RTI report includes controversial EHR requirement

The Bush administration has signed off on 14 recommendations in a federally funded report by RTI International on how to use electronic health-record systems to detect healthcare fraud and to gather evidence for fraud prosecutions.

The 115-page report, enigmatically titled Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems, is posted on the RTI Web site. It includes a controversial call for requirements that EHRs be designed to provide payers, acting as fraud auditors, remote access to patient records, including the records of a patient over a period of time and not just to verify care for a specific claim.

The work was funded by a $488,000 contract awarded in October by the Office of the National Coordinator for Health Information Technology at HHS, which reviewed and approved the recommendations. The report carries a May 2007 date, but was released by RTI last week.

While the stated objectives of the RTI study were to identify certification requirements for EHR systems that would help increase data validity, accuracy and integrity, overwhelmingly, the focus of the report was on fraud detection and prevention. Specifically, it laid out a series of proposed requirements for EHRs to be picked up and incorporated into the activities of two separate, federally funded IT promotional organizations, the Healthcare Information Technology Standards Panel, and the Certification Commission for Healthcare Information Technology.

Some of the recommendations would be aimed at preventing fraud from occurring before care is given. Other recommendations would identify fraud after the patient record is documented in the EHR, but before payment is made. Others would be retrospective and identify fraud after a claim has been paid.

“The activities undertaken in this project are simply the latest steps in an ongoing process to develop and integrate effective anti-fraud measures in the evolving EHR (system) requirements,” the report said. While the scope of the RTI study was limited to EHRs in ambulatory care, the report concluded that its recommendations could apply to the other healthcare IT systems and to the proposed national health information network, or NHIN, a linkage of local and regional health information exchange organizations.

The report defined fraud as "a deliberately false representation of fact or a failure to disclose a fact that is material to a healthcare transaction."

The RTI authors acknowledged that they relied on an earlier work, a 2005 report done under federal contract by the Foundation of Research and Education of the American Health Information Management Association, a Chicago-based professional association for medical records personnel, and research by the National Health Care Anti-Fraud Association, an insurance industry-supported trade group.

The AHIMA foundation's report concluded that "use of advanced analytics software built into the NHIN is critical to fraud loss reduction" noting that the movement to an electronic record-keeping environment "without proactive fraud-management capabilities built in has the potential to greatly increase fraud. The NHIN policies, procedures and standards must proactively prevent, detect and support prosecution of healthcare fraud rather than be neutral toward it."

According to the anti-fraud association, losses due to fraud run between 3% and 10% of healthcare expenditures, or $51 billion to $170 billion a year, based on 2003 total expenditures of $1.7 trillion.

The report authors said RTI study group members had discussions with members of the CCHIT and the Healthcare Information Technology Standards Panel in preparing their recommendations. CCHIT tests and certifies healthcare IT systems. Up to this point, the commission has developed its own test criteria. Only recently has it begun formally coordinating its efforts with the HITSP.

On the other hand, the HITSP has recommended healthcare IT data standards and implementation guidelines to carry out data transmission "use cases" exclusively at the behest of the American Health Information Community, a federal advisory panel established in 2005 by HHS Secretary Mike Leavitt. The report notes that fraud-fighting is "not a mandate" of either CCHIT or the HITSP, and neither has addressed it directly in their work, although there has been some inadvertent overlap in CCHIT criteria and HITSP data standards that could do double duty for fraud-fighting, according to the report.

In that sense, the RTI recommendations on standards and IT testing delivered directly to CCHIT and the HITSP represent something of a policy shift for ONCHIT, and, particularly in the case of the HITSP, appears to be jumping the queue on AHIC, which, according to previous procedure, decided what data transmission tasks were to be the focus of its various work groups. Those AHIC work groups developed "use cases" to depict those tasks. The use cases were then handed over to the HITSP, which sets about finding and “harmonizing,” in effect, anointing, existing data transmission standards needed to achieve those ends.

According to the RTI report, a third of its recommendations for fraud-fighting and data security did not match any of the current or planned criteria by CCHIT, while 45% of the recommendations were at least addressed by current or planned criteria, and another 22% were fully addressed by CCHIT, according to the report. Just five of the recommendations were mirrored in standards already approved by the HITSP, the report said. Perhaps the most controversial of the recommendations was one of several regarding auditing, specifically, creating auditor access to patient records.

The recommendation stated, "The system shall have the capacity to allow authorized entities read-only access to the EHR according to agreed-upon uses and only as part of an identified audit subject to appropriate authentication, authorization and access control functionality. Such access controls shall also support the applicable release of information protocols, local audit policies, minimum necessary criteria and other contractual arrangements and laws."

While access would remain controlled by the EHR user facility, "Remote access may be offered if agreed to by the organization." The report notes that the Health Insurance Portability and Accountability Act's privacy rule as amended in 2003 by the Bush administration allows access to patient medical records without patient consent for "other healthcare operations," which, by definition, include auditing. In a "rationale" section accompanying the recommendation, the report goes on to explain that access to patient records need not be limited to the record of the current patient encounter for which a claim is being submitted, but previous encounters as well.

"Detection of a fraudulent claim is often difficult when a payer has access only to EHR information for a single encounter," the report said. "Reviewing information over an entire episode of care for a single patient allows greater ability to detect fraud."

Urgency has been a characteristic of the RTI effort.

The report itself describes a "rigorous production schedule" that allowed for only a "fairly short" public comment period of 14 days, from Jan. 11, when the recommendations were made public on an RTI Web site used to gather comments, to Jan. 24, when the comment period closed. It was a process that generated comments from 75 individuals and organizations. Only one of 31 organizations that commented could be considered a consumer group—the American Association of People with Disabilities. None were privacy advocacy organizations.

The report stated that "throughout the process, it was understood that anti-fraud requirements had a likelihood of sparking intense discussion from multiple stakeholders." It noted "There were a number of requirements offered for discussion that were not further pursued because it was believed consensus could not be achieved" by a review panel that was handpicked by RTI and approved by ONCHIT.

In an e-mailed response to a request for comment, Twila Brase, president of the Citizens' Council on Health Care, a patient advocacy group based in St. Paul, Minn., blasted the RTI report. According to Brase, the RTI statement that the report is about addressing fraud control is, in itself, a ruse.

"Fraud prevention is not the purpose of the initiative," Brase said. "More likely, it's meant to cajole a resistant public and worried policymakers. Who can argue against fraud prevention? The focus on fraud prevention is meant to impede public resistance to broad data collection and access.

"The real issue is not cost, it's profit," Brase said. "There's a burgeoning health data industry dependent on access to everyone's information. Data is a gold mine for those who want to aggregate it, build treatment protocols with it, get government contracts for quality monitoring using it, and sell it in various forms to others. Profit is also the motive for those who want to use the data to cut their costs by controlling the practice of medicine and decreasing patient access to care.

"Data provides profits and power over patient care, sometimes both at the same time," Brase said. "If the NHIN succeeds, or if electronic medical records are mandated (as in Minnesota), except for intrepid doctors who will not bend, succumb to pressure or be compromised, there will be nowhere to get medical treatment outside the watchful eyes of 'the system.' EHR system data will be used to ration care. The decisions will be called 'data-based.' "

Brase also criticized the report for citing protections supposedly provided by HIPAA's privacy rule, which allows the exchange of a patient's personal healthcare information without that person's consent for treatment, payment or "other" healthcare operations.

"It is a farce to reference HIPAA as addressing the privacy issues," Brase said. "HIPAA is a 'no-privacy' rule. These HIPAA-authorized releases without patient consent or knowledge are privacy breaches in the truest sense of the word."

"Electronic medical records are not inherently bad. The problem is centralized or linked systems without informed voluntary patient consent that can limit the types of data, the use of data and the recipients of data," she said. "Those who understand the link between the loss of privacy and the loss of personal power are necessarily worried about online, linkable, electronic medical records that can find you and monitor you from anywhere."

What do you think? Write us with your comments at Please include your name, title and hometown.