February 21, 2019

QUESTION: A physician on our medical staff has made numerous inappropriate entries into the EMR. These include critiques of other physicians, the hospital, and its staff. We have approached the physician several times to inform him that a patient’s medical record is not an appropriate forum for these comments, but he claims he has the First Amendment right to put whatever he wants to in the records, and continues to do so. What can we do?


ANSWER: The regulatory and accreditation requirements set forth by the Joint Commission and by both federal and state law make it clear that the medical record is to document objective clinical information relative to an individual patient’s medical condition that will enable a patient’s caregivers to provide the appropriate patient care. Comments entered in a patient’s medical record that are critical of the hospital or of other individuals are inappropriate editorial statements, which do not advance the care of a patient. In addition, they clearly create and increase legal risks to the hospital and to all individuals involved in the care of the patient.

A physician who has a complaint or concern regarding an administrative policy, the hospital’s utilization practices, or the care provided by any other individual should be advised that the medical record is not the proper forum for that issue and should be directed to register those concerns through appropriate medical staff or administrative channels.  Most times, providing this education and counseling to the physician is sufficient to resolve the concerns.  If not, however, the physician should be advised that continuing disregard of the policy concerning the proper content of medical records will be referred for review under the Medical Staff Professionalism Policy.

August 9, 2018

QUESTION: We recently received a complaint that one of our Medical Staff members was “surfing” the EMR, looking for patients with a certain diagnosis and then contacting them to offer his services. Should we refer this matter to our HIPAA Privacy Officer, review it under our Medical Staff Professionalism Policy, or take some other approach?

ANSWER: There are good reasons for involving the hospital’s Privacy Officer in the review of HIPAA violations by Medical Staff members. The Privacy Officer is responsible for implementing the hospital’s HIPAA policies, so that individual should be aware of potential privacy violations by Medical Staff members. Also, Privacy Officers have significant experience investigating and responding to privacy violations. They will be familiar with HIPAA’s dense regulatory requirements and know how to find information that shows if health information was improperly accessed.

At the same time, there are good reasons for using the Medical Staff process to review HIPAA complaints involving physicians:

  • Physicians may be more likely to listen to other physicians.
  • Hospital licensing regulations generally require the Medical Staff to review the actions of its members.
  • The Medical Staff process is protected by a statutory peer review privilege, which results in confidentiality and candid discussion.
  • Violations of HIPAA (or any regulation) may include a behavioral component that will be of interest to the Medical Staff leadership.

To get the best of both worlds, we recommend that the Medical Staff Professionalism Policy include a provision describing how individuals responsible for other hospital policies (such as the HIPAA Privacy Officer or the Corporate Compliance Officer) will be notified of concerns that involve their area of responsibility.  The Policy should also describe how efforts will be made to coordinate the efforts of the Medical Staff leadership and the individual responsible for the other policy (e.g., through attendance at meetings and the sharing of information).

December 17, 2015

QUESTION: One of our surgeons has been preparing operative reports over the weekend for his upcoming surgeries on Monday or Tuesday. He explained that he has more time over the weekend, so he copies and pastes op reports from prior, similar surgeries into the record for the upcoming surgery, then revises them after the surgery as needed. Should we be concerned with this practice?

ANSWER: Medicare and other payors recognize the efficiencies that can result from the copy and paste feature of EMR technology. At the same time, those payors are also concerned that such technology will be used improperly in a way that is bad for patient care and leads to inflated payments.

On September 24, 2012, the federal Department of Justice (“DOJ”) and Department of Health and Human Services (“HHS”) issued a letter regarding the fraud and abuse concerns about certain EMR documentation practices. DOJ and HHS stated “[a] patient’s care information must be verified individually to ensure accuracy; it cannot be cut and pasted from a different record of the patient, which risks medical errors as well as overpayments.” The letter spoke generally about the willingness of DOJ and HHS to prosecute health care fraud based on improper EMR documentation practices. A copy of the letter is available at: http://www.modernhealthcare.com/Assets/pdf/CH82990924.PDF.

In December 2013, the HHS Office of Inspector General followed up with a report titled “Not All Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology” (http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf). The report discusses risks and benefits of the copy and paste feature in EMR technology.

Following the lead of DOJ and HHS, National Government Services (a Medicare Administrative Contractor) discussed the overpayment risks of “cloned” documentation as follows:

“Documentation is considered cloned when it is worded exactly like or similar to previous entries. It can also occur when the documentation is exactly the same from patient to patient. Individualized patient notes for each patient encounter are required.

* * *

“Whether the documentation was the result of an Electronic Health Record, or the use of a pre-printed template, or handwritten documentation, cloned documentation will be considered misrepresentation of the medical necessity requirement for coverage of services due to the lack of specific individual information for each unique patient. Identification of this type of documentation will lead to denial of services for lack of medical necessity and the recoupment of all overpayments made.”

EMR technology can improve the content and consistency of documentation, and make it less burdensome to produce. However, using a template to prepare documentation in the EMR before the procedure is actually performed increases the risk of allegations of “cloned documentation” and “fraud and abuse” by the government or third-party payors.