WASHINGTON--With Medicare fraud and abuse a hot topic on Capitol Hill and CMS pushing tougher supplier standards and accreditation as a catchall fix in the DMEPOS sector, just how easy is it to bilk the system by pulling the wool over CMS’ eyes?
Well, according to a recent Government Accountability Office report, it’s not hard.
In a recent undercover operation, the GAO set up two fictitious DME companies to test the rigors of CMS’ oversight in policing Medicare enrollment. The result? Both phony companies, one in Virginia and one in Maryland, were approved to bill Medicare, despite the fact that neither had clients or inventory. (See lead story in this issue.)
In fact, the GAO report said, many sham companies do not even attempt to go to great lengths to cheat the system. In one of the example given in the report that was found on an unannounced site visit, a scammer “was operating two … fraudulent DMEPOS companies--one of them located in a utility closet containing buckets of sand mix, road tar and a large wrench (but no medical files, telephone, or other office equipment).”
In short, here is the undercover “sting” that was used to test CMS’ DMEPOS enrollment oversight, contracted to Palmetto GBA as the National Supplier Clearinghouse--and how they got past it--in the GAO’s own words:
--“Prior to submitting applications to CMS to become approved DMEPOS suppliers, investigators easily set up two fictitious durable medical equipment companies during April and May 2007 using undercover names and bank accounts. Although we did not actually obtain any inventory, we decided that both companies would be generic medical supply companies … To appear legitimate, we rented 100 square foot commercial offices in both Maryland and Virginia. Both rentals cost approximately $1,000 per month and came complete with Internet, phone and fax service, and a shared secretary. We also set up fictitious Web sites, created brochures and business cards and purchased a few ‘props’ to be prepared for on-site inspections, including a wheelchair and bed pan.”
--“Our investigators for the most part followed the general procedures that any legitimate business would use to begin DMEPOS operations. First, they paid online registration companies about $400 per supplier to obtain required state business licenses, such as sales tax licenses. In addition, for each company, investigators obtained employer identification numbers (EIN) from the Internal Revenue Service (IRS) and National Provider Identification (NPI) numbers from CMS. Investigators obtained both numbers for free online using basic information, such as the business name and address.”
--“To make sure that our companies would meet the requirements for DMEPOS suppliers as outlined in the [supplier] standards, we did the following: 1) We created phony contracts with two fictitious DMEPOS wholesale suppliers to demonstrate that we had the capacity to supply equipment and supplies to clients. We also established phone numbers for each fictitious wholesale supplier. In reality, these phone numbers were unmanned extensions in the GAO building. 2) We created signs for the office doors listing hours of operations and staffed the offices with undercover agents posing as sales representatives. 3) We purchased approximately $3 million worth of general liability insurance covering, among other things, property damage and employee injury, at a cost of $550 annually.”
--Despite its efforts, the GAO’s phony locations were initially denied on the grounds that they did not meet two of the mandatory quality standards. “To comply with these two standards, we sent NSC corrective action plans that included repair policies and the same phony DMEPOS wholesale supplier contracts that we had previously submitted. CMS accepted this documentation as valid and approved both of our fictitious DMEPOS companies. In short, the subcontractors hired to review our applications ultimately focused on the technical and administrative completeness of our applications rather than attempting to determine whether we were running valid businesses.“
--In both fraudulent facilities, the GAO said, CMS contractors made onsite visits. In each case, the inspector used a checklist to ensure the facility was fulfilling the supplier quality standards. The undercover investigators gave “deliberately vague” answers to the site inspectors and were required to send follow-up information to CMS.
According to the report, “Although we were never questioned about our plan to correct our repair policy, NSC did call the undercover phone number we set up for our phony DMEPOS wholesale supplier in November and left a message requesting additional information. Posing as a representative for this wholesale supplier, an undercover investigator left a vague message in response but did not confirm the existence of a contract or a credit line. NSC never returned these calls or conducted any other follow-up. Over the next several months, we repeatedly called NSC and its subcontractors to determine the status of our application and corrective action plan. Each time, we were told that our application was still under review. Finally, on Feb. 4, 2008, NSC requested a voided check or deposit slip to confirm our banking information so that we could be set up for electronic funds transfers. We provided the information the next day, and CMS approved our application and sent us a Medicare billing number in its approval letter dated Feb. 13, 2008.”
In the case of the Virginia facility, the NSC “did not do any further investigation and accepted the existence of the fictitious DMEPOS wholesale suppliers we created.” The Virginia facility received its Medicare billing number on Jan. 30, 2008.
--With the billing numbers, the GAO began billing Medicare. “Using billing software downloaded from the Web, we began processing claims by entering fictitious dates of service, our undercover beneficiary information, DMEPOS item codes and charges, generic diagnosis codes, our billing numbers, and physician identification numbers that we found on the Internet. It is important to note that we only used the latter to complete test billing; we did not compromise the provider status of any legitimate physicians by submitting fraudulent claims using their identification information. We then submitted several completed claims to CMS for acceptance.”
--When the first few claims were rejected, the GAO said, “Our undercover investigator called CMS’ help desk for assistance and found that we had to input our billing number on one of CMS’ billing-related Web sites. There had been no instructions in the billing packet indicating that this was a required step. Once we provided our billing number at the site, CMS approved our initial claims.”
The bottom line of the sting operation, according to the GAO: "After establishing two fictitious DMEPOS storefronts with no inventory and no clients, our undercover investigators were able to successfully complete the Medicare enrollment process.”