HIPAA and health care fraud: an empirical perspective.

• Author: Hyman, David A.
• Position: Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act passed Congress nearly unanimously in 1996. When HIPAA was considered, the focus of attention was portability. Little or no attention was paid to the statutory provisions relating to "accountability"--fraud control, for those unfamiliar with inside-the-beltway euphemisms. Ironically enough, the extent to which these ends were accomplished turned out be the inverse of the attention that was paid to them. The portability provisions have had relatively little impact on the portability of health care benefits, while the drive for accountability has resulted in an unprecedented number of civil and criminal enforcement actions; the transfer of billions of dollars from providers and insurers to the federal government and whistleblowers; the expenditure of tens of millions of dollars on lawyers, accountants, consultants, and compliance programs; and vehement protests by providers.

Contemporaneous statements by program administrators and law enforcement personnel certainly suggested that there was a desperate need for more accountability in health care, Bruce Vladeck, the then-administrator of the Health Care Financing Administration, (1) wrote in the Journal of the American Medical Association that there was "an enormous increase in health care fraud and program abuse ... [and] considerable temptations are cropping up for those unable to resist the quick buck" (Vladeck 1995: 776). The Department of Health and Human Services (2000) unveiled "Operation Restore Trust," a sweeping fraud control program for Medicare and Medicaid, and it enlisted the assistance of members of the American Association of Retired Persons to act as "fraud-busters." (2) FBI Director Louis Freeh testified before the Senate Committee on Aging that cocaine traffickers in Florida and California were switching from drug dealing to health care fraud, because it was safer, more lucrative, and less likely to be detected (Shogren 1995). Governmental reports similarly suggested that organized crime viewed health care fraud as a growth opportunity (General Accounting Office 2000a, 2000b). The popular press breathlessly reported stories of egregious fraud and abuse (see, e.g., Bell 1997, Hedges 1998, and Rundle 1989).

Public perceptions were influenced accordingly. A 1998 survey by AARP revealed that 83 percent of consumers believed health care fraud was extremely widespread or somewhat widespread, and 72 percent of consumers believed Medicare would be in no danger of going broke if fraud and abuse were eliminated. Fully 53 percent believed health care fraud was increasing (Sparrow 2000: xvi-xvii). As with many areas of health policy, colorful anecdotes and political statistics have played a major role in framing perceptions of the frequency and severity of health care fraud and abuse. (3) This article presents a more systematic appraisal of the problem of health care fraud and abuse and the strategies employed to address it, including those embodied in HIPAA. (4) In particular, the article focuses on what we know, don't know, and know that isn't so about health care fraud, abuse, and fraud control.

The Statutory and Administrative Framework for Health Care Fraud Control

The Existing Framework

When Medicare and Medicaid were enacted in 1965, a single provision prohibited the making of false statements to secure reimbursement (Sage 1999: 1179). Matters did not remain in this pristine form for long. In relatively short order, a complicated interlocking array of health-care-specific civil, criminal, and administrative anti-fraud laws and regulations were enacted by the states and the federal government, along with multiple levels of investigative and enforcement agencies. Although the aggressiveness with which health care fraud has been pursued has waxed and waned over the intervening decades, we are currently at an all-time high in terms of the level of enforcement and the associated "law and order" rhetoric.

Primary responsibility for enforcing federal criminal laws regarding health care fraud rests with the Department of Justice, and the individual U.S. attorneys. The Federal Bureau of Investigations plays a major role in assisting the DOJ in investigating and developing health care fraud cases. Within the Department of Health and Human Services, the Office of Inspector General is responsible for investigating fraud cases and bringing enforcement actions involving administrative sanctions. Individual states have their own Medicaid fraud control units, and local prosecutors can bring such cases as well. A number of private companies who contract with the Centers for Medicare and Medicaid Services to administer various aspects of the Medicare program have some responsibilities in this area as well. (5) Finally, in certain circumstances, private parties can pursue health care fraud through a civil lawsuit, although the government has the option of taking over the case.

In dealing with health care fraud and abuse, these entities can choose among a wide array of criminal, civil and administrative responses (see Schofield and Weaver 2000; Bucy 1996). On the criminal side, offenses can be addressed with general statutes or with healthcare specific statutes. (6) The range of possible punishments for these criminal offenses goes all the way up to life imprisonment.

On the civil side, the False Claims Act creates a cause of action against individuals or entities who knowingly present a false claim to the government. (7) No specific intent to defraud is required, and suit can be brought by the federal government or a private plaintiff. Private plaintiffs who sue under the FCA are known as "qui tam" relators, and they are entitled to a share of the eventual recovery. The amount varies depending on whether the government joins the case or not. Historically, the vast majority of the cases that the government does not join have foundered (Kovacic 1996: 1817-18). It remains to be seen whether the same pattern will apply to health care cases brought by qui tam relators, because the high stakes may induce defendants to settle, regardless of whether the government joins the case or not.

The FCA specifies that violators are liable for a statutory penalty of $5,500 to $11,000 per claim, in addition to three times the amount of damages sustained by the government because of the false claim. Because most health care providers typically submit a large number of modest claims, this structure means that statutory penalties generally dwarf actual damages, and quickly rise to staggering levels--as much as $1.1 million for every 100 false claims, irrespective of the dollar value of the false claims. (8)

In recent years, a flourishing qui tam bar has emerged and FCA claims have been transformed. The traditional FCA litigation involved claims for services that were not actually provided, or were provided in a manner quite different than was claimed. More recent cases have involved the use of the FCA to enforce other program rules or norms, including compliance with the anti-kickback statute, the self-referral statute, and minimum quality standards (Hyman 2001). False claims litigation involving allegations of substandard care have been brought against a number of nursing homes and psychiatric hospitals, and government representatives have announced their willingness to use the FCA against managed care organizations (MCOs) who fail to provide high-quality care to program beneficiaries (Peterson 2000: 74-79; Kalb 1999: 1164).

Finally, there are administrative penalties for violation of a wide range of program requirements, such as the ban on self-referral. The sanctions include substantial civil monetary penalties and program exclusion. (9)

This fraud control regime helps ensure that more than one million providers, filing more than a billion claims per year, comply with an exceedingly complex administered pricing system. Providers routinely complain about the complexity and volume of the rules with which they must comply. As one health lawyer observed, providers "need a U-Haul trailer to carry the statutes, regulations, general instructions, Intermediary and Carrier pronouncements, etc., to which they are required to adhere" (Epstein 1998).

Not surprisingly, the complexity of the system leads to frequent disputes. Indeed, studies of coding accuracy paint a dismal picture. One study found that family physicians agreed with expert coders (who themselves were not in perfect agreement) 52 percent of the time for established patient progress notes, and 17 percent of the time for new patient progress notes. Family physicians undercoded 33 percent of established patients and overcoded 81 percent of new patients (King, Sharp, and Lipsky 2001; see also Iezzoni 1999).

Although such disputes were traditionally handled informally or appealed to the Provider Reimbursement Review Board, providers now complain about the "criminalization" of billing disputes. In this setting, the FCA makes it possible for the government and qui tam relators to behave strategically and extract the health care equivalent of "greenmail" (Hyman 2001, Sage 1999, Reinhardt 2000). (10) Providers who believe they are blameless are under tremendous pressure to settle, because of the legal expenses associated with mounting a defense and the high probability of bankruptcy and professional disgrace if the jury does not see things the same way the provider does. Even if program administrators are inclined to overlook such disputes, fraud control personnel and qui tam relators are not bound by that determination, and have tended to take a much harder line on the subject of regulatory compliance (Hyman 2001).

HIPAA

HIPAA changed the fraud control framework in two substantial ways. It stiffened and federalized much of the law of health care fraud, and it created structural incentives to pursue such conduct, by creating three new programs and implementing a...