Prevention is Better than Cure: Protect Your Medical Identity
Center for Program Integrity
Centers for Medicare & Medicaid Services
Shantanu Agrawal, MD, MPhil
Medical Director
Center for Program Integrity Mission and Vision
The central purpose and role of the Center for Program Integrity is to ensure that correct payments are made to legitimate
providers for covered appropriate and reasonable services for eligible beneficiaries of the Medicare and Medicaid programs.
Mission
Over its first three years, the Center for Program Integrity has become an organization within CMS that uses state-of-the-art methods to prevent and detect fraud and to reduce waste, abuse, and other improper payments under the Medicare and
Vision
Billing for services or supplies that were not provided
Program Integrity encompasses a range of activities to target the causes of improper and fraudulent payments:
Intentional Deception Bending the
rules Inefficiencies
Mistakes
Range of Program Integrity activities
Examples: incorrect coding
Medically unnecessary service
Improper billing practice (e.g., up-coding)
Error Waste Abuse Fraud
Definition of medical identity theft
Medical identity theft is the appropriation or misuse of a patient’s or physician’s unique medical identifying
information to obtain or bill public or private payers for fraudulent medical goods or services
• Physicians/providers: National Provider Identifier (NPI), Tax Identification Number (TIN), medical licensure
• Patients: Health Insurance Claim Number (HICN),
insurance ID card
Scope of the issue
• Both FTC and HHS/CMS track cases of medical identity theft of providers and patients
• Latest FTC data shows that over 3,600 physician and patient cases were reported in 2009 – with over 12,000 cases between 2007-2009
• Much medical identity theft may go un- or under-
reported: 32% of thefts were discovered over 1 year
after they occurred
CMS/CPI Compromised Numbers Database
Currently, CMS is aware of:
• 5,000 compromised Medicare provider
numbers (Parts A/B/D)
• 284,000 compromised beneficiary numbers
We are working to improve risk stratification and
categorization of numbers as victim or perpetrator
• Proactive data analysis by CPI and contractors
• Beneficiaries complaints of suspect billing on Medicare Summary Notices
• Physician complaints, such as from utilization reports
• Interviews of physicians, suppliers, and beneficiaries
• Law enforcement investigations
• Reporting from other CMS programs
Geographic distribution of compromised
physician identifiers
How stolen physician identities are used
• Fraudster bills directly for
services in the physician’s name
• As if the services are being
rendered/performed by the victim, including oversight of MLPs
• Examples: billings include professional services or E&M
• Results in financial harm to the physician and potentially
generates overpayments
• Physician’s information used to order or refer for services
• Examples: laboratory analyses, diagnostic testing, durable
medical equipment
• Fraudster bills for services by
appropriating the stolen identity to authorize payment of a claim
• This approach is difficult to
detect; does not generally lead to financial harm to the physician
Performing Ordering/Referring
Consequences beyond healthcare dollars
Physicians
• Impacts all utilization reviews such as comparative billing reports, quality measurement and reporting
• Financial or tax liabilities from fraudulent billing
• Accountability for care or services they did not provide
Patients
• Increases in co-pays or insurance costs
• Inability to get coverage or services which duplicate fraudulent billing
• Safety may be placed at risk through alteration of the
medical record
Major categories of risk for physician medical identity theft
• Based on cases and fraud investigations, the
leading risk factor is complicity in fraud schemes, especially when the scheme expands or the
physician attempts to leave it
• ―Structural factors‖ impacting all physicians
• Individual choices about the use and dispersion of
medical identifiers
Risks: examples of structural factors
Culture of transparency
Public
availability
Convenience items
Standard processes
Risks: purposeful dispersion
• Number and complexity of individuals and
organizations to whom physicians make their unique identifiers available
• Examples: physicians working with multiple
organizations, reassignment of medical identities to a larger group for billing purposes, divulging identifiers to staff, having mid-level providers bill in their names
• Purposeful distribution of information is often the
biggest determinant of an identity being compromised
Physicians too frequently allow identity misuse by others
• Physicians are often asked to certify the medical necessity of services or supplies billed by another supplier or provider
• Physicians too often fail to assess medical necessity and simply certify documents – allowing fraudulent or abusive billing
• This can even be done retrospectively
• Contributing factors: poor compliance strategies, paperwork burden, desire to please patients, conflict avoidance, perceived lack of harm
• Physicians can be held liable for these actions even without
evidence of other fraud (e.g., kickbacks)
Examples of common issues
• Signing referrals without knowledge of who the beneficiary is
• Signing certifications for known beneficiaries but without medical necessity for services or supplies
• Signing certifications despite the physician’s own documentation disputing medical necessity
• Signing certifications for services or supplies beyond what is medically necessary or what will benefit the patient
• Signing blank referral forms
• Signing requests for the same services or supplies sent to
numerous physicians
Beneficiary Risk Factors
Card sharing is a common beneficiary medical identity theft risk factor
• 26% of surveyed respondents admitted sharing their medical identifiers
• Respondents were most likely to share with family members
• Cards were shared because family members had
no insurance or could not afford needed treatment
Risk mitigation education: control of medical identifiers
• Greater control through cultural change around the dispersion of medical identifiers and awareness of personal choice
• Avoid giving medical identifiers to potential employers or organizations before appropriate due diligence
• Train staff on appropriate use and distribution of identifiers including when not to distribute
• Control prescription pads and other documents
• IT security
Risk mitigation education: collaboration with payers and patients
• Work with payers and patients, who have interests aligned with you
• Update payers on any material enrollment change including changes in practice locations, especially when opening, closing, or moving practice locations
• For Medicare, periodically the Provider Enrollment, Chain, and Ownership System (PECOS) record
• Educate patients, leverage Explanation of Benefits
statements (Medicare Summary Notice), gain input
Risk mitigation education: compliance
• Strengthen compliance activities to minimize risk and improve overall program integrity
• Be aware of billings and revenues, particularly by organizations to which your have reassigned your billing privileges
• Monitor mid-level provider activities and charting
• Report fraud: inform public/private payers and the FTC, file a police report, place a fraud alert on credit reports
• Hotlines: 1-800-Medicare, 1-800-HHS-TIPS
Identity theft legislative responses
• Legislation has provided legal mechanisms for ensuring the privacy and security of medical identity and protected health information
• Health Insurance Portability and Accountability Act of 1996 (HIPAA): created transactional security requirements for the exchange of certain health information and regulated its
disclosure
• Health Information Technology for Economic and Clinical Health Act (HITECH): expanded HIPAA by requiring
notification of victims of data breaches of unsecured
protected health information held by HIPAA-covered entities
and vendors of personal health records
National Fraud Prevention Program facilitates identity theft prevention and detection
Provider Screening (Enrollment) Predictive
Analytics
(Claims)
Provider screening
Provider Screening (Enrollment) Predictive
Analytics (Claims)
Two major components of provider screening
• Automated Provider Screening
• PECOS enhancements
Overall goals
• Facilitate entry of good actors
• Prevent entry and removal of
bad actors
Historical Enrollment Screening Issues
Fraudulent Providers and Suppliers have exploited the Medicare enrollment system
• Able to register with stolen medical identities
• Able to register phony addresses
• Able to re-enter after being revoked
• Able to stay in the local systems without being in the
national system
Automated Provider Screening
CPI launched the Automated Provider Screening (APS) system on December 31, 2011
APS functions:
• Validate data received from providers on enrollment applications against referential data
• Continuously monitor enrollment data for changes in status
• Identify applications of providers that pose an elevated risk based on specific indicators
• Assign a risk score to each provider that integrates with the
Fraud Prevention System
Examples of APS Data Checks
• Identity verification conducted on Health Care Organization and Commercial data for both individuals and organizations
• Licensure/Accreditation checks for individual providers
• Criminal history for both individuals and organizations
• Sanction status and history for both individuals and organizations
• NPI deactivation status
• Death
• Address verification and Geospatial markers
We Are Focused On Making Improvements to Enrollment
Legitimate providers and suppliers are seeing major improvements in the Medicare Enrollment System
• Process faster: anticipate 2/3 reduction in time
• Process user-friendly: on-line enrollment
• Process reliable: all enrollees in same system, all
information up to date
Enhanced enrollment will provide information for use far beyond CPI
• Verify provider and supplier identity
• Verify specialty, expertise, and credentialing
• Verify specific location(s) of practice
• Verify relationships between providers, beneficiaries, and related entities
• Improved security for CMS systems (Medicare and Medicaid)
• Measurement of micro- and macro- patterns of beneficiary care and healthcare utilization
• Applications: quality reporting and measurement,
accountable care,
understanding episodes of
care, telemedicine
Process changes to prevent ID theft and protect provider enrollments
• MACs have been instructed to contact the provider in the original enrollment record prior to adding a new PTAN to the enrollment
• Greater care is being taken to revoke only illegitimate PTANs, allowing providers to continue billing through legitimate PTANs
• Provider revalidation will close vulnerable or misused PTANS (e.g., locum tenens billing)
• Remote identity proofing for online PECOS access and
provider notification about changes
Proactive detection of ID theft
Provider Screening (Enrollment) Predictive
Analytics (Claims)
• Identity theft analytics have been incorporated into our predictive modeling system (FPS)
• Beneficiary complaints are being leveraged regularly for analytics and risk assessment
• Working on other models which can identify potential ID theft cases for investigation and
possible incorporation into FPS
Remediation process for victims
CPI has developed a new process to determine and validate whether a provider has been the victim of identity theft and to absolve related debts
1. Each Zone Program Integrity Contractor (ZPIC) has named a point of contact to work with provider victims
2. The ZPIC will investigate and develop a case on the provider
3. The ZPIC will forward the case to CMS/CPI for a decision on whether the overpayment should be waived
4. If CPI is able to determine that ID theft occurred, associated debt will be recalled from the MAC
5. If CPI is unable to determine that ID theft
occurred, the ZPIC shall advise the provider that the appeals process may be used as an
Report It!
Victims of medical identity theft should report it to:
• Local law enforcement service
• State Medicaid agency (SMA) where you practice
• FTC
• HHS-OIG
• Health and Human Services regional office
Contacts
• SMA—Visit
https://www.cms.gov/FraudAbuseforConsumers/Downloads/smafraudcontacts.pdf on the CMS website. Click on the state where you practice for the appropriate contact information, and then notify the agency.
• FTC—Contact the FTC’s Identity Theft Hotline to report misuse of your personal information
Phone: 1-877-438-4338 (1-877-ID-THEFT) TTY #: 1-866-653-4261
Website: http://www.ftc.gov/bcp/edu/microsites/idtheft/
• HHS-OIG Hotline and report suspected fraud:
Phone: 1-800-447-8477 (1-800-HHS-TIPS) TTY #: 1-800-377-4950
Fax #: 1-800-223-8164
E-mail: HHSTips@oig.hhs.gov
Website: http://oig.hhs.gov/fraud/report-fraud/index.asp