Healthcare fraud: The card strikes back!

By Yolanda Varuhaki, Gemalto

Combating Healthcare fraud: Gemalto contributes and shares its best practices

This study on fraud in healthcare systems was drafted following a request from Gemalto’s customers during the 2009 conference on healthcare systems held in Warsaw, attended by participants from thirteen different countries.

Gemalto’s analysis has been focused on several countries with different environments and systems and based on its findings, the company has set out recommendations to reduce fraud by implementing better-coordinated processes and improving the use of technology. In this report, the term “healthcare system” refers to the following: funding systems, the provision of healthcare, and the organization of such provision. Furthermore, fraud affects funding for healthcare, but is committed within healthcare systems, hence the need to analyze both areas; funding systems and the provision of healthcare itself.

Touching on such complex and important topics is always a delicate matter. Indeed, social, political, working environment aspects or even ethical considerations are taken into account. However, there is universal agreement on the need to fight fraud.

This report is Gemalto’s contribution to the debate, based on its 25 years’ of experience worldwide in the healthcare sector, in order to tackle a phenomenon which poses a real threat to healthcare systems. Implementing improved systems is an entirely realistic goal. These systems can be extremely effective in fighting fraud, and also in cutting down administrative errors.

Abstract

On average, around 6 to 10% of spending in the healthcare sector is lost to fraud, according to the European Healthcare Fraud and Corruption Network (EHFCN). In Europe, which spent 1,100 billion euros on healthcare in 2010, this means nearly 110 billion euros lost in that year alone. Feedback from interviewees for this study and our involvement in eleven national healthcare systems indicate that the higher EHFCN figure is closer to the true extent of the issue.

Fraud, abuse and errors are not just an issue for one specific healthcare system. They occur everywhere, regardless of the share of public and private funding, levels of technology, the type of culture (Latin, Anglo-Saxon or other), or the amounts of money in play. Usually, fraud involves the payment of undeserved sums of money, or undeserved access to services. Three worrying trends are currently gaining ground: a shift from fraud committed by isolated individuals to that committed by organized groups, the intentional endangerment of people’s lives for financial gain, and an increase in identity theft.

All processes seem to be affected, and anyone can be involved. This means fraud mechanisms are becoming more complex, and that detecting fraud requires forms of collaboration which can be difficult to establish (auditors, police, legal authorities).

Even if healthcare professionals are sometimes involved, administrative procedures relating to healthcare reimbursements are inadequate in terms of data integrity, patient identity and claiming entitlements. The best practices for the fight against fraud can be found in a systematic approach; as part of which all components (legal, technical, organizational) have to be improved.

Although we must accept that progress will be made in each area at a different pace, the legal framework does not have to be finalized before technical and organizational solutions can be implemented, especially since fraud has to be tackled dynamically, on a continual basis, as the healthcare sector is in constant flux. Even if this comprehensive approach takes time, and is difficult and costly initially, it provides a considerable return on investment. The USA began to fight fraud and improve data quality ten years before European initiatives started to take shape, and their experiences must be used as a guide, along with the successful strategies implemented by the banking sector, which now has a fraud rate of less than 1%.

Information technologies must be regarded as essential and indispensable for improving healthcare information systems. They are powerful tools to achieve potentially considerable results in the fight against fraud and abuse, and cut errors.

The quality of data entered automatically at source, the protection of data confidentiality and the issue of insured party identification (as well as the protection of entitlements) are issues in all healthcare systems. It is therefore not surprising that microchip card technology has been included in most social security and healthcare programs deployed over the last twenty years.

Yet this technology is often under-used at present, in areas where we know it will produce excellent results.

• Strong identification and authentication for patients and healthcare professionals are key features of microchip cards, and should be implemented in the healthcare sector. Yet this is not the case in many countries.
• Implementing healthcare smart cards with an identification number and PIN or biometric authentication would enable the creation of personalized, online services, a quintessentially “patient-centric” approach, but these initiatives are still in the development stages.
• The ability of these services to control entitlements, expiry dates, repeated and multiple uses, etc., is on the whole under-used.
• Thus far, the benefits of paperless, electronic medical data exchanges have not been fully tapped. Yet cards have a crucial role to play in creating consistent databases, with the automatic reading of data, and the temporary or permanent confidential local storage of additional data such as blood groups, allergies, chronic diseases and associated treatments.

This robust technology can strike at the heart of fraud mechanisms, often with little investment in infrastructures, and without major changes for patients and healthcare professionals. Smart card technology is an invaluable asset to combat fraud in healthcare for the benefit of all.

 Healthcare systems should also be designed to fight fraud

Although microchip cards for healthcare professionals and insured parties enable identification, paperless procedures, and the creation of secure digital networks, they only serve as a means to facilitate organizational change.

Healthcare systems which are designed to speed up the transition to paperless procedures (in particular with care forms) usually achieve this goal. Systems which have not been designed in this way, or have not taken into account the fight against fraud, produce disappointing results, which are of course difficult to assess in this area. Microchip cards are therefore powerful catalysts for projects with the specific goal of fighting fraud. The technology can boost system capacity, produce impressive results and fundamentally overhaul practices. Nevertheless, the effects of “card” technology are completely dependent on organizations’ ability and intent to use it. In this respect, the fight against fraud is driven by human endeavor in the design of healthcare systems, rather than by the technology itself.

Information systems have taken the fight against fraud into account since the 2000s

The first decade of the 21st century has been a transitional period. Before this period, the only example of the implementation of automated systems was in making procedures paperless to increase administrative productivity, or to set up collaborative tools (care forms and/or prescriptions/medical data, etc.). The fight against fraud has been included in all new systems implemented after the turn of the century.

Slovenia has been at the forefront of this change. It began to invest in eHealthcare twenty years ago, and now has one of the most accomplished healthcare systems in the world. The “eHealth 2010” strategic plan in place at present is the second generation of the system launched at the start of the 2000s. It provides a nationwide network of information systems, ensuring that transparent information and electronic services are provided to all stakeholders, in a secure and efficient manner.

Slovenia was one of the first countries in Europe to introduce microchip healthcare cards. Launched in 1996, the Slovenian healthcare card program was deployed nationwide during the summer of the year 2000. ZZZS (Zavod za zdravstveno zavarovanje Slovenije), the Slovenian national health insurance organization, in charge of the national system of health insurance cards, is systems integrator for the program, and supplies the cards to citizens. The whole solution is compatible with existing infra structures.

Today, the country is in the process of renewing and updating the two million electronic health insurance cards already in circulation within its borders. By rolling out latest-generation eHealth solutions, Slovenia is improving online services for healthcare professionals, helping them to complete their administrative tasks more swiftly and to exchange medical information and communicate with hospitals and other healthcare professionals in a simple and secure way.

•  This approach enables the inclusion of all healthcare fi elds, a comprehensive view of patient health, with interaction between all sub-records, and better management of medication-related iatrogenesis).
• It provides a better statistical or even epidemiological overview, and better-substantiated aid for making decisions and establishing general approaches.
• It also improves fraud control and prevention efficiency, with new integrated mechanisms and improved identification and analysis tools.

The issue of the validity and control of entitlements, for example, was resolved with a simple mechanism in the microchip cards: expiry date management. The following rules were implemented: cards are valid for three months for students and foreigners, a year for private sector employees, and three years for retirees and public sector employees.

Cardholders must renew their card (mainly through pharmacies) before the expiry date, to be able to continue using it. Entitlements therefore have expiry dates, within limits which are acceptable for all.

Similarly, Algeria completely remodeled its healthcare system between 2006 and 2007, before deploying the new-look system between 2009 and 2011. Algeria was able to draw from the experience of European countries, and integrate mechanisms into this new system, in particular to control the repeated abusive use of cards, and the exceeding of card limits. Algeria used the same concepts as Slovenia, but included specific components:

• a counter to keep track of card spending, and block the card in the event of the card limit being exceeded;
• a counter to keep track of transactions, control the use of the card and stop it being used for fraud.

So the card of a patient, visiting their doctor for the fourth time in a week, will be blocked, making it impossible for the transaction to be processed. The counter can be unblocked by providing a satisfactory explanation during a prior visit to a doctor certified by the Algerian social security fund (CNAS – Caisse Nationale d’Assurances Sociales des travailleurs salariés). For these latest deployments, at the end of the 2000s, identification issues became a major problem, in particular for countries implementing health insurance systems for the first time. This is the case for Mauritania in 2007, Gabon in 2008, and Mali in 2011.

Other countries will soon launch systems in the region. For Gabon in particular, it was clear in 2008 that all resources should be implemented to ensure that the generosity of the program would not lead to its collapse, due to the unlawful transfer of rights or the abuse of entitlements.

Beneficiaries must therefore be individually identified so that only they can access the care they are entitled to. It was decided each insured party in Gabon would receive a non-transferrable, individual health insurance number, with entitlements recorded in a biometric microchip card. So Gabon implemented a strong cardholder authentication system, based on fingerprints. Each patient must present their card and identify themselves with a fingerprint to access third-party payments when visiting healthcare professionals.

No central database for fingerprints is required, since data is checked offline. The reader and the card will locally compare the two fingerprints and confi rm (or not) it matches with the patient’s fingerprint in the room. Finally, large countries which began to implement paperless reimbursement procedures first are now either replacing their systems, or redesigning them.

In 2011, Germany began to deploy a new healthcare card system, taking into account the fi ght against fraud, with mechanisms to check patient entitlements online, strong cryptographic systems to authenticate cardholders, etc. Germany, one of the leading countries to leverage the smart card technology for its health system in the 90’s, is confi rming the technology now available with the second generation of smart cards can be extremely effective for the next decade.