Reprinted from INSIDE HEALTH INSURANCE EXCHANGES, a
hard-hitting newsletter with news and strategic insights on the development and
operation of public and private exchanges.
By Steve
Davis, Managing Editor
November 2015 Volume
5 Issue 11
As part of a 2014 undercover
investigation, 11 out of 12 fictitious insurance exchange applications easily
glided through the eligibility verification process. On Oct. 23, less than 10
days before the 2016 open-enrollment period began, federal investigators told a
House subcommittee that fraudulently obtaining coverage and federal subsidies
hasn’t gotten any more difficult.
This year, investigators from the
non-partisan Government Accountability Office (GAO) created 10 fictitious
applicants to test application and enrollment controls at federal exchanges in
New Jersey and North Dakota, and state exchanges in California and Kentucky.
“We did not detect any material change
between 2014 and 2015. It was the same relatively easy lift to work the system
to our advantage to get coverage and subsidies,” Seto Bagdoyan, director of
GAO’s Forensic Audits and Investigative Services, tells HEX. “To some
extent, we expected that certain things might have changed.” After testifying
before the House Ways & Means Committee in July 2014, CMS indicated it
would use GAO’s findings to improve the eligibility verification system. “If
they have responded, we are not aware of it, and certainly did not detect it in
our work,” he adds. GAO will issue its final report early in 2016, which will
include greater detail as well as recommendations. CMS and the state exchanges
have an opportunity to comment officially on the findings for the final report.
Since being made aware of GAO’s
findings, a spokesperson for Covered California says the exchange is developing
process improvements and will provide more details of that plan to GAO for
their final report.
‘Presumptive Eligibility’ Favors
Applicants
Despite the use of blatantly false
Social Security numbers — such as those that began with 000 — GAO investigators
obtained coverage and advance premium tax credits (APTCs) for nearly all of
their made-up applicants. Although false Social Security numbers were initially
flagged during the online enrollment process, switching to telephone-based
enrollment allowed the process to continue to completion. Eight additional
phony applications tested the enrollment process for Medicaid through the same
state and federal exchanges. Investigators obtained either Medicaid or
subsidized qualified health plan (QHP) coverage for all but one phony applicant.
Like Medicaid, exchange enrollment
rules operate under a model of “presumptive eligibility,” which favors the
applicant and makes early fraud detection difficult. Even if federal data
verification — from agencies including the Social Security Administration
(SSA), Dept. of Homeland Security and IRS — fails, CMS and state exchanges
generally allow the application to proceed. Completing the application process,
however, typically requires the applicant to follow up with supporting
documentation within 90 days. As a result, fraud detection and prevention
efforts tend to be executed after enrollment is completed.
Social Security numbers are used to
establish identity rather than to determine eligibility. As a result, even a
false Social Security number won’t end the application process. Kentucky’s
insurance exchange, for example, contacted SSA when a GAO investigator tried to
apply with a false number. “But because of the rules regarding
self-attestation, they went ahead and approved our application anyway,” says
Bagdoyan.
However, Chris Lunt, vice president of
policy at GetInsured, an online insurance exchange, says assuming that
applicants are acting in good faith, dealing with potential fraud on the back
end, makes sense. “The counter policy would be to punish false negatives by
keeping them from getting insurance. Even the ‘000’ Social Security numbers may
represent someone who’s in their car, calling a broker, and they don’t know
their number by heart. They’re trying to get the deal done, and fill in the details
later,” he tells HEX. “I agree, you can up the bar on this a little
bit.”
Back-end Detection Doesn’t Work
But Bagdoyan says trying to detect
fraud on the back end is a red herring. “None of the massive social-benefit
programs currently in existence have even a remotely effective back-end
capability to detect and claw back fraudulent money,” he asserts.
A spokesperson for Rhode Island’s
state-based exchange tells HEX that it sends applicant Social Security
numbers to SSA as well as to other federal and state agencies. If the number
isn’t verified by the SSA, it triggers a notice to the exchange. Through a
manual process, the applicant is then notified by the exchange and has a set
period within which to respond with qualifying proof of identification. “If the
customer doesn’t respond within the allowable limits, the coverage is
terminated,” says spokesperson Maria Tocco. Previously, the loop wasn’t always
closed and the customer’s coverage may not always have been terminated in a
timely way, she adds.
Exchanges allow applicants to use a
wide range of documents (e.g., proof of residence, citizenship, income, etc.)
to establish eligibility, and CMS doesn’t perform detailed authentication.
Moreover, for many documents, no uniform standard exists, says one federal IT
contractor who spoke on the condition of anonymity. Birth certificates, for
example, can vary by county within a state as well as from state to state. CMS
deemed it infeasible to staff Eligibility Support Services with personnel who
are trained in or possess expertise in determining the authenticity of
documents, he tells HEX.
Too many steps in verifying eligibility
would slow the application process. And the technical and procedural challenges
associated with preventing fraud are daunting. The contractor suggests that
greater emphasis be placed on using automation to validate Social Security
numbers. An invalid number, he says, should raise a permanent red flag.
GAO is conducting additional forensic
work on actual applications to determine the prevalence of fraud within the
exchanges.
Q&A With GAO’s Forensic Audits
Director
In an Oct. 27 telephone interview with HEX,
Bagdoyan provided additional details about his department’s undercover work.
Here’s what he said:
HEX: You started the 2015 application
processes online and then switched to telephone enrollment.
Bagdoyan: Correct. The premise that we posed…is
we are acting as typical consumers with very little foreknowledge of the
application process. The predominant direction was to get onto HealthCare.gov
and apply. Once we did that, we failed the online identity proofing check. But
the system directed us…to call the exchange. That’s where the work-around
occurred. We engaged in conversation, provided self-attestation of information
and we were able to get coverage. It was essentially a straight-up transaction.
For undercover work, on a 0-10 scale, this was probably a two or a three.
HEX: And you were using blatantly false
information, such as Social Security numbers that began with three zeros.
Bagdoyan: Yes, we were using things that
obviously should have been flagged and questioned. But apparently none of them
were. We used straight up bogus information, bogus identities and bogus
documents.
HEX: With self-attestation, an
applicant has 90 days to follow up with the proper documentation.
Bagdoyan: Yes. All you have to do is submit the
documents they’re looking for to clear the inconsistencies that the system
generates when your information and their information doesn’t match. But in
addition to your verbal attestation, your written attestation — in this case,
through bogus documents — trumps whatever is in the government or state
government’s system. That’s where the controls start failing big-time.
HEX: You applied for coverage in
California and Kentucky. If there are problems with the eligibility systems in
those states, is it likely other exchanges have similar vulnerabilities?
Bagdoyan: This is a challenge for most if not
all of them. There are a lot of deserving people who ought to have coverage,
but a program of this size and scale — where you have millions of enrollees and
hundreds of billions of dollars in subsidies — is inherently at risk for fraud
and improper payments. Any sort of a control environment that you design has to
be very careful. Our preference is to have controls front loaded for [fraud]
detection and prevention. Once fraud enters into the transaction stream, it is
very difficult to detect down the line. In this case, the final check is the
tax filing and reconciliation. When you sign up, you attest that you will file
a tax return so that the IRS can supposedly reconcile your return and make sure
that your income and subsidies were correct. But over this past summer, GAO,
the Treasury Inspector General for Tax Administration and HHS’s Office of
Inspector General all issued reports questioning CMS’s and IRS’s ability to
execute this control effectively. So we overcame the front-end control,
bypassed the middle control, which was the document-verification process, very
easily. We also came out with three separate reports questioning the final
control. It’s not really looking good right now.
HEX: Some people contend that the
costs involved in preventing fraud outweigh the cost of inappropriately awarded
subsidies. Any truth to that?
Bagdoyan: On an annual basis, the subsidy costs
are in the tens of billions of dollars. Even if 10% of that is at risk for
fraud, you are looking at $6 billion or $8 billion….There are no system
improvements that are going to cost you close to that much. If you are rigorous
in design and vigorous in enforcement, you will have reasonable assurance that
you are going to flag potential fraud and improper subsidy payments early
enough that you don’t wind up in this pay-and-chase situation.
HEX: This administration is very
focused on enrollment in the exchanges. Does that put it at odds with fraud
prevention?
Bagdoyan: We see it as a policy decision from
CMS, HHS and the White House to say they want to sign up as many people as
possible, and believe they have reasonable controls in place. But our
interpretation is the balance between access and program integrity is clearly
tilted toward access. Clearly there is money at risk. We are showing there are
vulnerabilities that are reasonably easy to exploit.
To see GAO’s report, visit www.gao.gov/products/GAO-16-159T.
No comments:
Post a Comment