Guidelines for EHR Documentation to Prevent Fraud. Appendix D: Electronic Health Record Fraud Checklist

This practice brief has been updated. See the latest version here. This version is made available for historical purposes only.


EHR Fraud Prevention (answer columns: Yes, No, NA, Comments)
         
1. Does the organization communicate its ethics and commitment to complying with laws and regulations through its policies?        
         

A. The organization has policies and procedures that indicate the organization's intent to comply with all laws and regulatory requirements and to operate in an ethical manner.

       

B. The organization has policies and procedures that define and prohibit the entry of false information into any of the organization's records.

       

C. The organization has policies and procedures that define individual responsibility and accountability for the accuracy and integrity of information and for notifying management of errors which are discovered.

       

D. The organization has policies and procedures that define specific consequences for the falsification of information.

       

E. The organization has policies and procedures that define mandatory periodic training covering the falsification of information and information security.

       

F. The organization has policies and procedures that define management level responsibility for the organization's information security program.

       
         
2. Does the organization establish EHR and HIM related policies?        
         

A. The organization has policies and procedures that specify administrative documentation requirements.

       

B. The organization has policies and procedures that specify clinical documentation requirements.

       

C. The organization has policies and procedures that define required logging of activity on EHR systems.

       

D. The organization has policies and procedures that define how changes, i.e., corrections and amendments, are made to all records.

       
         
3. Does the organization establish and maintain an education program? The education program must be designed to communicate the organization's policies, the individual's responsibilities, and the capabilities and functions of the EHR system to each individual who works with electronic health records.        
         
4. Does the EHR education program meet the following objectives?        
         

A. The organization has procedures that will inform all individuals associated with the organization of the organization's policies.

       

B. The organization has policies and procedures that explain staff responsibilities for maintaining the integrity and accuracy of information.

       

1. The organization has policies that define personal responsibilities for protecting system access information.

       

2. The organization has policies that define personal responsibility for creating accurate records.

       

3. The organization has policies and procedures that define staff responsibility to notify management of problems which are discovered.

       

C. The organization has policies and procedures that cover the proper use, features, and functions of the EHR system.

       

D. The organization has policies and procedures that address methods for preventing erroneous entry of information and the importance of preventing errors.

       

E. The organization has policies and procedures that define penalties for falsifying any organizational records.

       

F. The organization has policies and procedures to provide instruction on how to use the system security features for preventing unauthorized access to systems.

       

G. The organization has policies and procedures that inform all EHR users that their activities are being logged by the system.

       

H. The organization has policies and procedures that address software design and other techniques that may be used to cause system users to enter false information.

       
         
EHR System Features        
         
1. Does the EHR system provide access control functions?        
         

A. The organization has policies and procedures that define the management of user authentication.

       

B. The organization has policies and procedures that define the management of extensive privilege assignment and control features.

       
         
2. Does the EHR system have the capability to attribute the entry, modification, or deletion of information to a specific individual or subsystem?        
         
3. Does the EHR system have the capability to log all activity (refer to the section on Logging of Activity on EHR Systems for specific logging requirements)?        
         
4. Does the EHR system have the capability to use a common date and time stamp across all components of the system?        
         
5. Does the EHR system have data entry editing capabilities?        
         

A. The organization has policies and procedures to validate information on entry when possible.

       

B. The organization has policies and procedures to check for duplication and conflicts.

       

C. The organization has policies and procedures to control and limit automatic creation of information.

       
         
EHR Implementation        
         
1. Does the EHR system establish a process for logging of all activity on EHR systems?        
         

1. The organization has policies that determine which logging features should be used.

       

2. The organization has procedures in place to enable system logging.

       

3. The organization has procedures that assign responsibility for auditing of log entries and reported exceptions.

       

4. The organization has policies that define retention periods and procedures for log records.

       

5. The organization has defined policies relating to system performance issues.

       
         
2. Does the EHR system define and implement the business rules relevant to the responsibility of each functional role and each type of information?        
         
3. Does the EHR system preserve data produced in response to a specific request, or can it be re-created reliably?
       

Article citation:
AHIMA e-HIM Work Group: Guidelines for EHR Documentation Practice. "Guidelines for EHR Documentation to Prevent Fraud. Appendix D: Electronic Health Record Fraud Checklist." Journal of AHIMA 78, no. 1 (January 2007): [web extra].