Claims fraud auditing

Internal Auditor, June, 1997 by Huong Q. Ngo

The bill for U.S. health insurance claims that are fraudulent, abusive or inaccurately submitted and processed may be as much as $84 billion per year. According to U.S. General Accounting Office estimates, as much as three to ten percent of health care expenditures must go toward covering the costs of fraud. It's no surprise that government insurance programs, self-insured corporations, insurance companies, and third-party administrators that can uncover and prevent fraudulent health claims stand to reap substantial savings.

Large claims often involve loss adjusters and are, therefore, less risky than small claims, which typically settle with little or simple review. Until recently, insurance companies were willing to accept occasional losses from fraud rather than pay to investigate smaller claims. However, the amount of fraud loss has substantially increased today; and insurance companies are seeking cost-beneficial audit programs to curtail these losses. A straightforward, three-step audit program may help internal auditors detect control weaknesses, claim fraud, and processing errors involving small- to medium-sized claims.

* A Throe-step Plan

The auditing program includes three key steps: verifying proper enrollment of policyholders and providers, reviewing the claim adjudication process, and checking payments. The steps are interdependent, and each must be implemented in precise order. For example, during Audit Step 2, the auditor must check claims' references to corresponding policyholders, whose validity should have been verified during Audit Step 1. During Step 3, the auditor must check disbursements' references to corresponding claims, the validity of which should have been verified during Step 2.

* Audit Step 1: Verifying Policyholders

The auditor's first step is to assure that each policyholder is (1) unique and (2) authorized. Policyholders must be unique, so that duplicate payments for one claim cannot be issued to the same person. Personal data must be recorded according to a prescribed standard, so that no identity confusion can arise.

Authorized enrollment is open only to individuals who meet certain employment, health, and premium payment conditions. The auditor should review these enrollment procedures and verify their effectiveness. It's not uncommon, for example, for a company to continue paying for health benefits of former employees. In the U.S., the Health Care Finance Administration has paid Medicaid/Medicare to deceased individuals because their data was not removed from the database. To prevent unauthorized payments, auditors should ensure that procedures are in place to cancel invalid policies in a timely manner.

The auditor should also examine data about dependents and providers and the procedures in place to record and maintain such data. Dependents should meet the relationship and age criteria, and providers should be participating members of the insurer's plan for payments to be allowed.

An essential control in the maintenance of the system's database is to segregate inactive accounts from active accounts for all policyholders, dependents, and providers. A fraud study by the American Institute of Certified Public Accountants revealed that inactive accounts often become the targets of fraudulent transactions.(*) The auditor needs to review procedures for deactivating and reactivating an account to assess whether the procedures are effective in deterring fraudulent claimants. After the auditor is reasonably assured that the individuals or entities represented in the system are authorized payment. recipients, he or she can proceed to Audit Step 2.

* Audit Step 2: Reviewing Claim Adjudication

Claim adjudication is the process of reviewing a claim for approval or disapproval. Audits of this area involve verification of three points:

1. Each claim references a claimant from the database examined in Audit Step 1 - which prevents payments to unauthorized individuals.

2. Each claim is entered only once - which prevents duplicate claims that could lead to duplicate payments.

3. Policies ensuring that all claims must meet the requirements of the health plan are enforced.

In examining the third point, the auditor may group all claims according to plan or policy type to search for violations of contract terms regarding deductibles, such as benefits maxima, geographic restrictions, restrictions on types of service, and age of patients, as prescribed by the respective plans. Plan terms can vary greatly from one to another, so such grouping makes it efficient to check all claims for violations of their respective contract terms.

Sorting all claims according to the individual policyholder's account allows the auditor to obtain claims histories for individuals. Improbable claim filing patterns, such as filing multiple claims in a same day by a policyholder and overcharges of various types, can be disclosed by examining this data.

Expertise in medical coding is a significant asset in detecting illogical matching of undertaken procedures and medical diagnoses. In claim processing, for example, ICD9-CM codes are used to report physician diagnoses, and CPT-4 codes to report physician procedures. Claims with illogical coding should not be paid. Common practices by fraudulent providers involve unbundling, which is coding one procedure with several codes to increase the claimed amount, and upcoding, which involves coding a simple procedure with a code for a complicated procedure to increase the claimed amount. Such fraudulent tactics are much more likely to be uncovered by auditors with fundamental skills in medical coding.