Members of the public will have just over a week to
comment on a list of proposed federal "model
requirements" on the functionality of electronic health
records systems that would conscript the developers of
electronic health record systems and the physicians who
use them in the fight against healthcare
fraud.
The model requirements are to be delivered to the federally funded contractor, the Chicago-based Certification Commission for Healthcare Information
Technology, with the recommendation that they be
included in future CCHIT criteria for testing and
certification of healthcare IT systems.
The recommendations would impact the use of EHRs at the
point of care as well as add fraud-detection tools to
the national healthcare IT system to be deployed after
the patient encounter.
One of the proposed requirements would bar EHR
developers from software that would electronically
prompt physicians to provide missing data elements that
could increase the level of the evaluation and
management codes for patient encounters.
Another would enable payers to have electronic access,
potentially, to information in a provider's EHR for "an
entire episode of care," not just a single encounter
for which a bill is being submitted.
The latter has privacy advocates up in arms.
"What we have here is administrative action that
violates every citizen's fundamental right to privacy,"
said Deborah Peel, an Austin, Texas, psychiatrist and the
founder of Patient Privacy Rights Foundation, in a 2½-page written response. "This draft is yet another
instance of ONCHIT/HHS putting corporate interests
ahead of the lives and health of the American
people."
The Web posting of the guidelines was announced by HHS
late Friday afternoon, although e-mails were sent
Thursday notifying interested individuals who
pre-registered with on the Web site run by RTI
International, the contractor on the project for the
Office of the National Coordinator for Health
Information Technology at HHS.
The close of the public comment period is Jan. 22.
Subtracting the Martin Luther King federal holiday, it
leaves the IT cognoscenti who had signed up just seven
business days and only five business days for the remainder of the public to review more than 60 proposed requirements in 16 categories.
RTI created two work groups to prepare the
recommendations: one looking at ways to enable
healthcare providers to detect and prevent fraud prior
to or at the creation of the EHR, the other focusing on
ways to prevent or detect fraud after the EHR has been
created, either before or after a claim is
paid.
The proposed rules deal with a number of functional
issues, and, accordingly, will be forwarded to CCHIT,
which is developing criteria for testing and certifying
healthcare IT products. CCHIT has
certified 37 EHR systems for the
physician office market. CCHIT is developing additions
to the physician office EHR testing criteria that will
be used in testing systems after May this year. In
addition, CCHIT is working on a first set of criteria
for the testing and certification of inpatient EHR
products. Testing of these hospital-based systems is to
begin later this year.
According to the RTI Web site: "The term 'model
requirements' used in this project is meant to indicate
a product that will be put forth as recommended
criteria for future EHR certifications. These criteria
will not become official requirements unless they are
adopted as such by entities in the future."
The recommended requirements cover audit trails for
information placed in EHRs, tagging every clinical
entry in the patient record to physicians or other
providers by using the national provider identification
number.
Another recommendation proposed to tighten up the
wording on existing CCHIT certification criteria that
require EHR vendors to create systems that will prompt
physicians for data required "to determine appropriate
administrative (evaluation and management) codes if
such data is not present in encounter data."
The proposed amendment aims to restrict EMR vendors
from creating systems that "explicitly or implicitly
direct a user to add documentation" for evaluation and management
coding.
In an explanation of the rationale behind the proposed
new CCHIT requirement, the authors said: "It is
appropriate for EHRs to calculate an Evaluation and
Management (E&M) code from the encounter data which has
been entered and to indicate the basis for that
calculation. However, it is not appropriate to suggest
to the provider that certain additional data, if
entered, would increase the level of the E&M code."
Copies of the recommendations are available at
ehrantifrauddev.rti.org,
although access to the documents and the ability
to post comments are restricted to those who register
on the site.
Peel said the draft does not include requirements
giving patients the right to control access to their
information, to segment access to specific portions and
to block access to other, more sensitive information,
and does not ensure that proposed EHR audit functions
also record and allow patients to know who has audited
their records.
"The draft is supposed to be designed to help
corporations and the government detect fraud, but who
better to detect fraud in his/her own record than the
patient himself or herself or record reviews by panels
of expert physicians?" Peel wrote. "Instead, the draft
is designed to grant payers access to EHRs that
patients would never agree to: open access not just to
'episodes of care,' but to patients' entire medical
records. This draft is designed to eliminate patients'
fundamental rights to control access to their medical
records, by claiming that such access is needed to
detect fraud."
In a telephone interview, Peel said, "The patient
should decide who has access and what their information
is to be used for, not ONCHIT or HHS," Peel said. "They
wave a word in front of us, fraud, woo, and we're
supposed to say, 'Sure, go ahead.' They think that
we're all opposed to fraud and we are, but that just
isn't the way to do it. There is a better way to fight
crime than violate the privacy of every law-abiding
citizen."
What do you think? Write us with your
comments at hitsdaily@crain.com. Please include your name, title and hometown.
