Physician Identity Theft
By Cybil G. Roehrenbeck, American Medical Association, Washington, DC*
On October 13, 2010, the Federal Bureau of Investigation (“FBI”) unsealed indictments charging 44 alleged members and associates of an international crime organization for what the FBI described as the “largest single Medicare fraud ever charged.” Reportedly, the organization’s activities spanned 25 states, operated in 118 phantom clinics, and billed at least $100 million in fraudulent claims.1
The members of the alleged crime ring were charged with using physicians’ unique identifiers to bill Medicare for services that were never performed, in clinics that did not exist. According to the indictment on racketeering charges, “the conspirators would steal the identity of a doctor—in particular, a doctor’s date of birth, social security number, medical license number, and other identifying information.”2
That indictment also describes schemes in which the conspirators would file paperwork to incorporate a business entity associated with the stolen identity of the doctor, and then file an application with Medicare to bill for services. Often, the indictment explains, services billed did not match up with the physician victim’s medical expertise or licensure. For example, the indictment charged that a dermatologist’s personal identifiers were used to bill for heart tests, and an otolaryngologist’s personal identifiers were used to bill for pregnancy ultrasounds.
On July 8, 2011, the accused “crime boss” named in the indictment pled guilty to racketeering in connection with the case in Manhattan federal court.3 While this case may have moved out of the spotlight for now, it poses two key questions that remain: How can physician identity theft be prevented in the future? And what becomes of the victims of physician identity theft?
Extent of the problem
Physician identity theft can be devastating for the physician victim, and, as in the example above, can result in significant financial losses for the federal health programs. As of June 2010, the Centers for Medicare & Medicaid Services (“CMS”) was aware of at least 5,000 compromised provider identifiers.4 While the precise incidence of physician identity theft has not been reported by the agencies with oversight over the federal health programs, many reports of fraudulent billing involve the misappropriation of physicians’ unique personal identifiers.
Generally, there are two common scenarios in which physician identity theft can occur. In the first scenario, a physician’s identity is used to open a phony clinic and begin billing for services that are not provided. For example, in one recent case in Dallas, Texas, the owner of a sham medical supply company pleaded guilty to aggravated identity theft after he submitted more than $1,028,000 in false claims to the Medicare program.5 Physicians are often alerted to this scenario because fraudulent billing for medical services is detected in audits, in connection with review of overpayment demands, and through investigation of alleged tax liabilities.6
In a second scenario, a physician’s identity is used to order fraudulent prescriptions, medical equipment, or medical devices. For example, a technician at a medical clinic in Seattle, Washington recently pleaded guilty to aggravated identity theft and conspiracy to acquire and distribute controlled substances after the technician forged prescriptions on physicians’ stolen prescription pads.7
Physician identity theft is so pervasive that President Obama’s proposal to the Joint Select Committee on Deficit Reduction recommended “strengthening penalties for illegal distribution by others of Medicare, Medicaid, or Children’s Health Insurance Program (“CHIP”) beneficiary identification or billing privileges.”8 (Emphasis added)
Public access to National Provider Identifiers
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) required the adoption and use of a standard unique identifier for healthcare providers.9 In the implementing regulations, CMS adopted the National Provider Identifier (“NPI”) as the standard.10
Commentators argued throughout CMS’ rulemaking on the NPI that the public should not have access to providers’ NPIs or other personal identifiers. CMS declined to establish a secure data site with limited NPI access, reasoning that, “in order to keep costs low, we must make the National Provider System data dissemination strategy as efficient and uncomplicated as possible. The number of formats and access options will need to be limited.”11
Today, physicians’ personal identifiers are openly available to the public on CMS’ NPI registry website, also called the National Plan and Provider Enumeration System (“NPPES”). A simple search of a physician by first and last name on the registry yields his or her NPI number, license number, licensing state, taxonomy, business mailing address, full legal name, and gender.
It is unclear why criminals target certain physicians’ NPIs and not others. While some criminals may look for physicians who practice in their geographic area, others may manipulate the personal identifiers of physicians in varied and remote locations in an attempt to thwart investigation.
Physician advocates continue to urge CMS to remove the public display of the NPI registry.12 Many believe that public access to physicians’ NPI numbers facilitates fraudulent activity and is contrary to the Administration’s goal to reduce healthcare fraud and abuse.13
Risk assignment for physician identity theft victims
CMS recently sought to address the problem of compromised physician identities in its rulemaking on the new risk-based screening procedures authorized by the Patient Protection and Affordable Care Act (“PPACA”). In the proposed screening rule, CMS included a provision to adjust a physician’s categorical risk level from “limited” or “moderate” to “high” if CMS or its contractor had information from a physician that another individual was using his/her identity within the Medicare program.14
CMS omitted that provision in the final screening rule after physician advocates asserted that “classifying physicians who have been the victims of identity theft to the high screening level would stigmatize the physician and create a presumption that he or she has engaged in conduct warranting heightened scrutiny.”15
CMS noted in the final screening rule preamble that it does “not plan to use screening tools to address identity theft concerns as it would not be an adequate response.”16 The final rule assigned physicians whose identities have been stolen and compromised to the limited risk tier.
CMS’ new program to aid physician identity theft victims
On September 8, 2011, at an educational event in California on provider identity theft, CMS announced the “Provider Victim Validation / Remediation Initiative” to aid Medicare providers who have incurred a financial liability because their identity has been stolen.17
Under this new program, Medicare Zone Program Integrity Contractors (“ZPICs”) will investigate a provider’s claim that his or her identity has been stolen and resulted in financial liability. The ZPIC will then make a recommendation to the Center for Program Integrity (“CPI”) at CMS.18 If CPI determines that the provider is indeed a victim of identity theft, CPI will work with the Department of the Treasury and other agencies to resolve the provider’s outstanding financial liabilities, including tax assessments.
CMS has announced the ZPIC point of contact for California, Nevada, American Samoa, Guam, and Hawaii. Each state will have a ZPIC point of contact for provider identity theft victims, and nationwide contact information should be forthcoming from CMS soon.
This new program is likely to garner support from the physician community. Physician advocates had previously asked for inter-agency coordination and a streamlined process for physician identity theft reporting.19
Until physicians’ personal identifiers are kept confidential, criminals will continue to devise ways to use them to steal scarce healthcare dollars. Also troubling, until this information is secured, physicians who fall victim to identity theft will continue to find themselves in the nightmarish scenario of trying to reclaim their identities. The federal government has taken positive steps to aid physician identity theft victims, and could build on that effort in the future by removing physicians’ personal identifiers—including the NPI registry—from unrestrained public access. To arm against identity theft, physicians should make every effort to secure their personal and professional information, and should promptly report any suspicious activity involving their identity to law enforcement.20
*The views expressed herein are the author’s own and are not necessarily those of the American Medical Association.
U.S. Attorney’s Office, Southern District of New York. (October 13, 2010). Manhattan U.S. Attorney Charges 44 Members and Associates of an Armenian-American Organized Crime Enterprise with $100 Million Medicare Fraud [press release]. Available at http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm.
United States District Court, Southern District of New York. United States of America v. Armen Kazarian et al. [sealed indictment]. Available at this link.
United States Attorney, Southern District of New York. (July 8, 2011). Leader of Armenian Organized Crime Ring Pleads Guilty In Manhattan Federal Court of Racketeering [press release]. Available at http://www.justice.gov/usao/nys/pressreleases/July11/kazarianarmenpleapr.pdf.
United States Attorney James T. Jacks, Northern District of Texas. (April 12, 2010). Durable Medical Equipment (DME) Business Owner in Dallas Sentenced to 24 Months in Federal Prison in Aggravated ID Theft / Medicare Fraud Scheme [press release]. Available at http://www.justice.gov/usao/txn/PressRel10/movsesyan_HCF_sen_pr.html. See also Peter Pollack. (February 2010). Medicare Fraud Hits Home: AAOS Member finds his name used in Medicare Scam. AAOS Now. Available at http://www.aaos.org/news/aaosnow/feb10/cover2.asp.
See generally Bernard M. Cassidy. (February 9, 2011). Physician Identity Theft Causes Medicare Headaches. Available at this link.
United States Attorney’s Office, Western District of Washington. (May 12, 2011). Two Plead Guilty in Scheme to Get Prescription Medication by Fraud: Defendants Stole Identities, Health Insurance Info and Prescription Pads to Obtain Drugs [press release]. Available at http://www.justice.gov/usao/waw/press/2011/may/burrellmitchell.html.
The Joint Select Committee on Deficit Reduction was created by the Budget Control Act of 2011. See Pub. L. 112-25. (August 2, 2011). See also President Obama’s recommendations to the Committee at Office of Management and Budget. (September 2011). Living Within our Means and Investing in the Future: The President’s Plan for Economic Growth and Deficit Reduction. Available at this link.
Pub. L. 104–191. Health Insurance Portability and Accountability Act of 1996 (HIPAA). (August 21, 1996).
69 Fed. Reg. 3434 et seq. Available at https://www.cms.gov/nationalprovidentstand/Downloads/NPIfinalrule.pdf.
Id. at 3456.
See November 28, 2006 American Medical Association correspondence to the Centers for Medicare & Medicaid Services. Available at this link. See also November 18, 2010 American Medical Association correspondence to U.S. Department of Health and Human Services and U.S. Department of Justice. Available at this link.
Physician advocates have argued that public release of NPIs and physicians’ Drug Enforcement Administration (DEA) numbers has spurred identity theft. See this link.
75 Fed. Reg. 58242. Available at http://edocket.access.gpo.gov/2010/pdf/2010-23579.pdf.
76 Fed. Reg. 5882. Available at http://www.gpo.gov/fdsys/pkg/FR-2011-02-02/pdf/2011-1686.pdf.
Centers for Medicare & Medicaid Services. (September 8, 2011). California Healthcare Fraud Prevention & Awareness Month: CMS Provider Victim Validation/Remediation Initiative [announcement]. Available at http://www.ama-assn.org/resources/doc/washington/cms-fraud-prevention-month.pdf.
On April 11, 2010, the Centers for Medicare & Medicaid Services’ internal organization structure was realigned. As part of this realignment, program integrity activities under Medicare and Medicaid were housed with the newly-created Center for Program Integrity. See Reducing Fraud, Waste and Abuse in Medicare: Hearing before the U.S. House of Representatives Committee on Ways & Means, Subcommittee on Health, Subcommittee on Oversight (April 19, 2011) (Statement of Kimberly Brandt, Director, Program Integrity Group, Office of Financial Management, Centers for Medicare and Medicaid Services, U.S. Department of Health & Human Services). Available at http://www.hhs.gov/asl/testify/2010/06/t20100615a.html. See also the Center for Program Integrity website at https://www.cms.gov/CMSLeadership/30_Office_CPI.asp#TopOfPage.
See November 18, 2010 American Medical Association correspondence to U.S. Department of Health & Human Services and U.S. Department of Justice. Available at this link.
Physicians are encouraged to contact the Department of Health & Human Services and U.S. Department of Justice to report identity theft. More information is available at http://www.stopmedicarefraud.gov/.