When Self-Reporting Fails, Fraud Prevails

Posted on September 10, 2015

Nearly 2 million doctors, nurses, medical equipment suppliers, and other health care providers participate in Medicare, according to the Centers for Medicare and Medicaid Services. To get paid for their services to Medicare beneficiaries, providers must first tell CMS about themselves, such as where they practice and their medical license status.

When we looked into CMS’s procedures for screening these providers, we found that this reliance on self-reported data leaves Medicare vulnerable to fraud. Policing self-reporting CMS doesn’t just accept applications from all providers who want to bill Medicare. The agency enters and tracks providers in its Provider Enrollment, Chain and Ownership System, or PECOS. The system also screens applications for indicators of potential fraud. But only half of PECOS’s fraud screens work well. While CMS can keep out banned providers or people attempting to register using deceased providers' information, the agency has trouble screening practice locations and physician license status. A routine exam...with a side of fries? We combed through nearly 1 million provider addresses from 2013 and found that more than 10% were potentially ineligible. For example, we found providers who claimed they would treat patients at: a mailbox rental store,

GAO-15-448 mail(Excerpted from GAO-15-448)

a vacant lot,

GAO-15-448 demolished(Excerpted from GAO-15-448)

and a fast food restaurant.

GAO-15-448 fast (Excerpted from GAO-15-448)

The problem is that CMS’s system only checks providers’ addresses for things like misspelled street names and zip code errors. By contrast, we reviewed the data using a system that also checks whether the address is vacant, invalid, or a commercial mail receiving agency, such as a UPS store.

Moreover, CMS has relaxed verification requirements for suspect addresses. The agency used to require that certain addresses be verified by searching the web and calling the business number listed on the application. But in March 2014 CMS began requiring this more robust verification only if its software couldn’t standardize the address. Of the 2,600 addresses we confirmed as ineligible, we estimated that each received at least $500,000 from Medicare. Paging “Dr.” Gonzo We also found that CMS failed to catch suspensions or other adverse actions against providers or suppliers—in part because providers only have to report these actions for their current state. Using information for each provider and supplier in the Medicare system, we checked each license they ever had. Of 1.3 million providers and suppliers, we found 147 who had not self-reported final adverse actions, such as a state revoking their medical license. One of the physicians we found had enrolled his Missouri license, but not his old California one—which had been revoked due to sexual misconduct.

GAO-15-448 summary(Excerpted from GAO-15-448)

Trust AND Verify We made multiple recommendations to CMS to improve how it screens providers, and will monitor what steps it takes to make sure only legitimate medical professionals participate in Medicare.