Room 505A
Hubert H. Humphrey Building
200
Independence Avenue, S.W.
Washington, D.C. 20201
Welcome and Introductions, Kathleen Fyffe
Overview of the Issue, Kathleen Fyffe
Kathleen Fyffe
Richard Harding
Jeffrey Blair
Simon Cohn
John Burke
Michael Fitzmaurice
Robert Mayes
James
Scanlon
William Mahon
Susan Callahan
Ian DeWaal
Matt
Kochinski
Barbara Zelner
MS. FYFFE: We are going to go ahead and get started. I am Kathleen Fyffe and I am going to be filling in today for Kathleen Frawley who is the official chairperson of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. I would like for persons who are sitting around the table, beginning with Jeff Blair, to introduce themselves, and we will get started. So, Jeff, if you could please introduce yourself.
MR. BLAIR: Sure. I am Jeff Blair, vice-president of the Medical Records Institute and member of the committee and co-chair of the CPR Work Group.
DR. HARDING: I am Richard Harding. I am a child psychiatrist from South Carolina. I am a member of the committee and the subcommittee.
MR. BURKE: My name is John Burke and I am staff to the committee.
MR. SCANLON: I am Jim Scanlon from the Data Policy Office in HHS and I am staff to the full committee.
MS. FYFFE: Okay, and I am Kathleen Fyffe, member of the committee and the subcommittee and I work for the Health Insurance Association of America. Okay, Barbara.
MS. ZELNER: I am Barbara Zelner, counsel to the National Association of Medicaid Fraud Control Units.
MR. KOCHINSKI: I am Matt Kochinski. I am an inspector with the Office of Inspector General for Health and Human Services.
MS. CALLAHAN: Susan Callahan, senior counsel with the HHS Inspector General’s Office.
MR. MAHON: Bill Mahon, Executive Director of the National Health Care Anti-Fraud Association.
MR. DE WAAL: Ian C. Smith DeWaal. I am a senior counsel at the Department of Justice, Criminal Division, in the Fraud section.
MS. FYFFE: Again, this is Kathleen Fyffe, for those of you on the Internet. I am going to begin this round table discussion with an overview about health care fraud and then I am going to ask each of the persons who have been invited here today to be part of the round table, to give brief statements and then we will get into discussion.
The problem of health care fraud is a huge and perplexing one for the United States. The General Accounting Office has estimated that on an annual basis approximately 10 percent of health care dollars spent in this country are lost to fraud and abuse. In rough terms, this means that if annual expenditures on health care approximate $1 trillion, then approximately $100 billion are lost annually to fraud and abuse.
This problem affects everyone; public payers such as Medicare and Medicaid, private payers such as health insurance companies, and ultimately consumers and tax payers who end up footing the bill for health care fraud through higher insurance premiums and higher taxes. With that in mind, the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics seeks to identify the issues related to privacy of health information and health care anti-fraud activities.
In essence, there is, at times, a tension between two vitally important consumer concerns. One concern being the confidentiality of individually identifiable health information, and the other concern being health care anti-fraud activities which strive to reduce the problem of health care fraud. The purpose of today’s round table is to hear from persons who have been involved in, let’s say, the trenches of health care anti-fraud efforts, and who can discuss with us some of the operational activities and subsequent issues involved in health care anti-fraud activities in confidentiality of health information.
Now the folks that we have invited to the round table this morning represent public and private interests. We have Bill Mahon with the National Health Care Anti-Fraud Association. From the Department of Health and Human Services, Office of Inspector General we have Susan Callahan and Matt Kochinski, and from the Department of Justice, Ian DeWaal. And representing Medicaid or the National Association of Medicaid Fraud Control Units, we have invited Barbara Zelner.
I am going to ask Bill Mahon to open up the round table with some remarks and then we will ask the other folks to do the same thing.
MR. MAHON: Thank you, Kathleen. We, appreciate the committee’s invitation, too, to come and speak with you all today. As you noted, health care fraud, by anyone’s best estimate, amounts to several tens of billions of dollars per year in the United States. The lowest estimates put it at around 3 percent of what we spend as a nation on health care every year, or roughly $30 billion per year. No one will ever know with precision how much money is lost to outright fraud, but the consensus thus far is that it is a total that demands action, especially in today’s health care economy.
There is a tendency on all our parts, I think, to get too wrapped up in how much money we lose to the fraud. When you consider that the greatest impact is done by the people with the tools to do it, that is the dishonest health care providers, who are a very small minority of the provider community, and today by professional, criminal ring-type operations that beg, borrow or steal, literally, or pay for people’s health care information and enlist dishonest providers or copy their billing information as the basis for wholly fabricated false claims schemes, when you consider the way it is done, you cannot commit health care fraud without falsifying something about someone’s medical condition and/or their treatment history. So, when you are dealing with the actions of dishonest or fraudulent providers, you are dealing with situations where the patients whose medical information is to be held private, are being exploited by those providers.
Depending on the type of scheme involved, if it is a psychiatrist or a mental health facility of some sort, even under today’s privacy constraints it can be a very effective shield for the dishonest provider who can claim patient confidentiality at all costs. And from the private payer standpoint, our advice to our members is that under today’s privacy constraints, in a psychiatric or substance abuse rehabilitation case an insurer might be in direct violation of the privacy laws even if turning over medical records under subpoena to a law enforcement agency. There are some things, even today, that are difficult to reconcile in the laws.
But, our key concern is that we not lose sight of the fact that the greatest impact is done by people who either are or purport to be health care providers and are capitalizing on their access to people’s health care information and their billing identities to hit the system hard with literally tens of millions of dollars in false claims, as is currently happening in south Florida. There is a compelling reason to not establish too thick a wall between a payer or a law enforcement agency’s ability to obtain medical information in the course of an investigation in that in many cases the patients who are the tools in these schemes are winding up with fictitious medical histories that are going to dog them in years to come when it comes to insurability, employability, security clearances, you name it.
In that context, what we are most concerned about, I think, is that the term, information sharing, not be misconstrued. That is a key ingredient in detecting health care fraud earlier in its lifespan in a given scheme, but the type of information sharing that implies means company A sharing with companies B through Z and/or with law enforcement agencies that it suspects provider X of engaging in billing fraud. It has nothing to do with the patient whose medical records or condition are the subject of the provider’s fraud. When insurers exchange investigative information among themselves or with law enforcement, they never are exchanging patient claims, patient identities, medical conditions and so forth. They are exchanging the fact that they are investigating a given suspect provider. We would be very concerned that that not be misconstrued or confused with the sharing of any information or conveyance of any information on individual patient’s conditions or treatment histories. That, I think, is something to bear in mind as we move toward some new privacy protection mechanism in this country.
With that, let me close, and I will be glad to elaborate or answer questions as we go on. Thank you.
MS. FYFFE: Before we continue with remarks from Susan Callahan, I would like to introduce Dr. Simon Cohn, member of the committee and of the subcommittee, and who is a physician with Kaiser Permanente in California.
MS. CALLAHAN: We thank the subcommittee for providing us an opportunity to continue the discussion of health care anti-fraud efforts and health privacy which we began in the hearings held in January of 1997. At that time, Mr. John Hardwick, our deputy Inspector General for Investigations, testified before the subcommittee. With me today is Mr. Matthew Kochinski, who has introduced himself. He has extensive experience investigating health care fraud.
I would like to underscore today several of the most important points made by Mr. Hardwick in his testimony. I would start by giving you some idea of the extraordinary level of fraud, waste and abuse in the programs under our jurisdiction. Since Mr. Hardwick testified we have conducted several comprehensive audits of the Medicare program to more accurately measure this factor. For fiscal year 1997, we have found that approximately 11 percent of all Medicare claims were improper, representing approximately $20 billion of Medicare outlays. We have also noted in recent years a marked increase in the participation in Medicare fraud schemes of the traditional criminal elements, clearly due to the amount of money which can be stolen from these health programs.
In order to effectively contain this extraordinary level of fraud, waste and abuse, we have developed over the years a comprehensive program of audits, evaluations and investigations. These are no longer independent functions. We have increasingly relied on a multidisciplinary approach to our oversight responsibilities with a high level of coordination between investigations, audits and evaluations. We also cannot deal effectively with this level of fraud and abuse without coordinating our efforts with other law enforcement agencies to maximize limited oversight resources.
A major component of the Health Insurance Portability and Accountability Act of 1996 was the establishment of a health care fraud and abuse control program, coordinating health care anti-fraud efforts of federal, state and local law enforcement agencies. This program has proven to be highly successful. We work with a variety of law enforcement agencies with health care responsibilities, such as the Medicaid fraud control units and the Federal Bureau of Investigation. We also work frequently with other traditional law enforcement agencies such as the Internal Revenue Service and the U.S. Postal Service.
Many of these agencies serve with us on health care task forces in the various regions in the country. These task forces serve a vital function in maximizing our limited resources. We need to have the ability to work with and exchange individually identifiable health information in these cooperative efforts without damaging and time consuming restriction.
To outline an average health care investigation involving these joint efforts, we recently completed a health care investigation of three chiropractic clinics for which we worked jointly with the Defense Department, the U.S. Postal Service, the IRS and state Medicaid investigators. The case required review of over 2,000 medical records in addition to the Medicare claims records. The case resulted in seven convictions and over $265,000 in restitution.
In one of our larger projects involving several investigations of a psychiatric hospital chain we worked with other law enforcement agencies including the FBI. We reviewed thousands of patient records to identify, among other violations, kickbacks on patient referrals. We alone invested 10,000 agent hours in the investigation. The result was an over $300 million settlement, the largest in DOJ history, with the Medicare Trust Fund recovering $109 million.
We also cannot successfully perform our oversight responsibilities without access to individually identifiable information. Mr. Hardwick previously explained in detail the evidentiary problems we would have if we did not have access to identifiable information in our law enforcement activities. People cannot be convicted or otherwise sanctioned based on sanitized information.
Also, investigations, audits and evaluations would generally be impossible if medical records could not be compared with other records. In an ongoing project involving schemes to upgrade, upcode types of pneumonia to receive higher Medicare reimbursement, we cannot identify the improper claims without comparing the medical records to the billing records. There are potentially millions of Medicare dollars at issue in these cases.
Even in the limited circumstances where auditors or evaluators could review sanitized records, the task of sanitizing information is a massive undertaking typically involving hundreds to thousands of records, which would cripple the holder of the records.
In sum, the Inspector General is fully aware of the sensitive nature of health information and we have an excellent record of protecting it from misuse. We agree with Secretary Shalala that it is not in the public interest to place significant new procedural restrictions on health care oversight. We have always supported controls based on the Federal Privacy Act and we have always supported meaningful penalties for misuse of such information.
We would be happy to answer any questions you have based on this testimony and our responsibilities.
MS. FYFFE: Next is Ian DeWaal from the Department of Justice.
MR. DE WAAL: Chairperson Fyffe and members and staff of the subcommittee, I want to thank you for the opportunity to participate in this round table to discuss health care privacy issues and the critical need for health care records in health care fraud investigations. I have been working on health care fraud cases and policy issues for the past five years, including an emphasis on patient privacy concerns.
On February 18, 1997, our agency first became involved in testimony before this committee when Robert Lid, who was then serving as the acting deputy assistant attorney general for the Criminal Division presented comments to the committee. His testimony emphasized law enforcement sensitivity to privacy issues surrounding health care records, but stressed the indispensable role of health information in both health care fraud cases and other types of cases as well. Today, I look forward to discussing how health care records are used in health care fraud investigations and cases.
I hope this will be a continuing dialogue and result in a clearer understanding of the many different ways health care information must be used to investigate and prosecute health care fraud in federal, state and local jurisdictions. I also encourage the subcommittee to consider further exploration in the future of the various ways in which health care information is also critical in other types of cases beyond health care fraud cases as well.
Health care fraud cases, like most, can generally be divided into four phases. The first is the initial investigation. The second phase is the development of some form of charging document which may be a complaint in a civil case, an indictment in a criminal case or a notice of proposed administrative action in an administrative process. The third phase is a post charging discovery phase. In civil cases that is far more extensive than in criminal cases and there is some discovery that occurs as well in administrative proceedings.
Finally, the last phase I would characterize as a trial phase. This could be a civil or criminal courtroom trial. It could be an administrative hearing before an administrative hearing officer, and, in addition, I would include any further appeals which arise from the final decisions from those proceedings.
It is also important to note that multiple government agencies, as you have heard, have responsibility for investigating health care fraud at every level of government -- federal, state and local. At the federal level multiple agencies have the jurisdiction to pursue health care fraud investigations, some against federal health care programs alone, and other agencies have general jurisdiction to explore and investigate all types of health care fraud, whether against federal government programs or against the private insurance industry and providers.
Some of these agencies are the Department of Justice, Criminal and Civil Divisions, all the United States Attorneys Offices, the Federal Bureau of Investigation, the Office of Inspector General, the Department of Health and Human Services, the Health Care Financing Agency, the Defense Criminal Investigation Service, the Postal Inspection Service and the Office of Personnel Management who administers the Federal Employees Health Benefit Program.
At the state level some of the agencies responsible for these cases include state’s Attorneys General, Medicaid Fraud Control Units, local district attorneys, state and local police agencies, as well as state licensing agencies, whether for provider licenses, physician licenses or nursing home type situations where nursing homes may be licensed.
Different federal, state and local procedures apply to all these different types of agencies. For example, while grand juries may be a common investigative tool at the federal level, county district attorneys in some jurisdictions may not have ready access to grand juries for investigations and may rely, instead, on other methods of compelling testimony and production of documents.
One thing that is of paramount importance is the fact that health care fraud cases are most often document intensive and extremely complex. What I mean by document intensive is that each case may require review of hundreds or thousands or tens of thousands of pages of billing records and medical records. This is especially true where national initiatives of national health care provider corporations require investigation of patient treatment at tens or hundreds of medical facilities across the nation.
The complexity of these cases arises from the closely regulated nature of the health care industry. Different schemes can violate a wide range of statutory and regulatory provisions. In addition, these cases require an understanding of the use and misuse of numerous types of billing codes or even interstate(?) cost reports submitted by certain providers to establish billing rates. An audit of such cost reports may disclosed fraudulent statements made solely for the purpose of obtaining illegally inflated billing rates from government programs.
Even though these cases are complex and document intensive, they run against the same clock as simple civil and criminal cases. What I mean is that in every jurisdiction, whether state or local or federal, cases must be initiated before the expiration of a statute of limitations. In federal criminal health care fraud cases the statute of limitations is five years from the date of the offense. The date of the offense starts the statute of limitations clock ticking. While five years may seem like a sufficiently long time to complete an investigation and file an indictment or begin a case, it often is not. Frauds may not be initially reported or discovered until well into the statute of limitations period. The clock also keeps running during most delays in the investigation. Emergency situations such as the World Trade Center or Oklahoma City bombings may divert hundreds of investigative agencies for long periods of time thereby slowing certain investigations down.
Any delay imposed on the investigative stage of a proceeding increases the possibility that the investigation may not be completed before the statute of limitations expires. This is especially true in criminal cases where the case investigation must be completed before an indictment.
Initial investigation can be triggered in a number of ways. Some examples are whistle blowers, working or former employees of a health care provider who become aware of health care fraud, patient complaints, referral from health insurance providers who become aware of possible fraud or government agencies who become aware of aberrant billing patterns, either through audit or certain review of billing records from providers. Individual citizens can initiate key time cases in the name of the Federal Government seeking to recover health care payments by federal programs made on fraudulent claims. Some states have similar procedures. Private health insurance fraud units also make referrals.
Health care fraud is not an easily condensed topic. The scope and variety of illegal schemes appears endless. However, I would like to review a sampling of health care fraud schemes for purposes of discussion which have been prosecuted and explain how individually identifiable health information was critical to each of these cases.
One large national initiative involved blood test screens or panels of blood tests in which a number of different tests were run on blood samples far beyond what the diagnosis or symptom of the patient indicated. However, each of the tests which were performed, usually automatically by mechanical means, was then billed individually to the Federal Government even though those tests were absolutely unnecessary.
Ambulance transportation -- and in order to demonstrate that those tests were unnecessary, a review of the patient records was absolutely necessary to show what their diagnosis or symptoms were when they presented themselves.
Ambulance transportation for ambulatory patients is a common fraudulent scheme and often the medical records of the patients are necessary to show that the patients were ambulatory and did not require ambulance transportation. We have seen situations in which mental health services were billed to Alzheimer patients who were totally incommunicative and totally unresponsive. Again, only the individual patient records may document their actual condition and the fact that the mental health services were neither medically necessary or beneficial to the patient.
In the national psychiatric case in some instances patients were automatically billed for services which were never provided. The only way to know across the board that the services were never provided was to go through one-by-one the individual patient health care records. Upon doing so -- and this was a case that I worked on -- I discovered numerous day passes in patient’s files where they were billed for daily group sessions and they had not been present, and also long periods of confinement to room because patients were dangerous to themselves at the time -- sometimes it would go on for a week -- and they were billed every day for going to their group sessions, even though there was no possibility that they had attended.
We have also seen cases where so many procedures are billed by an individual provider on a single day that there were not sufficient hours in the day to have provided the services. Again, this necessitates going through the medical records, determining what procedures were alleged, what the average time was that would have been spent on the procedures. And usually, this involves falsified medical records because the patients, in fact, were never seen or the services could not have been provided.
We have also seen upcoding procedures where in order to obtain higher reimbursement rates there is a substantial overstatement of the complexity of the procedure that was administered to the patient, whether it a surgical procedure or a treatment procedure on an out patient basis. Again, only a review of the medical records would allow us to establish this beyond a reasonable doubt and be able to prove it in a court of law.
And finally, one other example is the length of mental health counseling sessions or the length of doctor’s visits. Frequently the billing rate is keyed to the length of time that is spent with the patient. Again, only by reviewing the medical records and seeing what procedures were performed and what the condition and symptoms were of the patient, can a case be put together which shows that these billing codes were misused and longer periods of time were charged for than were provided for the patient.
And finally, in a rapidly emerging field of national concern, nursing home patient abuse and substandard quality of care at nursing homes will again demand that we look at individual patient medical records in order to establish a pattern of improper or substandard care being provided to these patients. And, in order to prosecute those persons who perpetuate this on our nursing home population we will need to be able to provide specific evidence of specific patient abuse which will come from individual medical records. And, without that we will not be able to prosecute those cases.
In each of these cases identifiable health care information is necessary to investigate, initiate and prosecute each of these types of health care fraud cases and is also necessary in many types of health care fraud cases which I have not gone into right now for the sake of time.
I look forward to answering any questions from the subcommittee or to supply additional information the subcommittee might find useful subsequent to today’s round table. Thank you.
MS. FYFFE: Thank you, Ian. Next we will have Barbara Zelner of the Medicaid Fraud Control Units.
MS. ZELNER: Thank you, Kathleen, and thank you members of the committee for inviting me here today to represent the state Medicaid Fraud Control Units. Before I begin I would like to spend a minute or two on describing who the state MFCUs are and what they do.
Currently there are 47 state Medicaid Fraud Control Units. There are three states that do not have an MFCU. They are Nebraska, North Dakota, Idaho and also the District of Columbia which obviously is not a state but does receive Medicaid monies and hopefully will have a Medicaid Fraud Control Unit in the near future.
The MFCUs are required to investigate and prosecute Medicaid provider fraud. They are prohibited from investigating and prosecuting recipient fraud. They are also restricted to investigating and prosecuting provider fraud in the Medicaid program. They are 75 percent federally funded and 25 percent funded by the state. There is oversight administrative responsibility conducted through the Office of Inspector General of HHS. The units also work cooperatively joint cases not only with OIG but any number of state and federal agencies that both Susan and Ian just mentioned in their testimony as well.
It is absolutely critical for the units to conduct their job to have access to medical information, to patient information, and one of the main sources of information that a unit gets is data from the Medicaid agency, the state Medicaid agency. The state Medicaid agency is required to furnish suspected cases of fraud to the MFCU.
The way they do that is each Medicaid agency has the MMIS system which is the Medicaid Management Information System and a subpart of that data system is the SURS system or the Surveillance Utilization Review Subsystem and that is the computer system that ferrets out the fraud. And when people go through that data and see suspicion of fraud they refer that information over to the Medicaid Fraud Control Unit.
Basically we would say that law enforcement should not have any more restrictions on it than they currently do. All current restrictions on access to use and dissemination of patient information should be continued. Current law enforcement exemptions should be preserved and not restricted by any proposed patient privacy act.
Providers and payers should be able to give law enforcement MFCUs patient information without patient authorization to the course of coinvestigations of health care provider fraud. Particularly most states have confidentiality legislation; therefore there really is no need to add any additional restrictions on the states.
Existing safeguards are adequate and these include grand jury secrecy, existing state privacy acts, court review of evidence gathering devices such as search warrants, law enforcement internal standards and guidelines for handling evidence and specialized federal and state restrictions for sensitive medical information such as psychotherapy, drug and alcohol abuse.
We believe that any imposition of restrictions on obtaining this data would have a substantial chilling effect on legitimate law enforcement activities. It would interfere with the ability of law enforcement to conduct effective and efficient investigations and it will also increase burdens on federal, state and local court systems.
Certainly we agree with our colleagues in the Department of Justice and the Office of Inspector General on their positions. I thank you for your time and would be happy to take any questions.
MS. FYFFE: Thank you, Barbara. Questions?
MR. SCANLON: I will start. All of you indicated that by far, I guess, most of the health care fraud, or at least the majority, is probably perpetrated by providers. Is there any percentage --
MS. FYFFE: Jim, we cannot hear you.
MR. SCANLON: The question is about the relative occurrence of fraud, health care fraud. Providers versus recipients or clients. Is there any sense, both in the public programs and in the private health insurance programs as to what the relative percentage is?
MS. CALLAHAN: We do not have much of it in the Medicare program. I am aware of more circumstances of beneficiary collusion with providers in Medicaid, but we do not have any stats on that. It is rare. It happens, but it is rare in the Medicare program.
MR. MAHON: To give you a sense, Jim, I have always estimated that if, pick any amount you want for what we lose every year and I would venture to say that 90 to 95 percent is attributable to the acts of dishonest providers.
To give you a sense of perspective, in one case going back three years, I believe now, a number of school system employees and elected school board members in New Jersey conspired with a dishonest psychiatrist and allowed him to make up false treatment histories in their names and using their health policy numbers. He was giving them on the average of about $1700 each of the proceeds of his false claims. His total billings to the insurer in question were well over a million dollars. The patients who were colluding with him were doing so for peanuts in comparison to what he was making.
In the south Florida ring operations someone will pay a Medicaid beneficiary or Medicare beneficiary $50 or $100 for his or her Medicaid number and proceed to bill tens of thousands of dollars with that. So I think there is a great disparity between the impact of providers versus dishonest insureds.
MS. FYFFE: Mike, could you introduce yourself, please?
DR. FITZMAURICE: I am Michael Fitzmaurice. I am the Senior Science Advisor for Information Technology for the federal Agency for Health Care Policy and Research.
In the research agency we let our researchers use personally identifiable health information but only under certain conditions, and those conditions are overseen by an institutional review board. So, what I want to ask you is that as a taxpayer I can see that if someone is receiving federal or state payment, public payment for their health care dollar they have an obligation to cooperate to eliminate fraud and abuse. Is there any oversight on your use of personal health information for fraud and abuse or for other purposes? That is, is there someone, some organization you have to go to, some independent body, to say this is the methodology we plan to use in approaching this case, do you approve our accessing personal health information?
MS. CALLAHAN: In the Medicare program in any investigation, audit or evaluation it is a given, unfortunately, that we have to access personally identifiable medical information. So, it is more a matter of controls on different kinds of activities. For example, any of our monitoring or undercover activities have special review levels to determine, because of the particular sensitivity, but it is almost impossible for us to carry out any of our Medicare oversight activities without reviewing this. So, it is a given.
We are also, as I mentioned briefly and I think Ian mentioned briefly, we are already under certain statutory constraints and other constraints in exercising our law enforcement authority, the Privacy Act being the largest. So, obviously, we have to comply with that on the collection and use of information. Ian, do you have anything?
MR. DE WAAL: Well, I would say that as opposed to general research projects and proposals, the law enforcement function starts from a different place. First off, as a quid pro quo for obtaining third party insurance payments, every patient who expects to have their medical bills paid for by an insurer, by a third party, signs a release allowing their medical information to be disclosed for purposes of obtaining and verifying that the claims are valid. And I do not believe that, except in those situations where patients start off being in a research project that each time they go in for treatment, then to get payment they also authorize a research project to be conducted using their medical records.
Second, this raises an interesting dichotomy because when medical records are disclosed in these types of investigations there are two issues implicated. One is the fact of the disclosure, which is the initial, quote, breach of confidentiality or breach of privacy. But, as I said earlier, the patients have already authorized that as part of their intent to have their bills paid by someone else, and in order to prevent the types of fraud we are talking about.
The second implication is what is done to protect those medical records now that they have been disclosed to a third party? And in an investigative situation, law enforcement agencies are operating under different types of privacy prescriptions, whether it is in the grand jury context, that grand jury material must be kept secret and not disclosed. If it is internal procedures within the Justice Department or state and federal law such as the Privacy Act which direct us to keep individual records private. We have those types of laws which we deal with.
There are certain ethics prescriptions for attorneys in dealing, and court officers in dealing with medical records or any type of evidence, that it not be used improperly, and therefore if you obtain evidence for a health care fraud investigation you are barred from going out and disclosing it to the media or using it outside of a proper, judicial setting.
Beyond that, I think each federal, state and local jurisdiction has different laws which apply to it in terms of maintaining the privacy of records once disclosed, and also the manner in which that disclosure can occur in the first instance.
DR. FITZMAURICE: Could I raise a hypothetical? Let’s suppose that in the process of reviewing medical records you find someone who in a laboratory test has an illegal drug in their blood stream. Are you permitted to share that information with a law enforcement officer whose job it is to find people who are illegally taking drugs?
MS. CALLAHAN: That depends on your privacy, you know, under the Privacy Act, we both represent a federal agency and the Privacy Act requires that you publish a notice of your disclosures outside your agency in the Federal Register with public comment. And it would depend on how those are worded whether you could make that disclosure. Some agencies have very narrow restrictions on redisclosure.
As a practical matter we have never done that. We have never made such a disclosure. But it really does depend on the agency and how they have provided for disclosures under the Privacy Act.
MR. DE WAAL: Can I add something to that? I mean, I think the more problematic situation which really is worthy of discussion is the fact that law officers at whatever level, general law officers, police, FBI, Defense Criminal Investigative Services may have general criminal jurisdiction and when reviewing a certain type or investigating a certain type of potential crime they may discover that another crime occurred. And, we all may be aware of the recent arguments in the courts over whether or not there was a Secret Service privilege against disclosure of certain information, and one of the counter arguments presented was the fact that there are federal statutes which require all federal employees to report the discovery of a crime, of whatever nature.
It can be, for instance, that in investigating a Medicaid fraud situation where individuals are selling their Medicaid numbers, an immigration fraud scheme might be discovered and I would imagine that that would fall within a routine use as well as a requirement of a general law enforcement officer to investigate that fraudulent activity as well.
In terms of the illegal substance, there are specific provisions of federal law, substance abuse patient protection statute and regulations which I believe would prohibit the use of that information against, in that type of a situation. Unless those records were obtained initially with court permission to investigate a drug scheme by an individual person, I do not believe the absence of sort of an exigent circumstance which is specified by the statute and regulations, that that information could be used against that individual. And in that instance where it is specifically barred, no, the patient could not be prosecuted through inadvertently discovered substance abuse.
MS. CALLAHAN: I think Ian made an important point. When we have actually had situations where we have disclosed for other law enforcement purposes, they have been related. In a real life example, when we still had the Social Security programs in this Department, we were investigating schemes to get on the disability rolls, the SSI disability rolls, and discovered that the same schemes were also resulting in people being illegitimately put on the rolls for food stamps and also working with providers to get on the Medicaid rolls. And as they, as each level of that investigation progressed we brought in the relevant law enforcement agencies.
That is why I said, when I said it is very rare that you would just come up with something totally unrelated. And Ian is right, most of the time the substance abuse information is protected under one of the most stringent of confidentiality of federal laws.
DR. FITZMAURICE: Let me ask a question that might be outside of your jurisdiction or knowledge, but you are empowered by the taxpayer to go after the bad guys who are misusing our money when paid for fraudulent health claims. On the private side, a private insurance company dealing with a private person who pays health insurance premiums also does not like fraud and abuse because it makes their premiums higher. Do they have the same latitude that federal agents have to go after information and to access personal health information? Or does it depend upon the laws of their state, but if the state permits it there is nothing federal that would permit them from going, from accessing personal health information and performing the same kinds of analysis? Do you have special privileges that a private detective hired by an insurance company would not have?
MR. MAHON: The private sector, it is a very good and appropriate question because of the trillion dollars we currently spend on health care, 53 percent, according to HCFA, is private sector money, private insurance benefits, patient out-of-pocket. There has always been, and remains today, a disparity between the government’s legal ability to address fraud against government funded health care plans and private payers’ legal tools. Private payers, for example, lack a federal false claims act which can impose monumental damages per claim for a fraud against the government.
Some things that are explicitly illegal when it is a government plan patient such as kick backs or patient referrals or routinely waiving a patient’s copayment as a marketing device with which to get that patient and insurance information in the door are not illegal in the private sector unless state law outlaws it.
For example, I know Florida and I think one other state outlaw kick backs for referrals and privately insured patient dealings. A private insurer, as Ian indicated, has, generally has every right to request medical records backing up treatment that supposedly was performed or provided to their insured person. The insured person signs the release as part of the policy and the coverage implementation so that Company A is within its rights to say to Provider Jones, you have submitted these ten claims for treating Mary Smith, we would like to see the medical records documenting your treatment of Ms. Smith.
What they do beyond that depends on what they find and depends on state law in terms of what they can disclose. A private insurer that has established a strong suspicion that there is a fraud has several options; make a criminal referral to a law enforcement agency, file a civil suit against the provider claiming fraud and seeking recovery, or, in many cases, confronting the provider with the evidence they have amassed so far and saying we think you have taken this money from us and we want it back. Depending on which avenue it chooses an insurer may or may not ever have to turn over identifiable information to an outside party such as a law enforcement agency, or introduce it in court as evidence in a civil suit. Most of what the insurers do with information tends to be intramural-type use until and unless it gets to legal action of some sort. They do face certain constraints mandated by state and some federal privacy laws in terms of what they can disclose in certain cases, psychiatric and substance abuse.
Ironically, in some states, such as New Jersey, insurers are required to refer every suspect claim to the state Insurance Fraud Bureau. Not every case of suspected fraud by a provider but every suspect claim on the Insurance Fraud Bureau’s theory that they would not get sufficient referrals if they did not require every single claim. And that is a regulation with which if everyone complies we will not hear much from those folks for the next 20 years or so. There are quite a few quirks in state law that govern what insurers can and do do with this information.
DR. FITZMAURICE: In some of the bills that have been introduced in the past four years in Congress dealing with the privacy of medical record information, one of the caveats they put in is, yes, let’s let law enforcement officers have access to medical records, but only if they get a subpoena ahead of time, only if they let the person whose records are being subpoenaed know about it ahead of time, or know within ten days after the records have been accessed. Does that cause a problem for your ability to do your job well?
MR. MAHON: I would think it might. If I recall some of those bills, the patient who is the subject of the information would then have the ability to petition to quash the subpoena and so forth. If it is a case of patient collusion with a provider, certainly you are creating an additional opportunity for the patient to call the provider and say, I have just been subpoenaed or my records have been subpoenaed and what should I do?
In other cases, a patient who is being exploited unwittingly, not knowing how things work, might receive a notification of a subpoena and the first call he or she is going to make is to the health care provider and saying, Dr. Jones, what is going on? Why did I get this court document? Which gives the dishonest provider another opportunity to say, well, just file this petition to quash it and I will not have to tell them anything, and so forth.
My initial impression of that is that it seems to be somewhat overkill in the process that does create opportunities to defeat a legitimate investigation, particularly when you look at things like statute of limitations and other state prompt pay requirements that only give you a certain window of time to decide what to do with a claim.
MR. DE WAAL: Could I just echo those comments? For instance, in the National Medical Enterprises Investigation where 40 different subsidiaries were under investigation and, you know, I would says tens of thousands of medical records were looked at, you are talking about potentially creating tens of thousands of new court proceedings. If every patient -- and not every patient would, of course -- but if every patient did or a substantial number of patients did suddenly file motions to quash the subpoenas of their records, that would substantially delay the investigation, as well as divert tens of thousands or millions of dollars worth of resources in order to address each of those individually.
Furthermore, one of the concerns we had was that would implicate additional privacy concerns, which would be to prematurely, before any charges had been brought or any conclusions about whether charges are going to be brought, subject the provider to notoriety in the community, that there was an investigation going on of a particular provider. And that was a question which, you know, really has not been addressed. How do we maintain the confidentiality of what we are looking at in order to protect the provider as well?
The further concern was that the current system, at least vis a vis law enforcement was working well, and while there was a concern that there be some kind of a uniform, the easiest way to address this would be a uniform system which just covered anyone who ever touched a medical record, those kinds of procedures would alter the current existing functions of grand juries. It would have the possibility or the potential to create new evidentiary privileges which did not exist, and which would substantially alter, potentially, thousands of court rules in different jurisdictions which address how evidence is presented or not presented.
It would give the opportunity for providers who are ultimately prosecuted to come in and attempt to defend themselves by excluding evidence that they felt was obtained in violation of whatever new rules that there might be. There were innumerable problems it would create on every level of the federal, state, local judicial landscape, as well as investigative landscape, some of which we were concerned about because they could not be anticipated. Changes like this that potentially affect so many different aspects of so many different jurisdictions can never been fully anticipated. And in the absence of a compelling reason to change the existing system, which the law enforcement community, at least, felt was working well, that such a change should not be undertaken at the current time.
MR. MAHON: May I just elaborate on that point, too. In terms of what it would do to private insurance anti-fraud work, it is important to keep in perspective the nature of the anti-fraud activity that goes on today. Various U.S. Attorneys offices will complain that they do not get sufficient criminal referrals from private insurers. This has always been a tricky business, of sorts, for a private payer because the risks that they face in conducting this work fall into the category of civil liability for things like defamation, libel, slander, invasion of privacy, malicious prosecution and so forth. The companies that make up our private sector component generally are quite committed to a relatively aggressive anti-fraud effort, but even among them you find that they see themselves as walking on eggshells in much of this type of activity.
So, something that creates additional barriers to their being able to say, we want the medical records to see the backup for these claims you have submitted to us, I think represent another, not so much a copout, but a way that makes it easier for an insurer to say, well, we would like to do more anti-fraud work but look at what we are confronted with. We cannot practically approach this and there are too many legal risks involved in doing so and therefore we are going to ignore these claims and raise premiums and cover our costs which we know must be covered.
DR. FITZMAURICE: Let me look at a potential federal privacy law from another side. What would you like to see in a federal privacy law applied to law enforcement that would make your job easier? What change would you like to see to make it easier for you to do your job in a federal privacy law?
MR. MAHON: From a private payer perspective, you would not really need one, not related to patient privacy. What we have today are guidelines from DOJ and HHS that indicate that law enforcement should disclose to private payers information it is finding in the course of its investigations, information about suspect providers short of Grand Jury protected information.
Again, I think it is a matter of making sure we separate and understand the patient information implications from the provider investigation implications. What private payers would benefit most from is a greater law enforcement commitment to sharing information on providers who are under investigation, generic information. We think they are billing for services not rendered using the following types of CPT codes, not disclosing any patient-related information. So, I think it is more a concern for law enforcement as to what it does with patient information.
DR. FITZMAURICE: How about from the federal side? Any suggestions on what a federal privacy law could have in it that would make your job easier?
MS. CALLAHAN: Nobody ever asked us before. We were always from the side point of defending the status quo. MR. DE WAAL: I can, perhaps, provide some examples of problems that, I am kind of a point person for getting calls from the U.S. Attorneys offices when they have problems with existing privacy laws. For instance, there was a great concern about what the application of Jaffey versus Redman would be, the Supreme Court case on psychiatric records, because the Supreme Court left open what exactly the parameters of the privilege were going to be that it established. So there is some confusion out there right now on whether Jaffey applies just to situations where health care records are going to be used against the patient for some reason, but it does not apply to health care fraud situations where there is no possibility or anticipation that the records will be used against patients and where the patients have probably signed releases already.
There are continuing issues which arise over the substance abuse statute and regulations in terms of applicability. For instance, if a patient is suspected of illegally obtaining drugs or controlled substances through a methadone clinic where they are not receiving treatment but somehow they are in collusion with the operator of the methadone clinic, is that really a substance abuse record or not a substance abuse record, and under what circumstances can we get those records or not get those records?
There has been some range of decisions on the privacy of medical records generally which is not uniform across the U.S. District Courts in the country and in some instances courts have gone beyond the existing law to create new law and that has created problems in health care, some health care fraud investigations.
And in other instances ... I guess I would limit my reflection to those cases. There is clearly a developing body of case law increasing privacy of medical records. It has not proved to be any insurmountable hurdle whatsoever, but in individual cases I would say that is creating some problems in some districts in terms of pursuing cases, and also has the potential in the extreme case of having an investigation being dropped because the medical records cannot be obtained.
MS. FYFFE: A question from Simon?
DR. COHEN: Yes, I have a slightly different question. I guess I may be asking the wrong group this set of questions but I guess when I walked in I somehow expected to be hearing from all of you about how you are using sophisticated surveillance methodologies using non identifiable information to really minimize risk of privacy invasion on individuals, and really precisely localizing just that information you needed about providers or others that you had to go after. And that therefore you really were doing a good job minimizing this potential threat to privacy. I am not sure that I am hearing a lot about that in the previous discussion --
MS. CALLAHAN: You have to remember though, when we are talking about very large scale schemes, we may have focused very specifically but we are talking about thousands of claims. Like in the lab scam cases we are talking about thousands and thousands of bills that had been bundled improperly. So, even though we focused and are only looking at what we have identified, you are talking about a fraud scheme that involves thousands of records.
MR. DE WAAL: Frequently a change in regulation will precipitate an unanticipated new fraud scheme. For example, I believe at one point there was a coding change made for lymphedema pumps, and we were able to trace -- nearly immediately there was a skyrocket in the amount of money that was being billed for lymphedema pumps.
Now, that was anonymous, kind of general audit information that, you know, triggered red flags and then prompted investigatory agencies to go out and say, why is this happening? And lo and behold, a very healthy fraud scheme was discovered.
Once the fraud scheme is discovered and you know that this is occurring, you then need to go to the individual medical records and see what was the patient’s condition, you know, why was the lymphedema pump prescribed in the first instance and then look at the coding that was used in order to bill for that lymphedema pump. So, it is very difficult in a case where the fraudulent scheme is directly related somehow to billing that is related to the severity of a patient’s condition that is directly connected to how much billing you can do for that patient, it is nearly impossible to investigate the fraud scheme without looking at the patient’s medical records.
Let me just say one more, for instance in a mental health case, which is a problematic area because you are dealing with mental health records but it is something which needs to be directly addressed, if you are talking about Alzheimer patients who are receiving treatment which is totally non beneficial and not medically indicated in terms of billing for some kind of mental health group counseling, and we have seen those schemes and people have been convicted of that, if you are going to go and prosecute somebody for that, unfortunately they have to have access to those medical records and may have to, their experts may have to see those patients in order to be able for them to prepare a defense to the charges. That is absolutely required by due process and inescapable.
I think that is one example of how once you get into pursuing health care fraud it is inevitable and inescapable that you are going to be using individual health care records. They have to be identifiable. You have to be able to relate the medical records directly to the billing records. They are frequently kept separately.
In my participation in the National Medical Enterprises case, when I discovered that people were being billed or that health insurers were being billed for group sessions that people did not attend, I found that the hospital was billing for transportation charges, they were flying people up from Texas and billing the insurance companies for other diagnostic services of $1,000, whatever the plane ticket and the transportation costs were. I would have never found that out if I had not gone to the individual medical records.
I cannot conceive of how that hospital could have taken out all identifying information from those medical records, which were thousands of pages with the patient’s name on each page, relative’s names, I think there were, Social Security numbers are sometimes used as patient identifiers, patient’s names are mentioned in the middle of nurse notes -- this patient did this -- by the time anyone finished sanitizing those records, the statute of limitations would have been far gone.
That case came close to going to trial. In anticipation of trial, I did proceed to identify the 79 worst patient files that I had and had my staff and support team sanitize those files. Seventy-nine patients, it took them two months working every day, four people, to go through and white out any identifying information that I could find, just for those 79 cases. That meant I was not going to present hundreds or thousands of other potential cases because it was just too labor intensive and the case would have never gone to trial if I had set out on that task. Whether that means that we would not have necessarily recovered money -- in this case there was a national settlement so it did not apply -- but in other situations it may mean that we would never recover all the fraudulent funds that were paid out because it is simply impossible, at least in a criminal case, to get sufficient evidence covering the entire scheme.
These are the day-to-day problems that we face in these cases and in dealing with these medical records. And again, I cannot emphasize enough that they are inescapable.
MR. MAHON: I think you are right, only when matters come down to cases, literally, do these things become issues for private insurers, but law enforcement, when it is looking at medical records, either in a case that an insurer has referred to it or in an investigation that it has initiated for whatever cause it has done, I mean it is looking at, you know, potential evidence of criminal activity and there is no way around that. In some of the privately litigated psychiatric cases, you know, some records introduced as evidence have been couched as Patient A, Patient B, Patient C, and I believe patients have even testified on that basis without being named in the public proceedings in the courtroom.
Before a private payer even asks for a medical record to back up a specific claim, generally that is preceded by a number of detection or investigation steps. Private payers do use sophisticated methodology to help them know where to look for potential fraud. They will use provider behavior profiling software, for example, that lets you establish a peer group against whose norms you will measure the performance and characteristics of the various individual providers in the peer group.
You look at things like number of patients per provider, number of visits per patient, number of procedures per visit, average billing per patient or per visit, geographic distance between patient and provider. It does not tell you any one provider is committing fraud but if you have limited resources with which to detect and investigate, that kind of system at least lets you identify those that are most likely prospects.
If you get an internal tip, if one of your insureds sees a discrepancy on a benefit statement and calls you and says, I was out of town on the date of service that is reflected on this office visit claim or payment you made, you know, the first thing you are not going to do is immediately call the provider and say, we want the medical records. You are going to look a little more closely at your experience with that provider, how many other of your insureds he or she is treating.
You might take steps ranging from a simple, you know, audit letter. You know, can you confirm whether you did or did not have the services billed by Provider X on such and such a date? You are going to do quite a number of groundwork-type things before you get to the point of saying, okay, we want a medical record that proves that you did this. But then, inevitably, as Ian indicated, if you get to a criminal referral or a civil case, you are going to have to do something with an identifiable medical record at some point.
MS. CALLAHAN: And our auditors and evaluators try to develop a lot of these techniques, too. The problem is that in those types of screening programs though, that is identifiable information because there is always the need to cross-reference, to check this against that. So we have never really come up with a way in most circumstances where you could be dealing with unidentifiable information even before it became a law enforcement inquiry. The sheer numbers and the fact, like I said, most importantly because you have to cross reference, you have to go back and forth between different pieces of information to see what you have. So it is just as important for audits and evaluations that lead to many of these projects that we have been talking about today.
MR. SCANLON: In the context of a specific, targeted investigation, when you do get to the point where you do want to obtain individual medical records and you have, from your claims data or, you know, the records you want or you know the general nature, what happens at that point? How, and I realize that this may vary from state to state, but how is that actually negotiated? Is an agent -- is there some level of, is there a bar you have to provide, a threshold that you have to convince a court officer or a supervisor that you have enough here to go hit it or when you do get the provider what exactly --
MR. MAHON: Again, if it is an indemnity type policy, fee-for-service type health insurance, the insurer is acting on the right conferred by the patient when the patient signed the waiver authorizing the release of medical records.
If it is a managed care network situation generally the managed care company’s or the insurer’s contract with that network provider provides for access to data upon request, that sort of thing. Oftentimes, many investigators from insurers anti-fraud units will tell you that oftentimes they will show up in a provider’s office in person, unannounced, and say, I am so and so from such and such company and we are here to request copies of the medical records for your treatment of Mary Jones on the following dates. Again, acting perfectly within their right, it is their insured, they are the ones from whom payment is being demanded, they have the right to see the records that document the treatment.
So, no, they do not have to go outside through any circuitous route to do that generally.
MR. SCANLON: Do providers generally resist to some extent and look to legal recourse in --
MR. MAHON: In some cases, yes. Depending on the nature of the potential activity that you are looking at, if it is a lesser degree of potential severity you might request the records by telephone or by mail or what have you, but if it looks like pretty hard core fraud, you are going to show up in person so as not to give them time to doctor the records.
We had one case of a psychiatrist in Massachusetts who was ultimately convicted, but in that case he went so far as to fabricate entire, fictitious medical records for his files to back up just hundreds of claims for treatment, psychotherapy sessions that never happened. Most providers would not go that far. Suddenly they get a call for medical records and they panic. In the NME case and other psychiatric cases there were tales of so-called charting parties where the staff would come in and sit around with pizza and everything else and help fudge the records because they were on to them. But some providers will go so far as to have the whole thing backed up, but it is all fiction.
MR. SCANLON: In the case of the HHS, when, again, obviously you have claims data for Medicare and, I guess, Medicaid as well, you see a pattern developing and there is reason to look at some providers. Now you have the claims data and now you are looking for the individual medical records to look at --
MS. CALLAHAN: Remember, Medicare is a payer of services and the law is fairly clear that providers have to justify payment. And, in fact, in the old days when we primarily were looking, when we had smaller cases and we were primarily looking at just billing information to justify Medicare claims, we would use, we would be forced to resort to administrative subpoenas or Grand Jury subpoenas sometimes, but very often, because of their clear statutory obligation, the records were turned over to us.
I think that Ian will probably back me up on this, now that we are going in with much larger issues, looking at corporate records and, I mean, we are talking about extremely large schemes, we are more and more resorting to or being told that they will not turn the records over without compulsory process. And I would say now the vast majority -- I think Matt would back me up -- that the vast majority of cases we end up using compulsory process to get records.
MR. SCANLON: And that could be --
MS. CALLAHAN: It could be a search warrant. It could be a Grand Jury subpoena. It could be the IG -- the Inspector General in the Inspector General statute has an administrative subpoena authority, and Justice now has, there are some other authorities that the Department of Justice has.
MR. DE WAAL: Right, in the Department of Justice as the cases are being developed, and also the U.S. Attorneys offices, I think we proceed generally either from individual referrals of complaints from patients. We could hear from other government agencies. We could hear from private health insurers. Frequently key tom cases are filed and that is how we become aware of the existence of a potential fraud case.
As we develop general information the first thing we do is not get health care records. I mean we develop as much information as we can ahead of time, try to identify the patients for whom fraudulent billing may have been submitted, and then at some point in the investigation we will seek to obtain health care records. That may be, we may get a search warrant if we fear there is some chance or a substantial chance that the records may be destroyed or altered if we do not go in and seize them immediately. We can, also we have new authority for administrative investigative demands in the Department of Justice, and I failed to mention this earlier, when we do obtain health care records through the new administrative investigative demand procedure, any records we obtain under that procedure we cannot use for anything other than the health care fraud investigation. That is a requirement of that rule. So, even if we found another crime, in that instance we are barred from pursuing it in any manner, shape or form.
MS. FYFFE: Excuse me, Ian, that administrative subpoena authority, was that in HIPAA, Title II? Is that what you are referring to?
MR. DE WAAL: Yes, and it is in Title XVIII of the United States Code in the 3000 series. I do not have the specific number, I am sorry.
What we do not do is walk into a health care provider without some compulsory process and say, can we have your records, and they say, sure, here they are. That is not what happens.
[Laughter.]
So, I think, you know, we use similar types of compulsory process to get the records.
MR. SCANLON: And you have to deal with --
MR. DE WAAL: And I am talking about health care fraud investigations, that is the subject today, and I suggested that health care records are used in non health care fraud cases and while many of the techniques are similar, there are different requirements and statutes and regulations that apply to use and obtaining medical records in other situations.
MR. SCANLON: In situations like that, I presume that this, how much does the situation vary across the 50 states or, in terms of access and confidentiality provisions and protection provisions for providers, you know, across the nation? Is it fairly consistent?
MR. DE WAAL: Not necessarily. I mean, again I am speaking now for federal practice. The rules in federal court are different depending on what jurisdiction they are in, I mean, not withstanding the supremacy clause many federal district courts will look at the state confidentiality law in determining what records should be disclosed.
And I would say that that comes up in two contexts. First, if we are dealing with substance abuse records, we will have to go to the court to get permission for disclosure of substance abuse records prior to doing anything with the provider. In other instances, particularly in the context of the Grand Jury subpoena, or even where a search warrant has been executed and the records have been taken, a provider may move to quash the Grand Jury subpoena or may move for return of the records seized pursuant to the, with respect to the search warrant and then that case is litigated in the federal court as to whether or not there is a privilege that attaches to those records.
And that is becoming an increasing problem because providers who are being investigated more and more frequently now move to quash the disclosure of their patient records, claiming they are protecting their patients’ privileges when, in fact, they are protecting their own wrongdoing or concealing their own wrongdoing. And I think the courts, particularly in light of the existence of the patient authorizations, are more likely than not to permit, at least in the health care fraud investigation, for those records to be disclosed for that purpose.
MS. CALLAHAN: That has been our experience in enforcing our administrative --
MR. DE WAAL: That is not always the case.
MS. CALLAHAN: Well, but we have been generally successful.
MR. SCANLON: In the Medicaid area is there a standard confidentiality protection across all states?
MS. ZELNER: No, it is different in each. If you are that interested in differences, I am sure we could, you know, do a state-by-state survey but I have not done that. I would give you an educated guess that it is different in each state.
MR. DE WAAL: And I would not suggest that the lack of uniformity has caused the law enforcement community to come to the conclusion that rather than the existing standards that we need some kind of a uniform approach which would impose new restrictions in many jurisdictions on law enforcement access. I mean, that, while what you suggest, and I think what we report, is true, that there is not uniformity, to the current, at least to the current time that has not proved an insurmountable problem for which we need, which we think a solution is needed. Would you agree?
MS. CALLAHAN: That is fair.
MR. SCANLON: In the substance abuse area because of the federal regulation, this is standard, this is uniform across the U.S., I guess, access to substance abuse records that are subject to the SAMHSA regulation. What level of protection is involved there? Is that always, if you are trying to gain access to substance abuse records covered by that regulation and you approach the provider, what do you have to be armed with?
MR. DE WAAL: We have to be armed with a court order for which we have made either a concurrent application at the time we applied for a search warrant, a separate but concurrent application, or with a Grand Jury subpoena where we have gone to a judicial authority that has jurisdiction and presented sufficient evidence as to why a disclosure order should be granted. And we have to show up with that disclosure order.
MR. MAHON: That is not unlike a private payer’s position. In psychiatric and substance abuse cases there is sort of a common denominator where it is extremely difficult for a private payer even to illicit records from a provider.
MS. FYFFE: I think Richard Harding had a question.
DR. HARDING: I am kind of an informed consent person, believe in consent. If I am a Medicare patient and my doctor is upcoding, I certainly understand that my record might get looked at to see if the upcoding is occurring, and that is kind of a deal with signing up for Medicare. But, if I am a private patient who is with this doctor but had Blue Cross or something else, it is my understanding that my record can be used as a control group. So that, I did not remember kind of signing up for that when I signed Blue Cross and Blue Shield, that I would be then, could be pulled in, my medical records could be looked at by investigators, not because of anything that has happened to me, but because of another part of the practice my personal record is being used as a control group. As I understand that can happen when you sometimes look at upcoding in Medicare. You have to have a control group to see if he really is upcoding or not.
MS. CALLAHAN: It depends on the type of upcoding. We might sometimes, I will let Ian answer this, too, we might sometimes check, we have schemes where we want to see if they are treating private pay patients the same as they are treating Medicare. That would be relevant. And I suppose in some cases we would be working, you know, we have, as Ian pointed out, we have jurisdiction beyond Medicare so health care fraud is health care fraud so you might be interested in the private patients, too.
I think our problem with relying on consent is again going back to the numbers we have been talking about and the difficulty in using consent in an ongoing investigation, the difficulties that can entail. It is also very difficult to get the type of, usually what you are talking about, informed consent in certain circumstances, like with the Alzheimer patients. That is why we would prefer to see other methods of protecting patient privacy than to depend on an informed consent, because of those difficulties we have been talking about today.
It would be very difficult to identify a scheme and you have to check 100 patient records, to go out in a criminal investigation and get a signed consent. It would risk the investigation. It may be impossible. In Medicaid it could be where there is collusion.
MR. DE WAAL: Could I ask for a clarification of the idea of a control group and what you are referring to? I am just not familiar with that.
DR. HARDING: I am a patient of a cardiologist, and the cardiologist through Medicare billing has been in somebody’s opinion over billing or upcoding his procedures with individuals. Therefore he is investigated. In order to see if he is truly upcoding my understanding when we had testimony a year or two ago, was that sometimes then a control group would be looked at that was not under Medicare. It was maybe Blue Cross or Etna or some other private in order to compare if he was billing the same codes for Medicare as he was billing for Etna.
MR. SCANLON: A comparison group.
DR. HARDING: A comparison group, a control group for the billing process.
MR. DE WAAL: Well, let me suggest, maybe this would help explain why that might have happened. It has been our experience that when upcoding occurs, providers are not so sophisticated that they only upcode for Medicare patients or they only upcode for Medicaid patients. When they are engaging in that practice, they are going to do it across the board in almost all instances. Unless somebody is, a cardiologist is exclusively treating Medicare or Medicaid patients, and I cannot imagine they could survive financially if they were doing that, I just cannot imagine that they would not have an overarching fraud scheme against both private and public payers, and I do not know that we have discussed that before.
But, again, when I was doing, and this is a case I am familiar with because I did it, which was the Springwood Psychiatric Institute in Leesburg, they were fraudulently billing everybody, Medicare, Champus, Blue Cross and Blue Shield of Virginia, National Capillary Blue Cross and Blue Shield, a whole range of federal employee health benefit program plans. So that is why I was asking the question of, I just do not understand how in the context of a truly, in terms of in comparison to a research project how a truly identified control group situation would arise.
DR. HARDING: Maybe we can talk afterwards.
MR. DE WAAL: Okay.
MR. KOCHINSKI: What may have happened is, it is not a control group but in some investigations we want to see in Medicare was charged the same amount as a private insured, because under law Medicare has to be paying the same amount or less than the private insured. So that, we would look to compare with the billing data from private insurers.
In terms of looking at what upcoding is, my understanding is you do not look for medical records as a medical record. You look at an individual medical record and compare it to the CPT codes and what the criteria is for the CPT codes to see whether or not what is documented in the single medical record fits the criteria of the CPT code. You do not compare record to record. You compare code to record. So there would not be a control group of medical records.
MR. MAHON: Yes, I must say in almost eight years of doing this I have never heard of a private payer using a concept of a defined control group of specific patients as a measuring stick for other provider’s performance, this sort of thing, even on an ad hoc basis. They are much more likely to look at that provider’s billing activity and compare it to their universe of billing activity or to a defined segment of their other provider billing activity as opposed to looking into 50 other patients’ medical records to compare the provider’s activity with one patient.
MS. FYFFE: Bob?
MR. MAYES: Just as a clarification, since the Medicare DRG validation falls under my particular group, the approach that you mention is exactly what we do. We look at the medical record and we have our own coding experts who then say, based on what I have seen in this documentation, of this specific record, this is what I, as an expert coder, would have said that this should be coded as. So it is not a comparison across records. It is a comparison. It is a comparison of opinions, if you will, based on a single record. So, we do that on an ongoing basis.
MR. DE WAAL: Now, I have heard of a control group used in the concept of looking at the general billing pattern for a particular CPT code, as opposed to individually identifiable records, and comparing that between a private insurer and maybe a government program. But I just have not heard of, and it may have occurred, I do not know, I am not saying it has not, I am just not aware of it. But I would think it would be more likely to compare the overall billing pattern as opposed to individual record to record.
MS. FYFFE: Other questions?
[No response.]
Questions from the audience?
[No response.]
Okay, well,
MR. BURKE: I guess one question.
MS. FYFFE: Sure, John.
MR. BURKE: If the physician is not actually coding the medical record or the diagnosis, are they still responsible for that if it is billed?
MR. KOCHINSKI: Yes, the physician who signs the claim form is ultimately responsible for the submission of it and therefore liable under law. In practical matters, a billing clerk does not know what to put on a claim form unless the instructions are coming down from the physician or she or he is looking at a medical record saying, well, this is what was done. And usually a physician will tell the billing clerk, extended visit, or we will have a super, it is called a super checklist of possible services that are conducted in an office and they will check off what they consider they have done and that is given to the billing clerk.
MR. MAHON: That is a key ingredient also in most electronic claim submittal authorization forms. The provider accepts in writing responsibility for the veracity of the claims submitted be it through a billing service or directly from the practice.
MR. SCANLON: Just a follow-up on an earlier question. We have been talking about health care fraud. In terms of public program fraud in general, as you said, often the fraud occurring in the Medicaid or Medicare program is accompanied by fraud in other public programs as well. Separating any information you find in the, let’s say you are doing a health care fraud investigation, you have access to the medical records or the records and you see evidence or suggestion of food stamp fraud, potential food stamp fraud, potential Welfare fraud and other public program fraud as well. Do you, what is the circle of such information could be used currently? Is that, is this all viewed as legitimate for moving forward against public program fraud or do you have to sort of deal with each of those individually, you would refer --
MS. CALLAHAN: Actually, in the cases that we have had where that has come up, which has been primarily in the Medicaid program -- we have not seen nearly as much in Medicare -- what we have actually done is started working jointly with those law enforcement agencies responsible for those programs. You need to, as I said earlier, maximize limited resources, so it is far more productive when you find schemes like that to work as a task force to identify all of the frauds. And especially, like I say, in those kinds of cases where they are all tied together you get on [unintelligible] and then you can get on this and then you can get on that, you can get state welfare.
MS. ZELNER: In the states we would refer those kinds of cases to the appropriate agency. Again, just speaking for the MFCUs, we are limited to investigating and prosecuting Medicaid fraud, but if we uncovered Medicare fraud, for example, we would refer that information to the local, or the regional Inspector General, for example, or to the FBI or to the U.S. Attorneys. If it is Welfare fraud we do not have the jurisdiction to deal with that. We would refer it to the appropriate state agency.
MR. DE WAAL: In terms of the Department of Justice, the FBI is the investigatory agency with jurisdiction over all federal crimes and it could pursue it. It may determine to, again, refer to the IG’s office or the appropriate agency or work jointly with them. It depends on the nature of the fraud, how extensive it is and whether or not they think they want to pursue in conjunction with the health care fraud case.
MS. FYFFE: Bob Mayes.
MR. MAYES: I just wanted to make one other general comment. Although, obviously, we are talking about fraudulent activity in this panel, large programs, and I am sure this is probably the case in the private sector, but large programs such as Medicare do not always jump to the conclusion that an unusual pattern of coding or other things is automatically fraudulent or is the result of criminal activity. Certainly when there are significant payment or coverage changes, coding system changes it is oftentimes the case that you will see unusual activity and that is treated more as a quality improvement, quality assurance type of activity where it is actually an educational component and going out to the provider community and say, you know, this is something new, we see that maybe it is not well understood, we haven’t explained it. So we use very similar techniques in terms of the analysis and the examination of records. They fall under different legal protections, but there are those activities and it is not always everybody saying well, anything we see unusual is criminal. We do recognize there are legitimate reasons why there can be unusual patterns discovered.
MS. ZELNER: I think that is a good point. I mean, the MFCUs have to prove beyond a reasonable doubt that there was an intent to defraud the Medicaid program just because, as this gentleman said, you cannot, you know, a pattern, an unusual pattern does not necessarily mean that there is fraud. But, it certainly bears further investigation.
MR. MAHON: There is a flip side to that, too. I recall sitting at GAO several years ago and seeing a presentation by a Medicare carrier that had just adopted and had been testing this new behavior profiling, provider profiling system. And they were very enthused about the results they were getting and they showed how they had identified a transportation company that was by many multiples the outlier in the peer group of transportation companies in that state. And they said, we have established that, you know, in a three month period they billed $18 million when the average was $2 million among other providers. We also have established that they have been transporting patients in this state but billing them as patients from this state to get a higher reimbursement and so on. we know a lot of these trips never happened.
And the question arose, you know, have them been indicted yet and the answer was oh, no. Well, what have you done? Well, we have sent them a letter of correction or a corrective letter. And what are you going to do if they do not respond? Well, we will send them another letter. So, the system can be its own worst enemy in some of these cases but Mr. Mayes is quite right. I mean, it takes a lot to take a private payer and a government agency to the point of alleging criminal fraud.
MR. SCANLON: And statistical information like that, I do not know how the courts would deal with that. The fact that the probability is that the provider is maybe doing something wrong, but it is not a certainty. It is statistical information. Maybe build some probability in these profiling --
[Simultaneous comments.]
And is that enough to get access to individual, the fact that this person is outside of the profile in terms of patterns, would that be enough to get access to individual medical records?
MR. MAHON: Sure, I think it is enough to call Medicare beneficiary John Smith and say, you know, this company says it transported you in an ambulance on such and such a date, did they in fact?
MS. CALLAHAN: What Bill is pointing out is that you might not jump right into a subpoena or a search warrant but you would start at least looking deeper and then you would progress to the point where you may go and seek some kind of compulsory process.
MR. MAHON: If you find that a given ambulance company, for example, is billing for critical care with a life support on 98 percent of its ambulance runs, you know, where the average might be 36 percent, 42 percent, you certainly have cause to look at what might be underlying that sort of discrepancy from the norm. So you might well start by requesting the records, you know, show us what you did to these patients on all these trips, why life support was medically necessary and so on. Then you might get to the point of contacting a patient and/or family member.
MR. DE WAAL: I would think it would be highly unusual, I am never going to say it never occurs, but that it would be highly unusual to go out and seek, you know, substantial numbers of patient medical records based on statistical analysis alone. I mean, statistical analysis can mean a whole range of things and certainly I cannot imagine a judge signing an order for a search warrant based on, you know, kind of a generic statistical analysis.
MR. MAHON: Yes, in most cases of profiling, I mean, in most cases of suspect fraud you are going to find that there is not fraud there, that there is some legitimate explanation and that is very much the way of lot of these profiling systems work. There is a very good reason why 60 percent of this doctor’s patients come from more than 50 miles, for example.
MS. CALLAHAN: A lot of what I was trying to say in my opening statement by emphasizing audits and evaluations, too, is there is a certain percentage and a good amount of money that leaks out of the Medicare program from improper payments that are not fraudulent. It is very important not to forget the audit and evaluation oversight of these programs. That there are cases where sloppy billing, other kinds of problems are identified and those are equally important, they are not law enforcement. And it is very important that auditors and evaluators be able to identify those and stop the leaks.
MS. FYFFE: Okay, other questions or comments?
MR. SCANLON: I have one final question if I could. Obviously in the privacy debate you are often called upon to explain why you have the access that you do to individual medical records, just like other researchers are called upon to explain why they get access, and everyone else.
How difficult is it to explain this to the privacy community, that, you know, in a sense you, in a sense you can potentially get access to almost any medical record if there is, you know, a target of some sort. Do they press for, normally press for a higher threshold, that you have to convince a third party, you know, a court or a supervisor? You know, you have to present enough cause or whatever to someone else before you can proceed or how do you -- the privacy community views this, if I am reading the papers correctly -- as not a satisfactory situation. They think you have fairly easy access to everyone’s medical record.
MS. CALLAHAN: I think, actually, if you look at most of the bills that have been introduced in the last couple of years, they seem to understand that there needs to be broad access for health oversight, which is one of the reasons in my testimony I emphasized the necessity of working jointly with other law enforcement agencies, because some of the bills have not recognized that it is not a matter necessarily of redisclosure, but it is working with. And also, I think sometimes the bills have not reflected an understanding of why in the audit and evaluation context we cannot work with unidentifiable information. The majority have seemed to understand that we have to have fairly broad access to be able to conduct our business.
MR. SCANLON: It is my sense that it is not so much they are arguing --
MS. CALLAHAN: Health oversight, not law --
MR. SCANLON: -- as it is that you should have to, there should be a higher standard or threshold to allow you access. Now, whether that is an administrative subpoena or various other means, I think that seems to be to some extent the case they are making.
MS. CALLAHAN: The law enforcement sections in a lot of these bills required a court order or some kind of compulsory process and that was the thing that we have tried to argue, that kind of procedural restriction we do not believe is the best way to protect patient privacy. We think there are other methods like strong penalties and Privacy Act-type protections. I think when you were talking earlier about patients being able to challenge in court, I think if you look at that closely and if you look at bills or acts that currently provide that, it is not a very meaningful protection for a private citizen to go out and hire a lawyer and appear in federal court without any background information on the investigation. What kind of meaningful argument can they present to counteract our legitimate law enforcement inquiries? I do not think that is nearly as effective as Privacy Act-type protections on access and collection restrictions. And, I cannot emphasize enough being an attorney for agents how much they are impressed with penalties. They take criminal penalties extremely seriously.
I think those are far more meaningful and I think sometimes the privacy bills tend to be in a rut for something that is in existing law, rather than looking at it realistically and saying, is this the best way to protect patients? And I just think if you look at it, how many of us in this room, if we were a doctor’s patients, would go hire a lawyer and go into court if we are not the subject of an investigation? I mean, think of the cost. It has its weaknesses.
MR. MAHON: I think it is important to keep in perspective what it is that we are looking at here when we say fraud and the patient protection aspects of what government and the private payers do when they conduct these investigations. I think this psychiatrist in Boston, whom I mentioned earlier, he was attributing to adolescents who he had never met, let alone treated, diagnoses such as behavioral problems in school, sexual identity problems, depressive psychosis, this sort of thing and fabricating, as I say, entire records and treatment that never happened to back it up.
I think it is important to emphasize to the privacy community the experience we have all had with law enforcement thus far, especially at the federal level where the agencies, where the most jurisdiction is concentrated and the Medicaid Fraud Control Units. You do not read cases of federal and state agencies that have direct jurisdiction over this engaging in rampant abuses of their authority. I think, as Susan indicated, they are all too jittery about potential penalties for doing that.
The one case we all probably are too familiar with and caused me to choke on my coffee a couple of weeks ago was the Fairfax Police Department improperly seizing records of 79 substance abuse patients at a clinic in northern Virginia because a car theft had occurred in the parking lot nearby. They did not know what they were doing. They did not realize they could not go in and do that. The magistrate who signed the search warrant apparently did not know that you cannot do that, that it required a court order to get those kinds of records.
And we were saying before we began, we can establish whatever constraints we want on law enforcement and make the penalties as stringent as we want, so long as an agency is just acting in abysmal ignorance of what the law is we cannot prevent that sort of incident from taking place. We can penalize them very heavily after the fact, but I think you have to maintain a proper perspective on what law enforcement has already done in this area and the lack of apparent problems of this sort.
MR. DE WAAL: I would agree with that, underscore that. I think that there are several different reasons afoot which drive this debate and for one I think the privacy community is legitimately concerned with protecting the privacy of the citizens of this country and to do so as forcefully as they are able to advocate for that. And that is what they are doing.
There has not been a lot of direct dialogue between the law enforcement community and the privacy community on this issue.
I would say that this, in the five years I have been working on this this has been the most thorough exploration of how medical records are used in specific fraud investigations and different ways in which law enforcement is constrained in terms of how they obtain such records, as well as the issues of delay and diversion of resources that can effectively halt or cripple a health care fraud investigation. That kind of dialogue I do not think has occurred before today in as in-depth a fashion and I hope that continues.
In the four or five years, or five years I have been looking at this, and I think this was most recently really prompted by the Administration’s proposals to establish a single health care medical record keeping system electronically so we could all keep track of our medical records instead of losing them every time we change a provider, there was a legitimate concern that this enormous data base would provide enormous opportunity for misuse of both access to those medical records and illegal snooping. And there always has been a tension between the privacy community and law enforcement on a variety of issues, and that is driven by our constitutional protections.
Not withstanding that, and the fact that, I think it is important to look at the fact that this debate has been going on for five years and there has not been testimony that there has been systemic abuses or systematic abuses by law enforcement of the privacy rights of individuals either in obtaining medical records or misusing those medical records once they have been obtained legitimately. And I think that is important to always keep in mind in making any decisions or recommendations on whether or not new protections are needed which may in anticipated fashion or in unanticipated fashion create substantial hurdles to these legitimate investigations and prosecutions.
And, if there is any further information the committee would like on how law enforcement uses medical records for the health care fraud investigations, I know our agency, and I am sure everyone else on the panel will be happy to provide that subsequent to this hearing. And again, I would urge that it would be probably very useful for a similar session to occur on how health care records are used in non health care fraud investigations, just so we are operating on some kind of common ground of knowledge before, you know, critical decisions are made on how medical records should be handled in the future.
MS. FYFFE: Final questions and comments?
[No response.]
Okay, I want to thank the panel very, very much. We appreciate your coming today. This was a very informative session. Thank you.
We have two other points on the agenda here; one being other business and one plans for next meeting. Without our chair being here I am going to defer those two until another point in time. I think the meeting is adjourned and I think the full committee -- oh, we have a work group now -- okay, at 3:30 p.m. It is about 3:15 p.m. right now. Okay, thank you.
[Whereupon the meeting was adjourned at 3:15 p.m. on September 15, 1998.]