You don’t know what you don’t know
Fraud losses in government healthcare are on the rise. U.S. healthcare has the dubious distinction of suffering the largest losses to fraud and abuse of any industry or market globally. Various estimates put the total potential losses around 20%, with 4% classified as fraud, an additional 6% as abuse and another 10% as improper payments from errors and inaccuracies. But unlike the financial industry, where most fraud is 3rd party, or the retail industry, where it is 2nd party (insider theft), healthcare fraud is mostly first party, i.e. it is committed by the providers to whom most of the payments are made.
So one would think that payers would spend more time and money on knowing everything they need to know about the providers to whom they pay anywhere from tens of thousands to tens of millions of dollars each year. Unfortunately, despite the significant fraud losses, the system continues to operate on an honor system, trusting providers both at the time of enrollment and when they submit their claims for payment.
Fraud Prevention State of Union
Until recently, most fraud prevention has relied solely on what is called the “Pay and Chase” model. Providers are enrolled based on limited verification and their claims are paid rapidly to comply with prompt payment regulations. All that is required is to be “compliant” with basic enrollment and claims submission rules respectively. On a retrospective basis, a small number of providers are audited or investigated based on customer complaints, external referrals or abnormal utilization discovered from data analysis. When fraud, abuse or improper payments are found (less than 5% of total estimated fraud is ever discovered), often an average of 2.5 years after payment, it takes months and years of additional prosecutions to achieve civil or criminal judgements and settlements. In essence, current efforts prevent less than 2% of fraud and abuse at an average ROI of 1:3.
The bigger problem with the “Pay and Chase” approach is not even how much it recovers but that it has very low deterrence value. The reason fraud is so low in the financial industry (less than 0.1% of total transaction value compared to 4% in healthcare) is that most fraud is caught within days, which not only prevents further losses but also discourages or limits fraudsters from scaling their activity. Contrast this with Medicare and Medicaid, where one of the largest fraud cases by a single enterprise (perpetrated by an Armenian gang) cost almost $163 million and was discovered more than 5 years after its inception. Most of the money has never been recovered. Wiretaps in the case recorded candid conversations in which the criminals discussed plans to launder money knowing they would be caught eventually.
Studies have shown that the recidivism rate for healthcare fraud is similar to that of other professional crimes, including other white collar crimes. Once the fraudsters (including unethical medical practitioners) have discovered the easy money in healthcare and the methods to enroll and get paid, it is hard not to continue tapping this gold mine. It is estimated that approximately 1 out of every 3 individuals suspended, prosecuted or excluded in healthcare fraud re-enters the program either directly (in another state) or indirectly through family, relatives or partners. Since the ultimate bosses in the Armenian case remain outside the country, it is highly likely they are back in with new recruits as foot soldiers!
So how much do Payers know about their providers?
Today’s profile of a typical Medicaid provider is a lot different from the 1970s and 1980s when the current system based on trust was started. More than 30% of providers are organizations such as Durable Medical Equipment Suppliers (DME), Pharmacies, Home Health Providers, Home and Community Based Services providers, Behavioral Health Providers, Laboratories and so on. In fact almost 40% of Medicaid spending goes to long term care services. This number was less than 20% just a decade ago. One does not need to go to 10 years of medical school to open these businesses and hence the blind assumption of trust may not apply. Add to that medical practitioners who are enrolled as groups and clinics that are owned by non-medical persons. Even practitioners are ultimately humans and vulnerable to the temptations of greed, substance abuse, sexual offenses or patient neglect. Multiple sampled studies including from HHS OIG and GAO have reported that more than 2% of providers and 6% of Direct Patient Access Care employees may have backgrounds that should prevent them from enrolling or providing services to Medicaid beneficiaries.
Given the enormous amounts paid to these providers, and the fraud losses associated with those payments, most people would be surprised to learn that healthcare payers know little to nothing about their providers, as evidenced by their Provider Master File (PMF). In fact, the little they do know is often inaccurate and outdated. For example, multiple studies have shown that over 20% of even basic identifying information (NPI, SSN or EIN) is missing or inaccurate, more than 30% of license data may be expired, and more than 40% of service or mailing addresses can be wrong or outdated. In the case of medical practitioners, there is no knowledge of what degrees they have or where they graduated from (it is assumed they are qualified if they have a board license), where they have practiced before, whether they have been or are currently enrolled in any other state or Medicare, or whether they have ever been disciplined or have issues in their backgrounds, from drug abuse to convictions or arrests for disqualifying offenses. Even less is known about the businesses, from ownership and managing employees to negative news to outstanding debts and liens that may indicate vulnerability to abusing the system.
The Armenian Gang Case involved 118 phony clinics in 25 states based on stolen provider identities. At its heart, the gang, based largely in Los Angeles and New York, resembled a giant identity-theft ring that stole doctors’ dates of birth and Social Security and medical license numbers and paired them up with legitimate Medicare recipients. In today’s networked world it is hard to stop identity theft. However, had the government agencies deployed advanced screening that could independently verify hundreds of data elements collected in the enrollment applications against market data, they could have discovered discrepancies and red flags and stopped these stolen identities from being used to establish new provider accounts.
Deter and Deny – A New Paradigm
Healthcare Payers need a new paradigm. Instead of “Pay and Chase” they need to move towards “Deter and Deny”. Deter and Deny starts with implementing “Front-end Fraud prevention” where risky providers are detected early potentially at the time of enrollment (a.k.a. Enhanced Screening) and monitored continuously at the first sign of risk in their evolving profile (a.k.a. Enhanced Monitoring).
Among the few bipartisan provisions under the Affordable Care Act (ACA) were those related to fraud prevention, including new provider screening and monitoring rules. Unfortunately, implementation remains slow and most payers have focused on minimum compliance rather than using the regulations as an opportunity to modernize technology and processes to achieve true front-end fraud prevention.
But Deter and Deny is achievable. Over the last decade, powerful new technologies have emerged that are changing the way risk is detected and managed. Payers can leverage Social Forms and Social Case technologies to collect, process and manage complex enrollment information more accurately and efficiently (more on this in the next blog). They can utilize advanced entity resolution techniques to automatically screen against thousands of available commercial data sources. They can leverage predictive analytics to generate red flags and a comprehensive risk score for each provider, taking into account all parties and business entities involved for each account or enrollment. Lastly, they can implement Watch List Management technologies to continuously monitor all enrolled providers and parties against hundreds of watch lists and generate automated alerts based on changes in compliance status or risk profile.
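The enrollment screening described above (verifying application fields against independent data, then raising red flags and a risk score) can be sketched as follows. This is an added example, not code from the original post: the field names, flag names, weights and sample records are assumptions constructed for illustration, while the NPI check uses the standard Luhn check digit computed over the `80840` prefix.

```python
import re
from datetime import date

WEIGHTS = {"npi_checksum": 30, "license_not_found": 40, "license_expired": 25,
           "identity_mismatch": 40, "address_mismatch": 15, "watchlist_hit": 50}  # assumed

def npi_is_valid(npi):
    """Luhn check over the '80840' prefix plus the 10-digit NPI."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def norm(text):
    """Crude matching key: lowercase, strip punctuation and whitespace."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def screen_enrollment(app, reference, watchlist, today):
    """Return (red_flags, risk_score) for one enrollment application."""
    flags = []
    if not npi_is_valid(app["npi"]):
        flags.append("npi_checksum")
    ref = reference.get(app["license_no"])   # independent license-board record
    if ref is None:
        flags.append("license_not_found")
    else:
        if ref["expires"] < today:
            flags.append("license_expired")
        if norm(ref["name"]) != norm(app["name"]) or ref["dob"] != app["dob"]:
            flags.append("identity_mismatch")
        if norm(ref["address"]) != norm(app["address"]):
            flags.append("address_mismatch")
    if (norm(app["name"]), app["dob"]) in watchlist:
        flags.append("watchlist_hit")
    return flags, sum(WEIGHTS[f] for f in flags)

# Constructed sample data (not real providers).
REFERENCE = {
    "MD-0001": {"name": "Jane Q. Example", "dob": "1970-01-01",
                "address": "10 Main St, Springfield", "expires": date(2030, 1, 1)},
    "MD-0002": {"name": "John Sample", "dob": "1965-05-05",
                "address": "5 Oak Ave, Rivertown", "expires": date(2012, 6, 30)},
}
WATCHLIST = {(norm("John Sample"), "1965-05-05")}
CLEAN = {"npi": "1234567893", "name": "Jane Q Example", "dob": "1970-01-01",
         "license_no": "MD-0001", "address": "10 Main St., Springfield"}
REUSED = dict(CLEAN, npi="1234567890", address="99 Harbor Blvd, Suite 4")
```

`REUSED` models a real practitioner's identity submitted with a different service address: the name, date of birth and license all match the reference record, so only the address discrepancy and the bad NPI check digit expose it.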
However, new technologies are only part of the solution. Payers need public-private partnerships to modernize existing processes. Payers need to allow digital collaboration with electronic signatures so that providers can submit more accurate information and keep it updated in near-time. Enrollment analysts need to use investigative case management processes to make enrollment decisions. Staff should be trained to research and triage alerts in monitoring workflows and to refer and respond in near-time. And management should use operational dashboards and heat maps to manage efficiency and effectiveness. Lastly, similar to a Claims Warehouse, payers need to consider investing in a Provider Data Warehouse that can feed all other downstream systems, including analytics and reporting.
Front-end Fraud prevention can guarantee Return on Investment (ROI) of 5-10X based on effective deterrence. Even more important it can increase the speed of enrolling good providers which Medicaid desperately needs while keeping the bad guys out. Additionally, a “Big Data” analytics approach can help Medicaid programs leverage industry intelligence data and advanced analytics to understand their Network Adequacy, Network Performance and Quality of Care.
By the way, Deter and Deny also includes transformation of back-end fraud prevention by leveraging behavioral models within predictive analysis frameworks. By contextually fusing claims data with provider data these models can score claims to help suspend or deny decisions before payment. But that is a subject for another blog!