ensure that data have not been altered during transmission
  3. Require that EHR technology have the capacity to directly capture clinical information in structured and coded data and not impact EHR user productivity

Patient Involvement in Anti-fraud:

  1. Require that patients be able to access and comment within their EHRs


  1. Require that information transmitted for payment of claims be accurately linked and tracked to the appropriate EHR
  2. Require that EHR technology not prompt an EHR user to add documentation but be able to alert a user to inconsistencies between documentation and coding

Not surprisingly, the American Medical Association has taken issue with suggestions that auto-fill templates and cut and paste practices are indicative of fraud. Soon after the September, 2012 letter from the US Attorney General and the Secretary of HHS, the Chairman of the American Medical Association defended physician integrity in a four-hour “listening” session sponsored by CMS and the ONC, stating that EHR systems are not optimized to the users’ needs; they often impede provision of care. Dr. Stack asked the ONC to add usability criteria to its testing and certification program for EHR vendors and provider incentives for meaningful use of EHR systems. Dr. Stack explained that EHR systems are a widespread source of frustration for physicians, and that it can be “pure torment” for physicians to select each item on a template. He noted that in order to avoid tedious processes, macros can fill in predetermined fields for patients with similar conditions. He added that another circumvention is cutting and pasting historic patient information from a previous record into a new record. He argued that these shortcuts make a physician more efficient, but none of them constitutes fraud.

Dr. Stack stated that, prior to EHR, variation in medical records was a bugaboo, but now overwhelming homogeneity resulting from templates, macros and cut and paste is viewed by payers and the compliance community with suspicion. He called it “an appalling catch-22” to force physicians to re-engineer variation into their records simply to pass compliance standards.

Dr. Stack has since become President-elect of the AMA. On September 19, 2014, he announced eight usability priorities for EHR in order to help physicians care for their patients:

  1. Enhance physicians’ EHR as designed to fit seamlessly within the practice.
  2. Support team-based care to facilitate clinical staff to perform work and allow physicians to dynamically allocate and delegate work to appropriate members of the care team.
  3. Promote care coordination including the ability to automatically track referrals and consultations.
  4. Offer product modularity and configurability that provide flexibility to individual practice requirements.
  5. Reduce cognitive workload by supporting medical decision-making and promoting concise and real-time data adjusted for context, environment and user preferences.
  6. Promote data liquidity by facilitating interoperability across different providers and settings, including incorporating external data from other systems into the longitudinal patient record.
  7. Facilitate digital and mobile patient engagement for health and wellness and chronic disease management.
  8. Expedite user input into product design and post-implementation feedback.

It is clear that the controversy surrounding the integrity of EHR will continue. Providers can expect CMS guidance to contractors on monitoring EHR integrity, which will affect the flow of inquiries and other requests for information in support of claims. Physicians would be well-advised to be cautious in their use of cut and paste practices as well as auto-fill templates. Resulting records should be carefully scrutinized to ensure accuracy and that they do not suggest that a higher level of service was performed than in actuality.

Barbara E. Person

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500