Malcolm Sparrow Testifies Before the Senate Subcommittee on Criminal Prosecution as a Deterrent to Health Care Fraud

May 22, 2009

Malcolm K. Sparrow
Professor of the Practice of Public Management
John F. Kennedy School of Government
Harvard University

Senate Committee on the Judiciary: Subcommittee on Crime and Drugs

Wednesday May 20th, 2009

Hearing: "Criminal Prosecution as a Deterrent to Health Care Fraud"



Good afternoon Chairman Durbin, Ranking Member Graham, and distinguished members of the Senate Committee on the Judiciary, Subcommittee on Crime and Drugs.

My name is Malcolm Sparrow, and I teach regulatory and enforcement policy and operational risk control, predominantly to government regulators, at Harvard's John F. Kennedy School of Government. I have worked on the practical challenges of fraud detection and fraud control strategy with the credit card industry, with the IRS on tax fraud, and with private, not-for-profit and public insurers on health care fraud.

The units of measure for losses due to health care fraud and abuse in this country are hundreds of billions of dollars per year. We just don't know the first digit. It might be as low as one hundred billion. More likely two or three. Possibly four or five. But whatever that first digit is, it has eleven zeroes after it. These are staggering sums of money to waste, and the task of controlling and reducing these losses warrants a great deal of serious attention. One of my deep regrets is to discover that academia has paid almost no serious attention to this critical problem. I suspect this neglect is because the art of health care fraud control falls awkwardly between the traditional disciplines of health economics, health policy, crime control policy, anomaly detection and pattern recognition.

For those running our major health programs, fraud comes as the unwelcome guest. Systems carefully designed and set up to provide the best possible health care have turned out to be fabulously attractive targets for criminal fraud. So health care policymakers find themselves plunged into the crime control business, whether they like it or not. Many don't like it, and find themselves quite unprepared for it.

In 1993, while I was working with the IRS on a major tax fraud issue, IRS Commissioner Margaret Milner Richardson introduced me to Attorney General Janet Reno. It was in 1993 that Attorney General Reno declared Health Care Fraud to be the number two crime problem in America, second only to violent crime. That was an extraordinary position for a white collar crime to hold, and it reflected how seriously the Clinton administration viewed the problem. Attorney General Reno wanted to understand the strengths and weaknesses of the fraud controls used within the health care system, and as a result of my conversation with her, I subsequently accepted a research grant from the National Institute of Justice. My task was to study the state-of-the-art of fraud control within the health industry and, if possible, explain why health care fraud seemed so persistent and pervasive.

In 1996 I published my first book on the subject, called "License to Steal," which analyzed the industry's approach. The 1996 version is now out of print, but I can briefly summarize for you it's central message. In a nutshell, the analysis showed that the health industry failed to distinguish adequately between payment accuracy and crime control. On the whole the industry did a good job using modern process improvement strategies to ensure payment accuracy—by which I mean making sure that the claims as presented were processed correctly and according to all the relevant rules. But the industry did a terrible job of crime control, with almost no procedures in place to routinely verify that the claims presented were actually true, or that services provided were medically necessary.

This basic confusion, and the resulting lopsided performance, means that the health industry's controls are weakest with respect to outright criminal fraud. By contrast the industry's controls perform reasonably well in managing the grey and more ambiguous issues—such as questions about medical orthodoxy, pricing, and the limits of policy coverage. But criminals, who are intent on stealing as much as they can and as fast as possible, and who are prepared to fabricate diagnoses, treatments, even entire medical episodes, have a relatively easy time breaking through all the industry's defenses. The criminals' advantage is that they are willing to lie. And provided they learn to submit their bills correctly, they remain free to lie. The rule for criminals is simple: if you want to steal from Medicare, or Medicaid, or any other health care insurance program, learn to bill your lies correctly. Then, for the most part, your claims will be paid in full and on time, without a hiccup, by a computer, and with no human involvement at all.

In 2000 I updated and reissued "License to Steal" to give an account of the progress made by the Clinton administration, but also to make clear to subsequent administrations just how much more needed to be done to properly excise the cancer of fraud from important public programs.

Although I have not conducted any new field research since then, I have remained engaged with the field and have been watching developments over the last nine years with great interest and growing concern. Last month I published a summary paper analyzing recent developments, which was requested by the journal Social Research. That paper presents an analysis of why highly automated health care payment systems invite criminal assault, and what we know and don't know about the actual fraud loss rates. The paper also provides a critical assessment of the government's response to the latest round of billing scams to be discovered in the Medicare and Medicaid programs. With your permission, I would like to introduce that paper into the record.

Deterrence Theory:

The magnitude of a deterrent effect depends, according to criminologists, on a potential perpetrator's assessment of three factors:

(a) the likelihood of getting caught (i.e. the probability of being detected or reported),
(b) the probability of being convicted once detected, and
(c) the severity of the punishment if eventually convicted.

This hearing clearly focuses on the third, and I certainly support the notion of effective punishment for white collar crimes, particularly those that involve an abuse of the public's trust and diversion of public funds.

But I would urge the committee in its deliberations to consider the first two factors equally seriously. The third—severity of punishment—can be set or altered by statute or by adjusting sentencing guidelines. The first two are harder to change, as they depend on the underlying capacity of the detection apparatus and the capacity of the criminal justice system to deal with cases that come to light. The most obvious weaknesses in health care fraud control lie with these first two. Criminologists argue, in fact, that the first two—the probability of detection and conviction—weigh more heavily in the calculus of would-be-perpetrators than the severity of sentences because (assuming a low enough probability of detection) criminals like to believe they will never face sentencing.

I would like to highlight for this committee two major issues that relate directly to the chances of crimes being detected and dealt with appropriately.

Determining the Appropriate Scale for Detection and Control:

The resources available for fraud detection and control in health care are not only inadequate; they are of the wrong scale. The credit card industry has established benchmarks for "acceptable business risk" with respect to fraud losses. Their threshold is ten basis points on transaction volume, or one tenth of one percent. By contrast, estimates of fraud losses in the health industry range from 3% to 10% to 14%, depending on who you ask. Suppose for a moment the loss rate were 10%. That would be one hundred times the acceptable business risk threshold set by the credit card industry.

Meanwhile, spending on program integrity functions all across the health industry tends to run at or just below one tenth of one percent of overall program payouts. My papers and books present a wealth of facts and figures to demonstrate that.

These investments in control, while minimal, pay off handsomely. From year to year the Office of Inspector General (DHHS) reports return ratios per dollar spent in the region of 17 to 1. Sometimes higher. One view is that these handsome returns reveal a highly efficient operation. But any economist would tell you, conversely, that this shows the levels of investments in control are nowhere near optimal. Economists would say that one ought to keep adding controls until the marginal returns get much closer to one-to-one. Returns of the order of 20 to 1 indicate a reservoir of fraud available, and considerable ease in skimming off the more obvious cases. If you're standing in a lake, it does not take much effort to scoop up a bucket of water and hold it up for everyone to see.

Loss rates due to fraud and abuse could be 10%, or 20% or even 30% in some segments. We do not have reliable figures of the loss rates, because the overpayment rate studies the government has relied on in the past have been sadly lacking in rigor, and have therefore produced comfortingly low and quite misleading estimates.

By taking the fraud and abuse problem seriously this administration might be able to save 10% or even 20% from Medicare and Medicaid budgets. But to do that, one would have to spend 1% or maybe 2% (as opposed to the prevailing 0.1%) in order to check that the other 98% or 99% of the funds were well spent.

But please realize what a massive departure that would be from the status quo. This would mean increasing the budgets for control operations by a factor of 10 or 20. Not by 10% or 20%, but by a factor of 10 or 20. Such a move would be politically inconceivable unless the actual magnitude of the losses were properly measured, and the cold hard facts about loss rates put on the table. Measurement is normally step one in any effective fraud control operation. Without reliable information regarding the scope of the problem, everyone is free to guess what the loss rate might be, and they will guess high or low depending on their interests. While ambiguity persists about the size and seriousness of the problem, re-sizing the controls in such a dramatic fashion could not possibly be justified.

There have been some previous attempts to measure and report overpayment rates in Medicare and Medicaid. The most prominent of these were the "Medicare Overpayment Rate" studies, conducted by the Office of Inspector General (for Department of Health & Human Services) from FY 1996 through FY 2002. These OIG studies involved stratified random samples of recently paid Medicare claims, and retrospective audits of the claims selected for review. But the audit protocol the OIG used on these claims resembled a typical post-payment utilization review. These were desk-based audits, not fraud-audits. They did not involve face-to-face contact with providers, nor any contact with the majority of patients; and medical records mailed in by providers were assumed to be truthful. Thus the overpayments detected by these studies would not have included the majority of fraud types that are familiar to the Medicare program. This audit method would successfully capture processing errors (which one assumes should be few in a highly automated environment), and some cases of insufficient documentation. Despite the weak audit protocol, the first of these OIG studies, reported in 1997, showed an overpayment rate of 14%, equivalent to $23 billion in annual losses from the Medicare program. These findings shocked Congress, and the nation. In subsequent years the Medicare overpayment rates, measured the same way, settled down in the range 6% to 7%, providing some comfort for alarmed taxpayers.

These figures provided the basis for the outgoing Clinton administration's claim that they had correctly identified health care fraud as a problem, and had successfully cut the problem in half. Early in 2000 the GAO was asked by the Congressional House Budget Committee to examine the methodology the OIG had been using to estimate Medicare overpayment rates. The GAO, in its response, reported

"?our work shows that because the methodology was not intended to detect all fraudulent schemes such as kickbacks, and false claims for services not provided, the estimated improper payments of $12.6 billion would have been greater. How much greater, no one knows.
?The methodology assumes that all medical records received for review represent actual services provided."

Despite the clear admission that these studies did not capture most forms of fraud, and in particular would not capture the most obvious and central form of fraud—false claims—the OIG continued to use the same audit protocol in subsequent years. OIG officials argued that they had to employ the same methodology year after year in order to make the results comparable, so that any trends over time could be reliably discerned.

In January of 2003 the OIG discontinued the Medicare overpayment measurement program, leaving the Medicare agency itself (CMS) to run an equivalent annual study. The Centers for Medicare and Medicaid Services continue to use weak audit methodology in their Claims Error Rate Testing (CERT) program, and hence we now have no reliable indications of the overall fraud loss rates for the Medicare program.

For any invisible problem, effective control begins with valid measurement. For health care fraud, control breaks down at this very first hurdle. No-one knows quite how bad the situation has become, and industry practices seem to reflect a broad reluctance to find out. Exposing the scale of the problem might involve a dose of very bad news; but such bad news is easier to swallow at the beginning of an administration than at the end of one. I believe we have an important opportunity, now, to correct this defect and establish more appropriate levels of control based in a rational way on valid measurement of the loss rates.

Recent Developments: Evidence of Fake Billing Scams

My second major point relates to the extremely low probability, for criminals, of being prosecuted even when their false claims are detected. There is accumulating evidence that existing control strategies are missing important opportunities to shut down major false-billing scams.

The last ten years has seen an extraordinary series of reports produced by the Office of Inspector General (OIG) for the Department of Health and Human Services. According to OIG reports, several different categories of patients, none of whom should be getting treatment under these programs, have been showing up in significant numbers within paid Medicare and Medicaid claims. The most obvious embarrassment involves treatments rendered to patients who were already dead on the date they were supposedly treated. In March 2000, the OIG published its investigation into provision of medical services to Medicare beneficiaries after their dates of death. They quickly found $20.6 million in such claims, paid in 1997. A significant volume of the claims showed new treatments for a patient, beginning more than a month after they had died.

Dead patients also showed up in Medicaid claims around the country. An OIG report in 2006 summarized findings from ten different states, revealing $27.3 million in Medicaid payments for services after death.

Patients who have previously been deported also show up in paid claims. INS records show patients who had been banished from the country prior to the reported treatment dates, and prohibited from returning. How did these patients manage to receive their treatments here within the U.S., and at public expense? In March 2002, the OIG reported finding 43 deported Medicare beneficiaries for whom fee-for-service claims had been received and paid after the recorded date of deportation.

Similarly, patients who are in prison generally ought not to show up in Medicare and Medicaid paid claims. Most health insurance for prisoners is provided through prison systems, not by Medicaid or Medicare.

In July 2008, another group came to light, adding to Medicare's public embarrassment. The Senate Permanent Subcommittee on Investigations revealed the presence of dead doctors within Medicare's paid claims. From 2000 to 2007 between $60 million to $92 million was paid for medical services or equipment that had been ordered or prescribed by dead doctors. In many cases, the doctors had been dead for more than ten years on the date they supposedly ordered or authorized treatments.

All of these reports from the Office of Inspector General basically follow the same formulaic approach. They point out that the requisite data about deaths, deportations, and incarcerations is available somewhere within government, and so the Medicare and Medicaid programs could and should do a better job of obtaining that data from the relevant agency in a timely fashion and incorporating it into the claims processing edits and audits so that the payment systems could "auto-reject" the bad claims.

Anytime we discover that totally implausible claims have been paid, there are two questions that should spring immediately to mind: First, how did these obviously fictional claims get generated? Second, why did we pay them? All of these OIG reports focus heavily on the second question—the issue of whether the claim should or could have been denied—and neglect the first one almost entirely. In my mind, the first question is potentially much more revealing, and the most striking feature of the OIG's approach to these implausible claims is that their inquiries appear to pay little or no attention to the business practices that generate fake claims. Businesses that produce such claims are not error-prone; they are fraudulent. But the strategy the OIG recommends for dealing with these various classes of implausible billings reflect more of a concern with payment accuracy than with crime control.

While the OIG focuses on process improvement and payment accuracy, the scandals that emerge all around the country are about criminal fraud. The media provide a steady stream of stories about petty crooks or organized crime groups who—without ever seeing a patient or providing any valid medical services at all—manage to bill Medicare or Medicaid or some other health insurer millions of dollars. We know from these cases that fake billing scams exist, because they sometimes come to light. When claims are submitted, and they involve dead doctors or dead patients or some other feature that renders them obviously false, the most obvious explanation is that these claims arise as a chance by-product of much larger fake billing scams. To understand why the government's current response to these billing issues is inadequate, even dangerous, one has to briefly contemplate what life looks like on the other side of the fence.

Let us imagine that these claims have actually been produced by Billy, the crook. Billy's goal is to steal as much as he can, as fast as possible. Billy pays a nominal fee to sign up as a Medicare provider himself, or infiltrates a billing service which submits claims on behalf of others. In order to bill Medicare, Billy doesn't need to see any patients. He only needs a computer, some billing software to help match diagnoses to procedures, and some lists. He buys on the black market lists of Medicare or Medicaid patient IDs. If he wants to bill for services that require a prescription or authorization, he will also need to buy, steal, or otherwise obtain lists of physician numbers (UPINs) to enter into his electronic claims submissions.

Billy is actually vulnerable because his lists are not entirely "clean." They contain just a few cases, probably no more than one in a hundred, of doctors or patients who are dead, deported, or incarcerated. And Billy doesn't know that. In fact, Billy would pay a lot, at this point, to know which patients' and doctors' numbers to avoid.

Now consider the standard governmental response to these various billing anomalies. In particular, what do the OIG's proposals mean for a fraud perpetrator like Billy? If CMS perfects its pre-payment edits, and operates them as recommended by the OIG, then Billy will receive computer-generated auto-rejection notices for the small fraction of his claims that are obviously implausible: "Medicare rejected this claim because, according to government records, this patient died prior to the date of service." The other 99% of Billy's claims, not involving detectable aberrances, will all be paid. From Billy's viewpoint, life could not be better. Medicare helps him "scrub" his lists, making his fake billing scam more robust and less detectable over time; and meanwhile Medicare pays all his other claims without blinking an eye or becoming the least bit suspicious.

Even the briefest of glances over this fence enables us to see these several categories of implausible claims in quite a different light. Rather than processing errors to be corrected these claims represent detection opportunities for massive fake billing scams. Once one sees them in this light, an important question follows: just how large might these billing scams be? For that, there is no empirical evidence. But one might imagine that lists of Medicare providers and patients available to fraud perpetrators would typically contain only a few instances of people who were in fact dead, retired, deported, or incarcerated. Suppose these accounted for 1% or less of the patient list, and that the fake billing scheme used the numbers on the lists evenly. Then one might surmise that the billing scams would likely be at least 100 times as large as the volume of dead doctor or otherwise implausible claims that these scams would naturally generate.

So, while the OIG reports and resulting public concern focus on the several millions of dollars in obviously implausible claims that are apparently processed and paid in error, the underlying billing scams may well amount to hundreds of millions or billions of dollars. The implausible claims, as obvious fictions, represent important detection opportunities. But they themselves are not the real problem; they are just the detectable and visible symptoms of much larger and more sinister abuses.

By all means, CMS and their contractors should improve their capacity to detect such obviously implausible claims. Better inter-agency data exchange can facilitate this. But once such claims become visible, auto-rejection of the implausible claims is a feeble response. Criminals should not be able to submit fake claims with impunity. The system should bite back. All assumptions of trust should be dropped immediately. A proper fraud response would do whatever was necessary to rip-open and expose the business practices that produce such fictitious claims. Relevant methods include surveillance, arrest, or dawn raids. All other claims from the same source should immediately be put on hold. Whenever a provider submits claims for treatment of the dead, or treatment by the dead, there is almost no chance that any of their other claims—submitted in the names of the living—are any more valid.

It seems extraordinary, given the long history of health care fraud in the U.S., that the Office of Inspector General, which is centrally placed to oversee the fight against fraud, recommends such a weak and inadequate response when it comes to false claims and fake billings. Medicare officials and their overseers fail, like so many others across this industry, to properly distinguish between the imperatives of process management and the imperatives of crime control. By focusing so heavily on the first, they make life easier and safer for fraud perpetrators. One fundamental truth of the fraud-control business is this: fraud works best when claims-processing works perfectly.

The health care industry still acts as if it imagines that process-accuracy is the cornerstone of effective fraud control. In fact, process-accuracy (with the transparency and predictability it produces) is a large part of what makes health care payment systems such attractive targets for fraud.


I am happy to assist the committee in any way I can. I certainly support effective punishment for white collar crimes, particularly those that so clearly involve an abuse of the public trust. But I would urge this committee to consider also the following proposals, which would help to clarify the true nature and scope of the problem, and dramatically increase the likelihood that criminal activity will be detected in the first place and then pursued in an appropriately aggressive manner.

(1) As a matter of urgency, reinstate the requirement that the OIG provide an independent audit of the Medicare overpayment rate on an annual basis. CMS should not be left to diagnose and report on its own failings.
(2) Require the OIG, as it designs the necessary audit protocols for such overpayment measurement, to use a rigorous fraud-audit methodology, not the process-oriented desk-audit approach they used from 1996 to 2002. A fraud audit must include steps to verify with the patient or with others that the diagnosis was genuine and that the treatments actually too place. It should also include contextual data analysis sufficient to identify any suspicious patterns of incestuous or self-dealing patient referrals, diagnostic biases, or systematic padding of claims or treatments consistent with patterns of fraud.
(3) Require a review of the adequacy of the Medicare and Medicaid programs' operational responses to claims submitted that are clearly implausible. Auto-rejection of claims involving dead patients, dead doctors, or previously deported persons is a terribly weak response, and actually helps perpetrators perfect their billing scams. The detection of such claims ought to trigger a presumption of the presence of serious criminal enterprise, and that presumption should then be tested through appropriate criminal investigation and law-enforcement response.

Thank you, Mr. Chairman.

Print print | Email email