Medicare: Covert Testing Exposes Weaknesses in the Durable	 
Medical Equipment Supplier Screening Process (03-JUL-08,	 
GAO-08-955).							 
                                                                 
According to the Department of Health and Human Services (HHS),  
schemes to defraud the Medicare program have grown more elaborate
in recent years. In particular, HHS has acknowledged Centers for 
Medicare & Medicaid Service's (CMS) oversight of suppliers of	 
durable medical equipment, prosthetics, orthotics, and supplies  
(DMEPOS) is inadequate to prevent fraud and abuse. Specifically, 
weaknesses in the DMEPOS enrollment and inspection process have  
allowed sham companies to fraudulently bill Medicare for	 
unnecessary or nonexistent supplies. From April 2006 through	 
March 2007, CMS estimated that Medicare improperly paid $1	 
billion for DMEPOS supplies--in part due to fraud by suppliers.  
Due to the committee's concern about vulnerabilities in the	 
enrollment process, GAO used publicly available guidance to	 
attempt to create DMEPOS suppliers, obtain Medicare billing	 
numbers, and complete electronic test billing. GAO also reported 
on closed cases provided by the HHS Inspector General (IG) to	 
illustrate the techniques used by criminals to fraudulently bill 
Medicare. On June 18, 2008, we briefed CMS representatives on the
results of our investigation. In response, they acknowledged that
our covert tests illustrate gaps in oversight that still require 
improvement and stated that they would continue to work to	 
strengthen the entire DMEPOS enrollment process.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-955 					        
    ACCNO:   A82715						        
  TITLE:     Medicare: Covert Testing Exposes Weaknesses in the       
Durable Medical Equipment Supplier Screening Process		 
     DATE:   07/03/2008 
  SUBJECT:   Accountability					 
	     Cost analysis					 
	     Documentation					 
	     Fraud						 
	     Health care cost control				 
	     Health care costs					 
	     Health care fraud					 
	     Health care programs				 
	     Health care services				 
	     Investigations into federal agencies		 
	     Medical equipment					 
	     Medical supplies					 
	     Medical technology 				 
	     Medicare						 
	     Program evaluation 				 
	     Program management 				 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     Corrective action					 
	     Waste, fraud, and abuse				 
	     durable medical equipment, prosthetics,		 
	     orthotics, and supplies (DMEPOS)			 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-955
This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Permanent Subcommittee on Investigations, Committee on 
Homeland Security and Governmental Affairs, U.S. Senate: 

United States Government Accountability Office: 

GAO: 

July 2008: 

Medicare: 

Covert Testing Exposes Weaknesses in the Durable Medical Equipment 
Supplier Screening Process: 

DME Supplier Convert Testing: 

GAO-08-955: 

GAO Highlights: 

Highlights of GAO-08-955, a report to the Permanent Subcommittee on 
Investigations, Committee on Homeland Security and Governmental 
Affairs, U.S. Senate. 

Why GAO Did This Study: 

According to the Department of Health and Human Services (HHS), schemes 
to defraud the Medicare program have grown more elaborate in recent 
years. In particular, HHS has acknowledged Centers for Medicare & 
Medicaid Serviceï¿½s (CMS) oversight of suppliers of durable medical 
equipment, prosthetics, orthotics, and supplies (DMEPOS) is inadequate 
to prevent fraud and abuse. Specifically, weaknesses in the DMEPOS 
enrollment and inspection process have allowed sham companies to 
fraudulently bill Medicare for unnecessary or nonexistent supplies. 
From April 2006 through March 2007, CMS estimated that Medicare 
improperly paid $1 billion for DMEPOS suppliesï¿½in part due to fraud by 
suppliers. 

Due to the committeeï¿½s concern about vulnerabilities in the enrollment 
process, GAO used publicly available guidance to attempt to create 
DMEPOS suppliers, obtain Medicare billing numbers, and complete 
electronic test billing. GAO also reported on closed cases provided by 
the HHS Inspector General (IG) to illustrate the techniques used by 
criminals to fraudulently bill Medicare. 

On June 18, 2008, we briefed CMS representatives on the results of our 
investigation. In response, they acknowledged that our covert tests 
illustrate gaps in oversight that still require improvement and stated 
that they would continue to work to strengthen the entire DMEPOS 
enrollment process. 

What GAO Found: 

Investigators easily set up two fictitious DMEPOS companies using 
undercover names and bank accounts. GAOï¿½s fictitious companies were 
approved for Medicare billing privileges despite having no clients and 
no inventory. CMS initially denied GAOï¿½s applications in part because 
of this lack of inventory, but undercover GAO investigators fabricated 
contracts with nonexistent wholesale suppliers to convince CMS and its 
contractor, the National Supplier Clearinghouse (NSC), that the 
companies had access to DMEPOS items. The contact number GAO gave for 
these phony contracts rang on an unmanned undercover telephone in the 
GAO building. When NSC left a message looking for further information 
related to the contracts, a GAO investigator left a vague message in 
return pretending to be the wholesale supplier. As a result of such 
simple methods of deception, both fictitious DMEPOS companies obtained 
Medicare billing numbers. The following figure contains a redacted 
acceptance letter GAO received from CMS. 

Figure: CMS Approval Letter for GAO's Fictitious DMEPOS Company: 

This figure is a picture of a CMS approval letter for GAO's fictitious 
DMEPOS company. 

[See PDF for image] 

Source: CMS. 

[End of figure] 

After requesting an electronic billing enrollment package and obtaining 
passwords from CMS, GAO investigators were then able to successfully 
complete Medicareï¿½s test billing process for the Virginia office. GAO 
could not complete test billing for the Maryland office because CMS has 
not sent the necessary passwords. However, if real fraudsters had been 
in charge of the fictitious companies, they would have been clear to 
bill Medicare from the Virginia office for potentially millions of 
dollars worth of nonexistent supplies. 

Once criminals have similarly created fictitious DMEPOS companies, they 
typically steal or illegally buy Medicare beneficiary numbers and 
physician identification numbers and use them to repeatedly submit 
claims. In one case from HHS IG, a company received $2.2 million in 
payments from Medicare for supplies and services that were never 
delivered. The owner submitted these fraudulent claims from March 2006 
through July 2006 using real beneficiary numbers and physician 
identification numbers that he had purchased illegally. The only 
employee not involved in the scheme was a secretary, who told HHS IG 
that there was no business activity in the office and that the owner 
was rarely there. Another case related to an individual who stole 
beneficiary numbers and physician identification numbers and submitted 
$5.5 million in claims for three fraudulent offices from October 2006 
through March 2007. He operated one of these offices out of a utility 
closet containing buckets of sand mix, road tar, and a large wrench, 
but no medical files, office equipment, or telephone. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-955]. For more 
information, contact Gregory D. Kutz at (202) 512-6722 or [email protected] 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Testing the Medicare Enrollment Process: 

Case Studies Provide Real Examples of Fraudulent DMEPOS Suppliers: 

Corrective Action Briefing: 

Conclusion: 

Appendix I: 25 Standards for Medicare Suppliers of Durable Medical 
Equipment, Prosthetics, Orthotics, and Supplies: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Figures: 

Figure 1: Timeline of Maryland DMEPOS Supplier Application and Approval 
Process: 

Figure 2: Maryland DMEPOS Supplier Approval Letter: 

Figure 3: Timeline of Virginia DMEPOS Supplier Application and Approval 
Process: 

United States Government Accountability Office: 

Washington, DC 20548: 

July 3, 2008: 

The Honorable Carl Levin: 
Chairman: 
The Honorable Norm Coleman: 
Ranking Member: 

Permanent Subcommittee on Investigations Committee on Homeland Security 
and Governmental Affairs United States Senate: 

Medicare, which is administered by the Department of Health and Human 
Services' (HHS) Centers for Medicare & Medicaid Services (CMS), helps 
pay for a variety of health care services and items on behalf of almost 
42 million elderly and certain disabled beneficiaries. According to 
HHS, schemes to defraud the Medicare program have grown more elaborate 
in recent years, resulting in the misuse of taxpayer dollars and the 
misdirection of funds intended to help beneficiaries. In particular, 
HHS has acknowledged that there are significant vulnerabilities in 
CMS's oversight of suppliers of durable medical equipment, prosthetics, 
orthotics, and supplies (DMEPOS). Specifically, weaknesses in the 
DMEPOS enrollment and inspection process have allowed sham companies to 
fraudulently bill Medicare for unnecessary or nonexistent supplies. For 
example, in December 2006, the HHS Inspector General (IG) randomly 
visited 1,581 DMEPOS suppliers in South Florida and found that almost 
one-third of them did not even have an office at the business address 
they provided Medicare, although they had collectively submitted claims 
for hundreds of millions of dollars worth of supplies. In part due to 
fraud by suppliers, CMS estimated that, from April 2006 through March 
2007, $1 billion of the $10 billion in payments Medicare made for 
DMEPOS supplies were improper. 

To prevent fraudulent DMEPOS suppliers from entering the Medicare 
program, CMS developed 25 standards that suppliers must meet to be 
authorized to bill Medicare for health care services and items that 
they provide to beneficiaries.[Footnote 1] These standards are intended 
to help ensure that suppliers are legitimate businesses and properly 
licensed within the states they operate. CMS contracts with the 
National Supplier Clearinghouse (NSC) to screen potential suppliers and 
enroll into the Medicare program only those that comply with all 25 
standards. NSC and its contractors are required to verify suppliers' 
compliance through on-site inspections and conduct other reviews, such 
as confirming that the supplier either has access to its own DMEPOS 
inventory or has a contract with a wholesaler. Once a DMEPOS supplier 
successfully completes this verification process, CMS sends the 
supplier an approval letter containing a Medicare billing number. To be 
able to submit claims to Medicare electronically, DMEPOS suppliers that 
opt to do their own billing also have to complete Medicare's test 
billing process using their billing number, Medicare beneficiary 
numbers, and ordering physician identification numbers.[Footnote 2] 

In 2005, we reported that NSC's efforts to verify compliance with the 
standards were insufficient because of weaknesses in procedures for 
checking state licensure and conducting on-site inspections.[Footnote 
3] As a result, CMS agreed to take a number of actions to strengthen 
NSC's verification procedures, including requiring NSC to conduct site 
inspections of DMEPOS suppliers' off-site inventory storage locations 
and of the wholesaler businesses that provide them with inventory 
through contracts.[Footnote 4] Despite these reported actions, you 
continue to be concerned that vulnerabilities in the DMEPOS enrollment 
process allow fraudulent suppliers to enroll in and ultimately bill 
Medicare. Therefore, we agreed to test CMS's processes by attempting to 
create fictitious DMEPOS suppliers, obtain Medicare billing numbers, 
and successfully complete electronic test billing. We also agreed to 
develop case studies to illustrate the techniques used by criminals in 
recent years to fraudulently bill Medicare for DMEPOS supplies. 

To complete our testing, we used publicly available guidance and 
software to open two DMEPOS suppliers. Because CMS has divided the 
country into four regions--or zones--we set up one company in Maryland 
(Zone A) and one in Virginia (Zone C) so that we could determine 
whether the contractors conducting the Medicare application review, 
including visits to the companies, followed consistent review steps in 
each zone. To appear legitimate, we also created a series of phony 
documents and company policies. We then submitted applications to CMS 
to obtain a Medicare billing number. To complete the test billing 
process, we used undercover, fictitious Medicare beneficiaries, as well 
as physician identification numbers that we found on the Internet. It 
is important to note that we only used this information to complete 
test billing; we did not compromise the provider status of any 
legitimate physicians or the status of actual beneficiaries by 
submitting actual claims using their identification information. To 
demonstrate how criminals use similar techniques, we worked with the 
HHS IG to identify recently closed DMEPOS supplier fraud cases. We 
performed our undercover operation from February 2007 through June 2008 
in accordance with guidelines established by the President's Council 
for Integrity and Efficiency. 

Results in Brief: 

CMS approved both of our fictitious, easily created DMEPOS storefronts 
despite the fact that we had no clients and no inventory. Even though 
CMS and NSC initially denied our applications in part due to this lack 
of inventory, they eventually accepted the phony contracts with 
wholesale suppliers we created. NSC performed limited verification to 
confirm the authenticity of these contracts. For example, the telephone 
number we gave for the wholesalers rang on an unmanned undercover 
telephone in the GAO building. When NSC's inspector left a message on 
the number looking for further information related to the contracts, a 
GAO investigator left a vague message in return pretending to be the 
wholesaler. As a result of such simple methods of deception, we 
obtained Medicare billing privileges and billing numbers for both 
companies, even though we had absolutely no means of supplying 
prospective clients with durable medical equipment. After requesting an 
electronic billing enrollment package and obtaining passwords from CMS, 
we were then able to successfully complete Medicare's test billing 
process for our Virginia office; we did not complete test billing for 
our Maryland office because we did not receive the necessary passwords 
from CMS by the close of our investigation in June 2008. Based on a 
review of case studies we obtained from HHS IG, we believe that, had 
our operation continued successfully, we could have fraudulently billed 
Medicare for substantial sums--potentially reaching millions of 
dollars. 

Once criminals similarly create fictitious DMEPOS companies, they 
typically steal or illegally buy Medicare beneficiary numbers and 
physician identification numbers and use them to repeatedly submit 
claims. In one closed case we obtained from HHS IG, a fraudulent 
company billed Medicare for $4.4 million in supplies and services that 
were never delivered, ultimately receiving $2.2 million in payments. 
The owner submitted these claims from March 2006 through July 2006 
using legitimate beneficiary numbers and physician identification 
numbers that he had purchased illegally. According to HHS, the only 
employee not involved in the scheme was a secretary, who told 
investigators that there was no business activity in the office and 
that the owner was rarely there. Another case relates to an individual 
who submitted $5.5 million in fraudulent claims from October 2006 
through March 2007. This individual purchased a DMEPOS company but then 
submitted claims using the original owner's identity, Medicare billing 
number, and beneficiaries in an attempt to avoid detection by CMS. At 
the same time, this individual was operating two additional fraudulent 
DMEPOS companies--one of them located in a utility closet containing 
buckets of sand mix, road tar, and a large wrench (but no medical 
files, telephone, or other office equipment). 

Background: 

Medicare's 25 supplier standards were introduced to deter individuals 
intent on committing fraud from entering the program and to safeguard 
Medicare beneficiaries by ensuring that suppliers were qualified. The 
25 standards apply to a variety of business practices and establish 
certain requirements and prohibitions (see app. I for a list of the 
standards). For example, the standards require suppliers to have a 
physical facility on an appropriate site that is accessible to 
beneficiaries and to CMS, with stated business hours clearly posted. 
The following are the most pertinent standards for the purposes of this 
report: 

* Standard 1: Operate business and furnish Medicare-covered items in 
compliance with all applicable federal and state licensure and 
regulatory requirements. 

* Standard 4: Fill orders for equipment or supplies using its own 
inventory or by contracting with other companies. If the supplier 
contracts with other companies, it must provide copies of the contracts 
upon request. 

* Standard 7: Maintain a physical facility that contains space for 
storing business records including the supplier's delivery, 
maintenance, and beneficiary communication records. 

* Standard 8: Permit CMS to conduct on-site inspections. In addition, 
the supplier's location must be accessible during reasonable business 
hours to beneficiaries and to CMS, and must maintain a visible sign and 
posted hours of operation. 

* Standard 9: Maintain a primary business telephone listed under the 
name of the business locally or toll-free for beneficiaries. 

* Standard 10: Have a comprehensive liability insurance policy in the 
amount of at least $300,000 that covers both the supplier's place of 
business and all customers and employees of the supplier. Failure to 
maintain required insurance at all times will result in revocation of 
the supplier's billing privileges retroactive to the date the insurance 
lapsed. 

* Standard 14: Must maintain and replace at no charge or repair 
directly, or through a service contract with another company, Medicare-
covered items it has rented to beneficiaries. The item must function as 
required and intended after being repaired or replaced. 

NSC verifies compliance with the 25 standards, primarily during 
enrollment and reenrollment, through on-site inspections conducted by 
subcontractors, and desk reviews conducted by NSC analysts. NSC 
requires that site inspectors arrive unannounced for any inspection. 
Before the inspection, NSC provides the inspectors with briefing 
information on the supplier, including information on whether the 
supplier is enrolling or reenrolling and the type of state licenses to 
verify. While on site, inspectors are expected to take photographs of 
the supplier's sign with its business name, posted hours of operation, 
complete inventory in stock, and facility. NSC also expects site 
inspectors to obtain copies of relevant documents, such as state 
licenses, comprehensive liability insurance policies, contracts with 
companies for inventory, and contracts for the service and maintenance 
of DMEPOS supplies. NSC analysts are expected to check that the 
supplier has all the state licenses that it would need to provide the 
items it disclosed in its application. The NSC analyst is also expected 
to contact the insurance underwriter to ensure that the supplier's 
policy is valid and the post office to make sure the supplier's address 
is listed. NSC also has a procedure to match data from its supplier 
database with computerized lists maintained by the federal government 
to ensure that supply company owners are not prohibited from 
participating in federal health care programs or debarred from federal 
contracting. 

In addition, suppliers submitting an enrollment application to NSC on 
or after March 1, 2008, must also be accredited by an approved 
organization prior to submitting the application. These accrediting 
organizations are supposed to ensure that prospective DMEPOS suppliers 
meet quality standards related to financial and human resource 
management, consumer management, product safety, product delivery, and 
beneficiary training, among others.[Footnote 5] DMEPOS suppliers that 
enrolled for the first time between January 1, 2008, and February 29, 
2008, must obtain accreditation by January 1, 2009. Suppliers that 
enrolled with Medicare before January 1. 2008, must obtain 
accreditation by September 30, 2009. Further, CMS is beginning to 
implement competitive bidding, which will change how suppliers obtain 
the right to participate in the program. Competitive bidding is a 
process in which suppliers of medical equipment and supplies compete 
for the right to provide their products on the basis of established 
criteria, such as quality and price. Competitive bidding provides CMS 
with the authority to select suppliers by screening their financial 
documents such as income statements and credit reports and other 
application materials. CMS has chosen suppliers to serve beneficiaries 
in 10 Metropolitan Statistical Areas and the program is scheduled to 
begin July 1, 2008. 

Apart from the competitive bidding program, as long as suppliers can 
demonstrate that they comply with all the standards and have not been 
excluded from participating in any federal health care program, NSC 
must enroll or reenroll them in Medicare. Enrolled suppliers are issued 
a Medicare billing number. If NSC discovers that a new applicant or 
enrolled supplier is not in compliance with any of the 25 standards, 
NSC can deny the application or, with CMS's approval, revoke the 
supplier's billing number.[Footnote 6] Suppliers whose applications 
have been denied or whose numbers have been revoked can submit a plan 
to NSC to correct the noncompliance, appeal the denial or revocation by 
requesting a hearing or both. 

In January 2008, CMS proposed creating five new standards and 
strengthening several of the existing standards.[Footnote 7] The new 
standards require most suppliers to be open to the public for at least 
30 hours per week and prohibit them from sharing an office with another 
supplier. They will also be required to maintain ordering and referring 
documentation received from physicians for 7 years. Finally, suppliers 
that have a federal or state tax delinquency will be prohibited from 
obtaining or retaining billing privileges. With regard to strengthening 
the existing standards, CMS will, among other things, require that 
suppliers maintain an office to store business records and will limit 
the use of cell phones, beeper numbers, pagers, and answering services 
as the primary DMEPOS business telephone number during posted hours of 
operation. 

Testing the Medicare Enrollment Process: 

After establishing two fictitious DMEPOS storefronts with no inventory 
and no clients, our undercover investigators were able to successfully 
complete the Medicare enrollment process. Although CMS and NSC 
initially requested corrections to our paperwork and then denied our 
applications because we failed to comply with 2 of the 25 standards, 
they never detected the fact that our companies were fictitious. After 
submitting corrective action plans addressing the standards we failed, 
both companies were approved for Medicare billing privileges and 
provided with billing numbers. These numbers, in conjunction with 
billing passwords and software, allowed us to successfully complete 
Medicare's test billing process for our Virginia office. Based on a 
review of case studies we obtained from HHS IG, we believe that, had 
our operation continued successfully, we could have fraudulently billed 
Medicare for substantial sums--potentially reaching millions of 
dollars. 

Creating Fictitious DMEPOS Companies: 

Prior to submitting applications to CMS to become approved DMEPOS 
suppliers, investigators easily set up two fictitious durable medical 
equipment companies during April and May 2007 using undercover names 
and bank accounts. Although we did not actually obtain any inventory, 
we decided that both companies would be generic medical supply 
companies, providing, among other things, commodes, diabetic supplies, 
surgical dressings, urinals and bedpans, walkers and canes, and manual 
wheelchairs. To appear legitimate, we rented 100 square foot commercial 
offices in both Maryland and Virginia. Both rentals cost approximately 
$1,000 per month and came complete with Internet, phone and fax 
service, and a shared secretary. We also set up fictitious Web sites, 
created brochures and business cards, and purchased a few "props" to be 
prepared for on-site inspections, including a wheelchair and bed pan. 

Our investigators for the most part followed the general procedures 
that any legitimate business would use to begin DMEPOS operations. 
First, they paid online registration companies about $400 per supplier 
to obtain required state business licenses, such as sales tax licenses. 
In addition, for each company, investigators obtained employer 
identification numbers (EIN) from the Internal Revenue Service (IRS) 
and National Provider Identification (NPI) numbers from CMS.[Footnote 
8] Investigators obtained both numbers for free online using basic 
information, such as the business name and address. 

To make sure that our companies would meet the requirements for DMEPOS 
suppliers as outlined in the 25 standards, we did the following. 

* We created phony contracts with two fictitious DMEPOS wholesale 
suppliers to demonstrate that we had the capacity to supply equipment 
and supplies to clients. We also established phone numbers for each 
fictitious wholesale supplier. In reality, these phone numbers were 
unmanned extensions in the GAO building. 

* We created signs for the office doors listing hours of operations and 
staffed the offices with undercover agents posing as sales 
representatives. 

* We purchased approximately $3 million worth of general liability 
insurance covering, among other things, property damage and employee 
injury, at a cost of $550 annually. 

Obtaining a Medicare Billing Number: 

The approval process for both applications[Footnote 9] was similar and 
the site inspections were even conducted by the same individual, who 
identified several discrepancies related to our office paperwork. Even 
though we corrected these discrepancies and submitted all required 
documentation, both of our applications were initially denied due to 
lack of compliance with two of the standards. In particular, even 
though we had already submitted our contracts with phony wholesale 
suppliers, CMS said that we did not demonstrate that we had the 
capacity to fill orders for equipment or supplies using our own 
inventory or by contracting with other companies, as per Standard 4. 
According to CMS, we also did not demonstrate that we could replace or 
repair the items we provided to beneficiaries, as per Standard 14. To 
comply with these two standards, we sent NSC corrective action plans 
that included repair policies and the same phony DMEPOS wholesale 
supplier contracts that we had previously submitted. CMS accepted this 
documentation as valid and approved both of our fictitious DMEPOS 
companies. In short, the subcontractors hired to review our 
applications ultimately focused on the technical and administrative 
completeness of our applications rather than attempting to determine 
whether we were running valid businesses. 

Maryland Application Review and Site Visits: The application review 
process for our fictitious Maryland DMEPOS company took approximately 9 
months, from the end of May 2007 until February 2008, when we received 
an approval letter from CMS containing a Medicare billing number. As 
shown in figure 1 and described in the following narrative, although 
NSC and its subcontractors identified several administrative 
discrepancies, they never uncovered the fact that our DMEPOS company 
was a fraudulent business. 

Figure 1: Timeline of Maryland DMEPOS Supplier Application and Approval 
Process: 

This figure is a timeline of Maryland DMEPOS supplier application and 
approval process. 

5/22: DMEPOS provider application sent to CMS/NSC; 

6/26: Facility site inspection by NSC contractor. Some documentation 
was not provided by undercover investigators during site visit and 
follow-up was required; 

8/17: Last communication with NSC to provide information for the 
application; 

10/8: Application rejected as of October 2, 2007; 

10/30: Mailed ï¿½Corrective Actionï¿½ plan to NSC for reconsideration of 
application; 

11/1: Closed physical office and began using ï¿½virtualï¿½ office; 

11/28: Undercover investigators left a message with NSC contractor 
claiming to be wholesale suppliers; 

2/4: NSC requested a confirmation of banking information; 

2/5: Sent NSC banking information; 

2/18: Received CMS letter stating that Maryland DMEPOS was approved for 
a Medicare billing number effective February 13, 2008; 

[See PDF for image] 

Source: GAO. 

[End of figure] 

As shown in the figure, we sent our application for review on May 22, 
2007. On June 26, 2007, a representative from a contractor hired by NSC 
to conduct inspections visited the office. The representative explained 
to our undercover investigator, who was posing as a salesperson, that 
the visit would be used to gather information needed to verify 
compliance with CMS's standards. Using a checklist, the representative 
asked questions about the company's return policy, how the items were 
going to be delivered, and whether we had a warehouse or if we would 
have items drop-shipped from a supplier. He also asked if any member of 
our fictitious owner's family was in the medical supply business, if 
the owner had any business partners, and if there were any investors. 
The representative also asked for copies of our state licenses, 
insurance policy, and other documentation. Our investigator was 
deliberately vague in his responses to the representative and did not 
provide the inspector with any of the requested documentation, telling 
the representative that the "owner" had all that information. 

The representative also took pictures of the office to make sure that 
the building was accessible to persons with disabilities. He asked for 
our insurance documentation and noted that it was missing the company's 
physical address. Finally, he mentioned that the business needed a sign 
in the office window identifying its location and hours. We did not 
have the hours posted because the building where our office was located 
had a policy prohibiting postings on office windows; however, the 
investigator told the representative that he would speak to the 
building managers and ensure that the hours were posted. The 
representative then presented our investigator with a site visit 
acknowledgement form and checked off the following eight documents that 
needed to be provided to NSC as required by the standards: 

* required licenses, including zoning, 

* complaint log, 

* complaint resolution protocol, 

* rental/purchase option agreement, 

* comprehensive liability insurance, 

* credit agreements or invoices, 

* proof of warranty coverage, and: 

* written instructions on beneficiary use. 

One day later, we sent NSC the information requested on the checklist. 
On July 17, 2007, NSC requested a full copy of the over 100 page 
insurance policy; we had sent an abbreviated version provided by our 
carrier after the site visit, but NSC wanted a complete copy. We 
immediately contacted the carrier and they agreed to send a complete 
copy directly to NSC. On August 15, 2007, NSC requested that we provide 
it with warranty information for DMEPOS rentals and we faxed the 
information on August 17. We had no further communication with NSC or 
the subcontractor who conducted the site visit until we called on 
October 3, 2007, requesting information about the status of our 
application. 

On October 8, we received a letter from CMS denying our application for 
a billing number because our company did not adhere to 2 of the 25 
standards. Specifically, even though we had already submitted our 
contracts with phony wholesale suppliers, CMS said that we did not 
demonstrate that we had the capacity to fill orders for equipment or 
supplies using our own inventory or by contracting with other 
companies, as per Standard 4. According to the letter, we also did not 
demonstrate that we could replace or repair the items we provided to 
beneficiaries, as per Standard 14. The letter also informed us that we 
could reopen our application by submitting a "corrective action plan" 
addressing our deficiencies within 90 days. As part of the corrective 
action plan, we sent NSC a repair policy and resubmitted our phony 
supplier contract on October 30, 2007. We also provided the contact 
numbers that we created for the wholesale suppliers and informed NSC 
that we had hired a full-time employee to take care of repair issues. 
On November 1, 2007, we closed down our physical office and switched to 
a "virtual office" in the same building, meaning that we no longer had 
designated office space but still had access to mail and fax services, 
the shared secretary, and meeting rooms. 

Although we were never questioned about our plan to correct our repair 
policy, NSC did call the undercover phone number we set up for our 
phony DMEPOS wholesale supplier in November and left a message 
requesting additional information. Posing as a representative for this 
wholesale supplier, an undercover investigator left a vague message in 
response but did not confirm the existence of a contract or a credit 
line. NSC never returned these calls or conducted any other followup. 
Over the next several months, we repeatedly called NSC and its 
subcontractors to determine the status of our application and 
corrective action plan. Each time, we were told that our application 
was still under review. Finally, on February 4, 2008, NSC requested a 
voided check or deposit slip to confirm our banking information so that 
we could be set up for electronic funds transfers. We provided the 
information the next day, and CMS approved our application and sent us 
a Medicare billing number in its approval letter dated February 13, 
2008 (see fig. 2). 

Figure 2: Maryland DMEPOS Supplier Approval Letter: 

This figure is a picture of Maryland DMEPOS supplier approval letter. 

[See PDF for image] 

Source: CMS. 

[End of figure] 

Virginia Application Review and Site Visit: The application review 
process for our fictitious Virginia DMEPOS company took approximately 6 
months, from the end of July 2007 until January 2008, when we received 
an approval letter retroactive to September 28, 2007, and a Medicare 
billing number. As shown in figure 3 and the following narrative, NSC's 
inspectors identified several discrepancies in our application and at 
our office but never uncovered the fact that our DMEPOS company was a 
fraudulent business. 

Figure 3: Timeline of Virginia DMEPOS Supplier Application and Approval 
Process: 

This figure is a timeline of Virginia DMEPOS supplier application and 
approval process. 

7/24: DMEPOS provider application sent to CMS/NSC; 

8/15: NSC stated that our application was incomplete; 

8/30: Final communication with NSC regarding incomplete information on 
our applications; 

9/18: Facility site inspection by NSC contractor. Some documentation 
was not provided by undercover investigators during site visit and 
follow-up was required; 

9/20: Faxed information to NSC as follow-up to site visit; 

10/4: Application rejected as of September 28, 2007; 

11/1: Closed physical office and began using ï¿½virtualï¿½ office; 

12/11: Mailed ï¿½Corrective Actionï¿½ plan to NSC for reconsideration of 
application; 

1/30: Received CMS letter stating the Virginia DMEPOS had been approved 
for a Medicare billing number effective September 28, 2007

[See PDF for image] 

Source: GAO. 

[End of figure] 

As shown in figure 3, we sent our application for review on July 24, 
2007. Although we complied with most of the application instructions, 
we did make several errors on the application. Specifically, we failed 
to provide copies of certain state licenses and certifications and did 
not check either "yes" or "no" when asked if we had any previous legal 
actions filed against the company or its owners. NSC detected these 
errors and on August 15, 2007, we received a letter stating that our 
application was incomplete. In addition, NSC requested clarification 
about our office location and requested a voided check or deposit slip 
to confirm our bank account so that we could be set up for electronic 
funds transfers. We corrected all these discrepancies by August 30, 
2007. 

NSC's representative, the same individual who inspected our Maryland 
office, inspected the site on September 18, 2007. As with the Maryland 
office, this individual used a simple checklist to conduct the 
inspection and asked for the same documentation, including licenses, 
insurance policy, complaint protocols, rental agreement, and 
instructions for beneficiary use of the supplies. This time, the 
undercover investigator immediately provided almost all the information 
requested. The representative provided a site acknowledgment form with 
just one missing item checked off: written instructions on beneficiary 
use/maintenance of supplies. We sent these instructions to NSC on 
September 20, 2007. 

On October 4, 2007, we received a letter from CMS denying our 
application for a billing number because our company did not adhere to 
2 of the 25 standards--the same standards we had failed to comply with 
in Maryland. Specifically, we did not demonstrate that we had the 
capacity to fill orders for equipment or supplies using our own 
inventory or by contracting with other companies, as per Standard 4. 
According to the letter, we also did not demonstrate that we could 
replace or repair the items we provided to beneficiaries, as per 
Standard 14. As in Maryland, we sent NSC our repair policy and 
resubmitted our phony wholesale supplier contract on December 11, 2007, 
as part of our corrective action plan to show compliance with the 
standards.[Footnote 10] Because our corrective action plans for the 
Maryland and Virginia offices were identical, we intentionally delayed 
sending our Virginia plan by several months so as not to arouse 
suspicion with NSC. We also provided the contact numbers that we 
created for the wholesale suppliers and informed NSC that we hired a 
full-time employee to take care of repair issues. 

To our knowledge, NSC did not do any further investigation and accepted 
the existence of the fictitious DMEPOS wholesale suppliers we created. 
On January 30, 2008, we received an approval letter and Medicare 
billing number. The letter stated that the effective date of the 
approval was retroactive to September 28, 2007--the date our 
application was initially denied. 

Completing Electronic Test Billing: 

After requesting an electronic billing enrollment package and obtaining 
passwords from CMS, we were able to successfully complete Medicare's 
often confusing test billing process for our Virginia office; we did 
not complete test billing for our Maryland office because we did not 
receive the necessary passwords from CMS by the close of our 
investigation in June 2008. Had we been real fraudsters, we could have 
fraudulently billed Medicare for substantial sums, potentially reaching 
millions of dollars. 

Although the Medicare approval letters we received contained billing 
numbers, they contained no instructions for how to begin the electronic 
billing process. Consequently, we had to do our own research on CMS and 
NSC Web sites in order to figure out that we needed to download billing 
enrollment packets so that we could be approved to submit electronic 
claims. We sent completed enrollment packets for both companies to 
CMS's contractor by the beginning of March 2008. These packets included 
billing applications, completed Electronic Data Interchange (EDI) 
agreements and software order forms, contact information, NPIs, and 
EINs for our two companies. We did not receive any further information 
related to the Maryland DMEPOS company. On March 13, 2008, we received, 
among other things, an electronic billing submitter identification 
number and password for the Virginia office. There were no instructions 
accompanying this information and it was not clear to which systems 
each applied. 

Using billing software downloaded from the Web, we began processing 
claims by entering fictitious dates of service, our undercover 
beneficiary information, DMEPOS item codes and charges, generic 
diagnosis codes, our billing numbers, and physician identification 
numbers that we found on the Internet.[Footnote 11] It is important to 
note that we only used the latter to complete test billing; we did not 
compromise the provider status of any legitimate physicians by 
submitting fraudulent claims using their identification information. We 
then submitted several completed claims to CMS for acceptance, but our 
first few attempts were rejected. Our undercover investigator called 
CMS's help desk for assistance and found that we had to input our 
billing number on one of CMS's billing-related Web sites.[Footnote 12] 
There had been no instructions in the billing packet indicating that 
this was a required step. Once we provided our billing number at the 
site, CMS approved our initial claims. As required by the electronic 
enrollment application, DMEPOS suppliers must submit a single test file 
with at least 25 claims that are 95 percent error-free in order to 
complete test billing. On May 14, 2008, we successfully submitted a 
file with 27 claims for $6,876.34 with no errors. 

Case Studies Provide Real Examples of Fraudulent DMEPOS Suppliers: 

As shown by four closed cases from South Florida that we obtained from 
the HHS IG, criminals use similar techniques to establish fictitious 
DMEPOS suppliers and then employ billing schemes to obtain millions of 
dollars in Medicare funds from the government. Specifically, once 
criminals have created fraudulent DMEPOS companies, they typically 
steal or buy Medicare beneficiary numbers and physician identification 
numbers in order to repeatedly submit claims. 

Case Study 1: The owner of this fraudulent company admitted to HHS that 
she started her DMEPOS company after working as a secretary for another 
fraudulent company. She rented an office in the same location as this 
company and worked with her former employer to obtain all the required 
state licenses. She also purchased fake invoices for DMEPOS equipment 
from another company to make it seem as though she was obtaining 
legitimate supplies from a wholesaler. In February 2005, she received 
her Medicare provider number and then provided her former employer with 
kickbacks in order to have access to Medicare beneficiary numbers. From 
January 1, 2006, through April 30, 2007, she submitted about $1.5 
million in claims to Medicare for supplies including urinary bags, 
tubing, canisters, and air mattresses. Ultimately, Medicare paid the 
company $372,286. The owner was indicted for health care fraud on 
September 11, 2007, and was convicted and sentenced on January 22, 
2008, to 30 months imprisonment and 3 years supervised release, and 
ordered to pay $372,286 in restitution. 

Case Study 2: This case relates to three fraudulent companies with the 
same owner. In October 2006, the owner bought a DMEPOS company that had 
been incorporated in August 2006 and used the original owner's 
identity, billing number, and beneficiaries to submit claims in an 
attempt to avoid detection by CMS. The new company used an address in 
Coral Gables but did not have a real office and did not serve 
customers. The owner also stole the personal identification numbers of 
licensed physicians. According to the HHS IG, these physicians did not 
have any involvement with the company and did not provide care or 
prescriptions related to the submitted claims. During the course of its 
investigation, HHS discovered that the owner had opened another 
fraudulent DMEPOS company. This company used a utility closet as its 
address--HHS investigators found buckets of sand mix, road tar, and a 
large wrench in the room, but no medical files, office equipment, or 
telephone. This time, the owner used a fictitious physician name and 
identification number to submit claims to CMS; CMS confirmed that this 
number should not have passed the initial computer system edit for 
payment. Finally, while conducting a financial analysis of the second 
company's bank account records, investigators found that the owner 
operated yet another fraudulent DMEPOS company. In total, from October 
2006 through March 2007, the owner submitted claims from these three 
companies in excess of $5.5 million and ultimately received about 
$77,000 from Medicare. In August 2007, the owner was sentenced to 37 
months in prison for conspiracy to commit health care fraud, ordered to 
pay over $70,000 in restitution, and made to forfeit his Miami home and 
Rolls Royce. 

Case Study 3: This company billed Medicare for $4.4 million dollars 
worth of supplies and services that were never delivered. These claims 
were submitted between March and July 2006 using real beneficiary 
numbers that the DMEPOS company owner had purchased illegally. 
Ultimately, Medicare paid approximately half of these claims ($2.2 
million). According to HHS IG records, the only employee not involved 
in the scheme was a secretary who told investigators that there was 
never any business activity in the office and that the owner rarely 
visited. She also stated that Medicare beneficiaries often called her 
to complain that they had received an explanation of benefits letter in 
the mail even though they did not receive any supplies or services. The 
Bank of America eventually filed a suspicious activity report as a 
result of the company's billing practices. The Federal Bureau of 
Investigation (FBI) and HHS IG subsequently determined that the owner 
stole the identities and physician identification numbers of practicing 
physicians to legitimize his fraudulent claims. The owner plead guilty 
to one count of health care fraud and on March 16, 2007, was sentenced 
to 4 years in prison and 3 years of probation, assessed a $100 fee, and 
ordered to pay $2.2 million in restitution. 

Case Study 4: The owner of this DMEPOS company operated a fictitious 
supply business out of an office connected to a real estate company and 
purchased real Medicare beneficiary numbers illegally for $45 each in 
order to submit claims. Through data mining, the HHS IG determined that 
the company displayed billing patterns that were highly consistent with 
known fraudulent practices. Specifically, the company owner used a 
small number of stolen physician identification numbers to submit 
numerous claims for expensive DMEPOS items that are typically used in 
fraudulent schemes, including motorized wheelchairs, wound therapy 
pumps, and infusion equipment. From July 2005 through October 2006, the 
DMEPOS company billed the Medicare program over $1 million and received 
over $500,000 in payments. On August 7, 2007, the owner was ordered to 
pay $702,186 in restitution to Medicare and was sentenced to 2 years in 
federal prison and 3 years of probation. 

Corrective Action Briefing: 

On June 18, 2008, we informed representatives from CMS about the 
results of our investigation. In response, they stated that they are 
implementing new supplier requirements, including the accreditation 
process and the revisions and additions to the 25 standards that were 
proposed in January 2008. They also acknowledged that our covert 
testing illustrates gaps in oversight that still require improvement 
and stated that they would continue to work to strengthen the entire 
DMEPOS enrollment process. 

Conclusion: 

Although CMS took actions to address our prior recommendations, we 
found that the fraud prevention controls in place during our 
investigation were not effective in preventing our fictitious DMEPOS 
companies from obtaining legitimate Medicare billing numbers and 
completing test billing. As indicated, CMS is currently taking 
additional actions to strengthen both the 25 standards and its 
oversight of the DMEPOS supplier enrollment process; however, these 
actions will only be successful if those tasked with ensuring 
compliance exercise due diligence when conducting screenings and 
inspections. Our covert tests clearly demonstrate that a simple 
paperwork review is not sufficient. Unless CMS and its contractors 
scrutinize suppliers to ensure that they are responsible, legitimate 
businesses, DMEPOS fraud will continue to cost taxpayers billions of 
dollars each year. 

As agreed with your offices, unless you announce the contents of this 
report earlier, we will not distribute it until 30 days from its date. 
At that time, we will send copies to the Administrator of CMS and other 
interested parties. In addition, the report will be available at no 
charge on the GAO Web site at [hyperlink, http://www.gao.gov]. 

Please contact me at (202) 512-6722 or [email protected] if you have any 
questions concerning this report. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. Key contributors are listed in appendix II. 

Signed by: 

Gregory D. Kutz: 

Managing Director: 
Forensic Audits and Special Investigations: 

[End of section

Appendix I: 25 Standards for Medicare Suppliers of Durable Medical 
Equipment, Prosthetics, Orthotics, and Supplies: 

Standard number: 1; 
Description of what a supplier must do: Operates its business and 
furnishes Medicare-covered items in compliance with all applicable 
Federal and State licensure and regulatory requirements. 

Standard number: 2; 
Description of what a supplier must do: Has not made, or caused to be 
made, any false statement or misrepresentation of a material fact on 
its application for billing privileges. (The supplier must provide 
complete and accurate information in response to questions on its 
application for billing privileges. The supplier must report to CMS any 
changes in information supplied on the application within 30 days of 
the change.) 

Standard number: 3; 
Description of what a supplier must do: Must have the application for 
billing privileges signed by an individual whose signature binds a 
supplier. 

Standard number: 4; 
Description of what a supplier must do: Fills orders, fabricates, or 
fits items from its own inventory or by contracting with other 
companies for the purchase of items necessary to fill the order. If it 
does, it must provide, upon request, copies of contracts or other 
documentation showing compliance with this standard. A supplier may not 
contract with any entity that is currently excluded from the Medicare 
program, any State health care programs, or from any other Federal 
Government Executive Branch procurement or nonprocurement program or 
activity. 

Standard number: 5; 
Description of what a supplier must do: Advises beneficiaries that they 
may either rent or purchase inexpensive or routinely purchased durable 
medical equipment, and of the purchase option for capped rental durable 
medical equipment, as defined in ï¿½ 414.220(a) of this subchapter. (The 
supplier must provide, upon request, documentation that it has provided 
beneficiaries with this information, in the form of copies of letters, 
logs, or signed notices.) 

Standard number: 6; 
Description of what a supplier must do: Honors all warranties expressed 
and implied under applicable State law. A supplier must not charge the 
beneficiary or the Medicare program for the repair or replacement of 
Medicare covered items or for services covered under warranty. This 
standard applies to all purchased and rented items, including capped 
rental items, as described in ï¿½ 414.229 of this subchapter. The 
supplier must provide, upon request, documentation that it has provided 
beneficiaries with information about Medicare covered items covered 
under warranty, in the form of copies of letters, logs, or signed 
notices. 

Standard number: 7; 
Description of what a supplier must do: Maintains a physical facility 
on an appropriate site. The physical facility must contain space for 
storing business records including the supplier's delivery, 
maintenance, and beneficiary communication records. For purposes of 
this standard, a post office box or commercial mailbox is not 
considered a physical facility. In the case of a multi-site supplier, 
records may be maintained at a centralized location. 

Standard number: 8; 
Description of what a supplier must do: Permits CMS, or its agents to 
conduct on-site inspections to ascertain supplier compliance with the 
requirements of this section. The supplier location must be accessible 
during reasonable business hours to beneficiaries and to CMS, and must 
maintain a visible sign and posted hours of operation. 

Standard number: 9; 
Description of what a supplier must do: Maintains a primary business 
telephone listed under the name of the business locally or toll-free 
for beneficiaries. The supplier must furnish information to 
beneficiaries at the time of delivery of items on how the beneficiary 
can contact the supplier by telephone. The exclusive use of a beeper 
number, answering service, pager, facsimile machine, car phone, or an 
answering machine may not be used as the primary business telephone for 
purposes of this regulation. 

Standard number: 10; 
Description of what a supplier must do: Has a comprehensive liability 
insurance policy in the amount of at least $300,000 that covers both 
the supplier's place of business and all customers and employees of the 
supplier. In the case of a supplier that manufactures its own items, 
this insurance must also cover product liability and completed 
operations. Failure to maintain required insurance at all times will 
result in revocation of the supplier's billing privileges retroactive 
to the date the insurance lapsed. 

Standard number: 11; 
Description of what a supplier must do: Must agree not to contact a 
beneficiary by telephone when supplying a Medicare- covered item unless 
one of the following applies: 

(i) The individual has given written permission to the supplier to 
contact them by telephone concerning the furnishing of a Medicare-
covered item that is to be rented or purchased; 
(ii) The supplier has furnished a Medicare- covered item to the 
individual and the supplier is contacting the individual to coordinate 
the delivery of the item; 
(iii) If the contact concerns the furnishing of a Medicare-covered item 
other than a covered item already furnished to the individual, the 
supplier has furnished at least one covered item to the individual 
during the 15- month period preceding the date on which the supplier 
makes such contact. 

Standard number: 12; 
Description of what a supplier must do: Must be responsible for the 
delivery of Medicare covered items to beneficiaries and maintain proof 
of delivery. (The supplier must document that it or another qualified 
party has at an appropriate time, provided beneficiaries with necessary 
information and instructions on how to use Medicare-covered items 
safely and effectively.) 

Standard number: 13; 
Description of what a supplier must do: Must answer questions and 
respond to complaints a beneficiary has about the Medicare-covered item 
that was sold or rented. A supplier must refer beneficiaries with 
Medicare questions to the appropriate carrier. A supplier must maintain 
documentation of contacts with beneficiaries regarding complaints or 
questions. 

Standard number: 14; 
Description of what a supplier must do: Must maintain and replace at no 
charge or repair directly, or through a service contract with another 
company, Medicare-covered items it has rented to beneficiaries. The 
item must function as required and intended after being repaired or 
replaced. 

Standard number: 15; 
Description of what a supplier must do: Must accept returns from 
beneficiaries of substandard (less than full quality for the particular 
item) or unsuitable items (inappropriate for the beneficiary at the 
time it was fitted and rented or sold) from beneficiaries. 

Standard number: 16; 
Description of what a supplier must do: Must disclose these supplier 
standards to each beneficiary to whom it supplies a Medicare-covered 
item. 

Standard number: 17; 
Description of what a supplier must do: Must comply with the disclosure 
provisions in ï¿½ 420.206 of this subchapter. 

Standard number: 18; 
Description of what a supplier must do: Must not convey or reassign a 
supplier number. 

Standard number: 19; 
Description of what a supplier must do: Must have a complaint 
resolution protocol to address beneficiary complaints that relate to 
supplier standards in paragraph (c) of this section and keep written 
complaints, related correspondence and any notes of actions taken in 
response to written and oral complaints. Failure to maintain such 
information may be considered evidence that supplier standards have not 
been met. (This information must be kept at its physical facility and 
made available to CMS, upon request.) 

Standard number: 20; 
Description of what a supplier must do: Must maintain the following 
information on all written and oral beneficiary complaints, including 
telephone complaints, it receives: 

(i) The name, address, telephone number, and health insurance claim 
number of the beneficiary; 
(ii) A summary of the complaint; 
the date it was received; 
the name of the person receiving the complaint, and a summary of 
actions taken to resolve the complaint; 
(iii) If an investigation was not conducted, the name of the person 
making the decision and the reason for the decision. 

Standard number: 21; 
Description of what a supplier must do: Provides to CMS, upon request, 
any information required by the Medicare statute and implementing 
regulations. 

Standard number: 22; 
Description of what a supplier must do: All suppliers of DMEPOS and 
other items and services must be accredited by a CMS-approved 
accreditation organization in order to receive and retain a supplier 
billing number. The accreditation must indicate the specific products 
and services, for which the supplier is accredited, in order for the 
supplier to receive payment for those specific products and services. 

Standard number: 23; 
Description of what a supplier must do: All DMEPOS suppliers must 
notify their accreditation organization when a new DMEPOS location is 
opened. The accreditation organization may accredit the new supplier 
location for three months after it is operational without requiring a 
new site visit. 

Standard number: 24; 
Description of what a supplier must do: All DMEPOS supplier locations, 
whether owned or subcontracted, must meet the DMEPOS quality standards 
and be separately accredited in order to bill Medicare. An accredited 
supplier may be denied enrollment or their enrollment may be revoked, 
if CMS determines that they are not in compliance with the DMEPOS 
quality standards. 

Standard number: 25; 
Description of what a supplier must do: All DMEPOS suppliers must 
disclose upon enrollment all products and services, including the 
addition of new product lines for which they are seeking accreditation. 
If a new product line is added after enrollment, the DMEPOS supplier 
will be responsible for notifying the accrediting body of the new 
product so that the DMEPOS supplier can be re-surveyed and accredited 
for these new products. 

[End of table] 

Source: 42 C.F.R. ï¿½ 424.57(c). 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory D. Kutz, (202) 512-6722 or [email protected]: 

Staff Acknowledgments: 

In addition to the individual named above, Matthew Harris, Assistant 
Director; Erika Axelson; Gary Bianchi; Valerie Blyther; Norman Burrell; 
Ray Bush; Shafee Carnegie; Jennifer Costello; Paul Desaulniers; Dennis 
Fauber; Craig Fischer; Janice Friedeborn; Jessica Gray; Ken Hill; 
Christine Hodakievic; Jason Kelly; Barbara Lewis; Christopher Madar; 
Jeffrey McDermott; Andrew McIntosh; Keith Steck; and Viny Talwar made 
key contributions to this report. 

[End of section] 

Footnotes: 

[1] See appendix I for a complete list of the standards. Three of the 
25 standards were created by a 1994 statute (42 U.S.C. ï¿½ 
1395m(j)(1)(B)(ii)), and HHS added 4 standards related to accreditation 
in 2006 that were mandated by Public Law 108-173. The other 18 
standards were established by regulation. The 25 standards are found at 
42 C.F.R. ï¿½ 424.57(c). 

[2] DMEPOS suppliers can choose to contract with third party billing 
agents who do not have to complete the test billing process because 
these agents have their own billing software. 

[3] GAO, Medicare: More Effective Screening and Stronger Enrollment 
Standards Needed for Medical Equipment Suppliers, GAO-05-656 
(Washington, D.C.: Sept. 22, 2005). 

[4] Among other things, CMS agreed to require NSC to check suppliers' 
licenses and liability insurance each year, require NSC to conduct out- 
of-cycle inspections, and require the inspection of beneficiary files. 

[5] The quality standards are available at [hyperlink, 
http://www.cms.hhs.gov/MedicareProviderSupEnroll/]. 

[6] First-time applicants for enrollment can be denied, while DMEPOS 
suppliers currently enrolled in the program that are renewing their 
applications for billing privileges may have their current billing 
numbers revoked. DMEPOS suppliers must renew their Medicare enrollment 
application every 3 years. 

[7] 73 Fed. Reg. 4503 (Jan. 25, 2008). 

[8] An EIN is issued to any person or company who must pay withholding 
taxes on employees, while an NPI is a unique identification number for 
covered health care providers and is required to enroll in Medicare. 

[9] The Medicare enrollment application was straightforward and easy to 
complete. In addition to supplying our business names, locations, 
mailing addresses, and phone numbers, we also had to state what type of 
supplier we were applying to be (e.g., an ambulatory surgical center; a 
nursing care facility; an oxygen supplier; or a medical supply company) 
and what type of products we were going to supply. We were also asked 
to provide information regarding any previous legal actions taken 
against our companies and their owners. Finally, we had to certify that 
we had made no false statements on the applications and that we would 
not knowingly present a fraudulent claim for payment. We were also 
asked to submit copies of all federal and state licenses, our liability 
insurance, and forms authorizing electronic funds transfer. 

[10] Prior to this date, on November 1, 2007, we closed down our 
physical office and switched to a "virtual office" in the same 
building. 

[11] As specified by the billing software, we first created a series of 
"reference files" containing all this information to facilitate 
processing. 

[12] When our claims were rejected, we received an error message which 
stated "NPI Not on Crosswalk." The help desk told us that we had to 
include our Virginia Medicare billing number in our NPI file on the 
National Plan and Provider Enumeration System Web site (NPPES) for our 
claims to be accepted. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***