By Susan Boisvert, BSN, MHSA, CPHRM, FASHRM

Electronic health records (EHRs) have proven to be a disruptive technology. EHRs have introduced new functionality to the ways healthcare is delivered, documented, defended, measured, and billed. As with any disruptive technology, there are new risks and benefits associated with the new capabilities. EHR copy and paste functionality is a perfect example. Copying and pasting from paper medical records is not particularly practical and was likely very rarely done. With the advent of computer word processing, copying and pasting became relatively simple and was quickly recognized and adopted. Not surprisingly, iterations of copy and paste were soon included in electronic medical records, resulting in an array of new challenges. The following table provides an overview of the associated benefits and risks identified by The Joint Commission, the National Institute of Standards and Technology (NIST), the Partnership for Health IT Patient Safety (Partnership), and the Office of the Inspector General (OIG).

The Partnership released a toolkit for the using the copy and paste function safely. The toolkit includes four patient safety-focused recommendations to reduce risk when copying and pasting in an EHR:
  • Recommendation A: Provide a mechanism to make copy and paste material easily identifiable.
  • Recommendation B: Ensure that the provenance of copy and paste material is readily available.
  • Recommendation C: Ensure adequate staff training and education regarding the appropriate and safe use of copy and paste.
  • Recommendation D: Ensure that copy and paste practices are regularly monitored, measured and assessed.5
The Partnership recommendations fulfill and expand on recommendations made by the OIG in 2013 regarding the risks of fraud and abuse when the copy and paste function is used. Notably, the OIG recommended that the Centers for Medicaid and Medicare Services (CMS) develop guidance on the use of copy and paste in EHRs.6 Additionally, the OIG recommended, “To provide the most benefit in fraud protection, audit logs should always be operational while the EHR is being used and be stored as long as clinical records.”7
Why this information is important to you
Many of the larger EHR system vendors participate in the Partnership. One of them, Epic, has introduced audit functionality that allows user organizations to evaluate where and how the information in an EHR is generated, including the extent of copy and paste use. In a letter to JAMA Internal Medicine, Wang and colleagues describe the functionality as follows:
After a recent software update, the EHR now identifies the provenance of every character that is present in a signed note - that is, whether that character was typed fresh (“manually entered”), pulled in from another source such as a medication list (“imported”), or pasted from a previous note or elsewhere (“copied”).8

Essentially, the new functionality would assist organizations to meet the four Partnership recommendations, as well as providing an opportunity to evaluate copied and pasted material from a compliance perspective (i.e., billing, coding, and “cloning”). 
Wang and colleagues used the audit function to review more than 20,000 notes and found that 18 percent of the typical entry was manually entered, 46 percent was copied, and 36 percent was imported.9 Assuming that the findings of Wang and colleagues may be generalized to most healthcare facilities, what new risks and/or responsibilities does the provenance audit function create? A quick internal discussion at Coverys identified the following:
  • Does the organization have a responsibility to “turn on” the provenance audit?  
  • How does the organization determine how much copying and pasting is acceptable for professional documentation practices? Would rates differ by practice: supervising providers versus residents versus medical students versus nurses? 
  • How does the organization determine the line between acceptable copy and paste practices and fraud and abuse?
  • What effect will provenance audits have on medical professional liability claims if the audits are discoverable by the plaintiff’s attorney(s)?
  • How long will it take CMS and other third-party payers to start requesting provenance audits when they conduct chart reviews? 
  • How often should provenance audits be conducted and who should perform them? 
  • Should provenance audits be added to compliance programs, ongoing professional practice evaluations (OPPE), and the quality improvement metrics used at an organization?
Although Epic is the first EHR system vendor to implement provenance audits, it seems likely that others will follow. Regardless of which EHR system you have, it is probably a good idea to consider the expanding capabilities of EHR audit functions and what the ramifications might be for your organization.
  1. The Joint Commission. Preventing copy-and-paste errors in EHRs. Quick Safety. February 2015, Issue 10. Citing O’Donnell HC, et al. Physicians’ attitudes towards copy and pasting in electronic note writing. J Genl Int Med. 2008;24:63-68; and Kuhn T, et al. Clinical documentation in the 21st century: executive summary of a policy position paper from the American College of Physicians. Ann Int Med. 2015;162(4).  
  2. Lowry SZ, Ramaiah M, Prettyman, SS, et al. Examining the ‘Copy and Paste’ Function in the Use of Electronic Health Records. National Institute of Standards and Technology Report NISTIR 8166; January 2017. 
  3. Partnership for Health IT Patient Safety. Health IT Safe Practices: Toolkit for the Safe Use of Copy and Paste. February 2015. ECRI Institute.
  4. Department of Health and Services Office of Inspector General. Not all Recommended Fraud Safeguards Have Been Implemented in Hospital EHR Technology.  Report OEI-01-11-00570. December 2013.  
  5. Partnership for Health IT Patient Safety. Page 1.
  6. Wang MD, Khanna R, and Najafi N. Characterizing the source of text in electronic health record progress notes. JAMA Intern Med. Page 5. Published online May 30, 2017. doi: 10.1001/jamainternmed.2017.1548. [Epub ahead of print].
  7. Ibid. 
  8. Ibid.
  9. Ibid.
No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.