|Home | About | Journals | Submit | Contact Us | Français|
In Texas, a supplier of durable medical equipment was found guilty of five counts of healthcare fraud due to submission of false claims to Medicare. The court sentenced the supplier to 120 months of incarceration and restitution of $1.6 million.1
Raritan Bay Medical Center agreed to pay the government $7.5 million to settle allegations that it defrauded the Medicare program, purposely inflating charges for inpatient and outpatient care, artificially obtaining outlier payments from Medicare.2
AmeriGroup Illinois, Inc., fraudulently skewed enrollment into the Medicaid HMO program by refusing to register pregnant women and discouraging registration for individuals with preexisting conditions. Under the False Claims Act and the Illinois Whistleblower Reward and Protection Act, AmeriGroup paid $144 million in damages to Illinois and the U.S. government and $190 million in civil penalties.3
In Florida, a dermatologist was sentenced to 22 years in prison, paid $3.7 million in restitution, forfeited an addition $3.7 million, and paid a $25,000 fine for performing 3,086 medically unnecessary surgeries on 865 Medicare beneficiaries.4
In Florida, a physician was sentenced to 24 months incarceration, ordered to pay $727,000 in restitution for cash payments where the physician signed blank prescriptions and certificates for medical necessity for patients he never saw.5
The U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) found that providers in 8 out of 10 audited states received an estimated total of $27.3 million in Medicaid overpayments for services claimed after beneficiaries' deaths.6
The above are some examples of fraud presented by the HHS and Department of Justice fraud and abuse report for 2007. It is projected that fraud and abuse account for between 3 to 15 percent of annual expenditures for healthcare in the United States. The National Healthcare Antifraud Association Report (March 2008) suggests that the cost ranges between 3 to 10 percent; the GAO 2008 and the Congressional Budget Office place the estimated cost at 10 percent; and the U.S. Chamber of Commerce Report places it at 15 percent.7–9 Using these data as a base, the estimated cost of fraud and abuse ranges from $100–170 billion annually.
To help combat fraud and abuse, the federal government's False Claims Act (FCA) of 1986 specifically targeted healthcare fraud and abuse. Under the FCA, the United States may sue violators for treble damages, plus $5,500–11,000 per false claim. To further fight the rising incidence of fraud and abuse, in 1993 the Attorney General announced that tracking fraud and abuse would be a top priority for the Department of Justice. In 1993 the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the Health Care Fraud and Abuse Control program (HCFAC). In 2007, HHS and the Attorney General allocated $248,459,000 to HCFAC to fight healthcare fraud and abuse.
During the time period from 1997 to 2007, HCFAC collected over $11.2 billion in fraudulent claims, $1.8 billion in 2007 alone.10 As a result of increased surveillance, HHS and OIG estimate that their efforts resulted in healthcare savings (i.e., “funds put to better use as a result of…program initiatives”) of approximately $39 billion.11
Despite federal legislation and a commitment of millions of dollars to fight fraud and abuse, research suggests that less than 5 percent of the losses from fraud and abuse are recovered annually.12 This paper will provide both a technical and working definition of fraud and abuse, identify the most common types of healthcare fraud and abuse, and provide a working model that uses data mining methods for detecting and managing (identifying and reducing) fraud and abuse.
Under HIPAA, “fraud is defined as knowingly, and willfully executes or attempts to execute a scheme…to defraud any healthcare benefit program or to obtain by means of false or fraudulent pretenses, representations, or promises any of the money or property owned by…any healthcare benefit program.”13 Abuse is most often defined in terms of acts that are inconsistent with sound medical or business practice ().14 Unlike fraud, abuse is an unintentional practice that directly or indirectly results in an overpayment to the healthcare provider. Abuse is similar to fraud, except that the investigator cannot establish the act was committed knowingly, willfully, and intentionally.15 Use of the term “intentional” is important in defining fraud and abuse and in identifying ethical or unethical action.16
Some of the most common types of fraud and abuse are misrepresentation of services with incorrect Current Procedural Terminology (CPT) codes; billing for services not rendered; altering claim forms for higher payments; falsification of information in medical record documents, such as International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM) codes and treatment histories; billing for services that were not performed or misrepresenting the types of services that were provided; billing for supplies not provided; and providing medical services that are unnecessary based on the patient's condition.
Under the above definitions, it is impossible to delineate between fraud and abuse on the basis of evaluating a single case or record. In order to prove fraud, the government must prove that the acts were performed knowingly, willfully, and intentionally. To prove fraud occurred rather than abuse, the upcoding or miscoding of an event must occur over time and across a large number of patients. For example, in the case of the Florida dermatologist noted above, fraud occurred over a period of six years, 3,086 false procedures, and 865 patients.17
While it is impossible to stop an individual who intentionally commits fraud, there are certain external and internal systems and processes that can be implemented to better detect fraud and abuse and to deter future fraud and abuse. From our review of the literature, the following four solutions to identifying and reducing fraud and abuse are suggested:
Educational training programs focused on deterring fraud and abuse must first and foremost stress the importance of appropriate documentation and coding in accurately identifying the patient's condition in order to provide timely and effective care. Accurate medical record documentation is essential not only in addressing issues of fraud and abuse but in providing patients with quality care. These educational training sessions must emphasize the accuracy of the coding in order to ensure that undercoding as a result of the physician's fearing repercussions of overcoding does not occur. One study found that undercoding was three times more likely to occur than overcoding.18,19 Training sessions should not focus on overcoding or undercoding but on providing the appropriate documentation to support the code. Documentation must be directly tied to the patient's condition and services required to treat the condition.
Evaluation and management (E&M) CPT codes seem to be one area where documentation and coding issues are prevalent. Educational and training programs focused on CPT codes should emphasize the importance of documentation to support time spent examining the patient. There are five levels of E&M coding, ranging from 99201 to 99205. Each level requires more specification in documentation to justify reimbursement levels based on the expected amount of time the physician spends with the patient to perform services required. For example, a Level 1 code (99201) is usually used for patients with minor problems, where the history and examination are focused and medical decision making is straightforward. Typically, for a Level 1 code, the physician would spend approximately 10 minutes face-to-face with the patient. For a Level 3 code (99203), the presenting problems are low to moderate in severity, and the history and examination is more detailed; however, the medical decision making is likely to be of low complexity. Here the physician would typically spend approximately 30 minutes face-to-face with the patient. To avoid charges of fraud or abuse, the physician must justify through documentation the additional 20 minutes spent in face-to-face care to receive the higher reimbursement level.
Implementation of fraud and abuse education and training programs may be facilitated through establishing corporate or staff coding committees to create standards and protocols (e.g., standard abbreviations, documentation for medical necessity). This committee would consist of a compliance officer, health information management (HIM) staff, physicians, nurses, and financial administrators. The coding committee would establish guidelines for staff concerning proper documentation for level of services provided, establish enterprise-wide training guidelines, perform audits to verify accuracy, and serve as a communication liaison between coders and organizational administration. The coding committee would facilitate site review of training programs focused on teaching ethical principles (such as a code of ethics) and values to providers, staff, and healthcare administrators.
In addition to establishing a coding committee, it is important to bring in external experts to provide an unbiased evaluation of guidelines and processes. Training grassroots coders through externally sponsored programs also allows HIM coders to better identify gaps in documentation related to appropriate codes. One such program is AHIMA's sponsorship of coding round tables that bring together coders from across the nation for discussion specifically focused on fraud and abuse.
Computer-assisted coding is defined as “the use of computer software that automatically generates a set of medical codes for review, validation, and use based upon clinical documentation of the healthcare practitioner.”20 CAC tools are based on natural-language processing algorithms that automate the assignment of codes (ICD-9-CM, CPT, and Healthcare Common Procedural Coding System [HCPCS]) from clinical documentation provided by clinical staff. Currently, there are two key financial issues driving CAC adoption: 1) healthcare reimbursement and 2) compliance with anti–fraud and abuse regulations. CAC provides healthcare organizations and providers with a mechanism to reduce potential issues of fraud and abuse in medical coding. Building upon a health information technology platform, certified CAC software provides coding that is based upon standard coding principles and guidelines.21 CAC software provides prompts and decision-support tools that assist healthcare entities and providers in completing accurate and timely supportive documentation required for specified levels of care. The implementation of CAC within the healthcare environment fosters system integrity through increased compliance with identified standards and protocols, further reducing miscoded claim submissions. Current innovations in CAC now include software that can read free text, extract information from the record, and assign the appropriate code. CAC software can be used to create an audit trail that will provide postpayment audits to detect coding errors and fraudulent practices over time.
One of the most effective ways of controlling fraud and abuse is through reinforcement of federal penalties. In 2007, HHS and OIG committed approximately $248 million in the fight against fraud and abuse. This unprecedented effort resulted in a significant increase in the number of cases prosecuted, amount of money recovered, and the dollar amount of claims filed. In 2007, the U.S. Attorney's Office opened 878 new criminal fraud investigations and filed 434 new cases. During fiscal year 2007, 560 defendants were convicted of healthcare fraud related crimes. To put this in perspective, during 1988 and 2000, the federal government recovered approximately $2 billion from healthcare providers who committed fraud. In 2007, the federal government recovered slightly over $1.8 billion from healthcare providers who committed fraud. Interestingly, during the investigatory phase of the Medicare Fraud Strike Force (March 1 through September 30, 2007) submitted claims to Medicare dropped $1.2 billion from $1.87 billion to $661 million during March 1 through September 30, 2006. Furthermore, claims paid from March 1 through September 30, 2007, dropped from $485 million to $230 million over the same seven-month period during 2006.22
As noted above, fraud and abuse often involves multiple actors committing subtle acts over a long period of time. Fraud often involves complex patterns of very minute indicators collected over a long period of time. In a modern claims environment, with petabyte databases and limited resources for analyzing them, detecting these patterns is extremely difficult. Thus, fraud detection is usually managed by very experienced investigators who concentrate only on the largest cases because of resource constraints. Even so, most of these cases come to light only because the offender becomes greedy or makes a mistake or due to coincidence.
Data modeling and mining techniques are perhaps the most valuable tool the organization can utilize in detecting fraud and abuse. Data modeling and mining techniques can be used to identify both consumer fraud and provider fraud. Both types of fraud can cost healthcare organizations millions of dollars each year. The advancement of data mining and machine-learning programs gives healthcare organizations and providers the ability to predict potential fraud and abuse. Automated data mining technologies allow the organization to gain valuable insights and to detect patterns within data without predetermined bias. Statistical algorithms can be used to identify general trends or patterns of suspicious transactions in healthcare data sets.
In order to better explain the use of data mining and machine learning technologies in understanding fraud and abuse, the following example is offered. For purposes of this paper, we will focus on consumer fraud and abuse rather than provider fraud and abuse. Provider fraud and abuse is extremely complicated and involves numerous variables related to CPT codes, time, documentation patterns, and multiple stakeholders. This type of analysis is beyond the scope of this paper, which aims to provide a simple explanation of how data mining and modeling algorithms can be used to identify patterns of fraud and abuse.
Given the complexity of the problem and the challenge at hand, most payers have historically used a “threshold” approach to claims review and fraud detection in which a claim or payee gets referred for review when the dollar amount or number claimed exceeds a certain threshold that has been historically observed to correlate with fraud and abuse. This is a blunt instrument: a great deal of fraud and abuse cases are too small to trigger these thresholds, many legitimate claims that are simply large are reviewed unnecessarily, and most fraud occurs over long time periods. As a result, only a small portion of fraud is actually detected (3 to 5 percent), and it is typically detected late in the cycle, resulting in only a small recovery and wasted resources that could have been used to provide care.
Data mining techniques have allowed payers to use more sophisticated techniques such as data mining, reporting, and rules engines for fraud and abuse detection. An effective automated review and detection system has three key components: 1) a data curation (organization) component, 2) an algorithmic component, and 3) an implementation process.
The first component, data curation, is focused on the development of appropriate data standards and methodologies. These include identifying source data for study and structuring data for analysis, as well as data cleaning and normalization. Issues faced in curation include the following: Where do I source my study data? Is it an appropriate representation of my population? Do I have the appropriate data elements, and do I have enough resources to collect additional elements if I need them? How do I go about cleaning entry errors? Are my outcomes properly described in my data? One of the greatest challenges in curating data for data mining is semantic normalization. If I have an orange sphere, it can be a fruit, a tennis ball, or a candy (among other things), so which is it? The best way to approach data curation is to begin a dialogue with the acknowledged domain experts, such as the investigators, to better understand what constitutes a discrete outcome, what elements constitute it, and what constitutes “success” in terms of detection. All of these should be clearly and extensively documented into a data specification, which can be based upon existing data documentation or created from scratch.
The second component, data mining and classification algorithms, requires the input of experts in data mining and statistics. Many methods can be used to develop an algorithm or set of rules for detecting fraud and abuse: Bayesian belief networks, neural networks, fuzzy logic, genetic algorithms, logistic regression, and others. People often have strong views about which method is appropriate, and entire books have been dedicated to this topic. Rather than recommend a method or algorithmic approach, we will suggest some criteria that should be considered when selecting a methodology. First, is the method appropriate to your data? Different types of algorithms are suited to different types of problems. Is your problem set linear or nonlinear? Is the outcome discrete or continuous? Second, you need to identify a method you are comfortable with. To use and trust one of these complex technologies, you must have a basic understanding of it. Different methods have different degrees of transparency—the more transparent a method, the easier it is to “gut check” the result. Third, will the method scale? You need to ensure that the method and technology you select can scale to the amount of data you will be examining. Methodology selection needs to be considered in a thoughtful and open-minded way.
The third and final component is implementation and deployment. Proper implementation and deployment consists of four critical elements: validation, system implementation, maintenance, and policy. Validation methodologies are used to ensure data are robust. These methodologies include cross-validation, interset validation, and prospective study. Implementation refers to the systems, manual or automated, that will be used to reduce the findings to practice. Implementation of coding or rules needs to be engineered and documented, with attention paid to the current workflow and with the goal of improving the workflow. Systems that derive rules from large, complex systems are already dated the moment they are turned on. This is particularly true of systems designed to detect fraud and abuse, where an adversary is actively seeking to evade detection. It is important to have a plan to maintain the system and periodically update the logic and revalidate the system's efficacy. Finally, policy is an often overlooked element of system implementation and deployment. The same rule can often be applied in many different ways: to optimize detection, minimize false positives, or maximize accuracy. The correct implementation is a function of the relative cost (monetary and otherwise) of fraud and abuse, investigation, and false positives. While data mining can dramatically improve detection, management still has to decide what the “optimal” outcome should be so that the system can be properly tuned. Algorithms do not absolve us from decision making.
To illustrate the principles discussed above, we have developed a system using one of the data mining methods discussed above: Bayesian belief networks. This example uses artificial data since actual data has many legal and policy constraints on disclosure, and it provides a simple but easily understandable approximation of a payer environment. In our example, the algorithm is built using a simplified data set that has a selection of inpatient and outpatient diagnoses, treatment intervals, information about changing physicians, total claims, comorbidities, and our outcome of interest—fraud.
To begin with, let us briefly discuss our data mining methodology. A Bayesian belief network (BBN) is a directed, acyclic graph of conditional dependence. A BBN allows us to estimate the likelihood of a given outcome of interest given prior knowledge. Further, the manner in which this estimate is derived is through a directed (structured) network of conditional dependence (joint probability) that actually provides us with a hierarchy of information: if I want to estimate the likelihood of A, the most useful pieces of a priori knowledge are C, D, and L. This allows us to be efficient and only use those pieces of information that are most useful in solving the problem at hand. The BBN discussed in this example was constructed using machine learning, meaning that a computer algorithm was used to study a data set of prior evidence in order to discover the optimal structure of the BBN. Machine learning is a highly efficient method to discover rule sets in highly complex, otherwise impenetrable data sets.
The network in Figure Figure11 represents our example data set. We can learn several things just from the network structure itself. For example, if we want to detect fraud in our study population, the four most important factors are whether the enrollee has changed clinicians between visits, what the diagnosis is at the third outpatient visit, what the interval between second and third outpatient visits is, and what the interval between the first and second inpatient visits is.
Having observed the information structure of our population, we can dig deeper to begin to understand the evidence underlying the model and derive the rule sets that predict fraud. Figure Figure22 shows, with the network nodes expanded to histograms, the reference distributions of our study population. We can observe, for instance, that about 10 percent of enrollees have been involved in some type of fraud, while only about 11 percent of enrollees have changed physicians. These two features are conditionally dependent—but how do they impact one another?
In Figure Figure3,3, we input evidence into our network to understand its impact on the posterior probabilities of other features in our network. In this instance, we now know (100 percent probability) that the enrollee in question has not used the same physician for all visits. The posterior probability of fraud is now about 79 percent (compared to about 10 percent in the overall population). In addition, if we reverse the evidence and ask how many enrollees committing fraud change physicians, the answer is an estimated 90 percent. From this we can draw an inference: 79 percent of enrollees who changed physicians commit fraud, and 90 percent of enrollees who commit fraud change physicians.
Figure Figure44 provides data only on those who committed fraud. This provides a direct examination of characteristics of those who commit fraud. Here, we find that on the third visit (63.07%) the patient who committed fraud saw a different physician (90.2 percent). Furthermore, the visit was for pain (63.07 percent).
However, the BBN is a nonlinear model, meaning it can represent complex relationships that may have multiple solutions. In Figure Figure5,5, we examine the likelihood of fraud if a patient changes physicians but only has a single inpatient and two outpatient visits. In this case, the posterior probability of fraud drops to about 39 percent, still significantly more than the general population but significantly lower than the 79 percent estimate we receive with only the one piece of evidence.
The models allow us to codify large rule sets. For example, if we take only the four nodes most closely associated with fraud in this model and run an inference table (a table representing all possible combinations), the total number of potential rules is 216, even from this relatively simply network. Since that is too many rules to discuss here, we have selected a discrete example in Table Table1,1, Table Table2,2, and Table Table3.3. In these tables, we select only two rules, where we examine an enrollee with short encounter intervals for injury—which typically has a low likelihood of fraud and abuse. However, if the enrollee changes physicians during the course of treatment, the probability of fraud increases to 53 percent. If we increase the outpatient interval to 180 days, however, the likelihood of fraud decreases to about 21 percent, perhaps reflecting that if you return to the same hospital six months later you are likely to be assigned a different attending physician.
The examination of these rules brings us to the policy question. At what predicted probability of fraud do we take action? This is a significant question because the probability threshold we select will impact whether the system is optimized toward sensitivity (detection) or specificity (accuracy). Figure Figure66 shows a receiver operating characteristic (ROC) curve for our fraud model. By examining Figure Figure66 and focusing on the crosshairs, we see that using a threshold of 12.6 percent provides a sensitivity of almost 70 percent, detecting more than two-thirds of all fraud; however, our accuracy is poor (19 percent false positives), and we get two false positives for each real case of fraud we detect. In Figure Figure7,7, we select a threshold of 40 percent and optimize toward accuracy (1 percent false positives) with very few false positives, but we only detect 60 percent of fraud. Does the value of detecting the incremental 10 percent of fraud pay for the cost of reviewing large numbers of false positives?
Finally, once our network is developed, validated, and optimized, we can deploy our rule sets, either by using the classifier in real time through batch inference or by selecting specific rule sets for implantation in systems or workflow.
A major concern physicians have in the use of data modeling and mining techniques is that they will be unfairly accused of fraud. A primary advantage of the data mining approach is that the resulting algorithms can be tested, validated, and optimized to an optimal level of sensitivity and specificity that will exclude patterns of normal use. Educating physicians to understand that data modeling and mining will help alleviate suspicion of fraud and abuse should go a long way to addressing their concerns.
In order to adequately address issues of fraud and abuse, responsibility, ownership, and consequences for actions must cross the continuum at the individual physician, healthcare provider, organizational, and federal levels. Providers as well as consumers must be committed to providing appropriate documentation to address abuse issues and take a moral and ethical stand against fraud in the healthcare environment. This may mean taking advantage of the FCA whistleblower laws to identify fraudulent claims to the appropriate federal authorities. Healthcare providers and organizations must invest in offering education and training programs, creating coding and fraud and abuse committees, and utilizing data mining and modeling software. Finally, the federal government must be diligent in prosecuting providers, healthcare organizations, manufacturers/retailers, and individuals who commit fraud and abuse in an organized and systematic manner.
William J Rudman, University of Mississippi Medical Center in Jackson, MS.
John S Eberhardt, DecisionQ Corporation in Washington, DC.
William Pierce, University of Mississippi Medical Center and works in the Center for Health Informatics and Patient Safety at the Mississippi Institute for the Improvement of Geographic and Minority Health in Jackson, MS.
Susan Hart-Hester, Department of Family Medicine of the School of Medicine at the University of Mississippi Medical Center in Jackson, MS, and the director of the Center for Health Informatics and Patient Safety at the Mississippi Institute for the Improvement of Geographic and Minority Health in Jackson, MS.