When Self-Reporting Fails, Fraud Prevails
Nearly 2 million doctors, nurses, medical equipment suppliers, and other health care providers participate in Medicare, according to the Centers for Medicare and Medicaid Services. To get paid for their services to Medicare beneficiaries, providers must first tell CMS about themselves, such as where they practice and their medical license status.
When we looked into CMS’s procedures for screening these providers, we found that this reliance on self-reported data leaves Medicare vulnerable to fraud.
Policing self-reporting
CMS doesn’t just accept applications from all providers who want to bill Medicare. The agency enters and tracks providers in its Provider Enrollment, Chain and Ownership System, or PECOS. The system also screens applications for indicators of potential fraud.
But only half of PECOS’s fraud screens work well. While CMS can keep out banned providers or people attempting to register using deceased providers' information, the agency has trouble screening practice locations and physician license status.
A routine exam...with a side of fries?
We combed through nearly 1 million provider addresses from 2013 and found that more than 10% were potentially ineligible. For example, we found providers who claimed they would treat patients at:
- a mailbox rental store,
- a vacant lot,
- and a fast food restaurant.
(Excerpted from GAO-15-448)
The problem is that CMS’s system only checks providers’ addresses for things like misspelled street names and zip code errors. By contrast, we reviewed the data using a system that also checks whether the address is vacant, invalid, or a commercial mail receiving agency, such as a UPS store.
Moreover, CMS has relaxed verification requirements for suspect addresses. The agency used to require that certain addresses be verified by searching the web and calling the business number listed on the application. But in March 2014 CMS began requiring this more robust verification only if its software couldn’t standardize the address. Of the 2,600 addresses we confirmed as ineligible, we estimated that each received at least $500,000 from Medicare.
Paging “Dr.” Gonzo
We also found that CMS failed to catch suspensions or other adverse actions against providers or suppliers—in part because providers only have to report these actions for their current state. Using information for each provider and supplier in the Medicare system, we checked each license they ever had. Of 1.3 million providers and suppliers, we found 147 who had not self-reported final adverse actions, such as a state revoking their medical license. One of the physicians we found had enrolled his Missouri license, but not his old California one—which had been revoked due to sexual misconduct.
Trust AND Verify
We made multiple recommendations to CMS to improve how it screens providers, and will monitor what steps it takes to make sure only legitimate medical professionals participate in Medicare.
- Questions on the content of this post? Contact Seto Bagdoyan at bagdoyans@gao.gov.
- Comments on GAO’s WatchBlog? Contact blog@gao.gov.
GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.
The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.