WASHINGTON

With Medicare fraud and abuse a hot topic on Capitol Hill and CMS pushing tougher supplier standards and accreditation as a catchall fix in the DMEPOS sector, just how easy is it to bilk the system by pulling the wool over CMS' eyes?

Well, according to a recent Government Accountability Office report, it's not hard.

In an undercover sting operation, the GAO set up two fictitious DME companies to test the rigors of CMS' oversight in policing Medicare enrollment. The result? Both phony companies, one in Virginia and one in Maryland, were approved to bill Medicare, despite the fact that neither had clients or inventory.

“Health and Human Services (HHS) has acknowledged Centers for Medicare and Medicaid Services' (CMS) oversight of suppliers of durable medical equipment … is inadequate to prevent fraud and abuse,” the GAO report, released last month, states. “Specifically, weaknesses in the DMEPOS enrollment and inspection process have allowed sham companies to fraudulently bill Medicare for unnecessary or nonexistent supplies.”

CMS' contractor (the National Supplier Clearinghouse, responsible for verifying that potential suppliers meet Medicare enrollment standards) conducted a “limited verification” of the phony companies and sham contracts, the report said. Despite onsite visits and an initial denial of the applications, the contractor ultimately did not detect that the companies were phony.

“We believe that, had our operation continued successfully, we could have fraudulently billed Medicare for substantial sums — potentially reaching millions of dollars,” the GAO said in its report.

CMS recently awarded Palmetto GBA a continuing contract to act as the NSC for one more year with four additional one-year options. Palmetto has held the NSC contract since 1993.

Following is a description of the sting that was used to test CMS' DMEPOS enrollment oversight — and how undercover agents got past the requirements — in the GAO's own words:

• “Prior to submitting applications to CMS to become approved DMEPOS suppliers, investigators easily set up two fictitious durable medical equipment companies during April and May 2007 using undercover names and bank accounts. Although we did not actually obtain any inventory, we decided that both companies would be generic medical supply companies …

  “To appear legitimate, we rented 100 square foot commercial offices in both Maryland and Virginia. Both rentals cost approximately $1,000 per month and came complete with Internet, phone and fax service, and a shared secretary. We also set up fictitious Web sites, created brochures and business cards and purchased a few ‘props’ to be prepared for onsite inspections, including a wheelchair and bed pan.”

• “Our investigators for the most part followed the general procedures that any legitimate business would use to begin DMEPOS operations. First, they paid online registration companies about $400 per supplier to obtain required state business licenses, such as sales tax licenses.

  To report suspected Medicare fraud, contact the Office of Inspector General:

  “In addition, for each company, investigators obtained employer identification numbers (EIN) from the Internal Revenue Service (IRS) and National Provider Identification (NPI) numbers from CMS. Investigators obtained both numbers for free online using basic information, such as the business name and address.”

• “To make sure that our companies would meet the requirements for DMEPOS suppliers as outlined in the [supplier] standards, we did the following:

  1. “We created phony contracts with two fictitious DMEPOS wholesale suppliers to demonstrate that we had the capacity to supply equipment and supplies to clients. We also established phone numbers for each fictitious wholesale supplier. In reality, these phone numbers were unmanned extensions in the GAO building.

  2. “We created signs for the office doors listing hours of operations and staffed the offices with undercover agents posing as sales representatives.

  3. “We purchased approximately $3 million worth of general liability insurance covering, among other things, property damage and employee injury, at a cost of $550 annually.”

• Despite its efforts, the GAO's phony locations were initially denied on the grounds that they did not meet two of the mandatory quality standards.

  “To comply with these two standards, we sent NSC corrective action plans that included repair policies and the same phony DMEPOS wholesale supplier contracts that we had previously submitted. CMS accepted this documentation as valid and approved both of our fictitious DMEPOS companies.

  “In short, the subcontractors hired to review our applications ultimately focused on the technical and administrative completeness of our applications rather than attempting to determine whether we were running valid businesses.”