The Health Care Infrastructure Improvement Act of 2000

Chairman Horn, Congressman Turner, other distinguished members of the Committee, thank you for inviting me to discuss the Health Care Financing Administration’s (HCFA) information technology architecture and H.R. 4401, the "Health Care Infrastructure Improvement Act of 2000." We appreciate the opportunity to share our information technology plans and vision for achieving goals espoused in H.R. 4401.

Assuring access to health care services for our beneficiaries is a priority for our Agency and the need for cutting-edge modern information technology, and a strategic information technology vision, are both critical to this mission. Today’s health care industry is becoming increasingly data- and technology-intensive. As a result, the demands on our outdated information technology architecture are greater than ever before. We must modernize and expand our capabilities in order to meet today's needs and tomorrow’s challenges.

Medicare is already the most highly automated, most efficient, fastest payer in the health insurance industry, despite our archaic information technology environment. Our costs are roughly $1 to $2 to process each claim, compared to $6 to $10 or more for private insurers. Over 90 percent of Medicare claims are processed electronically, and we pay those claims on average in 14.9 days after receipt. Most providers must wait far longer to receive claims payment from commercial insurers. Nonetheless, there is an urgent need to update our systems.

We learned a great deal about how to proceed last year when, in partnership with Congress and over one million health care providers across the country, we successfully met the Year 2000 challenge. Now, with our resources no longer committed to that effort, we are refocusing on the technological promise of the new millennium with a comprehensive plan to modernize our systems architecture. It will support more efficient operations and be easier and less expensive to maintain. It also will help us develop innovative ways to manage data, be more responsive to new initiatives, and support efforts to improve health outcomes for our beneficiaries.

Your legislation, H.R. 4401, Mr. Chairman, includes several substantive suggestions for meeting those goals. We strongly agree with the bill's information technology service concepts. However, the mechanisms and means raise some concerns about potential program integrity problems and other serious unintended consequences that we need to understand. This Subcommittee's continuing support in this critical area is much appreciated. The need to modernize our systems is urgent. I can assure you that this continues to be a key priority of our Administrator, Nancy-Ann DeParle. And, as Chief Information Officer, it is my number one goal.

To effectively discuss the issues raised in H.R. 4401, it is important for us to understand the context of Medicare’s current, complex information technology environment. The complexity of this environment is driven by the increasingly data-intensive nature of modern health care and as we strive to meet our mission of providing health insurance coverage to some 39 million older and disabled Americans. Expanded responsibilities resulting from legislation, such as the Health Insurance Portability and Accountability Act, the Balanced Budget Act, and the recent Balanced Budget Refinement Act, also challenge us to continually amend our systems. We need to provide timely solutions and ready access to information for a wide-variety of customers. But our overall ability to do so is limited by the outdated nature of our current information technology infrastructure.

Our current information technology infrastructure is made up over 100 different "legacy" systems -- operations that were developed at the outset of the Medicare program some 35 years ago. They are automated, but reflect the business and design philosophies of the mid 1960s, an era when claims processing was largely done with paper and computers were seen only as efficient ways of automating manual processes. The large number of systems is an artifact of the historical structure of the program which, by law, relies on a number of different private insurance companies to process and pay claims. Each of these claims processing contractors has been free to develop their own unique information technology and business processes.

As a result, each Medicare business function is today a separate monolithic, "stovepipe" system with limited ability to locate information and share information with other systems. While these systems tend to be quite efficient at what they were designed to do, they can only produce and process data in a limited "batch-wise" fashion and the results are not always of the desired quality. These stovepipe systems are also restricted in their ability to accommodate unstructured information, such as documents, e-mail, or on-line services. In addition, the overall structure of these systems is generally not well documented, and any existing documentation may not be complete, since the systems were added to and changed over time in a patchwork fashion.

Prompt access to accurate and wide-ranging data about beneficiaries, program trends and costs, and other financial information is critical to the long-range success of the Medicare program. Data about beneficiary needs and characteristics are essential for assessing beneficiaries’ functional status over time, conducting appropriate beneficiary education programs, and reaching vulnerable populations. Also, comparative data, benchmark and quality indicators, and outcome-oriented measures are needed to help us to ensure that beneficiaries have access to new technologies and emerging medical practices, as well as to measure the effectiveness of our programs and policies.

Similarly, beneficiary outcome and assessment data are critical to our ability to evaluate different service delivery models or specific intervention strategies. Data also are helpful in highlighting population or treatment setting trends, or the impact of program changes on different beneficiary groups. Finally, improving our access to cost and financial data related to our policies and programs, particular interventions or outcomes, or different types of service delivery, will help us to more effectively evaluate various financing options and expenditure trends, as well as detect and prevent fraud, waste, and abuse.

Our information technology vision, developed in the first several months after I was appointed as HCFA Chief Information Officer, has several key goals. They include:

We also want to take advantage of modern day advances that make it possible for us to adapt information technology to support our business processes, not the reverse. In the past, our information processing operations were defined by the capabilities of existing technology and how best to adapt our business processes to existing proprietary technology. Under our information technology vision, the information itself, not the stovepipe processing of the information, will be the structure’s foundation.

Under this new systems architecture, data management becomes the core process, and all individual business practices, such as claim processing, financial audits, or research queries, are viewed as data operations.

This information-centric architecture resembles a "sunflower-like" model, which optimizes the management of information and the efficient flow of information.

Under the sunflower model, primary database management occurs in the middle, or core, and individual business functions are supported by specialized systems represented by petals. All databases are accessible by the various business processes, supported by modular systems that are compatible with different programs, and accessible by various business processes through standard interfaces. This model provides prompt and broad access to data, is highly reliable, and ensures flexibility, allowing us to quickly respond to local system variations, future needs, and emerging technologies.

The first step in reaching these goals is standardizing Medicare’s claims processing systems. By mid-2003, we anticipate having a single system for processing Medicare Part A claims, a single system for most Part B claims, and a single system for durable medical equipment claims, rather than several monolithic systems that we have had.

We also are now assessing the current capabilities of our Common Working File, which is the current linchpin of our claims processing system. And we are evaluating options for an integrated general ledger accounting system to better control and monitor Medicare accounting functions at our Central Office headquarters in Baltimore and at our claims processing contractors.

These are just the first steps. As we move forward, it is critical that we prudently plan our overall systems modernization effort and take incremental steps to achieve our goals. The difficult lessons learned in our efforts to implement the Medicare Transaction System make clear that a "big bang" approach is not appropriate or feasible. We are committed to following the astute guidance of the Clinger-Cohen Act that prescribed concise, well-planned, and strongly managed modernization.

We greatly appreciate this Subcommittee’s support for our efforts to modernize Medicare’s information technology systems. Chairman Horn, the legislation you are sponsoring, the Health Care Infrastructure Improvement Act of 2000, includes some interesting provisions that could benefit beneficiaries, providers, and our program management. We would like to explore these ideas further with you. However, we also have some substantial concerns about the bill’s potential to negatively impact our program integrity efforts and have other unintended consequences.

Beneficiary Impact. The system that is envisioned by H.R. 4401 could help beneficiaries by giving them instant information on whether a specific service will be covered and what their copayment obligation will be. It also would raise important concerns about privacy.

Medicare has an excellent record of protecting the confidentiality of beneficiary information and we are working to further improve technical and administrative security controls in our claims processing systems. For example, we are implementing a Medicare Contractor Information System Security Initiative to improve security controls in contractor claims processing systems. We also intend to make future investments in technical controls like intrusion detection and data encryption.

We are concerned, however, that the system as proposed in H.R. 4401 could greatly increase the possibility of security breaches. The system would afford immediate and unprecedented electronic access to beneficiary eligibility, entitlement, utilization, and claims data to providers. Many experts, including me, believe that insiders with access represent the greatest risk to security and privacy of beneficiary data.

Use of "smart card" technology also raises additional security and privacy issues that must be evaluated and addressed. Strong, national-scale protections would be needed, such as individual identifiers for every beneficiary and provider, (known as "public key infrastructure") in order to be confident of any such system’s ability to adequately ensure the privacy of individual health data. While we have participated in efforts to develop such a system, there are many difficult, unresolved issues. These issues include additional administrative requirements and costs for providers. And the Administration has rightfully decided not to proceed with the issuance of personal identity cards until privacy protections are in place.

Provider Impact. The system that is envisioned by H.R. 4401 might have important benefits for physicians and other Medicare providers. For example, allowing providers to know in real time whether a claim has been filed properly and how to correct any mistakes has obvious advantages. There would be an ability to establish links to further explanation of rules and local medical review policies. And there would be the potential for providers to use just one Internet site to submit claims and access coverage information for all patients, whether covered by Medicare, commercial, or other insurers.

However, there may be some unintended consequences for providers with the system. Even with use of the Internet, there may be substantial costs for point-of-service terminals in all provider offices, especially if such a system uses smart cards that record beneficiary information. We must remember that the cost, even if relatively small per unit, would be multiplied by the more than one million providers who provide care to Medicare beneficiaries. Providers may have already invested in computer systems and networks whose functions are generally duplicated by the new terminals that might be necessary for such a system. Any new infrastructure proposal relying on new technologies would have to evaluate these impacts.

There also may be a potential to disrupt or increase costs for providers if they would need to conduct billing operations onsite during busy clinic hours instead of offsite or off-hours, as many do now. Providers with low-incomes and little current reliance on technology could be disadvantaged.

Prompt Payment. Medicare is already the fastest payer in the health insurance industry. We pay electronic claims on average in 16.5 days, which is much faster than private insurers. A recent study of private health insurance payers by the Ohio State Medical Association found that 42 percent missed the State’s statutory deadline of payment within 24 days for undisputed claims. Other data show that private payers typically reimburse paper claims only after 90 to 120 days. In fact, the law stipulates that, if our contractors do not pay claims within 30 days, we must pay interest on the claim. Therefore, we keep a close eye on ensuring that claims are paid timely.

Current law also mandates that we wait a minimum of 14 days to pay claims that have been submitted electronically, and 27 days for those submitted on paper. This requirement affords us time needed to conduct prepayment medical review. Prepayment medical review is an essential part of our program integrity efforts, and is far more cost-effective than the alternative known as "pay and chase," in which we must attempt to recoup funds that have been improperly paid out.

It also is important to understand that removing the 14-day minimum delay, as H.R. 4401 would do, would create a substantial, one-time charge to the Treasury that would have important implications on how this bill is scored, and may require a budgetary offset.

Program Integrity. The system that is envisioned in H.R. 4401 offers a number of positive features. It would make it easier to contact a beneficiary to confirm that services had, in fact, been delivered while the service delivery is still fresh in the beneficiary’s mind. It might also be easier to identify, analyze, and respond to fraudulent schemes more quickly.

However, as mentioned above, this system would severely limit our ability to conduct prepayment review. Many improper claims appear to be appropriate as submitted, and only by review of the medical record can errors be identified. Identifying these errors before payment is made is far more cost effective than the "pay and chase" approach that the system envisioned in H.R. 4401 would require.

The proposed system also inadvertently increases Medicare's vulnerability to abuse by supplying immediate feedback on why claims are rejected. This would allow unscrupulous providers to adjust the claims accordingly, and to resubmit fraudulent claims designed to evade our automatic payment error prevention system.

There also would be an increased potential for theft of a beneficiary’s personal identification and "smart cards" that could create new opportunities for fraud and abuse.

System Overhaul. The grand scope of H.R. 4401 seems appealing on its surface. However, Medicare’s own difficult experience with such an effort in our attempt to develop the Medicare Transaction System, along with similar experiences at other agencies, suggest that a good deal of caution is warranted before embarking on any such endeavor. We must remember the lessons of past efforts at our agency and others in attempting to build a single, "big-bang" system and, instead, plan our modernization carefully, proceed incrementally, and build modularly. We must take into account our own legacy systems, proceed incrementally, build modularly, plan meticulously, manage with prudence and savvy, and above all not bite off more than we can chew. The rapid evolution of information technology generally makes it unwise to specify specific goals and timeframes for 5 and 10 years in the future.

That is why we have incorporated the requirements set forth in the Clinger-Cohen Act and subsequent guidance from the Office of Management and Budget -- the so-called Raines’ Rules -- into our internal systems governance processes to ensure that our decision making is sound and disciplined. The Clinger-Cohen and Raines’ Rules investment management principles, such as prototyping, testing, feasibility and risk assessment, and risk mitigation, guide all of our information technology decisions. The Agency also established my position, Chief Information Officer, as the person responsible for overseeing the information technology investment and planning processes of our Agency. We work in close conjunction with the Department of Health and Human Services Chief Information Officer, John Callahan. And, as required by Clinger-Cohen, we carefully assess the needed resources and the financial impact of our information technology investments before we make any investments.

The separate commission as suggested under the legislation would seriously compromise our ability to maintain these essential safeguards. It would hamper successful planning and development practices as set forth in Clinger-Cohen. Furthermore, taking on such a questionable and ambitious endeavor would be particularly daunting for an external commission made up of individuals who have no experience with or understanding of Medicare’s unique structure and requirements. I do not believe such an undertaking could succeed without a principal role for Medicare’s own Chief Information Officer, the HHS Chief Information Officer, and extensive input from other Agency and Departmental information technology experts who do have this knowledge.

Moreover, the short implementation timeframes as called for in the legislation would not allow the Agency to follow sound management, design, and financial practices prior to implementing the new infrastructure. Separating the information technology from policy decisions is problematic and contrary to the principles embodied in our information technology architecture. Setting policy without understanding what is possible on the technology-side may force the design of a system that is impossible to build.

We share many of the strategic objectives of the legislation. However, we believe our current, careful management approach, which reflects the careful and deliberative management requirements of Clinger-Cohen, will lead to superior information technology decision-making, management, and investment.

We are making progress in modernizing our Medicare systems architecture. This effort will facilitate more efficient operations and help us to develop innovative and secure ways to manage and access data. Our ultimate goal is, of course, to improve health outcomes for the more than 39 million Americans who depend on the Medicare program every day. Undertaking such a large systems modernization effort is by no means a simple task, but with careful planning and by taking incremental steps I am confident we will meet this challenge successfully. We share many mutual information technology goals and we welcome your continued input as we move forward. Again, we appreciate your continued interest, and I am happy to answer your questions.