If CMS could be sued for HIPAA violations, it would be. But behind tales of government inefficiency and inertia is a tremendous debate. Summed up, the very technology that could solve our identity and fraud problems could open up tremendous privacy concerns.
Depending on who you talk to, Medicare fraud is estimated to be a $48- to $120-billion-a-year problem in the United States. Yet, for all the technology this country cranks out, surprisingly little so far has been applied to combating this problem. Could it take another act of Congress?
On August 15, Rep. Jim Gerlach, a Republican from Pennsylvania, introduced H.R. 3024, the Medicare Common Access Card Act of 2013.
Under the proposal, within 18 months of passage, the HHS secretary would conduct a pilot program utilizing smart card technology for Medicare beneficiaries.
Smart cards are devices that contain an embedded integrated circuit chip that can be either a secure microcontroller or equivalent memory, or a memory chip alone. That's the definition put forth by the Smart Card Alliance, a trade association that supports H.R. 3024. Other supporters include the AARP, the ACPE (American College of Physician Executives) and the AAOS (American Association of Orthopaedic Surgeons).
Smart card technology is already commonplace in employee key cards, transit cards, credit cards (outside the U.S., and in the U.S. starting by 2015), and more. I even have a smart card that allows me to easily rent bicycle locker space at transit stations in the San Francisco Bay Area, at the big-ticket rate of 1 to 3 cents per hour.
Meanwhile, today's Medicare card is a piece of paper with no intelligence. Dare I say it, it's downright stupid. That's because the Medicare member's Social Security number is printed right on the card.
Yes, that means everyone who comes in contact with that card, from clerks on their first day on the job to EMTs making a midnight run, has access to that Social Security number.
If CMS could be sued for HIPAA violations, it would be.
But since it can't, I am left wondering why Medicare is so far behind the rest of society, and facing its own share of responsibility for the fraud and inefficiency so often ascribed to it. The truth is that behind tales of the same old government inefficiency and inertia is a tremendous debate about the role that digital identity plays in our modern world.
Summed up, the very technology that could solve our identity and fraud problems could open up tremendous privacy concerns, due to the very powerful effect that digitizing all our personal details has on the ability to aggregate and, unfortunately, abuse that information.
5 Data Problems
1. Consumers have no easy way to read the information stored on the smart cards they carry. So they can't verify the accuracy of that information without a lot more help.
2. Smart cards may help verify a patient's identity at the clinic, but they provide no benefit for the consumer at home trying to log into a patient portal or other online health services, again because there are no home readers or standards for same.
3. Government is really good at building silos of information, one act of Congress at a time. Government is really bad at integrating these silos of information quickly or inexpensively. At a HIMSS analytics conference this June, one speaker said that CMS alone has multiple data warehouses, built over the years, which have great difficulty sharing information with each other.
4. HIPAA currently has a prohibition against the federal government planning or even researching a national patient identifier system. H.R. 3024 claims the Medicare smart card pilot will be compliant with HIPAA. That should be interesting to watch, particularly after the HHS lawyers get through with it.
5. Should we have a smart card for every possible use in society? That's the direction modern society is going. Library cards, brand loyalty cards, insurance cards, keys as cards – they're all getting smarter. But no one is making wallets any bigger. Or if they are, they shouldn't be. We will need flexibility, so at the consumer's discretion, they can use one smart card in multiple ways.
With all these problems, it's no wonder that "analysis paralysis" seems to be the order of the day. Now let me suggest what can be done about it.
5 Proposals
1. We should let Rep. Gerlach and his Medicare smart card allies make their case. Similar legislation was introduced in the last Congress but didn't get anywhere. This time, let's hold a hearing. Capitol Hill holds lots of hearings about what's wrong with healthcare in this country. It's time for (another) hearing or two about the role that technology can play to solve the identity problem, the fraud problem, and the problem of Congress building one information silo after another.
2. Let's look around the world to see if anyone else has solved this problem, and see what we can learn from them. Taiwan has the lowest administrative cost of healthcare in the world – two percent, according to Kelli Emerick, executive director of the SecureID Coalition. One reason: They use smart cards. And I am told that Canada may have some clever ways to roll out a national patient identifier.
3. Let's put some effort into the public/private partnership that is NSTIC, the National Strategy for Trusted Identities in Cyberspace. It is the umbrella group established by executive order in 2011. NSTIC describes an "identity ecosystem" that allows individuals and organizations to trust each other through a set of agreed-upon standards and practices.
NSTIC has convened a healthcare committee which has regular conference calls, and could benefit from greater participation by providers. Already, a number of major stakeholders are participating. It is also conducting its own pilot, with the help of five awardees.
4. Engage with a group that's just been announced, the Medicare Identity Fraud Alliance. Supporters include AARP, Blue Cross and Blue Shield Association, Consumer Federation of America, ID Experts, Identity Theft Resource Center, and National Health Care Anti-Fraud Association. Get some providers involved in that effort, for a less piecemeal approach.
5. Pay attention to Patient Privacy Rights (PPR), a nonprofit which spearheads efforts in this area and hosts an annual conference, where the story recently broke of hospitals providing re-identifiable information via public health reporting requirements.
Adrian Gropper, MD is PPR's chief technology officer. He has a deep understanding of NSTIC's concept of the identity ecosystem. We spoke last week and I noted the irony that NSTIC faces challenges receiving further funding to solve the identity problem the right way, while at the same time H.R. 3024 proposes allocating $29 million for the Medicare Smart Card pilot.
Maybe these two government initiatives should get together and share expertise and funds, I suggested to Gropper.
"That's a very nice idea," Gropper told me.
Now before you write me, yes there are many other ways to fight Medicare fraud with technology other than figuring out the identity and smart card problems. Algorithms are already at work, and getting smarter, at detecting patterns of abuse. The Medicare regulations themselves probably still contain an encyclopedia's worth of loopholes that permit waste and fraud, loopholes that should be closed.
But in an age when libraries do a better job of protecting our privacy than healthcare does, and when the average wallet has an impressive array of security-powered smart cards, surely Medicare, and the rest of the healthcare system, can be doing better than it is.
Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.