Scams, Frauds, and Audits
Get Out-Of-Pocket in your email
Yeah I dunno I think we’re in a golden age of fraud in healthcare. The government has optimized for speed of giving money out in order to combat the COVID crisis, so they’ve made rules that work generally but also lead to some interesting edge cases.
The dollars are being sent out with very little oversight by the government, especially in healthcare. When it came to buying PPE, there were insane stories of millions of dollars in checks being handwritten by State agencies and transacted in the parking lots of McDonalds. Hospitals with billions in cash reserves that have basically seen no COVID patients are getting stacks of government cash. The government mandating insurers to pay all costs of lab testing has unsurprisingly led to labs price gouging the shit out of them.
Insurers have paid Gibson Diagnostic Labs as much as $2,315 for individual coronavirus tests. In a couple of cases, the price rose as high as $6,946 when the lab said it mistakenly charged patients three times the base rate…
In a statement last week, the company said the $2,315 price was the result of “human error” that occurred when a billing department employee entered the wrong price into an internal system. It billed 117 tests at that price, and had 23 of the claims paid in full. Some insurers paid partial reimbursements or sent back no money at all.
Lol ok. For some reason they only see to mess up charging when it’s going up in price. Crazy how it be like that.
With lack of oversight over where dollars are going, I’m sure right now we’re seeing a ton of wasteful spending and fraud yet to be uncovered. It highlights also why fraud is so rampant in healthcare.
- No single entity feels the dollar ramifications of fraud since it gets passed on to a different entity (usually ending with the patient paying indirectly).
- The lack of data standardization and accessibility means it’s difficult to figure out when there’s something anomalous happening. Plus the AMOUNT of data is so large in many cases a (usually overworked) human is not going to catch issues all the time.
- There’s a huge information asymmetry. Patients are going TO healthcare professionals for advice on what to do. So it’s much easier to convince patient to get unnecessary things since most don’t understand what the “right” answer is or when something seems off.
- The government is a massive spender and lacks the resources needed to properly monitor how dollars are being spent.
The GAO estimates that improper government payments alone was $151B. That’s more than 10% of Medicare + Medicaid spend. Not only do I think $151B a lowball on the payments anyway, but that doesn’t include the improper payments and fraud in the commercial insurance space.
It feels like there’s a big opportunity to make the auditing process better. Below are some places fraud comes to mind. It’s worth noting that there is a line between “waste” and “fraud”, but I’d guess finding ways to better monitor the former will lead to a reduction of the latter. Where there’s smoke, there’s a Fyre Festival.
Area 1: Research Data and Peer Review
When hydroxychloroquine (HCQ) was the main topic of conversation amongst the cool kids, a study came out in the Lancet that suggested patients taking HCQ were more likely to die in the hospital. Many of the HCQ studies subsequently ended up pausing recruitment.
But turns out the underlying data behind the original study was likely fabricated! A company called Surgisphere seemed to provide data across 671 hospitals, 6 continents, and included nearly 15,000 patients for the study. But people started noticing weird things about the data, like the fact that doses in North America were higher than traditional guidelines.
Eventually the study was retracted, along with several other studies that used data from Surgisphere, but the damage was already done. There are still a lot of questions about how a study like this could possibly pass peer-review, especially since everyone knew how massive the impact of these results would be.
My take is that peer-review is good for understanding the results and interpretation of data, but is not designed to catch outright fraud. Going through that much data, following up with hospitals to see if they participated, checking to see when data was accessed and when the databases were locked, noticing when data is omitted, etc. There are a lot of steps that frankly many peer-reviewers are not paid enough (in social currency) to do.
But I do think this is something software can do! There are projects and companies doing this like GRIM, but I think there’s actually more opportunity here.
In fact…this is what the founder of Surgisphere said himself lmaooooo. There are just some ironies you can’t make up.
Dr. Desai founded [Surgisphere] in April 2008 while he was a surgery resident at Duke University School of Medicine…
In 2015, Dr. Desai was the corresponding author on a paper about the potential for fraud in medical publications. “While peer-review may be an effective way to judge the scientific relevance of the article, whether it is an effective method for detecting fraud is doubtful, particularly since most peer-reviewers do not see the raw data or review high resolution images to evaluate for image manipulation,” it said.
This man really took his own advice to heart.
Maybe primary data should be exposed to a third-party dedicated to checking the veracity of it (a la. TurnItIn for plagiarism).
Or similar to how the tech world has white hat hackers which find bugs for bounties, there could be something similar sponsored by journals or even government institutions that set bounties for finding these issues. This article about people that police research and trials in their free time is an interesting read about their process and findings so far, but it’s clearly uncoordinated/motivated by altruism.
I’d be interested in seeing more software dedicated to better auditing data quality in research, clinical trials, etc.
Area 2: Lab Testing
Theranos really did the lab testing space no favors when it comes to fraud. But the lab space seems to have quite a bit of other types of fraud in it. I’d guess there’s a few reasons why lab testing is fraud prone:
- Labs tend to be high volume and low cost, which makes it hard/not worthwhile to actually police any individual transactions.
- Extra lab testing will get “bundled in” to actually necessary testing, making it hard to separate what’s needed vs. what’s not.
- The financial connections between the prescribers of tests and the labs themselves are murky and often hard to track.
- Many patients already push for tests even if they don’t need them, since patients think the test might catch a disease that would be undetected
- As with anything in healthcare, price variation between labs is large (especially across state lines).
One massive fraud that’s recently unraveled was EmpowerHMS, which claimed to save rural hospitals by getting them more $ from lab testing. Rural hospitals can get reimbursed at higher rates for lab tests, which was designed to help these hospitals in underserved areas stay afloat. Jorge Perez realized he could just say labs were being run at these rural hospitals (when they were actually done in cities) and then charge more for them. Insurers figured this one out, but it was $1.4B later and half of the rural hospital bankruptcies in the US in 2019 were involved in this fraud.
A few years prior Millennium Health agreed to a $256M fraud settlement where they coerced physicians to order the entire gamut of tests regardless of whether it was medically necessary or not, and only run those tests at Millennium. Whistleblowers eventually alerted the government of this fraud.
Detection of fraud and scams needs to happen in two places. One is understanding the conditions in which a doctor chooses to order tests and whether it makes sense given the patient’s history and diagnoses. The second is understanding where labs source their samples from and the context in which those specimens were sourced. Whistleblower programs and insurers analyzing their claims seem to work in some capacity, but would there have been a way to identify these frauds earlier? Maybe registries could play a role in detecting this anomalous behavior earlier.
Area 3: Clinical Decision Support
Clinical Decision Support (CDS) tools are pop-up ads, but good. Just kidding…sort of.
These are tools that usually surface relevant patient information to a physician or alert the physician of something when looking at a patient record, filling out an order form, etc. For example, some tools might alert a physician that a certain lab test has already been ordered (which might be on purpose if they’re participating in a scam)
The alerts are usually based on some evidence-based guidelines around how to treat a disease or when a patient should be screened. But…how do we KNOW that the alerts are actually following guidelines?
PracticeFusion showed us how shady this can get. The company worked with pharma companies who could “sponsor” and have a say in the guidelines and criteria around how these alerts were presented to physicians. This included opioid manufacturers, and PracticeFusion took that money to increase CDS alerts that would result in more opioids prescribed. Eventually PracticeFusion was fined $145M in total for a host of things, including $26M in criminal fines and forfeiture.
It feels like there should be a better way to audit this to make sure CDS tools are generally following guidelines. For one, there should be more transparency around how CDS tools make decisions around surfacing alerts. At the end of the day it’s up to physicians to listen to these alerts or not, but they should understand where the rationale is coming from. But providers themselves also choose and customize a lot of the workflows in these tools to make their lives easier, and unfortunately not every doctor is a saint either.
There’s probably better ways to externally conduct audits of these tools. Maybe it’s audits through screen monitoring that flag new alerts, maybe it’s looking at changes in practice behavior over time, etc.
Area 4: Literally anything in Medicare
Medicare is that one friend that somehow keeps getting involved in multi-level marketing schemes. You’re honestly just impressed at this point at how the ways in which they get scammed.
Just a handful of examples:
Non-medical professionals getting multiple NPI numbers.
NPIs (National Provider Identifier) are the identifiers providers use to get paid from payers. According to the Centers for Medicare & Medicaid Services
“The NPI is a unique identification number for covered health care providers…The NPI is a 10-position, intelligence-free numeric identifier (10-digit number).”
Except when non-medical professionals can get them because there are no background checks. And they can get multiple of them to throw you off the scent. This story about a personal trainer getting NPIs and billing for medical services for years is so brazen I’m in awe.
In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor…Then Williams turned to another NPI number, records show, and continued submitting claims to United.
Guess the NPI really is intelligence-free.
If a scammer infiltrated the government to create a policy that looked well-intentioned but also an ideal place to scam taxpayers out of billions, it would look like risk-adjustment.
The idea behind risk-adjustment is to pay insurers and providers more for taking care of sicker people. Especially in an area like Medicare Advantage, where insurers are paid a flat $ per head by the government to take care of Medicare enrollees, you can see how they’d want to just take the healthy people. Risk-adjustment is a methodology used to incentivize them to take care of sicker people.
When I explain this to someone, a frequent question is “wouldn’t they try to make all of their members look sicker then?” Well la di da, look who’s the smarty pants. But yes.
To give a sense of the scale in 2018 $210B risk-adjustment dollars were paid out. The Office of the Inspector General estimated that $2.7B of those dollars couldn’t even be tied to any actual service provided, they just…sorta said they were sicker.
There is some dubious and occasionally fraudulent behavior that happens here.
- Patients will get coded for more severe diseases so that they look sicker than they probably are. This is called upcoding, and is also the reason relying on Medicare claims as a data source is tricky.
- Running more tests and screening on patient is likely to find something that would make a patient look sick, even if they maybe didn’t need it. This is especially bad with the Medicare population that’s already typically worried about developing diseases.
- Many insurers will hire a third-party to do “chart reviews” to make sure that patients level of severity is being reported accurately. 99% of chart reviews result in making patient submissions more sick, sometime the chart reviewers will “mysteriously” not see the adjustments where a patient was actually more healthy.
It’s worth noting that most of risk-adjustment is not fraudulent. It’s a way for overworked providers who didn’t do 100% of documentation to get dollars they probably were owed. But would I guess there was lots of waste and potentially fraud here? Yes.
With telemedicine becoming more and more ubiquitous (hopefully permanently), we’ll need to be wary of the ever increasing telemedicine frauds. This manifests in companies calling Medicare beneficiaries, asking them if they want a test or some equipment, calling that a telemedicine visit and then billing Medicare. This article outlines just some of the scams. One peddled durable medical equipment to the tune of $1.2B, and recently one was found to be a $2.1B scam for cancer testing. These aren’t small numbers.
Waiving Cost Sharing
This happens across all types of insurance but particularly for Medicare beneficiaries. Sometimes providers will agree to waive things like your co-payment or deductibles. Then they’ll charge your insurance for the rest of the portion of the visit (which is most of the dollars they get paid). The purpose of co-pays and deductibles is to dissuade patients from getting unnecessary care, so a provider covering that for you is illegal.
This also happens in the pharmacy world too, where drug companies will cover the Medicare patients co-pays for prescriptions so patients will continue to purchase their drug. Pfizer recently settled a lawsuit where they funded a foundation that helped pay for patients co-pays. Wait so did Regeneron. Wait so did Astellas. Wait so did United Therapeutics. Wait so did Actelion. I’m sure it’s fine now.
The greatest trick the healthcare devil ever pulled is convincing patients their out-of-pocket costs are the only costs they pay.
I think we have yet to uncover some truly massive, Bernie Madoff level fraud or some LIBOR Scandal level of coordination happening right now.
While researching this, the clear reality is that no one actually has a true incentive to root out fraud except the government. You would think insurers might, but in many cases they’re complicit in the fraud, it costs them too much money to enforce, or the dollars don’t end up coming out of their pockets. It comes out of your employers and/or the patients.
Plus, insurers sell patients on the number of health services that are IN their network, so it’s not in their interest to face-off against providers unless it’s REALLY worth the fight. I find it hard to believe that insurers couldn’t detect fraud like Jorge Perez through their claims data - I think there’s an issue of how insurers internally escalate fraud and choose to pursue.
But the amount of fraud dollars here are insane, there must be a business that can be built around this. My guess is that it’ll be a company with some other function that HAPPENS to have fraud detection as function. For example, Stripe has Radar which can monitor fraud by using payment data/activity ACROSS all of its customers. What’s the equivalent in healthcare? FraudScope is one company that recently raised to tackle this. I would think voice-to-text transcription companies like Abridge or companies that connect datasets like Komodo or HealthVerity would be potential contenders too.
If you are building something in this space, I’d love to chat with you so hit me up!