August 20, 2007

Detouring Deception
By Selena Chavis
For The Record
Vol. 19 No. 17 P. 18

New antifraud requirements for electronic health records are designed to head off potential problems.

It falls somewhere between $50 billion and $170 billion. That’s the wide-ranging havoc that healthcare fraud is estimated to wreak on the nation’s economy each year.

And whether the most factual estimate lies somewhere toward the low or high end of those numbers doesn’t change the compelling nature of the problem for industry experts, many of whom believe that the widespread adoption of electronic health records (EHRs) will only make matters worse.

When it comes to healthcare fraud, statistics vary widely. The low-end estimate comes from the National Health Care Anti-Fraud Association (NHCAA), suggesting that fraud accounts for at least 3% of the nation’s annual healthcare outlay, which equates to more than $50 billion. “Fraud in healthcare tends to be defined differently by different authorities, but all definitions share certain things in common (ie, a false representation of fact or a failure to disclose a face that is material to a healthcare transaction), along with some damage to another party that reasonably relies on the misrepresentation or failure to disclose,” says David K. Nace, MD, chief medical officer at McKesson Health Solutions.

Then, there are the larger estimates offered by government and law enforcement agencies that place the loss as high as 10% of the nation’s annual expenditure, or $170 billion. “Fraud is experiencing an unprecedented growth in many regions of the country—New York, Los Angeles, for example—and has gotten the attention and interest of organized crime, who see this as an alternative to more dangerous and risky activities of the past, as healthcare fraud is both safe and very lucrative,” says Nace.

The schemes for healthcare fraud are becoming more systematic, thoughtful, and organized and are a moving target—constantly shifting to more sophisticated schemes, according to Nace. For this reason, as electronic records and transactions become more commonplace, he says it is imperative to install protections against what is a potential for more abuse, given the mobility, power, and greater potential for fraud.

As the first proactive step toward implementing prevention functions designed to combat the potential for fraud in new technology, the Office of the National Coordinator (ONC) for Health Information Technology recently awarded RTI International of Research Triangle Park, N.C., a $500,000 contract to develop antifraud requirements for EHRs. The requirements, scheduled to be released last month, cover a detailed range of risk areas and will be presented to certification bodies for inclusion in their criteria as the next step in the process.

“We cannot be neutral and allow emerging technology to come out without being proactive,” says Don Simborg, MD, chairman of the project’s executive team appointed by the AHIMA. “The experts felt that the potential for fraud greatly increases in an electronic environment when we don’t build safeguards proactively.”

Jeff Young, MPH, director of the clinical investigation unit for Utah-based Healthcare Insight, a company providing fraud prevention services, concurs, noting that electronic records can facilitate a dependency. “If the user of an EHR is dependent on just what’s on the screen, it can lead to inaccurate coding,” he emphasizes. “The process tends to be less thorough and more programmatic.”

Offering examples of typical problems he has seen with EHRs, Young notes, “We’ve seen cases where the same entry is used over and over again. It gets suspicious. You would expect to see some variation in the information.”

The contract with RTI was awarded following an ONC-funded research initiative in 2005 that resulted in the AHIMA’s Foundation of Research and Education (FORE) identifying 10 guiding principles for preventing fraud—one specifically speaking to the need to address EHRs. Under terms of the contract, RTI researchers worked with FORE and SPSS, Inc., a leading analytics solutions provider.

An Opportunistic Reaction
Adding transparency to the process of developing the requirements, a public comment period was offered in early 2007. Don Mon, PhD, the AHIMA’s vice president of practice leadership, recalls that most comments were supportive of the endeavor. “These [proposed requirements] were good practices to maintaining records … it would protect you from inadvertently engaging in fraudulent activity,” he says, adding that initially, there was concern the industry as a whole may respond the wrong way, perceiving the requirements as “accusatory.”

According to Mon, stakeholders, including entities such as law enforcement agencies, technology vendors, healthcare and hospital associations, and social services groups, offered a wide range of comments to RTI regarding the initial draft, the majority of which addressed such areas as cost to physicians, usability, and whether the additional requirements would discourage EHR adoption. “We did respond to the public comments and made many changes,” Simborg says.

Wannetta Edwards, RHIA, MS, HIM product manager with Siemens Medical Solutions, participated in the public comment period, noting that her concern was to “make sure the requirements were attainable.” Also a member of the AHIMA, Edwards believes that adoption of the requirements will provide an opportunity to not only address the potential for fraudulent activity in EHRs but also reduce the kinds of fraud seen in the past.

“It will be more difficult because of audit trails and secure access to patient information,” she suggests. “You have less chance to have certain kinds of errors that may have occurred with paper-based records.”

Young agrees, citing that audit trails will eliminate the potential for back-dating documents or adding details to previously documented entries. Having a legible, consistent process will also decrease the opportunity for human error, he says, further adding that “it will be interesting to see if once the requirements come out, if we will see a decrease in some of the trends.”

In addition, Nace says the move to EHR systems represents a “truly unique opportunity for improving billing accuracy and reducing healthcare fraud and improper payments.”

The Devil’s in the Details
Whether the requirements will have the intended impact depends largely on how they are adopted by certification and standards organizations—specifically the Health Information Technology Standards Panel (HITSP) and the Certification Commission for Healthcare Information Technology (CCHIT), says Kathy LePar, RN, MBA, senior manager of consulting services with Massachusetts-based Beacon Partners. “Now that there is the CCHIT, this is the best way to bring [the requirements] into play … bring it in through the certification process,” she notes, adding that most of Beacon’s clients are focused on products that have completed the certification process. “I think this will be pretty much a core stand with the CCHIT.”

Since they are not government mandated, Simborg expresses concern that the “requirements” may become no more than suggestions. “My feeling is that they [CCHIT and HITSP stakeholders] are not going to adopt most of these unless something is done to force them to do this,” he says. “Neither of these organizations have anti-fraud on their priority list.”

According to CCHIT spokesperson Sue Reber, the organization has just begun its 2007-2008 development work, and it is premature to determine how the requirements may fit into the certification process. “Naturally, the CCHIT will be considering all potential sources of requirements. It’s too early to say which of those external requirements will become criteria or where they will appear on the roadmap,” she notes. “That will depend on the work of the volunteer workgroups, the public comment process, and the commission deliberations during the coming year.”

The requirements provide for extensive fraud detection and prevention components within an EHR, including provisions such as a comprehensive audit trail, user authentication, availability of user-friendly audit reports, identity tracking for all copies of a record, patient access, and the ability to maximize structured and coded data. Another requirement provides a standard that ensures the national provider identifier (NPI) is used to prevent common fraud schemes involving the theft of provider numbers to submit false claims.

Simborg suggests that the audit trail component plays a crucial role to fraud prevention in that it “tells us the metadata” about the record. Metadata is the structured data describing a resource’s characteristics—in the case of healthcare records, it could identify the user at any given time, as well as provide important background referencing.

“There were a lot of things we felt an audit trail would be useful for after the fact,” he says. “They [auditors] look at patterns of behavior. There are certain things that look out of the norm.” In the case of audit trails, Simborg notes that it was also important to establish a requirement allowing for a clear way of linking any claim back to the original encounter.

“An EHR can detect trends as if it can look across patients and/or providers,” Nace says. “As such, the EHR can also have the ability to provide trending and analysis. A truly effective fraud-and-abuse system needs to provide a capability for detection and analysis across patients and providers. The use of advanced analytics software that is built into an EHR and eventually into an NHIN [national health information network] will be critical to continuing our vigilance against new, creative fraudulent schemes. By developing a system that can not only tie into activity that is linked to the same provider, same clinic, same patient, etc, we need to have a system that can track and follow patterns that become aberrant or unusual that the system can flag as an alert or suspicious behavior. Thus, a system of interoperable EHRs can help move fraud management from a ‘pay-and-chase’ model to a ‘validate-and-deny’ model, powered by advanced analytics.”

The requirements call for not only a system of authenticating the user but also the need for developing functionalities that go beyond the typical ID and password approach. “The requirement needs to progress over the years well beyond the current method,” emphasizes Simborg, suggesting that in the future, considerations should be made for such things as a biometric identifier.

According to John Grimm, director of market strategy for Massachusetts-based technology vendor Courion, automating the user-provisioning process in the healthcare setting should be a given anyway. “The whole issue of who has access to what has a major bearing,” he says, adding that the requirements will raise awareness of the importance of having control of who is accessing what on the front end. “Healthcare organizations get huge value from automating that process,” Grimm says.

Also enacted as part of the requirements is a clear tracking system identifying important information when notes are copied and pasted within a chart, a practice often used as a shortcut to updating information. Now, physicians would have to retain the date, time, and user stamp of the original author. Still, there remain concerns. “Unfortunately, this does not prevent individual providers from entering false notes, overutilizing services that are not medically necessary, or upcoding E&M (evaluation and management] codes intentionally,” says Nace.

Young points out that repetitive entries—sometimes the result of sloppy copying and pasting—often lead to suspicion. “It does raise the question as to what’s really happening on a particular day,” he says.

Simborg recalls that it became apparent that requirements were needed to address coding when “we saw problems with certain software features that could potentially prompt a physician to inappropriately raise the E&M code.” The requirements provide for a method where the system may inform physicians when their E&M codes—the current system for computer coding—do not match their documentation.

From the opposite perspective, LePar believes the standardized requirements addressing coding in EHRs will also help physicians avoid lost revenue because “in many cases, providers are undercoding as well.”

Simborg notes that the committee also wanted to maximize the structured and coded data as much as possible to eliminate the potential for errors. “We want to make sure that as much of the record as possible be coded,” he says.

According to Mon, now that the major components have been identified, it’s up to industry voices such as the CCHIT and HITSP to make the requirements an agenda item.

While the requirements are detailed and extensive in nature, Mon believes that a great deal of overlap exists in standards and criteria that are already accepted by these bodies. “When you take a look at a lot of the things we are proposing, you are essentially killing two birds with one stone with many of these requirements,” he says.

The Cost Factor
Simborg says most audit trail requirements do not overlap, and there will be costs associated with implementation. “I don’t think it’s huge, but I think there is some,” he notes.

Emphasizing that the CCHIT is part of an open, public process, much like that used to formulate the antifraud requirements, Simborg suggests the possibility exists that stakeholders will not be open to the changes. “You cannot dictate to an open process like that. Their constituency consists largely of the vendor industry, and it’s not something their customers are asking for,” he says. “There would be a natural resistance on the part of the vendors.”

On the other hand, Nace says payers (commercial, state Medicaid agencies, Centers for Medicare and Medicaid Services) are invested in making sure that whatever system they are using to interact with the EHR include fraud detection and management. Since the payer market—given its larger investment in ensuring effective fraud management and scale of operations—is more likely to influence this market, it may end up being the tipping point to define the market requirements, he says.

Edwards says making the transition to the requirements should not be that cumbersome to vendors. “I would like to think that with the types of systems we are building … we are providing flexible tools that will accommodate the requirements,” she says, noting that when changes come down that are more regulatory in nature, the cost usually does not get passed down to the customer. “Many times, as [a technology vendor] is presenting new [product] releases, they are introducing several new features. Hopefully, you can build it in so that it is somewhat more seamless.”

While cost may be a deterrent to some in the vendor community, Simborg suggests it may also come down to priority. “They all have more on their plates than they could possibly ever develop,” he emphasizes. “It’s not so much the cost, but where does it fit in their priorities.”

Nace sees other issues that need to be addressed. “Of most importance is that, although the requirements are termed ‘anti-fraud,’ what the standards represent are really about developing a system to allow for high-quality data in healthcare—data that is reliable, accurate, and has integrity—and is supported by a system that is ‘smart’—able to protect the integrity of data and, thus, protect the quality and affordability of healthcare for generations to come.”

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.

Scheme a Little Scheme
According to the National Health Care Anti-Fraud Association (NHCAA), healthcare fraud is the deliberate submittal of false claims to private health insurance plans or tax-funded public health insurance programs such as Medicare and Medicaid. It has been viewed as a serious nationwide crime phenomenon since the 1990s.

While some fraudulent activity may be linked to human error, the NHCAA offers the following examples as the most common types of fraud committed in a malicious manner by dishonest providers:

• Billing for services that were never rendered, either by using genuine patient information to fabricate entire claims or padding claims with charges for procedures or services that did not take place.

• Billing for more expensive services or procedures that were not actually provided or performed, commonly known as “upcoding.”

• Performing medically unnecessary services solely for the purpose of generating insurance payments, often seen in nerve-conduction and other diagnostic-testing schemes.

• Misrepresenting noncovered treatments as medically necessary treatments for purposes of obtaining insurance payments—widely seen in cosmetic-surgery schemes in which noncovered procedures such as nose jobs, tummy tucks, liposuction, and breast augmentations are billed to patients’ insurers as deviated septum repairs, hernia repairs, or lumpectomies.

— SC