Leveraging Big Data to Mitigate Health Care Fraud Risk

Leveraging Big Data to Mitigate Health Care Fraud Risk Jeremy Clopton, CPA, CFE, ACDA Senior Managing Consultant BKD, LLP Forensics & Valuation Services

Introduction Health Care Is Victimized by Fraud Fraud by Industry Fraud Schemes in Health Care Industry of victim organizations in the 2014 Report to the Nations: 1. Banking 2. Government 3. Manufacturing 4. Health Care 5. Education The most common fraud schemes perpetrated in the health care industry in the 2014 Report to the Nations were: 1. Corruption 2. Billing 3. Expense reimbursements 4. Skimming 5. Payroll 6. Cash on Hand Source: 2014 ACFE Report to the Nations 2

Anti-Fraud Controls in Health Care Frequency & Effectiveness Frequency of Anti-Fraud Controls Effectiveness of Anti-Fraud Controls The 2014 Report to the Nations included questions regarding the presence of 18 possible anti-fraud controls in victim organizations. Some of the controls include external audits of financial statements, internal audit departments, hotlines & others. Proactive data monitoring/analysis ranked 14th most common, with 34.8 percent of victim organizations having this control in place. To determine effectiveness, the study analyzed the impact of the anti-fraud controls on median loss & duration. Organizations not using proactive data monitoring/analysis saw a median loss of $181,000, while those with the control in place saw a median loss of $73,000. The overall reduction in median loss was 59.7 percent, higher than any other control. With regard to duration, organizations that did not have proactive data monitoring/analysis saw a median duration of 24 months, while those with the control saw a median duration of 12 months. The overall reduction was 50 percent, matching five other controls for the most effective. Source: 2014 ACFE Report to the Nations 3

proactive data monitoring and analysis appears to be the most effective at limiting the duration and cost of fraud schemes Source: 2014 ACFE Report to the Nations

Purchasing Cards Leveraging bank data to identify fraud, waste & abuse.

Background How Fraud Is Committed In addition to fraud, purchasing cards are an area where waste & abuse are common. In many cases it is possible to analyze purchasing card activity to identify potential areas for cost savings, e.g., through the use of purchasing accounts at high volume vendors. Common purchasing card fraud schemes include: Using a corporate credit card for personal purchases Using reward card points for personal benefit Paying corporate expenses with the card when expense reimbursements has also been requested section 01 6

Insights Procedures to Consider While purchasing cards are considered by many to be high risk, the data available for analysis is some of the best. Also, many organizations have strictly developed policies regarding the use of purchasing cards. Detecting fraud, improper use, waste & abuse begins with procedures designed to identify violations of organizational policy. Other common procedures include: Identify transactions outside normal business hours Identify transactions on a holiday, including Black Friday & online Cyber Monday purchases Analysis of transactions with high-risk merchants Identify use of a purchasing card while on vacation or leave Identify transactions indicative of gift card purchases Analysis of Level III detail for unusual purchased items To take your purchasing card analysis to the next level, download leave data from payroll & compare vacation dates to transaction dates to identify employees using their cards on vacation. section 01 7

Accounts Payable Using vendor & transaction based data to address misappropriation & corruption.

Background How Fraud Is Committed Many of the most common fraud schemes in accounts payable start with manipulation of the vendor file. For this reason, control over vendor setup & changes to the vendor master file is an important control. Other attributes of schemes in accounts payable relate to payment information. Common schemes include: Fictitious vendors Conflicts of interest and/or unknown related parties Payments issued outside normal business hours Theft &/or manipulation of payments Invoices for fictitious goods or services Patient refund manipulation section 02 9

Insights Procedures to Consider Vendor Specific Procedures Many investigations in accounts payable begin with an analysis of the vendor master file. This file is important, because it contains the attributes about a vendor used to verify existence. Common procedures include: Employee/vendor matching Geographic proximity analysis Identifying vendors with a mailbox service or PO box address Analysis of vendor attribute capture Assessment of dormant and/or inactive vendors Identification of potential duplicate vendors Transaction Specific Procedures In addition to analysis of vendor attributes, the transactions used to issue payments to vendors are also important. These transactions contain key information regarding trends & patterns of activity. Some of the more common procedures used include: Benford s Law analysis Trend analysis of vendor activity Analysis of payment issuance patterns Identification of potential duplicate invoices Assess of payment sequences for anomalies section 02 10

Payroll Analyzing data to identify potential fraud & gain operational insights on personnel utilization.

Background How Fraud Is Committed Payroll schemes can take many different forms. Manipulation of the employee master file, deductions/withdrawal records, pay rates, time clock information or other hours based information are all ways in which payroll schemes can be perpetrated. Common payroll schemes include: Ghost employees Falsification of hours Tax fraud Earnings manipulation Time-clock manipulation section 03 12

Insights Procedures to Consider Employee Master File Procedures The first line of defense against payroll fraud schemes is control over the employee master file. Procedures designed to identify potential ghost employees include: Identification of potential duplicate employees Analysis of shared employee attributes, e.g., bank accounts, addresses, etc. Identification of employees with mailbox service addresses Analysis of employees without voluntary deductions or tax withholdings on file Payroll Detail File Procedures To identify falsification of hours, earnings manipulation & pay rate manipulation schemes, it is key to analyze payroll transactions. These transactions can also be used to identify potential ghost employees. Procedures include: Trend analysis of pay rates over time to identify unusual fluctuations Analysis of excessive hours by type Identification of payroll transactions issued off-cycle Analysis of hours compared to organizational policies section 03 13

Refunds of Overpayments Leveraging patient accounting data to address compliance with everchanging & complex regulations.

Background Key Regulations for Refunds Liability under the False Claims Act ( FCA ) 1 Section 3729(a)(1)(G) of the statute defines a reverse false claim. Essentially, this section provides liability where one acts improperly to avoid having to pay money to the government. Liability under the Fraud Enforcement Recovery Act of 2009 ( FERA ) FERA expanded the liability provided by FCA by eliminating the requirement of using a false statement or record to avoid payment to the government. Impact of Patient Protection and Affordable Care Act of 2010 ( PPACA ) 3 Combined with the application of FCA & FERA provisions, PPACA results in a requirement that health care organizations return overpayments to the government within 60 days of overpayment identification. The challenge in this regulation is the lack of definition for the term identified. While a definition has not been provided by statute or the courts, organizations need to be aware of this requirement & diligent in their return of overpayments. 1 http://www.justice.gov/civil/docs_forms/c-frauds_fca_primer.pdf 2 http://www.gpo.gov/fdsys/pkg/plaw-111publ21/pdf/plaw-111publ21.pdf section 04 3 Journal of Health Care Compliance, Volume 13, Number 4, July-August 2011, pages 39-41, Stark Provisions, McClain E. Bryant 15

Insights Procedures to Consider Data Elements to Obtain In analyzing activity for compliance with refund requirements stipulated by FCA, FERA & PPACA, health care organizations should incorporate all relevant data elements. These include: Patient visit information, including applicable payer information Account charge level detail, including date of service & charge post dates Account adjustment detail, including post date & related payer information Account payment detail, including date of payment, post date & resulting account balance Patient account billing & collection notes Utilizing all available data fields will provide the most comprehensive picture of the account activity & timing. Analysis to Perform Using the available data sets, organizations have the ability to analyze accounts where refunds were issued & those where refunds may need to be issued. Both account types are important for compliance with all applicable regulations. Some of the key time metrics include: Number of days from initial credit balance to refund Number of days from refund due note posting to refund Number of days an account has had a credit balance Number of days from payment date to payment posting date Number of days since last payment on account Using these metrics, organizations will be in a better position to assess compliance with regulations governing overpayments. section 04 16

Exclusion Testing Using both internal & external data sources to learn more about those with which your organization is doing business.

Background How Violations Occur Organizations receiving federal funds are subject to restrictions regarding the individual & entities with which they do business. Depending on the type of federal funding, the type of exclusion & applicable excluding entity may differ. Three federal lists containing individuals & entities excluded from federal funds include: List of Excluded Individuals & Entities (LEIE) Excluded Parties List System (EPLS) Specifically Designated Nationals list (SDN) In addition to the federal lists, many state funded programs have exclusion lists for their specific programs. Check the website of any government funding sources for potential requirements to comply with these restrictions. section 05 18

Insights Procedures to Assess Compliance At the federal level, there are three main sources of information related to excluded entities & individuals. These are: Office of Inspector General - LEIE (http://oig.hhs.gov/exclusions/index.asp) System for Award Management - EPLS (https://www.sam.gov/portal/sam/#1) U.S. Department of the Treasury - SDN (http://www.treasury.gov/resource-center/sanctions/sdn- List/Pages/default.aspx) Each of these sources of exclusion information contain two options: 1. Searchable lists 2. Downloadable lists Using the downloadable list option, organizations have the ability to compare their employees, vendors, providers & other entities/individuals with which they do business to the list of exclusions. This comparison should use available attributes such as name, address, national provider identifier & others. If a match is found, review the appropriate website to determine next steps. section 05 19

Resources Documents, websites & links to provide you with what you need to start getting the most out of your data.

Information Resources to Consider IIA Global Technology Audit Guides Continuous Auditing Fraud Prevention and Detection in an Automated World Data Analysis Company Sites http://www.acl.com http://www.audimation.com http://www.tableausoftware.com ISACA White Paper Data Analytics A Practical Approach Health Care Specific http://www.healthdata.gov https://www.data.gov/health section 06 21

Speaker Bio Jeremy Clopton, CPA, CFE, ACDA Jeremy is a senior managing consultant in BKD s Forensics & Valuation Services division and specializes in providing fraud investigation and forensic data mining services. Jeremy has experience in using ACL, IDEA and Tableau software for forensic data mining and continuous auditing. His forensic data mining experiences include all major industries in both investigation and prevention projects, and has designed and implemented continuous auditing solutions for organizations in a variety of industries, including Fortune 500 companies and health care institutions. He was a speaker at the 2013 ACL Connections Global User Conference and currently contributes to Fraud Magazine s Fraud EDge column on the intersection of data analytics and digital forensics. Contact Information Phone: 417.865.8701 Email: jclopton@bkd.com Social Media Blog: http://bkdforensics.com Twitter: @j313 LinkedIn: http://www.linkedin.com/in/jeremyclopton/ section 06 22