EHRs, Upcoding, Overpayments, and the False Claims Act – Understanding the Risks

Vol. 10 No. 3

AuthorAuthorHealthcare providers and organizations should be mindful of the processes and procedures used when interacting with electronic health record (“EHR”) systems. Given the exponential expansion of EHR systems, the federal government has started to take action to curb abuses. A little over one year ago, Secretary Kathleen Sebelius and Attorney General Eric Holder informed five national hospital and health center associations of their concerns with EHR abuse.1 The letter explains “there are troubling indications that some providers are using this technology to game the system, possibly to obtain payments to which they are not entitled.”2 The American Hospital Association was quick to respond, arguing that better guidance on these rules may assist hospitals to focus more on care rather than potential audits.3 Regardless of the response, the federal government continued its investigation of possible abuse.

The 2013 Office of Inspector General (“OIG”) Work Plan listed EHR abuse as an area of focus. The OIG explained that it “will identify fraud and abuse vulnerabilities and electronic health record systems as articulated in literature and by experts and determine how certified EHR systems address these vulnerabilities.”4 These enforcement measures include increased audits and extensive medical record reviews. In fact, in July 2013 an HHS official speaking anonymously with a news source explained that “targeted audits will continue and CMS is considering other steps.”5

EHR Concerns and Abuses

In the letter, Secretary Kathleen Sebelius and Attorney General Eric Holder stated that they have reason to believe “potential ‘cloning’ of medical records in order to inflate what providers get paid” was occurring.6 Cloning, according to Palmetto GBA, “refers to documentation that is worded exactly like previous entries. . . [T]his type of documentation will lead to. . . recoupment of all overpayments made.”7 Below are two primary examples of how cloning may occur:

Template Example: A two (2) year old comes to the clinic for a well-child exam. The provider copies her generic two (2) year old well child exam template onto the patient’s chart. The copied information states that the provider asked the family about certain symptoms and provided appropriate education for patients at a two (2) year old’s level. However, the provider did not discuss choking hazards for two (2) year olds as was documented in the template.

Copy and Paste Example: A patient comes to see his provider for a sinus infection. The same patient returns a week later with similar complaints, including no improvement regarding the sinus infection. However, upon this visit the patient sees a different provider within the practice. The new provider copies the first provider’s note with no changes.

Both instances represent examples in which providers and healthcare organizations may be at risk for government enforcement and, at a minimum, recoupment of all overpayments.

Possible Evidence of EHR and Upcoding Abuses

A report from the Department of Health and Human Services (“HHS”) released in May 2012 shows the reason for concern.8 The report analyzed physician billing from 2001 to 2010. The report found that physicians increased their billing of higher-level codes during these years. In particular, the three lowest codes for office visits decreased by two percent, seven percent, and eight percent, respectively. But, the second highest billing code increased 15 percent over this period of time and the highest billing code increased two percent. The report concluded that continued education for proper billing needs to occur and CMS should encourage contractors to review physician billing for these types of services. The report did not conclude that these billings were inappropriate, just that the increase is suspect.

Farzad Mostashari, who has just resigned as the National Coordinator for Health Information Technology explained at a hearing that “we don’t know if the shift reflects appropriate coding or inappropriate coding.”9 What is clear is that money, resources and time is likely going to be spent in an attempt to understand what this means and to curb fraudulent activity. Providers, on the other hand, are advocating that any concerns or trends are the result of providers actually starting to be more accurate with their coding through EHRs.10

What are the Risks Healthcare Organizations Face?

Since the Fraud Enforcement Recovery Act of 2009 (“FERA”), False Claims Act (“FCA”) liability has increased immensely.11 In particular, organizations should be concerned a FCA violation may occur due to the retention of overpayments. FERA amended the FCA to impose liability when a party “knowingly and improperly avoids or decreases an obligation.”12 Obligation is broadly defined to include an established duty from the retention of any overpayment.13 This is commonly referred to as a “reverse false claim” as “knowledge” may not have existed when the claim was filed but was later known after the claim was paid. "Knowingly," with respect to overpayments, is broadly defined to mean “actual knowledge . . . deliberate ignorance . . . or acts in reckless disregard of the truth.”14 In addition, the definition clearly stipulates that it does not require “proof of specific intent to defraud.”15

An overpayment from a federally funded healthcare program can become an “obligation” under the FCA if the overpayment is not “reported and refunded” within “60 days after the date on which the overpayment was identified.” Identification is not defined; however, there are varying opinions as to when an overpayment is “identified.” For example, some experts believe that an overpayment is not identified until the organization knows the amount of overpayment. However, then-New York State Medicaid Inspector General James Sheehan has stated that “identified for an organization means that the fact of an overpayment, not the amount of the overpayment has been identified.”16

This creates a dilemma for providers in which upcoding moves beyond simple billing errors to create actual overpayments due to improper billing methods, possibly due to EHR cloning or inappropriate use of templates. The case of U.S. ex rel. Keltner v. Lakeshore Medical Clinic, Ltd. (“Lakeshore”) is a primary example of this issue.17 In Lakeshore, a former employee (the “Relator”) brought a qui tam case against Lakeshore. The Relator alleged FCA violations based on audits that highlighted upcoding. The medical group had identified and repaid some of the overpayments, but not all of them. The court in March 2013 denied Lakeshore’s motion to dismiss the case; the lawsuit is still pending. Lakeshore may be just the first of other legal actions stemming from upcoding that lead to overpayments where any inaction on the part of people with knowledge of such overpayments may lead to FCA liability.

Solutions to Mitigate the Risk of Upcoding and Other Abuses

  • Develop a Compliance Plan: Medical providers and their counsel should focus on developing compliance plans that include regular internal audits. Often the plan itself is established, but organizations fail to follow through with training, education, and enforcement of disciplinary standards.
  • Discuss Fraud Issues with EHR Vendors: Often EHR vendors explain that their system is audit proof and contains methods to deter upcoding. Providers and counsel should ensure that they have addressed concerns of upcoding, copy and paste features, and templates with the vendor.
  • Analyze EHR Vendor Agreements: Counsel for providers using an EHR system should review the vendor agreement. Often these agreements limit the liability of the vendor to the point in which the provider may be at risk for overpayments or false claims, even if the auto-coding features installed by the EHR vendor are the primary cause of billing issues.
  • Audit Notes and Voice-Transcribed Notes: Organizations should understand the ways in which providers are interacting with their EHR systems. This includes auditing how notes are entered into the system from start to finish.
  • If Substandard Care and Upcoding is Found in Some Cases, Expand the Audit: The Lakeshore case seems to indicate that if an organization knows of upcoding or EHR abuses, there may be an affirmative duty to act upon that knowledge.
  • Educate Physicians Regarding EHR Risks: Physicians are “sold” on EHRs on the belief that EHRs will save them time, thus permitting them to be more efficient. Physicians should be educated regarding fraud risks, including inappropriate use of templates and cloning. Provide examples to make the point.


Attorneys and providers should be mindful of the changing aims of the federal government when it comes to EHRs. The federal government is doing everything it can do to reduce costs, increase transparency, and maintain compliance among entities that interact with federal healthcare programs. EHR systems offer huge opportunities to increased care quality, efficiency, and reduced waste. However, understanding the risks and taking a proactive approach to limit liability are a necessity given the recent focus on potential EHR fraud and abuse.

1Kathleen Sebelius and Eric Holder Jr., Letter From Obama Administration on Hospital Billing, The New York Times, September 24, 2012, available at
3Rich Umbdenstock, Letter to HHS and DOJ, American Hospital Association, September 24, 2012, available at
4U.S. Department of Health and Human Services, Office of Inspector General, Office of Inspector General Work Plan – Fiscal Year 2013, available at
5Rich Daly, HHS Auditors Target Upcoding of Medicare Bills via EHRs, Modern Healthcare, July 19, 2013, available at
7Palmetto GBA, Medical Record Cloning, November 6, 2012, available at this link.
8Daniel E. Levinson, Coding Trends of Medicare Evaluation and Management Services, Department of Health and Human Services, Office of Inspector General, May 2012, available at
9Fred Schulte, Electronic Medical Records Probed for Over-Billing,, February 14, 2013, available at
10Shadowfox, MD, The Upcoding Firestorm: Why doctors are unfairly targeted, KevinMD.Com, October 17, 2012, available at
1131 U.S.C. § 3729(a)(1)(G).
13“established duty, whether or not fixed, arising from an express or implied contractual, grantor-grantee, or licensor-licensee relationship, from a fee-based or similar relationship, from statute or regulation, or from the retention of any overpayment.” See 31 U.S.C. § 3729(b)(3).
1477 Fed. Reg. 9182.
16James G. Sheehan, Getting Serious About Medicaid Compliance: Section 6402 of PPACA and the Duty of Disclosure of ‘Identified’ Overpayments, New York Medicaid Inspector General, 7/14/2010.
17U.S. ex rel. Keltner v. Lakeshore Med. Clinic, Ltd. , No. 11-CV-00892 (E.D. Wis. Mar. 28, 2013).


  • Health eSource