The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held a round table discussion on health care fraud and abuse on September 15, 1998, in the Hubert H. Humphrey Building, Washington, D.C. Present:
On September 15, 1998, the Subcommittee on Privacy and Confidentiality held a round table discussion on the operational activities and related issues involved in health care anti-fraud activities vis-a-vis confidentiality of health information. The following experts presented:
Following the panel members' presentations, discussion of the issues ensued. The following major points were raised:
Ms. Fyffe convened the round table on health care fraud and abuse at 1:20 p.m., September 15, 1998. Participants introduced themselves. The meeting was broadcast on the Internet.
Ms. Fyffe presented an overview of the problem of health care fraud. The General Accounting Office estimates that approximately 10 percent of health care dollars are lost annually to fraud and abuse. The problem, which affects public payers, private payers, and consumers and taxpayers, relates to two dueling consumer concerns -- confidentiality of individually identifiable health information and health care anti-fraud activities. The purpose of this round table is to identify and discuss the operational activities and related issues involved in health care anti-fraud activities vis-a-vis confidentiality of health information.
William Mahon, National Health Care Anti-Fraud Association, described the costs of health care fraud: approximately $30 billion in the United States, or 3 percent of the nation's total health care spending annually. The greatest offenders are dishonest health care providersÄa very small minority of the provider communityÄand criminal ring-type organizations that enlist dishonest providers. Health care fraud invariably involves exploitation and falsification of private medical information, and medical record privacy constraints offer an effective shield to investigation.
Mr. Mahon stated that the greatest impact is made by people who are or purport to be health care providers and who capitalize on their access to people's health care information and their billing identities to make false claims amounting to tens of millions of dollars. Because of this impact, there is reason not to establish too great a barrier to a law enforcement's ability to obtain medical information. In many cases, falsified medical records may come to haunt the patients in the future in terms of insurability, employability, security clearances, etc.
Mr. Mahon urged that the term "information sharing" be construed correctly. Information sharing, a key ingredient in early detection of health care fraud, involves cooperation in identifying and sharing the names of individuals suspected of billing fraud, not in sharing patient claims, identities, medical conditions, etc.
Susan Callahan, Department of Health and Human Services, Office of Inspector General, highlighted aspects of the testimony of John Hardwig, Deputy Inspector General for Investigations, at the Committee's January 1997 hearings on the subject. As a backdrop, Ms. Callahan presented the findings of several comprehensive audits of the Medicare program: For FY 1997, approximately 11 percent of Medicare claims were improper, representing about $20 billion of Medicare outlays. Data for recent years show a marked increase in participation by traditional criminal elements in Medicare fraud schemes.
Ms. Callahan described the multidisciplinary program of audits, evaluations, and investigations linked with other law enforcement agencies to maximize limited oversight resources. This coordinated health care fraud and abuse control program, mandated in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has proven to be highly successful. Law enforcement agencies such as Medicaid fraud control units, Federal Bureau of Investigation, Internal Revenue Service (IRS),the U.S. Postal Service, and the Department of Health and Human Services Office of the Counsel to the Inspector General serve on regional health care task forces around the country.
Ms. Callahan outlined the operational aspects and results of several successful investigations. A health care investigation of three chiropractic clinics, conducted jointly with the Defense Department, U.S. Postal Service, IRS, and state Medicaid investigators, reviewed more than 2,000 medical records in addition to Medicare claims records; the result was seven convictions and restitution of more than $265,000. In a joint investigation of a psychiatric hospital chain, agents examined thousands of patient records and identified a patient referral kickback scheme; a settlement of $300 million was reached, and the Medicare Trust Fund recovered $109 million.
Ms. Callahan asserted that oversight cannot be performed successfully without access to individually identifiable information. She referenced Mr. Hardwig’s testimony on evidentiary problems and the inability to convict or otherwise sanction on the basis of sanitized records. Moreover, investigations, audits, and evaluations would not be possible without the ability to compare medical records with billing records. Even if there were value to sanitized records, the process of sanitizing hundreds to thousands of records would "cripple" the holder of the records.
In conclusion, Ms. Callahan stated that the IG is aware of the sensitive nature of health information; the office has an excellent record of protecting it from misuse; the IG believes it is not in the public interest to place significant new procedural restrictions on health care oversight; and meaningful penalties should be imposed for misuse of health care information.
Ian DeWaal, Department of Justice, whose background involves health care fraud investigation and policy issues with an emphasis on patient privacy concerns, referenced the February 1997 testimony before the Committee by Acting Deputy Assistant Attorney General for the Criminal Division Robert Litt. Mr. Litt had emphasized law enforcement sensitivity to privacy issues vis-a-vis health care records, but also the necessity to rely on health care information in fraud and other cases.
As background, Mr. DeWaal described the phases of health care fraud casesÄinitial investigation, development of complaint or indictment, post-charging discovery, and trialÄand enumerated the multiple federal, state, and local government agencies that investigate health care fraud at every governmental level. He characterized health care fraud cases as "document intensive and extremely complex"; tens of thousands of pages of billing records may require review, complexity arises from close regulation of the health care industry, and an additional element of time criticality (vis-a-vis statutes of limitation) is added to the pot. Initial investigation can be triggered by whistle blowers, patient complaints, health insurance providers, and private health insurance fraud units.
Mr. DeWaal discussed the critical role of health care records in a number of successful health care fraud investigations and cases. These cases included fraudulent blood testing, ambulance transportation for ambulatory patients, and mental health services to uncommunicative Alzheimer patients. In each investigation, a review of patient records was essential to show diagnosis or symptoms. In a national psychiatric hospital case, fraudulent billing was uncovered for services the patients were physically unable to receive based on documentation in the records, and in other cases, so many procedures were billed by an individual provider on a single day that it would not have been physically possible to administer them. These situations, Mr. DeWaal asserted, require examination of medical records. Upcoding procedures or misrepresentation of the length of appointments are other schemes that can be investigated properly only by review of records. Mr. DeWaal also asserted that nursing home patient abuse and substandard quality of care demand review of records in order to investigate, initiate, and prosecute cases of health care fraud and abuse.
Barbara Zelner, National Association of Medicaid Fraud Control Units, described the structure and function of MFCUs. MFCUs, which investigate and prosecute Medicaid provider fraud but not recipient fraud, are 75 percent federally funded and 25 percent state funded. Oversight is provided by the Office of Inspector General, DHHS. MFCUs work cooperatively with other federal and/or state agencies.
Ms. Zelner asserted that it is "absolutely critical" for the units to have access to patient medical information, which is provided by the state Medicaid agency. She stated that law enforcement should have no additional restrictions placed on it. Existing safeguardsÄgrand jury secrecy, existing state privacy acts, court review of evidence-gathering devices such as search warrants, law enforcement internal standards and guidelines for handling evidence, and specialized federal and state restrictions for sensitive medical information such as psychotherapy and drug and alcohol abuseÄare adequate. Patient authorization should not be necessary for providers and payers to provide law enforcement MFCUs patient information for health care provider fraud investigations.
In response to a question by Mr. Scanlon, Ms. Callahan stated that health care fraud by beneficiaries is rare in Medicare programs. Mr. Mahon asserted that there is great disparity between the impact of providers versus dishonest insureds.
Dr. Fitzmaurice asked the panelists what types of controls on access are encountered in investigations. Ms. Callahan replied that in the Office of the Inspector General, monitoring or undercover activities determine review levels, but access is a given; statutory restraints include the Privacy Act. Mr. DeWaal explained that patients routinely sign releases authorizing disclosure to verify validity of the claim, which voids concerns of breach of confidentiality or privacy. Once the records have been disclosed to a third party in an investigation, law enforcement agencies operate under different privacy formulas. Internal procedures are governed by statutes and regulations, and attorneys must comply with evidentiary rules; federal, state, and local jurisdictions operate under specific laws to safeguard the privacy of disclosed records.
Dr. Fitzmaurice questioned whether an agency can share information learned from patient records, such as the lab test results of illegal drugs in a person's blood. Ms. Callahan stated that agencies are bound by different regulations on redisclosure, but that the Inspector General's Office never has made such a disclosure. Mr. DeWaal added that federal employees are mandated by statute to report the discovery of a crime of any nature. For example, if in a Medicaid investigation an immigration fraud scheme were discovered, that might fall into the category of a crime bearing investigation; but stringent substance abuse patient protection statutes would prohibit the use of that type of information.
Dr. Fitzmaurice asked about the private-sector response to health care fraud. Mr. Mahon described the disparity in legal treatment; the private sector patient is less protected against fraud. Nevertheless, the release signed by the patient empowers an insurer to acquire medical records. A private insurer who suspects fraud can make a criminal referral, file a civil suit to seek recovery, or confront the provider. Insurers generally do not disclose records outside of a legal action, and those disclosures are regulated by privacy laws.
In response to a question from Dr. Fitzmaurice concerning the ramifications of a requirement for a subpoena and notice to the person whose records would be subpoenaed, Mr. Mahon asserted that this practice might impede proper investigation. It would enable a patient to alert a suspected provider and that provider to advise that patient to petition to quash the subpoena. The use of subpoenas would also negatively impact the timeliness of an investigation. Mr. DeWaal echoed Mr. Mahon's comments, asserting that petitions to quash subpoenas from potentially thousands of patients would substantially delay an investigation and divert significant resources in order to address each petition individually. Mr. DeWaal also raised the issues of protection of the provider's privacy in an ongoing investigation and the likelihood of alteration nationwide of court rules on evidence presentationÄwith unforeseen consequences. Mr. Mahon noted that adding this extra barrier would have a chilling effect on private insurance anti-fraud efforts.
Queried by Dr. Fitzmaurice on desirable features of a federal privacy law applied to law enforcement that would make the jobs of the panel members easier, Mr. Mahon responded that from a private- payer perspective, additional privacy protection is not necessary. It is, however, important to distinguish between patient information and provider investigation implications; private payers would benefit from greater law enforcement commitment to sharing generic information on providers under investigation. Ms. Callahan stated her Office's position: to defend the status quo. Mr. DeWaal would value a federal privacy law that clarified the application of Jaffe v. Redmond.
Another continuing issue arises over the substance abuse statute and applicability regulations: If a patient is suspected of illegally obtaining controlled substances through a methadone clinic but is not receiving treatment, is that a substance abuse record or not, and under what circumstances can law enforcement acquire those records or not? In addition, court decisions on health care fraud and privacy of medical records have not been uniform nationwide, which has led to problems in fraud investigations.
Dr. Cohn commented that he had expected the panel to describe methodologies that minimize risk of privacy invasion on individuals. Ms. Callahan explained that even though some investigations are narrowly focused, they may involve thousands of claims. Mr. DeWaal stated that changes in regulation can precipitate new fraud schemes, which may be identified through general audits. Once a potential fraud scheme is identified, patient records must be consulted in an investigation. In large cases, the time required to sanitize records would exceed the statute of limitations. In cases for which selected, and not all, records are sanitized, lack of evidence would preclude recovery of all funds fraudulently paid out. Mr. Mahon stated that when matters become cases, it becomes an issue for private insurers, who use a sophisticated methodologyÄprovider behavior profiling software, auditsÄto help them look for potential fraud. Ms. Callahan stated that IG auditors and evaluators also use screening programs, and that records must be cross-referenced.
To Mr. Scanlon's question on how access to medical records is negotiated, Mr. Mahon responded that in fee-for-service health insurance situations, the patient confers the right to the records when he/she signs the release. In a managed care network, the contract provides for access. Mr. Mahon stated that the nature of the activity determines whether investigators request records by telephone or mail, or appear in person to avoid doctoring of the records.
Mr. Scanlon raised the issue of Medicare and Medicaid. Ms. Callahan stated that the law requires providers to justify payment. In recent large cases, however, search warrants and grand jury or IG subpoenas have been used to obtain records. Mr. DeWaal explained that the Department of Justice uses new administrative investigative demand procedures that limit use of the records to the health care fraud investigation. Ms. Fyffe clarified that these procedures are mandated in HIPAA, Title II; Mr. DeWaal added that the procedures are also provided for in Title 18, U.S. Code, 3000 series. Mr. DeWaal observed that health care records used in non- health care fraud cases are subject to different statutes and regulations.
Mr. DeWaal responded to Mr. Scanlon's question about uniformity across the 50 states regarding access, confidentiality, and protection provisions for providers. In federal practice, district courts may use state confidentiality law in two contexts to determine what records should be disclosed: permission for disclosure of substance abuse records prior to contact with the provider, and litigation to quash a subpoena or to return confiscated records, based on privilege that may attach to the records. Ms. Zelner stated that confidentiality protection in Medicaid cases differs throughout the 50 states. Mr. DeWaal asserted, and Ms. Callahan concurred, that the diversity of provisions has not led the law enforcement community to conclude that a uniform approach that would impose new restrictions would be desirable.
Mr. Scanlon asked about the mechanism for access to substance abuse records regulated by SAMHSA. Mr. DeWaal replied that they must be armed with a court order, made at the time of application for a search warrant, or a grand jury subpoena for disclosure. Mr. Mahon added that the process is similar for private payers; in psychiatric and substance abuse cases, it is extremely difficult for a private payer to elicit records from a provider.
In the context of informed consent, Dr. Harding inquired about the practice of using patient records as controls for comparison in suspected upcoding investigations. Ms. Callahan responded that private-pay patient records are checked to see if they are treated the same way as Medicare patients, and that consent is impractical in light of the difficulties discussed earlier. Mr. DeWaal concurred that fraud is likely to take place irrespective of the nature of the patients' insurance coverage. Mr. Kochinski suggested that an investigation may focus on billing data and medical records of private-pay patients to ensure that Medicare charges are the same for both groups. Mr. Mahon stated that he had never encountered a defined control group of specific patients as a yardstick for other providers' performance. Mr. Mayes noted that upcoding matters are investigated using expert opinion comparisons based on a single record. Mr. DeWaal suggested that an overall billing pattern would be compared as opposed to individual record- to-record comparisons.
In response to Mr. Burke's question, Mr. Kochinski stated that the physician who signs a claim form is responsible for the submission and is legally liable for its veracity. Mr. Mahon explained that this presumption is also valid in the use of electronic claim submittal authorization forms.
Mr. Scanlon asked the panelists about how they deal with other fraudulent public program practices revealed in a health care fraud investigation. Ms. Callahan stated that multi-agency task forces collaborate to identify all types of fraud. Ms. Zelner said that in the states, the MFCUs refer those cases to the appropriate state or federal agency. Mr. DeWaal stated that the FBI, with jurisdiction over all federal crimes, pursues such matters or refers them to an appropriate agency.
Mr. Mayes observed that unusual code activity is not automatically deemed problematical; it could be an artifact of quality improvement. Ms. Zelner commented that MFCUs must prove, beyond a reasonable doubt, intent to defraud. Mr. Mahon and Ms. Callahan agreed that evidence of wrongdoing must be investigated before criminal fraud can be alleged. Mr. DeWaal stated that it would be highly unusual to seek substantial numbers of patient medical records based on statistical patterns alone.
Ms. Callahan noted that substantial funds leave the Medicare program from improper payments that are not fraudulent, and while audit and evaluation oversight attempts to solve those problems, law enforcement is not involved.
Mr. Scanlon questioned the panelists about the difficulty in explaining to the privacy community, which believes medical records are easily obtainable if there is a target, the existing controls on law enforcement access to medical records. Ms. Callahan responded that most legislation introduced recently reflects understanding for the need for broad access for health oversight. However, she continued, the law enforcement sections in many bills required a compulsory process such as a court order, a procedural restriction she does not view as the best way to protect patient privacy; strong penalties and Privacy Act-type protections would be more effective, especially in view of the small likelihood of an individual hiring a lawyer and going to court if the individual is not the subject of an investigation. Mr. Mahon pointed to the experience of the MFCUs, which have been extremely conservative in their activities, and to errors by local police departments and judges unaware of the legal limitations on access to medical records.
Mr. DeWaal set the day's in-depth discussion in the context of concerns over the establishment of a single health care medical record keeping system and such a system's enormous opportunity for misuse of access to medical records and "snooping." Although the debate has been ongoing for five years, Mr. DeWaal asserted, no testimony has been given of systematic abuses by law enforcement of the privacy rights of individuals either in obtaining medical records or in misusing those medical records once they have been obtained legitimately. He cautioned that unanticipated events may flow from implementation of substantial hurdles to legitimate investigations and prosecutions. In closing, he suggested a similar round table discussion be conducted on how health care records are used in non-health care fraud investigations, in order to promote further common understanding of how medical records should be handled in the future.
Ms. Fyffe thanked the participants for their contributions and concluded the discussion at 3:15 p.m.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/
Kathleen A. Frawley - 3/5/99
Chair - DATE