Because electronic health record (EHR) workflows may not have been set up properly to ensure compliance with certain Medicare regulations, some classic compliance risks may carry over.[1] “We are seeing this across the country,” said Nancy Perilstein, specialist senior manager at Deloitte & Touche. Here’s a list of risks for hospitals to consider as they develop or change their EHR systems, according to Christine Anusbigian, specialist senior manager at Deloitte & Touche; David Yarin, a principal at Deloitte & Touche; and Perilstein. Contact Anusbigian at canusbigian@deloitte.com, Perilstein at nperilstein@deloitte.com and Yarin at dyarin@deloitte.com.
EHR Risk Checklist
As many as 3,000 acute care hospitals have implemented or exchanged electronic health records (EHR) in recent years. While regulatory compliance issues are similar, EHRs—as a different platform than their predecessors—require new means of assessing and mitigating regulatory compliance risk. Steps can be taken to proactively establish controls and workflows that will mitigate risks.
Controls include workflows to route documentation for additional attestations or signatures, hard stops that prevent billing without required documentation, supporting policies and procedures, and testing of interfaces.
Compliance area | Description |
---|---|
Physician orders | Orders are signed by physician or nonphysician practitioners where required by regulatory guidance, such as diagnostic procedures, drug orders and ancillary services. Orders entered by nonphysician personnel—such as verbal orders, telephone orders and per protocol orders—should be verified to be compliant with regulatory guidance and internal policies, including entry only by approved personnel and routing for physician signature within time frames per regulatory (including state board of pharmacy) and/or hospital requirements. |
Orders for patient status | Controls to verify that signed physician admission orders are in place and timely and consistent with patient status and regulatory requirements (inpatient, outpatient/observation). |
Services outside of acute care hospital | Workflows designed to support the specific regulatory requirements for services that are not hospital based, such as psychiatric hospital, rehabilitation hospital, home health, hospice, and outpatient dialysis. Examples are certifications signed within specific time frames, recertifications, election notices, standing orders and others. |
Critical values | Flagging of abnormal results or critical values and routing to the patient’s physician with verification of appropriate follow-up, including communication to the patient. |
Teaching physician | Workflows established to allow for attestations in accordance with Medicare, Medicaid and other payor requirements. |
Nonphysician practitioner | Controls to support accurate incident-to and split/shared billing for NPP services in allowed settings (place of service), following workflows and requirements specific to each payor. |
Templates | Physician documentation templates are reviewed and approved by HIM and compliance to support complete, accurate and compliant documentation. |
Copy/paste/cloning | Copying notes from prior dates or other providers can allow for efficient documentation but can also lead to errors if not closely reviewed and monitored. |
Access rights/credentialing | Establish access rules to various system functions specific to role and credential. Verify credentialing system is in sync with EMR so that only appropriately credentialed individuals have EMR access. Routine review of access rights and process to remove access when the individual is terminated, changes positions or no longer needs access. |
System interfaces | Separate systems may interface within the EMR such as lab and pharmacy. Correct and tested mapping supports accurate and complete billing. |
Reflex testing | Set up as approved by Medical Executive committee, medically necessary and ordered by the treating physician. |
Electronic signatures | Electronic signatures should include provider credentials and clearly indicate that the documentation has been electronically authenticated, with verification that only authorized providers have access to sign with username and password. |
Advance beneficiary notices (ABN) and notice of noncoverage | Electronic means to identify, based on procedure and diagnosis, whether a service or item is covered under payor guidelines. Process should be in place to ensure accuracy and updating as policies are revised. |
Organization of scanned documents | Conventions should be established around labeling and dating of scanned documents so that they can be easily identified and retrieved (e.g., scanned provider notes, paper orders, lab reports from outside labs). |
System edits and alerts | To include, but not limited to, design of clinical decision alerts, hard stops, soft stops, drop downs, payor-specific billing requirements, bundling, order sets, modifiers, units of service, place of service, and coverage requirements that meet each payor’s requirements. |
System upgrades | Transfer of information required for ongoing management of patients as well as maintaining and storing documentation from legacy system. |
Copyright © 2020 Deloitte Development LLC. All rights reserved.