ABA Health eSource
 April 2006 Volume 2 Number 8

Managing Risks of Fraud, Waste and Abuse: Part D Challenges for Drug Plans
by José A. Tabuena 1 , Deloitte Financial Advisory Services LLP 2

Jose A. TabuenaWhere money flows, fraud is likely to follow. And where there is federal money, there is federal oversight. 3 Certainly these adages apply to the new Medicare prescription drug benefit, referred to as “Part D,” that went into effect on January 1, 2006. Regulators and enforcement authorities have been on the speaking circuit warning about the risk of fraud, waste and abuse arising from the estimated $60 billion a year expected infusion of new federal funds.

After Part D was enacted on December 8, 2003 (as part of the Medicare Prescription Drug, Improvement, and Modernization Act, 4 shortened as the “Medicare Modernization Act,” or “MMA”), the Centers for Medicare and Medicaid Services (“CMS”) issued proposed and final rules on both Titles I (“Part D”) and II (“Part C”, now called “Medicare Advantage”). 5 CMS has also promulgated a significant amount of “informal” regulatory guidance over the last two years, in part to address some of Part D’s most contentious issues. 6

Due to the legitimate and historically based apprehension that unscrupulous elements often follow the money, CMS has issued materials to assist plan sponsors – those offering qualified prescription drug coverage – in the implementation of a program to help prevent and detect fraud, waste and abuse specific to Part D, while actively communicating its own plans to monitor Part D compliance and prosecute fraud and abuse. CMS hosted a compliance conference in September 2005 and issued a fact sheet detailing expanding efforts to fight fraud. 7

This article focuses on the major fraud, abuse and compliance program issues and challenges anticipated to be faced by drug plans as they implement the new benefit. There have been early warning signs with beneficiaries starting with the interim temporary discount card program 8 – such as scams involving fake prescription cards sold to seniors, including a scheme by two Canadian telemarketing firms to drain money out of consumers' checking accounts after they were persuaded to give up sensitive financial information. Under the new benefit, a scheme has been already been uncovered this year called the "$299 Ring" for the typical amount of money beneficiaries are talked into withdrawing from their checking accounts to pay for a non-existent prescription drug plan. 9

Compliance and Fraud Control Programs

The MMA requires Part D plans to have in place a program to control fraud, waste and abuse (FWA). 10 While standard Medicare and Medicaid fraud and compliance provisions are applicable to Part D contractors and their subcontractors, it is worth noting that Part D is the first Medicare program to mandate contractors or plan sponsors to have a comprehensive plan and program to detect, correct and prevent fraud, waste and abuse. 11

In an effort to consolidate the various compliance plan requirements in the Title I rule, CMS included the FWA component as part of a Part D sponsor’s overall compliance plan. On February 8, 2006, CMS released an updated, expanded draft of guidance for Part D prescription drug plan sponsors on the structure and focus of the compliance programs required under their contracts with CMS. The draft guidance constitutes an entire chapter (Chapter 9) of the Prescription Drug Benefit Manual. CMS has sought public comment on the guidance. 12

The draft guidance assigns monitoring and auditing duties to Part D plans similar to the program integrity work historically undertaken by Medicare contractors who process provider and supplier claims. The draft manual provides that a sponsor can implement a FWA program in one of two ways: (1) separate and in addition to other compliance plan components; or (2) integrated into elements of an existing compliance plan. Structurally, CMS also notes that a “Part D Compliance Officer” may be the same person as the corporate compliance officer; however, it strongly recommended that the two positions be staffed independently. 13

Besides emphasis on the compliant operation of the prescription drug benefit itself, is there any real distinction between a compliance program and a FWA program? As viewed in the draft manual, the structures seem to appear basically the same with merely the insertion of Part D fraud risk considerations into each element of a general compliance program.

However, the FWA component highlights the heightened regulatory attention to requirements on insurers and managed care organizations to have and operate effective fraud detection and prevention plans (not just compliance programs), including the use of proactive scanning and detection methods. For instance, the Part D manual describes approaches for use of data analysis as a tool for fraud detection. For commercial plans, many state regulatory agencies mandate proactive fraud control programs including the formation and use of special investigation units (SIUs). 14 Moreover, anti-fraud programs are getting more attention as Board Audit Committees of public companies now have a burgeoning spectrum of fraud prevention responsibilities, particularly those imposed by Sarbanes-Oxley, the U.S. Security Exchange Commission (SEC) rules, and the Public Company Accounting Oversight Board (PCAOB) Auditing Standards. 15 Another recent development is the Deficit Reduction Act (DRA) of 2005, signed into law on February 8, 2006, which includes a section on eliminating FWA in Medicaid, with a requirement of employee education that provides details on false claims recovery. 16

These developments point to the need for an organization to also address its own risks of becoming a victim of fraud and abuse, in addition to ensuring that the plan itself is not committing fraud. While there are substantial commonalities in the features of an effective compliance program versus an anti-fraud program (such as employment screening, reporting mechanisms, investigative protocols and enforcement of standards), there are also distinctions. Fraud control draws more heavily on the tools of data-mining, investigation, law enforcement and initiated legal actions; whereas compliance focuses more broadly on education, training and protection from legal actions initiated by others. Effective integration can help optimize the impact from both perspectives. 17

There remain open issues as to what is expected of Part D contractors as they begin implementing the FWA components of their compliance program this year. A related area for drug plans to monitor is the role of the newly created Medicare Drug Integrity Contractors (MEDICs). CMS has contracted with private organization MEDICs to manage CMS’ audit, oversight and fraud control efforts for the Part D benefit, 18 and the Prescription Drug Benefit Manual (draft Chapter 9) provides a table outlining the MEDICs expected activities. Plan sponsors will also still need to be alert to basic fraud and compliance risks such as the False Claims Act, the Anti-Kickback Statute and the Stark physician self-referral statute. 19

Areas of Fraud Risk

In actively promoting its intentions to monitor Part D compliance, CMS has described the wide-ranging types of fraud that can occur. Some of these are the garden-variety fraud already well known (e.g., counterfeit, diluted, or mislabeled drugs), while others are unique to the new benefit. Various categorizations of the specific types of fraud as well as lists of susceptible products have been disseminated. The draft Prescription Drug Benefit Manual in Chapter 9 20 provides examples of risks applicable to the various industry sectors – Pharmacy Benefit Managers (PBMs), pharmacies, prescribers, pharmaceutical manufacturers, wholesalers, Medicare beneficiaries, and of course plan sponsors.

As they offer the new drug benefit, sponsors such as Prescription Drug Plans (PDPs) and Medicare Advantage plans will see emerging risks and face scrutiny in this arena. The following is a sampling of the newer types of FWA risks that have been raised for plan sponsors:

Gaming risk corridors and risk adjustors – As a PDP or Medicare Advantage Plan you are paid under a risk adjusted payment per patient, so the risks can include manipulation of risk corridors through the actuarial process, as well as the well known concerns of patient avoidance or dumping and adverse selection of enrollees. Related to this risk is the manipulation of low-income subsidy enrollees in order to receive unwarranted subsidy payments. Any new form of data submission (e.g., plan quarterly data and prescription drug event data) presents opportunity for the plan to misrepresent or falsify information furnished to CMS.

Calculation of TrOOP – Tracking payments to beneficiaries and manipulating beneficiary status is considered one of the biggest potential fraud issues. Because formularies, deductibles, and co-payments can vary considerably by plan, it will be a challenge to accurately calculate true out-of-pocket (TrOOP) expenditures and what counts towards the donut hole. 21 Manipulation of calculations to keep beneficiaries in the coverage gap or to push the coverage gap into catastrophic coverage are some of the potential fraud opportunities.

Marketing Schemes – This includes cross-marketing activities in which a few large insurers have already received scrutiny for allegedly entering into the PDP market in an overly aggressive manner. According to public news reports, the practice to enroll-and-migrate from a drug-only plan to potentially more profitable managed care plans is believed by regulators to be inappropriately encouraged in violation of CMS regulations. Another area that surfaced during interim use of the drug discount card is the cross-selling between Part D lists and Part B durable medical equipment (DME) beneficiaries. Quite simply, the rules regarding appropriate marketing activities to beneficiaries and business partners are not yet fully clear.

Formulary Issues – Sponsors and PBMs need to be alert to improper formulary decisions in which costs take priority over clinical efficacy – as when switching medications to favor targeted drugs that are more expensive than those originally prescribed. Further, the nature of relationships between Pharmacy & Therapeutics (P&T) committee members and drug companies will be scrutinized; therefore, processes to manage and identify conflicts of interests will be critical. A unique twist may be the drug manufacturers’ concerns in ensuring that formulary decisions are proper and do not inappropriately exclude access to its drug within Part D.

Rebates and Arrangements with Pharmacies and Manufacturers – There will be enhanced opportunity in the new system for rebates and moving volume through agreements with drug companies. FWA can occur when sponsors fail to disclose or misrepresent rebates, discounts, price concessions, or other value-added items offered by drug manufacturers.

From an operational and compliance program perspective, Part D is a daunting undertaking, yet it also provides an opportune time to re-examine an organization’s compliance program for integrating existing fraud control activities such as those mandated by state insurance agencies. A FWA program also comports with increasing board governance and consumer expectations for organizations to prevent fraud from taking place. The benefits of an effective corporate compliance program can become more visible and considered a return on investment if such programs are expanded to address Part D specifically and FWA more broadly. For lawyers and compliance officers, the challenge will be to assist their organization wade through the numerous minefields that can arise.


José A. Tabuena is in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP.

The views in this article are those of the author, and do not necessarily represent the views of Deloitte Financial Advisory Services LLP.

2 About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu. In the U.S., services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP.

3 As presented by James Sheehan, Associate U.S. Attorney, during a Health Care Compliance Association Audio Conference on January 23, 2006.
4 Pub. L. No. 108-173, 117 Stat. 2066 (2003) (codified at 26 USCA §§ 139A, 223, 4980G; 42 USCA §§ 299b-7, 1395b-8, 1395b-9, 1395w-3a, 1395w-3b, 1395w-27a, 1395w-29, 1395w-101 to 1395w-104, 1395w-111 to 1395w-116, 1395w-131 to 1395w-134, 1395w-141, 1395w- 151, 1395w-152, 1395cc-3, 1395kk-1, 1395zz, 1395hhh, 1396u-5).
5 The final Part D rules and the final Medicare Advantage rules were both published in the Federal Register on January 28, 2005 (70 Fed. Reg. 4193-4742).
6 Such as the process for transitioning dual eligibles from Medicaid coverage onto Part D, the comprehensiveness of required formularies, Part B versus Part D coverage issues, etc. The complexity of Part D resulted in various informational initiatives by CMS, and in a few instances CMS had to reissue guidance when it received comments pointing out inconsistencies – such as the guidance to long term care facilities regarding its emergency refill policy.
7 The Medicare fact sheet is available at http://www.cms.hhs.gov/apps/media/press/release.asp?Counter=1690.
8 During the interim period before the drug benefit went into effect on January 1, 2006, the MMA authorized establishment of a Medicare Discount Card Program and a Transitional Assistance Program for low-income beneficiaries. These programs became available June 1, 2004.
9 Complaints have been received from Indiana, Michigan, Pennsylvania, Massachusetts, New Jersey and Georgia and have been made against a number of different companies, but authorities believe the companies are the same and are based outside the U.S. CMS Release, March 7, 2006 at http://www.cms.hhs.gov/apps/media/press/release.asp?Counter=1794.
10 42 U.S.C. § 1395w-104.
11 42 C.F.R. § 423.504(b)(4)(vi)(H). These regulations list the core elements of a compliance plan, to now include a comprehensive fraud, waste and abuse program.
12 CMS accepted comments until March 1, 2006. The draft of Chapter 9 to the Manual can be found at http://www.cms.hhs.gov/PrescriptionDrugCovContra/Downloads/PDBManual_Chapter9_FWA.pdf.
13 As required under 42 CFR § 423.504(b)(4)(vi)(B).
14 Approximately 17 states require insurers to have a fraud plan, with 12 of those states also requiring an SIU. See information from the Coalition Against Insurance Fraud at http://www.insurancefraud.org/regulations_search.html. In some states these requirements may differ between health insurers and managed care organizations versus other lines of insurance.
15 See the SEC Final Rule, Management Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274 (Section II(B)(3)(d)), located at http://www.sec.gov/rules/final/33-8238.htm, as directed by Section 404 of the Sarbanes-Oxley Act of 2002; and see PCAOB Auditing Standard No. 2, paragraphs 25 and 139, which can be downloaded at http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf.
16 For entities that receive more than $5 million in Medicaid Reimbursement. Pub. Law 109-171, (2006), Chapter 3, Section 6032 of the DRA, which takes effect on January 1, 2007.
17 In fact, it can be argued that compliance program elements are mostly satisfied when an organization has a fraud control program – regardless of whether it works well or not – as opposed to the other way around.
18 CMS RFP CMS-2006-0017, Medicare Prescription Drug Benefit (Part D), Medicare Drug Integrity Contractor, May 25, 2005.
19 See 70 Fed. Reg. 4194, 4201 ( Jan. 28, 2005).
20 See note 10, supra.
21 The donut hole refers to a period when no Part D coverage for prescription drugs will be available. After total drug costs reach $2,250, one will pay an additional $2,850 out-of-pocket before Medicare Part D will continue coverage. After this coverage gap, Medicare will pay for 95% of further drug costs.