Key insights:

• • • The OBBBA has stricter verification requirements 鈥� These requirements have inadvertently created an environment that incentivizes fraudulent activities, such as identity theft and document forgery, especially among individuals seeking Medicaid and ACA coverage.

    • The OBBBA enacts tax policy modifications 鈥� These modifications, including reduced third-party reporting mechanisms and expanded tax benefits, may create opportunities for underreporting of income among gig workers and small businesses.

    • OBBBA’s contains large-scale funding mechanisms 鈥� These mechanisms along with rapid implementation may put pressure on traditional procurement safeguards, creating potential challenges in oversight and accountability.

The One Big Beautiful Bill Act (OBBBA) aimed to fulfill several policy objectives from the Trump Administration’s campaign platform. However, an examination of the legislation and its implementation reveals mixed results, particularly concerning potential vulnerabilities for fraud, waste, and abuse across various sectors.

Healthcare eligibility fraud: A slippery slope

The OBBBA introduced stricter verification requirements for lawful status, residency, and work eligibility within healthcare benefit programs. While intended to bolster program integrity, these tightened standards have, in some cases, inadvertently incentivized fraudulent activities.

For example, individuals seeking Medicaid and Affordable Care Act (ACA) coverage have reportedly resorted to identity theft, document forgery, and falsified employment or training records to meet the new criteria. This environment has attracted organized fraud networks and unscrupulous enrollment brokers who exploit system vulnerabilities, ultimately impacting legitimate beneficiaries through compromised identities and bilking taxpayers through misallocated resources.

Historically, enhanced verification measures have sometimes led to similar unintended consequences. The period after passage of the Immigration Reform and Control Act of 1986 (IRCA), for instance, saw a rise in widespread counterfeiting operations due to document requirements. Similarly, Medicaid programs have consistently battled identity fraud, and related work requirement pilot programs have shown patterns of misreporting. The rapid, large-scale eligibility transitions during the pandemic also created opportunities for fraudulent activity. These historical examples demonstrate an unfortunate reoccurring pattern that sometimes administrative safeguards, while designed for integrity, can create incentives for sophisticated circumvention strategies.

Tax policy changes: Opening doors to evasion

The OBBBA’s tax policy modifications have introduced new dynamics in reporting and compliance, potentially affecting revenue collection. The legislation reversed the $600 1099-K reporting threshold and raised 1099-MISC/NEC thresholds to $2,000. This reduction in third-party reporting mechanisms makes it harder to ensure accurate income declaration. Simultaneously, the law expanded certain tax benefits, including a 100% federal credit for private-school scholarship donations and a doubled, qualified small business stock exclusion. These changes impact various stakeholders, including gig workers, self-employed individuals, operators of small businesses, high-income investors, charitable organizations, and tax planning professionals.

In addition, state-level scholarship programs with similar 100% credit structures have experienced various forms of abuse. These precedents indicate that the current changes in the OBBBA may create opportunities for underreporting of income among gig workers and small businesses. There is also potential for misuse of the new tax benefits through self-dealing arrangements or sophisticated strategies designed to minimize tax obligations.

History suggests that changes to reporting requirements and tax incentives can create compliance challenges. Past instances in which reporting mechanisms were weakened or enforcement reduced have correlated with an increase in the tax gap 鈥� the difference between taxes owed and taxes collected. The Tax Cuts and Jobs Act (TCJA) era, for example, demonstrated how new provisions could be exploited in unforeseen ways.

Unaccountable spending and contracting fraud: A risky proposition

The OBBBA also established significant funding mechanisms, including a $100 million Office of Management and Budget fund and $30 billion allocated for immigration enforcement activities, that granted relatively broad administrative discretion in their deployment. These substantial appropriations, intended for rapid implementation, may put pressure on traditional procurement safeguards.

Indeed, the sheer scale and urgency of these funding streams have attracted various participants, including agency officials with expanded discretionary authority, established government contractors, and new market entrants.

Historical experience with large-scale, rapidly deployed government funding suggests potential challenges in oversight and accountability. The Department of Homeland Security, for example, has been designated as High Risk by the Government Accountability Office partly due to procurement management concerns. In the past, post-9/11 security initiatives and Iraq reconstruction efforts also revealed vulnerabilities in expedited contracting processes; and more recently, COVID-19 relief programs like the Paycheck Protection Program demonstrated how substantial funding, compressed timelines, and reduced oversight can create conditions conducive to fraud and waste. These precedents suggest that the current funding structure within the OBBBA may face similar risks, including potential misallocation of resources, irregular contracting practices, and exploitation by opportunistic actors seeking to benefit from loosely constrained procurement processes.

Cross-cutting vulnerabilities and systemic impact

The OBBBA’s implementation has introduced significant operational changes across multiple government programs, leading to rapid policy transitions and large-scale re-verification processes. These administrative shifts have generated confusion among beneficiaries and stakeholders, which opportunistic actors have exploited.

This exploitation includes phishing operations and fraudulent benefit fixer services that prey on individuals struggling to navigate the new requirements. The pace and complexity of these changes have challenged traditional oversight mechanisms, as the government鈥檚 capacity for auditing, data analytics, and procurement controls has struggled to keep pace with the scale and speed of implementation demands.

These gaps in oversight and enforcement are likely to create systemic vulnerabilities beyond immediate program integrity concerns. When fraudulent activities succeed, legitimate program beneficiaries face reduced access to services as resources are diverted from their intended purposes. Simultaneously, compliant taxpayers bear increased burdens as fraudulent claims and inefficient spending patterns require additional revenue or reduce the effectiveness of public investments.

This dynamic illustrates how implementation challenges, like those in the OBBBA, can create cascading effects, ultimately undermining both program effectiveness and public trust in government operations, regardless of the underlying policy objectives.

You can find more of our coverage of听the impact of the One Big Beautiful Bill Act听here

Key insights:

• • • Coordinated investigations boost detection 鈥� The recent operation formed a fusion center in which data was shared and compared, enabling earlier and more effective identification of fraudulent patterns.

    • Advanced analytics uncover complex schemes听鈥� Fraudsters allegedly used hundreds of shell companies to mask illicit activities, complicating detection, but analytics platforms leveraging third-party data help identify anomalies.

    • Multi-entity collaboration is essential 鈥� Broader cooperation and data sharing across entities increase the likelihood of timely detection and enforcement actions.

State and federal prosecutors recently charged more than 320 people for $14.6 billion in false claims in what is described as the largest coordinated takedown of healthcare fraud schemes in the history of the U.S. Department of Justice.

The key word here is coordinated. Traditionally, Medicare, Medicaid, private insurers, and other organizations have tended to investigate fraud in isolation. Each agency or carrier worked its own pipeline 鈥� reviewing claims, generating leads, and pursuing cases on its own.

Fraudsters, meanwhile, are more equal opportunity exploiters, often spreading their tentacles across numerous targets. This not only increases their total potential illicit gains, but it also reduces their detectable footprint within any single target. In schemes that sprawl across multiple targeted entities, even if the fraudulent activity is discovered, each target only sees a slice of the total picture.

This recent operation completely flipped that script. The organizations that were targeted for fraud formed a fusion center that shared and compared data. While each individual organization carries its own unique vulnerabilities, the more data that’s shared between more parties, the more likely that patterns can be identified or that perpetrators will hit a trip wire somewhere along the way in one of the targeted organizations and be detected.

The goal of such coordination is to spot fraud as early as possible, before it has a chance to permeate more deeply into each affected organization. Even with coordination, the challenge remains to detect sophisticated fraud before it balloons into multi-billion-dollar losses. The $14.6 billion figure likely reflects activity that went undiscovered for years.

Early detection is key

In many of these types of fraud schemes, there are massive numbers of dots to connect and threads to follow. In this recent takedown, fraudsters had allegedly set up hundreds of shell companies to mask their illicit transactions, which intentionally made it difficult to trace the fraud back through the shadow businesses to the individual perpetrators.

Advanced analytics platforms that leverage third-party data can help spot these suspicious patterns. And the more entities and more data that these platforms have to work with, the greater their ability to spot anomalies through analysis, such as:

• • • Risk scoring 鈥� Assigning fraud-specific risk ratings based on abnormal billing patterns, outlier service volumes and geographic spikes
    • Entity resolution 鈥� Linking providers, clinicians, and business owners to spot potential shell companies
    • Ownership mapping 鈥� Uncovering hidden relationships among entities registered in different states or countries

Yet, even with advanced analytics and other data sources, detecting fraud and piecing together the multitude of disparate leads that could potentially point back to the perpetrators is a daunting task. Further, the government agencies and private insurers involved both make extensive use of contractors, which, on the one hand, can add another layer of complexity, but at the same time, these contractor networks can also provide additional resources and data for spotting fraudulent patterns.

As the recent takedown demonstrates, it鈥檚 difficult for any single entity to handle this by themselves. For example, the alleged fraudsters in the recent takedown reportedly used entities spread across multiple countries. So, the wider the net is cast, the more likely it is to get better, faster results that can lead to enforcement actions.

Coordinating learnings to assist prevention

While it鈥檚 vital to analyze cases after they鈥檙e successfully concluded to better identify and correct weaknesses and vulnerabilities and to prevent fraud from recurring, it鈥檚 equally important for agencies and organizations to find out what went right and share best practices.

While one organization may fall victim to a fraud scheme, another organization may find that they managed to partially or completely deter the same scheme. By comparing notes along with data, organizations can see which policies, procedures, or technology solutions specifically either enabled or deterred the fraud.

Then, policies and procedures can be reshaped based on what other agencies or carriers are learning in real time as they deal with fraudsters. When organizations share datasets, a suspicious provider or transaction that is flagged by one organization can immediately trigger alerts across the coordinated agencies and carriers. Even if organizations have dissimilar systems or datasets, they can share best practices and adopt similar data taxonomies to make sharing of data easier.

Even if an organization isn鈥檛 part of a multi-agency task force, the principle holds: The more you break down silos 鈥� between departments, between payers, and between public and private sectors 鈥� the faster organizations will be able to spot patterns that might otherwise get missed, enabling earlier detection and faster action.

The extent and breadth of the recent takedown 鈥� from bogus wound-care supplies to illegal pill mills, fraudulent catheter claims, and more totaling billions of dollars 鈥� underscores how fraudsters will seek to exploit every vulnerability and loophole they can find. At the same time, the successfully coordinated crackdown demonstrates how collaboration, data sharing, and the right technologies can help organizations and agencies turn the tide.

You can find out more about the ongoing fight against medical fraud here

The highlights more than $2.76 billion in expected recoveries resulting from agency audits and investigations conducted during the reporting period of October 1, 2023, through March 31, 2024.

During this period, the OIG reported:

• • • 712 criminal and civil actions;
    • 1,795 exclusions from federally funded programs;
    • 195 recommendations issued to reduce fraud, waste, and abuse; and
    • 1,201 referrals to federal and state prosecutorial partners.

“To hold wrongdoers accountable, OIG doggedly pursues criminals whose schemes put federal funds at risk and endanger the public,” said Christi A. Grimm, HHS Inspector General, in the report. “These enforcement cases often involved egregious fraud, including false billing, costly kickback schemes, and failures to provide care.” Further, OIG enforcement efforts 鈥渃onsistently yields a positive return on investment of around $10 returned to every $1 invested,鈥� according to the report.

OIG enforcement highlights

As part of its report, the OIG highlighted a number of healthcare fraud and abuse enforcement actions against the most egregious fraudsters and regulatory compliance failures. The actions include drug diversion, COVID-19 fraud, against self-referrals, state long-term care survey deficiencies, and Medicare patient abuse and neglect.

Some of the cases highlighted included:

Mark Murphy, a pain management physician, and his wife, Jennifer Murphy, “conspired to unlawfully dispense and distribute controlled substances, including Fentanyl and Oxycodone, through prescriptions that were not issued for legitimate medical purposes,” the report stated. In addition, the Alabama couple submitted fraudulent claims to federal healthcare programs and private insurers. They were of conspiracy to distribute controlled substances and healthcare fraud. The trial court sentenced them to 20 years in prison and ordered them to pay approximately $52 million in restitution. The OIG also excluded them from participating in federally funded programs for 70 years.

Mark Schena, president of Arrayit Corp., a medical technology company, was sentenced to eight years in prison and ordered to pay $24 million in restitution in the first criminal securities fraud case related to the and the first criminal COVID-19 healthcare fraud case brought to trial. Arrayit defrauded investors by claiming his “revolutionary technology” could “test for virtually any disease using a single drop of blood.” In meetings with investors, he and his publicist claimed he was the “father of microarray technology” and was on the “shortlist for the Nobel Prize.” Arrayit also “ran tests on every patient for 120 different allergens” regardless of medical necessity.

He also falsely said the company had a COVID-19 test and claimed that the government required individuals being tested for COVID-19 also be tested for allergies. He also “orchestrated a deceptive marketing plan that falsely claimed the company’s test was highly accurate鈥� as well as paying kickbacks to marketers.” Schena concealed from investors that the U.S. Food and Drug Administration (FDA) found Arrayit’s COVID-19 test was not accurate enough to receive an emergency-use authorization.

Community Health Network, Inc., a healthcare network headquartered in Indianapolis, agreed to pay $345 million to resolve allegations that it violated the U.S. False Claims Act by “knowingly submitting claims to Medicare for services that were referred in violation of the Stark Law.” Beginning in 2008 and 2009, senior management at the healthcare network engaged in an “illegal scheme to recruit physicians for employment” in order to capture their “lucrative .”

Community Health recruited hundreds of local specialists by paying salaries that were as much as double what they were making in their own private practices. In order to hide its scheme, the network knowingly provided false compensation figures to a valuation firm so that it rendered a favorable opinion on the compensation it planned to pay the recruited specialists. In addition to the excessively high compensation, the network also paid bonuses to the physicians when they reached a set target number of referrals to the network.

Nursing homes and Medicare fraud

Further, the OIG found 1,973 deficiencies among 98 nursing homes in its audit of five states’ oversight of nursing home compliance with federal requirements for life safety, emergency preparedness, and infection control. The OIG found that Colorado, Ohio, and Oklahoma did not that nursing homes within the state were complying with federal requirements. (States are required to survey long-term care facilities for compliance issues.)

The OIG also found that the state of Washington did not ensure compliance with federal requirements and identified deficiencies in all it audited in the state, including “91 deficiencies related to life safety, 155 deficiencies related to emergency preparedness, and 279 deficiencies related to infection control,” the report noted.

The OIG also during this reporting period that found 30,258 Medicare claims for services provided in 2019 and 2020 contained diagnosis codes that “indicated the treatment of injuries potentially caused by abuse or neglect of Medicare enrollees.” The OIG estimated that 91% of Medicare claims with injury diagnoses “contained evidence of potential abuse or neglect.” The agency also found that 24% of incidents were not reported to law enforcement, 12% of incidents occurred in medical facilities, and 8% were “allegedly perpetrated by health care workers.”

The OIG oversees more than $2 trillion in HHS spending, almost 24% of the federal budget. Its enforcement and recovery efforts are considered necessary to safeguard taxpayer dollars.

Financial institutions are financially responsible for fraud, such as unauthorized transactions or identity theft, and they must have robust security measures in place to detect and prevent such fraud. If a bank fails to safeguard against such activities, it may be held liable for the losses. However, banks have historically refused to pay for certain kinds of fraud, especially in cases in which consumers authorized payments, even if those consumers were deceived.

For instance, the United States Senate鈥檚 Permanent Subcommittee on Investigations, a part of the Senate Committee on Homeland Security and Governmental Affairs, has been examining fraud- and scam-related cases that have been taking place within the Zelle network. Zelle 鈥� operated by Early Warning Services, is owned by seven of the largest US banks including JPMorgan Chase, Bank of America, and Wells Fargo 鈥� was the subject of a about the hundreds of millions of dollars lost to fraud at Zelle and the organization鈥檚 previous resistance to reimbursing victims. Several of those giving testimony included Cameron Fowler, CEO of Early Warning Services, who stated the company has ; and several executives from some of the owner banks who asserted they were to combat scams, that Zelle had taken steps to , and that owners could have better in the process.

Banks have historically refused to pay for certain kinds of fraud, especially in cases in which consumers authorized payments, even if those consumers were deceived.

These banks aren鈥檛 alone 鈥� most financial institutions claim the responsibility for fraud and financial losses falls on the consumer because the transfers were conducted voluntarily and that there is a risk of compensating for first-party fraud. In 2021 alone, Zelle users to various types of fraud. To combat this, Zelle has implemented , which has reduced the number of fraud cases on the platform.

However, this news may come too late to some consumers who authorized fraudulent payments or those who ignore the red flags. Despite the implementation of systems and tools to flag irregular transfer activity, customers may still voluntarily transfer money even when warned by a bank representative of potential fraud. Consumers are expected to exercise due diligence and may be liable for negligence unless considered vulnerable individuals.

Working together to combat financial fraud

Customers need to understand that they are their own accounts’ first line of defense. While it is the bank’s responsibility to protect assets, it is also important for customers to protect themselves.

Addressing scam-induced fraud losses requires a cooperative effort between consumers, financial institutions and regulators.听For example, consumers need to stay informed about the latest scam techniques and recognize potential fraud. This involves understanding common red flags, such as unsolicited requests for personal information, urgent demands for payment, or communication from unfamiliar sources.

Consumers also should exercise caution when conducting financial transactions. This includes verifying the authenticity of requests for payments or information, using secure and verified channels for transactions, and regularly monitoring bank statements for any unauthorized activities. By being attentive and cautious, consumers can reduce their risk of falling victim to scams.

Financial institutions should develop and implement supportive policies that assist and reimburse fraud victims… including offering clear guidelines on the steps consumers should take if they fall victim to fraud.

On the financial institutions鈥� side, they must continuously invest in advanced technologies to proactively detect and prevent fraudulent activities. Financial institutions also should implement robust security measures, such as multi-factor authentication, encryption, and secure access controls to better help protect consumer accounts and sensitive information from unauthorized access and fraud.

Finally, financial institutions should develop and implement supportive policies that assist and reimburse fraud victims. This includes offering clear guidelines on the steps consumers should take if they fall victim to fraud and ensuring a swift and fair resolution process.

Of course, government banking regulators play a role as well. By clearly defining the responsibilities of consumers and financial institutions, regulators can offer guidance to help delineate the boundaries of liability and ensure that both parties understand their roles in preventing and addressing fraud. Regulatory bodies also can monitor compliance with established standards and take enforcement actions against institutions that fail to meet their obligations. This helps maintain trust in the financial system and ensures that institutions are held accountable for their part in fraud prevention.

Key Elements of the UK’s Approach

One financial regulator has already begun to address this situation. The United Kingdom’s Payment Services Regulator (PSR) has implemented a comprehensive reimbursement policy aimed at protecting consumers and ensuring accountability among financial institutions. By examining the UK’s approach, the US can adopt and adapt effective strategies to mitigate APP fraud and enhance consumer protection.

As part of its solution, the PSR established mandatory reimbursement rules that require banks to reimburse victims of APP fraud. This policy ensures that consumers are not left to bear the financial burden of scams and that banks are held accountable for facilitating secure transactions.

The UK’s policy also outlines specific responsibilities for consumers to help prevent fraud. These include following warnings from banks, reporting fraud promptly, sharing necessary information, and allowing banks to report fraud to the police. And special provisions are made for vulnerable customers, exempting them from certain standards and ensuring they do not have to pay claim excesses if their vulnerability contributed to the fraud. This ensures fair treatment and protection for those who may be more susceptible to scams.

Further, the UK’s approach includes robust monitoring and compliance measures, with Pay.UK overseeing banks’ adherence to reimbursement rules and reporting findings to the PSR, ensuring transparency and accountability in the financial system.

Conclusion

The rise of AI-enabled scams presents challenges for both consumers and financial institutions, especially around APP fraud. While financial institutions must continuously invest in advanced technologies and implement robust security measures to detect and prevent fraud, consumers must also exercise caution and due diligence in their financial transactions. Regulatory bodies also play a crucial role in defining responsibilities and enforcing accountability to protect consumers and maintain trust in the financial system.

A collaborative effort between consumers, financial institutions, and regulators is essential to address scam-induced fraud losses and ensure a secure financial environment for all.

Traditional elder financial abuse would likely come in the form of a close acquaintance taking advantage of their relationship with the victim to take possession of their property or money. This abuse could include manipulation to get expensive jewelry or convincing a vulnerable person to disclose bank codes allowing the illicit actor to drain the victim鈥檚 accounts.

While these are crimes, of course, they are much easier to catch and protect against than other types of financial fraud. In fact, bank employees are now encouraged to look for the signs of this type of manipulation and actively take steps to prevent it. However, less traditional financial abuse is becoming more concerning.

With theft by fraud skyrocketing 鈥� to more than $10 billion in 2023, from $2.4 billion in 2019 鈥� the rapid rate of is growth should put people (especially those in more vulnerable situations, like the elderly) into a more defensive and skeptical position. Indeed, elderly individuals are disproportionally vulnerable to this more complex and harder to detect type of theft.

In its 2023 report, the FBI’s indicated that individuals under the age of 20 were the demographic least impacted by scams and fraud with only 18,000 reported victims, while those 60 years old and older saw more than 101,000 reported victims.

Understanding the root cause of elder fraud

Yet, to more fully understand the problem that some elders are facing you must first look at the root. Desperation and greed are among the reasons scammers have ramped up the use of schemes that will get money quickly from elderly victims. Scammers also look for options that have the lowest risk, so when considering crimes, they see elderly individuals as prime targets for several reasons, including:

• • • They assume that elderly individuals are the most likely to have disposable income or savings. While younger individuals are beginning their careers and are just starting to earn money, elderly individuals have had time to amass savings and often have disposable income available for use and investment.
    • Elderly people are often less knowledgeable about the complexities of technology, including newer ways of investing. This lack of understanding around recently developed technology platforms making it easier to manipulate the victim. This would include venues like dating apps or digital currency platforms.
    • The older the population gets, the more likely they are to be retired, widowed, or lonely. Often, this leads to elderly individuals seeking companionship or friendship; and sometimes, looking for those connections online can open up a whole different world of (unverified and anonymous) people with whom to connect.
    • Elderly people also tend to adhere to more conservative beliefs, keeping finances to themselves and not asking for help. So, during manipulation and even after a financial loss, elderly victims are often left in a situation in which they are less likely to speak about it. This makes reporting, prevention, and tracking more difficult.

This spring, several government agencies 鈥� including the Financial Industry Regulatory Authority (FINRA), the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), and the AARP (formerly the American Association of Retired Persons) 鈥� all took notice of the situation and issued warnings or guidance on the increases in elder financial crime, a stark reminder of this widespread problem.

In fact, FinCEN found that between June 2022 and June 2023, it had received 155,415 Elder Financial Exploitation (EFE)-related Bank Secrecy Act (BSA) reports associated with more than $27 billion in reported suspicious activity, which may include both actual and attempted transactions. It is important to note that this is only the number that was reported and听does not account for instances in which individuals did not catch on to the fact they were the victim of a scam or instances in which the loss was not reported for other reasons. Further, an says that more than 40% of Americans (an estimated 141.5 million adults) say they have lost money to scams or had sensitive information obtained and used fraudulently.

While it is easy to count how much money is lost, it’s not as easy to count the number of individuals who suffer from depression or even suicidal attempts as a result of being scammed.

Elders are now facing many complex scams that are aimed at taking advantage of them in more significant ways. In 2023, the Top 5 scams reported to the IC3 were: tech support scams, personal data breaches, romance and confidence scams, product scams (non-payment or non-delivery), and investment scams. IC3 reports that the losses to investment scams alone totaled more than$1 billion in 2023.

And there is another factor that most people don鈥檛 even consider in the aftermath of a tremendous financial loss. While it is easy to count how much money is lost, it’s not as easy to count the number of individuals who suffer from depression or even suicidal attempts as a result of being scammed. For example, who was scammed for nearly $100,000 ultimately took his life as a result. In this case, the scammers were caught, but it highlights how these crimes need to be taken seriously.

Eva Velasquez, a former investigator for the San Diego District Attorney鈥檚 Office and who now serves as president and CEO of the nonprofit , said the organization鈥檚 most recent study noted a sharp increase in the number of fraud victims who reported having thoughts of suicide after being conned.

What is clear is that it is important to educate elderly Americans on the use of technology and the reg flags they will inevitably come across, especially online. It is also important to continue to report and track these elderly financial abuse scams in order to try to prevent them in the future.

In addition to recovering taxpayer funds and deterring future fraud, False Claims Act enforcement “also protects patients from medically unnecessary or ,” the DOJ said in a statement.

DOJ enforcement highlights

The agreed to pay $172 million to resolve allegations that it used “inaccurate and untruthful diagnosis codes鈥� for its Medicare Advantage plan enrollees to improperly increase its payments from Medicare. The government alleged that Cigna also relied on improperly reported diagnosis codes reported by vendors without performing or ordering testing to confirm those diagnoses. The Medicare program reimburses Medicare Advantage plans at a capitated rate based on the health of each member. A member with more diagnoses or more complex medical conditions nets the plans a higher reimbursement from the government.

agreed to pay $22.5 million to resolve similar allegations that it had submitted inaccurate diagnosis codes for its Medicare Advantage plan enrollees in order to increase reimbursements. The diagnoses codes were not supported by member medical records.

The DOJ also litigated other cases involving the government鈥檚 , including cases against UnitedHealth Group, Independent Health Corporation, Elevance Health (formerly Anthem), and Kaiser Permanente.

In another case involving false claims, the government alleged that former long-term care facility and related entities submitted claims for “services performed by unlicensed and unauthorized students” and that the services were either not provider or were “effectively worthless.” Cornerstone and the related entities agreed to pay $21.6 million to resolve these allegations.

The DOJ also announced two resolutions involving electronic health records. In the first, (ModMed) agreed to pay $45.4 million to resolve allegations that it solicited and received kickbacks from a lab company in exchange for recommending that its customers use the lab’s pathology services, conspired with the lab company to donate ModMed’s electronic health records technology to healthcare providers, and paid kickbacks to its customers and other influential entities to recommend its technology and refer potential customers. The government also alleged that ModMed’s electronic health record technology did not always use “required standard vocabularies” that caused providers to improperly submit claims for electronic health record incentive payments.

In the second case, agreed to pay $31.2 million to resolve allegations that it misrepresented the capabilities of some versions its electronic health records software that were 鈥渓acking in critical functionality.鈥� The government also alleged the NextGen offered credits worth as much as $10,000 and tickets to sporting and entertainment events to customers whose recommendation of its software led to a new sale.

In another resolution, and its president and CEO agreed to pay $22.9 million to resolve allegations the company had improperly paid physicians “under the guise of medical directorships to induce referrals of home health patients.”

State Medicaid recoveries

Although the federal government often recovers Medicaid funds when pursuing Medicare fraud, states also have a separate responsibility to prosecute Medicaid fraud. Because Medicaid is a federal/state partnership, these recoveries benefit both state and federal taxpayers.

All 50 state, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have Medicaid Fraud Control Units (MFCUs) to Medicaid provider fraud and patient abuse or neglect.

For fiscal year 2023, in:

• • • $1.2 billion recovered;
    • 1,143 convictions (814 for provider fraud and 329 for patient abuse or neglect);
    • 850 exclusions of individuals or entities from federally funded programs; and
    • 436 civil settlements and judgments.

MFCU enforcement highlights

In , the MFCU partnered with other state agencies in a civil investigation of allegations that managed care company Centene overcharged the California Medicaid program by “falsely reporting higher prescription drug costs” for two of its managed care plans. Centene agreed to pay more than $215 million to resolve the allegations.

In , the MFCU investigated the owner of a laboratory for allegedly billing Medicaid for medically unnecessary testing services and providing illegal kickbacks in exchange for the testing. The owner was convicted of conspiracy to commit healthcare fraud, violations of the anti-kickback statute, conspiracy to commit money laundering, and money laundering. The scheme defrauded the North Carolina Medicaid program of more than $11 million.

In another case involving a medical device manufacturer, the National Association of MFCUs partnered with federal agencies to investigate allegations that misled federal healthcare programs regarding the radio-frequency emission generated by some of its devices that could potentially interfere with other devices that use the same radio-frequency spectrum. The company agreed to pay more than $12 million to settle the allegations.

Although healthcare fraudsters continue to steal, scheme, and conspire to steal federal and state healthcare program funds, these enforcement result show that the government is also having a certain amount of success in recovering taxpayer dollars and punishing fraudsters.

For more on , click here.

In the most recent scheme, scammers are using enrollees’ personal information to submit monthly bills to Medicare for “medically unnecessary” urinary catheters that may or may not actually be sent to the Medicare enrollee, according to a from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG).

In this scam, an “unscrupulous” durable medical equipment company will claim that “they work for Medicare or are calling on behalf of Medicare鈥�, yet the fraudster’s goal is to obtain the enrollee’s Medicare number. Often, the durable medical equipment company pays a provider with no relationship with the enrollee to sign an authorization for the durable medical equipment.

Medicare fraud might not be the only risk 鈥� these illicit actors can also use the Medicare enrollee’s personal information to perpetrate other financial fraud schemes.

Other recent durable medical equipment fraud schemes

Although the Medicare fraud catheter scam is the most recent, durable medical equipment schemes are a favorite of healthcare fraudsters. Often relying on kickbacks to unethical medical professionals, telemedicine and telemarketers will partner to mislead seniors into providing their personal information and Medicare numbers. The scammers then use that information to submit false claims for reimbursement to the federal Medicare program.

Knee and back brace scam

The owner of two telemedicine companies, Steven Richardson of Parkland, Fla., agreed to plead guilty to one count of conspiracy to commit healthcare fraud in February, for his role in a involving medically unnecessary durable medical equipment, including back and knee braces.

Over several years, Richardson’s companies entered into business arrangements with telemarketing companies that “generated leads by targeting” Medicare enrollees. The telemarketers then paid Richardson鈥檚 companies on a “per-order basis” to generate physician orders for durable medical equipment for the enrollees.

In order to perpetrate the fraud, Richardson worked with medical staffing companies to find doctors and nurses who would “review and sign prepopulated orders.” Although the medical records falsely documented that these medical providers had performed medical examinations of the enrollees, in reality, they rarely had any contact with the enrollees.

Richardson then provided the signed orders to the telemarketing companies so they could sell the falsified orders to durable medical equipment suppliers. The suppliers would then bill Medicare for providing the medically unnecessary knee and back braces whether or not they actually sent the braces to enrollees.

Richardson faces up to 10 years in prison and a fine of up to $250,000 or “twice the gross gain or loss” from the scheme, whichever is greater.

Orthotic brace scam

In a similar scheme involve fraud of $136 million, Jean Wilson, of Richmond Hill, Georgia, pleaded guilty to conspiracy to commit healthcare fraud and wire fraud on March 8. Wilson was a licensed nurse practitioner in New Jersey who owned two telemedicine companies and two orthotic brace suppliers.

Through her companies, Wilson to “sign prescriptions” for Medicare enrollees for “orthotic braces and prescription drugs” that were medically unnecessary, not covered by Medicare, or not provided to enrollees. During the conspiracy, Wilson and others submitted false and fraudulent claims to Medicare in excess of $136 million. The Medicare program paid “at least $66 million for these claims.”

Wilson faces up to 20 years in prison and has agreed to pay more than $66 million in restitution to Medicare and the IRS.

Preventing Medicare durable medical equipment fraud schemes

Medicare enrollees can protect themselves and taxpayer dollars from durable medical equipment fraud schemes. The OIG offers the following tips:

• • • If you receive a call from someone offering you free durable medical equipment or services that will be billed to Medicare, hang up immediately.
    • Be suspicious of anyone who offers you free medical equipment and then requests your Medicare number. If your personal information is compromised, it may be used in other fraud schemes.
    • If medical equipment is delivered to you, don’t accept it unless it was ordered by your personal physician. You can refuse the delivery or return it to the sender. You should also keep a record of the sender’s name and the date that you returned the items.
    • Carefully review any explanation of medical benefits documents you receive. Look for any durable medical equipment or services you did not order or did not receive.
    • Medicare enrollees should be cautious of unsolicited requests for Medicare numbers. No one other than your provider鈥檚 office should ever request your Medicare information.

The pervasive use of telemarketing and targeted internet and television ads can leave Medicare enrollees vulnerable to healthcare fraudsters and awareness of these schemes may be the best protection.

Ongoing HIPAA compliance is crucial for healthcare organizations to maintain trust with patients, avoid costly penalties for non-compliance, safeguard sensitive data from breaches, and uphold ethical standards in healthcare delivery, all of which ultimately promote better patient care and outcomes, and confidentiality.

Traditional methods of HIPAA compliance

Complying with HIPAA poses unique challenges for home health agencies due to the direct provision of care to patients in their homes, which can often require more stringent measures to ensure the confidentiality and security of patient information outside of traditional healthcare settings.

Historically, most home health agencies have relied on methods such as limiting access to patient records, implementing secure communication channels, and internal auditing to meet the objectives that HIPAA was created to meet. While these methods have been effective to a certain extent, more often than not, they were not good enough to address the evolving landscape of data security and other threats.

With the ever-changing technological, regulatory, and operational environment, however, home health agencies today are racing to adopt more effective solutions 鈥� including digital solutions 鈥� to tackle these challenges and to ensure and enhance HIPAA compliance and patient data security.

Proactive HIPAA compliance measures

There are some more forward-looking and proactive compliance measures used in regard to HIPAA, including:

1. Holding regular staff training and education

Regularly updated and ongoing staff training is a critical component of ensuring continued HIPAA compliance. This means making sure that your staff 鈥� especially your and other home care workers 鈥� knows the latest HIPAA rules, understands why patient privacy matters, and learns how to handle patient information safely.

2. Conducting regular risk assessments

Risk assessments are essential for identifying potential vulnerabilities in data security and other possible operational lapses. By conducting regular assessments, agencies can proactively identify areas of weakness and take appropriate measures to mitigate them. should cover both physical and electronic aspects of data security, including access controls, network security, and data storage.

3. Implementing strong data security measures

Implementing strong data security measures is essential to proactively address potential breaches and maintain compliance standards in home healthcare. All electronic devices and communications channels used in operational work must have the strongest possible encryption to best prevent unauthorized access to patient data. Additionally, employing secure authentication methods, such as multi-factor authentication, adds an extra layer of protection against data breaches.

4. Developing a comprehensive incident response plan

Despite the best preventive measures, data breaches may still occur. That’s why home healthcare agencies need to have a comprehensive in place.听This plan should outline the steps to be taken in the event of a breach, including notifying affected individuals, reporting the incident to the appropriate authorities, and conducting a thorough investigation to determine the cause of the breach.

5. Reviewing and updating policies and procedures

HIPAA regulations are not static but are instead subject to change and updates over time. Home healthcare agencies need to stay abreast of these changes and ensure that their policies and procedures are updated in line with the latest requirements.

The role of technology in HIPAA compliance

Technology has revolutionized many aspects of healthcare, including home health agencies’ ability to provide efficient and effective care to patients. However, while technology offers numerous benefits, it also presents challenges and potential risks, particularly concerning HIPAA compliance. Indeed, technology has both helped and hurt home health agencies in regard to their HIPAA compliance, and agencies would be wise to examine the ways in which they use technology.

Common technology

For example, some of the most common technology used in HIPAA compliance include:

Electronic health records 鈥� Electronic health records systems streamline the documentation process, making it easier for agencies to maintain accurate and comprehensive patient records. These systems often include built-in security features such as encryption and access controls, which help safeguard patient information from unauthorized access or breaches.

Telehealth and remote monitoring 鈥� Telehealth platforms enable home health agencies to deliver care remotely, reducing the need for in-person visits and improving access to healthcare services. Remote monitoring devices allow for real-time tracking of patients’ vital signs and other health data, allowing for early intervention and proactive management of chronic conditions.

Secure messaging and collaboration tools 鈥� Secure messaging platforms and collaboration tools enable healthcare providers to communicate and share patient information securely, enhancing care coordination and collaboration among multidisciplinary teams. These tools often incorporate encryption and authentication mechanisms to protect sensitive data from interception or unauthorized access.

Cloud computing and data storage 鈥� Cloud-based storage solutions offer scalable and cost-effective options for storing and managing vast amounts of patient data. Cloud providers typically implement robust security measures and compliance standards, such as encryption and data segregation, to protect sensitive information stored on their infrastructure.

Technology challenges

Of course, there are challenges to the use of technology in HIPAA compliance as well, including:

Cybersecurity threats 鈥� The increasing reliance on interconnected systems and digital platforms exposes home health agencies to cybersecurity threats such as malware, ransomware, and phishing attacks. A successful cyberattack can compromise patient data, disrupt operations, and result in costly data breaches or HIPAA violations.

Mobile devices and bring-your-own-device policies 鈥� The proliferation of mobile devices and bring-your-own-device policies introduces additional security risks, as these devices may lack adequate security controls or are vulnerable to unauthorized access. Home health agencies must implement robust mobile device management solutions and enforce policies to ensure the secure use of mobile devices for accessing and transmitting patient information.

Complex regulatory landscape 鈥� The rapid pace of often outpaces regulatory guidelines and standards, making it challenging for home health agencies to keep pace with evolving compliance requirements. Compliance with HIPAA and other healthcare regulations requires ongoing monitoring, assessment, and adaptation to any changes in technology and industry best practices.

Data breach liability 鈥� Home health agencies are legally and ethically responsible for safeguarding patient information and preventing data breaches.

Conclusion

The benefits that accrue to your home health agency or organization from complying with HIPAA regulations far outweigh the cost of doing so. The consequences of a can be bad enough for any organization, but when coupled with the reputational damage that may follow, agencies may find it hard to recover from these setbacks. Hence, the importance of ongoing HIPAA compliance cannot be overstated.

Similarly, the application of technology in home healthcare has brought both opportunities and challenges for ensuring HIPAA compliance. While these technological advancements enhance patient care and collaboration, they also introduce new risks, some of which can very easily lead to a HIPAA violation if extreme caution is not taken.

Therefore, it is critical that home health agencies strike a balance between leveraging technology to improve efficiency in their operations and maintaining rigorous safeguards to protect patients鈥� privacy and data security.

From the beginning of the pandemic public health emergency in March 2020 through June 2023, approximately were “found guilty or liable” in pandemic-related fraud cases, according to the U.S. Government Accountability Office (GAO). And more fraud schemes are uncovered every day.

Pandemic-related relief program fraud often involves two common methods: i) , which involves “willful misrepresentation in order to improperly obtain a benefit for a beneficiary or at their expense”; and ii) identity fraud, which “uses the theft of personal information to obtain benefits.” Of course, many schemes combine both methods to perpetrate the fraud.

Enforcement actions in Q3

Below are a few examples of pandemic-related fraud enforcement actions from the third quarter.

On July 31, a New Jersey tax preparer was charged with from the Internal Revenue Service (IRS) by filing more than 1,000 tax returns falsely claiming pandemic-related employment tax credits. According to the allegations, from November 2020 to May 2023, the tax preparer prepared and submitted 1,387 false forms to the IRS claiming pandemic-related tax credits for himself and his clients. He also misrepresented to his clients that the “government was giving out pandemic-relief money for businesses and that they were eligible for the money simply because they had a business.” He then submitted forms on behalf of their businesses that “grossly overstated” the number of employees and the amounts of wages paid. He also charged his clients a fee up to 15% of the refund they received based on his false filings.

On August 4, a federal jury in Baltimore convicted a Maryland doctor for his role in submitting more than to Medicare and a commercial insurer for patients who received COVID-19 tests at his testing sites. The physician owned and operated “multiple drive-through COVID-19 testing sites” and directed employees at the testing sites to bill for “high-level evaluation and management visits” for each patient in addition to the COVID-19 tests. However, the patients were not receiving any care at the visits and were only being tested for COVID. The jury convicted the physician of five counts of healthcare fraud.

On August 23, the U.S. Department of Justice released the results of a that included 718 enforcement actions for offenses related to more than $836 million in alleged pandemic-related fraud. The actions included criminal charges, civil charges, forfeitures, guilty pleas, and sentencings. Criminal charges were filed against 371 defendants and another 119 defendants pleaded guilty or were convicted at trial during the sweep. Courts also ordered more than $57 million in restitution, and prosecutors secured an additional $231.4 million through forfeiture. More than $10.4 million in judgments resulted from 117 civil actions. The enforcement actions included charges related to pandemic-related unemployment insurance benefit fraud as well as fraud against pandemic-related Small Business Administration (SBA) programs. Other actions involved healthcare and tax fraud.

On September 7, to their roles in a scheme to “file fraudulent loan applications” for approximately $7.6 million in forgivable Paycheck Protection Program (PPP) loans that the SBA guaranteed under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Between April and September 2020, the brothers allegedly conspired to submit eight fraudulent PPP loan applications that contained false statements about the payroll expenses of companies they owned or controlled. As part of the scheme, they submitted IRS forms that had never been filed with the IRS and “fraudulent payroll registers.” The brothers pleaded guilty to conspiracy to commit bank fraud and wire fraud.

Unemployment insurance fraud during the pandemic

The estimated total fraud across all unemployment insurance programs during the pandemic was 11% to 15% of the total benefits paid, according to a . This amounts to between $100 billion and $135 billion for the period from April 2020 to May 2023.

Unfortunately, recovery from these pandemic-era programs has been “” because of the “large amounts of identity fraud in which unknown suspects used stolen identities to receive unemployment insurance benefits.” Recoveries from unemployment insurance fraud are also more difficult because benefits are paid at the state level, so enforcement actions require interagency cooperation. To that end, the federal government has provided significant funding to the states to support their fraud prevention and recovery efforts.

As of May 1, about $5.3 billion in fraudulent unemployment insurance overpayments and have recovered about $1.2 billion.

Through January 1, the federal government provided more than to help the country respond to and recover from the global COVID-19 pandemic. With that amount of money spent, it is certain that more fraud schemes will be uncovered in the months and years to come.

Providing healthcare services

The use of AI in healthcare continues to gain momentum with studies confirming its effectiveness in diagnosing some chronic illnesses, increasing staff efficiency, and improving the quality of care while optimizing resources. In fact, AI is already to help diagnose patients, for drug “discovery and development,” to improve physician-patient communication, and to transcribe medical documents.

Because there are typically large data sets available, including images, that can be applied to well-defined problems, AI has successfully diagnosed conditions requiring visual comparisons. For example, Google developed and trained AI to diagnose and grade diabetic retinopathy. It diagnosed patients quickly, served as a second opinion for ophthalmologists, detected the condition earlier, and reduced barriers to access. Now, researchers at Stanford have developed an algorithm that can review X-rays to detect 14 pathologies in 鈥�.鈥�

The use of AI assistants and chatbots also can improve patient experience by helping patients find available physicians, schedule appointments, and even answer some patient questions.

Access to these tools can also assist physicians in identifying treatment protocols, clinical tools, and appropriate drugs more efficiently. Providers are also taking advantage of AI to document patient encounters in near real-time. Not only does this , but it can increase efficiency and reduce provider frustration with the time-consuming documentation tasks. Not surprisingly, some hospitals and providers also are using AI tools to verify health insurance coverage and prior authorization of procedures, which can reduce unpaid claims.

Although AI has demonstrated that it is as accurate in diagnosing conditions or recommending treatment protocols, 60% of Americans said if their healthcare provider relied on AI to diagnose conditions or recommend treatments, according to a Pew Research Center poll. Concerns that AI would make the patient-provider relationship worse was a factor for 57% of respondents, according to the poll, while only 38% said they thought AI would “lead to better health outcomes.”

Racial and gender bias

Beyond concerns about the effectiveness of AI, there are also concerns about the in the underlying algorithms. Some studies have found race-based discrepancies in the algorithms and limitations due to the lack of healthcare data for women and minority populations.

In a May 2022 report on the听, Deloitte identified the need to reevaluate long-standing clinical algorithms to help ensure that all patients receive the care they need. Deloitte recommended forming teams to evaluate clinical algorithms, how race is used in the algorithm, and whether “race is justified.”

The Deloitte report also identified “long-standing issues around the听听of race and ethnicity data in health care 鈥� due to both lack of standards and misconceptions.” The report noted Centers for Disease Control and Prevention findings that race and ethnicity data were not available “for nearly 40% of people testing positive for COVID-19 or receiving a vaccine.”

The American Medical Association (AMA) has for the development and use of AI in healthcare that emphasize the use of population-representative data and takes steps to address explicit and implicit bias and transparency in the use of AI for healthcare. The AMA also encourages the use of augmented AI rather than fully autonomous AI tools.

Regulators have also taken notice of the potential for bias in healthcare AI. California Attorney General Rob Bonta sent letters to across the state last year “requesting information about how healthcare facilities and other providers are identifying and addressing racial and ethnic disparities in commercial decision-making tools.” The letters are the first step in an investigation into whether commercial healthcare algorithms have discriminatory impacts based on race and ethnicity.

In contrast to these findings, the Pew Research Center poll found that “among the majority of Americans who see a problem with racial and ethnic bias in health care,” a majority (51%) thought the problem of “bias and unfair treatment” would improve with the use of AI.

Privacy of health data

The sharing of private health data to train and use AI tools is another serious concern. Training AI algorithms requires access to vast amounts of underlying data while the use of the tools creates a risk of exposure of such data either because the tool memorizes and retains the information or because third-party vendors may be exposed to data breaches.

Although many AI tools are developed in academic research centers, partnering with private-sector companies is often the only way to . At times, these partnerships have resulted in the poor protection of privacy and cases in which patients were not always given control over the use of their information or were not fully informed about the privacy impacts.

Studies have also found that AI tools can re-identify individuals whose data is held in health data repositories even when the data has been anonymized and scrubbed of all identifiers. In some instances, the AI can not only re-identify the individual, it can about the individual鈥檚 non-health data.

Healthcare entities and their third-party vendors are particularly vulnerable to data breaches and ransomware attacks. The healthcare industry, which is especially vulnerable to attack, also reported the most expensive data breaches, with an average cost of $10.93 million, according to IBM Security’s for 2023.

As with most privacy issues, states are leading the way in the effort to protect individual privacy as AI use expands in healthcare. Currently, 10 states have AI-related regulations as part of their ; however, only a handful of states have proposed legislation specific to the privacy of data or the use of AI in healthcare.

As the use of AI expands in healthcare, all parties involved in the process must be aware of and work to avoid the known risks of bias or loss of privacy. With awareness of the risks, the benefits for patients and providers could be vast.