
Health-Care Fraud and PHI: Employers protecting employees & bottom line

Date: November 1, 2005

Your employees' "protected health information" - names and addresses, social security numbers, payment histories, diagnoses - can be stolen or misused. Learn how your entity can protect its employees and add to the bottom line. 

Betty, a longtime administrative assistant at ABC Foods Inc., a large conglomerate, was hurting. She had recently fallen on the steps outside the company's headquarters and had broken her ankle.

Shortly after her accident, the company's health-care provider asked Betty to sign an extensive treatment contract that was in direct conflict with the benefits contract that the employer had signed via its insurance company. Employees, including Betty, rarely know anything about employer and insurance company contracts. Regardless, she quickly signed the treatment contract but didn't notice a clause that said she had to pay the provider even if she didn't receive her full treatment or if it wasn't effective. Betty never received all the provider services, but the provider nevertheless submitted a claim to the carrier for payment in full. The provider pursued a contract with the employee at a higher rate of reimbursement, knowing that it already had one with the insurance company at a lower rate.

In the meantime, Sam, who worked in the human resources department of ABC Foods, had sold Betty's name, address, date of birth, and social security number to a crime ring that set up a false line of credit. But more importantly, Betty's information now could be used by any of the "players" in the health-care system to bill for services or supplies that weren't provided.1  

How can employers help their employees avoid becoming the victims of health-care fraud and medical errors? By concentrating on the employees' protected health information (PHI) and the U.S. Health Portability Act of 1996 (HIPAA) that protects it.

Protected health information
HIPAA regulations define health information as "any information, whether oral or recorded in any form or medium" that

  • "(i)s created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
  • "(r)elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

The Privacy Rule (as described in HIPAA) defines PHI as individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that's transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that's created or received by a health-care provider, health plan, employer, or health-care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information. (See www.hhs.gov)

PHI can include: 

  • name and address;
  • date of birth;
  • social security number;
  • payment history;
  • account number; and
  • name and address of health care provider and/or health plan.

Fraudsters can tie these facts with other specific health information to perpetrate schemes such as opening up credit lines, submitting false claims, and many others.

Trillion-dollar cash cow
Health care is a trillion-dollar marketplace. It's a cash cow for those players who provide services within the industry and those who want to develop fraud schemes.

Consider these staggering numbers: 

  • U.S. health-care fraud estimates range from 3 percent to 10 percent of total health-care expenditures, or $42 billion to $140 billion per year. 2
  • Each U.S. intensive care unit sustains an average of 1.7 mistakes daily.

The price tag nationally? $80 billion per year. (A 1 percent failure rate is equivalent to two unsafe plane landings at O'Hare Airport each day, the U.S. post office losing 16,000 pieces of mail daily, and 32,000 bank checks being deducted from wrong accounts every hour.) 3  

Health-care fraud in this context is defined as knowingly, willfully, and intentionally deceiving the health-care supply chain. Take a look at a simplified version of that chain in the diagram below.

Figure 1 is no longer available

Byzantine supply chain
As shown in the diagram, the chain begins with the employer providing health-care benefits. Once the plan is set up, an employee - the patient - initiates the health-care supply chain when he or she uses any health-care service. The patient's PHI moves from and through various players and vendors within the provider, payer, and employer relationships. Providers in this diagram are any entities that provide health-care services (hospitals, clinics, etc.) and suppliers of goods (pharmaceuticals, supplies, equipment, etc.). Payers (insurance companies), TPAs (third-party administrators), and others actually pay the bills. The patient's PHI (and more than a trillion dollars per year) travels through these channels and through the company's employees, subcontractors, and their respective vendors. The cycle repeats itself every year the employer renews its benefit program. The risk that stolen or misused PHI will lead to fraud and mistakes is significant.

And beyond the specific problem of misused PHI, any of the players can generate numerous fraud schemes. For example, an employee can submit a false claim or misrepresent a medical service that isn't covered. A provider can submit a false claim or overcharge for the service. A payer might not disclose all subcontracted relationships to the employer, and vendor schemes can be integrated within all of these categories. The arrow below the dotted line represents the growing trend of false entities, constructed by organized crime, that access health information and data to either steal from a particular player or submit false claims through this channel of active health-care players. Few employers are ready for this area.

This diagram has no beginning and no end. The fraud can start on the employer side or the employee side. The dollar amount loss? $24 million per hour in the United States alone.

Misusing PHI for many frauds
Possible crimes can include claimant fraud, provider fraud, payer fraud, application fraud, eligibility fraud, and more. A fraudulent scheme can be initiated at any point in this process and no individual entity is immune. Here are a few examples.

Claimant fraud 

  • altering claim forms to obtain a higher payment amount
  • misrepresenting non-covered services
  • filing claims for services not rendered
  • misrepresenting eligibility

Provider fraud 

  • billing for services or supplies that weren't provided
  • soliciting, offering, or receiving a kickback, bribe, or rebate
  • falsely representing the nature of the services furnished
  • presenting the appearance of multiple visits by billing procedures over a period of days when all treatment occurred during one visit

Payer fraud 

  • intentional denial of services according to plan documents
  • intentional incorrect application of contracted payment schedules
  • use of funds from self-insured accounts for payment of non-contracted services
  • misrepresenting the amount actually paid to providers as a "medical expense" within employee utilization reports

Fraud could be initiated by the patient, the provider of care, by the payer, and even by those entities providing health-care coverage or their employers. All these entities should have, within their internal audit functions, risk analyses for potential risk exposure of PHI in their employee and contractor networks.

'Disconnects' in communication
How does this all tie back to medical errors? If we look at the same diagram (above) and the elements of PHI, we'll quickly note that the data elements that can be used to create a fraudulent scheme are in essence the same data elements that need to be communicated effectively to prevent a medical error from occurring. Errors result from "disconnects" in communication within this diagram. Examples include amputating the left leg instead of the right leg or incorrectly communicating a patient's blood type. Companies can address these types of quality errors by developing employee training programs on screening providers and ensuring they protect communication of PHI. Fraud schemes can be developed from the same communication disconnects in the delivery of patient care.

For example, in a workers' compensation case we reviewed, the surgeon committed a medical error and masked it by associating the complications from the error with the work-related injury. The employer paid out 25 years of workers' compensation benefits to the employee and respective providers on this case. The workers' compensation plan continued to pay for health-care services that were assumed to be related to the work-related injury, in addition to paying the employee salary benefits. In fact, a group health plan should have paid for those services, and the hospital and physician should have been accountable for 25 years of health-care expenses that had absolutely nothing to do with the injury. The services were the result of a medical error cover-up.

Disconnects in communication of PHI can open the door to those who want to obtain PHI to create a fraudulent scheme. Let's take a look at a case we reviewed from an ophthalmologist. A 40-year-old female schedules a routine eye exam according to the benefits provided by her employer. She receives the routine services and a new prescription for eyeglasses. However, the guaranteed $25 frames aren't in stock, so she purchases a more expensive set of frames. Later, the provider calls her to tell her the glasses are ready to be picked up. The fraudulent doctor first charges a higher rate for the frames than agreed upon in the plan document signed by the employer. He then charges the patient $300 for the visit that just involves picking up the prescription. The $300 "visit" is for a false diagnosis of dry eyes. This diagnosis of dry eyes (ICD9 code) is submitted to the payer, and it's entered into a data bank with the patient's name. Now any time she applies for disability or future insurance, this false diagnosis always will be part of her record. So her PHI is being used for illegitimate services as well as billing for services not rendered. The impact of the damage goes well beyond taking $300 from this employer; it actually damages the patient's risk profile for future insurance programs. On a massive scale, this type of activity may also affect the employer's employee risk and insurance rates. If your employee population has a pool of provider misrepresentation for diagnoses submitted, it will give the appearance of higher utilization, higher risk, and therefore higher rates.

PHI audits
Protecting PHI and understanding how it's used within the relationships identified in the diagram can help prevent inappropriate access or opportunities for theft. Quality control in preventing disconnects or incorrect disclosure of PHI can protect the patient from inappropriate denials and help prevent medical errors.

How do we begin to manage this process? Any entity within this diagram should conduct a PHI audit. The who's, what's, when's, why's, and how's of PHI within any organization should be documented and periodically audited. Within these categories, all entities should monitor electronic versus manual transactions. Eventually, any long-term corporate initiative should include the elimination of all manual transactions.

Numerous common data-mining techniques can make this massive analysis of data achievable. Manual internal audit tools and the use of medical auditors are important, of course, but the development of technology audit tools is vital for conducting the internal checks for risk and identifying the inappropriate use of PHI that are critical to any audit program.

Protecting everyone
An entity should protect not only an employee's good name but also his or her date of birth, social security number, health-care payment history, insurance account number, and other private protected health information. Unfortunately, hundreds of people may have access to a patient's PHI. Routine analyses and regular audits can protect employees, reduce liabilities, and increase profits.

Rebecca S. Busch, RN, MBA, CFE, CCM, CBM, FHFMA, is CEO of Medical Business Associates Inc., a health-care auditing firm specializing in employer benefit audit programs, employee training programs, and health-care forensic auditing services in Oak Brook, Ill.

1 This case combines two examples that were modified and de-identified to illustrate.
2 Healthcare Anti-fraud Association: www.nhcaa.org/
3 O'Hare statistics: www.flychicago.com; USPS statistics; bank check statistics
 
The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.  
