Vendors, privacy activists speak out on report

Part two of a two-part series: An HHS-funded study on how to use electronic health-record systems as fraud-fighting tools was well-received by government information technology leaders; the 151-page report with its 14 specific recommendations got a decidedly mixed reception from IT vendors and privacy advocates.

The RTI International recommendations got split reviews from Don Schoen, president and chief executive officer of MediNotes, a West Des Moines, Iowa, developer of EHR systems for ambulatory care, and chairman of the Electronic Health Record Vendors Association, a trade group affiliated with the Chicago-based Healthcare Information and Management Systems Society.

Schoen said that he supported some of the recommendations, particularly one that calls for vendors to not build into their systems prompts that suggest physicians could add more documentation to the record of a patient encounter to obtain a higher-paying evaluation and management code.

"I can't speak for every product that's out on the market today, (but) most members don't have products that prompt docs at a certain level," Schoen said. "Most measure what doctors have reported in their note and tell them this is the code that qualifies. The last thing the doctors want as well as the companies themselves is to stand under scrutiny to commit any kind of fraud. We're out there to help our clients get paid for what they honestly and justifiably should." But he also took issue with some of the procedures of the RTI work group that produced the report, including a lack of vendor participation and the short public comment period, both of which compared unfavorably with practices by CCHIT, he said.

"Not one of our vendors that we know of has been on that panel," he said, adding that during the two-week comment period, on average only about 63 respondents voted in favor of the 14 recommendations, a response rate he called "ludicrous."

"We talked to one of our members who did respond," he said. "What came out in the comment period, it didn't appear to them that their comments were taken very seriously."

Among the recommendations Schoen opposed is one requiring vendors to build into their systems portals so payers can peruse patient records. "In talking about a back door, that opens it up to hackers even more if you're allowing the payers to come in remotely. Whenever you open up the record, you're creating greater security aspects that have to be covered and built into the product. As an association, we’ve been trying to band together to reduce the complexity of the products."

While Chittaranjan Mallipeddi, CEO of MedPlexus, in Sunnyvale, Calif., is ambivalent about the recommendation to provide payers with EHR access, how that access is obtained and used will be key to whether the practice is acceptable to physicians. Those decisions should be made in concert with physicians, he said. Even so, adoption could suffer.

"I think EHR systems should work as a tool to reduce errors and they should help physicians to make timely decisions and catch errors at the time of prescribing or making a decision," Mallipeddi said. "But if the payers want to use (them) as a tool, that's great. That's a side benefit. But they should work with the physician. If what RTI is saying, if some of (their recommendations) make it through, I think it is certainly, for a certain section of physicians, they are going to be very concerned. The payers, or Medicare, they can impose this. It all depends on what is the methodology and what is the process. I think that makes a big, big difference. The physician community is very concerned about it; where does it lead, where does it go?"

In 1999 and 2000, physicians and medical societies in 19 states sued 10 of the largest U.S. managed-care companies, accusing them of using claims-processing technology to illegally withhold physician payments through conspiracy, fraud and violations of the Racketeer Influenced and Corrupt Organizations Act. Virtually all of the Blues Plans were targeted in a similar lawsuit in 2003. Several payers settled, others fought and won, but the lawsuits themselves pulled back the curtain on an IT arms race between payers and providers, with payers being accused of developing computerized "claims denial engines."

The lawsuits publicly revealed an ocean of mistrust between payers and providers. Thus electronic access should be "a two-way street," said Mallipeddi.

Mallipeddi, like Schoen, said he agrees with the RTI recommendation not to build into the systems prompts to recommend missing elements to obtain a higher evaluation and management code.

But Jason Mitchell, the assistant director of the Center for Health Information Technology at the American Academy of Family Physicians, sees it differently. Mitchell said EHRs should provide both clinical decision support, helping doctors do the right thing at the right time, and financial decision support, to help them bill the right way at the point of care.

Mitchell said the recommendation that EHRs "shall not explicitly or implicitly direct a user to add documentation" is not fair to physicians.

"It makes sense from the payers' standpoint, because they want to minimize the codes," he said. "But from a physician's business standpoint, this doesn't make sense.

"There should be financial decision support that enables us to get the best reimbursement that we can that is legal and any tools we can use to do that is appropriate," he said.

As for electronic access, Mitchell said the request is not unexpected.

"We figured that's going to happen on an electronic basis," he said. "Where we stand now, we get audited all the time anyway. The insurance companies send their persons around now and start pulling charts. They're looking at a number of encounters, not just the one we're billing against." These audits now are extremely time-intensive, so anyone thinking plans wouldn't one day seek to automate the process "is a little naive."

When it comes to IT, physician privacy has been "significantly neglected," Mitchell said, noting physician prescribing patterns have been tracked on data-miners' computers for years. Now, patients will have their records tracked by payers, too, even for physician encounters that are not subject to a current claim, even for those that were paid previously by another plan and even for those that were paid by the patient themselves with cash.

Privacy consultant Robert Gellman, a lawyer based in Washington, D.C., found the RTI panel lacking on a couple of counts.

"I would feel better about the report if I saw any evidence that patients, privacy advocates or consumer representatives were actively represented on the team that prepared it," Gellman said. He also mocked a drawing that depicted healthcare information technology as a tree, with fraud detection and deterrence as one of many branches, while privacy and security were pictured beneath its roots.

"Preventing fraud is a fine goal, but I worry about facilitating more sharing of patient data with more people not directly engaged in the treatment of the patient," Gellman said. "I think that it is telling that the report reproduces a picture of health IT as a tree with privacy, security and confidentiality buried as far underground and out of sight as possible."

Austin, Texas-based psychiatrist and privacy advocate Deborah Peel, head of the Patient Privacy Rights Foundation and a member of a HITSP work group on privacy and security, is a proponent of restoring a patient-consent requirement for the movement of protected health information. Consent was amended out of the HIPAA privacy rule by the Bush administration in 2002.

"What's remarkable about (the RTI/ONCHIT report) is how much it attempts to deceive us in so many different ways," Peel said. "The innocuous report title would make anyone think that the purpose of the report has something to do with ensuring better data quality in EHRs—which sounds nice and smart.

"But the report itself (is) actually about something entirely different. (ONCHIT) proposes to violate every American's health privacy to detect healthcare fraud.

"Independent consent-management tools allow patients to determine all access to PHI and health and claims data wherever it exists, so we can prevent fraud ourselves by keeping those who have no business snooping in our health records out. Medical identity theft and identity theft would end if our right of consent to any disclosures of our health records is enforced using consent-management tools," Peel said.
