Electronic Healthcare Records , Fraud , Insider Fraud

$60 Million Fraud Case Involves Hospice Patients' EHRs

DOJ Alleges Records Falsified for Over-Billing
$60 Million Fraud Case Involves Hospice Patients' EHRs

Federal prosecutors have filed criminal charges against 16 individuals who were allegedly part of a $60 million Medicare and Medicaid fraud case involving falsifying electronic health records of hospice patients to bill for care they did not need.

See Also: 2017 Predictions on Data Security: Insights on Important Trends in Security for the Banking Industry

An indictment document filed on Feb. 23 in U.S. District Court in Dallas says the 16 individuals include Bradley Harris, a certified public accountant who has no medical licenses and is co-owner and CEO of Novus Health Services. Others indicted include several Novus managers and nurses, plus five licensed physicians who worked as medical directors for the company. Also indicted in the case is the owner of a separate physicians' home visit company.

Each suspect is charged with one count of conspiracy to commit healthcare fraud, but 12 of the defendants are also charged with at least one other charge related to conspiracy.

Case Details

In a Feb. 28 statement, the Department of Justice says that from July 2012 to September 2016, Novus billed Medicare and Medicaid more than $60 million for fraudulent hospice services, of which more than $35 million dollars was paid to Novus.

"Specifically, defendants submitted false claims for hospice services, submitted false claims for continuous care hospice services, recruited ineligible hospice beneficiaries by providing kickbacks to referring physicians and healthcare facilities, and falsified and destroyed documents to conceal these activities from Medicare."

The indictment notes that Medicare payments for claims for "continuous care" were substantially greater than the payments for claims for routine hospice services. "For example, in 2013 Medicare paid hospice providers a daily rate of $153.45 for routine care. Daily rates for continuous care ranged from $303.60 to $895.56, depending on the amount of continuous care provided, from a minimum of eight hours to a maximum of twenty-four hours per day."

Prosecutors allege that Novus paid several licensed physicians as medical directors who actually provided little to no oversight of Novus hospice patients. "Care was directed primarily by Novus nurses and by Harris. Defendants who were not physicians would determine whether a beneficiary would be certified for, recertified for, or discharged from hospice; whether they would be placed on continuous care; and how and to what extent they would be medicated with drugs such as morphine and hydromorphone," court papers allege.

Decisions on medical care "were often driven by financial interest rather than patient need," prosecutors allege. The defendants allegedly would decide whether to place, keep or discharge a beneficiary from hospice care depending on how that decision would affect Novus's ability to bill Medicare.

Prosecutors allege that some patients under Novus care received unnecessarily aggressive medication to ensure that Medicare beneficiaries' medical records contained documentation that would justify billing Medicare at a higher billing rate. "There were instances when these excessive dosages resulted in serious bodily injury or death to the beneficiaries," prosecutors allege.

Falsifying Records

Indictment documents allege that "Novus medical directors would sign certificates of terminal illness indicating that they had determined that a beneficiary was eligible for hospice services regardless of whether this was true or not."

This also allegedly included defendants "routinely" giving medical directors' login information to others "to log into Novus's electronic medical records database to create and sign physician orders for services that had not been performed or had not been performed by the medical directors."

Prosecutors allege Harris would direct that beneficiaries be placed on continuous care, whether the beneficiaries needed this service or not. "This decision would often be made without any consultation with a physician. Continuous care physician's orders were falsified and uploaded into Novus's electronic medical records database."

When a beneficiary was on continuous care, the Novus nurses would administer high doses of controlled medications such as morphine or hydromorphone, "whether the beneficiary needed the medication or not," prosecutors allege.

EHR Fraud Pros and Cons

The case against Harris and his alleged co-conspirators illustrates how EHRs - like paper records - can be falsified to commit healthcare fraud. But it also shows how EHRs can aid law enforcement and regulators in the investigation of these cases.

"I have been involved in fraud cases involving paper records and electronic records," notes privacy and security attorney Adam Greene of the law firm Davis Wright Tremaine. "In my experience, there is a lot more that can be done forensically when electronic records are involved. Accordingly, I expect that electronic records in most cases provide law enforcement officials with increased ability to investigate matters."

While the patient harm that's alleged in the indictment of Harris and his co-conspirators is disturbing, for the most part, "this is a mainstream fraud case that has been occurring for decades," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Individuals interested in committing fraud fake records to justify certain billing records, and then engage in various other documentation efforts to conceal their activity. The fact that this involved electronic records makes it both easier and harder to commit and detect," he says.

Nahra notes that it may be easier to undertake fraud efforts in volume with electronic records, but, at the same time, there may be easier ways to track and detect this activity. "So, this is exactly the kind of case that fraud investigators have been pursuing for years - with minor variations based on specific situations that make each case different."

Keith Fricke, principal consultant of tw-Security notes that in the case against Harris and his co-conspirators, the alleged fraud involved the sharing of logon accounts and passwords. "This allowed them to act as someone else in the system and not be physically present. A properly configured EHR system generates audit trails of electronic activity. However, with the right knowledge and collusion, electronic audit trails can be altered or disabled."

Still, generally, electronic audit trails can offer evidence that false activities are occurring, Fricke notes. "Some technologies can analyze audit logs, alerting on anomalous behaviors. Two examples of this include activity on a user account belonging to an hourly employee that has clocked out for the day and a user account that is accessing medical record numbers in sequence.

"However, if someone were taking pictures of their computer screen with their cell phone as they were legitimately accessing patient information as part of their daily job duties, and then using that information illegally, that would be more difficult to detect," Fricke notes.

Greene notes that there also are aspects of EHRs that can make it easier for criminals to commit healthcare fraud easier, such as the potential ability to "cut and paste" data from one record to another.

"But there are also aspects of EHRs that reduce risks related to health care fraud, such as improved auditing logs and the availability of tools to better identify potential fraud. Overall, I think it's a wash - whatever record systems are in place, those who want to commit fraud will use whatever tools are available to do so."

However, "when EHRs are properly used and there is a culture of compliance, EHRs offer auditing tools that may make it easier for management to identify practices that indicate fraud," Greene adds.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network