[THIS TRANSCRIPT IS UNEDITED]
TABLE OF CONTENTS
Page
Call to Order 1
Health Oversight Issues 2
Discussion 70
Health Oversight Discussion Continued 112
P R O C E E D I N G S (9:05 a.m.)
Agenda Item: Call to Order
MR. GELLMAN: This is the second day of our hearings. This is the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. Yesterday we were here all day talking about health research and public health uses of health information. Today's focus is on oversight.
We will at the end of the day, I'm not sure exactly when that will be, be accepting public comments. If people want to speak, there is a sign-up sheet over on the table and we will accommodate you at that point.
This morning we're going to hear from all of our witnesses. I'm going to ask the witnesses to limit their remarks to five minutes, and as I did yesterday I will cut you off at the five minute mark. We're going to be here all morning and we have lots of questions and there will be lots of opportunity to speak.
We are going to begin by going around the room -- one point for the witnesses, it's very hard to hear in here so if you would speak up it will help the people in the back to be able to hear. We're going to begin by going around asking everyone if they would identify themselves and we will start off here.
[Introductions were made.]
MR. GELLMAN: Thank you all. I think we're just going to begin. We will start with Mr. Hartwig. I will let you introduce yourself and explain where you come from. We will just go right down the line and please proceed.
Agenda Item: Health Oversight Issues
MR. HARTWIG: Good morning. I would like the thank the subcommittee for the opportunity to address you on an important issue of health privacy and law enforcement. My name is John Hartwig. I'm the Deputy Inspector General for Investigations at the United States Department of Health and Human Services Office of Inspector General. My office and other federal law enforcement agencies have always been aware of the sensitivity of health information obtained in the course of our health oversight activities. I believe it is very important to note at the outset that the federal law enforcement community has an excellent record in protecting such information from misuse and unnecessary release.
The HHS Office of Inspector General has a wide range of health oversight responsibilities. We were established to assume responsibility for directing the department's efforts in controlling fraud, waste and abuse in all programs funded and administrated by the Department of Health and Human Services. Health related programs within our jurisdiction include Medicare, Medicaid, Indian Health Services, Centers for Disease Control and the National Institutes of Health programs.
The OIG carries out its oversight responsibilities through a comprehensive program of audits, program evaluations and investigations. It is impossible to carry out these responsibilities without access to personally identifiable health information. While we strictly limit the collection and maintenance of information to that which is relevant and necessary to our activities as required by the Privacy Act, we often must have access to even very sensitive health information to conduct an investigation, to audit within federal auditing standards, or to adequately evaluate the effectiveness of a department program.
Examples of the types of Medicare fraud and abuse we investigate, audit and evaluate are issues of whether services were billed but not rendered, intentionally miscoding of laboratory services, billing for unnecessary services and quality of medical services provided. We have recently had several large cases involving incontinent care kits being billed for patients who were not incontinent. Potential losses to the Medicare program just from cases identified to date total approximately $200 million. I would add that when we started our investigations and evaluations, incontinence supply kits were billed at the tune of about $200 million a year to Medicare. Those billings after some of the investigations of audit have dropped to next to nothing. The problem was first identified through an OIG evaluation. It really could never have been uncovered without the ability to review identifiable patient health records.
In another major OIG effort, the Office of Audit Services conducted audits of teaching hospitals and found medical services of residents being billed as services of a teaching physician. Settlements relating to that audit to date in just two hospitals total $42 million and that audit has received nationwide attention.
It is equally important that we have access to health records without unnecessarily and potentially crippling restrictions. Health care programs lose billions of dollars a year to health care fraud and abuse. The General Accounting Office has estimated health care losses to fraud and abuse as approximately 10 percent of outlays. At the same time, the resources we have to identify and investigate these crimes and other abuses are limited. If we burden our enforcement staff with time consuming record access requirements, it will significantly hinder our fight against large scale fraud.
To put this in perspective, our recent investigations of laboratory billings in the Medicare program has already led to settlements with major laboratory chains totalling over $500 million. Other settlements are pending. This effort took the combined resources of not only the investigation side of our office, but audit services, Justice Department, U.S. attorneys, other inspector generals throughout the country, the Federal Bureau of Investigation and other agencies within federal and state law enforcement.
In order to maximize limited health oversight resources, federal and state law enforcement agencies must work closely together. We have the ability not only to have prompt access to records, but we also must have the ability to work jointly, which requires the ability to share information.
Some recent health care privacy bills drew a distinction between disclosure for law enforcement based on whether the subject of the medical record was the target. While infrequent, we do occasionally have Medicare beneficiaries participate in fraudulent schemes. Furthermore, HHS is responsible for several programs such as Medicaid and AFDC where the recipient is sometimes involved in a scheme to defraud. Also, the same individuals frequently are simultaneously defrauding several federal health and state and private benefit programs. It is crucial to successful anti-fraud efforts to be able to work with other law enforcement agencies.
In commenting on recent health privacy proposals, we have urged that legislation address real, not theoretical abuses. We have expressed concern with some proposed legislative provisions which were complex and would produce unnecessary and burdensome litigation rather than create a true balancing of interests.
We also have generally objected to any provision which would absolutely bar access to health information for law enforcement purposes as not in the public interest. Regardless of the type of medical information or the purpose for which it was collected, we believe that there needs to be some mechanism for providing for its use and disclosure for legitimate law enforcement inquiries. We believe that the federal Privacy Act provisions with meaningful penalties for misuse is a good starting point for the issue of access to health records for law enforcement.
I would certainly be happy to answer any questions you may have on my comments or any other questions.
MR. GELLMAN: Thank you very much. Mr. Diegel.
MR. DIEGEL: Good morning. How are you? I would also like to thank the committee for inviting the Coalition Against Insurance Fraud to testify this morning. My name is Mike Diegel. I'm the Director of Communications for the Coalition.
We are a broad-based national organization of insurance companies, consumer groups, regulators, prosecutors and other public interest parties dedicated to combatting all forms of insurance fraud through education and advocacy. Our insurer members include State Farm, the American Insurance Association, Nationwide, Fireman's Fund, the Hartford, AIG, USF&G and General Accident. The consumer groups and government organizations include the Consumer Federation of America, Consumer Fraud Watch, Consumer Action, the National Association of Insurance Commissioners and the National District Attorneys Association.
We applauded the Congress for enacting the anti-fraud provisions of the Health Insurance Portability and Accountability Act of 1996 and we're pleased this committee is taking the responsibility for the interest of privacy in medical records. Insurance fraud affects all of us, whether we're consumers, government, businesses or insurance. We believe that fraud in health care clearly is a contributing factor to the high cost of health care. We estimate that all types of insurance claims fraud costs Americans nearly $80 billion in 1994. Health care claims fraud alone at nearly $54 billion is the largest single component.
We strongly believe that patients' medical records are personal and should not be open for public scrutiny upon a whim or out of curiosity. However, we also believe there has to be a better balance between the admittedly conflicting interests of investigating suspected fraud and patient privacy.
A major element of fraud affecting the health care system is committed by providers of health care, whether they are medical doctors, chiropractors, diagnostic labs or other providers. Fraud is committed against all federal programs, Medicare, Medicaid and Champus, as well as against third party private payers. In the health arena, we see providers submitting bills to insurers for services not rendered, treatments not performed for test not given. In workers compensation, we see scam operations where the health care providers are billing insurers for non-existent injuries for workers or for treatments not performed. In automobile accidents, we see scam operations where the bills are being submitted for non-existent injuries to phantom patients. These raise the cost of insurance to honest consumers in the nation.
To properly investigate suspicious claims submitted by health care providers, it may be necessary for law enforcement to have access to a central database of patient records in a manner that's not intrusive to the patient. Such a review can quickly assess the question of whether the billing records match the information in the patient records. In addition, checking a patient's records to ascertain whether the bill submitted to the insurer is an honest account of services rendered is in a way to prove a provider's intent to commit to fraud.
The coalition believes that exemptions to the absolute privacy of patient records will help fully and accurately investigate fraud being committed by health care providers. This exemption should be limited to cases in which the investigation is bona fide and is conducted without malice and with minimal disclosure of any information. We don't want to see medical records open in a capricious manner or available on the Internet for anyone to read.
We also think it's important that this committee consider the history and track record of these types of investigations. Over the years, many local investigations have been conducted and access to private records has been permitted. In no case that we are aware of has there been a violation or abuse of patient privacy. We have no reason to believe these high standards will not remain in force in the future.
Legislation considered in Congress over the past several years would have set high hurdles for good fraud investigations to clear. Is it really necessary for investigations to seek notice and approval in advance from patients prior to reviewing the records? In some instances, patients are part of the fraud, even acting as partners with the medical provider defrauding the insurer.
In a case that's just come to light in New Jersey, more than 800 people were named in the largest auto accident scam known to date. The parties involved include a large number of clinics and medical providers as well as the patients. Clearly, asking permission to view the records would have given the principals ample time to alter or destroy the records or simply disappear during the initial investigations only to resurface later in another state ready to set up a similar scam.
The coalition is not here today to tell this committee that medical records should be open for all purposes at all times. The coalition strongly believes we can balance the need for access to records with the desire for privacy in a way that's beneficial to both sides. Our consumer members recognize the need to balance these concerns.
There are two reasons for the acceptability of fraud investigations. One is simply a desire to lower the high cost of fraud, which is eventually paid out of the consumer's pocket. The second reason is this. Computer aided fraud investigations can speed up the settlement of honest claims by separating suspicious claims from legitimate ones far more quickly than human investigators. That increase in efficiency benefits all honest patients and providers.
We hope this committee will be able to come up with a standard that protects the individual without opening the door to increased fraud and diminish the ability to conduct proper fraud investigation. Thank you very much.
MR. GELLMAN: Thank you.
MR. MAHON: Thank you, Mr. Chairman. Good morning, everyone. My name is Bill Mahon. I'm Executive Director of the National Health Care Anti-Fraud Association here in Washington. We appreciate the invitation to come and speak with you today. NHCAA is a 12-year old private/public non-profit organization that comprises in the private sector approximately 75 third party payers as corporate members, commercial insurers, Blue Cross and Blue Shield plans, third party administrators, self-insured corporate health plans. On the public sector side, we cover virtually the entire range of federal law enforcement agencies who have investigative and prosecuting jurisdiction over health care fraud, including Mr. Hartwig and Mr. Broadaway who participate in our organization on behalf of their inspector general's offices.
In the five minutes, I would like to just sketch out a few key points in support of what your correspondence very aptly called the tradeoffs that are involved in reconciling the need for privacy and confidentiality of individually identifiable health information with the equally compelling public interest in deterring what has come to be recognized as a very significant crime problem against the health care system.
As Mr. Hartwig indicated, estimates run as high as 10 percent of what we spend on health care being lost to outright fraud. No one knows that that's true, nor will anyone know precisely how much is lost, but the experts in our organization who do this for a living estimate that at a minimum, if you want to measure it that way, we can probably rest assured that we lose three percent of our total expenditure of $1 trillion annually, or $30 billion. In all likelihood, they indicate it's probably somewhat more than that, perhaps the $54 billion that Mr. Diegel cited, or five percent roughly.
Within that, there are certain realities that I think have a bearing on the privacy considerations vis a vis private payers. Of the nation's total health care expenditure, 55 percent remains a private sector expenditure between third party payer benefits and patient out-of-pocket benefits. When HCFA projects health care spending through the year 2005, it envisions that private/public split with the private sector predominance remaining in place in our health care spending.
It has always been, and it still is, legally more risky to defraud Medicare, Medicaid, Champus, a Labor Department Program than it is to defraud a private payer. Certain things that are illegal when Medicare, Medicaid and Champus are involved are not illegal in the private sector, paying kickbacks for patient referrals for example, or routinely waiving a patients' copayments as a marketing hook with which to get them into a fraudulent billing scheme. So the private payers have a key role to play in fighting fraud and they are at least equally as victimized as are the government programs in this.
What are the realities that come into play? Mr. Hartwig alluded to a couple. You almost never find a dishonest provider defrauding one payer at a time. The only smart way to commit claims fraud is to spread your false claims among enough payers so that you stay below the radar for as long as possible with each one. You almost never find anyone defrauding a private or a public target exclusively. Typically if they do it to Medicare, to Champus, to Medicaid, they do it to Blue Cross/Blue Shield of Tennessee, to Employer's Health and Aetna and so forth.
What do they do? The most commonly encountered type of fraud is billing for things that were never done. You either fabricate charges to add to otherwise legitimate claims and you bill for lab work or EKGs or x-ray that never happened with the rest of the bill that was done, or you simply obtain patient names, patient Medicare numbers, insurance information, what have you, and you make it up.
That leads to a key privacy consideration that represents the patient protection side of the privacy and anti-fraud coin. When you fabricate claims as the basis for committing fraud, generally speaking as a provider, you are fabricating a medical history or a portion of a patient's medical record.
A psychiatrist in Newton, Massachusetts was convicted of 136 counts of mail fraud, money laundering and witness intimidation. He was using real patient's names, patients whom he had counseled as the basis for billing for many more counseling sessions than he actually performed. In cases where he knew the names of their spouses, their children, their siblings, et cetera, he was fabricating claims for psychiatric counseling in the names of people whom he had never met, let alone ever treated. The mother of two young boys whose names were used as the basis for these fraudulent claims said to the Boston Globe last year, somewhere in a bit insurance company computer both my sons have a record of psychiatric treatment. It's not right and it's not fair.
So I think the key consideration I'm trying to highlight is that in seeking to protect all of our confidential health care information, we have to be aware that in a fraud scheme, if a dishonest provider is fabricating claims, some of that protected health care information may be inaccurate, it may be fraudulent. That may dog me throughout my employment history, throughout my future insurability and so forth. We have to be very careful in drawing privacy boundaries that we don't rule out the possibility of bringing those falsehoods in patients information to light and rectifying them.
In the staged accident schemes that Mr. Diegel alluded to, we have to be aware that the so-called patients whose medical claims are aimed at the bodily injury component of auto insurance policies are in fact among the crooks. They're part of the scheme. Four people pile into a car, they get on the beltway, one car boxes you in, the other car slams its brakes on in front of you, the four occupants of the car each file the maximum in medical claims against the auto insurer. One very large such scheme --
MR. GELLMAN: Can I ask you to stop there and we will come back to you later.
MR. MAHON: Sure. I would invite any questions and look forward to talking with you in more detail.
MR. GELLMAN: Dr. Buck.
DR. BUCK: Yes, Mr. Chairman and members, thank you for the opportunity of being here this morning. I'm speaking on behalf of the Joint Commission on Accreditation of Health Care Organizations, the nation's oldest and largest accrediting body now managing the accreditation of approximately 16,000 organizations of all types and sizes.
The Kassebaum-Kennedy bill makes an attempt to separate financial administrative data from clinical data, and we feel that this is not possible in the fullest sense of the word, nor is it constructive. For this reason and the very broad definition of health information that is provided in the act, the Joint Commission comes to you with the position that confidentiality legislation is supported. Such legislation should build on PL-104161, perhaps with some refinement and such legislation should provide a comprehensive framework for confidentiality policy and operational rules.
We would make four recommendations to you. The first is that national accrediting entities, when appropriate, should be referenced as standard setting organizations. The standards set by national accrediting bodies for the collection, use and transmission of data by health care organizations and other providers must be considered and the needs of the national accrediting bodies for relevant, reliable and valid data with appropriate protections should also be structured into such legislation so that these organizations and ours can meet our public responsibilities for health care quality and oversight.
I would say in passing that the application of standards developed and promulgated by the Joint Commission are applied at a level higher, for example, than that which is dealt with in the ANSI group such as X12 and HL7.
The second recommendation is that clinically oriented data elements, whether individually identifiable or in aggregate, need comprehensive treatment to facilitate integration as appropriate with financial and administrative data. Under some circumstances, aggregate data not specifically identifiable back to an individual is, and will be, sufficient to support performance needs of accreditation. However, in some circumstances such as in the evaluation of a sentinel event occurring at an accredited organization, there can be a need for review and analysis of patient specific data and other related information.
Also, in regard to the generation, use and aggregation of individually identifiable data, the Joint Commission has pioneered efforts to clarify and resolve issues about data quality, auditing standards and techniques and risk adjustment methodologies. Such efforts and other related concerns are moving to center stage in improving a variety of activities including oversight, management and education.
A third recommendation is that external comparative metrics providing high level organizational comparisons should be stringently defined. Disclosure of these metrics should not produce a risk for discoverability or other data or other database content on the part of the health care provider. We would also make an associated recommendation to you that a task force of national accrediting bodies might serve the subcommittee well in addressing this extremely significant and contentious report card, or so-called report card issue.
Increasing need for statistically meaningful data, audit standards and processes is mentioned above, whether to verify aggregate data or perhaps in some cases to investigate potential fraud or other unlawful activities that have already been referenced. There must be a structured protected process to go backwards from aggregate data and to regenerate individually identifiable data from which it has been derived.
A fourth and final recommendation is that national accrediting entities should be included in the definition of data clearinghouse if that concept and term are carried over from PL-104161. Given the comments above, such inclusion or other better specific clarification concerning the status of accrediting bodies is recommended.
For example, national accrediting bodies might be better designated as health care quality oversight organizations. Regardless, basic functions of accreditation, that is standard setting, evaluation, consultation, education and comparison are and will become more databased and performance focused. Essential to the support of quality oversight and accountability, these functions must fit with those of other entities into the comprehensive constructive dynamic framework that we hope will be offered by confidentiality legislation.
The Joint Commission endorses the subcommittee's charter, invites further discussion in any area of concern, is happy to submit helpful materials and we welcome additional discussion and questions. Thank you very much, Mr. Chairman.
MR. GELLMAN: Thank you. Mr. Broadaway.
MR. BROADAWAY: Mr. Chairman and members of the subcommittee, my name is Fred Broadaway. I'm the Assistant Inspector General for Investigations at the U.S. Department of Labor. I appreciate this opportunity to speak to you this morning about the protection of an individual's privacy concerning medical information. With the numerous information technology advances that are occurring today, the need for protection of personal medical information increases. However, a careful balance must be struck between the protection of an individual's need for privacy and law enforcement agencies' need for access to records in order to detect, investigate and prosecute health care fraud and related claimant fraud. Overly broad protections could have the unintended result of hindering legitimate law enforcement efforts against health care fraud.
I have been asked to provide the subcommittee with the perspective of my office as the law enforcement agency tasked with protecting several health care programs under the jurisdiction of the U.S. Department of Labor. Since its inception in 1978, the Office of Inspector General has been heavily involved in combatting fraudulent claims relating to health. As yo may be aware, the Department of Labor administers, operates or oversees many worker related health care and benefit programs. These include the administration of the Federal Employees Compensation Act Program which provides medical benefits and disability compensation to federal employees who are injured during the performance of their official duties, the Black Lung Benefits Program which provides medical care and monthly compensation to former coal miners disabled from black lung disease, and the Longshore and Harbor Workers Act Program which provides benefits to certain injured and disabled maritime employees.
The OIG is responsible for conducting audits and reviews of these programs and conducting criminal investigations arising from allegations of fraud or corruptions by claimants, medical providers or program administrators. The department also has oversight responsibility for all employee health benefit plans that are covered under the Employee Retirement Income Security Act, ERISA. The OIG conducts criminal investigations concerning ERISA employee plan fraud which relate to our Labor Racketeering Program.
I certainly support the goal of protecting an individual's privacy by placing limits on the collection and disclosure of medical information. However, I am concerned that any restrictions on access to personal medical information should also recognize the needs of law enforcement agencies. My office routinely uses medical information obtained by grand jury subpoena, OIG subpoena, search warrant, review of agency claimant files or individual waivers while conducting a wide range of health care fraud investigations. These investigations are generally claimant or provider based.
Many of the claimant schemes relate to workers compensation fraud in which federal employees claim to be disabled as the result of a workplace injury but are not. Most generally, these dishonest claimants lie to health care professionals regarding their conditions and the degree of their disability when treated for their workers compensation claim. In some instances, where our investigation has documented the workers compensation claim as a fraud, other medical records can be useful as evidence confirming the original claim was fraudulent.
A substantial portion of our investigations involve unscrupulous medical service providers who, often without claimant's knowledge, fraudulently bill for services or equipment that was never provided. As a result, our special agents at times require access to a wide assortment of records from individual claimant medical records to bills submitted by doctors and other medical providers in order to interview claimants as to whether services were rendered or equipment was delivered.
I'm also concerned that excessive restrictions on health information access could hinder our investigations of private health and welfare plans covered under ERISA. The OIG conducts criminal investigations into union and non-union employee health benefit plans covered under ERISA. These investigations require the OIG to review literally thousands of documents and records. For example, when OIG special agents are conducting an investigation into a union sponsored health plan or multiple employer health plans, they may have to review the records obtained by a search warrant or grand jury subpoena of a plan that processes hundreds of claims per month.
Fraudulent activity in ERISA health plans varies from outright embezzlement cases to cases where groups of claimants are not bona fide members of the plan and thus not entitled to the plan's benefits, to the cases where a medical service provider to the plan is double billing or billing for services not rendered. The variety in these types of schemes makes access to all types of records relating to the plan a necessity for our special agents.
During the last Congressional session, Senator Bennett introduced S-1360, the Medical Records Confidentiality Act of 1995. This legislation proposed some significant changes to the current treatment of medical information. The OIG, along with the Department of Justice, forwarded comments to the Senate Labor and Human Resources Committee outlining our concerns over several of S1360's provisions.
Specifically, the OIG was concerned with S1360's provisions on the access to information by law enforcement agencies. In order to conduct a thorough investigation of health care fraud, it is essential that we examine certain medical records during the investigative process. However, S1360 required a finding of probable cause before a grand jury or administrative subpoenas could be issued. This was a departure from existing standards since neither inspector general subpoenas nor grand jury subpoenas presently require a finding of probable cause.
The bill also contained a notice provision and a formal challenge procedure which we believe would have encouraged litigation at the investigative stage. We were also of the opinion that the probable cause standard, coupled with the notice and challenge procedures, would have severely obstructed the effectiveness of IG and grand jury subpoenas and our ability to conduct criminal law enforcement investigations into health care fraud.
The OIG was also concerned that S1360's restrictions may have precluded us from accessing medical information that was paid for with DOL funds. The bill would make those departmental agencies in possession of medical information health information trustees, thereby limiting their ability to provide protected information or possibly even refer suspected fraud cases to the OIG.
In conclusion, we are hopeful that the committee will recommend a law enforcement exemption to any general protection of health care information. This exemption should provide for investigative access to government agency records and access to records under current practice and search warrants. Thank you very much.
MR. GELLMAN: Thank you. Thank you all. Let me begin by trying to sort of outline what the problem, at least why we've got a couple of different issues raised here at the same time. The legislation that's been proposed -- and I'm not necessarily talking about one bill, but just the general structure of the three main bills that have been proposed -- deals with a variety of users of medical information that can make a case recognizes that there is a tradeoff between privacy and other functions. So for example, yesterday we talked about the use of medical records in health research and that's reflected in all of the bills in a variety of different ways, but it's there, and the same thing with public health.
All of the bills sort of have a catchall category which is called oversight, because there are really lots of different institutions and organizations that use medical records in a variety of ways, and you're all prime examples of this, that are really hard to categorize specifically. One of the ideas behind the language that was in the bills was we wanted to put some limits around who could get records, but we weren't sure that it was possible to really identify every institution and every possible use, so some kind of a general standard was written in an attempt to be both flexible and limiting at the same time.
So I want to explore some of the problems that come with that, the difficulties in figuring out what health oversight function in legislative terms isn't necessarily very easy. I want to begin with licensing and certification and the accreditation function.
The bills tend to include language to describe a person who performs and assessment -- and we're not going to do wordsmithing of the bill, but just for background -- and assessment, evaluation, determination, or investigation relating to the licensing, accreditation or certification of health care providers. Are these well understood terms? Do they all have significant meaning? Does that help define your sphere of the world and those people who do things like you?
DR. BUCK: Mr. Chairman, it does. I would say that it's on target, but if I may it's perhaps incomplete in the sense that these terms are well understood, they're in common usage and generally they apply to the processing or evaluation and ongoing assessment of people functioning in the system. There's another whole activity that needs to be looked at, at least from the accreditation perspective, and that is direct review of medical records, which is an important part of assessing administrative activities and other perhaps data collection functions within an accredited organization, be it a hospital or a long-term care facility or a health plan.
In terms of dealing with that data piece that may derive from the examination of medical records, I would venture that accrediting organizations have a most direct concern and interface with the process of developing data from individual patient records so patient identifiable data, which is then transformed in some way to aggregate data and potentially back again. So the accrediting organization is concerned, my point here is focused both on the individual unit data piece if you will, all the way to the use and description of aggregate collections to define organizational performance.
MR. GELLMAN: Okay, at the moment I want to come back to the individual record use and explore that a little. I'm just talking about that this is the threshold requirement. Who qualifies under this legislation, at least being able to -- there are exceptions here that allow these organizations to look at records. The question is really whether that threshold has been well defined and whether -- what's to stop anybody, the law doesn't say that you have to be an officially recognized accreditation -- that you have to have a license to be an accreditation organization from the secretary or from some organization. Could anybody just come along and say I'm accrediting hospitals, show me records?
DR. BUCK: No, I think that over time there has been a clarification of what constitutes a national accrediting body. Further, we in our initiative to recognize other accrediting bodies in our work to reduce duplication have developed a set of criteria which we would be happy to share with the committee that establish common practices and certain functions such as standard setting that we feel are part and parcel of the accreditation activity and other requirements of function such as disclosure.
MR. GELLMAN: One of the things we're doing at this hearing is, and this has been yesterday and today, the description of all of the witnesses from yesterday and today they're all users of medical information and they all have an argument. One of the things I'm trying to get on the record here is your justification for getting access to records. I would like you to explain if you would why your functions are important. How do people benefit from the work that you do?
DR. BUCK: I would say that the key here is both an oversight activity on the part of accrediting agencies and a broader related activity that would be described as perhaps organizational improvement, perhaps consultation, education, that type of thing. So there's an oversight piece to it clearly and then there's a perhaps more subtle educational consultative piece that goes along with accreditation.
In terms of need to know, we have developed, and pioneered the development of data management standards that are applicable to health care organizations. I will share a copy of these with the committee. They're in two main chapters or our accreditation manuals. One is information management and the other is improving organizational performance. The review of the medical record which is done as part of an accrediting --
MR. GELLMAN: Let me come back to that in a second. Can you explain a little more the benefits of your function? I mean, do you improve the quality of health care, do you lower costs? I mean what are the benefits to the system here?
DR. BUCK: I think the benefit is establishing accountability for satisfactory administration and medical care as documented in medical records. It speaks to content, it speaks to format, it speaks to transmission of information from provider to provider, continuity of care, that type of thing.
MR. GELLMAN: That helps. Now, let me go back to the question of records. Why do you require identifiable records? Why can't most or all of your functions be carried out without getting access to identifiable records?
DR. BUCK: The point is made in our written presentation that for most purposes accreditation needs can be served by aggregate data. I think that is true today and I think it will be true in the future. However, there are certain circumstances when we feel it is a necessity that we have access to individual identifiable patient data. One example perhaps which is familiar to most of the committee would be in the investigation of sentinel events.
MR. GELLMAN: Can you explain what a sentinel event is?
DR. BUCK: A sentinel event is generally an adverse event that has had, or could have, very significant potential injury to patients, one or more, or has resulted in such injury to one or more patients. As you know from the newspapers and other media sources, these things are a constant concern. We would like to think that the incidence of such significant adverse events is somehow as low as it can be in a statistical sense, but each of these really that comes to our attention -- I shouldn't say each, but many of these, most of them do require specific surveys, specific reviews, specific reevaluations of the facility.
MR. GELLMAN: Can you give a specific example of the kind of event you're talking about?
DR. BUCK: One that was, I think it's okay to talk about because it's a matter of public record was in Boston at the Dana Farber Institute. It involved not one, but as I recall two very significant tragic situations involving the chemotherapy of cancer patients. One of them I know resulted in a fatality. That prompted not only a specific reevaluation of things that heavily involved our organization, but we worked with that organization over a substantial period of time to create what probably is today one of the best record systems and automated support operations in the country. So there was a kind of silver lining. But that could not --
MR. GELLMAN: What was the nature of the event? What happened that caused this?
DR. BUCK: Through a series of errors, an overdose of a toxic substance, a massive overdose was administered. I want to tell the group here, because it wouldn't be fair not to mention this, that out of that tragic event, acknowledged publicly involving our review and other organizations as well, there was a silver lining, because out of that process has come a wonderful improvement.
MR. FANNING: Can I ask a question? What is the actual technique of investigation? Does your organization send an employee to the facility or what actually happens as a record review and inquiry matter?
DR. BUCK: We try to match the resource involvement with what the circumstances seem to justify, but in a situation such as I've just described, we send in basically a full survey team. They do a focused investigation of that event in the context of prior accreditation findings and current findings as we determine, and that very frequently, almost always, involves getting significantly into individual patient specific data, perhaps more than one patient, usually several, and almost always associated financial and administrative data as well.
MR. GELLMAN: In the course of your sort of routine activities, including this kind of investigation, how many individual records might be reviewed? Are we talking about dozens, are we talking about thousands?
DR. BUCK: It depends on the size of the facility.
MR. GELLMAN: You might be looked at thousands of records?
DR. BUCK: All accreditation surveys and decisions involve review of medical records, whatever program. We have now seven programs with three kind of modifications, call it 10, that really cover every type of health care organization in the United States.
MR. GELLMAN: So you might be looking at thousands of individually identified --
DR. BUCK: In a year's time, absolutely.
MR. GELLMAN: I understand. And you need to be able to -- the sentinel event you explained the need to look at a very specific incident. But as part of a general review you still need to look --
DR. BUCK: Absolutely.
MR. GELLMAN: Can you explain why?
DR. BUCK: That includes everything from office review of practicing health care providers, perhaps in a clinic setting, all the way to large university hospitals, medical centers, that type of thing. The number of records would depend of course on the size of the facility and other factors.
MR. GELLMAN: Right, I understand that. Why do you need identifiers in these reviews?
DR. BUCK: You mean to get to the individual patient? Basically to track perhaps disparities or questions that are noticed at the time.
MR. GELLMAN: Let me ask a different question. Suppose that all the records are fully computerized, I know that's not the case everywhere yet and it will be a long time before it is, but suppose all the records are computerized so that the stripping of identifiers is administratively simple, the computer can be told --
DR. BUCK: And it could be regenerated in a simple way.
MR. GELLMAN: Right. Would that reduce your need?
DR. BUCK: I think that would reduce the need, if we had the option on occasion based on indication to require that the real identification be regenerated so that it could be tracked.
MR. GELLMAN: Do you track records across institutions? If I can give you a complete record within an institution, what kind of tracking -- where would you go from that record to pursue other information about that particular incident?
DR. BUCK: Generally, it is limited to the institution, to the organization.
MR. GELLMAN: But giving you the complete record without an identifier, what are you missing that you need to follow? Who do you need to talk to about this in order to proceed?
DR. BUCK: I think it would be in the setting you're describing important on occasion to be able to go to other departments that were involved in this, other sections that were involved in this care.
MR. GELLMAN: Will you be talking to the physicians or other people involved in the care?
DR. BUCK: Yes, indeed. In fact, it's a feature of the survey now, we say it's performance and function focused, meaning that the evaluation is far more integrated than it used to be. We strive to do exactly what you just said, that is to go to other treating related parts of, or within the organization to assess that care, as opposed to perhaps years ago when we used to say stick in the surgery department or the medicine department or what have you.
MR. GELLMAN: How would you feel if the law were written to say well, you can have access to identifiable records, but establish some kind of a standard, in other words it wasn't unlimited or unrestricted discretionary access on your part but said you could only do it if you met a certain word test. The need for identifiable medical records was clearly determined to be essential to the function you're carrying out -- I'm just making up words now, but the question is --
DR. BUCK: I think the credibility of the process must be preserved. That means the option for random selection, it means the option for unannounced surveys, we do make unannounced surveys, five percent, where we literally walk in and say here we are.
MR. GELLMAN: I'm really only getting to the issue not of whether you can have access but identifiers.
DR. BUCK: I understand. I would say that if in an extremely short time frame on a random unannounced basis a verifiable individual patient record could be produced, which given certain indications could be then specifically identified for sure, that would be sufficient. But I can say I emphasize the words short time frame, unannounced, random, all the things that you need to build a credible verifiable audit process, if you will.
MR. GELLMAN: Do you have the need in your functions to retain identifiable records? I mean you come in, you do a review, you do an audit, do you take away identifiable records? Do you maintain them on a permanent basis in some fashion?
DR. BUCK: We do not maintain such records on a permanent basis, no.
MR. GELLMAN: To your knowledge, is there any record of misuse of patient records by licensing or accreditation authorities? Have any problems arisen, any people been disciplined or fired?
DR. BUCK: Yes.
MR. GELLMAN: Can you explain some of the circumstances.
DR. BUCK: The circumstances we're concerned about I think are exactly the circumstances that have been touched on here this morning in the panel. Sad to say, although it is not common, there are circumstances of fraud, there are circumstances of falsifying records.
MR. GELLMAN: I'm not sure you caught my question. Are there instances of misuse of records by the accreditation people, not by the underlying facilities?
DR. BUCK: To the best of my knowledge, there has not been a breach of either process within the organization or in process in those situations that have involved our central office.
MR. GELLMAN: So you've never been in a circumstance where you've had to discipline any of your employees for confidentiality breaches?
DR. BUCK: I personally do not know of such a circumstance, however I would be more than happy to have our legal counsel provide you with a statement. To the best of my knowledge, there has never been such a case.
MR. GELLMAN: I'm going to next move on to the audit, but if people have questions and want to follow up on this, go right ahead.
MS. WARD: I just wanted to comment, do you ever take charts or information about what you've seen away with you? I wasn't sure whether you ever do that.
DR. BUCK: It is, I would say very rare. There have been on a rare occasion times when we have had copies, certifiable copies of patient specific charts that have been used to arbitrate and resolve difficulties in our institution that say pertain to the removal of accreditation status of an organization, evaluation of sentinel events and other things that have been presented to us. We get specific examples of deficiencies from HCFA for instance and other organizations, fire marshals and all kinds of other, but the answer --
MS. WARD: They've been kept almost like court material, protective.
DR. BUCK: Yes indeed, but they are treated as such. I mean they're treated very stringently, they're kept in a locked situation and so on. I think the best general answer that I can give to your question is very rarely.
MR. SCANLON: Let me follow up with Dr. Buck. Does the accreditation process that the Joint Commission operate include provisions for -- clearly it includes provisions from records management, does that include privacy and confidentiality access and other policies?
DR. BUCK: Yes, we have standards for that in our manual, yes indeed.
MR. SCHWARTZ: Do you provide any type of training or education programs for your employees regarding privacy and confidentiality.
DR. BUCK: Yes, Sir. Our entering surveyors go through an orientation and training course and then they have that refreshed periodically throughout their employment, and updated as appropriate.
MR. GELLMAN: I'm not through with you totally, but I'm going to --
[Laughter.]
That's one part of this oversight dilemma. Of course, the other side is what the rest of you do, some sort of an auditing function. You look in the legislation and you will find a definition something like this, that you're talking about a person who performs an audit, assessment, evaluation, determination or investigation relating to the effectiveness of, compliance with, or applicability of legal, fiscal, medical or scientific standards or aspects of performance related to the delivery of or payment for health care. That could be anybody. That's almost anything. Does that sound like a meaningful definition? Does that sound like -- that just doesn't seem like much of a definition at all to me. Again, I'm not trying to get into wordsmithing, but --
DR. BUCK: It's a very comprehensive statement.
MR. GELLMAN: Right, that just seems much more broad than perhaps may be necessary. Is there a way to be more specific in defining the kinds of activities that you're engaged in?
MR. MAHON: If I read one bill 1360 correctly, in order to meet the definition, the entity had to be a public agency is that correct?
MR. GELLMAN: Well, that may be in 1360, it's not necessarily the case in other bills.
MR. MAHON: As you just outlined the definition, a private payers anti-fraud unit or a portion of its claims processing unit certainly does perform this assessment and in the case of an anti-fraud unit the investigation. If it's a civil prosecution, as it were, filed by the company against a provider, then they would meet the definition related to the delivery of or payment for health care, health services or equipment or in 1360 health care fraud or fraudulent claims regarding health care. The key question is would the intent be to make that only a public function or would it also be applicable to private sector people who do this.
MR. GELLMAN: I'm not sure I want to get into the details of any of the bills at too great a level. It does say public agency, acting on behalf of a public agency or carrying out activities under a federal or state law governing whatever. So it's not strictly narrowly limited in its own terms. I know that the Condit(?) bill is not so limited either. So there's some flexibility there.
How do we get a handle on this problem? How do we write some kind of a definition that's comprehensive enough? I mean I think it's clear that you all perform a valuable function, we will get into some of the details in a while, but how do we try and put some kind of boundary around who is allowed to have medical records? Who qualifies this threshold test of whether you're entitled to get records? Is there a way to limit this?
MR. MAHON: I'm not an attorney nor am I an expert in privacy matters, but looking at the general lay of the land in health insurance for example in the private sector, private insurers run up some pretty hard and fast privacy and confidentiality barriers at this point. If it is a case of investigation involving psychiatric treatment or drug and alcohol abuse, rehabilitation and so forth, in many cases a private payer who is subpoenaed by law enforcement still will not turn over patient records of psychiatric treatment or drug and alcohol treatment absent a court order for the treatment, because many lawyers advise them that the subpoena not withstanding, if you turn it over you're in clear violation of the privacy statutes.
In dealing with routine matters, I called my own insurance, Blue Cross and Blue Shield, yesterday to find out why they didn't pay a claim of my wife's for emergency room treatment. They said well the procedure code on the record isn't consistent with what you just described as the situation. What did they put as the procedure code, oh, we can't tell you that, sorry, confidentiality. I'm the one who is out the $700. But I think my point is private insurers who conduct fraud investigations, who share information with law enforcement currently expose themselves to varying degrees of civil liability for, in the case of a provider, defamation, libel, slander, malicious prosecution and so forth.
Most of the anti-fraud work, until it gets to a law enforcement referral stage, does not involve a discussion among private payers of patient specific information. Most private payers are investigating suspected fraudulent providers. It's perfectly legal for company A to say to company B I'm investigating chiropractor Brown on suspicion of billing for more expensive things than he actually did.
Where these privacy issues and potential new legal hoops through which to jump come into play are at the criminal referral stage. Once an insurer has investigated and assembled evidence of suspected claims fraud, if as the government wants it to do it then turns around and makes a criminal referral to the FBI or to the U.S. Attorney's Office or a state AG's office, that is the point at which the insurer has to assemble an evidence package consisting of individually identifiable claims.
MR. GELLMAN: I understand that, we will come back to that, but you're further down the process. I'm trying to decide who qualifies in a sense as an auditor. Is there some way to put a limit? We can say government agencies, that's clear. But the inspector generals and perhaps other government offices are playing a role in this, and the formal law enforcement stuff is also treated separately. I know that distinction between one or the other is an issue that needs to be explored. But are there other important players? I want to get specific, not in terms of names of specific people or institutions, but generically, other than people like government agencies or the industry fraud activities, is there anyone we've missed just by those two categories that you know of who are engaged in the same kind of functions?
MR. HARTWIG: Maybe I don't -- I will speak for the panel because we're all silent -- I don't know if I understand the question. If the question is how do we define a health care oversight agency?
MR. GELLMAN: In effect, yes, that's what I'm trying to get at. There's a definition here that's so broad that anyone in the world could qualify. It's not much of a limitation, it's not much of a restriction. How do we get at the people that we ought to define as performing this function?
MR. HARTWIG: I don't know that I wouldn't argue that maybe we do want to -- but the health records are defined very broadly under most of the acts that I look at. So you have a very broad definition of what falls under the act of what would be considered a health record. I don't know that health oversight doesn't deserve a very broad definition as well. It's very -- I can name the agencies that I know that are responsible and you could certainly name inspectors general, you could name health insurance companies.
But the question I would ask back I don't know that it doesn't deserve a very broad definition, especially considering the fact that abuse of health care programs, health insurance payments isn't a very timely -- it's not a big issue as well. The question is one of where do we draw the limit. I don't know that I might not argue that health care oversight isn't a very broad definition. If we're broadly defining a health record, then maybe the health oversight doesn't deserve a broad definition.
Law enforcement works with a lot of individuals when we conduct investigations. Audits, evaluations are just as important a function in many respects as investigations. I don't know that I wouldn't argue that a broad definition isn't a good definition.
DR. BUCK: Just another comment. I don't think I can solve the dilemma, but I think some of the problems here go back to the Kassebaum-Kennedy bill frankly because that will have to be considered in whatever is developed. The definition of health information there is very broad, as was mentioned here, it's very, very broad.
The activities of a health information clearinghouse, I think I understand the intent, but in my view do not successfully carve out that specific let's say more easily dealt with aspect that you might describe as finance and administration. The reason is, as I mentioned in the first part, has to do with claims data itself and the fact that to many times, the transmission of those claims are in fact integrated as I think perhaps is best and should be, clinical, finance, administrative. Also, the routine, so we're advised, that in the so-called claims attachment, basically the patient's medical record is copied and transmitted right now.
So that I think I sense the frustration. We share that frustration, but I'm not sure there's necessarily a better way to deal with this, given the already, how should I say, massive involvement of people and entities dealing with this information right now.
MR. DIEGEL: I think I just want to point out that the discussion revolved around insurance companies anti-fraud units, I think it goes beyond that. I think you have to begin with the claims adjusters themselves. The companies recognize that these are the people on the front lines that handle the initial information and review that information. The anti-fraud units of the companies do not get involved until and unless there is a referral of a suspicious claim from an adjuster. So I think in terms of oversight and auditing, that's where it begins.
MR. MAHON: I will throw my two cents worth in and say that I think the definition is too broad here, because in a sense under this definition the assistant United States attorney who is prosecuting a health care fraud case, the FBI agent who is investigating a health care fraud case now suddenly has a health oversight agent hat to put on. Why do that? They are acting in their capacity as law enforcement officers and prosecutors. Private insurers or health plans are acting in their responsibility for ensuring the integrity of the claims they're paying or their fiduciary responsibility under an ERISA plan. Why create this secondary or this dual legal status for them?
MR. GELLMAN: Well, I have an answer for that but it's not necessarily a completely satisfactory one even for me. The attempt in the legislation is to identify categories of users and define the circumstances under which their use is justified. One category of user that all the bills attempt to restrict the most are law enforcement people. That's clearly the most adverse use of records potentially against an individual. It's not -- I won't say none of the bills, but several of the bills allow for law enforcement access, not necessarily under the most onerous possible conditions in recognition of the need, but there are still higher limits.
The problem here has to do with defining what's going on. We can't hold everybody to that high standard without -- and this is your argument -- without unduly interfering with your basic audit activities. So the goal here is to set up some kind of a lower standard for a different, less structured, less threatening, less invasive nature, activity here, the audit, as opposed to a law enforcement criminal prosecution which is clearly at a higher standard. So that's part of what's going on here is an attempt to deal with that.
MR. HARTWIG: Except that distinction is becoming less and less a reality today. The distinction, especially in the inspectors general community, the distinction between and audit and an investigation is becoming less and less. The issue also for law enforcement is the litigation issue. If you try to cut the pieces very finely, you don't deal with what the reality is of law enforcement today. I'm a law enforcement officer, although I come from an agency that has an audit and evaluation responsibility as well, as Mr. Broadaway does.
But auditors are used to conduct criminal, not to conduct, but to assist in criminal investigations. Some of the larger cases that we have investigated started as an audit. What some of the legislation generally does is when you try to say okay here is the wall, it could very burden bringing about necessary legal action against some people because the distinction today between an audit and an evaluation and an adverse criminal investigation isn't what it might have been 10 years ago.
MR. GELLMAN: Is there any way to make a distinction here? I mean the problem is that if the argument is that everything is the same and audits are the same as investigations are the same as prosecutions, and therefore everybody has to have the broadest possible access under all conditions, that's a hard argument to sustain. The goal of the legislation is to try and put some limits here. If the argument is we have to have completely unrestricted access to and use of records, that --
MR. HARTWIG: We don't have unrestricted access today. I think it's important to realize that there are restrictions on access to records today, so it's not that we have an unrestricted environment. Certainly on the law enforcement side, there's not an unrestricted environment to records. So the question is do we have enough controls today not requiring more controls or more legal limits on access to records. I think that's the issue. That's why most of the speakers have pointed out today that I don't believe there has been large scale abuse on that side, but there are limits today as to what records we can access, how we can access them. There are Privacy Act constraints that relate to auditors as well as criminal investigators.
I just wanted to draw the distinction is that drawing that fine line, especially when you look at inspectors general, if I can speak parochial, I don't know that there is a quick line between oversight of an audit capacity and then oversight of an investigative capacity or adverse action.
MR. GELLMAN: Let me make a point that I don't want to debate at great length here, because I want to get back to this definitional issue. But you're getting access to records, inspectors general, any of you getting access to records by itself is an invasion of privacy. I'm not saying it's not justified, but anyone getting access to somebody's record is invading their privacy in some regard. The goal is to try to limit that to the greatest extent possible. So you have to recognize that that's what all of these bills are trying to do is to set limits. It's not we've gotten access but we haven't abused it, that's fine and that's relevant and I don't dismiss that as not a factor, but anyone getting access at all -- I mean if the National Enquirer says we got access to Elizabeth Taylor's medical records but we didn't print it all, that doesn't make a difference, they still got access.
MR. HARTWIG: I would argue that they got access, the individual that gave them the record had legal access to it to begin with. That's an abusive situation. To say that somebody who has legal access and then abuses that privilege, I don't know that we then have to change the system. I'm not here to debate it, I hope.
MR. GELLMAN: It's okay. I mean I just wanted to make that point that that is a problem, that is a concern. It may be a justified access and you may have justified use under conditions but that's what we're talking about.
Within your office, or your office, is there some point at which an audit turns into a criminal referral? Do you have standards for that? Are there distinctions within your office between civil and criminal investigation? Do you have separate components within your offices?
MR. HARTWIG: We have a separate audit component, we have a separate evaluation component, we have a separate investigative component. I think the ability to those components to deal together would probably vary between different inspectors general. We have a policy in the office about when an auditor will contact the investigative side about possible either criminal wrongdoing or civil wrongdoing and in many instances the distinction between the two is made later on in an investigation.
The difference many times between a civil prosecution and a criminal prosecution relates more to the burden of proof than the underlying factors of what has occurred. It relates more to the government's ability to prove a criminal offense than maybe the actual conduct itself. But I think most offices will have guidelines to tell an auditor, to tell and evaluator when to turn an audit or a review over to investigators.
Then what I was trying to say is many of those are worked jointly. There's not necessarily a fine line. An audits may not stop at the time a referral was made. It's not necessarily you drop the audit, you stop the audit and you refer. There may be good reasons to continue that audit review prior to actually what you might think of as an official criminal inquiry.
MR. GELLMAN: Mr. Broadaway.
MR. BROADAWAY: I think one of the things that Jack was referring to earlier is if in our experience, Jack and my experience, if you go back 15 or 20 years, there possibly was clear lines of demarcation. In the history of the inspector general's offices, I believe those disciplines have been much more cohesive working around problems that are being addressed. So that we have criminal investigators as a portion of an assignment maybe assigned to an audit project for some -- in terms of an overall course of a year insignificant amount of time but to gain particular information. There's a project structure where information is sorted out or discovered during an audit review that is criminal in nature that the criminal investigators then take over. Likewise there are criminal investigations that the allegations are not sustained and it easily moves back to audit.
In our organization, there are segregated functions. There is not a single stewards(?) of records, what have you. The criminal investigative record case files, which could include medical information, financial information, what have you, there's a keen awareness of the need to protect those records that are obtained during an investigation.
MR. GELLMAN: Let me ask private folks, do you have some kind of distinctions between the nature of your activities, audits, investigations? You obviously can't do law enforcement stuff directly yourselves.
MR. MAHON: Private insurers, one point to make is that in most cases when you talk about a private insurer obtaining the medical record, they would be obtaining a medical record of treatment of their own insured person from the provider, which is either a contractual rate they have with the provider or what have you. I don't know of cases where private health insurers are delving into the records of other insured patients other than their own company's patients.
So no, I don't envision a situation where you're going to have massive insurer to insurer exchange of patient related information. I think what our members would be more concerned about protecting is their ability to go into a provider's office with legitimate reason and say you've billed us for a patient Mary Jones, we're here to examine the medical record of your treatment of Mary Jones before making a decision on the claim. Those are the key functions that need to be protected. If down the line that winds up in a suspicion of fraud that results in turning over those records of the treatment of Mary Jones as part of an evidence package, the insurer needs to be able to exercise his legal right to do that.
One of the complications that arises of bills, if as a couple of our folks indicated, if patient Mary Jones happens to be in collusion with the provider in exchange for a share of the proceeds, some of the notifications of the turning over of information in response to a subpoena and Mary Jones' ability to petition to quash the subpoena and so forth simply worked to the dishonest people's advantage in this case.
MR. GELLMAN: We will come back to that. Do you have anything you want to add?
MR. DIEGEL: Just to go back to the way that most of the private insurers are set up and to try to get to what you were saying about standards a little while ago, most of this action as I said happens in the front lines of the claims adjusters. Most of the companies, the more sophisticated ones that I'm aware of have in effect computerized training that leads the adjuster through a series of questions designed to uncover whether there are certain indicators of whether there's a low, moderate or high risk of fraud in connection with this claim. Then there would be a standard by which that claim should be either further investigated by the adjuster itself answering additional questions or asking for more information, or then turned over to the investigative unit for additional investigation at a more sophisticated and involved level.
I think what seems to be missing in a lot of these things that might get to some level of standard in the definition and how it's used is a phrase with the absence of malice. In the case that you mentioned where the National Enquirer has Elizabeth Taylor's records, it probably came from someone -- it would be very difficult for anyone to prove that there was an absence of malice and for anyone to just simply be rooting around in the records for no discernable reason. Again, the burden of proof then would be to prove that there was in fact no malice intended. I think that that needs to be considered.
MR. GELLMAN: Could I ask you a question, Mr. Hartwig? You talked about audit, evaluation and investigation. Could you explain what evaluation is and how that's distinguished from the other two functions?
MR. HARTWIG: I've asked the Director of our Evaluation Office to explain it to me on a number of occasions.
[Laughter.]
I know it's not an audit, it's not an investigation. I think the evaluation function, if I can define it, audit tends to be a very detailed looking at a reimbursement policy and it's very detailed. An evaluation -- and they tend to take time, criminal investigations take time. Evaluations, I think, were designed to give users of information a little quicker feedback. So it's more of a broader evaluation, more of a broader program evaluation. You would find that it's not really the detail that an audit would go through. It takes a quick look at a program, how is it reaching its beneficiaries.
They use a lot of -- whereas audit may look at a program to see if it's being operated in compliance with the rules and regulations, evaluations would be more of how is the program reaching its intended users. Is there some broader mechanism? Is it being successful, is it not successful? The best way that I could define it is evaluation is a much quicker study of just the general area as opposed to a very detailed investigation or a very detailed audit.
MR. GELLMAN: This just illustrates another part of the dilemma here. Yesterday we were talking about public health functions, research functions, outcomes research and utilization reviews and the evaluation sounds like it somewhat has a flavor of some of that. All of these functions shade off one into another. You can probably lay them out on a continuum if I had a better understanding of them all. Starting at one end perhaps with criminal prosecutions, audits, investigations, all the way across the spectrum without any clear demarcation between any of these functions. That's very difficult if you're writing a bill and you're trying to make distinctions between these functions and you have to say something falls in this category as opposed to that category. That's the problem that's faced with the bills. This is part of the struggle over this. You look at it and say we don't like being in this category because it's too restrictive, we're more like that, and everybody else sort of like you tilt the field and everybody falls in the bottom. Everybody wants to be in a category with the broadest access and the least restrictions and all of a sudden you don't have a privacy bill any more. You don't even have a clue about protecting -- that's the problem here.
It's not that no one has made a case for being able to see records at least in some circumstances and under some conditions. It's how do you distinguish between these and build some kind of layered approach to say -- that's the definitional issue that I've been trying to struggle with here. It's hard. I'm not trying to be critical of you for not being able to solve the problem. I can't solve the problem, but it's sitting there and maybe somewhere out there is someone with a better idea.
Let me go back to the issue of the use of identifiable records in your audit/investigation, whatever. Can you be more specific in terms of describing why you need -- the extent of your need for identifiable records. You gave an example before about the incontinent kits. Can you talk about that and the role that individually identifiable records played in that sort of thing? Or pick another example if you think it's better. I want you to draw the connection between what you do and the need for identifiable -- I want you to make the case for being able to see the records.
MR. HARTWIG: I will talk about the criminal cases first, because I think that, I won't say it's the easiest to justify, but I think a criminal prosecution is the most adverse action anybody can undergo generally, except testifying.
[Laughter.]
A criminal prosecution and a civil prosecution, let's say an administrative remedy which my office also does, exclusion of providers is a very adverse action. It requires due process. Certainly when you are charging someone with either a criminal crime or through civil prosecution, you're looking to take away their ability to bill federal health insurance programs, those individuals have to be advised with some specificity as to what it is they're being charged with.
So if you take incontinence supplies where the government was alleging that the individuals that were provided incontinence supplies were not incontinent, it would be impossible to gauge that by saying to some subjects we have unidentified individuals that we believe you shouldn't have billed for because the first defense or the first thing they will come back with is prove it, which is what everybody says. It would be almost impossible to say we have these unidentified patients that we are arguing, and I think a lot of it would fall through.
If you look at the types of health care fraud, billing for services not rendered, the patient record is some of the most important evidence in that case. Either the patient record is going to disclose if there is no service provided on that date, which would be important for law enforcement, or it is going to show that there was some kind of a notation that services were performed on that date. Then if you could show that the provider was either out of town or unavailable, then you have some excellent evidence as to the intent of the individual, because now he's doctoring medical records.
So, I think on the adverse action type, if I can mention the civil, criminal and administrative, if we were to exclude a provider through an administrative procedure, there has to be some very specific charge so that the individual can answer. I think it would be important on both sides of the fence, not just for my side, the investigative side. But certainly for an individual to defend himself against charges for unknown beneficiaries that we allege you didn't perform the service, it would be very difficult as well for the defense side. But I would point out that the burden of proof is always on the individuals charging.
For the audit side, you get much of what an audit, and even an evaluation might look at gets to eligibility. Is the individual, is the program being operated under the parameters that the Congress set out or the program was established for. So you many times would get into eligibility criteria from an audit issue, and eligibility again gets down to individual eligibility. It's very difficult to perform that kind of a review with unidentified individuals.
Much of what an audit function looks at is the Medicare program is supposed to reimburse for incontinence supplies under certain procedures, where certain diagnoses are present. It would be important to establish whether or not the patient had that diagnosis. You have to know who the patient is to do that.
So I'm not saying that every audit would require an individual identifiable patient record, but when you get down to eligibility or reimbursement criteria, even some of the audit functions would look at was the service actually performed, you have to have some kind of an identifiable patient or name of a patient to proceed.
I would also talk on the audit side that much of what audit and investigations does as well is confirmation. So in order for an auditor to reach a conclusion, he has to confirm that what he's looking at is accurate. In many instances to perform that confirmation function he has to have an identifiable -- they have to have an identifiable patient record.
MR. GELLMAN: In some ways, I mean yesterday in talking about research in public health, there was a lot of talking of linking of records for various purposes. In a way, some of the functions that you've described sound very much similar in terms of you need to link records to make sure that the billing record and the medical record match essentially.
MR. HARTWIG: Match, yes, I mean what was billed for is what was done. When you get to hospitals today, hospitals are reimbursed based on diagnosis. It would be also important to have an identifiable patient record to verify a diagnosis. Patient records form an important part of the evidence on an adverse action and they can be an important -- practically all the audit evidence.
MR. GELLMAN: Does anyone else want to add to this? Dr. Buck.
DR. BUCK: I would like to add, not to make it even more confusing, but if we can get into shades of gray, I think that we as an organization would prefer to be categorized as a health care quality oversight organization as opposed to a health care oversight organization. There's a subtlety there, but I think that would be a more comfortable label for what we see ourselves accomplishing.
One other comment on this is that as I've sat here and heard this discussion, I'm coming down to three basic areas that I think I just can't see -- well, I think are essential to our accreditation activities, regardless of the setting, regardless of the organization. These are the access to randomized selected medical records during the survey, hands-on medical record review during the survey. The second is in the sentinel event setting which we've discussed, and the third is the occasional evaluation that we do to address complaints, usually known to us through a complaint process of falsification of data. To me, that's kind of the irreducible minimum.
In relation to that, one last concern which will be of increasing concern I think to not only accrediting bodies but to all of the people represented here today, has to do with some process whereby submitted data, even if aggregate, can be audited in a statistically meaningful way. It certainly could be done by a third party, kind of a neutral in that sense data clearinghouse, no question. But it would have to be a process that everybody could say yes, that's going to stand scrutiny.
MR. GELLMAN: Well, I think for good or bad, you're easier to distinguish and to perhaps draw a fence around than everybody else. I think --
DR. BUCK: I found this discussion, to me anyway, very helpful.
MR. GELLMAN: Let me talk about -- I think the case that you present for the need for identifiable records is a sound one. I mean I don't dispute that you need to have those records for those functions. Certainly when you get down to the prosecution level, taking action against whoever, you know, that you need to prove your case, but as you're moving back -- I mean that's the end of the process, it's the end of the funnel. There are lots fewer prosecutions than there are audits.
At the front end of this, it's the same question I asked before about computerization, assuming that we had fully computerized records, and I know we don't, which would enable the stripping of identifiers or coding of records in a way so that identifiers just aren't routinely available, but they might be available later on for the cases where you need them, is that possible? Is that something that -- I'm assuming a lot of technology that isn't in place yet.
MR. HARTWIG: I don't think every audit and I don't know that every investigation requires identifiable health records. I would hope that that wasn't what I was saying. I think that the need may arise in an audit or an investigation to have identifiable health records, but I am not saying that every time we have an audit that an auditor goes out and says I want to look at the patient records. So it would have to be related to the review.
There are audit reviews that are done exactly what you say, using computer tapes, evaluations are, it's quicker. The supplies that I mentioned to you, I can give you a better example, a more current example, is we are looking at contraindicated drugs. The Medicare program pays for drugs under certain circumstances and our evaluators just by looking at unidentified computer billings have found out that patients were getting drugs that if they were taken would evidently have a very adverse effect on patients. The drugs, if you take one, you can't take another, you shouldn't take another and so we've identified some of those drugs and are looking at Medicare beneficiaries being indicated for, contraindicated I think it's called the Drugs Anomaly Project or something. But in that case it wasn't necessary, at least in the evaluation phase, to actually have an identifiable patient. I think they used Medicare billing records and didn't look at identifiable data, they just looked at billing data. So that is done.
Now, I would also say that once we've identified them, then you have to actually start to identify patients for the office to make a recommendation to the Health Care Financing Administration about correcting it. Some of it can be done maybe with this, but as you start to move into the process, confirmation becomes important. Is it really, the first question that you would ask is is it really going on. Okay, you've matched this computer program, what's the first question everybody -- somebody hands you and says the computer has given you this -- what's the first question you generally ask? Is it true. So the questions that we're now asking, we've identified an area, is that's what's really happened. To do that, to confirm that and to actually verify that, that's where you need to start to be able to identify a particular patient and determine is that actually what went on with that patient or is there an anomaly with the computer system I guess is the best way to put it.
MR. GELLMAN: Let me try something on you, this is just very informal. We start out with this problem of a very broad definition of oversight and if you look in I think most of the bills, oversight access gets the easiest and least restrictive kind of access. It's just like access -- in at least one of the bills, payment, treatment and oversight are all the same, it's the broadest kind of access to records. So we've struggled with this problem of what is oversight and we can't quite get our hands on it. It's sort of maybe oversight is like obscenity, we know it when we see it, but we can't define it.
You've made a case that in at least some of your activities you clearly need identifiable records in order to carry out your function. I don't think there's any question about that. Suppose that you wrote a standard in the bill that said you can only have identifiable records and we had a principle there. It could be a substantive standard, or it could be a procedural one.
I will give you an example of a procedural one. In the law enforcement section of some of the bills, it says that cops can get certain kinds of records under certain conditions, they just have to walk into the hospital with a piece of paper signed by a supervisor. So we're saying any cop on the beat can't just walk in and say give me this information. There's a procedure. They've got to have a supervisory statement. In other words, this is something that has been gone through some kind of a process. What if there were a standard that said for you guys to get identifiable records for your audit or investigation functions, it had to be, the request had to be certified by someone within your own office, a supervisory person.
MR. HARTWIG: I don't know that that would be a burdensome standard. I think it's already done on the investigation side because very few people are going to give you a patient record without some kind of a compulsory process. It's just a protection thing. So we either have to use an IG subpoena, which I approve every IG subpoena going out so there would be a supervisory approval process. I don't think that that's particularly burdensome.
Some of the problems we had with some of the standards you mentioned, in some of the bills talked about, when it went to the law enforcement side you needed probable cause, which is the same standards for a search warrant. I think that becomes burdensome. I would just also argue in some of it, if the standard is a supervisory review, that's fine. If it starts to get to be a probable cause standard or you have to go before a judge or you have to have a panel of five people, you really open up law enforcement and oversight for unnecessary, I think, litigation is one of the problems that we had with some of the standards in some of the bills were somewhat onerous. That just leads to what I would believe is unnecessary litigation. Part of the Kennedy-Kassebaum bill also addressed the need I think to have oversight on health care programs, both from an audit and certainly from an investigative point of view. It would almost counteract the standard.
MR. GELLMAN: Well, the point I made before about having higher tests for more intrusive uses of records is still a principle. What I'm looking for is some kind of a test at the lower end, some kind of I don't want to call it a casual limit, but some kind of a showing that's just not -- so maybe there's something there to be explored.
MR. HARTWIG: Actually I think under the Privacy Act, it talks about if the federal government acquires records, they have to be relevant and necessary.
MR. GELLMAN: Yes, that's not much of a test.
MR. HARTWIG: I would argue that -- I mean I don't know that relevant and necessary isn't a very good test.
MR. GELLMAN: Well in any event, I'm sort of getting at a different level. I think that's something that maybe could be explored at some point in terms of -- I think writing a substantive standard at the law enforcement end, there is going to be some kind of substantive standard. Whether it's probable cause or something else is obviously something to be discussed, but we're here down at the lower end. We're not at the -- I'm looking for something. It may be not be a substantive standard, it may be a process. That's another way of doing it. The idea is to have some restriction without necessarily -- balance the different interests here.
Anyway, I'm encouraged that that might work. You guys don't have the same problem. You've already got access to records you need to begin with.
MR. MAHON: People have the records of their own insureds. That's what they work with every day. When you get into other implications, if I change jobs and have to take a physical or demonstrate that I'm in good health and so on, presumably I want someone to disclose my medical records to whoever is going to examine them and so forth. There's that aspect to it that is a consumer or patient type aspect.
I still think just based on all the comments that you all have made that it might be too problematic to try to come up with a catchall definition of oversight agency for a legislative purpose. People might argue or split hairs in eligibility for that definition ad nauseam.
MR. GELLMAN: What I'm fishing for here is if we can't define it, maybe we can in the process put in some kind of a limit that provides -- anyway, that's what I'm fishing for.
Dr. Buck, you're still easy to deal with, you've given me three requirements you have and I'm not saying --
[Laughter.]
MR. DIEGEL: Putting on the consumer's side of the organization now for a minute. You talked about as we move toward a perfectly computerized world, and many of the larger companies are doing just that. The way some of these things work, it's not -- from a consumer's perspective, it's not necessarily, even though the lower level is the front line in terms of investigations and identifying, it's not necessarily the case where they would have to have access to a number of personal information to conduct these kinds of investigations or necessarily oversight. It's a different issue from whether the claim should be paid or not.
But it would be acceptable to the consumers especially to have that coded so that when companies are beginning to use more sophisticated data mining tools, to uncover patterns and practices to make linkages not between patient's treatment and their records, but the number of providers and lawyers and everybody else, all the information that shows up on the claims form that's relevant to that claim.
Nationwide has a system that was developed by a company that originally created this for federal drug interdiction efforts to make linkages between people that might be sharing phone calls and that sort of thing. They've adapted it so that it overlays their claims database and can quickly identify patterns in a way that one FBI agent was shown how they did this and watched it graphically draw up. His comment was you just did in 15 minutes what it takes me a year to do.
One of the things that that uncovered in the case in Florida where every patient that walked into a certain doctors office was given, or billed for three x-rays, regardless of what their complaint was, three x-rays, boom, boom, boom. The only way they found that was through this data mining. But at that stage it's not necessary to know what patients, or any personal information about the patients. So as these things become more sophisticated and there are more pieces of information that go into these databases, I think that's where the consumers side of our organization begins to have a concern. That's when you talk about the identifiers and codes and the patterns and practices, the absence of malice and those kinds of standards for access to the personal information.
MR. GELLMAN: Why don't we take a break at this point for 10 minutes and then we will come back and do some more.
[Brief recess.]
MR. GELLMAN: I want to talk about the scope of everybody's authority to get access to records. Dr. Buck, I assume you have no powers of compulsion to get access to records, is that true?
DR. BUCK: I'm sorry, could you repeat that?
MR. GELLMAN: I assume you have no powers of compulsion to get access to records. People provide records to you voluntarily.
DR. BUCK: I think that's a true statement. What's going through my head, and I can't cite you the actual quotation here, but I would be happy to review that and provide you with the information, there is in the beginning of each of the accreditation manuals for the accreditation programs an extensive statement that cites specifically conditions for accreditation, which precede everything. I believe that one of them is a commitment to having an improvement program within the organization. I want to say that there are implications of that statement, such as medical record review by us. But I can't tell you here that that's a fact.
MR. GELLMAN: That sounds like it would be a contractual obligation at best. You don't have powers of legal compulsion. You can't issue subpoenas.
DR. BUCK: Correct, that's absolutely true. Certainly the precedent is going back to 1918, that health care organizations that are seeking accreditation by precedent certainly do agree to that.
MR. FANNING: Is there a formal contract that you and the organization --
DR. BUCK: An application for accreditation. If the committee would like a copy of that, I would be happy to provide one.
MR. FANNING: That would be helpful.
MR. GELLMAN: For the private people, you obviously don't have subpoena power. You've got contracts, you've got probably patient consents for accessing, you've got possession of the records in any event, or at least many of the records. Am I right?
MR. MAHON: You wouldn't have possession of the actual medical records of the provider's treatment, but those are the records to which you theoretically have access, either contractually or by patient consent or what have you. If you are launching a civil action against a provider involving a certain patient's claims, then you can subpoena those things for evidence, for discovery in the process, or if you've made a criminal referral to law enforcement, they of course can issue a grand jury or an administrative subpoena.
MR. GELLMAN: Okay. Mr. Hartwig, I want to ask you about your powers to obtain access, your legal powers to obtain access. Are there any medical records in the country that you don't have the ability to get access to?
MR. HARTWIG: I'm sure there are some records that would require a court order to get access to, you cannot compel the production. Excuse me if -- I have attorneys to help me with what they are -- substance abuse records, thank you. They always whisper in my ear. But absent legal prohibitions, we have an administrative subpoena authority that rests in the inspector general and then there are other ways to compel.
MR. GELLMAN: So you can get Medicare and Medicaid records, you can get records of private patients for which there are no federal funds?
MR. HARTWIG: We cannot get records of private patients for which there were no federal funds, unless we link them to a Medicare investigation, but that was actually changed under Kennedy-Kassebaum, and now we do have the authority to subpoena records of private insurance. I would also say however, legally the Office of Inspector under its statute, its authority relates to programs funded through the department, or in some way related to the department.
MR. GELLMAN: Mr. Broadaway, what about your legal authority?
MR. BROADAWAY: We also utilize the IG subpoenas, grand jury subpoenas, search warrants. It's a compulsory process. We also on occasion use claimant waivers or individual waivers to access medical records.
MR. HARTWIG: I would also say that most inspectors general have inspection rights. The Act gives the inspectors general the same access to records as the secretary. So within the department, we have an inspection right.
MR. BROADAWAY: I was referring to third party records. Within the agency, under the Privacy Act, right.
MR. GELLMAN: That's a good qualification. Let's talk about Medicare records. All the claims come in, to what extent -- what is the nature of your access to those records? I assume this is all a computerized process in terms of claims processing?
MR. HARTWIG: I don't want to speak for HCFA. I think somewhere around 10 percent of the claims are actually tape to tape, an entirely computerized process. That percentage is going up all the time. I really am not familiar with the percentage of claims that are totally electronic in nature, electronic from the sending source and electronic at the payment source. For the other claims, it would be a hard copy claim form that would go to the insurance carrier or the insurance intermediary and then it would be committed to some kind of electronic data.
MR. GELLMAN: So there's a computer system that contains all of this?
MR. HARTWIG: Yes.
MR. GELLMAN: You have routine access to that system?
MR. HARTWIG: Yes.
MR. GELLMAN: You share the same system?
MR. HARTWIG: We don't share the same system, no. The systems are actually operated by different carriers, although the Health Care Financing Administration is trying to go to one nationwide medical transaction system, but we don't have direct access to each of those carrier's systems.
MR. GELLMAN: What kind of access do you have?
MR. HARTWIG: I think our auditors have access in that they will have historical tapes, our auditors and evaluators. We would get it on a case by case basis and with some carriers we do have some means of getting into their systems to get limited amounts of data.
MR. GELLMAN: So when you need data, you have to make a request to get access to it. You have to say this is what you want and someone has to give it to you?
MR. HARTWIG: For a carrier, yes. In some of the cases it would come directly from the insurance carriers in the first place and then they would already have that data. But if let's say you called up an agent and you had good information on a case that would lead him to begin an investigation, his first step would probably be to request information about the billings of whoever it is you're complaining, from either the insurance carrier or in the case of an institution, part A intermediary.
MR. GELLMAN: Okay, but in each case there's a request to somebody to get records. What's your experience?
MR. BROADAWAY: On the automated records question, at this point in time I believe that the audit(?) programs are manual record based, the form 1500. They are exploring going to the data, electronic submission. The ERISA plans are all over the board. The agency access to records are upon request of the overseeing program. Our agents don't go in under the cover of darkness and help themselves to the records.
Something else that I think is certainly true and probably understood here, but I want to state it for the record. An investigative use of records is not a random walk. There are accreditations for --
PARTICIPANT: I'm sorry, could you speak up?
MR. BROADAWAY: Yes, a criminal investigator's access to records is not a random walk. It's based on a particular investigation which was opened based on the accreditation allegation of misconduct of some type that's under our jurisdiction.
MR. GELLMAN: So the same thing about audit access?
MR. BROADAWAY: By their very design, many times they are random, to portray accurately the population that's being looked at.
MR. GELLMAN: Sure, absolutely. I understand the scope of your access. It's obviously -- your access rights have been enhanced by Kennedy-Kassebaum, is that right?
MR. HARTWIG: Yes.
MR. GELLMAN: Obviously, Congress supports that. We're also moving toward computerized systems more and more, computer based patient records is a major effort. At some point well down the road clearly, and it's not something that's going to happen overnight, we could well have either a centralized computer system or a series of network computer systems with medical records. I mean we're probably part way to that right now, and it's clearly going to increase. With your broad right of access to all of that, I can envision an circumstance in which you can sit in your office and your staff and under your existing authority simply plug into that computer and pull down any records that you need.
MR. HARTWIG: The Social Security Administration was a part of the department before it was split off. We did have that kind of access to Social Security data. So we had terminals in an office to access Social Security records for the purposes of investigation.
And I agree with what Mr. Broadaway said, there is a predication to conducting criminal inquiries. It's not something that you just decide to target somebody.
MR. GELLMAN: I understand. I'm not sure where I'm headed with this other than sort of linking the observation that basically with limited exceptions you could access any medical records in the country and that when records are becoming increasingly computerized, the prospect of you being able to just sit at a screen and pull up any record you want may exist. I'm not saying that that's necessarily --
MR. HARTWIG: I look at that as making access to the records easier, not necessarily that we would be looking at more records. The situation that you described, I don't necessarily view it as now we will be sitting before a computer screen and just leafing through medical records. I think that I look at those as just taking advantage of technology. When I was a criminal investigator, we used to use 14 column papers and hand write things. Now agents sit at a computer screen and they do what I did, and I can understand it used to take me a year. So I don't know that what you described to me is not making the record access easier is what I'm saying, not necessarily that we would now be accessing more medical records.
MR. GELLMAN: It falls in the category of viewing with alarm, yes?
MR. MAHON: Let me ask a question that may clarify something, at least for me. When you talk about the IG's office or anyone else logging onto a computer and pulling down any medical record they want, the Health Care Financing Administration has records of what was billed, what treatment was billed on patient Mary Jones, but no one that I know of has the ability to log onto any computer and go in and view the medical record of Mary Jones' treatment. That remains within the provider's office. So you're looking at --
MR. GELLMAN: When the provider's office is also computerized on another computer, the linkage between the various computer systems is likely to expand and the possibility may exist in the future. That's as far as I'm willing to do with this.
MR. MAHON: I would be very surprised if that were the case, simply because of the need to protect privacy, but I think we run a risk if we paint with a broad brush the idea that there are people in this country who have the automatic ability to look at any medical record they want. They can look at a billing record of what was billed and what was paid for. That record of what was billed is an indicator of the type of treatment that was provided, but it is not the medical record. I think we have to be very careful in the use of that particular term.
MR. HARTWIG: Even today, those records are covered under the Privacy Act. When you look at a Medicare record, there's already an -- and an individual who abuses them is personally liable, even if he's a criminal investigator.
MR. GELLMAN: I'm glad you brought that up. Let me ask you a question about the Privacy Act. Under the Privacy Act, some record systems can be exempted from some parts of the law. There are exempted systems under J2 or K2 for law enforcement records or for other investigative records. Has your office -- and I will ask you the same thing, Mr. Broadaway -- made use of the authority in the Privacy Act to exempt itself from civil law suits for violation of the law?
MR. HARTWIG: Can I lean back?
MR. GELLMAN: Sure.
MR. HARTWIG: No.
MR. GELLMAN: How about you?
MR. BROADAWAY: No.
MR. GELLMAN: Interesting.
MR. BROADAWAY: I'm informed that we use the exemptions, but it doesn't exempt us from lawsuits.
MR. GELLMAN: That authority exists under some of the exemptions.
PARTICIPANT: We haven't done that.
MR. GELLMAN: You haven't done it.
PARTICIPANT: We use the exemptions but we --
MR. GELLMAN: Okay, we will look into that.
I want to talk about reuse of records. I want to talk about reuses that are -- this is mostly in the law enforcement oversight investigative context -- reuses that have the potential to be detrimental to the patient, because that's what this bill is trying to protect. Whatever bills we're talking about, that's the focus of protection is the patient's privacy interests. Some or all of the bills perhaps include language that first of all gives oversight authorities in a lot of ways, very broad redisclosure ability, relatively broad at least compared to most other people.
But there is a provision in the language that says essentially oversight authorities, investigators can have records, but they cannot use the record in any administrative, civil or criminal action against the patient, the subject of the record, unless the patient is engaged in some kind of health care fraud. Do you have any problem with that?
MR. HARTWIG: In a law enforcement, I can't see what else we would use it against the patient -- the problem you get to is the definition of health care fraud. People litigate such terms all the time. I would just ask that as we -- on the reading of it, if you can't use it against the patient unless they've engaged in some kind of health care fraud, I don't know of any other use that would put them in any adverse action, unless it was some kind of a fraud scheme. To deny a benefit, is that?
MR. GELLMAN: Let me give you an example -- perhaps, more likely for example, I go to my doctor and I'm being treated for illegal drug use. I go to my doctor and I reveal other activity that I'm engaged in that is a criminal violation of the law. I could be involved in some kind of crime pertaining to sexual activity. I could go to my doctor and say I'm under a lot of stress at work, I'm embezzling money and I think they're onto me, anything along those lines. I could reveal almost anything to a doctor along those lines. I have from time to time discussed this issue with people who are police or law enforcement area, and they say absolutely we want to use that. I've always been very troubled by that. I think that at a minimum, the tradeoff between the need for oversight of the health care system and patient privacy has to draw a line somewhere. The bills propose, I think they all have the same kind of language, propose to say well we're going to allow you to have access because you're conducting health care oversight, but we are going to protect the patient with the one exception and we can quibble over the definition when you get there. If the patient is engaged to some degree in the fraud that you're investigating, that we're not going to protect the patient, but otherwise the patient is protected.
MR. HARTWIG: I just have two things. Criminal investigators that work with me carry a firearm and are subject to random drug testing. So if you're saying to me if I had an agent and the drug test came back positive and I couldn't have access to that, that would concern me very much and that's where I was --
MR. GELLMAN: That's not a medical record.
MR. HARTWIG: I don't know that under the Act --
MR. GELLMAN: It's not a medical record. We may quibble over the definition, it's not intended to be a medical record.
MR. HARTWIG: Okay. I'm here as an oversight agency. I don't know, if you're asking my personal opinion, that I wouldn't agree with local law enforcement, that we weigh the privacy of a patient against the needs of society as a whole to be protected against people who commit crimes. I think if you have any of those things, the only thing that law enforcement always asks for, even under probable cause for a search warrant, even under the fourth amendment of the Constitution there are exigent circumstances, there are circumstances under which a law enforcement officer can search a vehicle or search a premise without getting a court authorized search warrant. The courts have made those kinds of exceptions. So I don't know as I look at that if it's a hard and fast rule.
From an oversight perspective, and that's the purpose of the committee, that we would only be using the records that I can think of for some kind of health care fraud, for somebody defrauding a program, a beneficiary entering into a conspiracy with a provider or those kinds of things. The need for local law enforcement, I know there's going to be a panel, I think, to address those issues. I don't know that as a law enforcement officer that I wouldn't see some kind of exclusions for them to have access to that data, even if it's going to be used adversely against the individual.
MR. GELLMAN: Let me pull all the threads together and sort of put all the cards on the table. You've got extraordinarily broad rights of access to medical records, to virtually every medical record in the country at some point, and that's premise number one. Number two is that we're dealing with a very broadly defined set of oversight activities that we've already decided we are really having a hard time drawing a boundary around, and that it clearly shades off on one end into serious law enforcement activities. We're moving to a situation where more and more records are being computerized and more and more computer systems are being networked. So if we don't have some protections here, we have the prospect of the police at some level, someone sitting there being able to sift through every medical record every day on computers to find out if anyone has revealed any criminal activity to their physician. If that is a circumstance that is permitted, then not only is there no privacy, but the medical record system becomes a police surveillance system.
I'm not trying to lay that on anybody as a realistic thing or that anyone is advocating that, but when you put the pieces together that is the circumstance that could fall out without some kind of very express protection. I'm not saying that anyone who tells anything to their physician can't be prosecuted for whatever activity it is if you can find out about it in another way. If I go and tell my doctor that I just robbed a bank, you can still prosecute me if you've got my picture on the tape or someone can identify me. You just can't use the physician record for that. Anyone have a comment on this?
MR. MAHON: As a lay person, I would just say my interpretation of the law has always been that citizens have a duty to report crime of which they're aware. If a physician finds out that in treating a patient for stress the cause of the stress is that the patient sexually assaulted someone two weeks ago and is having trouble living with himself or herself after the fact, what is the physician's obligation? If this person is the type of person who can be assumed will do it again, I'm not sure I want any hard and fast restraints on that person's judgment as a person who is in a position to prevent a crime.
I think the specter you raise of the police scrolling through every medical record in the country to look for that sort of scenario theoretically perhaps, but in the real world as your correspondence indicated, I don't think the system is going to operate that way. No one has the resources or the time to devote to such endeavors.
MR. GELLMAN: We will have a nice automated criminal investigation review program that will sift the records automatically. It's not beyond the realm of discussion at least.
MR. MAHON: But who is going to allow it to be put together?
MR. GELLMAN: That's what I see, step by step putting everything together. I'm hoping at least that everyone at least recognizes this is a troubling development.
MR. HARTWIG: I think if you look at any system in the least favorable to mankind, you can always think of abuses. I think we have to weigh -- what I'm saying is there aren't two extremes. There isn't Jack Hartwig sitting at his computer screen scrolling through, let's see I'm going before the committee, what are their names. Between saying you can't have access to anything, you can't view anything and then this other world where all we do is look at records. I don't know that there isn't some kind of a ground in between there where we can have both sides.
MR. GELLMAN: That's what I'm talking about to say okay you can have access for the purpose for which you claim you need access and for which you've made a case, you just can't use the records in other ways. That's the tradeoff.
MR. HARTWIG: During the course of an investigation you find out that the individual has confessed to the doctor, that's what I'm saying. You don't look at it through the medical record, but your interview -- this is where you're also, I would just argue a little bit about somebody in the course of an investigation finds out that the -- through whatever means, he tells his best friend, and I told my doctor, or this has come out with a doctor. You're saying you can never get the medical record or you have a -- that's where my confusion sets in. What are we talking about here?
MR. GELLMAN: Those kinds of circumstances can be dealt with one way or another in terms of exactly how you define the line. For example, if the police want to get a medical record for an investigation, they have other powers and other processes, it's that you cannot use this oversight mechanism which is designed to assist in oversight of the health care system as a tool for other purposes. That's the goal. If you can subpoena the records in another way, you may or may not be able to get them because there may be legal protections for those records. If you try to get a physician to testify against his patient in some jurisdictions at some time, the courts will not allow that physician to testify because of the physician/patient privilege. It's not very valuable and it's not applicable all the time, but it is there some of the time. There are principles of law that say -- and ultimately we will have some doctors here talking about their views on this about whether they feel they have an obligation that they clearly have some kind of an ethical obligation not to disclose information.
MR. HARTWIG: Let me give you just the other side of the story. I'm conducting an investigation of medical billings of a provider and I find out they're a child abuser, what happens in that case? I'm using my oversight authority and I find out that now he's conducting a violation clearly outside my authority as an inspector general. The reason that we have always asked for some kind of wide redisclosure is for those kinds of situations because I think in that case I don't know that the benefit to society doesn't maybe outweigh the privacy of the record.
The other question that I bring up is as a law enforcement officer, you are there now with evidence of a crime and what is it that you can do with it.
MR. GELLMAN: That is in fact the question. On the first one, I have an easy answer to that. I believe in every state reporting of child abuse is required, so the issue is not whether you would --
MR. HARTWIG: Maybe it was a bad example.
MR. GELLMAN: No, I'm sure you can come up with a better one, but the answer is -- the question is whether the physician has reported the child abuse in accordance with whatever his legal obligation is. The patient is not the issue. In drawing a line here, there's no question this happens all the time. I mean we can play the same game with the fourth amendment in terms of limitations on ability to get things. We're going to have a circumstance in which there is some tremendous self incrimination, take your pick, in which somebody is going to get away with something that we don't like and it's terrible because we're trying to protect people's rights generally and some things fall through the cracks. That will happen here and there will be no doubt there are sitting in medical records today evidence of crimes that we all think are terrible and people belong in jail for. It doesn't mean that the records should be used as the source of that when you're coming in doing a health investigation. That's the reason we're allowing you to go in and get the records. But that's the issue here.
MR. FANNING: Can I ask a question? Does it often happen that evidence of some wrongdoing unrelated to the health system shows up in IG type audits or investigations?
MR. HARTWIG: I am not familiar with any medical record that has evidence of another crime, I'm just not. I'm not that familiar. We've had cases where the patient is part of a criminal activity, where the patient and the provider --
MR. FANNING: Related to the health transaction.
MR. HARTWIG: But that relates to health oversight. That doesn't get to where somebody has an accident and a police officer goes to the hospital and says what was the blood alcohol content of the driver -- one of the examples that I can think of. Again, this is an oversight town, but I do know that we have always argued where we have access to the records, there should be some mechanism for the redisclosure of that data.
MR. GELLMAN: Well, at least some of the bills provide for certain direct disclosures to law enforcement of certain information. Others are more restrictive here. My answer, and we can't get into this in too much detail without quibbling over language, but that's the way you provide for that and not that you look at a medical record and discover someone had a high blood alcohol and therefore you turn them in. The police have to get that record directly themselves. They're either entitled to it or they're not and that's a different issue than the one we're talking about here.
MR. SCHWARTZ: This might be a little bit broader, but I'm just wondering about a shade of gray and that is whenever any of you or your organizations access medical records with individual identifiers, do you always access all the information on the record in its entirety or is there some way of restricting access to certain information? Do you ever do that and could that be a way of working in the computerized world? Anyone.
MR. BROADAWAY: The need for any information has to be relevant to the inquiry. It's little different than financial records with regard to fraud at a specific point in time. That doesn't give you the latitude to reach back 20 years to see how you got through college or whatever else might exist. Record requests are still relevant.
MR. SCHWARTZ: Do you need all the information in the record for every single review?
MR. BROADAWAY: No.
MR. SCHWARTZ: So to what extent do you limit -- how do you currently go about limiting the information that you might receive and review whether it's an investigation, an audit or an evaluation? How does that work currently?
MR. BROADAWAY: The compulsory processes, and the protections that that affords records custodians, the process whether it be a search warrant or a subpoena sets out in detail as to what records are sought.
MR. SCHWARTZ: And all the information within the record, if it's a medical record, is accessible. You don't need to limit, say we need to have information on whether or not a particular procedure, a particular treatment, a particular diagnosis was performed or was assessed or anything like that. You get all the information. Is that the same for everyone?
DR. BUCK: No, it's not. I would say that we need, and do now have, complete access to these random samples, if you will, of records, but the records in entirety. The reason for that is that we're going from that to another level of assessment, which is to form impressions and track other organizational functions. However, I think the key to -- so one answer I would have for your question, I think that a focused segmental abstraction of a record would not support our survey process at all. However, it is also a true statement to say that -- I'm trying to think here and I can't think of an example where one of our surveyors would actually abstract identifiable information from that record and then use it for some other purpose. I think the closest it would come to that would be to discern some either very good performance or very bad performance and track that through the survey process. I think that's as far as it would go.
MR. SCHWARTZ: Let me just ask with the survey process, would you actually need the original record or could you have read(?) only access to these records for example?
DR. BUCK: Again, in this hypothetical ideal state that is still some years off, where everything in all detail is computerized, I think if there were a stringent process whereby we could be assured that what we were seeing was real, and that in fact if necessary this could regenerate back to an identifier, that would be sufficient. I would caution however, I think the committee in recommending at this point legislation that assumes a capability that really doesn't exist and won't exist for -- your guess is probably better than mine, but it certainly won't exist for several years.
MR. GELLMAN: Dr. Harding.
DR. HARDING: Dr. Buck, just in that area two things. If I was the patient who was the sentinel incident or was just one that you were reviewing, would I know that my chart had been copied and taken to Chicago?
DR. BUCK: In almost all circumstances, the chart would not be copied and taken to Chicago, and in that situation the chart presented to us, and in these circumstances frequently the real chart is available for the surveyors on sight to review, from which they would abstract whatever information or notations they did. But in a literal sense, as I mentioned before, it is extremely rare that we would literally physically have an intact identifiable patient record in Chicago, very, very, very rare.
DR. HARDING: Okay, yesterday we had researchers here and they were talking about having numbers of patients and patient groups. Sometimes oversight officers would come to them and say we would like to look at some of your data or a patient chart because there is something going on in a legal away and in your cohort of research subjects, we want to look at that. They told us, I believe, and my impression was that they do not release information to oversight committees in the research process. Instead, they would refer the person back to the primary care, or the provider. Is that your understanding? Have you ever had an experience like that where you tried to look at something in a research way and that research was protected in some special way?
DR. BUCK: I'm not quite sure I follow this example. MR. SCHWARTZ: In other words, there was an original source of the information as opposed to your secondary source. Would you ever refer authorities to the original source as opposed to providing the information directly?
DR. HARDING: They felt they had special status. That was my impression that I got from listening to them, and that they said no you can't look at our research data, but you can go back to the provider, the original referring provider and see if you can get him or her to let you see that stuff.
MR. MAHON: I have no experience in that area on which to comment.
DR. BUCK: The only comment I would make is that in most organizational settings that do involve themselves or sponsor clinical research, these are already covered by very stringent confidentiality protections. I think probably that's what they were alluding to.
DR. HARDING: The other question I had is the access door. When you want to go look at Dr. Smith's practice because something looks like it's not quite up and up with his practice or some billing procedure and so forth, who do you go to to get access to his patient's charts? Do you go to him, do you go to the insurance intermediary? Where do you open the door?
MR. HARTWIG: I think you access legally who has possession of the records. In that case it would be the physician. The only time that you might not go to the physician is if he's given his medical records up to someone else, and I can't see that --
DR. HARDING: That would be in like the case of a managed care company where the physician doesn't really have control of those charts, that's a company control. You would go to the company and go in to the -- get access through the company so the physician may or may not know, the patient may or may not know that you're looking at them.
MR. HARTWIG: If the managed care company has the records under their possession and they are the ones that maintain and control the records, then that would be the place that we would go to obtain the record.
MR. GELLMAN: I thought you were going to say something.
MR. MAHON: Just that in the case of an insurer, if it gets a -- if an insurer gets a call from a chiropractor's billing clerk and says you really ought to look at Dr. Brown, he is fooling around with the billing day in and day out here, that insurer is probably going to do a claims paid run to see what kinds of claims volume it has paid out to chiropractor Brown. Second, if it goes so far, it will show up at Brown's office and say we're here to examine the records of your treatment of patients A, B, C and D by name. But the only such records they can request are those of their own insureds. They can't say we want to see all your records of chiropractic treatment for the last year. They don't have that authority.
If the billing clerk has reported the suspicion and the insurer requests medical records on that basis, then generally speaking, no, the patient is not going to be aware that the insurer is in there looking at that particular medical record of its insured. In other cases, if it's a broader based investigation, the insurer itself will send out form letters to X percent of its insureds who have been treated by that chiropractor saying this is just a simple audit letter, would you please verify, our records indicate that X dollars was paid on your behalf for such and such a treatment on such and such a date, would you please verify that this is the case. So without being explicit that they're conducting the preliminary stages of an investigation or an evaluation as it were, they in some cases are giving the insured some heads up that something is going on.
MS. LEATHERMAN: Can I just add some clarification? I sit in a very large managed care company. There are two issues here. One is it is a very unusual circumstance that a managed care organization has the records. That would occur really only in staff models, which is really the minority of managed care enrollment in this country.
Secondly, regarding the health plan's access to the records, the process you've described I think is very accurate for what would occur in that kind of investigation. At the time that a patient or member enrolls with the health plan, they are signing at that point of enrollment consent for the health plan to access the medical record. That's what the health plan would usually rely on at the point that they want to go to a physician's office, whether it be for some kind of audit regarding the financial integrity or any type of quality review or outcomes research.
MR. GELLMAN: The issue of whether the consent process gives the patient a fair break is an issue for another day. But you're absolutely right.
Let's talk about preemption. This is one of the hot button issues in any legislation. Kennedy-Kassebaum already enacted law says that a federal privacy law should not supersede a contrary provision of state law that imposes requirements that are more stringent than the requirements imposed under federal law. So that more stringent, more privacy protective state laws would still be valid. Anyone have any views on that? Do you like that, do you not like it? Do you think it's a good policy?
MR. HARTWIG: I don't know whether we've had any experience.
MR. GELLMAN: You haven't because basically that provision doesn't really apply to anything yet, but there's clearly a sentiment expressed in the law in favor of more stringent state laws.
MR. HARTWIG: I think it would be a constitutional issue when you get down to it, but it's hard for me to comment, we've never gone up against where there is a state -- there is no physician patient privilege under federal law. So the issue is if that were to be invoked in the state where we had a prosecution --
MR. GELLMAN: Privilege law wouldn't apply to you anyway, it only applies in testimonial activities. But in any event, did you want to comment Dr. Buck?
DR. BUCK: I did. It's certainly my hope that -- and again, anticipating this glorious future that we hope does come about eventually where we really do have not only meaningfully automated, fully good automation infrastructure and data to work with. The whole trend clearly though is that various domains of health care data, whether it be clinical, financial or administrative, however you want to describe it, are in fact becoming A, more integrated, and B, are being used across state borders.
I personally, if I had to tilt, I would say that that's mostly a good thing. Perhaps you could come up with examples where it's not a good thing, but I think in general that is a trend that we probably all would support.
That being the case, I would hope that this preemption issue could be resolved in such a way that a federal legislation could minimize let's say any really significant functional differences in levels of confidentiality protection, because I think basically it could become self defeating. So I would vote that personally I feel we've noticed that, and I think that that perhaps might retard the achievement of the kind of future that you were alluding to before.
MR. GELLMAN: Let me ask a specific hypothetical under this policy. Suppose state passes a law that says fraud investigators, federal, state, private, before they can get health records have to get a court order. They have to notify all the patients and they have to meet a probable cause test. How would that affect your operations?
MR. HARTWIG: And we had to follow it? There are a few issues that I would say.
MR. GELLMAN: Sure, there are tons of issues.
MR. HARTWIG: The Constitution -- that's what I'm saying.
MR. GELLMAN: Congress has passed a law that says state laws take effect.
MR. HARTWIG: That's why I said it was a constitutional issue. First it would be whether or not the government would allow itself to be regulated by the state, that's an issue that would be made far above me. I think if you make any -- where you make it too restrictive, I think it would just have a chilling effect on health care enforcement in that state and you would probably find a lot of the providers that are now scattered throughout the country would all move to whatever state you're looking at. I don't know that I wouldn't move to that state and do the same thing. I think if you put two -- again, the scales of justice if I will -- if we are bound by a very strict state statute that says you won't have access to our medical records in this state unless you have a court order and a showing of probable cause or beyond a reasonable doubt, they could make whatever standard they want, I think it would have a chilling effect on health care oversight in that particular state.
We have seen, as an organization, some of the defrauding providers move to areas where they believe they're not going to come under scrutiny. If they think that they move to wherever it is, that there aren't going to be very many criminal investigators or there aren't going to be any criminal investigators there and they aren't going to look and they can stay under the radar, that's where they're all going. So I think what you would have, we would probably see a lot of what we would consider fraudulent providers moving to that states, and a lot of attorneys telling their fraudulent providers to move to the state. I've said it before, I think the price we pay on some of these, if we make access too stringent, is that oversight could be hindered, greatly hindered in some respect.
MR. GELLMAN: Mr. Broadaway, any thoughts?
MR. BROADAWAY: Yes, I certainly concur with what Jack has said. I'm not sure that there would be any practical implications. Something that certainly exists today, many states have laws where they call one party consent to recording conversations a wire tap. But operating in a federal environment in a prosecution in federal court, the state law doesn't apply to causes brought there. But it does prohibit any of my investigators from proceeding in a state court.
MR. HARTWIG: Let me also point out one other aspect of it is probable cause is the standard for a search warrant. You would not see in that state, I would think, very few subpoenas. What you would be doing is agents now when they would want records, and if you gave an agent, a criminal investigator a choice as to whether you would want to be in there searching the place yourself for the records you felt were necessary or whether you want the subject to provide you with the ones, I know I would vote that I would rather be in the office.
The other impact I think of that kind of standard would be that law enforcement would now be looking to execute search warrants when they needed medical records. If we were forced to come up with a probable cause standard, which is the standard for a search warrant, to get a judge to approve it, why would you ever have a subpoena? You would have a search warrant. So what you would find in that particular state when law enforcement was looking to access those records, we wouldn't be saying to the provider here's a subpoena. You would find the other effect, I think, which would be a negative one, would be law enforcement would be executing more search warrants to obtain records, a much more intrusive record of getting them.
MR. GELLMAN: If that wasn't also regulated by the state. Dr. Buck.
DR. BUCK: For conceptual development anyway, considering this legislation, I would recommend if some of you I know have seen it, but for those who haven't, I would recommend that the committee or interested parties review the so-called Dartmouth Atlas. This is John Winberg's(?) milestone contribution, mostly from a public health standpoint, but also from a policy development standpoint of analyzing health care in the United States with the best data that's available.
One of the, I just will mention one conclusion or visible achievement of this work is to show that in the manner that he's defined them, health care in the United States is actually delivered by 303 functional health care regions. Now, you might argue how he's defined functional health care region. But one of the many contributions of this milestone work is to show you graphically that in point of fact virtually none of the functional health care regions follow geopolitical boundaries. Not only is that an insight to a whole slew of problems that we have in this country with health care, but it strikes to the kind of issue that we're talking about here.
So I would say that again there is not only I guess personal opinion, but there is now growing some of the best scholarly work that I know of anyway that would suggest that this issue of preemption is something that needs to be resolved, and I think in favor of a more comprehensive approach from federal legislation.
MR. SCANLON: Let me ask Dr. Buck a question again. The Joint Commission as part of its accreditation does employ this concept of a report card, or at least some indicators about individual plans and hospitals. Has state to state variation in access to medical records created a problem when you try to have common indicators across --
DR. BUCK: My response to that would be not yet. I say that very seriously, because one of my recommendations to the subcommittee would be to consider having a group of accrediting bodies visit this issue of report cards. It is the whole notion on the one side is very appealing, but there are some very legitimate reservations about it, which are going to, if they haven't already, I think they've come to center stage already, but they certainly will. One of the keys to resolving what is I think a legitimate issue here is the issue of data quality. Again, we all, all that is not just the accrediting bodies, but all the organizations have to sort of play by the sheet. So this is an issue that if in my book is on center stage, it soon will be.
MR. GELLMAN: Let me sort of follow up on that. We've got classes of laws both at the federal level, I'm thinking here of the alcohol and drug abuse rules that impose pretty strong restrictions on access to that class of records. Then at the state level there are some state laws, and a good example are state AIDS laws that impose stricter limits on how these records can be used. Does this create problems for any of you? Do you run into this? Does this make records unavailable? How do you get around it? How do you deal with it?
MR. BROADAWAY: I have not encountered it in the course of my experience.
MR. GELLMAN: Dr. Buck?
DR. BUCK: Not yet.
MR. GELLMAN: Do you accredit alcohol and drug abuse clinics?
DR. BUCK: We do under the behavioral health care accreditation program we do.
MR. GELLMAN: How do you get records to look at? Is it a problem?
DR. BUCK: We survey records. Maybe this is just by precedent as I mentioned before.
MR. MAHON: Private insurers have two problems at either end of the transaction. When they suspect that a provider of drug and alcohol rehabilitation treatment of psychiatric treatment is the one perpetrating the fraud, and they need patient records with which to document that, the provider is smart enough to know what the prevailing privacy and confidentiality restrictions are and generally speaking is immediately going to cite that as a shield behind which to hide and refuse to disclose any patient records. So on the one hand the insurer may have to get those by subpoena ultimately or court order. On the other hand, as I mentioned earlier, when subpoenaed for those treatment records, the insurer faces a legal liability absent a court order if it goes ahead and discloses them in response to a subpoena. So they get it at both ends, getting the information and then doing something with it.
MR. GELLMAN: Mr. Hartwig, do you have any problems with this?
MR. HARTWIG: I hate to say I have problems with everything, so I will just say that we're very sensitive to the issue. I don't know that we've had a large caseload in that area to really -- there's a question of if you don't have problems, because in the scheme of our total caseload there are just a few related to that. But if you extended the prohibition to our total caseload it means something entirely different.
MR. DIEGEL: I was just going to add that in terms of preemption and state by state regulations, in general the insurance companies prefer not to have to meet a varying set of standards in every state. On the other hand, any federal legislation, they run the danger of opening the door to federal regulation which is not a promising prospect from the company's point of view. They prefer to deal with that in model legislation developed by and in concert with the National Association of Insurance Commissioners to achieve standards.
MR. GELLMAN: If you're talking about life insurance, I think that's certain fair, but if you're talking about health insurance, I think the health business is at least slightly regulated by the federal government already.
MR. DIEGEL: I understand. But you get into the issue of claims fraud and how that's regulated and whether it's a federal crime, et cetera, et cetera.
MR. MAHON: If your panel or anyone else comes up with the appropriate way to reconcile these privacy issues, then philosophic and practically, I think one federal standard would be easier for all parties to conform to than 50 varying standards. We see parallels now in two aspects of insurers anti-fraud work. When you report a suspected case of fraud, the degree of immunity from civil liability for defamation, libel, slander, et cetera, malicious prosecution is entirely a matter of state law. In some states, if you turn over a suspected case in good faith to the state insurance fraud bureau, you're immune from being sued for those liabilities. If on the other hand you take it down the street and turn it over to the FBI, you have no civil immunity protection under that state's law. Most states have now gotten to the point where they're improving it and they're getting very comprehensive the longer they go.
The other place where it comes into play is in what states are requiring of insurers. More and more states are now saying to insurers we will improve the legal environment in which you can pursue fraud, but at the same time we're going to make you do more to detect and investigate and prosecute it. We're going to make you have a fraud plan, a fraud unit, train the unit, refer suspected cases. In New Jersey, you have to have one investigator on staff for every 60,000 lives covered by your health policies. They're the only state that's gotten that specific, but you're dealing with an increasing mix of claims form and application fraud warning language, or statements rather, that may or may not be substantially similar across state lines. I think this is another area where a federal standard would be useful if one can arrive at it.
MR. GELLMAN: Let me do one more subject before we adjourn for the morning. I want to talk about identifiers, identifying numbers. Roughly there seem to be sort of three options out there, the use of social security numbers as an identifier, the use of some kind of modified social security number has been recommended with a check digit or some new identifier. Anyone have any preferences? Do you care? Does it matter to you?
MR. HARTWIG: I don't know for law enforcement unique identifiers of the beneficiaries is an issue, but under the Medicare program most beneficiaries operate through a social security number. I know for data processing, it's better to have a particular number. I think from an audit oversight, that kind of oversight perspective, when you're manipulating data, I think it's better to go with a number. I know the Medicare system has one. But I also know that Medicaid systems have different identifying numbers. The thing that I would argue is it may be better to have a unique one just for comparison purposes. It's more of an issue with us on providers where we don't have unique provider numbers. It's a bigger issue for us than unique patient numbers.
MR. GELLMAN: A unique number is useful, but you don't necessarily have a preference as to what it would be.
MR. HARTWIG: No.
MR. GELLMAN: What about the private guys, do you care?
MR. DIEGEL: Keep it simple.
MR. HARTWIG: Three digits.
[Laughter.]
DR. BUCK: I think there have been studies off and on done that evaluate the accuracy of social security numbers and so on. I think that would be a good decision to leave to a consensus body. However, in terms of supporting the notion at all, we do. There are compelling reasons today in the health care field that are really related to but distinct from the confidentiality issues. We simply have to be able to track care across settings, and facilitate that process. I frankly don't know of any better other way to do it with the problems that we face nationally and the capabilities that are being built every day. It seems to me that this is not an unreasonable thing to do. We need it I think.
MR. GELLMAN: Anybody else comments? I thank the panel. It's been a long morning and I think it's been productive. You've all been very helpful and I think you really help us do a better job in trying to figure all of this out.
This afternoon, we have one witness this afternoon, so it will probably be a little bit of a shorter session for those who are going to hang around. We will reconvene at 1:15 p.m. Thank you.
[Whereupon at 12:05 p.m., the meeting recessed for lunch, to reconvene at 1:15 p.m.]
A F T E R N O O N S E S S I O N
MR. GELLMAN: Our witness this afternoon is Cary Sennett. I'm going to let you identify yourself and proceed as you please.
DR. SENNETT: Thank you. I'm Cary Sennett. I'm the Vice President for Performance Measurement at the National Committee for Quality Assurance. First, I would like to thank you for the opportunity to provide testimony to this group and tell you a little bit about my organization and then speak directly to the issues of confidentiality that are on your minds.
NCQA, as you may know, is a not-for-profit organization headquartered just across the river. Our primary business is evaluating and reporting on the quality and performance of managed care organizations. We believe that there are very substantial differences with respect to the capability of organizations and the success with which organizations deliver managed care and our objective is to try and move information into the marketplace to help individuals and purchasers recognize and make purchasing decisions and consuming decisions based upon objective evidence and information about the relative performance of these different organizations.
We do this in two ways, during an accreditation program which is standards based which produces a summary judgment about how a plan is organized and how well it operates to meet the needs of its covered population and through a set of performance measures collectively known as HEDIS which attempt to assess the results that plans actually achieve.
If I might speak to the issue of confidentiality and the role and use of information in a managed care environment, I would suggest that we have a vision for the future and our vision for the future is one in which health plans and providers act as responsible medical information trustees, accountable to patients. That vision is built on a foundation of trust among patients, providers and plans. That trust depends on four things. Number one, an absolute commitment to confidentiality of the medical record, improved procedures for obtaining access to that information, communications to patients regarding the commitment to confidentiality and demonstration of appropriate use of information by health plans and providers.
If I might speak a little bit about what we think is required to accomplish those. To demonstrate absolute commitment to confidentiality, the following will be required. Number one, there need to be improved mechanisms and releases, improved mechanisms for the release of patient information. Patients have to have a better ability to control the release of information. There need to be major investments in technology. There need to be improvements in the technology that provides security to electronic systems. There need to be dedicated staff, staff resources who are accountable for the security of information. We have in mind, for example, a position which will be called the Information Security Officer. And there need to be strong sanctions for violations, for violations of patient trust and confidentiality. There need to be mechanisms to identify violations, but also powerful negative reinforcement for violations when they occur.
To achieve improved procedures for obtaining information, that will require among other things mechanisms for patients to assess and verify the accuracy of their medical records. To achieve better communications to patients regarding the commitment of confidentiality, there will need to be means by which to explain to consumers, to patients, how security systems operate, how they protect confidentiality. Those explanations will need to be in terms obviously that members, patients, consumers understand. Most importantly, it will require demonstrations that health plans and providers use patient information responsibly to offer increased value through care management to the populations for which they are accountable.
We worry about the prospects for any world other than one in which these information trusts exist. Without them, the information required for patient care, for accountability assessment, and for quality improvement will not be available. NCQA is working, although not at the center, but NCQA is working to help make such a world possible.
We are, as I think you know from this morning's discussion, working with our colleagues at the Joint Commission to organize a conference on patient confidentiality that will bring some of the special issues that we face as accrediting organizations to the fore for public discussion and debate. We have, and always will, emphasize the need for strong and effective policies and procedures to protect the confidentiality of patient records. Our health plan accreditation standards speak directly to this.
Finally, we have identified patient confidentiality as one of the seven critical determinants of an information systems framework for the managed care industry for the future. Our information systems road map for health plans, which NCQA's President Peggy O'Cannon(?) I believed described to you in brief in a subsequent meeting, and which will be released late next month, clearly points out that confidentiality is a critical requirement for more capable information systems in the managed care industry and that health plans will have to build into their systems the safeguards that are needed as they build systems that enable better care management and better performance measurement.
I know that my time is limited, so I would like to end my formal testimony at this point. Thank you for the opportunity to speak on these issues and present NCQA's perspective on this critically important matter. I would be delighted to answer any questions that you may have.
MR. GELLMAN: Thank you. Can you tell me more about what you actually do?
DR. SENNETT: What NCQA does?
MR. GELLMAN: Yes.
DR. SENNETT: We really operate two distinct programs. We accredit health plans. Now there's a process for evaluating how a health plan is organized, how it operates. The product of that evaluation is an accreditation determination which is in the public domain. That process involves some review of documents prior to an on site review, and then a review of the health plan on site by a team of three to five experts in managed care, most of them physicians, who evaluate the organization against a set of standards which we publish, which we believe describe the business practice in managed care.
If I might, I would elaborate to suggest that good business practice here does not mean cost effective practice, but means business practice that conforms to the need or responds to the needs of the covered populations. I would be happy to go into as much detail about the accreditation program as you would like.
MR. GELLMAN: Did you hear Dr. Buck's testimony this morning?
DR. SENNETT: I'm sorry, I did not.
MR. GELLMAN: Okay. Is your process of accrediting plans in a rough sense the same activity as his organization is involved in?
DR. SENNETT: It's difficult for me to speak expertly about the Joint Commission, but I think most would suggest that we are in the same business and that we proceed in largely the same way. Our program is about five or six years old and we've evaluated about half of the managed care organizations in the country at this point.
MR. GELLMAN: Okay. So as part of your accreditation process, to what extent as part of your process do you need to have access to identifiable records?
DR. SENNETT: In general, we do not need access to identifiable patient information. We do need access to medical records. There is no reason that those records need to be identified. The health plan is given leave to provide us with blinded records and we assess the integrity of the medical record as a clinical and quality assurance document, but there is no need for patient identifiers in that information for us to make that assessment.
MR. GELLMAN: Do you normally get records that have been blinded or someone's got a paper record that thick that you want to look at, blinding it sounds like it's a difficult activity?
DR. SENNETT: Actually it could be straightforward in terms of there are xerox machines for example that will automatically white out sections. I don't know to what extent we actually receive blinded records typically and to what extent we do not. We are, in our communications to the reviewers that NCQA hires or the staff reviewers who participate on reviews, very clear of the need to protect the confidentiality in any setting in which a patient is identified. So our guidelines for reviewers are very direct as well as our guidelines for managed care organizations.
MR. GELLMAN: When you are reviewing a record, identified or not, let's just assume some of them are identified, will you retain the record? Will you take it away from the facility?
DR. SENNETT: No.
MR. GELLMAN: So you don't have any need to have a copy of the record outside of the facility that you're auditing?
DR. SENNETT: That's correct.
MR. GELLMAN: In the course of an audit, accreditation, whatever, how many records might be looked at?
DR. SENNETT: It depends on the size of the organization, but typically it would be between 50 and 100.
MR. GELLMAN: Okay. You said that you have two functions, one of them was the accreditation. What's the other side?
DR. SENNETT: The other is the development of performance measurement systems that try to move statistical information about health plan performance into the marketplace. We have a standardized set of measures called HEDIS which we hope is beginning to meet the need that purchasers and consumers have for information about the results that health plans achieve.
If I might give some examples, among the HEDIS measures that have been out for two or three years are measures that look at the effectiveness of the plan in delivering preventive care, rates of mammography, rates of immunization of children, rates of pap testing. There are measures that look at other aspects of performance than the clinical performance.
We have in the new version of HEDIS introduced a standardized survey instrument for evaluating member satisfaction. We have measures that look at the extent to which the health plan is helping educate its consumers, or educate its members to equip them to make informed choices. We have measures that look at how services are used, largely procedure rates to help a purchaser primarily understand where the purchaser's dollars are going and so on.
MR. GELLMAN: Do your accreditation functions overlap at all with the Joint Commission? Do you compete for customers? Do you compete with anyone for customers?
DR. SENNETT: We do compete with the Joint Commission. There are other organizations that also accredit managed care organizations, URAC being the notable other --
MR. GELLMAN: Who?
DR. SENNETT: The Utilization Review Accreditation Committee. I'm sorry, I'm not able to speak terribly knowledgeably about our competitors, but I know there are other organizations that are in the same business. We do have the lion's share of the market at this point, but there are other organizations that are prepared to offer a similar set of services.
MR. GELLMAN: And you're a non-profit organization?
DR. SENNETT: We're not-for-profit. We have a self-perpetuating board that is broadly constituted representing largely the stakeholders to our work.
MR. GELLMAN: If I'm a health care facility, I can go to any of these organizations to be accredited?
DR. SENNETT: We accredit, we have a managed care organization accreditation program. We also recently introduced a behavioral health care organization accreditation program, but if I might focus on the managed care organization accreditation program. Any organization that declares itself to be a managed care organization could apply for NCQA accreditation. Historically, it has been almost exclusively HMOs that do so. But it is theoretically that a medical group, for example, might feel that it was prepared to undergo NCQA accreditation. The truth is that the standards are really quite challenging even for a tightly managed and relatively mature HMO. About one out of every 10 organizations that voluntarily undergoes the process fails outright. We think that there are a number of entities that theoretically might apply that have chosen not to because they feel they wouldn't be able to meet the standards.
MR. GELLMAN: You said confidentiality was one of seven -- I'm lost here -- seven standards or criteria, principles? I can't remember exactly what it was.
DR. SENNETT: In reference to a document that will be released at the end of February or probably in early March, truth be known, that is our efforts to communicate to the managed care industry what types of changes need to take place in the information systems environment in order to enable them to deal with the types of performance measures we will be putting forth in the future. We've identified seven key areas for problem resolution. One of them is patient confidentiality. So it is one of the I think cornerstones that we've identified to an improved and capable information system or information system framework for the future.
That is a policy document, if you will. It's distinct from our accreditation standards. We do have accreditation standards that speak directly to the need for health plans to have policies and procedures that govern medical records confidentiality.
MR. GELLMAN: Will that be enhanced or improved in some way as a result of this new document you're preparing or is that just really a description of what you're doing already?
DR. SENNETT: It is very likely, we have not completely gotten our arms around this, but we are increasingly aware of the importance of information systems in general and in some issues such as confidentiality in particular that we need to address and probably need to address more aggressively and more affirmatively. A first step towards that is this conference that will help us understand what are the issues and help us lay out our strategy or help us understand what our strategy ought to be probably in the context of what others need to do as well.
MR. GELLMAN: Can you describe in any level of detail when you're looking at somebody's confidentiality problems, confidentiality compliance today what you look at, how you go about doing it?
DR. SENNETT: We look to see that there are policies that describe how medical records are handled and we look for evidence that there's compliance with those policies.
MR. GELLMAN: What constitutes evidence of compliance?
DR. SENNETT: If there are grievances or complaints from providers or patients about violations of policy, that would clearly suggest that the policies are not effective, the policies are not implemented adequately.
MR. GELLMAN: Do your activities involve any kind of review of security systems, examination of, if they're available, audit trails, of access, anything at that level of detail? Is that too detailed for you to be able to do?
DR. SENNETT: It's not necessarily too detailed for us to be able to do, but the information systems management function has not been a primary focus of our work in the past. As I suggest, it is an area in which we're aware that we probably need to move forward.
MR. GELLMAN: How does the work that you do looking at confidentiality compliance compare in terms of difficulty or expense or how time consuming it is compared to the other parts of an accreditation?
DR. SENNETT: That would be very difficult for me to answer. Largely the accreditation process is a non-linear one. Documents are reviewed, management is interviewed, physicians are interviewed. Information is collected around a whole range of issues simultaneously, so it would be very hard for me to estimate that. It is a non-trivial issue. Each of the standards is very important. We hope that we walk away from the accreditation review with solid information about each of those, but I'm not sure I could quantitatively estimate how important it is relative to the others.
MR. GELLMAN: In some respects, Dr. Buck has softened us up on this issue from this morning, because he was on a panel with some other people and we were talking about the boundaries of oversight activities and it became clear from talking to him, and I'm sure a lot of this applies exactly to you in the same way, that the legislative difficulties of defining this activity are -- it's an easier thing to do than some of the other kinds of oversight activities that go on. Your need for records is fairly limited. I don't know what the answer is exactly, but there's a way of addressing that more specifically that meets your needs and still builds a fence that you can live within and provide a degree of protection.
I'm sort of wondering, and it's a new thought from this morning, is whether the accreditation process can be used perhaps in a more formal way as some kind of independent oversight mechanism of whatever confidentiality rules happen to ultimately be enacted into law. I don't know enough about the legal basis for accreditation and the legal requirements, so I don't know if that's sort of going beyond what's already there or if this would just be an amendment to that or further sort of push in the direction of making this something to be looked at. I just don't have the background to be able to guess at that.
DR. SENNETT: I probably don't have the background to be able to answer it, but if I might just take a stab and with your leave ask my colleague to comment as well. In a case where there were standards that were clearly recognized as both legal requirements and good business practice, and we would hope that many of the standards that are the former would also be the latter, I think it would be appropriate and probably even desirable that NCQA embrace those or that those be included in our accreditation process. We very much want our accreditation process to operate in a non-redundant or synergistic manner with other oversight processes. That is, to the extent that a health plan has met NCQA standards, and to the extent that there are other standards that the health plan might need to meet, or standards through other processes, and to the extent that our standards speak directly to the issues that otherwise might require independent review, we would like NCQA standards to be recognized or the plan that meets NCQA standards to be recognized as de facto meeting those standards in addition.
So it would not be inconsistent with our philosophy, nor I think would it be inconsistent with the need that exists, for us to incorporate other standards into our process, although they would be our standards. I wonder Steve, if the NAIC model is appropriate?
MR. LAMB: I know that -- Steven Lamb with NCQA. We currently have relationships with eight states that do require an external review of the HMOs operating in those states. On the 22nd of this month, we will be meeting with HCFA to begin a formal process of evaluating how our accreditation process and standards might be used in conjunction with their review for what we call an enhanced review process. That would mean that to the extent that an organization had been accredited by NCQA, performed well in certain areas, HCFA would then concentrate its energies elsewhere and be better able to focus its oversight resources. To the extent that additional requirements were placed on HCFA to oversee new requirements for issues of confidentiality, I think it would be easily rolled into that same model.
MR. GELLMAN: I think what I hear from both of you is that if there are new legal standards established for confidentiality, that they would be incorporated basically automatically by your own activities into your own oversight, your own accreditation process, maybe not -- you might do things a little differently than required, but that would become part of your process. It would happen automatically without the need for a piece of legislation to say you have to do this or a facility has to do this.
MR. LAMB: I was going to say every organization as a condition of applying has to be in full compliance with all state and federal regulations. So to the extent we take some of that for granted, and it does occur when we go into an organization and find that they are not, we immediately notify the appropriate authorities. But I think your model is correct in that if there are new federal standards established for the confidentiality of medical records, you could expect that we would treat that as a floor. Depending on where the standards are set, depending on the work that comes out of this conference, I think it's conceivable that you might even see more rigorous standards from NCQA, again depending on where they're set at the federal level.
MR. GELLMAN: So my view is we get it for nothing, we don't have to deal with it. If you can pass a bill, there will be -- the existing oversight mechanisms will incorporate it and deal with it and perhaps improve upon it, but that will just become part of the process.
DR. SENNETT: And we would like to work that way. It's been our effort to try to make it work that way.
MR. GELLMAN: That makes it easier from a legislative point of view. It's something you don't have to worry about because it's already there.
I would like to expand your empire. I'm thinking of we've got the health care providers being reviewed here through various mechanisms, whether they're meeting standards, legal or otherwise. I'm really fishing now in very deep waters. You've got all these other users of health records, people who come along and say we have a justifiable case to be made that we should be able to get identifiable records that you should strike the balance between privacy and public interest, but public interest justifies giving records to public health agencies, to health researchers and perhaps to other oversight activities. There isn't any accreditation process for any of these, there isn't any kind of independent oversight in the same way that there is for health care providers, I assume that's correct.
DR. SENNETT: I assume it's correct as well. We sort of know about the business that we're in. We don't know about the businesses that we're not.
MR. GELLMAN: I'm just wondering, does this process of accreditation of independent review have any utility -- I mean I may be asking the wrong people here and I recognize it -- does this make any sense for any of the other players who are getting access? I mean one way to look at this is to say if the federal government, whoever, can pass a bill with confidentiality standards that applies to health care providers, you guys are going to come along and oversee them, at least to a certain extent. But the other people that are getting access there isn't anyone doing that at all. It's just fortuitous that you happen to exist and were able to subsume these standards under your own activities. I just don't know whether for anybody else that makes sense. I'm really out here fishing for a thought. I don't know whether a piece of legislation like this can justify the creation of a whole new oversight mechanism for all of these other entities. I don't know if you have a thought on that at all. DR. SENNETT: My thought is that there may well be a need for -- presumably at every point at which someone is interested in information about an individual patient, there's a need for some protection to the patient and some process for assuring that number one responsible users have access, and number two that the information that's accessed is used responsibly. I don't think that it's our role to go beyond where we are, or as we think about expanding our field of view, it will be into the delivery system, but not outside of the delivery system. We're not interested in building an empire, but we are an organization that's growing very rapidly. We find that the demands for our time, the demands for our work exceeds our capacity to meet those right now. We need to stay focused on our primary business and that is the evaluation of managed care organizations and the entities that work with them.
MR. GELLMAN: I'm willing to give you a couple years to gear up to audit the rest of the world.
In the course of auditing health care facilities, I assume that some of those facilities engage in research activities?
DR. SENNETT: Yes the do.
MR. GELLMAN: Do you deal with those in any particular way? You may have just basic records type research, you may have clinical trials going on. Do any of those activities fall especially within your purview and get any special attention?
DR. SENNETT: No, they don't. For the most part, our focus is on the medical management activities of managed care organizations. I believe, as someone who used to be a researcher and someone who has done research in a managed care environment, that there are, at least to the extent that those research activities are federally funded, there are protections in the federal process.
MR. GELLMAN: IRBs.
DR. SENNETT: IRBs, for example.
MR. GELLMAN: But IRBs are on the front end. You guys basically are at the back end.
DR. SENNETT: The short answer is that we don't specifically look at the research use of patient information.
MR. GELLMAN: Anybody else?
MR. SCANLON: If I may make an observation that there is precedent in federal law for deeming -- if there is a widely accepted industry accreditation group, it's not unusual to have that group have the status of acting on behalf of federal agencies. In other words, if it's a safety issue or other issues like that where an industry has more or less a dominant accreditation process which meets the same objectives as a new federal one might, it would not be unusual for a law to say that this accreditation could be met through this other process.
On the other hand, the federal government has to be careful about conferring monopoly status if there isn't such a group. Obviously there would be other considerations.
DR. SENNETT: If I might, our position is that we would like to be deemed in that way in the following manner. We would like to be able to serve the need and eliminate potential redundancy, but we would in general not be comfortable as a monopoly provider. That is we think that there should always be at least one other alternative mechanism for an organization to demonstrate its compliance with a federal standard.
MR. SCANLON: I have another question. In the performance measurement side of the NCQA's activities, both in terms of consumer satisfaction surveys and in terms of some of the performance measures, what are the sources of that sort of information in a plan?
DR. SENNETT: The data typically come from one of three sources, administrative data sets, claim encounter data, medical records or a survey of the patient or the member.
MR. SCANLON: And is it usually the plan that gathers the information itself or does a third party come in and sort of aggregate the measures or the surveys or whatever?
DR. SENNETT: In general it's the plan. There are some -- well, for most of the measures, in general it's the plan -- there are some markets in which a third party has been retained because of efficiency, not because of confidentiality. For the survey, the survey actually is a new standard or a new specification that was introduced last fall and will be implemented for the first time next year. The requirement there is that it be completed by a third party external to the plan, a third party vendor. But in general, the plans collect the data, summarize the data, report the data.
You've not asked about this, but we are building sort of a back-end process for evaluating the integrity of the data that are released, which will not look so much at issues of how the medical records are handled, except to determine that there's concordance between one reviewer's assessment from the medical record and another's.
MR. SCANLON: But in general, the case is that it's the plan itself that would be looking at some information, administrative or clinical, not so much survey data to develop the aggregate measures.
DR. SENNETT: That's correct.
MR. SCANLON: One more question. On the accreditation side of the house, in the area of records management, you indicated that what is looked for in the case of the health plan that's applying for accreditation, is that there is a policy for confidentiality, a policy. You don't come in with a standard per se to compare the policy to. As long as there's a written and explicit policy presumably in compliance with it, that would be acceptable.
DR. SENNETT: That a reasonable person would believe would assure the confidentiality of the information.
MR. SCANLON: Are there any activities or interests in terms of developing more or less uniform or model policies across plans or is it still too early in the process? The variation is inherent.
MR. SENNETT: I think in general our position is that we do not want to micromanage. We do not want to drive the plans to specific solutions, recognizing that there are -- in different environments different solutions may be appropriate and in other situations other solutions may be. I don't know that that means that there aren't some general characteristics of information security systems for example that aren't necessary. We have in other areas provided some fairly clear prescriptive guidelines about how a quality improvement study, for example, needs to be done. To the extent that there are well accepted and generally useful standards, we would want to offer those to plans as a way of helping them understand what they need to do in order to meet our standard.
MS. LEATHERMAN: I wanted to ask a few questions about what you consider from your point of view in NCQA that need to consider not only protection of data, but also ensuring appropriate access to data for the right reasons. So for example, in the ability of health plans to put together good HEDIS data, one of the things we talked about yesterday is do we need to consider what's the ability of health plans to potentially access other sources of data, for example, immunization registries at a health department. So could you kind of speak to that issue in terms of trying to give data to consumers, what's the need for good reliable data and what's the need for health plans, or other entities but you're speaking for health plans to be able to access additional sources of data.
DR. SENNETT: We believe that health plans should manage care. That's an active not a passive process. It's also a very information intense process. We believe, in order for a health plan to effectively manage care on behalf of a covered population, it does need information about the population that it serves. Therefore, there is an appropriate need for information from a variety of sources and appropriate uses for that information.
We think that there is some very substantial variation out there right now with respect to the extent to which health plans use information and use it to accomplish what it is that we are hoping to drive them to accomplish, which is better care and service for the covered population. So to say that there is an appropriate use and to suggest that all health plans are in fact using that information that way, I would not like to be misunderstood. I think that those are different statements.
But we would agree that there is a need for information, that health plans need to have access to data. Implicit in that is that there's an appropriate use for that data and that the use should be limited to that, and there is an appropriate need for confidentiality as data moves from one point to another.
Now, we haven't specifically considered accessing information from public data sources. I just have not thought about that, but we do believe that health plans should have access to, for example, medical record data that typically lives in a contracted provider's office, because that is information that the health plan needs in order to be able to effectively manage care on behalf of that patient or its covered population. Is that responsive? I feel like I may not have answered.
MS. LEATHERMAN: Let me press a point of repetition yesterday, since we were using the immunization example. There was a public health panel which did a very good job I think of trying to stipulate what was the need for them to be able to gather public health data for all the traditional reasons and to safeguard it. In the HEDIS requirements, you have immunization reporting as one of the requirements that the health plan, and I'm sure all the research that you've done in various settings have been able to see that health plans cannot do complete and accurate reporting over that data that they have direct access to either in the medical record and/or administrative data sets, and that in a number of cases that the health of the public and accurate reporting of that function would probably be facilitated by having access to immunization registries for example. Is that accurate in your mind?
DR. SENNETT: That's accurate. Can I just elaborate? I do think that one of the mechanisms that until there is a virtual medical record that incorporates registries as a component of it, it may be that the most desirable short-term outcome may be that information move from the registry to the medical record and then conceivably move from the medical record to the health plan. It's difficult to imagine how the care of a child could in fact be optimized if information moves from a registry to the health plan without ever moving also to the medical provider. So when we think of the medical record as that full set of electronic and paper sources and it's managed as an integrated synthetic and coherent whole, I'm not sure I would need to specify, but clearly we're not there.
So I just worry about the potential for information to move from point A to point B without ever getting to the provider who clearly needs to be in the loop. Our thinking about the medical record is that it has to be in the short run, a paper medical record, has to be sort of the primary document not only for care measurement, but for care management.
MS. LEATHERMAN: I think that's a very good point and it segues to the next question I wanted to ask you. I think you referenced in your formal remarks that one of the principles or strategies or objectives or values -- I got a little confused in the typologies there too -- was that patients should have the ability to assess and verify their medical records. Is that what I understood you to say?
DR. SENNETT: Yes.
MS. LEATHERMAN: Can you talk a little bit more about that?
DR. SENNETT: We simply worry about the potential for misinformation. If there is something in the medical record that's inaccurate and it becomes propagated from point to point, and particularly -- well, then there is a need for additional concern. So perhaps a condition -- I can't say I've specified this precisely -- but a condition of release of information from point A to point B would be that a patient has the opportunity to verify that the clinical information is correct. Yes, I am a diabetic, or yes I do have a condition that is reported in my medical record.
MS. LEATHERMAN: So you would build that into some kind of release of information process that the patient is specifically contacted and given that opportunity?
DR. SENNETT: Not necessarily. There may simply be a statement in the medical record that the patient has verified the information and that it's accurate as of such and such a date. I'm not sure I have a specific process in mind that I could lay out for you, rather the objective here is to address the concerns that I think patients have about the propagation of inaccurate information in their medical record, much as those of us who have recently purchased homes are aware of inaccuracies in our credit reports that we would not want to have propagated and that often times come to our attention only when there's some adverse determination.
MS. LEATHERMAN: So I understand, so it's really more of a value statement, values statement that in the processes we're trying to protect the integrity of the patient record that we need to recognize that they are an additional source of validating information and should keep in mind that part of the process might at some point invite that kind of active participation, but you're not suggesting that it's kind of a routine process that gets incorporated into records release?
DR. SENNETT: I'm not sure I could specify a precise process for that at this point.
MR. GELLMAN: Let me follow up for a second. All of the proposals in some form provide for right of patient access and correction of records. Are you suggesting something beyond that? Might that be enough to satisfy if everyone had the right, as opposed to some affirmative?
DR. SENNETT: Right, I think that would be sufficient.
MR. GELLMAN: Okay.
MR. SCANLON: Cary, you made the distinction between the provider and the plan, and in some cases the provider is the same as the plan presumably, in other cases the plan is separate from the provider, in which case there is some sort of contractual relationship between the plan and the provider. The contractual relationship includes typically some access to the actual clinical medical record information that would be needed by the plan itself? Did the Bennett bill or any of the previous proposals create problems for that kind of a concept? Was the plan considered to be basically part of the treatment, same access to treatment that providers will have?
DR. SENNETT: May I ask legal counsel to respond? Steve is more aware of the regulatory and legislative issues.
MR. LAMB: I believe the concern that we had had with the Bennett bill was the definition of accrediting body. We wanted to make sure that to the extent that we did have access to medical records and through some fluke they might be unblinded, we could be included in the definition of an organization that would be allowed to receive those. I don't remember a specific concern that we had with the definition of plan. We were concentrating our focus on whether or not the accrediting body would be an acceptable organization to receive that information and felt strongly that we should be.
MR. GELLMAN: I think you're onto a potential problem. The Condit bill and the Bennett bill both sort of divide the world into categories here of providers and insurers at some level. Those overlap in some degree. Basically if you pick apart certain activities, and I think the answer is it's probably not as clear as it ought to be, although in fact for most respects those two groups are treated the same, but there are some circumstances in which disclosures for treatment are broader than disclosures for other purposes. That may need to be thought through a little bit better.
Let me ask a relatively detailed question about one of the bills. I don't know if this is also in the Bennett bill, maybe it's in the Condit bill. But all the bills have a requirement for basically audit trails. When you make a disclosure of a medical record, anybody who is a health information trustee, and that could be any of the people who have gotten information through the process, has to make a record of the date and purpose and identity of a disclosure, what happened. Do you think that's a good requirement?
DR. SENNETT: A shooting from the hip answer is yes I do.
MR. GELLMAN: The Condit bill has an exemption, or potential exemption here, it basically says the secretary can write rules that exempt a trustee from doing accounting when disclosures are being made to accreditors, licensors, whatever. The argument that was presented for this was that access to records in the accreditation process is an unusual event from the perspective of you're looking at a tiny fraction -- we've just talking about identifiable records of course. So that there would be in any facility a relative handful of records that might be examined and that for this information to be recorded in the file and then ultimately made available to the inquiring patient, if we have an inquiring patient, would be unnecessary, upsetting, sort of unrepresentative because the information is accessed for such a limited purpose. How do you feel about that? Do you think that makes a difference? Do you think exemption is important? I'm not asking for you to sign it in blood, I'm just looking for a reaction here.
DR. SENNETT: But you are recording.
[Laughter.]
Do you mind?
MR. LAMB: I think we had supported the inclusion of that language because it's left to the secretary's discretion whether or not an accrediting body, whether the secretary believes an accrediting body should be given that exemption. We felt it was important that the secretary be given that option because it's taken for such a limited, as you've heard, for our accreditation program, it's a very, very limited amount of time that the records -- they're never taken off site. I think there were concerns about the issues that you just raised. So we were supportive of it, not as a requirement, but rather that the secretary could look at the situation and balance the two interests between upsetting patients and the limited need for the record. Then I think it could be evaluated on an ongoing basis and that was the notion as well. But if two years out to this, we begin a process of accreditation that was more focused on medical records, well then the secretary might want to reexamine his or her decision to give that exemption.
MR. GELLMAN: I don't know -- the ultimate question is, it may not be very important in any given case with respect to particular patients, it may be the kind of thing that a patient either sees or even asks about in extremely rare circumstances. The risk of this, if you will, that's a bad word, but the consequence of this is that the record of the disclosure history you have created all of a sudden isn't complete any more. Once you create exemptions, somebody else comes along and says well we don't want to be in there either. Of course, no one else has, this is the only one -- anyway, I just thought since the opportunity arose, I would ask and I think your answer was a reasonable one maybe in one way or another. Anyway, it's a detail we're not likely to deal with but I thought I would take the opportunity.
Anybody else?
MR. SCHWARTZ: Do you have confidentiality privacy educational programs for your employees?
DR. SENNETT: I think probably not specifically. Again, our employees for the most part are not out in the health plans evaluating. Most of the reviewers are physicians or others who work with us, although there are employees, but all of our reviewers go through a training program that provides guidelines for the review both what the standards are, what they mean, how they should be interpreted. And it's clearly communicated to our reviewers in those training programs the need to protect the confidentiality of all information that is discovered through the process of a review, including but not limited to information about individual patients.
DR. HARDING: Just a point to bring up, your issue of the openness of charts and the openness of the medical record. It's certainly a valuable thing to have a patient who will go over it and look at it carefully. It takes a great deal of time and effort to go over that with a patient. I think the thing you would have to be careful on is that the patient and anybody else looking at the record that the doctor will start writing a different chart and that the chart will be only objective, no subjectivity, no thoughts but only white count 8,000, sore throat, penicillin, that kind of thing and no statements that might be helpful to him or her in the future. While I understand that the patient should have access to their own charts and correct things that are wrong, I think the downside of that is that the charts are going to change dramatically. That may be for the better or it may not, that's yet to be seen.
MR. FANNING: There's been a certain amount of attention in the press and concern in the privacy community about the amount of information that managed care organizations were asking of psychiatrists as an aspect of managing the care, making determinations as to how much further care is needed and so on. Does the work you're doing address any of this? Is any of this going to be taken up in your conference for example?
DR. SENNETT: There are a number of possibly special issues or issues that are likely to be more sensitive in the area of behavioral health. Yes, I think we will consider that in our conference. We do have standards for the evaluation of behavioral health organizations and issues of confidentiality there are addressed somewhat more thoroughly than they are in the managed care organization standards. I can't, unfortunately I'm not as familiar with those standards. They're brand new and I've not been part of that process so I can't speak to them.
I know from the conversations that I've been part of that we're very concerned about the potential for information to be used unadvisedly and for the patient's trust and relationship with the provider to be compromised, and that the standards consider that and that we need to be very thoughtful and probably will need to do some additional thinking in the future and probably some revisions in order to deal with the special issues that relate to mental health care.
DR. GELLMAN: There are laws either at the federal level or the state level that establish special confidentiality rules for alcohol and drug abuse records or AIDS records or what have you, does this create any problems for you?
DR. SENNETT: I don't know that it has yet. It's possible that it has, but as I say I don't know that it has yet.
DR. GELLMAN: Just fishing. Anybody else? If not, thank you for coming. It's been very helpful to us.
We don't have any people who have signed up to make public comment, so that concludes today's hearing. We will reconvene on February 3 back in the Humphrey Building and there will be further details whenever we can make them available about the agenda for that day. Thank you all very much.
[Whereupon at 2:10 p.m., the meeting was adjourned.]