Fraud prevention in dme claims

2011

A Pilot Medicare Durable Medical Equipment CMS and National Government Services (WellPoint)

Jeffrey Leston

CastleStone Advisors, LLC

www.castlestone-llc.com

Before the Fact Prevention of Certain Medical Insurance Fraud and Loss

1 | P a g e Confidential to Castlestone Advisors LLC

Contents

Background ....................................................................................................... 2

Technical and Functional Objectives ........................................................................ 3

Methodology ...................................................................................................... 4

Original Design ................................................................................................ 4

Actual Implementation ...................................................................................... 5

Project Operation ............................................................................................ 5

Summary of Findings ............................................................................................ 6

Implementation and ability to scale ...................................................................... 6

Provider Verification ......................................................................................... 6

System Usability .............................................................................................. 7

Design Specifications of Matching ......................................................................... 7

Protection of Physician Identity............................................................................ 7

Protection of Patient Identity .............................................................................. 7

Economics ......................................................................................................... 8

Afterword ....................................................................................................... 10

Castlestone VisitEye Presentations and Reports – ....................................................... 11


Background

The Medicare DME Program has historically been the victim of significant fraud and

abuse. GAO and HHS Inspector General reports, as well as HEAT arrests, pointed out the

establishment of ‘storefront’ DME suppliers that used stolen physician identities and

stolen beneficiary identities to bill Medicare for high value products never ordered or

never delivered. There are also documented cases of known and established suppliers

submitting claims using stolen or purchased physicians and beneficiary identities.

Another impediment in spotting fraud and abuse in the DME and Part D programs is the

processing infrastructure for Medicare claims. The claim for the Part B in-office visit to

justify an order for DME is processed by a different contractor than the DME claim.

There is little information sharing, and the DME claim contractor is forced to rely on the

coding of the claim; they otherwise have no way to verify that a provider actually wrote

the order. In addition, many DME items can be ordered by mail from suppliers out of

jurisdiction. In Part D, the office visit where the prescription is written is processed by a

Part A/B contractor, and the actual prescription, requiring the doctor’s order, is

processed by the beneficiary plan of choice. The OIG highlighted this problem in a

report in 2011, stating that at least 375,000 part D prescriptions were paid for without a

proper physician ID.

These types of fraud listed above arise from the improper use of physician identities or

NPIs. Preventing the misuse of the physician ID, and verifying that the order actually

emanates from the physician office, were objectives of the pilot.

Recent press has also focused on the theft of Social Security numbers, used both for

Medicare claim processing as well as tax filing. . Stolen Medicare IDs (SSNs) have been

used to file fraudulent tax returns as well. It is likely that the potential impact of stolen

identities on Medicare has been understated, since the identities on their known

compromised list have to date only come from CMS-initiated actions and audits. The

IRS has their own list of compromised identities, and at the initiation of Castlestone, the

agencies are now communicating about this common problem. Testing another

identification that is recognized at all locations to protect the identity, like a credit card

number with no financial or Personal Health Information, is an original objective of the

pilot as well.

In addition to a focus on reducing fraud and abuse in the DME program, CMS

concentrated on screening providers to eliminate bad actors from getting into the

system. Integral to this effort is the inclusion of third party information to validate data

from providers, CMS and contractors.

The location selected for the pilot was in Indiana because it was deemed that since

National Government Services was both the Part A/B Administrative Contractor, and the

DME claims contractor, and since the pilot required communications with both groups it


would be simpler to manage. The data communications between Castlestone, NGS DME

processing and NGS Part A/B processing would be representative of separate

contractors for those services.

Technical and Functional Objectives

The objectives of the proof of concept were:

• Identify and prevent storefront operations from billing CMS for high value

durable Medical Equipment. Additionally, test the use of financial network

information and other outside data sources in provider screening and

verification processes

• Assist physicians in protecting their identities, as pointed out in Dr. Budetti’s

recent article in the Journal of the American Medical Association

• Test the ability to use an alternate beneficiary ID for beneficiaries

• Test the ability to use the financial networks for secure communication of

healthcare transactions

• Test the ability to verify transactions from provider offices as a form of prior

authorization, in an environment with multiple contractors processing related

claims.

• Test the ease of use for provider offices to use the existing swipe terminal

The pilot was not structured to quantify savings from reductions in fraud and abuse.

Because of voluntary participation, no financial measures such as withholding payment,

as would be implemented under ACA, and no reimbursement code for participating, as

there often is in other pilots. It is also unlikely that perpetrators would commit to

working with the project. However, because of the certainty of verified information

received from the card networks, and the known types of fraud and abuse in the

program, we can forecast with a level of confidence what the Return on Investment

would be if the project were mandatory and scaled to include known fraud hotspots.

We also found that physicians’ offices tend to participate in projects or procedures that

are either mandatory or reimbursed.


Methodology

Original Design

Much of the fraud and abuse in the DME program originates from ‘storefront’ locations

who steal IDs and submit claims. If the claim meets the proper formats, it is likely to

have been paid.

This and other frauds are possible because there had been no way to verify that the

beneficiary was ever in the provider office (also a source of fraud for Part B claims) or

that the physician who’s NPI appears on the claim actually ordered the DME.

The original design of the system incorporated the swipe of a beneficiary card in the

provider office swipe terminal to verify that the beneficiary was in the office and the

provider did write an order for Durable Medical Equipment. This would also verify the

Part B claim and meet the requirements of the Affordable Care Act and other pending

and proposed legislation. It would also test the use of a magnetic stripe card for

replacement of the current beneficiary cards. CMS, like other insurers, must eliminate

the Social Security on the face of the card as well as eliminating it as the identifier in

processing systems, to reduce identity theft.

Providers are issued a card also which would protect the use of their NPI (National

Provider Identification.) The provider swipes the card in the terminal in their place of

business to register the swipe terminal in the data base. The computer “signature” of

the swipe terminal, the process required to obtain one (verification of bank account and

other incorporation information) and the information on location and ownership-

transmitted during swipes with a complete data set available during monthly network

reconciliation- enhance the provider screening process, as well as verifying that a

transaction initiated in that provider’s office. This would eliminate a major cause of

fraud.

In the original design, a DME transaction would be entered on the swipe terminal by

means of a code, which can be done using the Castlestone technology. The combination

of 1) the beneficiary card being swiped, 2) the provider card being swiped at 3) the

verified location where that physician practices, gives us a high level of certainty that

the beneficiary was in the office when the [Part B] claim stipulates, and the provider

wrote an order for DME for that beneficiary on that date from that office. Those data,

the provider name and NPI and the date of service, must accompany the DME claim

from the DME supplier in their claim as well.

The DME suppliers were also provided with a card, which they would swipe to register

their credit card device. Those who did not have physical swipe terminals, but entered

credit card information on a browser, could still use the system. They entered

complementary information about the beneficiary HICN. The information from the


provider office swipe, the DME location swipe and the claim would be matched for

consistency.

Actual Implementation

Because of the controversy or pending decisions on various types of beneficiary cards,

the use of the beneficiary card was eliminated. Castlestone’s system was re-engineered

to capture the transaction at the provider office with a provider card only. The provider

office then entered the last 4 digits of the beneficiary’s HICN. This re-engineering

process also proved the flexibility of the Castlestone technology in using the card

networks, handling multiple swipes for a single transaction, and redesigning

transactions for a specific purpose. The re-engineering process was completed in one

week. It also made the transaction more cumbersome than the original card swipe, and

required that the provider card and the supplier card be present in order to initiate a

transaction. This was problematic in locations like retail pharmacies that also supply

Durable Medical Equipment. It would not have been necessary with a beneficiary card.

In the pilot, participation was voluntary. Unlike the design of pilots such as the DME

preauthorization pilot, there is no reimbursement code available for physicians to bill

for their participation. There was also no withholding of payment if transactions did not

match.

Project Operation

All technology infrastructures between NGS and Castlestone was agreed upon, coded,

tested and implemented in less than 60 days. The interfaces between Castlestone and

NGS were limited, and Castlestone and NGS added further protections to provider and

beneficiary identities by creating an alternate reference; Castlestone held no HICN/SSNs

or NPIs in its systems at any time. This proves that the Castlestone architecture can be

implemented quickly and cost effectively with various Medicare claims contractors,

many of whom use common systems.

The data base of locations and swipe terminals was built from the initial registration of

the provider and supplier cards from IVR activation and a swipe and entry of a

registration code. When a beneficiary was to receive DME, the physician card would be

swiped and the last 4 digits of the HICN entered. The order would go to the DME

supplier, who would enter the same information into their system.


Summary of Findings

Implementation and ability to scale

The implementation of the system was simple and straightforward, and accomplished in

60 days.

The system can be scaled to support the DME program nationally with no software

changes, and only minor changes to accommodate a beneficiary card. The connections

to any Medicare Administrative Contractor were proven to be simple to implement and

secure.

Risks/Issues

The largest risk to large scale implementation is the addresses of the providers. Since

much of the communication between CMS, contractors and providers has become

electronic, the maintenance of physical address locations has lagged. In the distribution

of cards to providers, approximately 15% of the addresses were not current. During the

project, following the discovery of this gap, we proposed and have implemented

matching the address from the swipe networks to the address on file with CMS and its

contractors. PECOS and other initiatives should help reduce the risk and improve

accuracy, when combined with the swipe and telephone network data Castlestone

proposed. A mailing prior to the mailing of the provider cards would also reduce the

scope of this issue.

Provider Verification

The system was able to match information from the swipe terminal to provider

information, including name and address. This provides another level of provider

verification. This technology and third-party verification of terminal user or owner, their

street address and their banking relationship has demonstrated that it can and should

be part of CMS’s provider screening process.

Risks/Issues

In certain situation the swipe terminal was listed under the name of the billing company

for the practice. This information can be matched against PECOS information, but

required a manual intervention to correct. We believe that this can be corrected

automatically with access to PECOS billing company information. Castlestone also

proposed a multiple level match with the telephone number associated with the

practice and matching that number, used in the activation process, to the directory

listing for telephone numbers.

There are other methods available to verify the use and activity of the swipe terminal

with claims


System Usability

Providers and suppliers were able to use the system immediately. There were no

technical issues with the system or card network reported, save a short downtime at the

server location. The predominant errors that came from the system were from

transactions that were rejected because the provider or supplier location did not

properly follow the activation instructions. Those transactions were posted on the

system as unrecognized. Castlestone and NGS created a methodology to verify the

location and have the transactions reclassified as accepted once the criteria were met.

Risks/Issues

Providers who work in large outpatient facilities found it inconvenient to access swipe

terminals. Castlestone has mobile solutions in its inventory. Early on in the project, we

found that DME suppliers who accept credit cards but do not have a walk-in business do

not have a physical swipe terminal, but enter credit card information via a browser

application. This was engineered into the application with no changes to the underlying

processes.

Design Specifications of Matching

The matching algorithms developed by NGS and Castlestone were able to successfully

match information from the swipe at a provider office against a swipe transaction at a

DME supplier and the claim from the DME. This validates, at a high level of certainty,

the ability to prevent fraud where a physician identity is inappropriately used to submit

a claim. This process verifies that the beneficiary was in the provider office, that the

DME order originated in the provider office, and once the order was ‘counterswiped’ by

the DME supplier, any other supplier who attempted to fill the order would have it

rejected. This capability can be used for any ‘ordered and referred’ service such as

home care, physical therapy and pharmacy claims. The FBI Financial Crimes lists

duplicate claims as one of the major causes of fraud. It is highly likely that duplicate

DME claims have been filed in multiple jurisdictions for the same beneficiary. The US

Attorney has told Castlestone that organized gangs submit the same claim across

jurisdictions

Protection of Physician Identity

At no time did Castlestone have or require the NPI to perform this pilot. Assigning the

physician an ID card and requiring that the order be verified with a swipe from the

physician office blunts fraud from stolen NPIs. Even if the NPI were to be compromised,

and CMS has a list of 5,000, the transaction would have to be verified with the physician

card at the swipe terminal in the physician office. If a beneficiary card were to be used,

that would provide the same protection.

Protection of Patient Identity

Since the beneficiary card was not implemented in the pilot, there was no way to fully

test the ability to protect patient identities. However, creating a different identification

from that used by the IRS will reduce the ability to use an ID stolen in one context to be


used for another. The IRS reports 400,000 returns every year where the identity of the

individual has been stolen, as have their refunds. These identities can be used for

Medicare fraud if and when the individual is eligible.

The beneficiary card would protect patient identity be eliminating the Social Security

number on the current card. The same identification card can be used if the beneficiary

remains on fee-for-service or switches to a Medicare Advantage plan. If implemented,

the MA plan may not need the Social Security number of the beneficiary, only their ID.

This would further protect beneficiary identities.

Economics

The average DME claim, as based on statistics from NGS, is approximately $100. The

overall fraud and abuse rate estimated by the GAO is 10%, which means that each claim

‘carries’ an approximately fraud or abuse component of $10, although DME CERT error

rates and estimated fraud rates are higher than the GAO average. The verification and

matching process costs about $0.20 per claim, which would decrease if and when the

project is scaled nationally. Even at this level, each 1% of fraud prevented or detected,

in the form of non-match of information, would provide a Return on Investment of 50%.

Reducing or preventing only 5% of fraud and abuse in the DME program overall

produces a Return on Investment of 250%. This does not include the benefit to the Part

A/B program of verifying the outpatient office visit.

This calculation includes low-cost DME items such as diabetic test strips and pressure

bandages. CMS’ focus on power mobility equipment would bring even greater benefits

if the technology is used. CMS is currently proposing a pilot for prior authorization of

power mobility equipment. The power mobility equipment costs range from $700-

$4,500. Assuming the same fraud and abuse rates, varying assumptions of:

The cost range of power mobility equipment

Low: $750

High $4500

The range of fraud and abuse in Power Mobility Equipment

Low: 7.5%

High 17.5%

Percentage of Fraudulent claims arising from lack of face to face visit, no prior

authorization or inappropriate use of physician ID:

Low: 10%

High 50%

Return on Investment:


This “Lo-Lo” matrix uses the low end of the cost range ($750 per PMD claim) and low

end of the fraud estimate (7.5%) with a range of 10-50% of frauds due to physician or

beneficiary information improperly used to submit a claim, as a percentage of the [7.5%]

fraud percentage. Each “percentage reduction” across the top is a reduction as a

percentage of the [7.5%.]

The highlighted cell, for example, would be interpreted as follows: “Assuming PMDs

cost $750, and 7.5% of the claims are fraudulent, and 20% of that fraud is caused by

inappropriate use of provider or beneficiary ID, no prior authorization, or no [required]

office visit, and we are able to reduce that fraud by 7%, the Return on Investment is

267.50%.”

Lo-Lo

Percentage Reduction

Percent of Fraud from 5.0% 6.0% 7.0% 10.0% 15.0% 20.0%

Unverified Orders with 10% 31.25% 57.50% 83.75% 162.50% 293.75% 425.00%

no documentation: 15% 96.88% 136.25% 175.63% 293.75% 490.63% 687.50%

20% 162.50% 215.00% 267.50% 425.00% 687.50% 950.00%

25% 228.13% 293.75% 359.38% 556.25% 884.38% 1212.50%

30% 293.75% 372.50% 451.25% 687.50% 1081.25% 1475.00%

40% 425.00% 530.00% 635.00% 950.00% 1475.00% 2000.00%

50% 556.25% 687.50% 818.75% 1212.50% 1868.75% 2525.00%


Afterword

Since the initial draft of this Summary, the largest fraud ever perpetrated against the

Medicare program was recently announced. A Texas physician was indicted on charges

of ordering over $375 Million for ordering home care visits that were either unnecessary

or never provided. It is also probable that most of the 11,000 orders were for patients

that never were in the accused doctor’s office, as is required for an evaluation to qualify

for homecare services. That fraud on that scale would have been prevented using the

same infrastructure built for the DME program.

The system designed for the DME swipe card, if properly implemented and enforced,

can be used to prevent frauds in programs that are “ordered and referred” These

products and services include DME, pharmacy, physical therapy, lab services and home

care, where a physician ID is required for a claim, and an office visit to that physician is

necessary for approval of the same claim In concert with other analytical techniques

developed by Castlestone and others, frauds like this, on this scale, should never occur.

Claims for those beneficiaries who were never seen would not have been paid.

Also, the Inspector General also issued a report Questionable Billing for Medicare

Independent Diagnostic Test Facility Services (OEI-09-09-00380 March 2012) which

discusses the problems in verifying that services such as imaging, testing and

evaluations were actually ordered by physicians and actually delivered to beneficiaries

as ordered. This report should be read along with this project summary as the platform

implemented for the DME can be used to address these frauds as well.


Castlestone VisitEye Presentations and Reports –

Title Link Fraud Prevention for Health Insurers http://slidesha.re/1pCGh98

Doctor Shopping and Prevention http://slidesha.re/1nNb9OL

CMS Pilot/Test of VisitEye http://slidesha.re/1vlGGeU

Management Tech. for Therapeutic Cannabis

http://slidesha.re/1nQ5JkD

Corporate Wellness http://slidesha.re/1qQf6Fi

Healthcare

Fraud prevention in dme claims