CAQH Passwords on Application forms: A Halloween Horror Story 

by Adrienne Bolger

Happy Halloween! Today, I’m here to tell you a story so awful, so nightmarish that it will have anyone who has ever worked remotely near an IT department sleeping with the lights on. No, it’s not “IT Chapter Two” or “Get Out”. Instead, this story is about how a well-intentioned organization caused physicians to hand out their personal account passwords like Halloween candy corn, and their employers joined right in to help. 

Once upon a time, there was (and still is) a nonprofit called the CAQH, set up by insurance companies to try and reduce paperwork. They created a product called CAQH ProView that “… eliminates duplicative paperwork with organizations that require your professional and practice information for claims administration, credentialing, directory services, and more.” Their goal was to reduce duplicated paperwork for providers and insurance companies, and the future was looking bright. 

But, darkness fell across the land. Physicians were expected to enter data into a long, complicated form, and when a physician made a mistake, the insurance carriers who used the CAQH used incomplete or incorrectly filled out forms as a reason to delay or deny coverage approvals. A mistake on a CAQH profile could cost a physician months in lost revenue, making such mistakes an unacceptable loss. 

Physicians and their employers turned to the champions of light and order: their own medical staff offices and outsourced credentialing specialists who were experts at filling out the paperwork exactly right and guaranteeing proper processing, but now there was a problem: these experts and paperwork ninjas could collect data from physicians, but CAQH ProView profiles were supposed to be attested by the physician. The 3rd party experts had no ability to access the data with their own unique user-names and passwords as this is not the type of access allowed by the current structure of CAQH. Practice managers ran into trouble because physicians many times work at more than one practice. Each of these practices would then compete for control of the data contained in a physician’s CAQH profile. So institutions nation-wide struck a deal with the devil and started sending out employment and medical staff application forms that look like this: 

caqh application

The deal was struck, and it still stands today: if payers won’t accept information that actual physicians can reasonably provide with their time and knowledge available, then payers aren’t going to get the application filled in by the actual physician. 

This is the stuff of IT nightmares: once a password is out there, anyone from the organization who can see the application can see it or use the password. What’s more, because it’s being shared between multiple people who are responsible for the account, it can never be changed, lest the office manager becomes unable to update it. God forbid the provider used that password on some other account as well, as is still common (even if not recommended). If the CAQH is compromised, and they try to re-secure their own user base by resetting the passwords of all their users (a common strategy after a known data breach), they will destroy the workflow of thousands of people. 

Horror stories like this are often used to teach lessons, so what can other tech companies and IT departments in healthcare do to avoid getting their souls stolen in such a deal? Well, one is usability: if you make a form so difficult to fill out that 95% of your intended users do it wrong, that’s on you, not on your users. My boss from my first internship taught me a hard lesson in design that’s stuck with me: “The user is never the stupid one.” Even more so in this case, since your intended user probably has an MD! 

The second lesson is a little more sophisticated, but can be summed up by a quote from a smart former co-worker of mine who runs a blog on software design: “Remove the word ‘user’ from your vocabulary and replace it with something more specific”.  Did you design for the office staffer, the physician, the manager, the employer, and the CVO contractor? All of them count as the user, and all of them get paid to get s*** done, whether or not it means using your software in the way the instruction manual states. 

Happy Halloween! May your code be free of bugs and devils!