Fraud, Waste & Abuse - 2023 Updates (Specialist)

Please be advised that some videos will contain both PCP and Specialist content.
Video Time: 20:47

Fraud, Waste & Abuse

Introduction and changes for 2023

Most physicians strive to work ethically, render high-quality medical care to their patients, and submit proper claims for payment. Society places enormous trust in physicians, and rightly so. Trust is at the core of the physician-patient relationship. When our health is at its most vulnerable, we rely on physicians to use their expert medical training to put us on the road to a healthy recovery.

The Federal Government also places enormous trust in physicians. Medicare, Medicaid, and other Federal health care programs rely on physicians' medical judgment to treat beneficiaries with appropriate services. When reimbursing physicians and hospitals for services provided to program beneficiaries, the Federal Government relies on physicians to submit accurate and truthful claims information.

The presence of some dishonest health care providers who exploit the health care system for illegal personal gain has created the need for laws that combat fraud and abuse and ensure appropriate quality medical care.

This training assists physicians in understanding how to comply with these Federal laws by identifying "red flags" that could lead to potential liability in law enforcement and administrative actions. The information is organized around three types of relationships that physicians frequently encounter in their careers:

  1. Relationships with payers,
  2. Relationships with fellow physicians and other providers, and
  3. Relationships with vendors.

The key issues addressed in this training are relevant to all physicians, regardless of specialty or practice setting.

 

Fraud & Abuse Laws

The five most important Federal fraud and abuse laws that apply to physicians (for 2023) are the False Claims Act (FCA), the Anti-Kickback Statute (AKS), the Physician Self-Referral Law (Stark law), the Exclusion Authorities, and the Civil Monetary Penalties Law (CMPL). Government agencies, including the Department of Justice, the Department of Health & Human Services Office of Inspector General (OIG), and the Centers for Medicare & Medicaid Services (CMS), are charged with enforcing these laws. As you begin your career, it is crucial to understand these laws not only because following them is the right thing to do, but also because violating them could result in criminal penalties, civil fines, exclusion from the Federal health care programs, or loss of your medical license from your State medical board.

 

False Claims Act [31 U.S.C. §§ 3729-3733]

The civil FCA protects the Government from being overcharged or sold shoddy goods or services. It is illegal to submit claims for payment to Medicare or Medicaid that you know or should know are false or fraudulent. Filing false claims may result in fines of up to three times the program’s loss plus $11,000 per claim filed. Under the civil FCA, each instance of an item or a service billed to Medicare or Medicaid counts as a claim, so fines can add up quickly. The fact that a claim results from a kickback or is made in violation of the Stark law also may render it false or fraudulent, creating liability under the civil FCA as well as the AKS or Stark law.

Under the civil FCA, no specific intent to defraud is required. The civil FCA defines "knowing" to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. Further, the civil FCA contains a whistleblower provision that allows a private individual to file a lawsuit on behalf of the United States and entitles that whistleblower to a percentage of any recoveries. Whistleblowers could be current or ex-business partners, hospital or office staff, patients, or competitors.

There also is a criminal FCA (18 U.S.C. § 287). Criminal penalties for submitting false claims include imprisonment and criminal fines. Physicians have gone to prison for submitting false health care claims. OIG also may impose administrative civil monetary penalties for false or fraudulent claims, as discussed below.

Anti-Kickback Statute [42 U.S.C. § 1320a-7b(b)]

The AKS is a criminal law that prohibits the knowing and willful payment of "remuneration" to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients). Remuneration includes anything of value and can take many forms besides cash, such as free rent, expensive hotel stays and meals, and excessive compensation for medical directorships or consultancies. In some industries, it is acceptable to reward those who refer business to you. However, in the Federal health care programs, paying for referrals is a crime. The statute covers the payers of kickbacks (those who offer or pay remuneration) as well as the recipients of kickbacks (those who solicit or receive remuneration). Each party's intent is a key element of their liability under the AKS.

Criminal penalties and administrative sanctions for violating the AKS include fines, jail terms, and exclusion from participation in the Federal health care programs. Under the CMPL, physicians who pay or accept kickbacks also face penalties of up to $50,000 per kickback plus three times the amount of the remuneration.

Safe harbors protect certain payment and business practices that could otherwise implicate the AKS from criminal and civil prosecution. To be protected by a safe harbor, an arrangement must fit squarely in the safe harbor and satisfy all of its requirements. Some safe harbors address personal services and rental agreements, investments in ambulatory surgical centers, and payments to bona fide employees.

For additional information on safe harbors, see "OIG's Safe Harbor Regulations."

As a physician, you are an attractive target for kickback schemes because you can be a source of referrals for fellow physicians or other health care providers and suppliers. You decide what drugs your patients use, which specialists they see, and what health care services and supplies they receive.

Many people and companies want your patients' business and would pay you to send that business their way. Just as it is illegal for you to take money from providers and suppliers in return for the referral of your Medicare and Medicaid patients, it is illegal for you to pay others to refer their Medicare and Medicaid patients to you.

Kickbacks in health care can lead to:

  • Overutilization
  • Increased program costs
  • Corruption of medical decision making
  • Patient steering
  • Unfair competition

The kickback prohibition applies to all sources of referrals, even patients. For example, where the Medicare and Medicaid programs require patients to pay copays for services, you are generally required to collect that money from your patients. Routinely waiving these copays could implicate the AKS, and you may not advertise that you will forgive copayments. However, you are free to waive a copayment if you make an individual determination that the patient cannot afford to pay or if your reasonable collection efforts fail. It is also legal to provide free or discounted services to uninsured people.

Besides the AKS, the beneficiary inducement statute (42 U.S.C. § 1320a-7a(a)(5)) also imposes civil monetary penalties on physicians who offer remuneration to Medicare and Medicaid beneficiaries to influence them to use their services.

The Government does not need to prove patient harm or financial loss to the programs to show that a physician violated the AKS. A physician can be guilty of violating the AKS even if the physician actually rendered the service and the service was medically necessary. Taking money or gifts from a drug or device company or a durable medical equipment (DME) supplier is not justified by the argument that you would have prescribed that drug or ordered that wheelchair even without a kickback.

Physician Self-Referral Law [42 U.S.C. § 1395nn]

The Physician Self-Referral Law, commonly referred to as the Stark law, prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies. Financial relationships include both ownership/investment interests and compensation arrangements. For example, if you invest in an imaging center, the Stark law requires the resulting financial relationship to fit within an exception or you may not refer patients to the facility and the entity may not bill for the referred imaging services.

"Designated health services" are:

  • clinical laboratory services;
  • physical therapy, occupational therapy, and outpatient speech-language pathology services;
  • radiology and certain other imaging services;
  • radiation therapy services and supplies;
  • DME and supplies;
  • parenteral and enteral nutrients, equipment, and supplies;
  • prosthetics, orthotics, and prosthetic devices and supplies;
  • home health services;
  • outpatient prescription drugs; and
  • inpatient and outpatient hospital services.

For more information, see CMS's Stark law Web site.

The Stark law is a strict liability statute, which means proof of specific intent to violate the law is not required. Stark law prohibits the submission, or causing the submission, of claims in violation of the law's restrictions on referrals. Penalties for physicians who violate the Stark law include fines as well as exclusion from participation in the Federal health care programs.

Exclusion Statute [42 U.S.C. § 1320a-7]

OIG is legally required to exclude from participation in all Federal health care programs individuals and entities convicted of the following types of criminal offenses: (1) Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare or Medicaid; (2) patient abuse or neglect; (3) felony convictions for other health-care-related fraud, theft, or other financial misconduct; and (4) felony convictions for unlawful manufacture, distribution, prescription, or dispensing of controlled substances. OIG has discretion to exclude individuals and entities on several other grounds, including misdemeanor convictions related to health care fraud other than Medicare or Medicaid fraud or misdemeanor convictions in connection with the unlawful manufacture, distribution, prescription, or dispensing of controlled substances; suspension, revocation, or surrender of a license to provide health care for reasons bearing on professional competence, professional performance, or financial integrity; provision of unnecessary or substandard services; submission of false or fraudulent claims to a Federal health care program; engaging in unlawful kickback arrangements; and defaulting on health education loan or scholarship obligations.

 

If you are excluded by OIG from participation in the Federal health care programs, then Medicare, Medicaid, and other Federal health care programs, such as TRICARE and the Veterans Health Administration, will not pay for items or services that you furnish, order, or prescribe. Excluded physicians may not bill directly for treating Medicare and Medicaid patients, nor may their services be billed indirectly through an employer or a group practice. In addition, if you furnish services to a patient on a private-pay basis, no order or prescription that you give to that patient will be reimbursable by any Federal health care program.

For more information, see Special Advisory Bulletin: The Effect of Exclusion From Participation in Federal Health Care Programs.

You are responsible for ensuring that you do not employ or contract with excluded individuals or entities, whether in a physician practice, a clinic, or in any capacity or setting in which Federal health care programs may reimburse for the items or services furnished by those employees or contractors. This responsibility requires screening all current and prospective employees and contractors against OIG's List of Excluded Individuals and Entities. This online database can be accessed from OIG's Exclusion Web site. If you employ or contract with an excluded individual or entity and Federal health care program payment is made for items or services that person or entity furnishes, whether directly or indirectly, you may be subject to a civil monetary penalty and/or an obligation to repay any amounts attributable to the services of the excluded individual or entity.

For more information, see OIG’s exclusion Web site.

Civil Monetary Penalties Law [42 U.S.C. § 1320a-7a]

OIG may seek civil monetary penalties and sometimes exclusion for a wide variety of conduct and is authorized to seek different amounts of penalties and assessments based on the type of violation at issue. Penalties range from $10,000 to $50,000 per violation. Some examples of CMPL violations include:

  • presenting a claim that the person knows or should know is for an item or service that was not provided as claimed or is false or fraudulent;
  • presenting a claim that the person knows or should know is for an item or service for which payment may not be made;
  • violating the AKS;
  • violating Medicare assignment provisions;
  • violating the Medicare physician agreement;
  • providing false or misleading information expected to influence a decision to discharge;
  • failing to provide an adequate medical screening examination for patients who present to a hospital emergency department with an emergency medical condition or in labor; and
  • making false statements or misrepresentations on applications or contracts to participate in the Federal health care programs.

 

Compliance Programs for Physicians

Establishing and following a compliance program will help physicians avoid fraudulent activities and ensure that they are submitting true and accurate claims. The following seven components provide a solid basis upon which a physician practice can create a voluntary compliance program:

  • Conduct internal monitoring and auditing.
  • Implement compliance and practice standards.
  • Designate a compliance officer or contact.
  • Conduct appropriate training and education.
  • Respond appropriately to detected offenses and develop corrective action.
  • Develop open lines of communication with employees.
  • Enforce disciplinary standards through well-publicized guidelines.

For more information on compliance programs for physicians, see OIG's Compliance Program Guidance for Individual and Small Group Physician Practices.

With the passage of the Patient Protection and Affordable Care Act of 2010, physicians who treat Medicare and Medicaid beneficiaries will be required to establish a compliance program.

 

For additional information regarding Fraud and Abuse:

https://oig.hhs.gov/

List of FWA hotlines:

Genesys PHO
  Hotline: 810-424-2440
  Online Reporting: N/A
  Address: Compliance Official, 3495 S. Center Road, Burton, MI 48519

Medicare - HHS Office of Inspector General
  Hotline: 800-447-8477; TTY: 800-337-4950
  Online Reporting: Report Fraud Form
  Address: U.S. Department of Health and Human Services, Office of Inspector General, ATTN: OIG HOTLINE OPERATIONS, P.O. Box 23489, Washington, DC 20026

Medicare - Railroad
  Hotline: 1-800-772-4258
  Online Reporting: N/A
  Address: RRB-OIG Hotline Officer, 844 North Rush St, 4th floor, Chicago, IL 60611-1275, hotline@oig.rrb.gov

Medicaid - Michigan Department of Attorney General
  Hotline: 855-643-7283
  Online Reporting: Email; Online Form
  Address: Department of Attorney General, Health Care Fraud Division, P.O. Box 30218, Lansing, MI 48909

Aetna
  Hotline: 800-338-6361
  Online Reporting: Email: AetnaSIU@aetna.com
  Address: N/A

Blue Cross/Blue Shield PPO (BCBSM), Blue Care Network (BCN), Blue Cross Complete (BCC)
  Hotline: 800-482-3787; Medicare: 888-650-8136; Medicaid: 855-232-7640; Fraud Hotline: 1-844-786-7392
  Online Reporting: Report fraud form
  Address: Blue Cross Blue Shield of Michigan Corporate & Financial Investigation Department MC 1825, 600 E. Lafayette, Detroit, MI 48226

CIGNA
  Hotline: 800-667-7145
  Online Reporting: Email
  Address: Cigna Special Investigations, 900 Cottage Grove Road W3SIU, Hartford, CT 06152

Health Alliance Plan (HAP) Alliance Health & Life Insurance Company
  Hotline: 877-746-2501
  Online Reporting: Reporting fraud and abuse | Michigan Health Insurance | HAP
  Address: HAP Compliance Department, 2850 West Grand Boulevard, Detroit, MI 48202

HAP Midwest Health Plan
  Hotline: 877-746-2501
  Online Reporting: Reporting fraud and abuse | Michigan Health Insurance | HAP
  Address: HAP Compliance Department, 2850 West Grand Boulevard, Detroit, MI 48202

Meridian Health Plan
  Hotline: 866-364-1350
  Online Reporting: Email; Email
  Address: Meridian Health, Fraud, Waste and Abuse Department, 1 Campus Martius, Suite 700, Detroit, MI 48226

Molina Health Care
  Hotline: 866-606-3889
  Online Reporting: Report Fraud Form
  Address: N/A

Priority Health - HMO & PPO
  Hotline: 800-560-7013
  Online Reporting: Email; Report Fraud Form
  Address: Priority Health Compliance Officer, 1231 East Beltline, NE, MS 3230, Grand Rapids, MI 49525

Fraud Waste and Abuse Glossary of Terms (Updated 2018)

Account Takeover – Account takeover means a fraudster takes over your account by changing your PIN or address so that you can no longer access your account.

Account Takeover via Porting – Fraudster social engineers the mobile network operator call center to “port” ownership from victim device to himself in order to obtain mobile terminating one time passwords, or even generate outgoing communication.

AVS – stands for address verification, which is used to determine if the billing address on an account matches the mailing address on a credit card.

Automatic Number Identification (ANI) Spoofing – Also known as Caller ID Spoofing. The practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. For example, the caller ID display might display a phone number different from that of the telephone from which the call was placed. The term is commonly used to describe situations in which the motivation is considered malicious.

Bust-out Fraud – Bust-out fraud is when the amount of available credit is raised on otherwise-legitimate credit cards. Differs from account takeover since it is generally intended by and carried out by the original account holder.

Call Forwarding – Fraudster enables call forwarding on the victim’s phone in order to hijack mobile terminating voice calls from the bank that contain sensitive information (one time passwords, transaction confirmations).

Card-not-present (CNP) – A transaction where the card is not present at the time of purchase, such as for Internet, mail or telephone orders.

Chargeback – A chargeback is the reversal of the dollar value, in whole or in part, of a particular transaction by the card issuer to the acquirer, and usually, by the merchant bank to the merchant. Chargebacks are a big problem for consumers and merchants, where many accounts of fraudulent chargebacks lead to costly fees and fines.

Child Identity Theft – Child identity theft is when the victim is a minor child. Because a child or parent acting on behalf of the child is unlikely to request credit reports or try to obtain credit, the theft can go undetected for a long time.

Credit Card Fraud – This type of fraud is committed when a credit card is used without the intention of paying for the bill or transaction.

Criminal Fraud – This occurs when a fraudster provides law enforcement with another person’s name and personal information such as date of birth or Social Security Number (SSN) during an investigation or upon arrest.

Dark Web – the portion of the Internet that is intentionally hidden from search engines, uses masked IP addresses, and is accessible only with a special web browser. People who access and utilize the Dark Web want to browse anonymously. Many legitimate people use it, and so do bad actors. For example, law enforcement or journalists may use it to keep in contact with informants, and others may use it simply to protect their identity from state and private surveillance. On the other hand, unfortunately, criminals also use the dark web for a variety of mischievous purposes. A fraudster might be searching for identities to purchase, or criminals might be looking to buy drugs, hacking tutorials, adult entertainment or other malicious services.

Deep Web – the portion of the Internet that is hidden from conventional search engines, as by encryption. The Deep Web includes the Dark Web, but also includes all user databases, webmail pages, registration-required web forums and pages behind paywalls.

Device Cloning – Fraudster makes a software image of the device in order to impersonate the device from a software perspective and fool device fingerprinting solutions.

Dirty Data – data that can contain mistakes such as spelling or punctuation errors, incorrect data associated with a field, incomplete or outdated data, or even data that is duplicated in the database.

Dumpster Diving – The act of rummaging through someone’s trash to obtain personal information used to commit identity theft.

False Positive – This is the number of good or true accounts flagged by the fraud prevention system as fraudulent.

Familiar Fraud – Familiar fraud in the identity industry is when your ex-husband/wife or someone close to you, like a relative, impersonates you to get access to sensitive information. This is a big issue in the healthcare industry for HIPAA compliance reasons. An example of this would be something like an ex-spouse gaining access to your medical information.

Financial Fraud – Financial fraud is fraud that involves a financial account or transaction such as a bank account including a consumer loan or a credit card account.

Fraud – A deliberate misrepresentation to gain another’s money, assets or information.

Fraud Prevention – Fraud prevention is taking the steps that best protect against identity theft and other external threats targeting companies.

Fraud Ring – A group of individuals who scheme together to commit fraud.

Fraudster – A person who commits a fraud.

Friendly Fraud – Friendly fraud, also known as friendly fraud chargeback, is a credit card industry term used to describe a consumer who makes an Internet purchase with his/her own credit card and then issues a chargeback through his/her card provider after receiving the goods or services.

Honeypot – a decoy computer system for trapping hackers or tracking unconventional or new hacking methods. Honeypots are designed to purposely engage and deceive hackers and identify malicious activities performed over the Internet.

Identity Theft – Identity theft is a form of fraud or cheating of another person’s identity in which someone pretends to be someone else by assuming that person’s identity.  This typically occurs when a person is trying to access resources or obtain credit and other benefits in that person’s name.

Invisible Internet Project (I2P) – an overlay network and dark net that allows applications to send messages to each other pseudonymously and securely.

Malware – Any software or computer program that is designed to intentionally damage or disable computers or computer systems.  Malware examples are computer viruses, trojan horses, and spyware.

Man-in-the-Middle Attack – an attack where the fraudster secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

Medical Fraud – Medical fraud occurs when someone steals your personal information to obtain medical care, buy prescription drugs, or submit fake billings to Medicare in your name.

Payment Fraud – This occurs when a single transaction made on a payment card is fraudulent.

Perfect Identity – contains enough personal information on a consumer for a fraudster to accurately impersonate that individual (Ex: Name, Address, DOB and SSN) and attempt to open and access financial accounts, file a tax return, submit a medical claim and more. This data is usually stolen information from widespread data breaches, as well as other identity theft schemes.

Pharming – Pharming is a type of online scam where an attempt is made to redirect a website’s traffic to another, fraudulent website.  This is very similar to phishing, however, instead of relying completely on users clicking on a link in a fake email message, pharming re-directs victims to the fraudulent website even if they type the right web address of their bank or other online service into their web browser.

Phishing – Phishing is a fraudulent attempt to acquire sensitive information.  This is usually done through email in which the fraudster sends out a legitimate-looking email in an attempt to gather personal and financial information from recipients such as credit card number, social security number, account number or password. Phishing emails usually appear to come from a well-known organization.

Phoneypot – a telephone honeypot that allows researchers to collect data from millions of calls to unlisted numbers such as robo-callers, debt collectors and telemarketers.

Risk Management – Risk management involves identifying, assessing, managing and controlling potential events or situations, then taking measures to control or reduce them. And with fraudsters attempting new tricks every day, being able to quickly meet the rapidly changing fraud landscape is a necessity.  This is why IDology offers easy-to-use, completely customizable technology that you can control.

Shoulder Surfing – This is the act of a person sneakily looking over the shoulder of someone using a PIN.

SMS Intercept – When a fraudster intercepts inbound SMS communication. Fraudsters usually do this by phone cloning (lets you intercept incoming messages and send outgoing ones as if your phone were the original). If both phones are near the same broadcast tower, you can also listen in on calls.

Skimming – Skimming is a method that fraudsters use to illegally obtain credit card information. This is done using a small electronic device called a skimmer to swipe and store hundreds of victims' credit card numbers. This has become very popular at the gas pump. Fraudsters are tampering with pumps, installing skimmers and then using Bluetooth devices to read the card data.

SMiShing – This is a variation on phishing in which the criminal fishes for personal data over a cell phone. Instead of receiving an email, the person gets a text message that tells him to call a toll-free number, which is answered by a bogus interactive voice-response system that tries to fool the person into providing his/her account number and password.

SIM Cloning – A victim’s SIM card data, which contains all of their phone’s data, is copied to fraudster’s SIM so that the fraudster can impersonate a subscriber on the network and obtain all incoming communication.

SIM Swap – In this type of fraud, first a fraudster will collect your personal information, such as banking account information, through phishing, vishing, smishing or any other means. The fraudster then employs tactics, such as social engineering, to call the mobile network operator and deactivate the existing user's SIM as well as activate a device in their possession in order to hijack all mobile communication.

Social engineering – a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into giving them personal information.

Spoofing – Spoofing, in general, is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Email spoofing is one of the best known spoofs as it is fairly simple to forge and impersonate emails. Spoofed emails may request the recipient to reply with an account number for verification or may link to malware which can infect or damage a device.

Spear Phishing – Phishing email that looks as if it came from someone you know.  Typically the email contains a file that when opened will infect your computer with a bot or a key logger or something equally as bad.

Social Security Fraud – This occurs when a fraudster uses your Social Security Number in order to get other personal information. An example of this would include applying for more credit in your name and not paying the bills.

Synthetic Fraud – A type of ID fraud in which fraudsters combine real and fake identifying information to create new identities by either establishing new accounts with fictional identities or creating new identities from totally fake information.

Tor (anonymity network) – free software for enabling anonymous communication. The name is an acronym derived from the original software project name The Onion Router. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.

Virus – A computer program that replicates itself to infect computers. Viruses are typically spread from one computer to another through executable code in an infected file.

Vishing – This is a variation of phishing in which the criminal fishes for personal information or attempts to install malicious software on a computer through a video file.

Voice Over Internet Protocol (VoIP) – phone service over the Internet.

Voice-mail Hack – Fraudster breaks into victim’s voice-mail typically by searching for voice mailboxes that still have the default passwords active or have passwords with easily-guessed combinations, like 1-2-3-4. Fraudster causes mobile terminating voice one time passwords sent to phone to go to voice-mail and obtains them for fraudulent use. The fraudster can also use this tactic to make international calls.