There’s no question that EMR can be a tremendous resource for your patients and the practice. However, did you know EMR systems have security, privacy, financial and malpractice risks as well? In particular, beware of “cloning.”

Q. What types of issues should we be aware of?

A. In EMR systems, it has become particularly easy to code visits as level 4 or 5 merely by “clicking” on various examination elements that appear on the computer screen. The resulting chart printouts look like all elements of the history and exam have been performed at each and every one of the patient’s visits — and we know that’s rarely true. Payers are watching closely for fraud and abuse, so it behooves us to be sure the chart accurately represents the work and thoughts of the providers on that particular visit. I’ll delve into this issue further below.

As for security, we all know how it can be compromised on EMR. Just as we don’t leave paper records out for others to see, it makes sense not to leave electronic records “open” — even for just a moment. Additionally, mobile devices such as smartphones, tablets and laptops with access to your EMR are under constant threat of theft. In an unusual twist, hackers have even held some practices’ EMR data hostage.

Q. What else should we know?

A. These real and serious threats are easily understood, but some aspects of EMR that we take for granted are creating a new risk.

Let’s go back to the problem of inadvertently coding visits as level 4 or 5 with the result that it appears all the elements of the history and exam have been performed at each visit. While it may seem more efficient, documentation that does not represent what actually transpired during a patient encounter can threaten a practice.

CMS and other payers have been warning about cloning notes in EMR for several years. But, as EMR use expands, investigators with the Office of the Inspector General (OIG) as well as most payers have taken notice.

The 2012 OIG Work Plan noted the agency would “review … services for the same providers and beneficiaries to identify electronic health records (EHR) documentation practices associated with potentially improper payments. Medicare contractors have noted an increased frequency of medical records with identical documentation across services.”

This statement of concern speaks specifically to the tendency to “copy-forward” information from a previous visit and “clone it.”

Some EMR systems even have options that allow copy-forward in commonly cloned areas such as the “problem list” or the history. It’s a key time-saver for EMR users, and EMR vendors would not sell many systems without this feature. While not entirely bad (think how similar most cataract operative notes have been for years), it does call into question the veracity of notes where things may change. If all of the history elements, such as all 14 Review of Systems areas, are not actually asked or they don’t all apply to the day’s visit, it would be improper to create a note that misrepresents the service.

Be sure you can defend the need for all cloned information or, if you doubt the note’s believability, start from scratch and ask the patient directly. It may not be as easy as cloning, but it will be more accurate.

Now let’s look at an unintended consequence of the move to EMR. Some providers have the capability (because the notes appear to show everything was done) to choose a higher-paying code. These may or may not be justified. Some providers did not document well on paper, although the services they delivered were at a higher level than they billed. For them, EMR is a more accurate note.

It’s also likely that many practices are providing documentation for the sole purpose of meeting higher service levels.

Payers know what practices have billed in the past, and they already have a high index of suspicion of fraud and abuse upon seeing sudden changes in billing patterns. They might request “proof,” which may begin as a request for a number of visits or as a notice from the payer that their utilization of certain codes is “outside the norm.”

Q. What can we do to prevent this?

A. The answer is to have the EMR show only the work that is done and relevant for that particular visit. Anything copied forward should actually be used in the examination, diagnosis and treatment of the patient. Medical necessity, the number one driver of your services, is then fully supported. Proper code selection follows and is made more accurate.

Payers who ask for your documentation may not tell you when you’ve done well, but they may quit asking. You can take that as evidence they believe what you document. OM

Suzanne L. Corcoran is vice president of Corcoran Consulting Group. She can be reached at (800) 399-6565 or www.corcoranccg.com .