Auditing Copy and Paste

For organizations that allow carrying forward clinical documentation, auditing its use is a key part of ensuring document integrity.

Copying clinical documentation can be a time-saver for busy clinicians. It also can pose a risk to document integrity. For organizations that allow use of the copy functionality in their EHR systems, part of keeping compliant with organizational, state, and federal requirements is auditing the practice for proper use.

Ensuring Documentation Integrity

Copying forward clinical documentation is the process of copying existing text in the record and pasting it in a new destination. Clinicians may use it to save time when updating notes on an existing patient. It is also known as copy and paste, cloning, and carry forward, among other terms.

Carrying existing information forward may be appropriate when the copied information is:

  • Based on external and independently verifiable sources, such as basic demographic information that is stable over time
  • Clearly and easily distinguished from original information, such as automatic summaries that populate data fields that are clearly identified as nonoriginal and cannot be mistaken for original information
  • Not actually rendered as part of the record until after a re-authentication process and also auditable for identifying actual origination

Thoughtfully and appropriately managing copy functionality requires that organizations have sound documentation integrity policies. This is especially important given that EHR implementations change operational processes and documentation and workflow practices within the organization.

The use of copy functionality without the ability to review, test, audit, and approve presents significant medical and legal risks (see sidebar). With appropriate checks and balances in place, however, prudent use of the functionality can be systematically evaluated so that documentation integrity is ensured.

Even organizations that have barred the use of copy and paste through policy will still require auditing if the copy function is available in its EHR system and cannot be turned off. HIM professionals can take a leadership role in addressing copy forward processes by listening, conversing, and collaborating with other stakeholders within the organization.

Determining System Audit Capability

Ensuring that copied documentation follows all appropriate organizational, state, and federal requirements requires system tracking (audit trails), observing organizational use, and testing system capabilities.

How an organization approaches this task depends in part on the record system it uses. Some early electronic documentation systems have allowed functionality that would not be considered acceptable today—for example, cloning encounters or copying content without attribution to the original source. More recent EHRs address this loophole. In all cases, however, organizations must confirm how the functionality works in their particular systems.

If organizational policy bars a given use of copy and paste but the system supports that action, the organization must decide how this behavior will be monitored and measured. Some systems will be capable of tracking and detecting the action and can report retrospectively on who used the functionality, as well as how and when they employed it.

(Organizations should not assume that even certified products provide the ability to audit copy functionalities. The 2008 certification criteria from the Certification Commission for Healthcare Information Technology do not require that copy functionalities of any type be auditable events.)

Developing an Audit Plan

Organizations can develop an audit plan by first determining how providers plan to use the copy functionality. If the intention is to allow the copy of documents from one system to another (e.g., from transcription import system to the EHR, from one progress note to another, from one assessment to another, across encounters, within encounters, template to template) the auditing capabilities may be complex.

The organization should test each of the proposed uses. Testing may require thorough investigation to systematically identify what can be audited and what cannot. An interdisciplinary approach including HIM professionals, IT staff, and perhaps system vendors is recommended. (See sidebar for sample testing activities.)

HIM professionals are a key participant in the development of copy audits, in part because of their knowledge of essential state, federal, organization-specific, and Joint Commission documentation requirements. To that end, they can ensure that all of these standards are identified, reviewed, and met in conjunction with the proper implementation of the copy functionality. Failure to consider these key documentation requirements can result in inaccurate or erroneous information within the health record, even potentially a deficiency from an accreditation body.

Timely reporting is also a key part of the process to ensure that the audit results are reported to the appropriate organizational committee, and it should be a part of the ongoing review process. Violations of the copy policy should be identified, validated, and rectified through factual documentation. Such action should take place in an appropriate timeframe.

Copy Risks

Using the copy functionality in an EHR system poses risk to documentation integrity, including:
  • Inaccurate or outdated information that may adversely impact patient care
  • Inability to identify authors or what they thought
  • Inability to identify when the documentation was created
  • Inability to accurately support or defend E/M codes for professional or technical billing notes
  • Propagation of false information
  • Internally inconsistent progress notes
  • Unnecessarily lengthy progress notes

Sample Copy Functionality Testing

As with any new technology, comprehensive testing of functionality should occur prior to implementation. Following are three copy functionalities recommended for testing. Ideally the system has a test environment or other means to make sure that testing does not have problematic impact on the actual patient information system.

While they are not comprehensive tests, the following three points provide a first set of screening questions to apply and target areas for further investigations:

1. Copy functionalities that originate in software other than the EHR, such as copy in Microsoft Windows

a. Can this be blocked or disabled for use in the EHR system?

b. Is there a way to monitor or otherwise identify its use?

c. If there is no way to automate use monitoring and the functionality cannot be disabled, what other alternatives are available to ensure proper documentation?

2. Copy functionalities that permit duplication of sections of a patient record for use in new documentation, such as medication or problem lists

a. Is the original source (date, time, and author) of the information visible in the record?

b. Is the original source of the information traceable in the audit functionalities?

c. Does the system require sufficient review of the copied documentation to ensure it is reviewed and intended by the clinician?

3. Copy functionalities that duplicate an entire prior encounter record from a different date, and possibly from a different author or different patient, and represents it as today’s documentation.

a. Is the original source (date, time, and author) of the information visible in the record?

b. Is the original source of the information traceable in audit functionalities?

c. Does the system require sufficient review of the copied documentation to assure it is reviewed and intended by the clinician?

Creating Work Lists

Developing a simple initial work list can introduce the copy forward concept and help with the due diligence process. Basic questions to address are:

  • Can a copy event be retrospectively identified?
  • Is an appropriately detailed audit log generated when a copy event occurs in the course of documentation?

A compliance-oriented electronic record system will have rules that feed an auditing work list. For example, many systems can provide the HIM department with a list of incomplete notes. Similarly, the system may be able to generate a list of encounters where providers have used the copy function.

The work list could also capture what is deleted, copied, retracted, or recorded as an addendum within the health record itself. This offers auditors a starting point for compliance audits. Understanding exactly what the system does and what the options are for retrospective analysis is valuable knowledge in supporting appropriate practices and eliminating improper ones.

Organizations should consider the following reports or work lists:

  • Sample of copy functionality use over a prior interval by one or more individual users, if this is available as an auditable event in the system.
  • A list of patients re-admitted within a determined amount of time (e.g., within 30 days, three months, six months). This report can be used to randomly audit documentation (e.g., review readmissions history and physicals or assessments within a certain period of time).
  • A report that compares discrete data elements in the electronic record (e.g., pain score and the comment area of the pain assessment for the entire patient length of stay).
  • Use of coding professionals or clinical documentation specialists to identify copy practices when reviewing for completeness of documentation to support coding and billing.
  • A review of patients on a “teaching service” to verify original documentation by residents and medical students.
  • Where copy use is not auditable, use of commercially available software to analyze documents and identify duplicate phrases.

Because copy functionalities are a high-risk area, organizations will be best served by developing policies and procedures that include:

  • Notification when an incorrect copy note has occurred.
  • How and when audits will be conducted for auditable events.
  • Who will perform the ongoing concurrent audits.
  • The frequency for performing the audit.
  • The time period covered by the audit.
  • The description of the review population, the group, the service, the location, etc.
  • How sample size is determined.
  • A description of the outcome indicators (e.g., patient safety indicators).
  • A description of planned analysis techniques.
  • A corrective action plan based on findings. In the EHR environment, the action plan will also include identification of system functionalities that require mitigation, correction, or elimination and reporting to the appropriate compliance officers, with periodic follow-up until both functional and operational corrections are complete.

A sample audit policy is shown in the sidebar on the right.

Sample Copy Audit Policy

PURPOSE: The purpose of the health record is to provide a basis for planning patient care and for the continuity of such care. Each record should provide documentary evidence of the patient’s medical evaluation, treatment, and change in condition as appropriate. The purpose of this policy is to provide guidance on the audits required in conjunction with the copy functionality within the EHR. For the purpose of this policy, copy shall be understood to include cut and paste, copy forward, cloning, and any other movement of documentation from one part of the record to another.

POLICY: In order to protect the integrity of the health information record and to provide quality patient care, copy functionality within the EHR should be used in conjunction with all applicable state and federal regulations. Noncompliant use of copy functionalities is considered a sanction offense in accordance with the organizational policies.


[Insert responsible party; e.g., HIM Department]:

  1. Determines how and when audits will be conducted
  2. Determines who will perform these ongoing concurrent audits
  3. Establishes frequency for performing the audit
  4. Establishes time period covered by the audit
  5. Identifies how the sample size is determined
  6. Identifies a description of the outcome indicators
  7. Determines how copy functionalities within the record are identified
  8. Designs a corrective action plan based on findings
  9. Provides a detailed list of copy functionalities as they exist within the electronic system
  10. Provides testing of copy functionalities prior to implementation and prior to version updates
  11. Identifies copy functionalities and categorizes by whether they are retained as auditable events or otherwise identifiable as copied (e.g., date and time stamps, showing that a large number of data elements or a large block of documentation was generated in the system concurrently and instantaneously)

See also: [List related hospital policies here]

Read the Toolkit Online

  • The “Copy Functionality Toolkit” is available from AHIMA [...]. It includes information on:
  • Risk of fraud, abuse, and compromise of clinical data
  • Education and training
  • Case scenarios of proper and improper use
  • Questions organizations can ask when considering the use of copy and paste
  • Sample copy policy, sanction policy, education policy, auditing policy, and testing activities

Prepared By

This article was adapted from the AHIMA publication “Copy Functionality Toolkit” [...] Authors:

Reed Gelzer, MD, MPH, CHCC
Terri Hall, MHA, BS, RHIT, CPC
Elizabeth Liette, RHIA
Mary G. Reeves, RHIA
Jennifer Sundby, MA, RHIA
Anne Tegen, MHA, RHIA, HRM
Diana Warner, MS, RHIA, CHPS
Lou Ann Wiedemann, MS, RHIA, CPEHR
Kelly McCormick

Article citation:
AHIMA. "Auditing Copy and Paste" Journal of AHIMA 80, no.1 (January 2009): 26-29-.