December 24, 2011

Five Steps to EHR: A .Gov Primer

Now that electronic health record software is a virtual necessity for a productive practice, offers a common-sensical five-step plan for implementing EHR in a practice. A number of years ago, we worked with the national Blue Cross and Blue Shield Association to create a case-based analysis of the EHR scenario. That publication outlined the efforts of many practices to incorporate EHR into multi-physician practcies. Check out the current wisdom at

October 10, 2011

Phone Messaging: New Channel to Physicians

It's wildly hit-and-miss -- much like email spam -- but marketers are increasingly using bulk text messaging to penetrate the armor cladding of physician offices. And it's a wide open opportunity; physician office phone numbers are openly published, unlike email addresses. Fax numbers are available too (CarePrecise provider data includes both phone and fax numbers, up to four numbers per record, and we know that it is widely used for marketing to physicians), but "faxpam" doesn't have the same high-tech glamor. Unlike a fax broadcast, text messaging allows marketers to embed a live link to a web landing page, as well as an instantly accessible means for recipients to opt out, making bulk SMS marketing just a little bit more respectable. (Ever tried to get a faxpammer to stop? Ha!)

So what's the difference between bulk SMS cold-calling and plain old spam? Not much, except that it's newer and less fraught with sleaze. And here's something more: It's not free, so spammers can't just set up a computer and start sending 100 million spam messages a day at essentially no cost. Text messaging to phones requires that you have an SMS gateway, or an account with a service provider who has one. These are available to bulk senders, but at a price. Okay, it's not exactly postage, but it's at least a price.

Among the numerous offerings for bulk SMS gateway and software services are Mobomix and TXTwire. Both offer essentially unlimited sending with premium accounts, but both enforce opt-in requirements. That is, you can't just upload a database of phone numbers, such as the 5 million or so in the CarePrecise database, and start texting. Instead, these services require that you are sending only to your own customers or others who have explicitly said, "Yeah, okay, text me spam."

Of course, there's always a workaround. Another company, SMScountry, offers an Excel plug in that lets you send personalized text messages. While they have a similar anti-spam policy, the way the system works would make it difficult to police. As with all bulk SMS systems, it isn't particularly easy for a recipient to contact the carrier to complain. The carrier backbone for SMS is a bit primitive compared with that of email, and there are fewer hooks for filtering messages by the carriers, should they ever want to do what ISPs are doing about email spam. It's pretty much up to the owner of the gateway.

In the war between marketers and physicians, both sides escalate as new weapons or defenses arise. A fax isn't likely to ever see a doctor's spectacles, but that same unreachable physician isn't really that unreachable if you can get his email address or phone number. Naturally, it helps to have her mobile number rather than just the office phone, for obvious reasons. But if you've got a product to sell to docs, any opening is a huge gaping hole, and, even if the text message gets converted to a computer-voiced voice mail message, and, even if only the smallest percentage reach a bona fide phyz, maybe paying $60 a month for a bulk gateway account with few limits sounds good to you. And a good many of those published numbers are cell phones, some portion of them presumably reaching right into a doctor's pocket.

Bulk SMS has its Whitehat side, of course. Services that allow you to enter your customers' account info and send text billing notices, patient appointment reminders, among a host of other applications, are opening up the commercial use of phone messaging. I opted in for a J.C. Penney's coupon texting service, and I use it.

But let's say you've got a nice big customer list, folks who freely gave you their phone numbers (long before the advent of SMSpam, but still...). Can you send em all a coupon, or a new product announcement, or an offer of a free EHR assessment? I want to say no, but we send these same customers more-or-less "unsolicited" email, at least in the sense that they never explicitely said "Send me your coupons," but something more like "Send me product update notices via your monthly newsletter." That phone number was optional, right? Houston, we have achieved opt-in.

Certain advantages of smartphones, such as the ability to blacklist messagers, are a helpful control. The barriers to entry are currently very high for an SMSpammer who wants to set up his own unrestricted gateway, so he'll be using these third party services and, perhaps, have to behave himself. But look for text marketing to grow wildly in the near future.

Check out our page on Marketing to Healthcare Providers.

September 21, 2011

Nifty Licensing Agency Contact Resource

Want to know who the various healthcare provider licensing entities are for a given state? Palmetto GBA has made that a piece of cake now. Their new database of licensing requirements (primarily for use by DME suppliers) includes the licensing bodies for each state. For example, here's what they show for New York:

1)New York State Board of Pharmacy
Phone: 518-474-3817 extension 130 extension 130
- Registered Pharmacy Establishment Certificate
2)New York State Board of Pharmacy, Office of the Professions
Phone: 518-474-3817 extension 250 extension 250
- Ophthalmic Dispenser License
3)New York State Board of Respiratory Therapy
Phone: 518-474-3817 extension 120 extension 120
- Respiratory Therapist
4)New York State Education Department, Office of the Professions
Phone: 518-474-3817 extension 591 extension 591
- Optometrist License
- Physician License
5)New York Department of Health
Phone: 518-402-1016
- Ambulatory Surgical Center
- Home Health License
- Hospital License
- Nursing Home Administrator License
- Nursing Home License

Another table shows the type of provider with a link to the number (as listed above), and still another nifty feature lets you choose a healthcare product or service from a dropdown, and jumps you to a listing of the various licensing requirements. Kudos!


The origin of ALL YOUR (insert asset here) ARE BELONG TO US#sslsecurityhack SSL/TLS, the encryption system that has been keeping online credit card transactions and HIPAA-sensitive communications safe for over a decade, has broken down. As shown by researchers at a recent conference, a simple tool now gives hackers access to your PayPal transactions and much more. Gonna be fixed? Possibly not for many months, even years, since any change to the SSL/TLS protocols causes ecommerce to break for any number of sites, depending on the server or browser involved in the transaction. The hack is truly a killer app.

Just google SSL/TLS HIPAA and you'll find hundreds of applications that use Secure Sockets Layer/Transport Layer Security technology to secure electronic medical records transactions. (Here's an ironic example of the misinformation out there, labeled "Completely Secure Collection of Web Form Data using SSL".)

An article in The Register reports that a couple of researchers announced a demo of their tool, called BEAST (Browser Exploit Against SSL/TLS), at a Buenos Aires security conference last week. BEAST performs a "plaintext-recovery" attack, exploiting a (previously theoretical, but known) weakness in TLS. During encryption, the TLS protocol scrambles each subsequent block of data based on the previous encrypted block. It had long been theorized that an attack could manipulate the process to make educated guesses about the contents of the plaintext blocks. If a guess is correct, the block cipher will get the same hash for a new block as it used for the previous one, resulting in identical cipher-text. Security just goes POOF.

At the moment, BEAST requires a little under two seconds to decrypt each byte in an encrypted cookie, used by a web browser to secure an online transaction session. Doing the math, a 1,000-byte cookie would take maybe half a minute, but researchers Thai Duong and Juliano Rizzo have now announced that they've tweaked the process down to about ten seconds. That's plenty quick to grab whatever users are sending, decypher it, and, well, steal it.

So, what are browser makers doing to plug this new hole? One word: Nothing. What's the hold up? Well, although this "theoretical" hack has been understood for years, a secure transaction involves just too many parties to get it all straightened out without knocking out millions -- perhaps billions -- of transactions for perhaps an extended period of time. For instance, the Firefox and Chrome browsers (according to, Firefox gets 40.6% of traffic, while Internet explorer gets just 22.4%, and Google Chrome gets 30.3% as of August, 2011) use the open source Network Security Package to implement HTTPS. But there are other security packages out there, and IE uses one of them. Any change would require simultaneous change to all packages. And that's not the half of it; the servers use multiple SSL implementation platforms, such as OpenSSL, and all of those would have to change at the same time. The offending protocol, TLS 1.0, has been available in an upgraded version (1.1 and 1.2) since 2006, but getting all the ducks lined up just isn't happening.  While IE 8 and up include support for TLS 1.1 and 1.2, which do not appear to have the vulnerability, it is not the default, and still relies on servers to accept the protocols without falling back to 1.0.

“The problem is people will not improve things unless you give them a good reason, and by a good reason I mean an exploit... It's terrible, isn't it?” said an analyst with the security firm Qualys.

There appear to be no reliable estimates of the percentage of HIPAA electronic transactions that are secured using SSL with TLS 1.0, but considering that, in the absence of a broadly implemented general browser-server solution, any TLS v1.2 implementations would require proprietary code at both the server and client sides, and transactions running under the hackable version would likely be the overwhelming majority. As of early 2011, Microsoft's .Net framework did not support the updated TLS protocols, suggesting that any EMR, EHR, eligibility and billing applications developed at that time may not support them either. Time to call your vendor?
Check Comments below for updates...

    September 11, 2011

    91 Charged With $295 Million Medicare Fraud

    Ninety-one doctors, nurses and others were charged in a blockbuster sting operation, with arrests unfolding over three weeks and culminating in 70 arrests last week. In 2007, a strike force was set up between the Department of Justice and the Department of Health and Human Services to identify and build federal fraud cases to fight criminal abuse of federal healthcare programs. U.S. Attorney General Eric Holder said that arrests were made in eight US cities involving more than $295 million in stolen funds.

    Almost half of those charged were part of a Florida ring that recruited healthcare providers to refer patients to a mental health center, in some cases threatening residents of a halfway house with eviction if they refused the unnecessary care. Another case involved $3.4 million in unnecessary physical therapy by two Brooklyn physicians.

    On September 1, officials in Detroit charged 18 physicians, nurses, clinic owners and other medical professionals for submitting $28 million in false claims to Medicare. Just one day earlier, the owner of a Houston, Texas durable medical equipment business was sentenced to 97 months in prison for his role in a Medicare fraud scheme.

    In all, the strike force, known as Health Care Fraud Prevention and Enforcement Action Team (HEAT), has charged 1,140 defendants who collectively have falsely billed the Medicare program for more than $2.9 billion.

    When providers have been convicted of fraud and certain other infractions and delinquencies, their names are placed on the List of Excluded Individuals/Entities (LEIE) database. CarePrecise compiles this data into its comprehensive database of U.S. healthcare providers, identifying excluded providers' NPI numbers, phone and fax numbers.

    Read the full story on the HHS website.

    September 9, 2011

    U.S. Doctors Earn Big, Drive Up Costs

    According to a new study published in Health Affairs, America's approximately 1.1 million physicians are paid dramatically higher fees than those in all of the other more than 230 Organisation for Economic Co-Operation and Development countries. Per capita, our physicians are paid $1,599; other countries averaged significantly less than that -- about 81% less -- or about $310. The difference, nearly $1,300, is a major factor in driving up U.S. healthcare costs, and, according to the report, is the the main cause of higher overall spending in America on physicians' services.

    The disparity comes into stark focus in the area of specialists' fees. While U.S. primary care docs earned significantly higher than their foreign counterparts -- averaging $186,582 annually -- orthopedic physicians earned $442,450. As an example, the study compared physicians’ fees paid by public and private payers for hip replacements in Australia, Canada, France, Germany, the United Kingdom, and the United States, finding that much higher fees were paid to U.S. orthopedic physicians for hip replacements (70 percent more for public payers, 120 percent more for private payers) than public and private payers paid these specialitsts in other countries. The study concludes that "the higher fees, rather than factors such as higher practice costs, volume of services, or tuition expenses, were the main drivers of higher U.S. spending, particularly in orthopedics."

    According to August, 2011 CarePrecise data, of the approximately 1.1 million U.S. physicians, about 35,500 practice as orthopedists and orthopedic surgeons, with another 378,000 specialists practicing in the high fee taxonomies. Only about 160,000 U.S. physicians serve in family practice.

    August 4, 2011

    And They Were So Close to Canada!

    Looks like some Medicare patients will go to any lengths to escape the high cost of U.S. prescription drugs. Even if only through opium-induced euphoria.

    Michigan: Twenty-six persons have been charged by Federal investigators in a Medicare fraud scam that took in more than $58 million in fraudulent billings and illegally acquired more than 6 million doses of pricy medications. Drugs were used to entice Medicare patients to play along.

    The brains of the gang, one Babubhai Patel, ran a network of 26 Michigan pharmacies that bribed physicians to write the prescriptions, many of them opiates and other frequently-abused pharmaceuticals. Physicians recruited grandmas as mules. Medicare patients would knowingly fill the illicit prescriptions, keeping the drugs and handing over their Medicare and Medicaid billing information to the conspirators. Four doctors and ten pharmacists, as well as some of the patients and others, were indicted in the federal grand jury action.

    July 7, 2011

    A Nut Too Tough to Crack?

    One of the hardest problems in health IT is the effort to get data from different silos into a centralized database that can be searched as a single dataset. So, this is us announcing our new "linking and shrinking" technology, code named "Squirrel." What does it do?

    Squirrel is a record-linkage and deflation system that pulls in data from multiple federal provider databases in various formats, makes them play nice together by linking everything up under providers' NPI numbers, preserves all the data but shrinks the file size down to about 9% of the original size, puts it in a format that can be managed in Microsoft Access or other garden variety database software, downloads it to our customers, and then does it all again fresh every month.

    The technology is built on record-linkage methods developed over twenty years. Interesting trivia: The precursor to the current system was built in Microsoft Access 1.0 -- you remember it, the Introductory Package -- in 1992. While we don't share all the secrets, the basic trick involves pattern matching algorithms and a lot of processing time to handle more than 13 million rows of data, comparing each provider's records between all the sources. The end result is called CarePrecise Access.

    We just sent out a press release about the whole thing.

    Now you'll excuse us, as we have some more nuts to collect and crunch on.

    July 1, 2011

    Health IT Talent at a Premium, or Take 2 Aspirin and Call Me a Headhunter

    It's hardly news that the pool of qualified healthcare information technology professionals is drying up as providers and vendors race to meet tech deadlines associated with federal HIT funding programs. For HIT folk like us, this rocks! Except, of course, when we're trying to flesh out project staff and we learn that the talent is beginning to know what it's worth.

    At stake is the $25 billion allocated in 2009 by the American Recovery and Reinvestment Act for EHR and other health IT outlays. Providers can be compensated for costs if they jump through the hoops by certain dates, with several important deadlines coming through the next several months. July 3 is the last day for hospitals to begin the 90-day reporting period in which they must demonstrate Meaningful Use for the Medicare EHR incentive program for federal FY 2011.

    Oct. 3, 2011 is the last day for physicians to begin their Meaningful Use reporting period for EHR, and November 30 the curtain drops on general and critical access hospitals registering for payments. And that's just a handful of the headaches.

    In addition to all of this activity, ICD-10 and 5010 implementations are also looming. If you're in HIT and you haven't asked for a raise, as my daddy used to say, "What's wrong, cat got your tongue?" (Apologies to our CIO friends.)

    Medicare Wins in Vegas Fraud Case

    Rakesh Nathu, a Las Vegas oncologist, settled his fraud case with the Justice Department yesterday for $5.7 million plus interest. Dr. Nathu was accused of submitting false claims to Medicare, TRICARE and the Federal Employees Health Plan for various radiation oncology services, including intensity modulated radiation therapy, and double billing for services. We hope he did better at the craps table. The government has recovered more than $7.3 billion in False Claim Act cases since 2009.

    Among CarePrecise clients are law enforcement agencies working on federal and private payer fraud investigations. As a result of work done for our clients, we developed a means of matching the federal fraud conviction list with providers' NPI records, and associating certain demographic data with practice locations to help visualize patterns. Late in 2010 we began including the fraud data in our CarePrecise Access Complete dataset, and the additional economic data in CarePrecise Gold products. Now included is a flag that indicates provider records whose data strongly suggest a match with the federal LEIE (List of Excluded Individuals/Entities) database. Other features help investigators track providers' licensing, credentials, specialty codes, enrollment in the PECOS database, and numerous other functions.

    Read the Justice Department news release.

    June 28, 2011

    New Way to Market to Healthcare Providers

    The international PR firm Ogilvy has just released a study prescribing a shift in healthcare marketing from the exploitation of clinical breakthroughs to something Ogilvy calls "sustainability." They're not talking about the sort of sustainability we in healthcare usually mean, such as the sustainability of a health information exchange's business model. Instead, they're suggesting that we start selling green.

    Companies with strong environmental competencies will rule the market in the coming years, say the investigators, Jeff Chertack and Monique da Silva. In an op-ed by Chertack, he says that "[the new] value will be delivered by new healthcare products and delivery systems that help society adapt to and thrive in changing climate and disease patterns."

    CarePrecise Technology made a move in the past year toward eliminating a large part of its carbon footprint by shifting even our largest file deliveries from physical (DVD disks) to virtual. All new product sales are now 100% virtual, and as subscribers renew, their deliveries will be virtual as well. Not only has the shift reduced fuel and materials consumption, but products are now delivered in less than half the time. In a business where the freshness of data is crucial, every hour counts. CarePrecise's NPI directory unit, NPIdentify, has produced state NPI directories in electronic form only since 2007.

    CarePrecise's data center is a shared environment, utilizing hyper-efficient cloud computing resources. Except for certain mission-critical operations performed on in-building platforms, all front-end operations and many back-office computing tasks have been moved to the cloud, dramatically reducing office space utilization and fuel consumption.

    Whether the healthcare industry in specific, and the broader business community in general, will effectively turn environmental competencies into profits is still an open question. Certainly, entities like hospitals make huge impacts and consume enormous resources (think about all those disposables and all those sheets washed after 30 minutes of use, pillows, trays and pitchers discarded after each patient...), and spectacular improvements could be made. Vendors who help these organizations green up are offering a new way to compete for patients. The competitive advantage offered by corporate carbon consciousness could be tomorrow's marketing edge for providers and their vendors.

    June 9, 2011

    Flaw in CMS Logic Causes Cost

    When the NPI Final Rule (and all of its after-final rules) created the National Plan and Provider Enumeration System, there were many unknowns: Which datapoints would be released for the industry to use? loomed large. But another issue has come home to roost.

    Organizations (Type 2 providers under the rule) were permitted to have as many NPI numbers as they liked, and they could structure their assignment of NPIs any which way. For instance, one hospital might get separate NPI numbers for each of its business units, while another got and NPI for each of its physical locations, another for each of the cluster of corporations, while some clever hospitals got an NPI for each reimbursement channel. And then of course, some hospitals got just one.

    No problem with that -- the various business optimization strategies are interesting to observe, and surely make sense in their various contexts. The problem is that there is no primary NPI number per hospital or health system. That is to say, there is no way to know from the NPPES records which if any of the NPI records is a parent, and which is a child. Oh, of course, an army of human analysts can pore over the records and find 37 hospital NPI records each identifying, say, Mayonaise Health System as its parent. But a computer finds that task a bit difficult, since it will find many variations in the records, e.g.,
    • Mayonaise Hospital
    • Mayonaise Health System
    • Mayo Hospital
    • Mayo Hospitals
    • Mayonaise Hospitals
    • Miracle Whip Health
    • and on an on
    Thus, it becomes essentially impossible to say how many hospitals there are, even though we are looking at the complete set of federal records on hospitals. Had there been a primary or master NPI required for each General acute care hospital -- regardless of how many business units and other NPIs are involved, it would be possible to perform much more significant research on hospital service areas, densities, availability of care, duplication of services, and much more. (We've just started putting state-by-state physician and hospital counts on our home page at, but for now, we are able only to show the total of all hospital records -- 29,946 at present -- which is far more than the roughly 5,000 actual hospitals to whom all those records belong.)

    The coyness built into the NPPES was more or less deliberate. American hospitals are a contentious lot, engaging in constant competition, and they did not want any more known about them than absolutely necessary. Coy data costs everyone money, and adds opacity to the healthcare system. Still, with the HospitalCompare project and our subsequent mining of all of these data sources, much can be learned, and the reach of each hospital organization can ultimately be published. Stay tuned.

    May 26, 2011

    Ryan Plan Dies in the Senate

    "The Republican plan to kill Medicare is part of a plan to balance the budget on the backs of seniors," Senate Majority Leader Harry Reid said before yesterday's vote. That plan, originating in the House authored by Republican Paul Ryan, would have dismantled Medicare guarantees in favor of a private system that would force seniors to shop for health plans.

    Republicans forced a vote on the Obama Administration's budget as a ploy to show the lack of support among Democrats for it. The 97-0 vote roundly defeated the President's budget.

    March 18, 2011

    Health Information Exchange Finance Study

    Year-over-year Revenue Growth, U.S. HIE (2006-2007)Lately I've been asked by multiple people about the RHIO/HIE work we did a few years ago. With wider adoption of EHR and EMR, health information exchanges are finally beginning to be able to sink their teeth into data, and their value is being better understood. Still the most detailed analysis of HIE finance is the two-year study conducted while I was senior analyst at Healthcare IT Transition Group. The full 129-page study is now available online again.

    March 16, 2011

    New Hospital Admin Education Website

    Hannah Anderson's goal was to compile an unbiased and updated list of every school that offers a hospital administration degree in the US.  She felt that the existing lists were not comprehensive, easy to find, and many websites have outdated information and links. is a valuable new resource for hospital administration students, and for seasoned administrators when we're asked to make recommendations. All the schools are listed on the front page and lead directly to each program, and can be viewed state-by-state. Thanks, Hannah!

    March 10, 2011

    Got Teeth? Here Comes HIPAA Enforcement

    Two-day workshops in April, May and June have been set to train state attorneys general in HIPAA enforcement. The economic stimulus law attached stronger penalties for HIPAA privacy and security violations, and perhaps more importantly, removed sole prosecutorial powers from the Office for Civil Rights at HHS (OCR) for enforcement of federal privacy and security provisions by granting dual enforcement authority to state attorneys general. Going further, the law also expanded application of HIPAA criminal provisions to any individual who obtains or discloses health information kept by a covered entity -- not just the covered entity itself -- which essentially reverses the Bush administration Justice Department, which held that only "covered entities" are eligible for prosecution. So, if that EHR software company has an oopsie with your medical records, your state attorney general can go after it. CHOMP! Read the Modern Healthcare article.

    March 8, 2011

    Patients Want Their Providers Online

    The second-annual study from Intuit Health, the Health Care Check-Up Survey, found that 73% of Americans surveyed would use secure online tools to access lab results, request appointments, pay medical bills, and communicate with their doctor's office. CarePrecise began building web portals for healthcare providers a few years ago, and has seen a rise in interest from providers, who want to be able to point patients to written information in the controlled environment of their websites. Providers are also looking at adding scheduling applications, and some are participating in PHRs (patient health record portals). Read the Information Week article.

    February 14, 2011

    Good News, Docs and Vendors: No Medicut

    According to the Associated Press, the Obama administration proposes $3.73 trillion for the next budget cycle, as part of its plan to shrink the federal deficit by $1.1 trillion over the coming decade. $62 billion of the savings would be used to avoid cuts in Medicare payments to physicians over the next two years. The full proposed budget is expected to be released later today.

    January 18, 2011

    Nearly 3000 Excluded Providers Still Practicing

    You might wonder if, and if so, why, healthcare providers who have been convicted of Medicare fraud are still practicing medicine, writing prescriptions, and billing health plans (except, presumably, Medicare). Well, it's a good question. Apparently such a conviction may not get a provider's NPI deactivated.

    For several months the number of providers that appear on both the HHS Office of Inspector General's excluded providers list and the current National Plan and Provider Enumeration System (NPPES) have hovered around 2,700.* But for December the number jumped to 2,925. Of that number, more than 1,400 are physicians.

    For the past several months, CMS has dropped only 400 to 500 providers each month for various reasons; not all dropped NPI records are due to fraud convictions. Interestingly, the December NPPES dropped more than 1,000 records, while still including more than 2,900 providers listed in the LEIE (List of Excluded Individuals/Entities), the federal database primarily of healthcare providers convicted of fraud or other crime, for patient neglect or abuse, felony controlled substance conviction, or whose licenses have been revoked, suspended or surrendered. A small number of providers are included on the list for less serious reasons, including refusal to provide required information to HHS, and default on a federal healthcare education loan. An inquiry sent to CMS requesting information on the matter has not been answered.

    Each month, nearly 30,000 new records are added to the NPI database, primarily representing new healthcare providers. On average, 33,000 records are updated (by the providers themselves in nearly every case). The December NPPES database includes 3,277,833 healthcare provider records. All HIPAA-covered U.S. healthcare providers are required to obtain an NPI record. For all practical purposes, a physician's NPI number, along with a DEA number, is required to write a prescription because pharmacies generally require them. Theoretically, at least, if a pharmacy could not find a valid NPI number, it could refuse to fill the prescription.

    CarePrecise compiles federal healthcare provider data for use in research, clinical trial provider pool development, fraud prevention and marketing. Clients include health plans, educational institutions, drug companies, marketers, law enforcement, health systems and individual providers.
    * Source: CarePrecise research data. Methodology involves cross-referencing the two databases using proprietary algorithms to affix NPI numbers to providers in the fraud database; the fraud database (LEIE) does not include NPI numbers, making it difficult to track against practicing providers. Actual number of providers on both lists may be higher; the cross-referencing algorithm is used conservatively.