1

AUDITING AN AUDITING AN ELECTRONIC MEDICAL RECORDLORI LAUBACH, PARTNERLORI LAUBACH, PARTNERSTEVE SHOFNER, MANAGERMOSS ADAMS LLP

AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia PAwww.ahia.org

Agendag

Documentation Risks in an EHRDocumentation Risks in an EHRAHIMA Areas of Concern Other Areas of Concern

Confidentiality & AccessData integrityData access and Reporting Meaningful UseThoughts on PoliciesAuditing or Monitoring

From Testimony of L i M i OIG“For example, electronic health records (EHR) may not only

3

Lewis Morris, OIGp , ( ) y y

facilitate more accurate billing and increased quality of care, but also fraudulent billing. The very aspects of EHRs that make a physician’s job easier cut and paste features and templatesphysician s job easier—cut-and-paste features and templates—can also be used to fabricate information that results in improper payments and leaves inaccurate, and therefore potentially dangerous, information in the patient record. And because the evidence of such improper behavior may be in entirely electronic form, law enforcement will have to develop new investigation , p gtechniques to supplement the traditional methods used to examine the authenticity and accuracy of paper records. “

http://oig.hhs.gov/testimony/docs/2011/morris_testimony_07122011.pdf

AHIMA A f CAHIMA Areas of Concern1

Documentation RisksAHIMA Areas of ConcernAHIMA Areas of Concern

1. Authorship integrity risk: Borrowing record entries from another source or author and representing or displaying past as current documentation, and sometimes misrepresenting or , p ginflating the nature and intensity of services provided

2. Auditing integrity risk: Inadequate auditing functions that k it i ibl t d t t h t difi d make it impossible to detect when an entry was modified or

borrowed from another source and misrepresented as an original entry by an authorized user

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_033097.hcsp

Guidelines for EHR Documentation to Prevent Fraud

Documentation RisksAHIMA Areas of ConcernAHIMA Areas of Concern

3. Documentation integrity risk: Automated insertion of clinical g ydata and visit documentation, using templates or similar tools with predetermined documentation components with uncontrolled and uncertain clinical relevanceuncontrolled and uncertain clinical relevance

4. Patient identification and demographic data risks: Automated demographic or registration entries generating Automated demographic or registration entries generating incorrect patient identification, leading to patient safety and quality of care issues, as well as enabling fraudulent activity i l i ti t id tit th ft idi j tifi d involving patient identity theft or providing unjustified care for profit

http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_033097.hcsp

Guidelines for EHR Documentation to Prevent Fraud

1 - Authorship Integrityp g y

Inaccurate representation of authorship of Inaccurate representation of authorship of documentationDuplication of inapplicable information p ppIncorporation of misleading or wrong documentation due to loss of context for users available from the original sourceAbility to take over a record and become the authorInclusion of entries from documentation created by others without their knowledge or consent

Authorship Integrity continued…p g y

Inability to accurately determine services and Inability to accurately determine services and findings specific to a patient’s encounterInaccurate, automated code generation associated Inaccurate, automated code generation associated with documentationLack of monitoring open patient encountersLack of monitoring open patient encountersCut, copy and paste functionalityIncident toIncident to

Copy and Pastepy

Two varieties: Word (Ctrl C)

Computer generatedCo pu e ge e a ed

Concern: Copying and pasting is not noncompliant. It is how the information is

d “ dused or “counted.”

For example, according to Trailblazer's September 30, 2002, bulletin, Medicare is also concerned that the provider's computerized documentation program defaults to a more extensive history and physical examination than is typically medically necessary to perform, and does not differentiate new findings and changes in a patient's

diti ”condition.”

TWO MACs’ Policies on CloningFirst Coast Services Options, Inc.

10

TWO MACs Policies on Cloning

• Cloned documentation does not meet medical necessity requirements for coverage of services rendered due to the lack of specific, individual information. All documentation in the medical record must be specific to the patient and her/his situation at the time of the

t Cl i f d t ti i id d i t ti f th di l encounter. Cloning of documentation is considered a misrepresentation of the medical necessity requirement for coverage of services. Identification of this type of documentation will lead to denial of services for lack of medical necessity and recoupment of all overpayments made.

Cahaba Government Benefit Administrators LLC

• The medical necessity of services performed must be documented in the medical record and Cahaba would expect to see documentation that supports the medical necessity of p pp ythe service and any changes and or differences in the documentation of the history of present illness, review of system and physical examination

LCD guidance on templates

Noridian Administrative Services, LLC11

g p

Documentation to support services rendered needs to be patient specific and date of service specific. These auto-populated paragraphs provide useful information such as the etiology, standards of practice and general goals of a particular diagnosis standards of practice, and general goals of a particular diagnosis. However, they are generalizations and do not support medically necessary information that correlates to the management of the particular patient. Part B MR is seeing the same auto-populated

h i h HPI f diff i C di b paragraphs in the HPIs of different patients. Credit cannot be granted for information that is not patient specific and date of service specific.

Source: https://www.noridianmedicare.com/shared/partb/bulletins/2011/271_jul/Evaluation_and_Management_Services_-_Documentation_and_Level_of_Service_.htm

Copy and Pastepy

Examples:Examples:Nurse was updating her resume (using Word) and copied a portion of her resume into a patient chartED nurse copied part of Patient A’s record into Patient B’s record—drug use and bi-polar diagnoses showed on Patient B’s medical record and billing information

In an EMR, the error never truly goes away

Copy and Paste: Options to Minimize RiskOptions to Minimize Risk

Option 1: Eliminate all (then leave town).p ( )Option 2: Allow all Copy and Paste, but audit and count inappropriate use as an error. Option 3: Hybrid of 1+2:

Eliminate “Copy Previous Note Forward” and other high-risk duplicationduplication.Leave traditional Word copy and paste alone. Count as an error any inappropriate use of the copy and paste functionality (in audits and feedback).

Exploding Notes: Explosive Topicp g p p

Check a box, get a sentence. The same one every time.P f dl blProfoundly troublingExploding notes & Natural Language Processing that

d d i d t th t t d i f tireads and assigns code to the automated informationDoes not sort out Medically Necessary informationEHR Assigns code on word quantity not PERTINENCEEHR Assigns code on word quantity not PERTINENCE

“Things can get even more perilous with the use of exploding notes, the compliance officer E l di l di i l h k ff f ‘ l’ says. Exploding notes or exploding macros means a simple check off of ‘normal’ or

‘negative’ prompts the documentation of a complete organ system exam.”

“Smart Tools” (shortcuts for better documentation)

Smart Sets - Templates for Complete Documentation of S a Se s e p a es o Co p e e ocu e a o o Encounter and related procedures or tests

Allow documentation and coding for entire problem

Smart Text - Problem Specific documentationMore specific problem/guidance

Smart Phrases: “dot” phrases - common pretexted phrases

bmi: (calculates and pulls in last body mass index) .bmi: (calculates and pulls in last body mass index). .nexheart: (pulls in negative exam for CV system).negneuro: (pulls in negative neuro ROS questions)

Exploding Notes: H t Mi i i Ri kHow to Minimize RiskRecommendation: Do not implement non-editable canned pstatements linked to check boxes.

Most physicians do not enjoy coding or documentation. They b h id i li i kembrace shortcuts, not considering compliance risks.

Your role:Point out these competing tensions: short cuts/compliancePoint out these competing tensions: short cuts/compliance

Turn up the light, not the heat!

Mitigate the risk if you do implement note writer functionalityMust have the capability to be edited

Phrases should be in each provider’s own words

2 - Auditing Integrityg g y

Authentication and amendment/correction issuesAuthentication and amendment/correction issuesAddition of more text to the same entryAuto authenticationAuto authenticationLack of monitoring activity logs

AHIMA EHR Guidelines

1 Access control functions1. Access control functionsa) User authenticationb) Extensive privilege assignment andb) Extensive privilege assignment and

control features2 Capability to attribute the entry2. Capability to attribute the entry,

modification or deletion of information to a specific individual or subsystemto a specific individual or subsystem

3. Capability to log all activity

AHIMA EHR Guidelines

4 Capability to synchronize a common date4. Capability to synchronize a common date and time across all components of the systemy

5. Data entry editinga) Verify validity of information on entry whena) Verify validity of information on entry when

possible, b) Check for duplication and conflicts) pc) Control and limit automatic creation of

information

Auditing Access to the Chartg20

Logs who enters, section touched, exit timeg , ,Link at bottom of every note typeSteps:p1) Determine Which Logging Features Should Be Used

Capabilities:2) Assign Responsibility for Auditing of Log Entries and2) Assign Responsibility for Auditing of Log Entries and

Reported Exceptions:3) Define Retention Periods and Procedures for Log Records:4) Determine areas for Monitoring or Auditing for detecting

alleged fraud and abuse related to EMR Documentation:

Sample Audit Trail Report

User Access Module Actions Time stampUser Access Module Actions Time stampFine, Lawrence Encounter View Mon Jan 7, 2008

11:06 AMHoward, Moe Chief Complaint View Mon Jan 7, 2008

11:14 AMi Chi f C l i A 2008Fine, Jerome Chief Complaint Accept Mon Jan 7, 2008

11:32 AMMarx Julius Vitals Section View Mon Jan 7 2008Marx, Julius Vitals Section View Mon Jan 7, 2008

11:38 AMMarx, Julius LOS Activity Accept Mon Jan 7, 2008

12:22 PM

3 - Documentation Integrityg y

Automated insertion of clinical dataAutomated insertion of clinical dataTemplates provide clinical information by default and designgAll templates and auto-generated entries are

potentially problematicpotentially problematicBeneficial feature of EHR is auto population of discrete clinical datadiscrete clinical dataProblem list maintenance is inconsistent

Templates: A N E ilA Necessary Evil

Reminders for important “red flag” questionsReminders for important red flag questionsFor example, strep throat template would have the prompts below:prompts below:

Fever? HA? Rash? Heart Valve? Kidney Problem? Consistency and medical/legal liability coverageConsistency and medical/legal liability coverage

Despite the well-intended questions, all the visits look exactly the same.y

Templates: Challengesp g

Templates generate canned phrases, which makes them lose uniqueness Multiple consecutive canned statements causes a poor read that may misconstrue the intended meaningthat may misconstrue the intended meaningOne-size-fits-all templates are incomplete, not comprehensive enough and only work for one problem Subjective observations go undocumented. AVA study saw increased errors with templates.Templates drive more unnecessary documentation. Many p y ytimes they cannot be closed until all boxes are checked, which then drives higher E&M levels.

Templates: How to Minimize Riskp

Embed placeholders for free textpOffer all code ranges for procedures and visits. Visits must allow all levels (not just the probable ones). All multiples of the procedures should also be offered.M k j b i b b ddi dd Make your job easier by embedding add-on codes and multiples of J-Codes so you do not have to add them on the back end.have to add them on the back end.

4 - Patient Identification & Demographicsg p26

Demographic and insurance information may beDemographic and insurance information may be defaulted for a patient’s encounterPatient identity theft is a vulnerable areay

Patient ID & Demographic Accuracy Questions27

What processes are in place to ensure that the availability of p p ysystem functionality would not lead to clinical issues not being updated to reflect a clear change in patient’s condition?

H i thi t ll d?How is this controlled?How is this monitored?

h i l h h il bili fWhat processes are in place to ensure that the availability of system functionality would not lead to or prevent the propagation of misinformation or error?p p g

O h Ri k AOther Risk Areas28

Other Risk Areas

Monitoring of coding by EMR is not doneMonitoring of coding by EMR is not doneAssume EMR coding matches billing systemCoding “assistance” via the EMR product itself (CPT Coding assistance via the EMR product itself (CPT & ICD)Coding in EMR is valid although based on preCoding in EMR is valid although based on pre-determined design

Other Risk Areas

Tracking of user’s changes, deletions or modification Tracking of user s changes, deletions or modification to a specific subsystemLack of policies and procedures related to coding Lack of policies and procedures related to coding and documentation related to EHRLack of EHR retention policiesLack of EHR retention policies

D I iData Integrity31

Risks to Data Integrityg y32

Improper Change ManagementImproper Change ManagementMetadataApplications, Databases, Operating SystemsApplications, Databases, Operating Systems

Interface Issues Between SystemsImproper IT OperationsImproper IT Operations

Change Management: Metadata Riskg g33

Provider Master FileInvalid providers

LicensureSpecialty mismatchDeparted organizationDead?Dead?

RiskFraudLawsuitsReputation damage

Change Management: Metadata Riskg g34

Pharmacy and Master filePharmacy and Master fileMapping and Synchronization of drug database with chargemasterDispensing of drugs in the correct venue of care

RiskFraudulent billingPatient DissatisfactionReputation damage

Change Management: Metadata Riskg g35

LabCommon Mapping Errors

Ambiguity of order description in EHRIncorrect linkageReflex testingReflex testingPanels & profiles

Use of “smart sets” within EHR to create custom order sets for provider ease

May lead to bundling/unbundling issuesUse of non-AMA panelsMedical necessity issues

Ri kRiskFraudulent billingPatient DissatisfactionR t ti dReputation damage

Application, Database, Operating S t Ch Ri kSystem Change Risk

36

Other Types of ChangesOther Types of ChangesCode: Application / ProgramPatches: Vendor Supplied (Application, Database, & Patches: Vendor Supplied (Application, Database, & Operating System, and Metadata)Data: Data & Data Structure

RisksFast and Widespread Data CorruptionFraudulent BillingDissatisfied Customers

Interface Issues Between Systemsy37

InterfacesInterfacesImproper Field-MappingTransmission / Receipt FailureTransmission / Receipt FailurePartial Transmission / Receipt FailureProcessing Failureg

RisksData Corruptiona a Co up oFraudulent BillingDissatisfied Customers

Improper IT Operationsp p p38

IT OperationsIT OperationsJob SchedulingMonitoringMonitoringProblem / Incident ResponseOperator SkillpAvailable Resource

RisksFraudulent BillingDissatisfied Customers

Data Integrity Controlsg y39

Data InputData InputAutomated Data ValidationAutomated Approvals or OverridesAutomated Approvals or OverridesAutomated Segregation of Duties

Data Integrity Controlsg y40

Change ManagementChange ManagementChanges requests are evaluated for their impact on data and automated controlsChanges are developed and tested in a non-production environmentSuccessful testing is completed before change in promoted Successful testing is completed before change in promoted to the production environment

Use of automated test suites is recommended

All changes to the production environment are approvedSegregation of duties between development, testing, and

d iaccess to production

Data Integrity Controlsg y41

IT OperationspJobs are evaluated and approved before scheduled to evaluate impact and ensure no processing issues are i t d dintroducedAll job success and failures are loggedJobs are monitored for failures and addressed timelyJobs are monitored for failures and addressed timely

Use of automated tool strongly recommendedIT Operations personnel have skills, knowledge, and resource needed to address failures appropriately, completely, and timely, following an established communication and escalation planp

Interface Controls42

File IdentificationAuthorization

BalancingError Reporting

Receipt / Read Confirmation

LoggingBackups

Duplicate CheckEdit / Validation

pQueue Management

/Check

C fid i li & AConfidentiality & Access43

External Risks of the EMR

New opportunities for New opportunities for New opportunities for practitioners to share medical information

New opportunities for people with nefarious motives.

Helps with documentation and

VirusesWorms

billingPatient managementEl i P ibi

Trojan HorsesAdware

Electronic PrescribingInformation exchange

Spyware

44

Data Breaches45

“ the number of data breaches among healthcare …the number of data breaches among healthcare organizations participating in the 2010 and 2011

studies is still growing—eroding patient privacy and studies is still growing eroding patient privacy and contributing to medical identity theft.” *

*Ponemon Institute LLC, Second Annual Benchmark Study on Patient Privacy & Data , y ySecurity, December 2011

Data Breaches46

“On average it is estimated that data breaches On average, it is estimated that data breaches cost benchmarked healthcare organizations

$2,243,700.” *$ , 3,700.

*Ponemon Institute LLC, Second Annual Benchmark Study on Patient Privacy & Data Security December 2011Security, December 2011

Hackers Are Only One Threaty47

Nature Of Root Causes Of Data Breach Incidents

*Ponemon Institute LLC, Second Annual Benchmark Study on Patient Privacy & Data Security, December 2011

Data Breach Notification Laws48

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.p

For example, California’s SB1386 requires an agency, person or business that conducts business in California person or business that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security (to any resident whose unencrypted data is believed to have resident whose unencrypted data is believed to have been disclosed).

http://www ncsl org/issues-research/telecom/security-breach-notification-laws aspxhttp://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

Data At Rest

Where is the data Where is the data saved/stored?Desktop PC’s or Laptops?Desktop PC s or Laptops?Can data be accessed from home (e.g., from home (e.g., PCAnywhere)?Portable storagePortable storageMobile devicesEncryption?

49

Encryption?

Data In Transit

EncryptionEncryptionSecure Socket Layer (SSL)Virtual Private Networks (VPN)

Professional IT maintenance and monitoring

50

Data In Use

Were is data accessed from?Were is data accessed from?A secure room or one others can potentially oversee information?

Is data accessible to everyone, or only certain users?How is this enforced?

Network securityIf the information is on a file share directory, is it secured to prevent transmission to unauthorized users?

Intrusion Detection System (IDS) with a formal Incident Intrusion Detection System (IDS) with a formal Incident Response Process in place to follow-up on alerts

51

Protect Your Computer and Networkp

Install FirewallsOn workstations and laptopsOn networks (possibly creating ‘De-Militarized Zones’ or DMZs)M )

Use network segmentation where appropriateUpdate your computer regularly (e.g. Security patches f Wi d iOS UNIX Li IBM i t )for Windows, iOS, UNIX, Linux, IBM i, etc.)Implement an anti-virus software package on servers, workstations, and laptops and update it regularlyp p p g yImplement an anti-spyware (a.k.a. “Malware”) software package on servers, workstations, and laptops and update it regularly

52

update it regularly

Educate Users

Create and maintain an Awareness ProgramCreate and maintain an Awareness ProgramAppoint a security officer to implement your practice’s policy and conduct training.Make sure all users in you organization perform smart computer practices.Continuously reassess your security procedures and train personnel.P hibi h i d i hi h ffiProhibit unauthorized computer access within the office.

53

D A & R iData Access & Reporting54

Controlling Access to Datag55

Access should be granted on a need-only basisAccess should be granted on a need only basiscommensurate with each user’s current job responsibilities p

System permissionsLogical access

Adding, modifying, and removing user accountsReviewing all user accounts at least quarterly

Monitoring

Importance of Monitoringp g56

Sources of InformationSources of InformationNetwork LogsServer LogsServer LogsNetwork Activity

ChallengesChallengesEnormously large volumes of information

Resource necessary to store informationyResource necessary to reviewResource necessary to follow-up on incidents identified

Intrusion Detection Systemsy

Protects your networks Different Types57

and servers by:Monitoring activity logsInspecting all inbound

Network basedHost (Server) based

Inspecting all inbound and outbound network activity Identifying suspicious

IDS ToolsCheck Pointy g p

patterns that may indicate a network or system attack from

Cisco Secure IDSHP OpenviewSnortsomeone attempting to

break into or compromise a system

SnortSourceFireTripWire

Privacy Breach Monitoring Systemsy g y58

Systematically identifies users who are engaging in y y g g gpatient access patterns indicative of snooping, identity theft, or other risky behaviorsCan be performed for all crucial EHRs and applications providing access to Protected Health Information (PHI)Information (PHI)Filters out known false positives and alerts remaining potential incidents to appropriate remaining potential incidents to appropriate privacy personnelFairWarning is a leading application in this area

How Much Security / Monitoring Is Enough?/59

nito

ring

urity

/ M

onnt

rols

($)

Target level of control

Cos

t of

Secu

Con

C

Volume of Security Breaches / Incidents

M i f l UMeaningful Use60

ARRA: Qualifying for incentivesy g

“Meaningful Use” criteria must be metgDivides the requirements into a “core” group of requirements that must be met, plus an additional “menu” of procedures from which providers may choosefrom which providers may choose.This “two track” approach ensures that the most basic elements of meaningful EHR use will be met by all providers

l f f h l h qualifying for incentive payments, while at the same time allowing latitude in other areas to reflect providers’ needs and their individual path to full EHR use.

What criteria affects the EHR?62

CPOECPOESpecific data elementsSecurity Risk AssessmentSecurity Risk Assessment

Make Meaningful Use Meaningfulg g

Requirement: Computer Physician Order Entry (CPOE)q p y y ( )

80% of all orders must be done via the computerOptions for the display names of the orderable procedures

Use software’s display namesMake your own and manage the display name file

Advantage of creating your own display names: Embedded coding hintsE l i d f dd dExample: reminders for add on codesReminders for quantities of J CodesReminders to give size of lesionReminders to give size of lesion

Make Meaningful Use Meaningfulg g

Requirement: Problem Lists: must be up to date80% of all patients seen must have Problem List entries

“N ” i k b i b d “None” is ok but it must be structured textThe compliance issue with Problem Lists not up to date

Most EMR’s have a key stroke that loads the Problem List Most EMR s have a key stroke that loads the Problem List into the Progress NoteDiscrepancies occur as the Problem List diagnosis is not consistent with free text documentationconsistent with free text documentationExample: Pt is declared free from cancer in the text of the note but the “blown in” Problem List states: Breast Cancer.

This conflicting information requires a query

Make Meaningful Use Meaningfulg g

Requirement: Clinical Decision Support5 significant CDS must be implemented

Example: Doctor orders a drug and gets a pop-up that the patient has concurrent Chronic Kidney Disease and the p ydose of the antibiotic should be decreased

“Borrow” the technology for coding supportInstead of clinical help, the doctor gets coding helpInstead of clinical help, the doctor gets coding helpExample: doctor types in “Stroke” for the diagnosis. A pop-up appears telling them they should not use this code unless this is an acute event. Hyperlinks in the pop-up unless this is an acute event. Hyperlinks in the pop up direct them to late effect choicesUsed for cancer/history of cancer as well

A di d M i iAudit and Monitoring66

Auditing and Monitoringg g

Risk AssessmentRisk AssessmentWork QueuesData MiningData MiningDocumentation Integrity Team

Audit Procedures Authorship Integrityp g y

User accessRights testingR l i t d it i t i tRole assignment and security point consistency

Determine the capability of user log in/passwords used simultaneously and different workstations used simultaneously and different workstations

Review user access listing – 1 person – multiple login/passwords?Medical students

Audit Procedures - Auditing Integrityg g y

Determine EHR editing capability Open versus closed recordsCreate test patientCreate test patientExamine audit logs for audit trail

EHR capability to use common date/time stamp across all components test to determine if this can be manipulated in components—test to determine if this can be manipulated in any way either in Epic or in the background.

Select one encounter and edit or add informationT d d Test date and time stamp

Audit Procedures - Documentation I t itIntegrity

Wh i h l d i i l f i l What is the volume and timing to closure of typical encounter documentation?

Obtain and review Patient Billing reports to identify volumes, aging, and types of open encountersSelect a sample of encounters which are “closed” and have no progress note documentation and determine the amount of time progress note documentation and determine the amount of time from open to closed timeframeReview the EMR and identify if progress notes were written in the correct section

Cut & PasteC & P tCopy & Paste

Audit Difficulty: Identifying if this function was usedDocumentation Integrity Risk:

Bring forth information which is not specific to the patient Fail to edit information that is not applicable to the subsequent encounter

Utilized software originally designed to detect plagiarism t i itiat universities

Using encounter data, compared the following EHRSame provider, same primary diagnosis All visits for one day for a providerAll visits for one day for a provider

Plagiarism software download: http://plagiarism.phys.virginia.edu/

AHIMA article: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok3_005520.hcsp

Templatesp

Identify sample of patient encounters where a template y p p pwas selected for the encounter documentation (frequent template users – GI, cardiology, urology, respiratory, and primary care)primary care)Review EMR documentation to ensure that any default information was verified or updated (patient name, symptoms, medication, etc.)Review the EMR audit logs /dark side to ensure that the defaulted information was edited (inquire how this should defaulted information was edited (inquire how this should look prior to examination)

Make Me the Author

Audit Difficulty: Identifying when this function was usedud cu y: de y g w e s u c o was usedTest EMR system controls by creating a patient encounter using another provider user ID (or RN) and create documentationReview EHR documentation & audit logs (dark side) to

h d b bl h ensure that test documentation is attributable to the correct providerTurn off / remove this functionality if the EHR does not Turn off / remove this functionality if the EHR does not have the capability to attribute an entry, modification or deletion to a specific individual

Th k Y

Lori.laubach@mossadams.com

Thank You74

Steve.shofner@mossadams.com

A di P li iAppendix - Policies75

1.Timeliness of documentation

EMR’s = Big Brother ReportingEMR s Big Brother ReportingNormal standard of 24 hours97% of all notes closed within 24 hours97% of all notes closed within 24 hoursInbox warning when chart not closedMessage to supervising MD at 7 daysMessage to supervising MD at 7 daysReport to Executive Team at 30 daysW k I t Pl f F t FliWork Improvement Plan for Frequent Fliers

2. Close Visit Validation

Mandatory tasks to close noteMandatory tasks to close noteOrders signedE&M dE&M doneDiagnosis EntryProgress Note CreatedDiagnosis/Order Association (medical necessity)

3. Evaluation & Management Codingg g

Point of Care RemindersPoint of Care RemindersHover Text States RulesOnce each level selected the computerOnce each level selected, the computer assigns the codes based on the level picked for History/Exam/MDM or Timefor History/Exam/MDM or Time

4. Diagnosis Accuracyg y

Cancer/History of Cancer – Pop Up appears y p p ppwhen enter specific diagnoses

Provides a best practice alert about the use of the diagnosisdiagnosis

Etiology/Manifestation CodesEMR allows creative display namesEMR allows creative display namesCaptures clinical essence in coding termsDoesn’t keep the clinician guessing

Document what you see. Code what you document

5 Compliant Addenda to EMR

Watermarked fingerprint

5. Compliant Addenda to EMR

Watermarked fingerprintNotification sent to original doctor of change

6. Compliant Physician Queriesp y Q

Compliance approves the query languageCompliance approves the query languageEach query is inserted via EHR toolResponse MonitoringResponse Monitoring

Positive responses audited for accuracyNegative responses tracked/reportedNegative responses tracked/reported

Bad query language? Unresponsive clinician?p

7. “Smart Tools”

Smart SetsSmart SetsAllow documentation and coding for entire problem – example joint injection; cryop p j j y

Smart TextMore specific problem/guidancep p gAbd pain – pregnant < 20 weeks; sports PE

Smart Phrases: “dot” phrasesp.gfr; .nexheart; .negneuro

Save the Date: August 25-28 2013August 25-28, 2013

32nd Annual Conference Chi ILChicago, IL

83