The Bush administration has signed off on 14 recommendations in a federally funded report by RTI International on how to use electronic health-record systems to detect healthcare fraud and to gather evidence for fraud prosecutions.
Give payers EHR data: report
Privacy, security advocates oppose ‘fraud fighting’ plan
The 115-page report, enigmatically titled Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems, includes a controversial call for requirements that EHRs be designed to provide payers, acting as fraud auditors, remote access to patient records, including the records of a patient over a period of time and not just to verify care for a specific claim.
The report, posted on the RTI Web site at www.rti.org, has some in the industry crying foul. Fraud prevention is not the purpose of the initiative, said Twila Brase, president of the Citizens Council on Health Care, a patient-advocacy group based in St. Paul, Minn., in an e-mail. More likely, its meant to cajole a resistant public and worried policymakers. Who can argue against fraud prevention? The focus on fraud prevention is meant to impede public resistance to broad data collection and access, she said.
Theres a burgeoning health data industry dependent on access to everyones information, Brase said. Data is a gold mine for those who want to aggregate it, build treatment protocols with it, get government contracts for quality monitoring using it and sell it in various forms to others, she said.
The work by RTI, a Research Triangle Park, N.C., research institute, was funded through a $488,000 contract awarded in October by the Office of the National Coordinator for Health Information Technology at HHS, which reviewed and approved the recommendations. The report is dated May 2007, but was released by RTI earlier this month.
While the stated objectives of the RTI study were to identify certification requirements for EHR systems that would help increase data validity, accuracy and integrity, overwhelmingly, the focus of the report was on fraud detection and prevention.
Specifically, it laid out a series of proposed requirements for EHRs to be picked up and incorporated into the activities of two separate, federally funded IT promotional organizations, the Healthcare Information Technology Standards Panel and the Certification Commission for Healthcare Information Technology.
According to the National Health Care Anti-Fraud Association, an insurance industry-supported trade group, fraud-related losses run between 3% and 10% of healthcare expenditures, or $51 billion to $170 billion a year, based on 2003 total expenditures of $1.7 trillion.
Some of the recommendations would be aimed at preventing fraud from occurring before care is given. Other recommendations would identify fraud after the patient record is documented in the EHR, but before payment is made.
Others would be retrospective and identify fraud after a claim has been paid. The activities undertaken in this project are simply the latest steps in an ongoing process to develop and integrate effective anti-fraud measures in the evolving EHR (system) requirements, according to the report.
While the scope of the RTI study was limited to EHRs in ambulatory care, the report concluded that its recommendations could apply to the other healthcare IT systems and to the proposed national health information network, or NHIN, a linkage of local and regional health information exchange organizations.
Perhaps the most controversial of the recommendations was one of several regarding auditing: specifically, creating auditor access to patient records.
The recommendation stated, The system shall have the capacity to allow authorized entities read-only access to the EHR according to agreed-upon uses and only as part of an identified audit subject to appropriate authentication, authorization and access control functionality. Such access controls shall also support the applicable release of information protocols, local audit policies, minimum necessary criteria and other contractual arrangements and laws.
While access would remain controlled by the EHR user facility, Remote access may be offered if agreed to by the organization. In a rationale section accompanying the recommendation, the report goes on to explain that access to patient records need not be limited to the record of the current patient encounter for which a claim is being submitted, but previous encounters as well.
The recommendations got mixed reviews from Don Schoen, president and chief executive officer of MediNotes, a West Des Moines, Iowa, developer of EHR systems for ambulatory care, and chairman of the Electronic Health Record Vendors Association, a trade group affiliated with the Chicago-based Healthcare Information and Management Systems Society.
Schoen said that he supported some of the recommendations. But he also took issue with some of the procedures of the RTI work group that produced the report, including lack of vendor participation and the short public comment period, noting that only about 63 respondents, on average, voted in favor of the 14 recommendations, a response rate he called ludicrous.
Among the recommendations Schoen opposed is one requiring vendors to build into their systems portals so payers can peruse patient records. In talking about a back door, that opens it up to hackers even more, if youre allowing the payers to come in remotely. Whenever you open up the record, youre creating greater security aspects that have to be covered and built into the product. As an association, weve been trying to band together to reduce the complexity of the products. It goes against what we were talking about reducing complexity.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.