2009 KAISER PERMANENTE NATIONAL FRAUD CONTROL UPDATE Over $2.2 trillion is spent on health care in the United States each year. The United States spends more than a $1,000 per capita per year 1 or close to $400 billion on health carerelated paperwork and administration. It is undisputed that a significant portion of the more than 4 billion health insurance benefit transactions processed in this country every year are fraudulent. The National Health Care Anti-Fraud Association (NHCAA) estimates conservatively that 3 percent of all health care spending or $68 billion is lost to health care fraud. Other estimates by government and law enforcement agencies place the loss due to health care fraud as high as 10 percent of our nation s annual health care expenditure or a staggering $226 billion each year. 2 Private, not-for-profit entities, even those with an integrated care delivery system, such as Kaiser Permanente, also suffer losses associated with fraud, waste and abuse. The root cause of health care fraud is the failure of internal controls designed to prevent or detect it. Internal controls and an effective fraud control program within a health care entity are therefore crucial to fraud control. Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Groups, herein collectively referred to as The Kaiser Permanente Medical Care Program (KP), are committed to responsible stewardship of KP assets, including but not limited to member dues. Failure to prevent, detect, investigate, correct, prosecute and recover losses associated with fraud significantly impacts health plan members. Consequently, KP continuously develops its programs to control fraud waste and abuse, and they remain a top priority of Kaiser Permanente. During the year, KP continued efforts towards coordination of fraud control efforts and strengthening the organization s ability to prevent, detect, and recover from health care and insurance fraud and abuse. These efforts were designed to minimize the cost impact of health care fraud on KP members and to demonstrate continued compliance with applicable laws. Below are specific examples of Kaiser Permanente s efforts in its fraud control program. kp.org 1
2009 INITIATIVES AND ACTIVITIES 1) KP National Fraud Control Team The KP National Compliance, Ethics & Integrity Office National Fraud Control Team has oversight of the KP Fraud Control Program. The National Director of Fraud Control leads the National Fraud Control Team and the National Fraud Control Program. This team is currently staffed with 16 full-time employees. The fraud team consists of two units, the National Special Investigations Unit (NSIU) and the Fraud Control Program Unit. The NSIU is comprised of very high level investigators with extensive health care fraud or financial fraud investigative experience from state and federal governments. Included are former federal agents, insurance investigators, and investigators from local law enforcement. The Fraud Control Program Unit is now lead by a former NSIU lead investigator with prior State Health Care Fraud experience. The Fraud Control Program Unit manages and facilitates compliance with major proactive fraud control initiatives such as member identity verification and fraud detection via data mining. 1 US Health and Human Services, Centers for Medicare and Medicaid Services (CMS), 2007 2 Federal Bureau of Investigation, Financial Crimes Report to the Public Fiscal Year 2007 3 This major increase was associated with a Northern California employee data breach and identity theft investigation. 4 This report is available upon request. 5 In November 2008, TRAP Systems changed its name to Heuristic Optimized Processing System (HOPS). The mission of the National Fraud Control Team is to protect and serve our members and resources by increasing awareness and improving the prevention, detection, investigation, prosecution, and civil recovery efforts around health care fraud control. The National Fraud Control Team pursues this mission by: Maintaining strong partnerships with stakeholders and customers Facilitating and coordinating state-of-the-art fraud detection via dynamic fraud risk assessments and cross-platform data analysis Serving as a resource to all KP regions for fraud investigations and fraud control compliance strategies and operations kp.org 2
Sharing fraud control alerts and learnings Developing, facilitating and implementing fraud control corrective action Partnering with industry groups, such as the National Health Care Anti-Fraud Association (NHCAA), and participating in government task force teams In 2009, the National Fraud Control Team provided training and presentations to thousands of internal and external stakeholders on a wide variety of topics. There were 54 presentations to internal groups covering topics ranging from: National Fraud Control Updates and Fraud Overview Pharmacy Fraud Control and Awareness Identity Theft and Red Flags Investigative Interview Techniques Cash Control and Theft Prevention Detection of Fraud Through Data Mining NCO s national fraud control team and partners from other regional and local compliance offices presented at three external meetings and industry organizations conferences in 2009. Topics ranged from: Fraud Schemes and Trends: Georgia Health Care Fraud Task Force, FBI Special Agents and counterparts in the industry Fraud Control Updates and Law Enforcement Coordination: Hawaii FBI Special Agents Identity Theft The Health Plan Perspective: National Health Care Anti-Fraud Association The National Fraud Control Team Unit Descriptions A) National Special Investigations Unit (NSIU) The NSIU is currently comprised of a team of 10 full-time investigators with a nationally recognized level of investigative expertise. These investigators share responsibility for investigating suspected health care fraud and major crimes. The NSIU also has expertise with fraud control training, investigations training and support, and in the coordination and management of complex fraud investigations. kp.org 3
The KP NSIU provides KP with extensive and diverse investigative expertise including over 160 years of combined experience from public and private sectors of law enforcement and investigations. Team members also receive ongoing specialized training from recognized professional anti-fraud organizations. Depending upon the nature of the fraud at issue in a particular region, an appropriately experienced and specialized investigator can be immediately dispatched to conduct the investigation. However, most NSIU resources are physically based in California and support the two KP California Regions. The NSIU also coordinates effectively with law enforcement agencies. The vast experience of NSIU staff with criminal law and procedures helps KP more effectively address fraudulent conduct and enables NSIU to effectively partner and perform liaison work on criminal cases with government agencies. Law enforcement agencies often prefer contacts with former law enforcement personnel who have common experience in managing and investigating criminal cases. NSIU investigations cover a broad range of conduct. For example, investigations may focus on pharmacy theft/drug diversion, embezzlement, member fraud, identity theft, cash / check fraud, health care/claims fraud, vendor fraud, kickbacks, and privacy / computer fraud. In 2009, assigned NSIU cases for investigation increased approximately 47% from the previous year; with approximately 345 cases 3 referred to law enforcement and regulatory agencies. Pursuant to section 1,348 of the California Health and Safety Code, KP submits an annual report to the California Department of Managed Health Care listing all health care fraud cases referred to law enforcement. 4 The NSIU is lead by Chief Investigator David P. MacLeod, who serves the unit at a national level, manages staff, and works high profile cases. While unit members may be dispatched to investigate fraud in any KP region, NSIU hubs are located throughout KP as follows: Western Regions Southern California Investigations Manager David P. Macleod 8954 Rio San Diego Drive, Suite 114 San Diego, CA 92108 Telephone: (858) 614-3061 Northern California Lead Investigator Marita Janiga One Kaiser Plaza Program Offices, Ordway Building, Floor 12 Oakland, CA 94612 Telephone: (510) 271-4615 Eastern Regions Lead Investigator Rick Germroth 2101 East Jefferson St. Rockville, MD 20852 Telephone: (301) 816-6288 kp.org 4
B) Fraud Control Program Unit The Fraud Control Program Unit manages, facilitates and helps measure compliance with major proactive fraud control initiatives such as member identity verification and fraud detection via data mining. This unit also assists KP with fraud-related operational issues such as policy and procedures, information sharing, coordination of fraud alerts, training content and fraud-related best practices. The unit currently has three full-time employees. In 2009, this unit continued building partnerships with regional, departmental and medical center fraud control staff. The unit is led by Barbara Naimark. When Barbara joined KP in 2006, she arrived with an extensive background in fraud investigations, having worked as a Regional Chief with the California Department of Health Services, Medi-Cal Fraud Investigations. Barbara also has over 20 years of fraud investigative experience, covering beneficiary and provider health care fraud, and drug diversion investigations. While with California DHS, Barbara implemented statewide polices and procedures for new anti-fraud activities. She also helped the state of California develop a Web-based investigative case management system. Major fraud control projects managed by the Fraud Control Program Unit continued in 2009. Several initiatives included the following: Medical and Financial Identity Theft Red Flags: The Fraud Control Program Unit coordinated with all KP Regions to implement the Identity Theft Fraud Prevention Program. KP continued its i Check ID Program by positively acknowledging staff that check patient identification. KP also continued enhanced data mining activities to detect fraud, waste and abuse. In 2009, we continued the 2008 pilots for detecting identity theft through data mining efforts. For example, matching patient encounters or claims with the Social Security Administration Death Master File. The National Fraud Control Team also coordinates with KP regions and National Departments to conduct Fraud Risk Assessments to identify areas at particularly high risk for suspected fraud, waste or abuse. During 2009, the Fraud Control Program Unit also led hundreds of KP participants in monthly fraud control conference calls designed to enhance fraud control coordination across the program and between regions. These calls included Friday Fraud Focus, Claims Fraud, and Regional Fraud Liaison groups. The updated Organizational Chart for the National Fraud Control Team is attached on page 11 of this report. kp.org 5
2) KP Investigations Working Agreement The KP Investigations Working Agreement and Process Guidelines outline an enhanced and collaborative approach for coordinating and conducting investigative activities within Kaiser Permanente from reporting allegations to taking corrective action. The Agreement reflects KP s commitment to following all applicable federal and state laws (including those related to anti-fraud, Sarbanes-Oxley, and other external requirements) as well as our commitment to following self-imposed requirements as stated in the organization s Principles of Responsibility and other policies. Stated objectives of the Investigations Working Agreement include: 1. To facilitate coordination of internal and external investigations in an effort to reduce redundancy and to leverage investigative expertise. 2. To identify the primary investigative unit (defined as any unit or department that conducts investigations) that is responsible for each type of investigation. 3. To outline a process for investigative units to communicate their investigative activity in order to meet regulatory expectations concerning compliance and anti-fraud programs. 4. To provide the framework and tools to conduct investigations. This Investigations Working Agreement is scheduled to be updated in 2010. This update will include enhanced collaboration with the KP-IT Information Security Computer Forensics & Investigation Unit, and with facilities security. 3) The KP Compliance Hotline 1 (888) 774-9100 The KP Compliance Hotline is an anonymous toll-free helpline available 24 hours a day/7 days a week. It enables KP staff and any other callers to report situations believed to be illegal or improper. In addition, individuals can call the Hotline to obtain information or guidance on any compliance-related issues they may have. The KP Compliance Hotline is intended to: Provide an internal channel for people to anonymously report grievances and suspicious activity without fear of retaliation and retribution. Detect those committing, condoning, or covering up improper acts, including fraud, waste or abuse, by creating an environment in which others can report the improper act. Allow the organization to discover and address potential improper behavior to correct deficiencies and to self-disclose, as necessary, any information that may be required. kp.org 6
In 2009, our Hotline investigation case management system continued to support case tracking through enhancement of data fields. The case management system continues to be modified as we further develop functions for trending risks by integrating information from Hotline investigations, non-hotline investigations, audits, and assessments. In 2009, the KP case management tracking system (TrakWeb) was used to open 9,605 allegations and inquiry cases. Of those cases, 6,885 were received through the KP Compliance Hotline. Seventeen percent of the investigations were related to fraud, waste or abuse. Of those investigations, approximately 34 percent were substantiated. 4) 2009 Investigations In 2009, NSIU investigators closed 945 investigation cases and 372 cases were referred to law enforcement. 5) Internal Audits Kaiser Permanente s Internal Audit Services (IAS) department routinely conducts audits of administrative activities. Elements audited include mechanisms to identify or prevent fraudulent activities, including conduct of employees. In addition, KP s National Compliance, Ethics and Integrity Office National Compliance Audit Team (NCAT) routinely conducts compliance audits of high-risk areas related to compliance and ethics. Regions may request audits and/or investigations of controls or fraud risk areas as deemed appropriate. Several operational departments, such as Pharmacy and Clinical Review, also conduct self-audits and monitor operations for indicators of fraud or abuse. Kaiser Permanente s Chief Compliance Officer and Chief Audit Executive are aligned organizationally to report directly to KP s President and to its Board of Directors. On an annual basis, the National Compliance Office and Internal Audit Services Department engage the KP Board of Directors Audit and Compliance Committee in a dynamic fraud risk assessment discussion. Key issues and risks identified in each year s discussion will become a part of the following year s workplan for fraud control. 6) KP NCO Information Analytics and Compliance Technology (iact) Data Mining Beginning in January of 2002, KP contracted with Heuristic Optimized Processing System (HOPS) 5 to implement data mining capabilities. The project was prompted by a large claims fraud perpetrated against Kaiser Permanente. As a consequence, a core internal data mining kp.org 7
team was dedicated to running various analyses across numerous data platforms to proactively detect fraud, waste and abuse. Prior to 2005, iact (formerly the Fraud Detection Compliance Unit) served only the KP California Regions. In 2006, the team began data mining work in all eight KP regions. After its creation, iact was moved into the National Compliance, Ethics & Integrity Office (NCO), and in 2006 it was placed within the National Compliance Operations Team. Making this program national in scope enhances the organization s fraud control efforts and facilitates compliance with data mining requirements of MMA Part D and other statutory mandates. It also benefits the California Regions by facilitating data mining across regions; for example, where a provider or vendor might be overbilling or defrauding more than one region. These efforts continued through 2009. iact partners closely with the National Fraud Control Team. iact runs data mining algorithms to detect fraud based on information from fraud alerts and media stories. They also proactively examine data for information commonly seen as red flags for historically abusive conduct, or concerning patterns and variations reflecting potential abuse. Our proactive approach includes creation of new algorithms on a regular basis, based on input from the OIG, FBI, NHCAA and other organizations, along with information from internal process experts. A secure external data repository is maintained for this purpose. iact has developed many algorithms to identify fraudulent member issues, including questionable enrollments. Examples of various algorithms include episodes of particular health care, zip code analysis, drug prescription analysis, P.O. Box usage, point-of-sale machine transactions, duplicate claims, workers compensation claims and Medicare unassigned recovery. New algorithms are always under development. In 2008, with continued efforts in 2009, we enhanced data mining studies to include specific efforts related to Kaiser Permanente HealthConnect, Kaiser Permanente s electronic medical record system. Studies were conducted on all Kaiser Permanente members, in all regions. One study, identified as the Services After Death Study, matches patient encounters and claims with the Social Security Death Master File. 7) Sarbanes-Oxley Act of 2002 (SOX) and Fraud Control The Board of Directors for Kaiser Foundation Health Plan and Hospitals voluntarily adopted provisions of Sarbanes-Oxley. A key SOX provision is Section 404, which requires an annual assessment of internal controls, including fraud control. Companies subject to, or voluntarily adopting SOX as a best practice, must implement "antifraud programs and controls," to be kp.org 8
evaluated annually. Under SOX requirements, effective fraud control must contain key elements. The key elements are based on core fraud control principles reflected in SOX regulations and standards. The elements include: The definition of "fraud" Board, audit committee, and senior management oversight Fraud risk assessments Linking control activities to identified fraud risks Fraud monitoring and auditing Communication and knowledge management. Beyond complying with SOX, automating and strengthening fraud control makes good business sense. Effective fraud control protects our members and resources, provides significant cost savings opportunities, and mitigates reputation risk. Kaiser Permanente s National Fraud Control Team coordinates with the SOX team and assists with SOX compliance investigations and audits. 8) Training and Education Comprehensive training addressing compliant and ethical behavior expected of employees is core to KP s compliance and anti-fraud efforts. Education and training programs associated with fraud control awareness continued in 2009. Fraud awareness is included in the Annual Compliance Training that all staff must complete. Training topics covered include Compliance, KP s Principles of Responsibility, HIPAA Compliance, Fraud Awareness, Red Flags for Identity Theft, how to report fraud, waste and abuse, and other compliance concerns. In 2009, compliance training, which is mandatory, was provided to all new employees at or near the time of hire. Topics covered include Compliance, Principles of Responsibility, HIPAA Compliance, Fraud Awareness, Red Flags for Identity Theft, and, how to report fraud, waste and abuse and other compliance concerns. 9) KP Principles of Responsibility The Principles of Responsibility serves as KP s Code of Conduct. The document sets forth KP s core values and standards of conduct. An updated Principles of Responsibility was kp.org 9
distributed in 2007 and is provided to all new employees. Human Resources oversees consistent and fair use of progressive disciplinary measures, up to and including termination, for violations of the Principles of Responsibility, internal policies, regulatory requirements, legal requirements, and ethical expectations. The Principles of Responsibility includes the following statements: We are all responsible for safeguarding our organizational assets against misuse, waste, damage, loss, impairment, and theft. [Section 3.5] Maintaining complete and accurate records is essential if we are to meet our mission to provide quality health care. We must never create or change a document for the purpose of misleading anyone, and no relevant information should ever intentionally be left out, hidden, falsified, or covered up. [Section 3.4] This standard applies to all business records and communications including member, patient, or facility records and claims records that pertain to internal business data; financial and statistical information; timesheets; expense reports; and personnel files. Such business records and communications are used to make critical decisions within Kaiser Permanente. They may also be reported outside Kaiser Permanente to regulators, accrediting organizations, payers, customers, and the public. We must comply with federal and state regulations when preparing and maintaining these records and communications. [Section 3.4] We must cooperate fully during internal and external audits. If you become aware of any weakness in internal controls, structures, or procedures for recording and reporting medical information or financial and statistical data, you must report the matter. [Section 3.4] Medical records and other clinical documents are very important to ensure safe patient care. We must document clinical events in a clear and precise manner to enable others to understand the documents and to help facilitate accurate diagnostic and service coding, billing, cost reporting, planning, and research. [Section 3.4] Documents requested for any government investigation or legal proceeding or documents relevant to an expected government investigation or legal proceeding must not be altered or destroyed in any manner. [Section 3.4] kp.org 10
The government maintains a list of individuals and organizations that have been excluded from government contracting or are otherwise not eligible to participate in Medicare, Medicaid or other government health programs. Any existing or proposed employment, contract, or other association with any individual or entity who appears on these lists, will be handled in accordance with the law and Kaiser Permanente policies. Screening of physicians and employees prior to employment and monthly thereafter is performed according to Kaiser Permanente policies and procedures. This screening reviews physicians and employees against federal sanctions and debarred lists and other government exclusion lists. Any individual covered by the Principles of Responsibility who is added to any of these government lists must provide written disclosure to his or her immediate supervisor. [Section 5.6] The government has exact reporting requirements. Care must be taken in all communications, including written, oral, and electronic, to avoid any false or misleading statements. [Section 5.6] All cost and pricing information must be honest, accurate, and complete. Medical care and services must be documented to accurately reflect a patient s health status and care received. Claims and supporting medical record documentation must reflect compliance with diagnostic and procedural coding requirements. Miscoding is against the law and may require reimbursement of overpayments, payment of fines and penalties to the government, exclusion of individuals or organizations from participation in federal programs, or criminal punishment such as imprisonment. Even unintentional miscoding can result in a violation of law. [Section 5.6] 10) Recovery In 2009, KP s iact team, with the support of programwide Claims and Accounts Payable Operations, facilitated the recovery of close to $19 million. CONCLUSION The actions and activities described in this report are designed to prevent, detect, investigate, report, prosecute and recover losses resulting from health care and insurance fraud to the greatest extent possible. Kaiser Permanente continues to develop and refine standards and procedures designed to prevent, detect, and correct health care fraud, waste and abuse. kp.org 11
1 US Health and Human Services, Centers for Medicare and Medicaid Services (CMS), 2007. 2 Federal Bureau of Investigation, Financial Crimes Report to the Public Fiscal Year 2007. 3 This major increase was associated with a Northern California employee data breach and identify theft investigation. 4 This report is available upon request. 5 In November 2008, TRAP Systems changed its name to Heuristic Optimized Processing System (HOPS). kp.org 12
kp.org 13