Featured Health Business Daily Story, Nov. 18, 2015
Reprinted from INSIDE HEALTH INSURANCE EXCHANGES, a hard-hitting newsletter with news and strategic insights on the development and operation of public and private exchanges.
As part of a 2014 undercover investigation, 11 out of 12 fictitious insurance exchange applications easily glided through the eligibility verification process. On Oct. 23, less than 10 days before the 2016 open-enrollment period began, federal investigators told a House subcommittee that fraudulently obtaining coverage and federal subsidies hasn’t gotten any more difficult.
This year, investigators from the non-partisan Government Accountability Office (GAO) created 10 fictitious applicants to test application and enrollment controls at federal exchanges in New Jersey and North Dakota, and state exchanges in California and Kentucky.
“We did not detect any material change between 2014 and 2015. It was the same relatively easy lift to work the system to our advantage to get coverage and subsidies,” Seto Bagdoyan, director of GAO’s Forensic Audits and Investigative Services, tells HEX. “To some extent, we expected that certain things might have changed.” After testifying before the House Ways & Means Committee in July 2014, CMS indicated it would use GAO’s findings to improve the eligibility verification system. “If they have responded, we are not aware of it, and certainly did not detect it in our work,” he adds. GAO will issue its final report early in 2016, which will include greater detail as well as recommendations. CMS and the state exchanges have an opportunity to comment officially on the findings for the final report.
Since being made aware of GAO’s findings, a spokesperson for Covered California says the exchange is developing process improvements and will provide more details of that plan to GAO for their final report.
Despite the use of blatantly false Social Security numbers — such as those that began with 000 — GAO investigators obtained coverage and advance premium tax credits (APTCs) for nearly all of their made-up applicants. Although false Social Security numbers were initially flagged during the online enrollment process, switching to telephone-based enrollment allowed the process to continue to completion. Eight additional phony applications tested the enrollment process for Medicaid through the same state and federal exchanges. Investigators obtained either Medicaid or subsidized qualified health plan (QHP) coverage for all but one phony applicant.
Like Medicaid, exchange enrollment rules operate under a model of “presumptive eligibility,” which favors the applicant and makes early fraud detection difficult. Even if federal data verification — from agencies including the Social Security Administration (SSA), Dept. of Homeland Security and IRS — fails, CMS and state exchanges generally allow the application to proceed. Completing the application process, however, typically requires the applicant to follow up with supporting documentation within 90 days. As a result, fraud detection and prevention efforts tend to be executed after enrollment is completed.
Social Security numbers are used to establish identity rather than to determine eligibility. As a result, even a false Social Security number won’t end the application process. Kentucky’s insurance exchange, for example, contacted SSA when a GAO investigator tried to apply with a false number. “But because of the rules regarding self-attestation, they went ahead and approved our application anyway,” says Bagdoyan.
However, Chris Lunt, vice president of policy at GetInsured, an online insurance exchange, says that assuming applicants are acting in good faith, and dealing with potential fraud on the back end, makes sense. “The counter policy would be to punish false negatives by keeping them from getting insurance. Even the ‘000’ Social Security numbers may represent someone who’s in their car, calling a broker, and they don’t know their number by heart. They’re trying to get the deal done, and fill in the details later,” he tells HEX. “I agree, you can up the bar on this a little bit.”
But Bagdoyan says trying to detect fraud on the back end is a red herring. “None of the massive social-benefit programs currently in existence have even a remotely effective back-end capability to detect and claw back fraudulent money,” he asserts.
A spokesperson for Rhode Island’s state-based exchange tells HEX that it sends applicant Social Security numbers to SSA as well as to other federal and state agencies. If the number isn’t verified by the SSA, it triggers a notice to the exchange. Through a manual process, the applicant is then notified by the exchange and has a set period within which to respond with qualifying proof of identification. “If the customer doesn’t respond within the allowable limits, the coverage is terminated,” says spokesperson Maria Tocco. Previously, the loop wasn’t always closed and the customer’s coverage may not always have been terminated in a timely way, she adds.
Exchanges allow applicants to use a wide range of documents (e.g., proof of residence, citizenship, income, etc.) to establish eligibility, and CMS doesn’t perform detailed authentication. Moreover, for many documents, no uniform standard exists, says one federal IT contractor who spoke on the condition of anonymity. Birth certificates, for example, can vary by county within a state as well as from state to state. CMS deemed it infeasible to staff Eligibility Support Services with personnel who are trained in or possess expertise in determining the authenticity of documents, he tells HEX.
Too many steps in verifying eligibility would slow the application process. And the technical and procedural challenges associated with preventing fraud are daunting. The contractor suggests that greater emphasis be placed on using automation to validate Social Security numbers. An invalid number, he says, should raise a permanent red flag.
GAO is conducting additional forensic work on actual applications to determine the prevalence of fraud within the exchanges.
In an Oct. 27 telephone interview with HEX, Bagdoyan provided additional details about his department’s undercover work. Here’s what he said:
HEX: You started the 2015 application processes online and then switched to telephone enrollment.
Bagdoyan: Correct. The premise that we posed…is we are acting as typical consumers with very little foreknowledge of the application process. The predominant direction was to get onto HealthCare.gov and apply. Once we did that, we failed the online identity proofing check. But the system directed us…to call the exchange. That’s where the work-around occurred. We engaged in conversation, provided self-attestation of information and we were able to get coverage. It was essentially a straight-up transaction. For undercover work, on a 0-10 scale, this was probably a two or a three.
HEX: And you were using blatantly false information, such as Social Security numbers that began with three zeros.
Bagdoyan: Yes, we were using things that obviously should have been flagged and questioned. But apparently none of them were. We used straight up bogus information, bogus identities and bogus documents.
HEX: With self-attestation, an applicant has 90 days to follow up with the proper documentation.
Bagdoyan: Yes. All you have to do is submit the documents they’re looking for to clear the inconsistencies that the system generates when your information and their information doesn’t match. But in addition to your verbal attestation, your written attestation — in this case, through bogus documents — trumps whatever is in the government or state government’s system. That’s where the controls start failing big-time.
HEX: You applied for coverage in California and Kentucky. If there are problems with the eligibility systems in those states, is it likely other exchanges have similar vulnerabilities?
Bagdoyan: This is a challenge for most if not all of them. There are a lot of deserving people who ought to have coverage, but a program of this size and scale — where you have millions of enrollees and hundreds of billions of dollars in subsidies — is inherently at risk for fraud and improper payments. Any sort of a control environment that you design has to be very careful. Our preference is to have controls front loaded for [fraud] detection and prevention. Once fraud enters into the transaction stream, it is very difficult to detect down the line. In this case, the final check is the tax filing and reconciliation. When you sign up, you attest that you will file a tax return so that the IRS can supposedly reconcile your return and make sure that your income and subsidies were correct. But over this past summer, GAO, the Treasury Inspector General for Tax Administration and HHS’s Office of Inspector General all issued reports questioning CMS’s and IRS’s ability to execute this control effectively. So we overcame the front-end control, bypassed the middle control, which was the document-verification process, very easily. We also came out with three separate reports questioning the final control. It’s not really looking good right now.
HEX: Some people contend that the costs involved in preventing fraud outweigh the cost of inappropriately awarded subsidies. Any truth to that?
Bagdoyan: On an annual basis, the subsidy costs are in the tens of billions of dollars. Even if 10% of that is at risk for fraud, you are looking at $6 billion or $8 billion…. There are no system improvements that are going to cost you close to that much. If you are rigorous in design and vigorous in enforcement, you will have reasonable assurance that you are going to flag potential fraud and improper subsidy payments early enough that you don’t wind up in this pay-and-chase situation.
HEX: This administration is very focused on enrollment in the exchanges. Does that put it at odds with fraud prevention?
Bagdoyan: We see it as a policy decision from CMS, HHS and the White House to say they want to sign up as many people as possible, and believe they have reasonable controls in place. But our interpretation is the balance between access and program integrity is clearly tilted toward access. Clearly there is money at risk. We are showing there are vulnerabilities that are reasonably easy to exploit.
To see GAO’s report, visit www.gao.gov/products/GAO-16-159T.
© 2015 by Atlantic Information Services, Inc. All Rights Reserved.