The document discusses a pilot program aimed at preventing Medicare fraud in the Durable Medical Equipment (DME) sector by implementing a verification system using provider and beneficiary identity cards. The pilot was executed in Indiana and focused on establishing secure transactions to verify that DME orders were legitimate and originated from authorized physician offices. Findings indicate that the system can be scaled nationally to reduce fraud, with a potential return on investment of 250% by decreasing fraud rates in the DME claims process.

1. 2011
Before the Fact Prevention of Certain Medical
Insurance Fraud and Loss
A Pilot
Medicare Durable Medical Equipment
CMS and National Government
Services (WellPoint)
Jeffrey Leston
CastleStone Advisors, LLC
www.castlestone-llc.com

2. Contents
Background ....................................................................................................... 2
Technical and Functional Objectives ........................................................................ 3
Methodology ...................................................................................................... 4
Original Design ................................................................................................ 4
Actual Implementation ...................................................................................... 5
Project Operation ............................................................................................ 5
Summary of Findings ............................................................................................ 6
Implementation and ability to scale ...................................................................... 6
Provider Verification ......................................................................................... 6
System Usability .............................................................................................. 7
Design Specifications of Matching ......................................................................... 7
Protection of Physician Identity............................................................................ 7
Protection of Patient Identity .............................................................................. 7
Economics ......................................................................................................... 8
Afterword ....................................................................................................... 10
Castlestone VisitEye Presentations and Reports – ....................................................... 11
1 | P a g e
Confidential to Castlestone Advisors LLC

3. Background
The Medicare DME Program has historically been the victim of significant fraud and
abuse. GAO and HHS Inspector General reports, as well as HEAT arrests, pointed out the
establishment of ‘storefront’ DME suppliers that used stolen physician identities and
stolen beneficiary identities to bill Medicare for high value products never ordered or
never delivered. There are also documented cases of known and established suppliers
submitting claims using stolen or purchased physicians and beneficiary identities.
Another impediment in spotting fraud and abuse in the DME and Part D programs is the
processing infrastructure for Medicare claims. The claim for the Part B in-office visit to
justify an order for DME is processed by a different contractor than the DME claim.
There is little information sharing, and the DME claim contractor is forced to rely on the
coding of the claim; they otherwise have no way to verify that a provider actually wrote
the order. In addition, many DME items can be ordered by mail from suppliers out of
jurisdiction. In Part D, the office visit where the prescription is written is processed by a
Part A/B contractor, and the actual prescription, requiring the doctor’s order, is
processed by the beneficiary plan of choice. The OIG highlighted this problem in a
report in 2011, stating that at least 375,000 part D prescriptions were paid for without a
proper physician ID.
These types of fraud listed above arise from the improper use of physician identities or
NPIs. Preventing the misuse of the physician ID, and verifying that the order actually
emanates from the physician office, were objectives of the pilot.
Recent press has also focused on the theft of Social Security numbers, used both for
Medicare claim processing as well as tax filing. . Stolen Medicare IDs (SSNs) have been
used to file fraudulent tax returns as well. It is likely that the potential impact of stolen
identities on Medicare has been understated, since the identities on their known
compromised list have to date only come from CMS-initiated actions and audits. The
IRS has their own list of compromised identities, and at the initiation of Castlestone, the
agencies are now communicating about this common problem. Testing another
identification that is recognized at all locations to protect the identity, like a credit card
number with no financial or Personal Health Information, is an original objective of the
pilot as well.
In addition to a focus on reducing fraud and abuse in the DME program, CMS
concentrated on screening providers to eliminate bad actors from getting into the
system. Integral to this effort is the inclusion of third party information to validate data
from providers, CMS and contractors.
The location selected for the pilot was in Indiana because it was deemed that since
National Government Services was both the Part A/B Administrative Contractor, and the
DME claims contractor, and since the pilot required communications with both groups it
2 | P a g e
Confidential to Castlestone Advisors LLC

4. would be simpler to manage. The data communications between Castlestone, NGS DME
processing and NGS Part A/B processing would be representative of separate
contractors for those services.
Technical and Functional Objectives
The objectives of the proof of concept were:
• Identify and prevent storefront operations from billing CMS for high value
durable Medical Equipment. Additionally, test the use of financial network
information and other outside data sources in provider screening and
verification processes
• Assist physicians in protecting their identities, as pointed out in Dr. Budetti’s
recent article in the Journal of the American Medical Association
• Test the ability to use an alternate beneficiary ID for beneficiaries
• Test the ability to use the financial networks for secure communication of
healthcare transactions
• Test the ability to verify transactions from provider offices as a form of prior
authorization, in an environment with multiple contractors processing related
claims.
• Test the ease of use for provider offices to use the existing swipe terminal
The pilot was not structured to quantify savings from reductions in fraud and abuse.
Because of voluntary participation, no financial measures such as withholding payment,
as would be implemented under ACA, and no reimbursement code for participating, as
there often is in other pilots. It is also unlikely that perpetrators would commit to
working with the project. However, because of the certainty of verified information
received from the card networks, and the known types of fraud and abuse in the
program, we can forecast with a level of confidence what the Return on Investment
would be if the project were mandatory and scaled to include known fraud hotspots.
We also found that physicians’ offices tend to participate in projects or procedures that
are either mandatory or reimbursed.
3 | P a g e
Confidential to Castlestone Advisors LLC

5. Methodology
Original Design
Much of the fraud and abuse in the DME program originates from ‘storefront’ locations
who steal IDs and submit claims. If the claim meets the proper formats, it is likely to
have been paid.
This and other frauds are possible because there had been no way to verify that the
beneficiary was ever in the provider office (also a source of fraud for Part B claims) or
that the physician who’s NPI appears on the claim actually ordered the DME.
The original design of the system incorporated the swipe of a beneficiary card in the
provider office swipe terminal to verify that the beneficiary was in the office and the
provider did write an order for Durable Medical Equipment. This would also verify the
Part B claim and meet the requirements of the Affordable Care Act and other pending
and proposed legislation. It would also test the use of a magnetic stripe card for
replacement of the current beneficiary cards. CMS, like other insurers, must eliminate
the Social Security on the face of the card as well as eliminating it as the identifier in
processing systems, to reduce identity theft.
Providers are issued a card also which would protect the use of their NPI (National
Provider Identification.) The provider swipes the card in the terminal in their place of
business to register the swipe terminal in the data base. The computer “signature” of
the swipe terminal, the process required to obtain one (verification of bank account and
other incorporation information) and the information on location and ownership-transmitted
during swipes with a complete data set available during monthly network
reconciliation- enhance the provider screening process, as well as verifying that a
transaction initiated in that provider’s office. This would eliminate a major cause of
fraud.
In the original design, a DME transaction would be entered on the swipe terminal by
means of a code, which can be done using the Castlestone technology. The combination
of 1) the beneficiary card being swiped, 2) the provider card being swiped at 3) the
verified location where that physician practices, gives us a high level of certainty that
the beneficiary was in the office when the [Part B] claim stipulates, and the provider
wrote an order for DME for that beneficiary on that date from that office. Those data,
the provider name and NPI and the date of service, must accompany the DME claim
from the DME supplier in their claim as well.
The DME suppliers were also provided with a card, which they would swipe to register
their credit card device. Those who did not have physical swipe terminals, but entered
credit card information on a browser, could still use the system. They entered
complementary information about the beneficiary HICN. The information from the
4 | P a g e
Confidential to Castlestone Advisors LLC

6. provider office swipe, the DME location swipe and the claim would be matched for
consistency.
Actual Implementation
Because of the controversy or pending decisions on various types of beneficiary cards,
the use of the beneficiary card was eliminated. Castlestone’s system was re-engineered
to capture the transaction at the provider office with a provider card only. The provider
office then entered the last 4 digits of the beneficiary’s HICN. This re-engineering
process also proved the flexibility of the Castlestone technology in using the card
networks, handling multiple swipes for a single transaction, and redesigning
transactions for a specific purpose. The re-engineering process was completed in one
week. It also made the transaction more cumbersome than the original card swipe, and
required that the provider card and the supplier card be present in order to initiate a
transaction. This was problematic in locations like retail pharmacies that also supply
Durable Medical Equipment. It would not have been necessary with a beneficiary card.
In the pilot, participation was voluntary. Unlike the design of pilots such as the DME
preauthorization pilot, there is no reimbursement code available for physicians to bill
for their participation. There was also no withholding of payment if transactions did not
match.
Project Operation
All technology infrastructures between NGS and Castlestone was agreed upon, coded,
tested and implemented in less than 60 days. The interfaces between Castlestone and
NGS were limited, and Castlestone and NGS added further protections to provider and
beneficiary identities by creating an alternate reference; Castlestone held no HICN/SSNs
or NPIs in its systems at any time. This proves that the Castlestone architecture can be
implemented quickly and cost effectively with various Medicare claims contractors,
many of whom use common systems.
The data base of locations and swipe terminals was built from the initial registration of
the provider and supplier cards from IVR activation and a swipe and entry of a
registration code. When a beneficiary was to receive DME, the physician card would be
swiped and the last 4 digits of the HICN entered. The order would go to the DME
supplier, who would enter the same information into their system.
5 | P a g e
Confidential to Castlestone Advisors LLC

7. Summary of Findings
Implementation and ability to scale
The implementation of the system was simple and straightforward, and accomplished in
60 days.
The system can be scaled to support the DME program nationally with no software
changes, and only minor changes to accommodate a beneficiary card. The connections
to any Medicare Administrative Contractor were proven to be simple to implement and
secure.
Risks/Issues
The largest risk to large scale implementation is the addresses of the providers. Since
much of the communication between CMS, contractors and providers has become
electronic, the maintenance of physical address locations has lagged. In the distribution
of cards to providers, approximately 15% of the addresses were not current. During the
project, following the discovery of this gap, we proposed and have implemented
matching the address from the swipe networks to the address on file with CMS and its
contractors. PECOS and other initiatives should help reduce the risk and improve
accuracy, when combined with the swipe and telephone network data Castlestone
proposed. A mailing prior to the mailing of the provider cards would also reduce the
scope of this issue.
Provider Verification
The system was able to match information from the swipe terminal to provider
information, including name and address. This provides another level of provider
verification. This technology and third-party verification of terminal user or owner, their
street address and their banking relationship has demonstrated that it can and should
be part of CMS’s provider screening process.
Risks/Issues
In certain situation the swipe terminal was listed under the name of the billing company
for the practice. This information can be matched against PECOS information, but
required a manual intervention to correct. We believe that this can be corrected
automatically with access to PECOS billing company information. Castlestone also
proposed a multiple level match with the telephone number associated with the
practice and matching that number, used in the activation process, to the directory
listing for telephone numbers.
There are other methods available to verify the use and activity of the swipe terminal
with claims
6 | P a g e
Confidential to Castlestone Advisors LLC

8. System Usability
Providers and suppliers were able to use the system immediately. There were no
technical issues with the system or card network reported, save a short downtime at the
server location. The predominant errors that came from the system were from
transactions that were rejected because the provider or supplier location did not
properly follow the activation instructions. Those transactions were posted on the
system as unrecognized. Castlestone and NGS created a methodology to verify the
location and have the transactions reclassified as accepted once the criteria were met.
Risks/Issues
Providers who work in large outpatient facilities found it inconvenient to access swipe
terminals. Castlestone has mobile solutions in its inventory. Early on in the project, we
found that DME suppliers who accept credit cards but do not have a walk-in business do
not have a physical swipe terminal, but enter credit card information via a browser
application. This was engineered into the application with no changes to the underlying
processes.
Design Specifications of Matching
The matching algorithms developed by NGS and Castlestone were able to successfully
match information from the swipe at a provider office against a swipe transaction at a
DME supplier and the claim from the DME. This validates, at a high level of certainty,
the ability to prevent fraud where a physician identity is inappropriately used to submit
a claim. This process verifies that the beneficiary was in the provider office, that the
DME order originated in the provider office, and once the order was ‘counterswiped’ by
the DME supplier, any other supplier who attempted to fill the order would have it
rejected. This capability can be used for any ‘ordered and referred’ service such as
home care, physical therapy and pharmacy claims. The FBI Financial Crimes lists
duplicate claims as one of the major causes of fraud. It is highly likely that duplicate
DME claims have been filed in multiple jurisdictions for the same beneficiary. The US
Attorney has told Castlestone that organized gangs submit the same claim across
jurisdictions
Protection of Physician Identity
At no time did Castlestone have or require the NPI to perform this pilot. Assigning the
physician an ID card and requiring that the order be verified with a swipe from the
physician office blunts fraud from stolen NPIs. Even if the NPI were to be compromised,
and CMS has a list of 5,000, the transaction would have to be verified with the physician
card at the swipe terminal in the physician office. If a beneficiary card were to be used,
that would provide the same protection.
Protection of Patient Identity
Since the beneficiary card was not implemented in the pilot, there was no way to fully
test the ability to protect patient identities. However, creating a different identification
from that used by the IRS will reduce the ability to use an ID stolen in one context to be
7 | P a g e
Confidential to Castlestone Advisors LLC

9. used for another. The IRS reports 400,000 returns every year where the identity of the
individual has been stolen, as have their refunds. These identities can be used for
Medicare fraud if and when the individual is eligible.
The beneficiary card would protect patient identity be eliminating the Social Security
number on the current card. The same identification card can be used if the beneficiary
remains on fee-for-service or switches to a Medicare Advantage plan. If implemented,
the MA plan may not need the Social Security number of the beneficiary, only their ID.
This would further protect beneficiary identities.
Economics
The average DME claim, as based on statistics from NGS, is approximately $100. The
overall fraud and abuse rate estimated by the GAO is 10%, which means that each claim
‘carries’ an approximately fraud or abuse component of $10, although DME CERT error
rates and estimated fraud rates are higher than the GAO average. The verification and
matching process costs about $0.20 per claim, which would decrease if and when the
project is scaled nationally. Even at this level, each 1% of fraud prevented or detected,
in the form of non-match of information, would provide a Return on Investment of 50%.
Reducing or preventing only 5% of fraud and abuse in the DME program overall
produces a Return on Investment of 250%. This does not include the benefit to the Part
A/B program of verifying the outpatient office visit.
This calculation includes low-cost DME items such as diabetic test strips and pressure
bandages. CMS’ focus on power mobility equipment would bring even greater benefits
if the technology is used. CMS is currently proposing a pilot for prior authorization of
power mobility equipment. The power mobility equipment costs range from $700-
$4,500. Assuming the same fraud and abuse rates, varying assumptions of:
The cost range of power mobility equipment
Low: $750
High $4500
The range of fraud and abuse in Power Mobility Equipment
Low: 7.5%
High 17.5%
Percentage of Fraudulent claims arising from lack of face to face visit, no prior
authorization or inappropriate use of physician ID:
Low: 10%
High 50%
Return on Investment:
8 | P a g e
Confidential to Castlestone Advisors LLC

10. This “Lo-Lo” matrix uses the low end of the cost range ($750 per PMD claim) and low
end of the fraud estimate (7.5%) with a range of 10-50% of frauds due to physician or
beneficiary information improperly used to submit a claim, as a percentage of the [7.5%]
fraud percentage. Each “percentage reduction” across the top is a reduction as a
percentage of the [7.5%.]
The highlighted cell, for example, would be interpreted as follows: “Assuming PMDs
cost $750, and 7.5% of the claims are fraudulent, and 20% of that fraud is caused by
inappropriate use of provider or beneficiary ID, no prior authorization, or no [required]
office visit, and we are able to reduce that fraud by 7%, the Return on Investment is
267.50%.”
9 | P a g e
Confidential to Castlestone Advisors LLC
Lo-Lo
Percentage Reduction
Percent of Fraud from 5.0% 6.0% 7.0% 10.0% 15.0% 20.0%
Unverified Orders with 10% 31.25% 57.50% 83.75% 162.50% 293.75% 425.00%
no documentation: 15% 96.88% 136.25% 175.63% 293.75% 490.63% 687.50%
20% 162.50% 215.00% 267.50% 425.00% 687.50% 950.00%
25% 228.13% 293.75% 359.38% 556.25% 884.38% 1212.50%
30% 293.75% 372.50% 451.25% 687.50% 1081.25% 1475.00%
40% 425.00% 530.00% 635.00% 950.00% 1475.00% 2000.00%
50% 556.25% 687.50% 818.75% 1212.50% 1868.75% 2525.00%

11. Afterword
Since the initial draft of this Summary, the largest fraud ever perpetrated against the
Medicare program was recently announced. A Texas physician was indicted on charges
of ordering over $375 Million for ordering home care visits that were either unnecessary
or never provided. It is also probable that most of the 11,000 orders were for patients
that never were in the accused doctor’s office, as is required for an evaluation to qualify
for homecare services. That fraud on that scale would have been prevented using the
same infrastructure built for the DME program.
The system designed for the DME swipe card, if properly implemented and enforced,
can be used to prevent frauds in programs that are “ordered and referred” These
products and services include DME, pharmacy, physical therapy, lab services and home
care, where a physician ID is required for a claim, and an office visit to that physician is
necessary for approval of the same claim In concert with other analytical techniques
developed by Castlestone and others, frauds like this, on this scale, should never occur.
Claims for those beneficiaries who were never seen would not have been paid.
Also, the Inspector General also issued a report Questionable Billing for Medicare
Independent Diagnostic Test Facility Services (OEI-09-09-00380 March 2012) which
discusses the problems in verifying that services such as imaging, testing and
evaluations were actually ordered by physicians and actually delivered to beneficiaries
as ordered. This report should be read along with this project summary as the platform
implemented for the DME can be used to address these frauds as well.
10 | P a g e
Confidential to Castlestone Advisors LLC

12. Castlestone VisitEye Presentations and Reports –
Title Link
Fraud Prevention for Health Insurers http://slidesha.re/1pCGh98
Doctor Shopping and Prevention http://slidesha.re/1nNb9OL
CMS Pilot/Test of VisitEye http://slidesha.re/1vlGGeU
Management Tech. for Therapeutic
Cannabis
11 | P a g e
Confidential to Castlestone Advisors LLC
http://slidesha.re/1nQ5JkD
Corporate Wellness http://slidesha.re/1qQf6Fi