Proprietary software

“ Controls should be established to prevent unauthorized and potentially inaccurate computer changes from being incorporated into [the medical billing system]....”

Software developed for a single individual or a small group probably posses the greatest risk of financial harm to the Medicare program. In some cases, the number of people involved in developing and implementing proprietary software is limited to one or two individuals. This reduces the likelihood that someone will see and correct programming that produces erroneous claims. 

The degree of risk associated with proprietary software is directly related to the number of individuals involved and the checks and balances used during development of software. A recent qui tam suit against a billing company revealed that the owners of the company configured their proprietary software to generated erroneous claims.6 They accomplished this by manipulating and using legitimate information about patients and providers already available in their system. The company agreed to pay $1.5 million to resolve allegations that the company defrauded Medicare and other health care programs.  

In another case, emergency room physicians contracted for billing services from a hospital.7 The physicians were unaware that the hospital had purchased and designed billing software that automatically upcoded the services of the physicians. The physicians were paid based on the codes they provided to the hospital billing department. The hospital kept the higher payment generated from upcoding. The hospital and physicians agreed to a civil settlement and paid more than $600,000 to settle the case.

Billing Medicare has become a complex endeavor. The sheer number of diagnostic codes, procedure codes and other coding requirements increase the chance of billing error. Automation helps physicians, and other Medicare providers, manage data. It helps ensure that claims for reimbursement will meet Medicare standards for claims acceptance. The same tools used to ensure accurate billing can also be misused to maximize reimbursement and to submit false claims. 

The HCFA needs to evaluate its electronic claim safeguards and PECOS is a step in the right direction toward ensuring that only agencies authorized by a provider can submit claims. As further work is done in this area, HCFA may want to consider: 

•  Identifying and registering all clearinghouses and third-party billers. The Internal Revenue Service requires preparers of tax returns to identify themselves. Medicare should require claim preparers to do the same. This would provide an audit trail and ensure that claims enter the Medicare system from authorized sources. 
•  Improving safeguards to ensure that electronic claims are accepted only from authorized sites and terminals. Passwords and new technologies, such as caller identification, can be used to ensure that claims are received and processed only from known terminals. 
•  Educating the provider community concerning their liability for erroneous claims submitted to Medicare using their provider number(s). The HCFA currently relies on provider reviews of remittance notices to identify misuse of provider numbers. These notices can be re-routed to a billing company, or another address, and providers may never see them. Providers should be made aware of their responsibility to review remittance notices.