Tag Archives: ocr

How Robotics Will Transform Claims

Across the insurance industry, claims organizations have made significant progress in modernizing their core processing systems in the last several years. Typically, the objectives of these programs are to increase speed, improve accuracy and reduce risks in all phases of claims handling. Given that claims interactions are “moments of truth” in customer relationships, insurers have good reason to ensure that the experience for policyholders is smooth and satisfying at every step of the process.

No matter where insurers are on this continuum, robotic process automation (RPA) can help them achieve their business objectives while leveraging existing technology and boosting returns on previous and current transformation investments. In seeking the best path forward, claims leaders will want to consider:

  • Why robotics is well-suited for use in claims and how it complements other enabling technologies
  • Key components of the business case and value proposition
  • High-priority opportunities and common use cases
    for deploying RPA
  • Applying the principles and techniques used by successful early adopters as they develop their own implementation approach

Why RPA? Why now?

RPA involves the use of virtual workers, or software robots, to perform business tasks similar to human users. The main appeal for insurers is the ability to handle high-volume and complex data actions at exponentially greater speed than in the past.

RPA is also notably flexible, which makes it both business-enabling and IT-friendly. It can be deployed alone or with other technologies across the claims value chain. For example, robotics can:

  • Automate discrete tasks or activities
  • Work in concert with other systems on transaction processing, data manipulation, communication and response triggering
  • Facilitate straight-through or “no-touch” processing, working alongside analytics tool sets and other cognitive technologies, such as machine learning and natural language processing

The cost of entry for RPA in terms of financial commitment and deployment requirements is low, compared with other technologies. There is no disruptive “rip and replace” with RPA; proofs of concepts are straightforward to launch, which helps IT and business leaders get past their “not another technology” reluctance. And many benefits can be unlocked without large-scale process re-engineering.

See also: Insurtech Presents Major Opportunities

More than just overhauling the most routine administrative tasks, robotics creates capacity and expands the art of the possible in claims. While many assume robots simply replace human resources, RPA can – and should – be viewed as an enabler and a win-win for insurers and their workers.

RPA ROI: building the business case

A significant number of insurers have already implemented robotics, though few have done so at scale. ROI cycles for RPA can usually be measured in months rather than years. Most early adopters start with multiple functional “pilots” or proofs of concept that are completed in as little as 30 to 60 days. Broader, first-generation programs may take six to 12 months.

Increased capacity and focus on high-value work: Robotics can free knowledge workers from the burden of routine reporting, documentation and maintenance tasks. Instead, they can focus on areas where they can provide the most value, such as managing exceptions and dealing with high-risk and complex claims. A common approach is to use RPA to support straight-through processing for claims under a certain dollar threshold. RPA may also be used to handle basic data entry tasks for claims of any amount. Industry research has found that turnaround times for these types of claims may be reduced as much as 75%–85%, with 50%–70% of repetitive tasks effectively eliminated.

Higher quality and accuracy: Robots processing claims will no doubt be able to increase accuracy and reduce errors, whether related to sophisticated fraud or simple “fat-fingering,” for the vast majority of routine claims. Indeed, robots are uniquely qualified to assist quality assurance (QA) staff, given their ability to scan large quantities of data and transactions almost instantaneously. For example, RPA can help identify potentially fraudulent claims by flagging data outliers. Further, in the realm of compliance, RPA helps strengthen and streamline adherence to standard audit, risk, privacy and security policies and protocols.

Increased scalability: RPA is a natural solution for insurers that need to add temporary capacity to deal with seasonal spikes in claims activity or after catastrophes. The virtual workforce can scale to peak loads without overtime and establish 24/7 processing. For example, RPA enables insurers to increase the amount of new loss intake capabilities without a corresponding increase in first notification of loss (FNOL) processing staff. The easy scalability also makes RPA a highly useful tool for insurers exploring shared services models for claims.

Higher customer satisfaction: In identifying processes that can be automated, leaders should also look for opportunities to enrich the customer experience. Speed, accuracy, transparency and level of service are what matters most to claimants. RPA helps on all those fronts by allowing claims professionals to focus on the “art” of claims adjusting and customer experience, as opposed to the transactional aspects. RPA can also accelerate innovation programs in customer engagement and experience. Business rules can be configured directly into the robotics to align with customer expectations for personalization and timely communications.

Strategic data usage: The quality gains and capacity improvements from RPA enable claims teams to shift from simply processing data to exploiting it for more accurate and timely reporting and insight generation. In this sense, RPA can actually be an empowering force, rather than a discouraging threat, to a claims workforce.

RPA in action: where to start the journey

The use of robots and automation can take many forms in claims, including both customer-facing and back-office functions and tasks. The following represent the most common and promising use cases across the industry:

    1. Streamlining vendor applications and estimating: Most current estimating processes require adjusters or others to rekey data from one form or system to another. Robotics along with enabling technology such as optical character recognition (OCR) can eliminate that duplicate effort by bridging the gap between claims systems, vendor apps and third-party estimating systems.
    2. Capturing and managing claimant data: RPA can be on the receiving end of claims submissions, especially those that typically include photos from customers. Robots can ensure the right information ends up in the right systems and attached to the right claims. As such, they ensure human representatives have the information they need to move claims forward and respond to customer inquiries. Customers who prefer self-service also benefit when submitted information is more readily accessible.
    3. Streamlining, automating and enhancing communications: Claimant communication remains a largely manual undertaking, requiring adjusters or other claims staff to initiate and, in some cases, monitor the process. RPA can help operationalize smart rules so the right letter (e.g., one required to be sent 30 days after a loss is reported) reaches the right claimant at the right time through the right channel. For instance, robots can pull data from claims submission forms and pre-populate letters that are typically housed in other systems and map distribution to customer preferences.
    4. Scanning, indexing and converting forms and data: RPA has proven especially proficient at pulling data from standard fields on medical bills, from claimant name and address, to provide information to coding details. Standard in name only, these forms are a common source of errors. Similarly, RPA can transfer and convert data across older claims systems that may be used by individual product lines or regions to newer enterprise systems.
    5. Validating payments: Conventional wisdom holds that 3-5% of claims payments are inaccurate, though no one knows for sure, given the difficulty and expense in auditing all claims. The key is robots’ ability to quickly and cost-effectively run QA on entire populations of forms and payments, rather than just a small sample. For example, rather than auditors discovering a $5,000 payment on a $500 settlement months after a customer has cashed the check, robots can flag the disparity beforehand. Further, they can help deliver the information and intelligence so that human analysts can investigate anomalies proactively.
    6. Customer-facing enhancements: RPA can alleviate the need for time-consuming and costly adjuster input by supporting customer-friendly apps for capturing photos of fender-bender car accidents and submitting all claims submission forms with just a few taps and swipes. Chatbots, another automation tool easily integrated with RPA, are already handling many routine communications tasks, including notifications of settlements and customer inquiries into claim status.
    7. Integrating other enabling technologies: RPA will become more prevalent, especially as claims groups adopt other enabling technologies. For instance, AI-powered bots will likely handle the inputs from drones conducting standard property inspections or surveying damage after catastrophic storms. Integrating RPA with machine learning and natural language processing (NLP) can enable the initiation of new claims and issue first notice of loss (FNOL) communications by scanning and analyzing unstructured communications, including emails from agents or even voice interactions. Robots will also be used widely in the real-time review of social media streams to assess claims severity and reduce fraud. RPA will receive and route advanced telematics data (including video imagery) that will be instantaneously captured during automobile accidents and downloaded from the cloud, automatically
      triggering an FNOL entry.

Suggested approach and lessons learned: following the leaders

Significant numbers of insurers are already using RPA in their claims organizations. In designing the business case for robotics, claims leaders should seek an incremental approach, adopting more ambitious use cases once they have built momentum and demonstrated results through initial and targeted deployments. With RPA, there’s no need to try do too much too fast, which may be attractive for insurance executives seeking to minimize risk and disruption in their adoption of enabling technologies. Further, an incremental approach can help organizations overcome their natural wariness toward RPA in terms of its workforce impacts.

See also: Robots and AI—It’s Just the Beginning  

The following lessons learned come from early adopters:

Target the opportunities: In developing a business case and tangible ROI model, specific tactical questions can lead to the right strategy as well as clarify the highest priorities for near-term automation. Finding answers may require a robust assessment of current capabilities and the completion of a cost-benefit analysis, given that the candidates for automation may number into the dozens.

Engage IT early and often: To ensure a smooth implementation and integration with other systems, there are many important infrastructure, governance and security questions to address. IT leaders reluctant to deploy another technology in the claims “stack” should consider how RPA can support strategic platform upgrades and those mandated by regulatory change. Most RPA tools are product- and platform-agnostic and work with existing IT architecture.

Find the right partner: External vendors and suppliers – including insurtechs, consultants and systems integrators – will be part of the solution, so it’s important to choose wisely. Beyond technical expertise, look for those firms with deep technical and operational claims knowledge, including a clear understanding of how it affects the customer experience.

Don’t overlook the organizational factors: As with other “digital” initiatives, claims leaders must invest time and resources in education and, if necessary, evangelization regarding the use of RPA. The delicate matter of robots taking over jobs should be addressed, most likely in the context of the need to reskill claims workers, as the role will evolve to become more analytical and more focused on customer needs and the most complex claims.

The bottom line: RPA is critical to the evolving claims process

The time for adopting robotics in claims has come, due primarily to the compelling business case and imperative for claims leaders to enhance performance and contribute more value to the business. Robotics can serve as a foundation in supporting true, end-to-end automation when integrated with other advanced technologies, such as OCR, chatbots, machine learning and NLP.

Indeed, as multiple early adopters have made clear, RPA is ready to help claims organizations advance and enhance outcomes in the digital era through increased automation, higher productivity and increased capacity and strategic focus for claims professionals.

RPA is among the top enabling technologies insurers should consider adopting in claims, as well as other parts of the organization, due to:

  • Low cost
  • The path to ROI
  • Manageable deployment requirements
  • Flexible use cases

For the full report on which this article is based, click here.

Healthcare Firms on Hit List for Fines

When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A “tablet” referred to a pill. And the typical cyber attack aimed to simply deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the U.S. are documented, stored and shared in electronic form.

And the threat landscape has been evolving, as well.

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.

See also: Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

In response, federal authorities have stepped up enforcement actions against healthcare organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.6 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

The fines levied by the Department of Health and Human Services’ Office of Civil Rights (OCR) in 2016 surpassed any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 were hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to healthcare providers.

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. This “is definitely enough to get the attention of healthcare organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that affect 500 or more individuals, shows a steady growth each year.

In 2010, 198 incidents were reported to OCR, compared with 296 in 2014 and 269 in 2015. This trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put healthcare at the top of all other industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their healthcare organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Sinking teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that healthcare organizations consider (HIPAA) as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule, says, “When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance.” The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement — $100,000 — didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.

See also: Will You Be the Broker of the Future?  

What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and increased the maximum to $1.5 million instead of $25,000 per identical violation. It also extended HIPAA to business associates.

The addition of business associates was significant, considering a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks versus a little more than 20 million people affected by about 700 incidents involving theft (laptops, media, etc.).

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015, there were 57.

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every healthcare organization have a policy.

“Healthcare organizations will have to take security into account to reduce the cost of premiums,” he says.

See also: Can InsurTech Make Miracles in Health?  

In the meantime, the increased OCR enforcement could create a stronger incentive for healthcare organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”

More stories related to HIPAA and health records:
Hospital hacks show HIPAA might be dangerous to our health
Encrypting medical records is vital for patient security
Healthcare data at risk: Internet of Things facilitates healthcare data breaches

This article originally appeared on Third Certainty. It was written by Rodika Tollefson.

Hard Lessons on Protecting Health Data

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required for CardioNet to settle potential charges of noncompliance with the Health Insurance and Portability Act (HIPAA) Privacy and Security Rules contains many important lessons for other healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement payment and implementing a corrective action plan to settle potential OCR charges it violated HIPAA by impermissible disclosure of unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) announced by OCR on April 24, 2017, adds to the rapidly growing list of announced OCR HIPAA enforcement actions that clearly show all covered entities and their business associates the substantial enforcement liability risks of failing to finalize and actually adopt, implement, administer and maintain the necessary HIPAA Privacy and Security policies and procedures required by HIPAA as well as some of the steps OCR expects to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of ePHI 2,219 individuals.

The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.

See also: Healthcare Buyers Need Clearer Choices

To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise, its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flashdrives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions and other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:

  • Like many previous resolution agreements announced by OCR, the resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process OCR expects all laptop computers and other mobile devices containing or with access to ePHI will be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The discussion and requirements in the corrective action plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardiNet makes clear that OCR remains serious about HIPAA enforcement.

While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations.

In January 2017, for instance, OCR announced Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies that resulted from its failure to take appropriate, well-documented actions to timely to secure ePHI on systems and mobile devices and other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporates Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

See also: Healthcare Disruption: Providers Are Making Newspaper Industry Mistakes  

Beyond, and regardless of the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation, admission also typically are the most inevitable:

  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.

In light of these risks, covered entities business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

Is Your Work Comp Doctor a P.O. Box?

Are your workers’ compensation medical doctors treating injured workers from a P.O. Box? That may sound ludicrous, but most workers’ compensation data suggests just that. The rendering physician’s address is a P.O. Box.

In the past, documenting only the provider’s mailing address was acceptable because that and a tax ID were all that were needed to pay bills and file 1099s. Now, having more complete data has become profoundly important.

Data on providers is scrutinized to determine medical performance, claim cost and outcome. Accurate analysis relies on the data-complete data. Rendering physicians must be documented on the bill so that their performance is accurately tied to the correct injured worker and claim in the data. Including the 1) treating physician’s name, 2) physical location and 3) NPI number of the rendering provider on each bill lets analytics tell us who are the best and why. When those three little data elements are missing, so is any useful information for medical management.

When the data contains group or facility demographics without the rendering physician’s name, the actual treating physician cannot be linked to the claim. Performance cannot be logically averaged among all the providers in the group. Obviously, not every treating provider is equally gifted or competent.

The HCFA (Health Care Finance Administration) standardized form has a box to document the rendering provider’s name and NPI (National Provider Identification). That box must be used.

Sometimes, the name of the provider is documented on the billing form but is not captured in the OCR (optical character recognition) process, whereby the data on the bill is translated to a digital form.

Even when bills are submitted electronically, that data element, while present, may not be forwarded. The digital bill is usually handed off to a bill review service that analyzes the appropriateness of the charges and passes its conclusions on to the payer. Rarely is all the information from the HCFA billing form passed on to the payer. The provider information that is handed off may be just the billing address and tax ID.

Sometimes, the name and NPI of the rendering physician are omitted simply because it has always been done that way. No one has thought to change the procedure.

In other words: Retrieving definitive provider demographics might be a simple matter of requesting it!

Sometimes, though, the reason accurate data is missing may be more sinister. The Centers for Medicare and Medicaid Services (CMS) requires the rendering physician name and NPI number on bills submitted to Medicaid and Medicare. CMS simply withholds payment on bills without that information. But those standards are not applied in workers’ compensation. The frequent result is bad or misleading data, but it can be even worse.

Unfortunately, omitting the name and NPI of the rendering physician is sometimes deliberate. This could be strategic or actual fraud. Some large multi-specialty medical groups and multi-location practices deliberately omit such information because they want the anonymity for their individual practitioners. They want to avoid measurement of their providers’ performance. They do not want individuals identified, not even by the location in which they practice. All the providers in the group treat from a P.O. Box and under the group NPI number.

Some providers deliberately obfuscate the data so they can stay under the radar to overbill. They submit different addresses and even different NPI numbers on their bills. The practice is clearly fraudulent because CMS expects that one physician or other medical provider is assigned one NPI. Providers who commit fraud also circumvent CMS.

The solution

Regardless of the reason for bad medical provider data, payers can correct the problem by demanding more. Often, the solution is as simple as asking the bill review service for more complete data. Further upstream, it might be as simple as requiring all providers in a network to include the name and NPI of the actual treating physician on the HCFA billing form.

All you require is the 1) rendering physician’s name, 2) physical location and 3) NPI number with every bill. With that information, the best and worst providers can be identified, and the fraudulent ones exposed.

7 Ways Your Data Can Hurt You

Your data could be your most valuable asset, and participants in the workers’ compensation industry have loads available because they have been collecting and storing data for decades. Yet few analyze data to improve processes and outcomes or to take action in a timely way.

Analytics (data analysis) is crucial to all businesses today to gain insights into product and service quality and business profitability, and to measure value contributed. But processes need to be examined regarding how data is collected, analyzed and reported. Begin by examining these seven ways data can hurt or help.

1. Data silos

Data silos are common in workers’ compensation. Individual data sets are used within organizations and by their vendors to document claim activity. Without interoperability (the ability of a system to work with other systems without special effort on the part of the user) or data integration, the silos naturally fragment the data, making it difficult to gain full understanding of the claim and its multiple issues. A comprehensive view of a claim includes all its associated data.

2. Unstructured data

Unstructured documentation, in the form of notes, leaves valuable information on the table. Notes sections of systems contain important information that cannot be readily integrated into the business intelligence. The cure is to incorporate data elements such as drop-down lists to describe events, facts and actions taken. Such data elements provide claim knowledge and can be monitored and measured.

3. Errors and omissions

Manual data entry is tedious work and often results in skipped data fields and erroneous content. When users are unsure of what should be entered into a data field, they might make up the input or simply skip the task. Management has a responsibility to hold data entry people accountable for what they add to the system. It matters.

Errors and omissions can also occur when data is extracted by an OCR methodology. Optical character recognition is the recognition of printed or written text characters by a computer. Interpretation should be reviewed regularly for accuracy and to be sure the entire scope of content is being retrieved and added to the data set. Changing business needs may result in new data requirements.

4. Human factors

Other human factors also affect data quality. One is intimidation by IT (information technology). Usually this is not intended, but remember that people in IT are not claims adjusters or case managers. The things of interest and concern to them can be completely different, and they use different language to describe those things.

People in business units often have difficulty describing to IT what they need or want. When IT says a request will be difficult or time-consuming, the best response is to persist.

5. Timeliness

There needs to be timely appropriate reporting of critical information found in current data. The data can often reveal important facts that can be reported automatically and acted upon quickly to minimize damage. Systems should be used to continually monitor the data and report, thereby gaining workflow efficiencies. Time is of the essence.

6. Data fraud

Fraud finds its way into workers’ compensation in many ways, even into its data. The most common data fraud is found in billing—overbilling, misrepresenting diagnoses to justify procedures and duplicate billing are a few of the methods. Bill review companies endeavor to uncover these hoaxes.

Another, less obvious means of fraud is through confusion. A provider may use multiple tax IDs or NPIs (national provider numbers) to obscure the fact that a whole set of bills are coming from the same individual or group. The system will consider the multiple identities as different and not capture the culprit. Providers can achieve the same result by using different names and addresses on bills. Analysis of provider performance is made difficult or impossible when the provider cannot be accurately identified.

7. Data as a work-in-process tool

Data can be used as a work-in-process tool for decision support, workflow analysis, quality measurement and cost assessment, among other initiatives. Timely, actionable information can be applied to work flow and to services to optimize quality performance and cost control.

Accurate and efficient claims data management is critical to quality, outcome and cost management. When data accuracy and integrity is overlooked as an important management responsibility, it will hurt the organization.