
June 2008

Using Computer-Assisted Audit Tools (CAATs) for Prevention and Detection of Frauds in Healthcare Industry

By Deepjee Singhal, Manish Pipalia, Chartered Accountants

Internal Audit

Introduction :


‘Health and Wellness’ is a private general insurance company.
Jacob, head of the ‘Claims Forensics’ department, was presenting on the role of
his department in detecting indicators of frauds and red flags to the Board of
Directors. The question asked to Jacob was “To what extent should evidence be
gathered to provide assurance on the indicators of frauds?” Jacob’s attempt was
to explain the role of the investigator in terms of IT control, review of risks
in assurance services, physical document based investigations and
cross-examinations, apart from compliance with various directives and statutes
and requirements of regulatory authorities.

As a means of increasing the extent of evidence gathering, in both
quantity and quality, by his investigation team and reducing cost of operations,
Jacob proposed the implementation of a Generalised Audit Software (GAS) which
could help the inspection team query the system for better results and help in
identifying trends, patterns, and indicators of fraud.

The Board was supportive of the presentation made by Jacob
and asked him to implement the GAS and present the red flags detected as a
result of the forensic review at the next quarter meeting.

Methodology :

Jacob set up a mid-size team within the department to take
the initiative of implementing the GAS. The team comprised two senior audit
officials who had a wide range of experience in various process activities like
claim acceptance, settlement, dealing with surveyors and key business functions
of finance and administration, a Certified Fraud Examiner and an IT auditor (CISA).
The team also retained the services of a retired medical expert from the Red
Cross, who was an expert in complex medical diagnostics.

The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using
GAS and otherwise. The method of using the GAS was debated and discussed by the
group so that the data integrity, confidentiality and availability of the
production server were not compromised and the objectives were also met.

As it was not possible to log on to the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with the challenge of importing data for further analysis.

The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the Medical Management System like Claims
Acceptance, Claims Settlement, etc.) provided by the DGM-IT. The data dump was
provided through a File Transfer Protocol (FTP) transfer run on the Reporting
Server, which is also used for Reporting Tools like SAS.

Bird’s-eye view of red flags which were detected using the
GAS

Excessive procedure billing for same diagnosis, same
procedures

Objective :

To identify instances of excessive medical procedure billing
for the same diagnosis and medical procedure.

Method :

In this exercise, the Healthcare Claims transaction file was
linked with the master file on the basis of the Diagnosis Code.

A computed numeric field was added to arrive at instances
where excessive procedural charges had been claimed by the insured, in
comparison to the current master charge list.

Cases were extracted where the difference exceeded 15%
(Hypothetical acceptable variance norm across hospitals).

GAS functionality covered :

The exercise used the following GAS functionalities :


• Join files :


The Healthcare Claims transaction file is opened and chosen
as the active database. This file is the primary database. The master file for
procedure rates is chosen as the secondary file.

The two files are linked together based on the similar field
Diagnosis Code. The field is named differently in both the primary and secondary
file as Diagnosis Code and Diagnosis Reference Code, respectively. The link is
still possible as both the fields are the same in nature.

The option ALL RECORDS IN PRIMARY FILE is used as the joining
command.


• Append a computed numeric field :


As the existing field values could not be altered in the
joined database without disturbing the data integrity, a computed field of
numeric nature was added to the existing database. This computed field contained
the values linked to diagnosis code from the master file.


• Use the Equation Editor to write the criteria in the computed numeric
field :


A command is entered through the Equation Editor to arrive at
the difference in medical procedure charges as per the transaction file and
masters captured from the master file.

The command can be checked for syntax and validated for field
nomenclature and construction.


• Data extraction to filter out the exceptions :


Data extraction involves filtration of transactions from the
joined file which meets the filtration command criteria. The values in the
computed numeric field above are filtered for non-zero cases.

Zero values indicate billing of medical procedure charges as
per the master table of charges. Non-zero cases represent deviations from the
master table of medical procedure rates.

Non-zero cases were trapped through the Data extraction —
Equation Editor facility using the command “Audit Charge <> 0”. Here “<>” refers
to NOT EQUAL TO.

Normally billings should proceed as per the master table of rates. However, options are available within the Med-Plus software for overriding the master charges and applying manual charges on a case-to-case basis. These manual overrides were specifically investigated to determine reasons for change.
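The join, computed field and extraction steps above can be reproduced outside a GAS. The following Python sketch is an added example, not code from the article or from any GAS product; the field names and sample rows are constructed, and it also lists claims whose diagnosis code has no master rate, which the "all records in primary file" join keeps but the text does not discuss.

```python
TOLERANCE = 0.15  # the article's hypothetical acceptable variance norm

# Master file of procedure rates (constructed sample data).
MASTER = [
    {"diagnosis_reference_code": "D100", "master_charge": 20000.0},
    {"diagnosis_reference_code": "D200", "master_charge": 50000.0},
]

# Healthcare Claims transaction file (constructed sample data).
CLAIMS = [
    {"claim_id": "C1", "diagnosis_code": "D100", "billed_charge": 20000.0},
    {"claim_id": "C2", "diagnosis_code": "D100", "billed_charge": 22000.0},
    {"claim_id": "C3", "diagnosis_code": "D200", "billed_charge": 60000.0},
    {"claim_id": "C4", "diagnosis_code": "D999", "billed_charge": 8000.0},
]


def join_all_primary(claims, master):
    """Join on diagnosis code, keeping ALL RECORDS IN PRIMARY FILE."""
    rates = {m["diagnosis_reference_code"]: m["master_charge"] for m in master}
    joined = []
    for claim in claims:
        row = dict(claim)  # work on a copy: source field values are never altered
        row["master_charge"] = rates.get(claim["diagnosis_code"])
        if row["master_charge"] is None:
            row["audit_charge"] = None  # no master rate, nothing to compare
        else:
            # Computed numeric field: billed charge minus master charge.
            row["audit_charge"] = row["billed_charge"] - row["master_charge"]
        joined.append(row)
    return joined


def extract_exceptions(joined, tolerance=TOLERANCE):
    """Return claim ids for: Audit Charge <> 0, over tolerance, and unmatched."""
    matched = [r for r in joined if r["audit_charge"] is not None]
    overrides = [r["claim_id"] for r in matched if r["audit_charge"] != 0]
    excessive = [r["claim_id"] for r in matched
                 if r["audit_charge"] > tolerance * r["master_charge"]]
    unmatched = [r["claim_id"] for r in joined if r["audit_charge"] is None]
    return overrides, excessive, unmatched


if __name__ == "__main__":
    print(extract_exceptions(join_all_primary(CLAIMS, MASTER)))
```
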

Identify excessive number of procedures per day or place of service per day/per patient:

Objective:

To identify instances of excessive number of medical procedures conducted per day or place per patient.

Method:

In this exercise, the Healthcare Claims transaction file was used as the basis for the red-flag check.

A duplicate check was run on the insured name, policy number, and hospitalisation date to identify possible duplicate claims for excessive medical procedures for the same insured patient. This test was further corroborated by a summarisation/ consolidation of claims based on the insured name and policy number to generate multiple claim instances in excess of one hospitalisation/medical procedure.

Cases were identified where multiple medical procedures had been conducted on the same insured at the same hospital. The cases were referred by the team to the expert medical officer who clearly identified the claims as unrelated and fictitious. For example, a cornea transplant of the eye was followed by a hernia operation, which was medically absurd.

GAS functionality covered:

The exercise used the following GAS functionalities :

•  Duplicate detection:

In the duplicate test, exact vertical matches are detected within the specific field or fields designated.

The transactions file was used as the basis for the test.

The insured name, policy number, and hospitalisation date were selected as the key fields on the basis of which duplicates were to be detected.

In the GAS, an auto key field indexing was performed on the insured name, policy number, and hospitalisation date to speed up the process of duplicate key detection.

The duplicate test revealed a list of vertical matches which were to be investigated.

•  Summarisation:

The GAS had a popular transaction consolidation function called summarisation. The advantage of this function was that multi-field summarisation was possible with generation of valuable insightful statistics like MIN, MAX, AVG, VAR, DEVIATION and more. This superior functionality was accompanied by generation of multi-chart and multi-graph utilities in user-friendly colour-rich formats which could be ported across office applications.

Summarisation/consolidation of claims was performed based on the insured name and policy number to generate a report of multiple claim instances in excess of one hospitalisation/medical procedure. Here the key statistic used was COUNT rather than SUM.

Just like in the first stage duplicate test, summarisation was also preceded by an auto index facility on the key objective fields to increase the throughput of results.

•  Data extraction to filter out the exceptions:

Data extraction involves filtration of transactions from the joined file which meets the filtration command criteria.

Multiple claim instances in excess of one hospitalisation/medical procedure were trapped through the Data extraction – Equation Editor Facility using the command “Count > 1”.

These vital cases and potential red-flag indicators were immediately taken up for scrutiny with the Chief Medical Officer at the concerned hospital. Patient health history reports were also studied to provide allowance for multi-health issues and failures on the same day warranting multi-medical procedures.
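The duplicate test and the COUNT summarisation described in this section, as an added Python example that is not part of the original article or of any GAS product. The claim rows are constructed, and the normalisation of key fields is an assumption added here so that stray case or spacing does not hide an otherwise exact match.

```python
from collections import Counter, defaultdict

# Constructed sample rows:
# (claim id, insured name, policy number, hospitalisation date, procedure)
CLAIMS = [
    ("C1", "A. Rao",   "P-001", "2008-03-01", "cornea transplant"),
    ("C2", "A. Rao ",  "p-001", "2008-03-01", "hernia operation"),
    ("C3", "B. Mehta", "P-002", "2008-03-04", "appendectomy"),
    ("C4", "B. Mehta", "P-002", "2008-04-19", "physiotherapy"),
    ("C5", "C. Shah",  "P-003", "2008-03-09", "cataract surgery"),
]


def norm(value):
    """Collapse whitespace and case in a key field (assumption, see lead-in)."""
    return " ".join(value.split()).upper()


def duplicate_test(claims):
    """Claims matching on insured name + policy number + hospitalisation date."""
    groups = defaultdict(list)
    for claim_id, name, policy, date, _procedure in claims:
        groups[(norm(name), norm(policy), date)].append(claim_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def summarise(claims):
    """COUNT of claims per insured name + policy number, extracted on Count > 1."""
    counts = Counter((norm(name), norm(policy))
                     for _id, name, policy, _date, _procedure in claims)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("Duplicates:", duplicate_test(CLAIMS))
    print("Count > 1: ", summarise(CLAIMS))
```

In the sample, the same-day pair surfaces in both tests, while the insured with two hospitalisations on different dates appears only in the summarisation, which is why the two tests corroborate rather than replace each other.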

Identification of diagnosis and treatment that was clearly inconsistent with patient age and / or gender:

Objective:

To identify diagnosis and treatment that was clearly inconsistent with the patient/ insured age and gender.
 
Method:

The team set up value bands from the Claim Transaction file. The value bands were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS.

All the claims in the A Class category were examined through the search function for the insured details like age, gender, past medical history.

Specific instances were observed with the assistance of the ace team medical expert, wherein open-heart surgeries were conducted for minors even though the medical history suggested otherwise. In one critical high-value instance, the insured (a male) had claimed large amounts for complex medical procedures normally conducted on elderly women.

GAS functionality covered:

The exercise used the following GAS functionalities :

•  Stratified Random Sampling:

In Stratified Random Sampling credence is given to distribution of individual transaction values between low, medium and high.

Judgment on the interpretation of low, medium and high rests with the GAS user based on consultation with the medical expert and past industry experience of the team members.

The team set up intervals from the Claim Transaction file. The intervals were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS using the random number table within the GAS.

The random number table generates a list of random numbers from the “A Class High Risk” interval based on its internal algorithms and generates a separate file of such instances.

•  Data search:

Data search is an advanced tool within the GAS which can undertake simple, complex, structured, unstructured, fuzzy, single word or multi-word searches quite similar to a web portal search engine.

Here, with the aid of the medical expert, specific key strings and character occurrences were trapped. Suspicious transactions were studied in depth along with the patient’s case paper file.
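The stratification, random selection from the “A Class High Risk” band and key-string search described in this section, as an added Python example that is not from the article or from any GAS product. The claim rows and the two search rules are constructed stand-ins for the medical expert's key strings, and a seeded generator replaces the GAS random number table so the selection can be re-performed.

```python
import bisect
import random

BAND_UPPER = [20000, 50000, 100000, 200000]   # upper bounds of the article's intervals
BAND_LABELS = ["0-20000", "20001-50000", "50001-100000", "100001-200000", "more"]
A_CLASS = (1_000_000, 2_000_000)              # "A Class High Risk": 10,00,000 to 20,00,000
# Constructed stand-ins for the medical expert's key strings and expectations.
RULES = [{"key": "open-heart", "min_age": 18}, {"key": "hysterectomy", "gender": "F"}]
# Constructed claims file.
CLAIMS = [
    {"claim_id": "C1", "amount": 18000, "age": 34, "gender": "F", "procedure": "Cataract surgery"},
    {"claim_id": "C2", "amount": 20001, "age": 61, "gender": "M", "procedure": "Hernia operation"},
    {"claim_id": "C3", "amount": 1200000, "age": 9, "gender": "M", "procedure": "Open-heart surgery"},
    {"claim_id": "C4", "amount": 1500000, "age": 45, "gender": "M", "procedure": "Hysterectomy"},
    {"claim_id": "C5", "amount": 1900000, "age": 67, "gender": "F", "procedure": "Open-heart surgery"},
]

def band_of(amount):
    """Interval label; bisect_left keeps a boundary value such as 20000 in 0-20000."""
    return BAND_LABELS[bisect.bisect_left(BAND_UPPER, amount)]

def stratify(claims):
    """Number of claims falling in each interval."""
    counts = dict.fromkeys(BAND_LABELS, 0)
    for claim in claims:
        counts[band_of(claim["amount"])] += 1
    return counts

def a_class_sample(claims, k, seed):
    """Seeded random sample of the A Class band, repeatable for re-performance."""
    pool = [c for c in claims if A_CLASS[0] <= c["amount"] <= A_CLASS[1]]
    return random.Random(seed).sample(pool, min(k, len(pool)))

def data_search(claims, rules=RULES):
    """Claim ids whose procedure text hits a key string but breaks its age/gender rule."""
    hits = []
    for claim in claims:
        text = claim["procedure"].lower()
        for rule in rules:
            if rule["key"] not in text:
                continue
            too_young = claim["age"] < rule.get("min_age", 0)
            wrong_gender = claim["gender"] != rule.get("gender", claim["gender"])
            if too_young or wrong_gender:
                hits.append(claim["claim_id"])
                break
    return hits
```

A hit from `data_search` is a candidate for expert review against the patient's history, not a finding in itself.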

Conclusion:

While specific audit reports gave regular feedback to the process owners about process flow control gaps, the identification of potential red flags in the process was largely achieved using the GAS, which went beyond the set standard traditional norms. Further, it allowed the audit team to move beyond the ‘priority’ set by the Board and to complete their investigations within time, with specific unusual drill-down capabilities and results through a third-eye watch. The IT team was also excited about the possibilities which such a tool could have for their forensic security reviews on a regular basis and initiated a review of the same with special watch on cyber security, i.e., lodging of e-claims. Further, the Head – Forensics also made it mandatory for the Company’s outsourced medical examiners to use a GAS for their branch audits using similar methodologies.

As a seasoned user of the GAS, Jacob laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.
