Tag Archives: npi

Insurers’ Call Centers: a Cyber Weakness?

Two years ago, the New York State Department of Financial Services (DFS) released a report on cybersecurity in the insurance sector after surveying 43 insurers with more than $3.1 trillion in assets. The report revealed that 35% of these companies experienced between one and five data breaches within the previous three years. This statistic represents only confirmed breaches (not attempted attacks), and the consequences for affected insurers included actual financial losses from lost customer business, legal defense and damaged brand reputation.

Fast forward to today, and it’s no surprise that the DFS is preparing to launch a new regulation on March 1 that requires banks, insurance companies and other financial services institutions it regulates to establish and maintain a cybersecurity program. The first of its kind in the U.S., this regulation aims to protect New York consumers and financial institutions from the ever-growing threat of cyberattacks. But, like any other industry-wide regulation, this proposed mandate is not without its challenges.

A key provision in the proposal is the requirement for encrypting non-public information (NPI), such as payment card numbers, Social Security numbers (SSN), driver’s license numbers and other security codes, both in transit and at rest. For insurance companies that routinely capture and store this information in their call centers and other areas of business, protecting NPI will be especially challenging. Most insurers record customer calls, thereby housing payment card numbers and other NPI in their physical and IT infrastructure. While many insurers utilize the practice of “stop/start” to block this data from recordings, this method creates additional security and governance concerns. Insurers that need to record 100% of calls to demonstrate compliance with other existing legislation and are using stop/start are now not recording the entire call. That means not only that they are not compliant but also that they are opening up opportunities for illicit activity to occur while the recording is stopped. Yes, NPI is kept out of the call center’s infrastructure, but it is still exposed to agents, which further complicates the entire effort to secure customer data. Data will also still need to be encrypted, meaning stop/start isn’t enough….

The most effective way to protect sensitive information, eliminate insecure practices and resolve broken processes to avoid potentially costly penalties and a tainted brand reputation is to abide by the saying: “They can’t hack what you don’t hold.” In short, keep NPI and other sensitive data out of the call center altogether. Insurers should implement a solution that encrypts data as it is collected and in flight, and that reduces the stockpiles of data at rest that are just waiting to be exposed in the next big breach.

Despite the undoubted challenges it will bring, the New York DFS cybersecurity regulation is a step in the right direction because it starts to create much-needed standardization in the way insurers and their call centers handle sensitive information. To emphasize this point, we recently spoke with call center agents at 10 of the leading U.S. insurance companies. We found that there is a lack of a uniform approach in data security measures, especially when it comes to how sensitive information is removed from call recordings (and those insurers using stop/start still have NPI data elsewhere in the estate and are now not recording 100% of calls). Agents gave a wide range of answers — from using stop/start, to redacting information after the fact, to deleting the full recording after 30 days. This is in sharp contrast to the U.K., where a growing number of call centers are adopting an operating procedure that uses dual-tone multi-frequency (DTMF) masking and a secure, separate environment for encrypting data. Shouldn’t all insurers handle their data in the same, secure manner?

While the New York DFS regulation is the first of its kind, it most certainly won’t be the last. We will now likely see other cybersecurity regulations crop up in the coming years that help standardize how financial institutions secure their data. Because this regulation affects all who conduct business in New York, it draws parallels to the pending EU General Data Protection Regulation (EU GDPR). Taking effect in May 2018, the EU GDPR will affect all businesses that hold or process data pertaining to EU citizens — no matter where they reside. Indeed, we are seeing all signs pointing toward greater standardization of data security across industries and borders. Insurers in New York and beyond must begin looking at solutions — now — to help simplify their compliance efforts and protect their customers and their reputations.

The Secret Power of the NPI

This is a David and Goliath story about how the seemingly insignificant NPI code can fight medical fraud and have a positive impact on workers’ comp medical management. Many in the industry consider the NPI irrelevant. Yet it is a powerful factor in medical management and medical fraud detection.

The NPI is the National Provider Identifier assigned by CMS (Centers for Medicare and Medicaid Services) to individual medical providers and organizations that deliver medical services. It is required on bills for Medicare and Medicaid. Individual medical providers and medical groups must include their NPI on all bills submitted.

If the NPI is required for Medicare and Medicaid reimbursement, it follows that probably all medical doctors have an NPI number from CMS that uniquely identifies them. The problem is that many workers’ compensation payers do not ask for the NPI, do not require it and, even when the NPI is available, do not record it or transfer it to the next level.

Some, but not all, states require the NPI on workers’ comp bills. However, even if it is added to the bill, the use often goes no further.

The value of the NPI is that it uniquely identifies individual medical doctors. It carves out individual treating physicians in groups, organizations and facilities. Without the NPI associated with individuals, all those in a group are lumped together under the organization’s NPI or, worse, the entity’s tax ID. This matters. The assumption is that all members of the group practice in exactly the same way. But they do not.

The ability to parse individuals from groups in the data is essential to fair performance analysis. With individual NPIs, individual differences seen in the data can be distinguished, even when the individuals are associated with a group. This is essential to creating quality preferred provider networks and directories. It is also indispensable for leveraging the data to create a teaching platform for improving provider performance in workers’ comp.

Physicians should be given the opportunity to see themselves portrayed in graphic reports comparing their performance to others like them. By nature, they are high achievers, and they want to show well. The graphic presentations are targets or guides for improvement.

Simply paying attention to a treating doctor in this objective manner will result in behavior change! Using the comparative data is invaluable, but success depends on accurately identifying individuals in the data using the individual NPI.

Another valuable use of the NPI is to assign medical specialties to individuals. Professional specialties can be obtained electronically from CMS databases using the NPI. Specialty is yet another data element missing in much of the bill review and claim system data. If the NPI number is available, specialties can be derived.

Specialties are important so that treating doctors are grouped with other doctors who are similarly prepared and licensed. The argument from doctors that they only treat the more difficult cases is nullified when they are compared only with others in their specialty. The best example is pain management specialists, who really do treat the more difficult cases. Their performance should always be compared with other pain specialists.

Unfortunately, there are those who twist the positive aspects of the NPI for fraudulent purposes. Close examination of the data reveals that less reputable medical doctors and other providers obtain multiple NPI numbers, using them in different locations or situations to deliberately obfuscate the data.

When multiple NPI numbers are fraudulently used, the door is open to undetectable duplicate billing. Systems cannot recognize overall performance for the individual because their performance is fragmented across multiple NPIs. To accurately analyze performance for an individual, all treatment incidences should be combined for one practitioner, thereby creating a critical mass of data for that individual.

While some will think the focus on NPI is much ado about nothing, it is not. Individual NPI numbers on all medical bills are essential; payers should insist on them. In fact, reimbursement should be withheld until the correct information is included on the bill, as is done in Medicare.

Treating doctors not only drive direct medical costs but also indemnity costs, return to work and disability ratings at the end of the claim. They can also influence legal involvement. Consequently, finding the best doctors and avoiding the bad ones is crucial.

The way to determine who should be included in quality medical provider networks is to analyze past performance based on the data. The only way to accurately analyze performance is to identify individual treating doctors in the data and evaluate their performance across multiple claims based on the relevant performance factors. Correct NPI numbers included on medical bills are essential.

Workers’ comp payers must require correct individual NPI numbers on all medical bills. This is not an outrageous demand and does not add to costs. However, it does require attention to the matter. The benefits are too great to miss this simple yet powerful opportunity.

The simple little NPI is a powerful element in workers’ compensation medical management. It is the David that can effectively and affordably fight the medical fraud Goliath.

How to Find Best Work Comp Doctors?

As is the case in any professional group, individual medical providers’ performance runs the gamut of good, bad and iffy. The trick is to find good medical providers for treating injured workers, avoid the bad ones and scrutinize those who are questionable. To qualify as best for injured workers, medical providers need proficiency in case-handling as well as medical treatment.

High-value physician services

The first step is to clarify the characteristics of the best providers, especially in the context of workers’ compensation. One resource is an article published by the American College of Occupational and Environmental Medicine in association with the IAIABC (International Association of Industrial Accident Boards & Commissions) titled, “A Guide to High-Value Physician Services in Workers’ Compensation: How to find the best available care for your injured workers.” It’s a place to begin.

The article notes, “Studies show that there is significant variability in quality of care, clinical outcomes and costs among physicians.” That may be obvious, but it also verifies the rationale for taking steps to identify and select treating doctors rather than pulling from a long list of providers to gain the discount. The question is, what process should be used to select providers?

Approach

Although considerable effort from scores of industry experts contributed to this article, the approach they recommend is complex, time-consuming and subjective. In other words, it is impractical. Few readers will have the expertise and resources to follow the guide. Moreover, one assertion made in the article is simply wrong.

Misstatement

The article states that it would be nice to have the data, but that the data is not available. “Participants in the workers’ compensation system who want to direct workers to high-quality medical care rarely have sufficient data to quantify and compare the level of performance of physicians in a given geographic area.”

Actually, the data is available from most payers whether they are insurers, self-insured, self-administered employers or third-party administrators (TPAs). However, collecting the data is the challenge.

Data silos

The primary reason data is difficult to collect is that it lives in discrete database silos. The industry has not seen fit to place value on integrating the data, but that is required for a broad view of claims from the beginning and throughout their course.

At a minimum, claim data should be collected from medical billing or bill review, the claims system and pharmacy (PBM). The data must be collected from all the sources, then integrated at the claim level to get a broad view of each claim. It takes effort, but it is doable. Yet, there remains another data challenge.

Data quality

Payers have traditionally collected billing data from providers, through their bill review vendor. The payer’s task has been paying the bill and sending a 1099 statement to providers at the end of the year. All that is needed is a provider name, address and tax ID so the payment reaches its destination. It makes no difference to payers that providers are entered into their systems in multiple ways causing inaccurate and duplicate provider records. One payment is a payment. The provider might receive multiple 1099s, but that causes little concern.

What is of concern is that when the same provider is entered into the payers’ computer system in multiple ways, it can be difficult to ascertain how many payments were made to an individual provider. Moreover, when the address collected by the payer is a P.O. box rather than the rendering physician’s location, matters become more complicated. This needs to change.

The new request

Now payers are being asked to accurately and comprehensively document individual providers, groups and facilities so the data can be analyzed to measure medical provider performance. They need to collect the physical location where the service was provided and it should be accurately entered into the system in the same way every time. (Note: This is easily done using a drop-down list function rather than manual data entry.)

Most importantly, a unique identifier is needed for individual providers, such as their NPI (national provider identification). Many payers are now stepping up to improve their data so accurate provider performance assessments can be made.

High-value, quality medical providers can be identified by using the data. However, quality data produces better results. Selecting the best medical providers is not a do-it-yourself project. Others will do it for you.

Is Your Work Comp Doctor a P.O. Box?

Are your workers’ compensation medical doctors treating injured workers from a P.O. Box? That may sound ludicrous, but most workers’ compensation data suggests just that. The rendering physician’s address is a P.O. Box.

In the past, documenting only the provider’s mailing address was acceptable because that and a tax ID were all that were needed to pay bills and file 1099s. Now, having more complete data has become profoundly important.

Data on providers is scrutinized to determine medical performance, claim cost and outcome. Accurate analysis relies on the data: complete data. Rendering physicians must be documented on the bill so that their performance is accurately tied to the correct injured worker and claim in the data. Including the 1) treating physician’s name, 2) physical location and 3) NPI number of the rendering provider on each bill lets analytics tell us who are the best and why. When those three little data elements are missing, so is any useful information for medical management.

When the data contains group or facility demographics without the rendering physician’s name, the actual treating physician cannot be linked to the claim. Performance cannot be logically averaged among all the providers in the group. Obviously, not every treating provider is equally gifted or competent.

The HCFA (Health Care Finance Administration) standardized form has a box to document the rendering provider’s name and NPI (National Provider Identification). That box must be used.

Sometimes, the name of the provider is documented on the billing form but is not captured in the OCR (optical character recognition) process, whereby the data on the bill is translated to a digital form.

Even when bills are submitted electronically, that data element, while present, may not be forwarded. The digital bill is usually handed off to a bill review service that analyzes the appropriateness of the charges and passes its conclusions on to the payer. Rarely is all the information from the HCFA billing form passed on to the payer. The provider information that is handed off may be just the billing address and tax ID.

Sometimes, the name and NPI of the rendering physician are omitted simply because it has always been done that way. No one has thought to change the procedure.

In other words: Retrieving definitive provider demographics might be a simple matter of requesting it!

Sometimes, though, the reason accurate data is missing may be more sinister. The Centers for Medicare and Medicaid Services (CMS) requires the rendering physician name and NPI number on bills submitted to Medicaid and Medicare. CMS simply withholds payment on bills without that information. But those standards are not applied in workers’ compensation. The frequent result is bad or misleading data, but it can be even worse.

Unfortunately, omitting the name and NPI of the rendering physician is sometimes deliberate. This could be strategic or actual fraud. Some large multi-specialty medical groups and multi-location practices deliberately omit such information because they want the anonymity for their individual practitioners. They want to avoid measurement of their providers’ performance. They do not want individuals identified, not even by the location in which they practice. All the providers in the group treat from a P.O. Box and under the group NPI number.

Some providers deliberately obfuscate the data so they can stay under the radar to overbill. They submit different addresses and even different NPI numbers on their bills. The practice is clearly fraudulent because CMS expects that one physician or other medical provider is assigned one NPI. Providers who commit fraud also circumvent CMS.

The solution

Regardless of the reason for bad medical provider data, payers can correct the problem by demanding more. Often, the solution is as simple as asking the bill review service for more complete data. Further upstream, it might be as simple as requiring all providers in a network to include the name and NPI of the actual treating physician on the HCFA billing form.

All you require is the 1) rendering physician’s name, 2) physical location and 3) NPI number with every bill. With that information, the best and worst providers can be identified, and the fraudulent ones exposed.

7 Ways Your Data Can Hurt You

Your data could be your most valuable asset, and participants in the workers’ compensation industry have loads available because they have been collecting and storing data for decades. Yet few analyze data to improve processes and outcomes or to take action in a timely way.

Analytics (data analysis) is crucial to all businesses today to gain insights into product and service quality and business profitability, and to measure value contributed. But processes need to be examined regarding how data is collected, analyzed and reported. Begin by examining these seven ways data can hurt or help.

1. Data silos

Data silos are common in workers’ compensation. Individual data sets are used within organizations and by their vendors to document claim activity. Without interoperability (the ability of a system to work with other systems without special effort on the part of the user) or data integration, the silos naturally fragment the data, making it difficult to gain full understanding of the claim and its multiple issues. A comprehensive view of a claim includes all its associated data.

2. Unstructured data

Unstructured documentation, in the form of notes, leaves valuable information on the table. Notes sections of systems contain important information that cannot be readily integrated into the business intelligence. The cure is to incorporate data elements such as drop-down lists to describe events, facts and actions taken. Such data elements provide claim knowledge and can be monitored and measured.

3. Errors and omissions

Manual data entry is tedious work and often results in skipped data fields and erroneous content. When users are unsure of what should be entered into a data field, they might make up the input or simply skip the task. Management has a responsibility to hold data entry people accountable for what they add to the system. It matters.

Errors and omissions can also occur when data is extracted by an OCR methodology. Optical character recognition is the recognition of printed or written text characters by a computer. Interpretation should be reviewed regularly for accuracy and to be sure the entire scope of content is being retrieved and added to the data set. Changing business needs may result in new data requirements.

4. Human factors

Other human factors also affect data quality. One is intimidation by IT (information technology). Usually this is not intended, but remember that people in IT are not claims adjusters or case managers. The things of interest and concern to them can be completely different, and they use different language to describe those things.

People in business units often have difficulty describing to IT what they need or want. When IT says a request will be difficult or time-consuming, the best response is to persist.

5. Timeliness

There needs to be timely, appropriate reporting of critical information found in current data. The data can often reveal important facts that can be reported automatically and acted upon quickly to minimize damage. Systems should be used to continually monitor the data and report, thereby gaining workflow efficiencies. Time is of the essence.

6. Data fraud

Fraud finds its way into workers’ compensation in many ways, even into its data. The most common data fraud is found in billing—overbilling, misrepresenting diagnoses to justify procedures and duplicate billing are a few of the methods. Bill review companies endeavor to uncover these hoaxes.

Another, less obvious means of fraud is through confusion. A provider may use multiple tax IDs or NPIs (national provider numbers) to obscure the fact that a whole set of bills are coming from the same individual or group. The system will consider the multiple identities as different and not capture the culprit. Providers can achieve the same result by using different names and addresses on bills. Analysis of provider performance is made difficult or impossible when the provider cannot be accurately identified.
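The checks this passage and the earlier discussion of multiple NPIs call for, as an added example that is not from the articles: it flags bills whose NPI fails the check digit, bills addressed to a P.O. Box, rendering-physician names that appear under more than one NPI, and identical services billed under different NPIs. The record field names and the sample bills are constructed for illustration, and the check-digit rule (Luhn over the NPI prefixed with 80840) is the CMS standard rather than something stated on this page. A shared name is a lead for manual review, since two different physicians can have the same name.

```python
import re
from collections import defaultdict

PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.I)

def npi_is_valid(npi: str) -> bool:
    """True for 10 digits whose last digit is the Luhn check over '80840' + NPI."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def norm(name: str) -> str:
    """Fold case, punctuation, titles and word order so name variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(w for w in words if w not in {"dr", "md"}))

def analyze(bills):
    """Return bill ids and provider names that need a closer look."""
    npis_by_name = defaultdict(set)
    bills_by_service = defaultdict(list)
    report = {"invalid_npi": [], "po_box": []}
    for b in bills:
        if not npi_is_valid(b["npi"]):
            report["invalid_npi"].append(b["id"])
        if PO_BOX.search(b["address"]):
            report["po_box"].append(b["id"])
        who = norm(b["name"])
        npis_by_name[who].add(b["npi"])
        # Key on the person, not the NPI, so a second NPI cannot hide a repeat bill.
        key = (who, b["claim"], b["dos"], b["code"], b["amount"])
        bills_by_service[key].append(b)
    report["split_identities"] = {
        who: sorted(npis) for who, npis in npis_by_name.items() if len(npis) > 1
    }
    report["duplicates"] = [
        sorted(b["id"] for b in group)
        for group in bills_by_service.values()
        if len({b["npi"] for b in group}) > 1
    ]
    return report

# Constructed sample bills (not real providers or claims).
SAMPLE_BILLS = [
    {"id": "B1", "npi": "1234567893", "name": "John Q. Smith MD",
     "address": "12 Main St, Albany NY", "claim": "C100",
     "dos": "2016-03-01", "code": "99213", "amount": "120.00"},
    {"id": "B2", "npi": "1987654328", "name": "SMITH, JOHN Q",
     "address": "P.O. Box 77, Albany NY", "claim": "C100",
     "dos": "2016-03-01", "code": "99213", "amount": "120.00"},
    {"id": "B3", "npi": "1555555550", "name": "Ana Ruiz",
     "address": "40 Lake Ave, Troy NY", "claim": "C200",
     "dos": "2016-03-02", "code": "97110", "amount": "80.00"},
    {"id": "B4", "npi": "1234567890", "name": "Lee Wong",
     "address": "9 Elm Rd, Troy NY", "claim": "C300",
     "dos": "2016-03-05", "code": "99214", "amount": "150.00"},
]

if __name__ == "__main__":
    for section, findings in analyze(SAMPLE_BILLS).items():
        print(section, findings)
```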

7. Data as a work-in-process tool

Data can be used as a work-in-process tool for decision support, workflow analysis, quality measurement and cost assessment, among other initiatives. Timely, actionable information can be applied to work flow and to services to optimize quality performance and cost control.

Accurate and efficient claims data management is critical to quality, outcome and cost management. When data accuracy and integrity are overlooked as an important management responsibility, it will hurt the organization.