Your responses will be saved every time you click the NEXT button.

(1)

Hospital Certified Electronic Health Record (EHR)

Technology Questionnaire

Thank you for taking time to complete this questionnaire. The

Office of Inspector General (OIG) is conducting this survey as part

of a study on fraud and abuse safeguards in EHRs. Participating

will help us learn about the certified EHR technology hospitals are

using. Our questions concern the presence of features and

capabilities of certified EHR technology, as well as barriers to

implementing certain safeguards for increased fraud protection and

data integrity.

If you have any questions, please contact Kim Yates at

617-565-2911 or Kim.Yates@oig.hhs.gov.

Your responses will be saved every time you click the NEXT

button.

You can return to the questionnaire at any time, using the

same link, until you click the red SUBMIT button.

Click the PRINT button to print a copy of this questionnaire

with your responses.

Once you click the red SUBMIT button you will not be able

to edit or print your responses.

(2)

1.

Please provide the following information for the individual(s) completing this questionnaire:

Respondent name(s) and title(s):

Phone number:

(3)

The following questions ask about the certified EHR technology this hospital

has implemented and attested to meaningful use.

2.

What type of EHR technology does this hospital use?

One or more commercial vendor product(s) One or more internally developed product(s)

A combination of vendor and internally developed products Other

Please specify:

3.

How many years has the hospital used any EHR technology?

4.

Is this hospital part of a network of hospitals that use the same EHR technology?

(4)

The following questions ask about the certified EHR technology's capabilities

regarding coding.

5.

How are diagnoses and procedures coded at this hospital?

Manually by professional coders

Yes No

Automatically with coding software

Other

Please specify:

6.

Does this hospital have plans to adopt computer-assisted coding?

(5)

The following questions ask about user authentication and access to the

certified EHR technology.

7.

Does access to the hospital EHR technology require the following user authorizations? Unique user ID Yes No Password Token-based (e.g., identification card)

Biometrics (e.g., fingerprints) Public-key (e.g., PKI, digital certificates)

8.

Has the hospital implemented the following policies and procedures regarding access to the EHR technology?

Automatic user log-off/ Session time-out

Yes No

Minimum password configuration rules

Regular changing of password User agreements or contracts to prevent sharing of

passwords Other

(6)

The following questions ask about access to the certified EHR technology by

outside entities.

9.

Does this hospital allow any outside entity (such as a payer) access to the EHR technology?

Yes No

10 .

How does the hospital allow outside entities access to the EHR technology?

Remotely Yes No On-site Other Please specify:

11 .

Does the hospital establish unique user IDs to track outside entities' activity?

(7)

The following questions ask about access to the certified EHR technology by

outside entities.

12 .

How does the hospital limit outside entities' access?

To specific patients

Yes No

To specific claims

To view-only (i.e., the outside entity cannot print, export, transmit, or email data)

To limited information within a specific patient or encounter Other

Please specify:

13 .

Are outside entities allowed access to audit logs and metadata?

(8)

The following questions ask about access to the certified EHR technology by

outside entities.

14 .

To what extent does the hospital consider the following to be barriers to allowing outside entities access to EHR technology?

EHR technology does not support the capability

To A Large

Extent To Some Extent To Little Extent Not At All

Hardware does not support the capability

Insufficient human resources Funding restrictions/additional costs to implement

Insufficient training on EHR technology

Inability to integrate with existing systems

Inability to limit access to specific patients, encounters, or information

Concerns with EHR system performance

Concerns with patient privacy Concerns with provider rights Concerns with inappropriate use by outside entities

Hospital policy prevents such access

Other

(9)

The following questions ask about the certified EHR technology's audit log

and metadata features.

Audit logs and metadata track access and changes within an EHR

chronologically by capturing data elements such as date and time when

users access or change the record.

15 .

Does the audit log record data for the following events?

Each entry or access to the EHR

Yes No

Signature event (the proactive or auto default completion of a patient encounter)

Export of EHR document (printed, electronically exported, emailed)

Amendments, corrections, or modifications of data

Import of data

Disabling of audit log

Release of encounter for billing Access by an authorized

outside entity Other

(10)

16 .

Does the audit log record the following data?

National Provider Identifier (NPI)

Yes No

Date/Time/User stamps

Access type (creating, editing, viewing, printing, etc.)

Internet Protocol (IP)/ Media Access Control (MAC) address Network Time Protocol (NTP)/ Simple Network Time Protocol (SNTP) synchronized time Method of data entry (direct entry, speech recognition, automated, copy/import, copy forward, dictation)

Date/Time/User stamp of original author when data are copied

Date/Time/User stamp of original author if data are entered on behalf of another (e.g., an assistant enters clinical information for a physician)

Other

(11)

The following questions ask about the certified EHR technology's audit log

and metadata features.

17 .

Is the audit log operational whenever the EHR technology is available for updates or viewing?

Yes No

18 .

To what extent does the hospital consider the following to be barriers to having the audit log operational at all times?

Insufficient storage space for data

To A Large

Impedes system performance Inability to use audit log data (i.e., cannot identify and interpret audit log data) Insufficient human resources Inadequate training on audit log functionality

A lack of user guides for audit log functionality

Other

(12)

The following questions ask about the certified EHR technology's audit log

and metadata features.

19 .

Can the audit log be disabled?

Yes No

20 .

Who can disable the audit log?

Any EHR user

EHR users who are authorized to access the audit log EHR system administrators

Other

Please specify:

21 .

Can the audit log be deleted?

Yes No

22 .

Who can delete the audit log?

Any EHR user

Other

Please specify:

23 .

Can the audit log be edited?

(13)

24 .

Who can edit the audit log?

Any EHR user

Other

(14)

The following questions ask about the certified EHR technology's audit log

and metadata features.

25 .

How long are audit log data stored?

26 .

Does the EHR technology allow for the destruction of EHR and audit log data according to the hospital's data retention policies?

Yes No

27 .

Can the EHR technology produce a user friendly version of the audit log (i.e., a summary of audit data in a readable format or embedded in an electronic form) for transmitting, printing, or exporting?

(15)

The following questions ask about the certified EHR technology's audit log

and metadata features.

28 .

Does anyone at the hospital analyze the audit log data?

Yes No

29 .

Which of the following individuals at the hospital analyzes the audit log data?

EHR system administrator

Yes No Compliance officer Privacy officer Other Please specify:

30 .

How often is the audit log data reviewed and analyzed?

Monthly Quarterly Annually Other

(16)

31 .

To what extent does the hospital consider the following to be barriers to analyzing audit log data?

Insufficient storage space for data

To A Large

Inability to interpret audit log data

Insufficient human resources Inadequate training on audit log data

A lack of user guides for audit functionality

Other

(17)

The following questions ask about how physician progress notes are entered

into the certified EHR technology.

32 .

To what extent are physician progress notes handwritten and/or dictated instead of directly entered into the EHR at this hospital?

All physician progress notes are handwritten/dictated

Some physician progress notes are handwritten/dictated and some are directly entered into the EHR

No physician progress notes are handwritten/dictated

33 .

How are these physician progress notes maintained?

Maintained as a hardcopy

Yes No

Scanned into the EHR Transcribed into the EHR

34 .

Why are physician progress notes not directly entered into the EHR?

35 .

How are physician progress notes entered into the EHR?

Typed directly into the EHR as free text

Yes No

Entered into the EHR with templates

Other

(18)

The following questions ask about how nursing notes are entered into the

certified EHR technology.

36 .

To what extent are narrative nursing notes handwritten instead of directly entered into the EHR at this hospital?

All narrative nursing notes are handwritten

Some narrative nursing notes are handwritten and some are directly entered into the EHR

No narrative nursing notes are handwritten

37 .

How are these narrative nursing notes maintained?

Maintained as a hardcopy

Yes No

Scanned into the EHR

38 .

Why are narrative nursing progress notes not directly entered into the EHR?

39 .

How are narrative nursing notes entered into the EHR?

Typed directly into the EHR as free text

Yes No

Entered into the EHR with templates

Other

(19)

The following questions ask about the certified EHR technology's capabilities

regarding exporting and transmitting EHR documents.

40 .

Are there limits on which EHR users are authorized to electronically export, transfer, or print EHR documents?

Yes No

41 .

Does the EHR technology require the user to document why an EHR document was electronically exported, transferred, or printed?

Yes No

42 .

Does the EHR technology have the capability to disable the Print Screen function?

Yes No

43 .

Does the hospital disable the Print Screen function for the EHR technology?

(20)

The following questions ask about certified EHR technology features

regarding patient access.

44 .

Do patients have the following electronic access to their EHR data?

View their entire EHR

Yes No

View only components of their EHR

Ability to comment in their EHR View all entities to which their EHR was released

View all the entities who accessed their EHR

Other

(21)

The following questions ask about certified EHR technology features

regarding patient access.

45 .

To what extent does the hospital consider the following to be barriers to allowing patient access to their EHR data?

EHR technology does not support the capability

To A Large

Hardware does not support the capability

Resistance by physicians to have patients access the information

Concerns with patient security and privacy

Funding restrictions/ additional costs to implementation

Insufficient training on the EHR technology

Inability to integrate with existing systems

Concerns with EHR system performance

Hospital policy prevents such access

Other

(22)

The following questions ask about the certified EHR technology features

regarding patient identity management.

46 .

What procedures does the hospital require to identify patients upon check-in?

Photo identification

Yes No

Established relationship (i.e., visual recognition)

Verifying identity based on information an individual can verify (e.g., address, data of birth) Biometric identification Other Please specify:

47 .

For each patient check-in, does the EHR technology have the capability to record which identification procedure was used to confirm patient identity?

(23)

The following questions ask about additional features and safeguards that

the hospital's certified EHR technology may have in place.

48 .

Can an EHR document be modified after it has been finalized by a "signature event" (i.e., the proactive or auto default completion of a patient encounter)?

Yes No