The Healthcare Fraud Circus

The trade press indicates that healthcare expenditures are again on the rise while the ACFE tells us that approximately $25 million per hour is stolen, wasted or abused in the provision of healthcare services in the US alone. Not surprisingly, our Chapter members, CFEs and forensic accountants, employed by both governmental and private institutions, are being increasingly called upon to grapple with the fallout.

The Centers for Medicare and Medicaid Services (CMS) defines healthcare fraud as the intentional deception or misrepresentation that an individual knows, or should know, to be false, or does not believe to be true, and makes, knowing the deception could result in some unauthorized benefit to himself or some other person(s). The Health Insurance Portability and Accountability Act (HIPAA) is more specific, defining the term federal healthcare offense as “a violation of, or a criminal conspiracy to violate” specific provisions of the U.S. Code, “if the violation or conspiracy relates to a health care benefit program” (18 U.S.C. § 24(a)).

The statute goes on to define a health care benefit program as any public or private plan or contract, affecting commerce, under which any medical benefit, item, or service is provided to any individual, and includes any individual or entity who is providing a medical benefit, item, or service for which payment may be made under the plan or contract. Finally, health care fraud is defined as knowingly and willfully executing a scheme to defraud a healthcare benefit program or obtaining, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by. . . any healthcare benefit program. HIPAA establishes specific criminal sanctions for offenses against both private and public health insurance programs. These offenses are consistent with the common definitions of fraud in that they involve false statements, misrepresentations, or deliberate omissions that are critical to the determination of benefits payable and which may obstruct fraud investigations.

Practitioners new to fraud examination and forensic accounting in the healthcare arena need to develop a familiarity with the players involved in the provision of and payment for healthcare services if they are to effectively investigate identified instances of fraud, waste, and abuse in this ever-expanding sector of the economy.

Healthcare fraud differs from healthcare abuse. CMS says that abuse refers to incidents or practices that are not consistent with the standard of medical care (in other words, with substandard care). Examples include:

–Unnecessary costs to a program, caused either directly or indirectly;
–Improper payment or payment for services that fail to meet professional standards;
–Medically unnecessary services;
–Substandard quality of care (e.g., in nursing homes);
–Failure to meet coverage requirements.

Healthcare fraud, in comparison, typically takes one or more of the following forms:

–False statements or claims;
–Elaborate schemes;
–Cover-up strategies;
–Misrepresentations of value;
–Misrepresentations of service.

It’s important to appreciate that healthcare is a dynamic and segmented market among parties that deliver or facilitate the delivery of health information, healthcare resources, and the financial transactions that underlie and support the functioning of all the many components of the total business process. To fully appreciate what healthcare fraud looks like, it’s important to understand traditional and nontraditional players. The patient is the individual who actually receives a healthcare service. The provider is an individual or entity that delivers or executes the healthcare service. The payer is the entity that processes the financial transaction. The plan sponsor is the party that funds the transaction. Plan sponsors include private self-insurance programs, employer-based premium programs, and government programs such as Medicare and Medicaid. A vendor is any entity that provides a professional service or materials used in the delivery of patient care. Complicating matters is that each one of these player entities has a distinct perspective and point of view of the overall process which can differ significantly from that of each of the others.

So, what does healthcare fraud look like from the individual patient’s perspective? The patient may submit a false claim with no participation from any other party. The patient may exaggerate a workers’ compensation claim or allege that an injury took place at work when in fact it occurred outside of work. The patient may participate in collusive fraudulent behavior with other parties. A second party may be a physician who fabricates a service for liability compensation. The patient may be involved in an established crime ring that involves extensive collusive behavior, such as staging an auto accident. The schemes typically repeat themselves as well as constantly evolve in the creativity they demonstrate.

And from the provider’s perspective? The fraud schemes can vary from simple false claims to complex financial arrangements. The traditional scheme of submitting false claims for services not rendered has always been and continues to be a problem. Other maneuvers, such as submitting duplicate claims or not acknowledging duplicate payments, are issues as well.

Some schemes manifest great complexity and sophistication in their understanding of payer systems. One example is the rent-a-patient scheme where criminals pay “recruiters” to organize and recruit beneficiaries to visit clinics owned or operated by the criminals. For a fee, recruiters “rent,” or “broker,” the beneficiaries to the criminals. Recruiters often enlist beneficiaries at low-income housing projects, retirement communities, or employment settings of low-income wage earners. Detecting complicated misrepresentations that involve contractual arrangements with third parties or cost report manipulations submitted to government programs requires niche expertise, which represents an opportunity for anti-fraud practitioners expert in data mining.

And from the payer’s perspective? The fraud schemes perpetrated by this group tend to be pursued mostly in response to transactions between the payer and a government plan sponsor. They include misrepresentations of performance guarantees, not answering beneficiary questions on claims status, bad-faith claim transactions, and financial transactions that are not contractually based. Other fraudulent activities include altering or reassigning the diagnosis or procedure codes submitted by the provider. Auditing payer activities also requires a niche expertise involving operational as well as contractual issues.

Healthcare fraud schemes perpetrated by employers include underreporting the number of employees, employee classifications, and payroll information; failing to pay insurance premiums, which results in no coverage; creating infrastructures that make employees pay for coverage via payroll deductions; engaging in management activities that discourage employees from seeking medical treatment; and referring employees to a medical facility and in turn receiving compensation for the referrals.

Vendor-perpetrated schemes furnish numerous examples involving a range of participants, from professional healthcare subcontractors to suppliers of equipment, products, services, and pharmaceuticals. These schemes include false claims, claims for altered products, counterfeit medications, and services from unlicensed professionals. They include collusive behavior among several entities as well as between individual professionals.

In summary, the takeaway for anti-fraud professionals is that healthcare fraud is growing at an accelerated rate in the United States. Traditional schemes include false claim submissions, care that lacks medical necessity, controlled substance abuse, upcoding (billing for more expensive procedures), employee-plan fraud, staged-accident rings, waiver of copayments and deductibles, billing experimental treatments as nonexperimental ones, agent-broker fraud relationships, premium fraud, bad-faith claim payment activities, quackery, overutilization (rendering more services than are necessary), and kickbacks. Evolved schemes include complex rent-a-patient activities, 340B program abuse activities (setting aside discounted drugs, making them unavailable to those in need), pill-mill schemes (schemes to falsely bill prescriptions), counterfeit drug activities, and organized criminal schemes.

CFEs and forensic accountants have a significant role in combating all of this. The good news is that much information is available to guide practitioners from both governmental and private sources.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the floodgates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE), has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually. Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organization’s exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber-supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization’s goals in light of that desired state is essential. Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

–A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management) should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of, continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics. Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of ongoing as well as potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance. They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics-based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

With a Little Help

by Rumbi Petrozzello, CPA/CFF, CFE
2018 Vice-President – Central Virginia Chapter ACFE

In November, my husband and I headed out to our usual spot, on Fourth Avenue in Brooklyn, to cheer for those running the New York marathon. A marathon, for those who don’t know, is 26.2 miles long. People who complete marathons get nothing but respect from me – success in marathoning only comes with a lot of dedication and training. Many people spend at least six months following a training plan that is not just about building distance. For instance, when learning (and it is learning) how to complete 26.2 miles of running (or walking for that matter) people must learn how to remain fueled and hydrated while running. This training also then applies to making lifestyle adjustments such as changing one’s diet and sleeping habits. Years ago, when I was training for the New York Marathon, friends knew to not call after 10PM because I was going to bed early to get enough sleep before early morning runs. I tried not to go out on Friday nights, because I went on my long runs on Saturday mornings and wanted to be energized for them. I spent a lot of time and energy doing research, talking to friends who were seasoned runners and even took running classes to improve my performance and chances of success during the race. Despite the very popular tag line “Just Do It”, a lot of work goes into even getting to that point.

The past few months, I have been doing quite a bit of work that involves assessing the controls that companies have over their systems to detect, deter and prevent fraud and error. Going in, the time, energy and money that companies have put into all of this is impressive. They will have an audit committee, an internal audit function and a lot of documentation around what their systems are. There will be volumes of documentation on procedures and protocols and, at the very least, on paper, things look fantastic. However, when we start talking to employees about what their reality is, things often are very different. Some of the issues we found included:

• Staff who did not quite understand what some technical terms meant and so ignored the parts they didn’t understand. We spoke with people who were very happy to perform and review controls, but they didn’t know how best to do that, and no one was telling them the how;

• Some staff did not understand why they were being asked to change things and, believing that what they had been doing for years constituted a good system, stuck with that;

• In some cases, it wasn’t clear just who was responsible for ownership of a process and that meant, often, that nothing ended up getting done;

• In other instances, staff were given such vague instructions that they resorted to making it up as they went along.

Having the rules is completely useless if your people don’t know what to do with them and, just as importantly, why they’re doing what they’ve been asked to do in the first place. What is vital in all of this is the proper training. As CFEs and Forensic Accountants, we are perfectly positioned to work with clients to ensure that controls and systems go beyond theory. So it’s vitally important for success to constantly work with clients to strengthen systems and controls. This can be done by recommending that our corporate clients:

• Provide training to employees. This training must include the identification of control owners and then the process of working directly with them to ensure that they understand what their roles are and specifically why they need to follow the steps being asked of them. Sometimes, when a control owner is given a requested role, they are told to “review” something. Review can mean anything and often what some people consider to be a review is insufficient for complete understanding. For instance, an employee may think that merely saying they checked something is sufficient. Or that having a verbal conversation is enough proof of review. Be sure to recommend to clients that they let employees know that there should be written evidence of a mandated review and to be equally sure to provide clear examples of what qualifies as evidence of that review.

• Review systems and controls to ensure that they address risks. A company may institute many systems and related procedures but, upon review, a CFE or forensic accountant may find inadequate segregation of duties. You may find that a supervisor is checking a team’s work, but no one is authorizing that supervisor’s. This becomes particularly risky if that supervisor has access to many aspects of the business. A CFE or forensic accountant can review roles and duties to ensure that duties are sufficiently segregated.

• Training should be ongoing and updated for changes in the company as well as changes in technology and processes. At least once a year, employees should receive updated training and performance reviews. In this way, companies can also learn if there have been material changes that might lead to systems and processes having been adjusted in such a way as to create weakness and holes that could lead to future fraud or error.

It’s all well and good to have ads where famous people run, jump and play and tell you to “just do it”. I remember people rolling their eyes at me when I mentioned that I was dashing to running class – why do you have to learn how to run? Doesn’t everyone know how to do that? Yes, I could run, but with training, I ran a better marathon and lived to tell the tale (unlike the original guy). Yes, employees may know how to do the compliance and control work but as a CFE or forensic accountant, you can help a client company work with their employees to perform their work better, be aware of controls and be cognizant of risk and how to mitigate it. It’s so much better than just doing it.