By Reed D. Gelzer, MD, MPH
The Ever-Shifting Sands Beneath the Billing Enterprise
Electronic health record (EHR) systems aren’t
The records a billing company receives as outputs from electronic health records (EHR) systems are commonly accepted on trust. However, now that nearly everyone is using EHRs, we’re finding that they aren’t “records” at all. Insurers and law enforcement professionals are increasingly recognizing that EHRs are well-suited for records counterfeiting, with predictable (and long-anticipated) results. This presents special challenges (and opportunities) for billing companies seeking value-added services and risk reduction.
First of all, readers often ask, “What is an EHR?” (Or EMR,1 as often the terms are used interchangeably). For this article, to be brief, the main issue is more what an EHR (or EMR) isn’t. EHRs are not records keeping systems in that EHRs are not designed, and often are not configured, implemented, or used in a manner that meets federal or state requirements for business records. As a result, EHR “records” are commonly not records.
This profound oddity arises because there are no regulations for these systems, nor does any agency (federal or state) oversee them for accuracy, safety, or security. Furthermore, most EHR contracts stipulate that the user holds all the risk and, in some instances, even indemnifies the EHR vendor.2 EHR records systems, unregulated and without oversight, produce records-like outputs. These “record-like” objects, unless the user sees to it, frequently won’t qualify as valid, accurate, complete episode of care records according to payer agreements or to federal and state laws defining business records.
Furthermore, there’s no market transparency for EHR systems because errors, harms, and defects are not publicly reported anywhere and EHR contracts often stipulate that harms cannot be reported to anyone but the vendor. Since competitive markets require transparency, there is no normal market, and the purchaser/user is fully exposed to “buyer beware” risk, but blindfolded.
How This Applies to Your Company
One way to think of this is the dilemma of companies building cars or airplanes. These companies don’t make the steel; they buy steel based on technical specifications that assure that the steel meets the necessary requirements for safe cars and safe airplanes. What are those companies’ exposures when they learn, as GM, Ford, and Boeing did last year, that one of the major suppliers, Kobe Steel, had been faking steel specifications for years?3 We’re also all familiar with the Volkswagen “gaming” of emissions reporting systems.4
For one thing, it certainly doesn’t reflect well on your company if it turns out you simply eyes-wide-shut believed that the steel delivered was the steel expected, especially when a car crashes or a plane fails. Furthermore, if you actually observe oddities that give you concern, inaction under such circumstances produces risks to your firm, too. Among the long, long list of unenforced or under-enforced rules, there’s this key warning: Under HIPAA, the “awareness” requirement for False Claims Act was expanded from “knew” to “knew or should have known.”
The obvious dilemma for the billing company is, do you tell your customer you have concerns about the veracity of their records, and then watch them take their business elsewhere? Since the federal government has chosen to underfund fraud investigations and since payers have similarly been ill-disposed to call out records counterfeiting, it is unlikely you’ll get caught up in litigation. Nonetheless, what is the prudent path for you?
What You Should Do to Protect Your Company
Another key area will be your internal policies and procedures for what to do if you are presented with problematic records in the course of your normal business operations. One anecdote, for example, was a billing firm presented with records with “impossible” service dates, where it was known that the clinician of record was out of the country. Another common anomaly is the “nonsense” record. An example of this is the record with the presenting complaint of “headache” but the review of systems says explicitly “no headache.” This is a definitively non-accurate “nonsense” record. It is increasingly likely that payers will begin kicking out such records and some payers report doing this already.
Consider at least offering, as a service, a records quality review option that will open the door to a discussion with your client where you end up with a definitive agreement that you are accepting their records as “complete and accurate” and, by mutual agreement, keeping the burden on the client to maintain quality controls. The Association for Healthcare Documentation Integrity (AHDI), for example, offers resources for supporting clinical documentation quality assurance (not be confused with revenue-enhancement directed CDI).
Lastly, there’s at least one example where EHR companies are quietly inserting tools that will permit insurers and other investigators to easily reveal counterfeit records. They are not necessarily telling their customers those features now exist, so your customers aren’t telling you. Watch out, for example, for a new option button in the billers view that indicates something like “Hide copied.” If you see that, test it, and make sure your policies and procedures clearly define what you do with that new view.
Your business has other areas where unregulated EHRs can have substantial impact. For those of you who are looking at acquisitions, or are involved in healthcare acquisitions, similar cautions apply. Since EHRs are not regulated in any manner for fitness as business records, and since there is no market expectation that they comply with any accounting rules (e.g., GAAP), it is also prudent to add “records authenticity risk” to any due-diligence checklist. Unfortunately, in 2019 and for the foreseeable future, U.S. markets remain subject to the uncertainties of unregulated EHRs and the counterfeit records they can generate, whether intentional or not. Thus, for example, no AR valuation methodology can be safely presumed to be reliable if records counterfeiting isn’t part of the analysis.
Reed D. Gelzer, MD, MPH, has 30-plus years’ service in the healthcare field, including 11 years in rural primary care practice and in data quality and legal record attributes of medical records, then three years as an EHR vendor. At Trustworthy EHR LLC, he’s focused on clinical trustworthiness, data quality, and business record accuracy.
2 Koppel, Ross, Kreda, David, “Health Care Information Technology Vendors’ “Hold Harmless” Clause: Implications for Patients and Clinicians” in Journal of the American Medical Association, 2009;Vol. 301 Issue 12, pp.1276-1278.
3 Stapczynski, Stephen, Suzuki, Ichiro, and Suga, Masumi, “Japan’s Kobe Steel May Have Faked Data for Over a Decade” in Bloomberg News, October 17, 2017, (accessed 10/17/18 at https://www.bloomberg.com/news/articles/2017-10-17/kobe-steel-is-said-to-have-likely-faked-data-for-over-a-decade)
4 For example, see https://theconversation.com/how-volkswagen-got-caught-cheating-emissions-tests-by-a-clean-air-ngo-47951 and https://www.wsj.com/articles/volkswagen-shares-plunge-as-emissions-scandal-spreads-1446628400