Medicare Improper Payments: While Enhancements Hold Promise for Measuring
Potential Fraud and Abuse, Challenges Remain (Letter Report, 09/15/2000,
GAO/AIMD/OSI-00-281).

Pursuant to a congressional request, GAO provided information on the
structural problems that exist in the Medicare claims processing system,
focusing on: (1) what the Health Care Financing Administration (HCFA)
proposals have been designed or initiated to measure Medicare improper
payments; and (2) the status of these proposals and initiatives and how
will they enhance HCFA's ability to comprehensively measure improper
Medicare payments and the frequency of kickbacks, false claims, and
other inappropriate provider practices.

GAO noted that: (1) since 1990, GAO has designated Medicare as a
high-risk program, recognizing that the size of the program, its rapid
growth, and its administrative structure continue to present
vulnerabilities that challenge HCFA's ability to safeguard against
improper payments, including those attributable to fraud and abuse; (2)
due to the broad nature of health care fraud and abuse, a variety of
detection methods and techniques--such as contacting beneficiaries and
providers and performing medical records reviews, data analyses, and
third party verification procedures--are being utilized to uncover
suspected health care fraud and abuse; (3) efforts to measure the extent
of improper payments, and ultimately to stem the flow of Medicare
losses, depend upon the use of an effective combination of these
techniques; (4) the Office of Inspector General's study to measure the
extent of Medicare fee-for-service improper payments was a major
undertaking and, as GAO reported, the development and implementation of
the methodology it used as the basis for its estimates represent
significant steps toward quantifying the magnitude of this problem; (5)
it is important to note, however, that this methodology was not intended
to and would not detect all potentially fraudulent schemes perpetrated
against the Medicare program; (6) HCFA has initiated three projects
designed to enhance its ability to measure the extent of Medicare
fee-for-service improper payments; (7) two of these projects are
designed to improve the precision of future improper payment estimates
and help develop corrective actions to reduce losses--however, like the
current methodology, they are not specifically designed to identify and
measure the extent of improper payments attributable to potential fraud
and abuse; (8) the third project, while still in the concept phase, will
test the viability of using a variety of investigative techniques to
develop a potential fraud and abuse rate; (9) determining the most
appropriate combination of improper payment identification techniques to
incorporate into measurement efforts requires careful evaluation; and
(10) some techniques may be challenging to implement, such as contacting
beneficiaries due to difficulties in locating them.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD/OSI-00-281
     TITLE:  Medicare Improper Payments: While Enhancements Hold
	     Promise for Measuring Potential Fraud and Abuse,
	     Challenges Remain
      DATE:  09/15/2000
   SUBJECT:  Internal controls
	     Reporting requirements
	     Overpayments
	     Health care programs
	     Program abuses
	     Fraud
	     Claims processing
IDENTIFIER:  HCFA Comprehensive Error Rate Testing Project
	     HCFA Payment Error Prevention Program
	     DOJ Fraud Investigation Database
	     Medicare Fee-for-Service Program
	     HCFA Model Fraud Rate Project
	     Medicare Prospective Payment System

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/AIMD/OSI-00-281

Appendix I: Objectives, Scope, and Methodology

38

Appendix II: Definitions and Examples of Common Types of
Potential Fraud and Abuse Referrals

40

Appendix III: Comments From the Health Care Financing
Administration

43

Appendix IV: GAO Contacts and Staff Acknowledgments

50

Table 1: Techniques for Detecting Potential Fraud and Abuse 16

Table 2: Comparison of HCFA Efforts to Measure Medicare Improper Payments 24

Table 3: Methodologies for Estimating Medicare Improper Payments 28

Figure 1: Fraud Investigation Database Statistics for Cases Referred,
1993 Through April 2000 14

Figure 2: Sources of Common Fraud and Abuse Referrals, 1993
Through April 2000 18

BBA Balanced Budget Act of 1997

CERT Comprehensive Error Rate Testing

CMN Certificate of Medical Necessity

CPT Current Procedural Terminology

DME Durable Medical Equipment

DOJ Department of Justice

EDP Electronic Data Processing

FBI Federal Bureau of Investigation

EOMB Explanation of Medical Benefits

FID Fraud Investigation Database

HCFA Health Care Financing Administration

HHS Department of Health and Human Services

HIPAA Health Insurance Portability and Accountability Act

IDPA Illinois Department of Public Aid

MFRP Model Fraud Rate Project

MSP Medicare as Secondary Payer

OI Office of Investigations

OIG Office of Inspector General

PEPP Payment Error Prevention Program

PPS Prospective Payment System

PRO Peer Review Organizations

PSC Program Safeguard Contractor

SSA Social Security Administration

Accounting and Information
Management Division

B-285653

September 15, 2000

The Honorable John R. Kasich
Chairman
Committee on the Budget
House of Representatives

The Honorable Saxby Chambliss
Chairman
Task Force on Health
Committee on the Budget
House of Representatives

This report responds to your requests that we review the Health Care
Financing Administration's (HCFA) efforts to enhance the measurement of
improper payments in the Medicare fee-for-service program. On July 12, 2000,
we testified1 before the Committee's Task Force on Health in which we
described HCFA's efforts and provided recommendations for improving the
usefulness of future improper payment measurements. As discussed in our
recent report on improper payments across the federal government,2 causes of
improper payments--that is, payments made for unauthorized purposes or
excessive amounts--range from inadvertent errors to outright fraud and
abuse. In its report on the review of fiscal year 1999 Medicare
fee-for-service claims, the Department of Health and Human Services (HHS)
Office of Inspector General (OIG) classified improper payments they
identified into one of four types of errors: (1) insufficient or no
documentation, (2) lack of medical necessity, (3) incorrect coding, and
(4) noncovered or other errors.

As steward for the Medicare program, the Health Care Financing
Administration (HCFA), an operating division within HHS, is accountable for
how it spends Medicare dollars and is responsible for safeguarding against
improper payments. Identifying the extent of improper payments and their
causes, including those attributable to potential fraud and abuse, is the
first step toward implementing the most cost-effective ways to reduce
losses. Recognizing that improper payments are a drain on the program's
financial resources-- resources intended to provide essential health care
services to millions of elderly and disabled Americans, HCFA has designated
ensuring the integrity of the Medicare program a top priority. Moreover, in
its priority management objective of verifying that the right person is
getting the right benefit, the Office of Management and Budget recognizes
that measuring the extent of improper payments and addressing their
underlying causes are essential elements for ensuring that program payments
are made correctly.

In conjunction with its audit of HCFA's annual financial statements since
1996, the HHS OIG has conducted a nationwide study to estimate Medicare
fee-for-service improper payments.3 The statistically projectable results
cited in the OIG's study have provided valuable insights regarding the
extent of Medicare vulnerabilities. Results from the most recent study
indicate that, of the $169.5 billion in fiscal year 1999 Medicare
fee-for-service claim payments, an estimated $13.5 billion, or about 8
percent, was paid improperly. The magnitude of these estimated improper
payments has led to considerable concern regarding HCFA's efforts to protect
Medicare dollars as well as the need to obtain a better understanding of the
nature and extent of the problems.

To demonstrate a commitment to improving payment safeguards, in January
2000, HCFA reaffirmed its goal of reducing the Medicare fee-for-service
payment errors to 5 percent or less by the year 2002, about a 3 percent or
$5 billion reduction from fiscal year 1999 levels. However, without
definitive information on the extent of improper payments, including those
attributable to potential fraud and abuse,4 HCFA's ability to fully measure
the success of its efforts remains limited. Accomplishing this goal will
depend, in part, on HCFA's ability to further develop improper payment
measures to enable it to more effectively focus specific corrective actions.
In response to this need, HCFA has begun three projects intended to enhance
its understanding of improper payments and help it develop targeted
corrective actions.

Given the importance of Medicare to millions of beneficiaries and concerns
about the financial health of the program, you asked us to identify
structural problems that exist in the Medicare claims processing system
which contribute to inherent vulnerabilities resulting in erroneous Medicare
payments. Further, you asked us to focus our review on (1) what HCFA
proposals have been designed or initiated to measure Medicare improper
payments and (2) the status of these proposals and initiatives and how will
they enhance HCFA's ability to comprehensively measure improper Medicare
payments and the frequency of kickbacks, false claims (for example, billing
for services not provided), and other inappropriate provider practices.

Since 1990, we have designated Medicare as a high-risk program,5 recognizing
that the size of the program, its rapid growth, and its administrative
structure continue to present vulnerabilities that challenge HCFA's ability
to safeguard against improper payments, including those attributable to
fraud and abuse. Due to the broad nature of health care fraud and abuse, a
variety of detection methods and techniques--such as contacting
beneficiaries and providers and performing medical records reviews, data
analyses, and third party verification procedures--are being utilized to
uncover suspected health care fraud and abuse. Efforts to measure the extent
of improper payments, and ultimately to stem the flow of Medicare losses,
depend upon the use of an effective combination of these techniques.

The OIG's study to measure the extent of Medicare fee-for-service improper
payments was a major undertaking and, as we recently reported,6 the
development and implementation of the methodology (referred to as "current
methodology") it used as the basis for its estimates represent significant
steps toward quantifying the magnitude of this problem. It is important to
note, however, that this methodology was not intended to and would not
detect all potentially fraudulent schemes perpetrated against the Medicare
program. For example, because the methodology generally assumes that medical
records received for review are valid and thus represent actual services
provided, improper payments supported by falsified documentation may go
undetected. Rather, it was designed to provide users of HCFA's financial
statements with an initial estimate of Medicare fee-for-service claims that
may have been paid in error and has served as a performance measure for the
program. However, given the size and complexity of the Medicare program, the
usefulness of this estimate as a tool for targeting specific corrective
actions is limited.

HCFA has initiated three projects designed to enhance its ability to measure
the extent of Medicare fee-for-service improper payments. Two of these
projects are designed to improve the precision of future improper payment
estimates and help develop corrective actions to reduce losses; however,
like the current methodology, they are not specifically designed to identify
and measure the extent of improper payments attributable to potential fraud
and abuse. The third project, while still in the concept phase, will test
the viability of using a variety of investigative techniques to develop a
potential fraud and abuse rate. Expanding the scope of these projects to
include additional potential fraud and abuse identification techniques would
enhance HCFA's ability to more comprehensively measure the nature and extent
of Medicare fee-for-service improper payments and the usefulness of these
efforts for developing solutions.

Determining the most appropriate combination of improper payment
identification techniques to incorporate into measurement efforts requires
careful evaluation. Some techniques may be challenging to implement, such as
contacting beneficiaries due to difficulties in locating them. Further,
efforts to measure improper payments may seem expensive, and maximizing the
value of administrative resources used to accomplish this task will depend
on HCFA's ability to apply the most effective detection techniques most
efficiently. Given the size and vulnerability of the Medicare program,
however, these represent prudent, needed investments toward creating more
sophisticated controls to help ensure program integrity.

HCFA has been a leader among other federal agencies in its efforts to
measure the extent of improper payments and we support the efforts it has
taken thus far. Further, considering the challenges associated with
identifying and measuring improper payments, the HCFA projects discussed in
this report represent important steps toward advancing the usefulness of its
improper payment measurement efforts. However, we believe HCFA's efforts to
measure Medicare fee-for-service improper payments can be further enhanced
with the use of additional fraud detection techniques. Accordingly, we are
making recommendations designed to assist HCFA in its efforts to further
enhance its ability to measure the extent of losses emanating from Medicare
fee-for-service payments. In comments on a draft of this report, HCFA
generally agreed with our conclusions and recommendations. Further, HCFA
also discussed a number of efforts underway to promote program integrity
along with challenges HCFA faces in implementing additional fraud detection
techniques.

To fulfill our objectives, we analyzed the current methodology and HCFA's
three planned projects related to improper payment measurement; related
documents discussing the methodologies, designs, planned steps, and time
frames for implementation of these initiatives; our reports; and relevant
HHS OIG reports. We also interviewed HCFA officials and other recognized
experts in health care and fraud detection in academia, federal and state
government, and the private sector on the various types of improper payments
and the techniques used to identify and measure them. We requested comments
on a draft of this report from the HCFA Administrator or her designee. We
have incorporated any changes as appropriate and have reprinted HCFA's
response in appendix III. We performed our work from November 1999 through
June 2000 in accordance with generally accepted government auditing
standards. See appendix I for a more detailed discussion of our objectives,
scope, and methodology.

The Medicare program provides health care coverage to people 65 and over and
to some disabled persons.7 With total benefit payments of $201 billion in
fiscal year 1999, Medicare enrollment has doubled since 1967 to nearly 40
million beneficiaries today. Beneficiaries can elect to receive Medicare
benefits through the program's fee-for-service or managed care options. With
benefit payments of $169.5 billion in fiscal year 1999 and about 85 percent
of participating beneficiaries, the fee-for-service option represents the
most significant part of the program. The managed care option accounts for
the remaining $37 billion and 15 percent of participating beneficiaries. The
program comprises two components: Hospital Insurance or Medicare Part A
covers hospital, skilled nursing facility, home health, and hospice care;
Supplementary Medical Insurance, or Part B, covers physician, outpatient
hospital, home health, laboratory tests, durable medical equipment (DME),
designated therapy services, and some other services not covered by Part A.

HCFA has primary responsibility for administering the Medicare program.
HCFA's administration of the Medicare fee-for-service program is
decentralized. Each year, about 1 million providers enrolled in the program
submit about 900 million fee-for-service claims to over 50 Medicare
contractors for payment. In addition to processing these claims, contractors
help administer the Medicare program by managing the billions of dollars
used to pay those claims, protecting Medicare from fraud and abuse, and
providing education and services to beneficiaries and providers.

Ensuring the integrity of the Medicare fee-for-service program is a
significant challenge for HCFA and its Medicare claims administration and
program safeguard contractors8 and peer review organizations (PROs).9 They
are HCFA's front line defense against inappropriate payments, including
fraud and abuse, and should ensure that the right amount is paid to a
legitimate provider for covered and necessary services provided to eligible
beneficiaries. Except for inpatient hospital claims, which are reviewed by
the PROs, Medicare contractors perform both automated and manual prepayment
and postpayment medical reviews of Medicare claims. Various types of pre-
and postpayment reviews are available to contractors to assess whether
claims are for covered services that are medically necessary and reasonable.
These include automated reviews of submitted claims based on computerized
edits within contractors' claims processing systems, routine manual reviews
of claims submitted, and more complex manual reviews of submitted claims
based on medical records obtained from providers.

In addition to performing medical reviews of provider claims, Medicare
contractors employ fraud units specifically responsible for preventing,
detecting, and deterring Medicare fraud and abuse. They accomplish these
tasks by identifying program vulnerabilities; proactively identifying
incidents of fraud that exist within their service areas; and taking
appropriate actions on cases identified, including making referrals to law
enforcement officials. Also, fraud units develop and determine the factual
basis of allegations of fraud made by beneficiaries, providers, and other
sources.

Recent enactment of two legislative reforms--The Health Insurance
Portability and Accountability Act in 1996 (HIPAA), P.L. 104-191, and The
Balanced Budget Act of 1997 (BBA), P.L. 105-33--have helped HCFA's efforts
to protect against improper payments by providing opportunities to enhance
Medicare's antifraud and abuse activities. Specifically, in addition to
authorizing program safeguard activities to be performed by program
safeguard contractors, HIPAA established the Medicare Integrity Program,
which provides HCFA with assured levels of funding for Medicare program
safeguard activities. The five main types of program safeguard activities
include (1) medical reviews of claims, (2) determinations of whether
Medicare or other insurance sources have primary responsibility for
payment--referred to as Medicare as Secondary Payer (MSP), (3) audits of
cost reports, (4) identification and investigation of potential fraud cases,
and (5) provider education and training. Indeed, as we reported in August
1999,10 total program safeguard expenditures have increased for most of
these activities since 1995, with medical review experiencing the largest
overall increase. In that report, we noted that HCFA is emphasizing
prepayment claims reviews to promote correct claims payment, thereby helping
to avoid the difficulties of the "pay and chase" activities associated with
postpayment medical reviews. Similarly, BBA provides HCFA with additional
opportunities to enhance program integrity by providing HCFA more authority
to keep dishonest health care providers out of the Medicare program, exclude
providers who are found to be abusing the program, and impose monetary
penalties on providers as necessary.

HCFA's commitment to identifying fraud and abuse is articulated in its
Strategic Plan, which calls for aggressive action to minimize waste, fraud,
and abuse in the administration of its programs, including Medicare. HCFA
issued its Comprehensive Plan for Program Integrity in March 1999, which is
composed of 10 initiatives to focus efforts in two broad areas it considers
to have significant opportunities for improvement--improving HCFA program
integrity management and addressing service-specific vulnerabilities. These
and other initiatives are designed to help HCFA meet one of its program
integrity goals included in its Annual Performance Plan--to reduce the error
rate for all Medicare fee-for-service payments to 7 percent in fiscal year
2000 and 5 percent in fiscal year 2002.

Since 1990, we have designated the Medicare program as a high-risk area, and
it continues to be one today. Many of Medicare's vulnerabilities stem from
the overall size of the program, the broad range of services it provides,
and its rapid growth as well as other factors--such as previously reported
weaknesses associated with HCFA's decentralized administrative structure,
highly automated claims processing operations, and the voluminous, changing
billing codes used by providers to claim reimbursement--that result in an
increased risk of making inappropriate payments. These vulnerabilities make
the largest health care program in the nation a perpetually attractive
target for exploitation. Wrongdoers continue to find ways to dodge program
safeguards. The dynamic nature of fraud and abuse requires constant
vigilance and the development of increasingly sophisticated measures to
detect fraudulent schemes and protect the program.

Inherent Vulnerabilities for Improper Payments

Annually, about 1 million providers submit about 900 million fee-for-service
claims to Medicare contractors for payment. These claims cover a vast array
of services or supplies provided to millions of eligible beneficiaries,
including inpatient and outpatient hospital, skilled nursing facility, home
health, hospice, physician, laboratory, and other services and supplies;
durable medical equipment; and designated therapy. Obviously, performing
extensive reviews of all claims prior to payment to determine their
appropriateness would be cost prohibitive and inefficient. Therefore, HCFA
and its Medicare contractors rely on a combination of computerized edits and
pre- and postpayment reviews of selected claims to target their efforts for
detecting those that should not be paid.

However, contractors' efforts to prevent and detect improper payments are
challenged due to the sheer volume of claims they are required to process
and the need to pay providers promptly. Recognizing the difficulties
associated with the "pay and chase" aspects of recovering inappropriate
payments identified through postpayment reviews, HCFA is moving toward more
extensive use of prepayment reviews. Yet, despite the increase in prepayment
reviews performed, claims that should not be paid continue to be paid
incorrectly. Postpayment utilization and medical record reviews may catch
some errors but not all--creating opportunities for unscrupulous providers
and suppliers to defraud the program. For example, while performing the
current methodology for fiscal year 1998 claims, OIG auditors identified
numerous errors resulting in the improper payment of a complex claim
submitted by a provider who, according to OIG auditors, had a long history
of questionable billing practices. Although the provider's claims had been
subjected to extensive pre- and postpayment reviews, the claim paid in error
was submitted during a period when focused prepayment reviews of all claims
were not in effect. Further, according to OIG auditors, the improper payment
occurred as a result of the provider altering a previously denied claim in
such a manner that allowed it to pass through the contractor's automated
prepayment edits without being rejected or flagged for manual review.

Since the Medicare program is the fastest growing sector of federal budget
outlays, these challenges are expected to continue. Currently, Medicare
accounts for about 10 percent of total federal revenues, and with the
retirement of the baby boom generation beginning around 2010, Medicare is
projected to grow rapidly, reaching 24 percent of total federal revenues in
2050. Therefore, absent improvements over internal controls, the potential
for additional or larger volumes of improper payments will be present.

Operations Foster Additional Risks for Improper Payments

HCFA's administration of the Medicare fee-for-service program is
decentralized and highly automated--relying on the combined efforts of
numerous external and internal entities and electronic data processing (EDP)
systems to meet its responsibilities for managing the program properly.
Managing these combined efforts presents significant challenges and places
significant reliance on the effectiveness of internal controls. Our previous
reports as well as those by the HHS OIG have consistently expressed concerns
regarding the effectiveness of internal controls related to HCFA's oversight
of the Medicare program and its EDP systems that create an increased risk
for improper payments occurring without prompt prevention or detection.

Effective oversight of the over 50 Medicare claims processing contractors
and their program safeguard efforts is vital to minimize improper payments
and ensure program integrity. HCFA carries out its oversight
responsibilities primarily through the efforts of its 10 regional offices.
Yet, our recent reports as well as recent OIG and financial statement audit
reports express concerns over the effectiveness of these oversight efforts.
In July 1999, based on our review of HCFA's oversight of its claims
processing contractors, we reported11 that, despite its efforts, HCFA's
oversight had significant weaknesses that left the agency without assurance
that contractors are paying providers appropriately. Further, we identified
two aspects of HCFA's organizational structure that created problems for
overseeing contractors effectively: dispersed central office responsibility
for contractor activities among seven components and indirect reporting
relationships between its 10 regional offices and the central office units
responsible for contractor performance. HCFA has developed a contractor
strategic plan and reorganized its contractor management activities so that
all contractors are assigned to one of four Consortium Contract Management
Offices which, according to HCFA officials, have staff with the expertise
needed to address contractor management and systems issues. These and other
measures have been designed to improve contractor oversight, but it is too
early to determine whether these changes have been sufficient to fully
address the identified weaknesses.

In connection with their audits of HCFA's annual financial statements, the
OIG and auditors from independent public accounting firms have consistently
found numerous weaknesses in the significant data processing operations at
both HCFA's central office and various contractor offices. These operations
process and maintain eligibility systems. To facilitate consistency in the
processing of fee-for-service claims, contractors use one of several
"shared" systems which perform various types of edits before authorizing the
payment of claims. In addition, claims are checked against the Common
Working File, consisting of seven distributed databases maintained
throughout the United States, where edits are performed for items such as
beneficiary eligibility, deductibles and limits, and duplicate payments. As
a result of their review of critical EDP controls to ensure the integrity,
confidentiality, and availability of Medicare data, auditors concluded that
weaknesses exist, such as unauthorized access to "shared" system source
codes and ability to implement local changes to programs used to process
claims, that do not effectively prevent activities possibly leading to
improper payments.

Inappropriate Payments

The use of incorrect billing codes is a problem faced both by public and
private health insurers. Medicare pays Part B providers a fee for each
covered medical service identified by the American Medical Association's
uniformly accepted coding system, called the physician's Current Procedural
Terminology (CPT). To be able to describe so many different services, the
coding system is voluminous and undergoes annual changes. As a result,
physicians and other providers may have difficulty identifying the codes
that most accurately reflect the services and products provided. Not only
can this lead providers to inadvertently submit improperly coded claims, it
can make it easier for unscrupulous individuals to deliberately abuse the
billing system. Due to the huge number of claims processed, the integrity of
the program, in part, relies on providers (1) being knowledgeable of proper
billing procedures and (2) only claiming medically necessary and covered
services or supplies that were actually provided to eligible beneficiaries.

The program's vulnerabilities have been compounded by the emergence of
organized groups of criminals who defraud and abuse Medicare. This has led
to an array of fraudulent schemes that are diverse and vary in complexity.
For example, based on our recent review of seven investigations of fraud or
alleged fraud, we reported that the criminal groups involved had created as
many as 160 sham medical entities--such as medical clinics, physician
groups, diagnostic laboratories, and durable medical equipment companies--or
used the names of legitimate providers to bill for services not provided.12

Medicare contractors and PROs are identifying thousands of improper payments
each year due to mistakes, errors, and outright fraud and abuse. They refer
cases of potential fraud and abuse to the OIG and Department of Justice
(DOJ) so they can investigate further, and if appropriate, pursue criminal
and civil sanctions. HCFA tracks the cases referred by Medicare contractors
and PROs to the OIG and DOJ in its Fraud Investigation Database (FID).13
Figure 1 shows the six most common types of potential fraud and abuse cases
in the FID and the relative frequency of these cases. Definitions of these
common types of fraud and abuse and examples are provided in appendix II.

Source: Prepared by GAO from data in HCFA's FID. We did not independently
verify this information.

We were unable to assess the level of actual or potential program losses for
the different types of potential fraud or abuse due to the limited financial
data in the FID. However, HCFA officials told us that while more complex
types of fraud or abuse, such as fraudulent cost reporting and kickback
arrangements, may be less frequent than other types, such cases often
involve significantly greater losses.

of Diverse Techniques

Given the broad nature of health care fraud and abuse, efforts to measure
its potential extent should incorporate carefully selected detection
techniques into the overall measurement methodology. With billions of
dollars at stake, health care fraud and abuse detection has become an
emerging field of study among academics, private insurers, and HCFA
officials charged with managing health care programs. A variety of methods
and techniques are being utilized or suggested to improve efforts to uncover
suspected health care fraud and abuse. Such variety is needed because one
technique alone may not uncover all types of improper payments.

Although the vast majority of health care providers and suppliers are
honest, unscrupulous persons and companies can be found in every health care
profession and industry. Further, fraudulent schemes targeting health care
patients and providers have occurred in every part of the country and
involve a wide variety of medical services and products. Individual
physicians, laboratories, hospitals, nursing homes, home health care
agencies, and medical equipment suppliers have been found to perpetrate
fraud and abuse.

Given the increasingly sophisticated and dynamic nature of health care fraud
and abuse, fraud and abuse detection is not an exact science. No matter how
sophisticated the techniques or the fraud and abuse audit protocols, not all
fraud and abuse can be expected to be identified. However, using a variety
of techniques holds more promise for estimating the extent of potentially
fraudulent and abusive activity and also provides a deterrent to such
illegal activity. Health care fraud experts and investigators have
identified techniques that can be used to detect fraudulent and abusive
activity--techniques currently performed by Medicare contractor medical
review and fraud units to detect potential fraud and abuse in the Medicare
fee-for-service program. Table 1 summarizes the most promising techniques
they identified along with some of their limitations.

 Medical record review: Doctors and nurses review medical records to assess
 whether the services billed were allowable, reasonable, medically
 necessary, adequately documented, and coded correctly in accordance with
 Medicare reimbursement rules and regulations.

 Limitations: Medical reviews may not uncover services that have not been
 rendered or billing for more expensive procedures when the medical records
 have been falsified to support the claim.
 Beneficiary contact: Verify that the services billed were actually
 received through contacting the beneficiary either in person or over the
 phone, or by mailing a questionnaire.

 Limitations: Beneficiary may be difficult to locate and not be fully aware
 of, or understand the nature of, all services provided. Contact may not
 reveal collusion between the beneficiary and provider to fraudulently bill
 for unneeded services or services not received. In some instances, medical
 necessity and quality of care may be difficult to judge.
 Provider contact: Visit provider to confirm that a business actually
 exists, that the activity observed supports the number of claims being
 submitted by the provider, and that medical records and other
 documentation support the services billed.

 Limitations: Provider contact may not reveal collusion between the
 provider and beneficiary to fraudulently bill for unneeded services or
 services not rendered. In some instances, medical necessity and quality of
 care may be difficult to judge.
 Data analysis: Examine provider and beneficiary billing histories to
 identify unusual or suspicious claims. Provider focused data analysis
 attempts to identify unusual billing, utilization, and referral patterns
 relative to a provider's peer group. Beneficiary focused data analysis
 looks for unusual treatment patterns such as visiting several different
 providers for the same ailment or claims for duplicate or similar
 services.

 Limitations: Data analysis may only identify the most flagrant cases of
 potential fraud and abuse because it relies on detecting unusual patterns
 relative to the norm. Application of additional techniques may be
 necessary to assess the appropriateness of unusual patterns identified.
 Third party contact/confirmation: Validate information relied on to pay
 claims with third parties to assist in identifying potential fraud and
 abuse. For example, verify that a provider is qualified to render medical
 services to Medicare beneficiaries through contacting state licensing
 boards or other professional organizations. Also, other entities, such as
 employers, private insurers, other governmental agencies (e.g., Internal
 Revenue Service, Social Security Administration, state Medicaid agencies)
 and law enforcement authorities represent valuable sources in determining
 the validity of claim payments when the reliability of data from primary
 sources (e.g., claims data, beneficiaries, and providers) is questionable.

 Limitations: Does not address utilization patterns, whether services were
 rendered, the need for services, or quality of services.

Consequently, health care experts and investigators also told us that
effective detection of potential fraud and abuse necessarily involves the
application of several of these techniques and considerable analysis,
especially for the more sophisticated types of billing schemes and kickback
arrangements. In addition, data on fraud referrals contained in the FID
indicate that information necessary for identifying potential Medicare fraud
and abuse comes from a variety of sources, as shown in figure 2. In
particular, these data and the fraud experts we spoke with suggest that
Medicare beneficiaries represent a valuable source for detecting certain
types of potential fraud and abuse, especially services not rendered. HCFA
officials told us that beneficiary complaints stem largely from the
beneficiaries' review of their explanation of Medicare benefit (EOMB)
statements received after a provider bills Medicare for health services and
supplies that are reportedly provided. These findings suggest that potential
fraud and abuse can only be comprehensively measured by effectively applying
a variety of investigation techniques using a variety of sources.

Source: Prepared by GAO from data in HCFA's FID and interviews with HCFA and
contractor officials. We did not independently verify information contained
in HCFA's FID.

The inherent vulnerabilities of the Medicare fee-for-service program have
fueled debate over how extensively the measurement of potential fraud and
abuse should be pursued to provide information that policymakers and HCFA
managers need to effectively target program integrity efforts. Implementing
the current methodology to estimate improper payments is a major undertaking
and represents an attempt to give HCFA a national estimate of payment
accuracy in the Medicare program. The current methodology focuses on
estimating Medicare payments that do not comply with payment policies as
spelled out in Medicare laws and regulations but does not specifically
attempt to identify potential fraud and abuse. In addition to the current
methodology, HCFA has three projects in various stages of development that
are designed to enhance the capability to uncover potential fraud and abuse
and help HCFA better target program safeguard efforts over the next few
years.

Potential Fraud and Abuse

The primary purpose of the current methodology is to provide an estimate of
improper payments that HCFA can use for financial statement reporting
purposes, and to the degree that it can measure improper payments, it has
served as a performance measure. The OIG is responsible for overseeing the
annual audit of HCFA's financial statements, as required by the Chief
Financial Officers Act of 1990 as expanded by the Government Management
Reform Act of 1994. The current methodology has identified improper payments
ranging from inadvertent mistakes to outright fraud and abuse. However,
specifically identifying potentially fraudulent and abusive activity and
quantifying the portion of the error rate attributable to such activity has
been beyond the scope of the current methodology.

The focus of the current methodology is on procedures that verify that the
claim payments made by Medicare contractors were in accordance with Medicare
laws and regulations. The primary procedures used are medical record reviews
and third party verifications. Medical professionals working for Medicare
contractors and PROs review medical records submitted by providers and
assess whether the medical services paid for were allowable, medically
necessary, accurately coded, and sufficiently documented. OIG staff perform
various procedures including third party verifications to ensure that health
care providers are in "good standing" with state licensing and regulatory
authorities and are properly enrolled in the Medicare program. They also
verify with the Social Security Administration (SSA) that the beneficiaries
receiving the services were eligible for them.

The OIG reported that the medical reviews conducted in the current
methodology have been the most productive technique for identifying improper
payments--detecting the overwhelming majority of the improper payments
identified.14 According to OIG officials, medical reviews have led to some
major prosecutions. In addition, some of the health care fraud experts we
talked with stated that such medical reviews are most effective in detecting
unintentional errors. They also told us that medical reviews are less
effective in identifying potentially fraudulent and abusive activity because
clever providers can easily falsify supporting information in the medical
records to avoid detection.

With respect to identifying potentially fraudulent or abusive activities,
OIG officials indicated that medical reviews performed during the current
methodology have resulted in referrals to its Investigations Office.
However, they acknowledge that the current methodology generally assumes
that all medical records received for review are valid and thus represent
actual services provided. In addition, they agree that additional improper
payments may have been detected had additional verification procedures been
performed, such as (1) confirming with the beneficiary whether the services
or supplies billed were received and needed and
(2) confirming the nature of services or supplies provided through on-site
visits and direct contact with current or former provider employees.
Recognizing the potential for abuse based on past investigations--such as
falsified certificates of medical necessity or where beneficiaries are not
"homebound," a requirement for receiving home health benefits--the OIG has
included face-to-face contact with beneficiaries and providers when
reviewing sampled claims associated with home health agency services.
Further, during the course of our review, OIG officials stated that they
will conduct beneficiary interviews when reviewing DME claims selected in
its fiscal year 2000 study. However, according to OIG officials, they have
not extended this or certain other techniques to the other numerous types of
claims included in its annual review because they consider them costly and
time-consuming.

Accordingly, the OIG recognizes that the current methodology does not
estimate the full extent of Medicare fee-for-service improper payments,
especially those resulting from potentially fraudulent and abusive activity
for which documentation, at least on the surface, appears to be valid and
complete. In fact, the OIG testified15 that its estimate of improper
payments did not take into consideration numerous kinds of outright fraud,
such as phony records or kickback schemes. To identify potential fraud, the
OIG also relies on tips received from informants and other investigative
techniques.

A secondary benefit that has been derived from the current methodology is
that it has prompted HCFA into developing additional strategies, as we
discuss later, for reducing the types of improper payments identified.
However, HCFA is limited in developing specific corrective actions to
prevent such payments because the current methodology only produces an
overall national estimate of improper payments. Having the ability to
pinpoint problem areas by geographic areas below a national level (referred
to as subnational), Medicare contractors, provider types, and services would
make improper payment measures a more useful management tool.

and Abuse Detection Capabilities

HCFA has two projects that center on providing it with the capability of
producing improper payment rates on a subnational and provider type
basis--the Comprehensive Error Rate Testing (CERT) project and the
surveillance portion of the Payment Error Prevention Program (PEPP). By
examining more claims, these projects are designed to improve the precision
of future improper payment estimates and provide additional information to
help develop corrective actions. However, since the methodologies associated
with the CERT and PEPP projects incorporate techniques for identifying
improper payments that are similar to those used in the current methodology,
the extent to which these two projects will enhance HCFA's potential fraud
and abuse measurement efforts is limited.

HCFA has a third project in the concept phase that will test the viability
of using a variety of investigative techniques to develop a potential fraud
rate for a specific geographic area or for a specific benefit type. This
project, called the Model Fraud Rate Project (MFRP), provides HCFA the
opportunity to pilot test more extensive detection techniques that, if
effective, could be incorporated into the other measurement methodologies to
improve the measurement and, ultimately, prevention of potential fraudulent
and abusive activity. Table 2 compares the scope and potential fraud and
abuse detection capabilities of the current methodology to the HCFA
projects.

The CERT project focuses on reviewing a random sample of all Part A and B
claims processed by Medicare contractors each year except inpatient
Prospective Payment System (PPS) hospital claims. It involves the review of
a significantly larger random sample of claims and thus, according to HCFA
officials, allows HCFA to project subnational improper payment rates for
each Medicare contractor and provider type. It is the largest of the
projects and is undergoing a phased implementation with a scheduled
completion date of October 2001. In addition to developing subnational error
rates, HCFA officials stated that the CERT project will also be used to
develop performance measures that will assist HCFA in monitoring contractor
operations and provider compliance. For example, CERT is designed to produce
a claim processing error rate for each contractor that will reflect the
percentage of claims paid incorrectly and denied incorrectly, and a provider
compliance rate that indicates the percentage of claims submitted correctly.

The PEPP project is similar to the CERT project and is designed to develop
payment error rates for the Part A inpatient PPS hospital claims not covered
by CERT. PEPP is designed to produce subnational error rates for each state
and for each PRO area of responsibility. Claim reviews under PEPP are
designed to be continual in nature, with results reported quarterly. HCFA
officials stated that the project is the furthest along in implementation,
with the first quarterly reports expected in September 2000. The contractors
and PROs implementing the project are expected to identify the nature and
extent of payment errors for these inpatient claims and implement
appropriate interventions aimed at reducing them.

After their full implementation, HCFA intends to develop a national improper
payment rate by combining the results of the CERT and PEPP projects. This
rate will be compared to the rate produced by the current methodology to
identify, and research reasons for, any significant variances among results.
While the national estimate will continue to provide valuable information
concerning the extent of improper payments, HCFA officials state that the
availability of reliable estimates at the subnational levels contemplated by
these efforts will greatly enhance the usefulness of these estimates as
management tools. For example, based on reports of extensive fraud and abuse
in Florida by the OIG, HCFA established a special satellite office in Miami
as part of its Operation Restore Trust in 1995. This effort has led to
numerous investigations and the identification of potentially fraudulent and
abusive activity emerging and existing in that area. Similarly, if
implemented correctly, the increased precision contemplated with the planned
measurement enhancements may indicate various "hot spots" of potential fraud
and abuse throughout the country, thereby increasing HCFA's ability to more
effectively focus its program integrity efforts.

While enhancing the precision of improper payment estimates will offer a
richer basis for analyzing causes and designing corrective actions,
conceptually, the MFRP holds the most promise for improving the measurement
of potential fraud and abuse. However, the Medicare contractor assisting
HCFA in developing this project is dropping out of the Medicare program in
September 2000 and has ceased work on the project. Efforts to date have
focused on developing a potential fraud rate for a specific locality and
specific type of Medicare service; however, HCFA intends to eventually
expand the scope of the project to provide a national potential fraud rate.
As currently conceived, the project involves studying the pros and cons of
using various investigative techniques, such as beneficiary contact, to
estimate the occurrence of potential fraud. HCFA officials informed us that
before the contractor ceased work on this project, it conducted a small
pilot test using beneficiary contact as a potential fraud detection
technique that identified some of the challenges HCFA will face in
implementing this technique. The results of the test are discussed later.

HCFA is seeking another contractor to take over implementation of the
project. The contractor eventually selected will be expected to produce a
report that identifies the specific potential fraud and abuse identification
techniques used, the effectiveness of the techniques in identifying
potential fraud and abuse, and recommendations for implementing the
techniques nationally. The contractor will also be expected to develop a
"how to manual" that Medicare contractors and other HCFA program safeguard
contractors (PSC) can use to implement promising techniques. HCFA officials
stated that promising techniques identified through MFRP could also be
exported to the CERT and PEPP projects and the current methodology to
enhance national and subnational estimates of potential fraud and abuse over
time.

of Potential Fraud and Abuse

Collectively, HCFA's projects do not comprehensively attempt to measure
potential fraud and abuse or evaluate the specific vulnerabilities in the
claims processing process that may be allowing fraud and abuse to be
perpetrated. Table 3 shows the limited use of selected identification
elements among the current methodology and the HCFA projects. The MFRP
project's scope, for example, does not include studying the viability of
making provider and supplier contact or using third party confirmations to
detect potential fraud and abuse.

Contacting beneficiaries and checking providers are valuable investigative
techniques used to develop potential fraud and abuse cases. For example,
California officials recently visited all Medicaid16 DME suppliers as part
of a statewide Medicaid provider enrollment effort and found that 40 percent
of the dollars paid to the suppliers was potentially fraudulent. The on-site
visits not only helped to identify the fraudulent activity, but also to
obtain sufficient evidence to support criminal prosecutions for fraud. Since
Medicare also covers DME supplies for eligible beneficiaries, the problems
found during this effort indicate that similar risks could exist for
potential fraud and abuse in the Medicare program.17

aThe CERT and PEPP projects also provide for estimates of improper payments
at the subnational and provider type levels.

bThe scope of the MFRP is still conceptual. Efforts to date have focused on
developing a potential fraud rate for specific benefit types and specific
localities and to eventually expand efforts to provide a national rate.

cErrors can be classified in many ways; table 3 shows two types of
categories. For example, cause classifications may include inadvertent
billing errors or possible fraud and abuse errors. Type categories may
include documentation errors or lack of medical necessity errors.

dMethodology includes face-to-face contact with beneficiaries and providers
for home health agency claims only.

eOther than requests for medical records.

fThird party contact/confirmation, for example, may include contact with
state licensing boards or other professional organizations to verify
provider standing. This example represents only one of the numerous methods
of utilizing third party confirmation to identify improper payments.

gSee table 1 for a discussion of data analysis techniques for detecting
potential fraud and abuse.

hOIG officials recently told us that each year at the end of the their
review, after all data has been entered in their national database, they
profile each provider type in the claims sample.

Including an assessment of the likely causes of specific payment errors
could help HCFA better develop effective strategies to mitigate them. The
current methodology classifies errors by type, such as lack of documentation
or medically unnecessary services, which is used to show the relative
magnitude of the problems. Knowing the relative magnitude of a problem
offers perspective on what issues need to be addressed. For example, based
on its review of errors identified in the current methodology, HCFA recently
issued a letter to physicians emphasizing the need to pay close attention
when assigning CPT codes and billing Medicare for two closely related, yet
differing, types of evaluation and management services.

Further analysis of identified improper payments that provide additional
insights into possible root causes for their occurrence is essential for
developing effective corrective actions. For example, if errors are
resulting from intentionally abusive activity, specific circumstances or
reasons that permit the abuse to be perpetrated can be analyzed to develop
and implement additional prepayment edits to detect and prevent their
occurrence. In this regard, we have long advocated enhancing automated
claims auditing systems to more effectively detect inappropriate payments
due to inadvertent mistakes or deliberate abuse of Medicare billing
systems.18 Also, developing or strengthening specific enforcement sanctions
offer an additional tool to deter providers or suppliers from submitting
inappropriate claims.

Likewise, numerous individuals and entities are involved throughout the
entire Medicare claims payment process, including providers, suppliers,
employees (caregivers, clerks, and managers), Medicare claims processing
contractors, HCFA, beneficiaries (and their relatives), and others.
Interestingly, in its review of Illinois Medicaid payments,19 the Illinois
Department of Public Aid (IDPA) determined that over 45 percent of the
errors it identified were inadvertent or caused by the IDPA itself during
the process of approving services or adjudicating claims, and that 55
percent appeared to be caused by questionable billing practices. IDPA
officials told us that having a clear understanding of the root causes for
these errors has been instrumental in developing effective corrective
actions. Similarly, attributing the causes of Medicare fee-for-service
improper payments to those responsible for them could provide HCFA with
useful information for developing specific corrective actions.

Certain third party validation techniques are included and have been
successfully implemented in the current methodology. For example, OIG staff
confirm a provider's eligibility to bill the Medicare program by contacting
state licensing boards to ensure that the doctors billing Medicare have
active licenses. They also verify with SSA that beneficiaries are eligible
to receive medical services under the Medicare program. However, as
currently conceived, none of the HCFA projects include third party contact
as a potential fraud detection technique.

Careful Study and Additional Resources

The experiences of recent efforts to apply more aggressive fraud detection
techniques coupled with our discussions with patient and provider advocacy
groups indicate that finding successful protocols for implementing some
detection techniques may require careful study. Our review of three studies
that have attempted to use beneficiary contact as a measurement device--the
MFRP and two Medicaid studies in Texas and Illinois--indicate that, while
useful, it is a challenging technique to implement.

ï¿½ The initial contractor for the MFRP conducted a small pilot test using
beneficiary contact to verify Medicare billed services and found that making
contact was more difficult than anticipated. Telephone contact was the most
cost-effective approach for contacting beneficiaries, but the contractor
could reach only 46 percent of them due to difficulty in obtaining valid
phone numbers and difficulty in actually talking to the beneficiary or his
or her representative once a valid number was located. Using more costly and
time-consuming approaches, such as mailing written surveys and conducting
face-to-face interviews only increased the success rate to 64 percent. To
maximize the effectiveness of these alternative approaches, the contractor
noted that it was important to obtain valid addresses and ensure that the
written survey instrument was concise, easy to understand, and easy to
complete so that the beneficiaries would take the time to respond.

ï¿½ The state of Texas experienced similar difficulties contacting Medicaid
recipients in a recent statewide fraud study.20 Telephone numbers for more
than half of the 700 recipients that the state attempted to contact were not
available or were incorrect. The state attempted to make face-to-face
contact if telephone contact was not possible, and by the study's end, over
85 percent of the recipients were contacted. The state concluded that
contacting a recipient by telephone is the only cost-effective way to verify
that services had been delivered. It also found that delays in making
contact could affect the results since recipients' ability to accurately
recall events appeared to diminish over time.

ï¿½ For the Illinois Medicaid study, the IDPA found other problems in using
beneficiary contact as a detection technique in the payment accuracy study
of its program.21 Department investigators met with almost 600 recipients or
their representatives to verify that selected medical services had been
received. The investigators found that while recipient interviews were an
overall useful step in the study's methodology, they did not always produce
the desired results. For example, investigators found cases where caretaker
relatives could not verify the receipt of services. They also found other
cases where recipients were unaware of the services received, such as lab
tests, or could not reliably verify the receipt of services because they
were mentally challenged.

Illinois officials involved with implementing the Medicaid study told us
that direct provider contact is also challenging. For example, an important
consideration is whether or not to make unannounced visits. According to the
Illinois officials, unannounced visits can be disruptive to medical
practices and inappropriately harm the reputations of honest providers by
giving patients and staff the impression that suspicious activities are
taking place. Announced visits, on the other hand, can give the provider
time to falsify medical records, especially if they know which medical
records are going to be reviewed. The Illinois officials resolved this
dilemma by announcing visits 2 days in advance and requesting records for 50
recipients so it would be difficult for the provider to falsify all the
records on such short notice.

Data on fraud referrals included in HCFA's FID indicates that health care
providers and beneficiaries represent important sources for identifying
improper payments, particularly for certain types of potential fraud and
abuse. Moreover, the application of more extensive fraud detection
techniques into efforts to measure improper payments will require their
cooperation. Our discussions with patient and health care provider advocacy
groups indicated they may oppose the application of more extensive detection
techniques due to concerns with violating doctor-patient confidentiality,
protecting the privacy of sensitive medical information, and added
administrative burdens. For example, officials from the Administration on
Aging, an HHS operating division, told us that they discourage elders from
responding to telephone requests for medical and other sensitive
information. Similarly, the American Medical Association and American
Hospital Association emphasize the adverse impact that meeting what they
consider to be complex regulations and responding to regulatory inquiries
has on health care providers' ability to focus on meeting patient needs.
They also voiced concerns with the added cost that would have to be absorbed
by providers to comply with even more requests for medical information in an
era of declining Medicare reimbursements. Further, some of the health care
experts we talked with cautioned that there are practical limits to the
amount of potentially fraudulent and abusive activity that can be measured.
These experts emphasize that no set of techniques, no matter how extensive,
can be expected to identify and measure all potential fraud and abuse.
However, despite these concerns, compliance with reasonable efforts to
ensure that benefits are, in fact, paid properly is encouraged by
beneficiary advocacy groups. Further, various federal laws and regulations
put providers and Medicare beneficiaries on

notice that HHS and HCFA may require and use information from medical
records for certain purposes.22

In addition to beneficiary and provider contact, the health and fraud
experts we spoke with told us that validating the information that Medicare
contractors are relying on to pay claims, including provider and supplier
assertions concerning the appropriateness of those claims, with third
parties could also help to identify potential fraudulent or abusive
activity. The current methodology incorporates such procedures to confirm
providers' current standing with state licensing authorities and
beneficiaries' eligibility status with SSA. Other sources--such as
beneficiary employers, beneficiary relatives or personal caregivers, State
Medicaid agencies, and employees of providers and suppliers--could also
offer useful information for assessing the appropriateness of claims.
However, determining the appropriate nature and extent of third party
verification procedures to incorporate into efforts to measure improper
payments should be considered carefully. Excluding third party verification
efforts, and therefore placing greater reliance on the accuracy of data
developed internally or provided independently, should be based on risks
determined through analysis of reliable indicators.

The Comptroller General's Standards for Internal Control in the Federal
Government23 stresses the importance of performing comprehensive risk
assessments and implementing control activities, including efforts to
monitor the effectiveness of corrective actions to help managers
consistently achieve their goals. While the annual cost of the current
methodology and the HCFA projects involve several million dollars, these
efforts represent a needed investment toward avoiding significant future
losses through better understanding the nature and extent of improper
payments--including potential fraud and abuse. As shown in table 2, the
current methodology costs $4.7 million, not counting the cost of medical
review staff time at contractors. PEPP is estimated to cost $7.5 million
annually, and CERT costs are expected to be over $4 million annually once
fully implemented. While these may seem to be expensive efforts, when
considered in relation to the size and vulnerability of the Medicare program
and the known improper payments that are occurring, they represent prudent,
needed outlays to help ensure program integrity.

In our recent report on improper payments across the federal government,24
we discussed the importance of ascertaining the full extent of improper
payments and understanding their causes to establish more effective
preventive measures and to help curb improper use of federal resources.
However, as we recently testified,25 HCFA's ability to protect against fraud
and abuse depends on adequate administrative funding. Therefore, in
developing effective strategies for measuring improper payments,
consideration of the most effective techniques to apply in the most
efficient manner is essential to maximize the value of administrative
resources. While HCFA faces significant challenges for ensuring the
integrity of the Medicare fee-for-service program, importantly, HCFA can use
the results of these efforts to more effectively assess corrective actions,
target high-risk areas, and better meet its role as steward of Medicare
dollars.

Measurement

HCFA plans to expand its efforts to measure Medicare improper payments by
assessing the usefulness of performing additional fraud detection techniques
with the MFRP. Meanwhile, since the current methodology and the CERT and
PEPP projects do not incorporate the use of some techniques considered
effective in identifying potential fraud and abuse, HCFA's ability to fully
measure the success of its efforts to reduce fraud and abuse remains
limited.

Health care fraud experts told us that the ability of these projects to
measure potential fraud and abuse are somewhat dependent on the nature,
extent, and level of fraud sophistication that may be involved. For example,
the introduction of beneficiary contact, in conjunction with other
techniques, should improve the ability to determine whether services were
actually rendered. However, if the beneficiary is a willing participant in
the potential fraud and abuse scheme, these additional techniques may not
lead to an accurate determination.

The size and administrative complexity of the Medicare fee-for-service
program make it vulnerable to inadvertent error and exploitation by
unscrupulous providers and suppliers. Given the billions of dollars that are
at risk, it is imperative that HCFA continue its efforts to develop timely
and comprehensive payment error rate estimates that can be used to develop
effective program integrity strategies for reducing errors and combating
fraud and abuse. The current methodology represented a significant first
step in obtaining such information, but the lack of key fraud and abuse
detection techniques limit its effective use as a management tool to
estimate potential fraud and abuse and ultimately achieve important program
integrity goals. HCFA's projects could collectively address some of the
limitations of the current methodology if properly executed, but do not
appear to go far enough. Expanding the scope of the Model Fraud Rate Project
to include studying provider visits and a more extensive assessment of the
cause of improper payments and other promising techniques could help HCFA
pinpoint additional high-risk areas and develop more effective corrective
actions. The implementation of more extensive detection techniques is bound
to be challenging and expensive, so using rigorous study methods and
consulting with the people affected, such as beneficiary and provider
advocacy groups, are essential steps to ensure success, as well as
considering the tangible and intangible benefits of using particular
techniques. Given the delays and potential challenges associated with
implementing the Model Fraud Rate Project, substantial improvements in the
measurement of improper payments, especially those stemming from potential
fraudulent and abusive activity, will probably not be realized for a few
years.

To improve the usefulness of measuring Medicare fee-for-service improper
payments, including those attributable to potential fraud and abuse, we
recommend that the HCFA Administrator take the following actions:

ï¿½ Experiment with incorporating additional techniques for detecting
potential fraud and abuse into methodologies used to identify and measure
improper payments and then evaluate their effectiveness. For example,
visiting providers to verify their existence, collecting medical records and
other documents supporting Medicare payments, observing the level of patient
activity, and inquiring about the nature of the provider's operations with
employees could provide valuable information to more accurately assess the
appropriateness of claim payments and causes of improper payments. Likewise,
inquiries with Medicare beneficiaries to verify receipt of and need for
services or supplies could provide similar insights. In determining the
nature and extent of additional specific procedures to perform, the overall
measurement approach should (1) recognize the types of fraud and abuse
perpetrated against the Medicare program, (2) consider the relative risks of
potential fraud or abuse that stem from the various types of claims, (3)
identify the advantages and limitations of common fraud detection techniques
and use an effective combination of these techniques to detect improper
payments, and (4) consider, in consultation with advocacy groups, concerns
of those potentially affected by their use, including beneficiaries and
health care providers.

ï¿½ Include in the methodologies' design, sufficient scope and evaluation to
more effectively identify underlying causes of improper payments, including
potential fraud and abuse, in order to develop appropriate corrective
actions.

HCFA's written comments are reprinted in appendix III. HCFA agreed with our
recommendations and discussed additional techniques it is developing to
detect potential fraud and abuse. The Administrator described some
techniques outlined in this report that HCFA currently performs, such as
conducting site visits as part of its provider enrollment process as well as
the challenges associated with their use. Performing these activities in
conjunction with on-going program integrity efforts is important. However,
the Administrator's comments and our report highlight the challenges
involved in incorporating additional potential fraud and abuse
identification efforts into initiatives to measure Medicare improper
payments. Nevertheless, despite the challenges they pose, adding these
techniques is essential to gain a more comprehensive assessment of the
nature, extent, and causes of their occurrence. The Administrator also
provided technical comments, which we incorporated in this report as
appropriate.

We are sending copies of this report to Representative John M. Spratt,
Ranking Minority Member of the House Committee on the Budget and interested
congressional committees. We are also sending copies of this report to the
Honorable Donna E. Shalala, Secretary, and the Honorable June Gibbs Brown,
Inspector General, Department of Health and Human Services; and the
Honorable Nancy-Ann Min DeParle, Administrator, Health Care Financing
Administration. Copies will be made available to others upon request.

Please contact me at (202) 512-4476 or by e-mail at [email protected] if
you have any questions about this report. Other GAO contacts and staff
acknowledgements are listed in appendix IV.
Gloria L. Jarmon
Director, Health, Education, and Human Services
Accounting and Financial Management Issues

Objectives, Scope, and Methodology

Our objectives were to identify structural problems that exist in the
Medicare claims processing system which contribute to inherent
vulnerabilities resulting in erroneous Medicare payments and to determine
(1) what HCFA proposals have been designed or initiated to measure Medicare
improper payments and (2) the status of these proposals and initiatives and
how will they enhance HCFA's ability to comprehensively measure improper
Medicare payments and the frequency of kickbacks, false claims, (e.g.,
services not provided) and other inappropriate provider practices.

Through interviews with health care fraud and investigation experts, we
gained an understanding of the vulnerabilities in the Medicare
fee-for-service program that create opportunities for improper payments,
especially those stemming from fraudulent and abusive activity, and the most
promising detection techniques to identify these payments. Specifically, we
talked with officials from the Department of Health and Human Service's
Office of the Inspector General (OIG) and Office of Investigations (OI),
Department of Justice (DOJ), Federal Bureau of Investigation (FBI), HCFA's
program integrity group, HCFA's Atlanta Regional Office unit specializing in
fraud detection efforts, a Medicare claims processing contractor,
Association of Certified Fraud Examiners, three private health insurance
organizations, National Health Care Anti-Fraud Association, Health Insurance
Association of America, three states in connection with their Medicaid
programs, and two academicians with notable fraud investigation experience.
We also reviewed various documents including HCFA and OIG Fraud Alerts,
prior GAO, OIG, and other studies on health care fraud and abuse,
particularly those related to the Medicare fee-for-service program.

We analyzed HCFA's Fraud Investigation Database (FID) to identify the most
common types of potential fraud referred to the OI and DOJ for further
investigation and possible criminal and civil sanctions. We also analyzed
the FID to determine the most frequent sources for identifying potential
fraud. The FID was created in 1995, but has data on fraud referral going
back to 1993. We did not attempt to validate the database.

Through interviews with HCFA Program Integrity Group officials and reviews
of HCFA documentation, including program integrity plans, project
descriptions, statements of work, and requests for proposals, we identified
and determined the status of HCFA projects that could improve the
measurement of Medicare fee-for-service improper payments.

To assess the potential effectiveness of the techniques planned for the HCFA
projects for identifying improper payments attributable to potential fraud
and abuse, we (1) performed a comparative analysis of common types and
sources of referrals of fraud and abuse occurring in the Medicare program,
the types of techniques identified by investigative experts as most
effective for identifying them, and the extent to which identified
techniques are incorporated in the respective methodologies and (2)
discussed the results of our analysis with officials in HCFA's Program
Integrity Group and OIG.

To gain an understanding of how the implementation of additional procedures
to identify and measure improper payments attributable to potential fraud
and abuse could affect providers, suppliers, and recipients of health care
services and supplies, we interviewed officials from patient and health care
provider advocacy groups, including the American Medical Association,
American Hospital Association, HHS Administration on Aging, American
Association of Retired Persons, and the Health Care Compliance Association.

We requested comments on a draft of this report from the HCFA Administrator
or her designee. We have incorporated any changes as appropriate and have
reprinted HCFA's response in appendix III. We performed our work from
November 1999 through June 2000 in accordance with generally accepted
government auditing standards.

Definitions and Examples of Common Types of Potential Fraud and Abuse
Referrals

As the category indicates, cases involving billing for services not rendered
occur when health care providers bill Medicare for services they never
provided. Potential fraud and abuse is usually detected by statements
received from the provider's patients or their custodians and the lack of
supporting documents in the medical records.

For example, a provider routinely submitted claims to Medicare and CHAMPUS26
for cancer care operations for services not rendered or not ordered; upcoded
procedures, as defined below, to gain improper high reimbursement; and
double billed Medicare for certain procedures. As a result of the fraudulent
submissions, the provider allegedly obtained millions of dollars to which it
was not entitled.

Cases involving medically unnecessary services, supplies, or overutilization
occur when providers or suppliers bill Medicare for items and services that
are not reasonable and necessary for the diagnosis and treatment of illness
or injury or to improve the functioning of a body part. They include
incidents or practices of provider, physicians, or suppliers of services
that are inconsistent with accepted sound medical practices, directly or
indirectly resulting in unnecessary costs to Medicare, improper payments, or
payments for services that do not meet professionally recognized standards
of care or are not medically necessary.

For example, a provider ordered magnetic resonance imaging tests and
neurological tests and investigators questioned whether the tests were
medically necessary and whether the neurological tests were actually
performed. Most of the tests were performed on patients who responded to the
provider's advertisements in the yellow pages. After a 5 to 10 minute
consultation, the provider would diagnose almost every patient with the same
disorder − radiculopathy, a disease involving compression of, or
injury to the roots of spinal nerves.

of Medical Necessity (CMNs)/Other Documents

Medicare publishes coverage rules on what goods and services the program
will pay for and under what circumstances it will pay or not pay for certain
goods and services. Providers sometimes bill Medicare, showing a billing
code for a covered item or service when, in fact, a noncovered item or
service was provided. Further, providers sometimes intentionally falsify
statements or other required documentation when asked to support payments
for claimed services or supplies. In particular, investigators have
determined that falsification of CMNs--documents evidencing appropriately
authorized health care professionals' assertions regarding the
beneficiaries' needs for certain types of care or supplies, such as home
health and hospice services or certain durable medical equipment--occur,
providing unscrupulous providers and suppliers additional opportunities to
abuse Medicare.

For example, a provider billed for an orthotic knee brace, when in fact the
provider was providing Medicare beneficiaries with nonelastic compression
garments and leggings. Although knee orthotics are reimbursed by Medicare
and Medi-Cal27 for a total of over $650 per brace, the nonelastic
compression garment is not reimbursed by Medicare. The total billings
totaled approximately $332,055.

One type of incorrect coding is called "upcoding." Upcoding cases result
from health care providers changing codes on claim forms submitted to
Medicare, causing reimbursements to be paid at higher rates than are
warranted by the service actually provided. Upcoding can also result from
providers billing for services actually provided by nonphysicians, which
would be paid at a lower reimbursement rate.

For example, a provider allegedly submitted false claims for services
provided by physicians in training and inflated (upcoded) claims in
connection with patient admissions services. The provider paid the U.S.
government $825,000 primarily to settle allegations resulting from an audit
performed by the HHS OIG. The audit was triggered by a lawsuit filed by
private citizens as authorized by the False Claims Act (31 U.S.C. sections
3729−3733).

Falsifying any portion of the annual report submitted by all institutional
providers participating in the Medicare program. The report is submitted on
prescribed forms, depending on the type of provider (e.g., hospital, skilled
nursing facility, etc.). The cost information and statistical data reported
must be current, accurate and in sufficient detail to support an accurate
determination of payments made for the services rendered.

For example, a provider billed Medicare for hundreds of thousands of dollars
for personal expenses disguised as legitimate healthcare expenses. The
personal expenses billed included an addition to a private home, vacations,
and beauty pageant gowns. The provider was fined over $500,000 for the
fraudulent billings.

Section 1128B of the Social Security Act, 42 U.S.C. sect. 1320a-7b(b), makes it
a felony to solicit, receive, offer, or pay a kickback, bribe, or rebate in
connection with the provision of goods, facilities, or services under a
federal health care program, including Medicare.

For example, a provider agreed to plead guilty to conspiracy, mail fraud,
and violating the anti-kickback provision and to pay $10.8 million in
criminal fines in connection with its scheme to defraud Medicare. The pleas
relate to kickbacks and false Medicare billings made in connection with the
provider's receipt of fees from another company for the provider's
management of certain home health agencies.

Comments From the Health Care Financing Administration

GAO Contacts and Staff Acknowledgments

Kay Daly, (202) 512-9312
Jim Kernen, (404) 679-1938

In addition to those named above, Shawn Ahmed, Aditi Archer, Bill Hamel, Don
Hunts, and Meg Mills made key contributions to this report.

(916315)

Table 1: Techniques for Detecting Potential Fraud and Abuse 16

Table 2: Comparison of HCFA Efforts to Measure Medicare Improper Payments 24

Table 3: Methodologies for Estimating Medicare Improper Payments 28

Figure 1: Fraud Investigation Database Statistics for Cases Referred,
1993 Through April 2000 14

Figure 2: Sources of Common Fraud and Abuse Referrals, 1993
through April 2000 18

  

1. Medicare Improper Payments: Challenges for Measuring Potential Fraud and
Abuse Remain Despite Planned Enhancements (GAO/T-AIMD/OSI-00-251 , July 12,
2000).

2. Financial Management: Increased Attention Needed to Prevent Billions in
Improper Payments (GAO/AIMD-00-10 , October 29, 1999).

3. The Chief Financial Officers Act of 1990, as expanded by the Government
Management Reform Act of 1994, requires 24 major departments and agencies,
including HHS, to prepare and have audited agencywide financial statements.
Major "components" of these 24 agencies, such as HCFA, may also be required
to have audited financial statements.

4. Because the ultimate determination of fraud and abuse involves legal
proceedings that often take several years to resolve, using information
about the causes of improper payments as soon as practical to develop ways
to address root causes would help to improve the effectiveness of management
efforts to increase accountability over federal assets. Attributing the
cause of improper payments to potential fraud and abuse recognizes this
limitation but still provides program managers and others meaningful, timely
information to develop the most effective solutions.

5. High-Risk Series: An Update (GAO/HR-99-1 , January 1999).

6. Efforts to Measure Medicare Fraud (GAO/AIMD-00-69R , February 4, 2000).

7. The 1965 legislation establishing Medicare originally covered people 65
and over. Legislation in 1972 broadened the program to cover certain
disabled people and those with permanent kidney failure.

8. The Health Insurance Portability and Accountability Act (HIPAA) of 1996
authorized HCFA to contract with entities for reviews of providers of
Medicare services. Contracts with these entities, referred to as program
safeguard contractors, are for the performance of medical review,
utilization review, fraud review, cost report audit, and other program
integrity support efforts.

9. PROs are independent physician organizations that review medical services
provided to Medicare beneficiaries in settings such as acute care and
specialty hospitals and ambulatory surgical centers for unreasonable,
unnecessary, and inappropriate care.

10. Medicare: Program Safeguard Activities Expand, but Results Difficult to
Measure (GAO/HEHS-99-165 , August 4, 1999).

11. Medicare Contractors: Despite Its Efforts, HCFA Cannot Ensure Their
Effectiveness or Integrity (GAO/HEHS-99-115 , July 14, 1999).

12. Criminal Groups in Health Care Fraud (GAO/OSI-00-1R , October 5, 1999).

13. The Fraud Investigation Database is a comprehensive nationwide system
devoted to Medicare fraud and abuse data accumulation. The system was
created in 1995, but contains data on potential fraud and abuse referrals
going back to 1993.

14. Improper Fiscal Year 1999 Medicare Fee-For-Service Payments, Department
of Health and Human Services, Office of Inspector General, February 2000,
A-17-99-01999.

15. July 17, 1997, testimony of the HHS Inspector General in a hearing
before the House Committee on Ways and Means, Subcommittee on Health,
entitled Audit of HCFA Financial Statements.

16. The Medicaid program represents the primary source of health care for
medically vulnerable Americans, including poor families, the disabled, and
persons with developmental disabilities requiring long-term care. Medicaid
is administered in partnership with the states pursuant to Title XIX of the
Social Security Act with combined state and federal medical assistance
outlays in fiscal year 1999 totaling $180.8 billion.

17. According to its Comprehensive Plan for Program Integrity, HCFA has
begun conducting routine on-site visits to DME suppliers seeking to enter
the Medicare program as part of its provider enrollment process.

18. Medicare Billing: Commercial System Could Save Hundreds of Millions
Annually (GAO/AIMD-98-91 , April 15, 1998) and Medicare Claims: Commercial
Technology Could Save Billions Lost to Billing Abuse (GAO/AIMD-95-135 , May
5, 1995).

19. Payment Accuracy Review of the Illinois Medical Assistance Program,
Illinois Department of Public Aid, August 1998.

20. Final Staff Draft Report on Health Care Claims Study and Comments from
Affected State Agencies, Texas Comptroller of Public Accounts, December
1998.

21. See footnote 19.

22. For example, section 1815(a) of the Social Security Act, 42 U.S.C. sect.
1395g(a), provides that payments shall not be made to any provider unless it
furnishes information the Secretary of HHS requests to determine the amounts
due the provider.

23. Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1 , November 1999).

24. Financial Management: Increased Attention Needed to Prevent Billions in
Improper Payments (GAO/AIMD-00-10 , October 29, 1999).

25. Medicare: HCFA Faces Challenges to Control Improper Payments
(GAO/T-HEHS-00-74 , March 9, 2000).

26. CHAMPUS, or the Civilian Health and Medical Program of the Uniformed
Services, is a fee-for-service health insurance program that pays for a
substantial part of the health care that civilian hospitals, physicians, and
others provide to nonactive duty Department of Defense beneficiaries.

27. The Medicaid program for the State of California is known as the
Medi-Cal program.
*** End of document. ***