WASHINGTON With Medicare fraud and abuse a hot topic on Capitol Hill and CMS pushing tougher supplier standards and accreditation as a catchall fix in
Monday, September 1, 2008

WASHINGTON

With Medicare fraud and abuse a hot topic on Capitol Hill and CMS pushing tougher supplier standards and accreditation as a catchall fix in the DMEPOS sector, just how easy is it to bilk the system by pulling the wool over CMS' eyes?

Well, according to a recent Government Accountability Office report, it's not hard.

In an undercover sting operation, the GAO set up two fictitious DME companies to test the rigors of CMS' oversight in policing Medicare enrollment. The result? Both phony companies, one in Virginia and one in Maryland, were approved to bill Medicare, despite the fact that neither had clients or inventory.

“Health and Human Services (HHS) has acknowledged Centers for Medicare and Medicaid Services' (CMS) oversight of suppliers of durable medical equipment … is inadequate to prevent fraud and abuse,” the GAO report, released last month, states. “Specifically, weaknesses in the DMEPOS enrollment and inspection process have allowed sham companies to fraudulently bill Medicare for unnecessary or nonexistent supplies.”

CMS' contractor (the National Supplier Clearinghouse, responsible for verifying that potential suppliers meet Medicare enrollment standards) conducted a “limited verification” of the phony companies and sham contracts, the report said. Despite onsite visits and an initial denial of the applications, the contractor ultimately did not detect that the companies were phony.

“We believe that, had our operation continued successfully, we could have fraudulently billed Medicare for substantial sums — potentially reaching millions of dollars,” the GAO said in its report.

CMS recently awarded Palmetto GBA a continuing contract to act as the NSC for one more year with four additional one-year options. Palmetto has held the NSC contract since 1993.

Following is a description of the sting that was used to test CMS' DMEPOS enrollment oversight — and how undercover agents got past the requirements — in the GAO's own words:

  • “Prior to submitting applications to CMS to become approved DMEPOS suppliers, investigators easily set up two fictitious durable medical equipment companies during April and May 2007 using undercover names and bank accounts. Although we did not actually obtain any inventory, we decided that both companies would be generic medical supply companies …

    “To appear legitimate, we rented 100 square foot commercial offices in both Maryland and Virginia. Both rentals cost approximately $1,000 per month and came complete with Internet, phone and fax service, and a shared secretary. We also set up fictitious Web sites, created brochures and business cards and purchased a few ‘props’ to be prepared for onsite inspections, including a wheelchair and bed pan.”

  • “Our investigators for the most part followed the general procedures that any legitimate business would use to begin DMEPOS operations. First, they paid online registration companies about $400 per supplier to obtain required state business licenses, such as sales tax licenses.

    To report suspected Medicare fraud, contact the Office of Inspector General:

    “In addition, for each company, investigators obtained employer identification numbers (EIN) from the Internal Revenue Service (IRS) and National Provider Identification (NPI) numbers from CMS. Investigators obtained both numbers for free online using basic information, such as the business name and address.”

  • “To make sure that our companies would meet the requirements for DMEPOS suppliers as outlined in the [supplier] standards, we did the following:

    1. “We created phony contracts with two fictitious DMEPOS wholesale suppliers to demonstrate that we had the capacity to supply equipment and supplies to clients. We also established phone numbers for each fictitious wholesale supplier. In reality, these phone numbers were unmanned extensions in the GAO building.

    2. “We created signs for the office doors listing hours of operations and staffed the offices with undercover agents posing as sales representatives.

    3. “We purchased approximately $3 million worth of general liability insurance covering, among other things, property damage and employee injury, at a cost of $550 annually.”

  • Despite its efforts, the GAO's phony locations were initially denied on the grounds that they did not meet two of the mandatory quality standards.

    “To comply with these two standards, we sent NSC corrective action plans that included repair policies and the same phony DMEPOS wholesale supplier contracts that we had previously submitted. CMS accepted this documentation as valid and approved both of our fictitious DMEPOS companies.

    “In short, the subcontractors hired to review our applications ultimately focused on the technical and administrative completeness of our applications rather than attempting to determine whether we were running valid businesses.”

  • In both fraudulent facilities, the GAO said, CMS contractors made onsite visits. In each case, the inspector used a checklist to ensure the facility was fulfilling the supplier quality standards. The undercover investigators gave “deliberately vague” answers to the site inspectors and were required to send follow-up information to CMS.

    According to the report, “Although we were never questioned about our plan to correct our repair policy, NSC did call the undercover phone number we set up for our phony DMEPOS wholesale supplier in November and left a message requesting additional information.

    “Posing as a representative for this wholesale supplier, an undercover investigator left a vague message in response but did not confirm the existence of a contract or a credit line. NSC never returned these calls or conducted any other follow-up.

    “Over the next several months, we repeatedly called NSC and its subcontractors to determine the status of our application and corrective action plan. Each time, we were told that our application was still under review.

    “Finally, on Feb. 4, 2008, NSC requested a voided check or deposit slip to confirm our banking information so that we could be set up for electronic funds transfers. We provided the information the next day, and CMS approved our application and sent us a Medicare billing number in its approval letter dated Feb. 13, 2008.”

    In the case of the Virginia facility, the NSC “did not do any further investigation and accepted the existence of the fictitious DMEPOS wholesale suppliers we created.” The Virginia facility received its Medicare billing number on Jan. 30, 2008.

  • With the billing numbers, the GAO began billing Medicare. “Using billing software downloaded from the Web, we began processing claims by entering fictitious dates of service, our undercover beneficiary information, DMEPOS item codes and charges, generic diagnosis codes, our billing numbers, and physician identification numbers that we found on the Internet.

    “It is important to note that we only used the latter to complete test billing; we did not compromise the provider status of any legitimate physicians by submitting fraudulent claims using their identification information. We then submitted several completed claims to CMS for acceptance.”

  • When the first few claims were rejected, the GAO said, “Our undercover investigator called CMS' help desk for assistance and found that we had to input our billing number on one of CMS' billing-related Web sites. There had been no instructions in the billing packet indicating that this was a required step. Once we provided our billing number at the site, CMS approved our initial claims.”

The GAO said on reviewing its report, CMS acknowledged that the covert tests “illustrate gaps in oversight that still require improvement.” CMS has said that mandatory accreditation for DMEPOS suppliers, along with revised rules prohibiting the use of cell phones and pagers as primary contact telephone numbers, will aid in reducing fraud.

But the GAO warned that efforts by CMS to address the issue “will only be successful if those tasked with ensuring compliance exercise due diligence when conducting screenings and inspections.

“Our covert tests clearly demonstrate that a simple paperwork review is not sufficient,” the GAO said. “Unless CMS and its contractors scrutinize suppliers to ensure that they are responsible, legitimate businesses, DMEPOS fraud will continue to cost taxpayers billions of dollars each year.”

To report suspected Medicare fraud, contact the Office of Inspector General:

  • Call 800/HHS-TIPS (800/447-8477)
  • Email: HHSTips@oig.hhs.gov
  • Fax: 800/223-8164 (no more than 10 pages)
  • Mail:
    Office of Inspector General
    HHS TIPS Hotline
    P.O. Box 23489
    Washington, DC 20026