The Role of EHRs in Healthcare FraudFormer Prosecutor Outlines the Potential Risks
Tackling medical ID theft by insiders intent on committing fraud requires a multi-pronged approach with a variety of controls tailored specifically to each organization, says former prosecutor Maureen Ruane.
"Every healthcare entity should have effective controls that are tailored to its particular business to prevent and identify medical ID theft," says Ruane, who has prosecuted dozens of healthcare fraud cases, in an interview with Information Security Media Group [transcript below].
Additionally, organizations should continuously monitor and refine those controls, she says.
Organizations should also work to make their employees aware of the controls and "that they're actively being monitored and the theft of medical IDs will not be tolerated," Ruane explains.
In the interview, Ruane also discusses:
- The most common types of healthcare fraud;
- How insurers can collaborate to identify fraud trends;
- Steps patients can take to prevent becoming a victim of ID theft or fraud.
Before joining Lowenstein Sandler in August, Ruane served for more than three years as the chief of the healthcare and government fraud unit at the U.S. Attorney's Office for the District of New Jersey. While there, Ruane supervised and directed the prosecution of more than 70 healthcare fraud cases.
Top Healthcare Fraud Issues
MARIANNE KOLBASUK MCGEE: Based on your experience working with healthcare fraud cases, what sorts of healthcare fraud are most rampant, and what emerging or new areas of healthcare fraud are you seeing?
MAUREEN RUANE: There's literally no end to the different kinds and types of fraud schemes that keep cropping up. It's difficult to identify a single emerging or new area of healthcare fraud. There are several reasons for this, including the healthcare industry itself is so large, there are so many different entities and providers that function within the industry and there are, therefore, so many different opportunities for fraud schemes to crop up and target all of the different links in the chain [involved in] the provision of healthcare.
It's critical to note that many, indeed most, in the healthcare industry are professionals. We're dedicated to doing the right thing, improving patient health and safety and helping people's lives day in and day out. That said, however, because the industry is so large and there are so many different participants in it, there are so many different opportunities for people to target private insurance companies, government insurers and various other victims, and the type of fraud schemes are so diverse.
Before I identify some specific schemes that we've seen recently, I think it's helpful to step back and just define a few terms. When we talk about healthcare, the industry itself is enormous because it includes not only pharmaceutical and medical device manufacturers, but also hospitals, groups of doctors and individual doctors. Then there's the whole range of services and products that individual doctors can order for their patients, such as blood tests and diagnostic tests, pharmaceuticals, physical therapy, home health services and durable medical equipment, just to name a few. It's difficult to quantify exactly, but the estimates are that the total healthcare spend in the U.S. each year is $3 trillion. It's also estimated that between 3 percent and 10 percent of the total spend is lost to fraud. As a result, there are lots of people who seek to have a piece of that pie, illegitimate providers or people who are maybe legitimate within the healthcare industry who seek to defraud the industry. But also [there are] those outside the system who just see it as a good opportunity to try to get dollars that they otherwise are not entitled to.
When I think about some common healthcare schemes that have come up recently, they range from fake and unlicensed individuals who purportedly treat or diagnosis real patients, or sometimes bogus patients - meaning nobody is really showing up for service but they just have a medical ID number so they're pretending to treat a patient, and then they bill government or private insurance companies for those services. Of course, the defrauding of the insurance companies is very serious. But where real patients are involved, that adds a whole second layer of seriousness because there are real risks of patient safety and concern for their safety.
I also think that there are actual doctors and other medical providers who provide unnecessary services to patients or who don't actually provide any services at all, but nonetheless bill insurance companies. We have seen recently hospitals and other facilities that use certain billing codes that reimburse the hospital at a higher rate than what would actually be appropriate, and that's done solely to increase the reimbursement that they've received from government or private health insurance companies. There have also been laboratories and other diagnostic facilities that pay cash and other things of value - basically bribes - so that the doctors will direct patients to those labs or facilities for testing and services.
A whole separate area is counterfeit products that are designed to look like actual products, are not the real thing, but they're sold or given out as if they're the real thing, and that also carries a serious risk to those who may take the products. A related problem is diverted drugs - drugs that are pulled out of the normal distribution chain either because third parties steal the drugs or insiders of companies are involved in moving the drugs outside of the chain. Then, those drugs are sold or distributed either inside or outside the chain. But what's critical is the drugs may not have been stored, kept or maintained appropriately during that time. They may have been subject to heat, which could change their effectiveness and actually make them dangerous, or the drugs may have expired but nonetheless find their way back into the chain.
One final example - it's not a new one but it certainly continues to be prevalent - is pharmaceutical or medical device representatives or companies who make false representations about the effectiveness or safety of their drugs or products in order to promote sales. That's sort of a broad view of the various different players and the various different types of schemes that are very prevalent right now in healthcare fraud.
Medical ID Theft
MCGEE: How big of an issue is medical ID theft in healthcare fraud, especially cases that involve insiders or employees at health organizations?
RUANE: Medical ID theft is a very big issue. Medical IDs are the means by which claims get submitted to insurance companies, and they're what insurance companies use to make payments. If medical IDs wind up in the hands of people who seek to commit fraud, those people have the means to bill insurance companies for services that weren't rendered or for products and drugs that weren't actually supplied. In some parts of the country, there have been businesses set up very quickly, essentially overnight, that bill government or private insurance companies using stolen medical IDs. Those entities often operate in that location only for a very short while to collect as much as they can from [insurers] based on the fraudulent claims. Then they quickly try to move on to another location where they can start again.
With regard to insiders, in many healthcare entities, insiders and employees have access to medical IDs, and while most employees do not use that information for improper purposes, there are some who may steal that information and then either use it directly to submit improper or fraudulent bills to insurance companies or they may sell those ID numbers to others so that those other third parties can then improperly bill.
Steps to Prevent Medical ID Theft
MCGEE: What steps should healthcare entities take to prevent and identify medical ID theft, including cases committed by insiders as well as cases committed by patients?
RUANE: Every healthcare entity should have effective controls that are tailored to its particular business to prevent and identify medical ID theft. In addition to having those controls in place, the entity should continually monitor and refine the controls when and if any issues come to light. Equally as important, healthcare entities should make their employees fully aware that those controls exist, that they're actively being monitored and the theft of medical IDs will not be tolerated. Companies, when they discover an issue, should take appropriate action against the employee - that may be employment consequences but also could be the referral of the matter to law enforcement.
MCGEE: When it comes to controls, what controls seem to be most effective based on what you've seen?
RUANE: It really depends on the particular business that you're talking about. Say, for example, there's an entity where employees answer phone calls from potential customers or clients and then the insider or employee needs to input information into the computer that's given to them - medical ID numbers and the like from that person. There can be in place monitoring of the phone calls to ensure that the information that's coming in is being recorded correctly in the computer on a real-time basis and that the order is placed sufficiently. There are some entities ...that take screen shots of computers to make sure that employees are at their job doing what they're supposed to be doing, and that they're at all times following the company's protocols and policies.
MCGEE: As healthcare providers across the country roll out electronic health record systems, there have been allegations that these systems can make it easier for healthcare providers, hospitals and clinicians to commit healthcare fraud by, for instance, falsely documenting the care that they provide or exaggerating it. How big of a problem do you think that is, and what can be done to prevent that kind of fraud?
RUANE: With the rollout of electronic health record systems, the incidence of fraud and the potential for fraud will continue to be a problem. Many healthcare record systems contain features that are designed to expedite accurate record making and keeping, but those same features may actually be used by fraudsters to help perpetrate their frauds. Attorney General Eric Holder and HHS Secretary Kathleen Sebelius noted that there were troubling indications that some providers were using that very technology to game the system by several different means, including cloning medical records in order to inflate what providers get paid and up-coding the intensity of care or severity of a patient's condition in order to get more money that's not commensurate with the actual care that's being given.
As a consequence, the government has really stepped up its efforts in data mining, in analyzing the actual data to look for trends, which does help identify how providers are billing, and it helps identify who the outliers are. When I say outliers, I mean if you look at the data, you can see that most providers are providing care at a certain level right within a particular population of patients, [and] you tend to see certain averages and sometimes on the high end of billing certain providers will pop out as they're providing services at a simply unreasonable rate, meaning that it couldn't be sustained. That data analysis can be used to help see where there are potential problems.
One final thing I want to note here is the rollout of electronic health records is just one example of what happens with fraud. Whenever there's a new mechanism used or a new process implemented, there will always be some folks who seek to exploit weaknesses in the mechanism or the process. Because the systems are new, those weaknesses exist for a little while, but inevitably, over time, fixes will be implemented and the problems will be addressed. But it can take a while to get there. In the meantime, the government seeks to investigate and to prosecute where appropriate the people who are using electronic health records for improper purposes.
Steps Insurers Can Take
MCGEE: What steps do you think the insurers should consider taking to prevent and address healthcare fraud?
RUANE: Most insurance companies have their own internal departments that investigate healthcare fraud. They're typically referred to as special investigation units, or SIUs. The SIUs analyze data, collect information, build cases against suspect providers and can take action against the doctors or the providers who appear to be billing incorrectly, whether intentionally or inadvertently, by either seeking to get the dollars back from the providers or by referring matters to law enforcement for investigation and/or prosecution.
The No. 1 thing that those healthcare insurance companies and SIUs should be doing to prevent and address healthcare fraud is to communicate and coordinate with each other and with law enforcement about the identified trends and suspect providers that they're looking at. It's easy to understand that no one who commits fraud is ever targeting a single insurance company. Those who commit healthcare fraud are targeting all insurers, government and private, any insurer from which they can obtain money that they're not entitled to.
Here in the district of New Jersey and in many other districts around the United States, the U.S. Attorney's Office, along with the Department of Health and Human Services, FBI, FDA and various other federal agencies, meet regularly to share information about fraud trends and to foster better collaboration and coordination between those players. There's real strength in numbers there because they can aggregate data, compare notes and, based on that sharing of information, it's often possible for prosecutors to build bigger and stronger cases against fraudsters.
MCGEE: What steps do you think consumers should consider taking to prevent becoming victims of medical ID theft and fraud?
RUANE: First, everyone should protect their medical ID numbers the same way they protect their credit card information. No one should give out their medical ID number to anyone that they don't know and trust. Second, everyone should know the government programs, in particular Medicare and Medicaid, and most, if not all, private insurers will not ever telephone beneficiaries. They won't try to sell and they won't try to endorse any particular products to beneficiaries. Third, and this one is critical, everyone should read their explanations of benefits, those sometimes long and not-so-easy-to-get-through forms that they get from their insurers. People should look at them very carefully to see if there are any charges for services that weren't received. They should look to see the date of service and make sure they were at the doctor on that day. They should look to see if there are any duplicate entries, billing twice for the same services. A good way to perform that check is if everyone keeps a calendar of their doctor's visits, and any time they go for any tests that's a good way to look back easily to check to ensure that services were rendered on the date that bills are being submitted.
Finally, if anyone knows or suspects medical fraud, there are lots of places to report it. In connection with federal programs such as Medicare, Medicaid, TRICARE and several others, you can call 1-800-HHS-TIPS; that's 1-800-447-8177. For private plans, you can either call your local FBI office or you can call your private insurance company directly.