HIPAA and health care fraud: An empirical perspective

The Health Insurance Portability and Accountability Act passed Congress nearly unanimously in 1996. When HIPAA was considered, the focus of attention was portability. Little or no attention was paid to the statutory provisions relating to "accountability"-fraud control, for those unfamiliar with inside-the-beltway

euphemisms. Ironically enough, the extent to which these ends were accomplished turned out be the inverse of the attention that was paid to them. The portability provisions have had relatively little impact on the portability of health care benefits, while the drive for accountability has resulted in an unprecedented number of civil and criminal enforcement actions; the transfer of billions of dollars from providers and insurers to the federal government and whistleblowers; the expenditure of tens of millions of dollars on lawyers, accountants, consultants, and compliance programs; and vehement protests by providers.

Contemporaneous statements by program administrators and law enforcement personnel certainly suggested that there was a desperate need for more accountability in health care. Bruce Vladeck, the then-- administrator of the Health Care Financing Administration, wrote in the Journal of the American Medical Association that there was "an enormous increase in health care fraud and program abuse ... [and] considerable temptations are cropping up for those unable to resist the quick buck" (Vladeck 1995: 776). The Department of Health and Human Services (2000) unveiled "Operation Restore Trust," a sweeping fraud control program for Medicare and Medicaid, and it enlisted the assistance of members of the American Association of Retired Persons to act as "fraud-busters."2 FBI Director Louis Freeh testified before the Senate Committee on Aging that cocaine traffickers in Florida and California were switching from drug dealing to health care fraud, because it was safer, more lucrative, and less likely to be detected (Shogren 1995). Governmental reports similarly suggested that organized crime viewed health care fraud as a growth opportunity (General Accounting Office 2000a, 2000b). The popular press breathlessly reported stories of egregious fraud and abuse (see, e.g., Bell 1997, Hedges 1998, and Rundle 1989).

Public perceptions were influenced accordingly. A 1998 survey by AARP revealed that 83 percent of consumers believed health care fraud was extremely widespread or somewhat widespread, and 72 percent of consumers believed Medicare would be in no danger of going broke if fraud and abuse were eliminated. Fully 53 percent believed health care fraud was increasing (Sparrow 2000: xvi-xvii).

As with many areas of health policy, colorful anecdotes and political statistics have played a major role in framing perceptions of the frequency and severity of health care fraud and abuse.3 This article presents a more systematic appraisal of the problem of health care fraud and abuse and the strategies employed to address it, including those embodied in HIPAA.4 In particular, the article focuses on what we know, don't know, and know that isn't so about health care fraud, abuse, and fraud control.

The Statutory and Administrative Framework for Health Care Fraud Control

The Existing Framework

When Medicare and Medicaid were enacted in 1965, a single provision prohibited the making of false statements to secure reimbursement (Sage 1999: 1179). Matters did not remain in this pristine form for long. In relatively short order, a complicated interlocking array of health-care-specific civil, criminal, and administrative anti-fraud laws and regulations were enacted by the states and the federal government, along with multiple levels of investigative and enforcement agencies. Although the aggressiveness with which health care fraud has been pursued has waxed and waned over the intervening decades, we are currently at an all-time high in terms of the level of enforcement and the associated "law and order" rhetoric.

Primary responsibility for enforcing federal criminal laws regarding health care fraud rests with the Department of Justice, and the individual U.S. attorneys. The Federal Bureau of Investigations plays a major role in assisting the DOJ in investigating and developing health care fraud cases. Within the Department of Health and Human Services, the Office of Inspector General is responsible for investigating fraud cases and bringing enforcement actions involving administrative sanctions. Individual states have their own Medicaid fraud control units, and local prosecutors can bring such cases as well. A number of private companies who contract with the Centers for Medicare and Medicaid Services to administer various aspects of the Medicare program have some responsibilities in this area as wells Finally, in certain circumstances, private parties can pursue health care fraud through a civil lawsuit, although the government has the option of taking over the case.

In dealing with health care fraud and abuse, these entities can choose among a wide array of criminal, civil and administrative responses (see Schofield and Weaver 2000; Bucy 1996). On the criminal side, offenses can be addressed with general statutes or with healthcare specific statutes.6 The range of possible punishments for these criminal offenses goes all the way up to life imprisonment.

On the civil side, the False Claims Act creates a cause of action against individuals or entities who knowingly present a false claim to the government. No specific intent to defraud is required, and suit can be brought by the federal government or a private plaintiff. Private plaintiffs who sue under the FCA are known as "qui tam" relators, and they are entitled to a share of the eventual recovery. The amount varies depending on whether the government joins the case or not. Historically, the vast majority of the cases that the government does not join have foundered (Kovacic 1996: 1817-18). It remains to be seen whether the same pattern will apply to health care cases brought by qui tam relators, because the high stakes may induce defendants to settle, regardless of whether the government joins the case or not.

The FCA specifies that violators are liable for a statutory penalty of $5,500 to $11,000 per claim, in addition to three times the amount of damages sustained by the government because of the false claim. Because most health care providers typically submit a large number of modest claims, this structure means that statutory penalties generally dwarf actual damages, and quickly rise to staggering levels-as much as $1.1 million for every 100 false claims, irrespective of the dollar value of the false claims.8

In recent years, a flourishing qui tam bar has emerged and FCA claims have been transformed. The traditional FCA litigation involved claims for services that were not actually provided, or were provided in a manner quite different than was claimed. More recent cases have involved the use of the FCA to enforce other program rules or norms, including compliance with the anti-kickback statute, the self-referral statute, and minimum quality standards (Hyman 2001). False claims litigation involving allegations of substandard care have been brought against a number of nursing homes and psychiatric hospitals, and government representatives have announced their willingness to use the FCA against managed care organizations (MCOs) who fail to provide high-quality care to program beneficiaries (Peterson 2000: 74-79; Kalb 1999: 1164).

Finally, there are administrative penalties for violation of a wide range of program requirements, such as the ban on self-referral. The sanctions include substantial civil monetary penalties and program exclusion.

This fraud control regime helps ensure that more than one million providers, filing more than a billion claims per year, comply with an exceedingly complex administered pricing system. Providers routinely complain about the complexity and volume of the rules with which they must comply. As one health lawyer observed, providers "need a U-Haul trailer to carry the statutes, regulations, general instructions, Intermediary and Carrier pronouncements, etc., to which they are required to adhere" (Epstein 1998).

Not surprisingly, the complexity of the system leads to frequent disputes. Indeed, studies of coding accuracy paint a dismal picture. One study found that family physicians agreed with expert coders (who themselves were not in perfect agreement) 52 percent of the time for established patient progress notes, and 17 percent of the time for new patient progress notes. Family physicians undercoded 33 percent of established patients and overcoded 81 percent of new patients (King, Sharp, and Lipsky 2001; see also Iezzoni 1999).

Although such disputes were traditionally handled informally or appealed to the Provider Reimbursement Review Board, providers now complain about the "criminalization" of billing disputes. In this setting, the FCA makes it possible for the government and qui tam relators to behave strategically and extract the health care equivalent of "greenmail" (Human 2001, Sage 1999, Reinhardt 2000).1 Providers who believe they are blameless are under tremendous pressure to settle, because of the legal expenses associated with mounting a defense and the high probability of bankruptcy and professional disgrace if the jury does not see things the same way the provider does. Even if program administrators are inclined to overlook such disputes, fraud control personnel and qui tam relators are not bound by that determination, and have tended to take a much harder line on the subject of regulatory compliance (Hyman 2001).

HIPAA

HIPAA changed the fraud control framework in two substantial ways. It stiffened and federalized much of the law of health care fraud, and it created structural incentives to pursue such conduct, by creating three new programs and implementing a continuing stream of funding dedicated to fraud control.

The Federalization and Stiffening of Fraud Law. HIPAA criminalized a wide array of conduct involving public and private health care benefits by creating the new offense of health care fraud, and applying pre-existing prohibitions of theft, embezzlement, false statements, obstruction of a criminal investigation, and money laundering to private health plans and contracts (Faddick 1997). HIPAA also authorized law enforcement personnel to employ administrative subpoenas, civil forfeiture, and injunctive relief, and it ratcheted up the sanctions for violating program requirements. HIPAA dramatically increased the applicable civil monetary penalties, added new offenses that trigger permissive or mandatory exclusion from Medicare, specified minimum periods of exclusion, broadened the group of individuals who could be sanctioned in all of these ways, and imposed stiff penalties for violating the new health-care-specific criminal statutes. For example, prior to HIPAA, the crime of health care fraud was typically prosecuted as mail fraud or a false statement, subject to a substantial fine and sentence of up to five years imprisonment for each count. Pursuant to HIPAA, the crime of health care fraud is subject to a penalty of 10 years imprisonment and a substantial fine, unless the violation results in serious bodily injury (20 years) or death (life imprisonment).

Structural Incentives and Funding. HIPAA created three distinct new programs: the Fraud and Abuse Control Program (Control Program), the Medicare Integrity Program (Integrity Program), and the Beneficiary Incentive Program (Beneficiary Program).

The Control Program, which is jointly administered by the Attorney General and the Secretary of HHS, is designed to coordinate and systematize fraud control efforts at all levels of government. The Control Program is intended to make it easier for the government to conduct investigations, audits, and evaluations and inspections relating to the delivery and payment for health care. Data are expected to be shared with public and private third-party payers.

The Integrity Program allows HHS to contract with private companies to perform a variety of functions relating to fraud control, including detection, auditing, utilization review, and education of providers, beneficiaries, and the public. Prior to the enactment of the Integrity Program, some of those tasks were performed by CMS but most were handled by the carriers and intermediaries CMS contracted with to handle claims processing. Carriers and intermediaries had historically demonstrated little interest in fraud control, because it was not their money they were paying out, and they were historically judged on how quickly and cheaply they had paid claims (Hyman 2001; Vladeck 1995: 766; Sparrow 2000: 117-99). Program administrators are often unenthusiastic about fraud control as well. Professor Malcolm Sparrow (2000: 125) notes some of the factors that encouraged carriers, intermediaries, and program administrators to place fraud control at the bottom of their list of priorities:

Officials whose job it is to make processes more efficient or streamlined or predictable resent the obstacles to performance placed in their way by those who concentrate on exception monitoring. To the managers of these high-volume processes, the fraud investigators seem irritatingly obsessed with an apparently small (and to them, largely insignificant) segment of a colossal transaction load. The processors want to think about the best way to handle the whole load. The investigators or fraud analysts want to think about the best way to handle the exceptions.

The Integrity Program allowed CMS to carve these services out of its existing contracts with its carriers and intermediaries, and enter into new contracts with entities that would focus on fraud control. In 1999, CMS entered into approximately a dozen such contracts.

Finally, the Beneficiary Program offers incentive payments to beneficiaries who provide information that leads to monetary recoveries or the imposition of civil or criminal sanctions. Individuals qualify for a share of the recovery if they provide information leading to the recovery of at least $100, exclusive of criminal penalties. Incentive payments are capped at $1,000.

The most noteworthy feature of these programs is that these structural changes are coupled with dedicated funding sources. The Health Care Fraud and Abuse Control Account (Control Account), which is located within the Medicare Part A trust fund, is used to fund the Control Program. HIPAA specifies the maximum amount of appropriations into the Control Account, subject to a certification of necessity by the Attorney General and the Secretary of HHS. HIPAA provides for initial funding of the Control Account in FY 1997 of $104 million, with increases not to exceed 15 percent per annum through FY 2003. Table I shows actual appropriations into the Control Account for 1997-2000. HIPAA requires a majority of this amount to be employed in support of the activities of the OIG in connection with Medicare and Medicaid. A second dedicated funding source is a mandatory allocation of funding to the FBI of $47 million in FY 1997, with automatic increases of approximately $10 million per annum through FY 2003. Finally, a third dedicated funding source is an automatic appropriation to cover the costs of the Integrity Program, commencing with approximately $430 million in FY 1997, with increases of roughly $50 million per year through FY 2003.

Although some of this funding was a substitute for existing appropriations, the net effect was a dramatic increase in the amounts available to conduct fraud control-coupled with a far greater degree of predictability that such funding will be available in future years. This certainty allows CMS to make a substantial long-term investment in fraud control and not worry that it will compete with other administrative priorities. Because the payback from fraud control is often quite speculative, its funding has a characteristic "boom-bust" cycle (Hyman 2001). Noting the competition between fraud control and other parts of the processing apparatus, Sparrow (2000: 136) observes:

Every extra dollar spent on prudent controls means one dollar less spent on processing, automation, customer service, due process, beneficiary services, or a variety of other inescapable obligations. Fraud controls, once in this zero-sum game, invariably lose .... Minor fluctuations in administrative budgets cause major fluctuations in control resources. These fluctuations, say senior HCFA officials, have disastrous effects on the capacity of investigative units.

To be sure, CMS does not get to "eat what it kills." HIPAA specifies that all fines, penalties, or other recoveries made as a result of the government's fraud control efforts are to be transferred into the Medicare Part A trust fund. Although this structure prevents the government's fraud control system from operating on a pure bounty system, there is still considerable suspicion in the provider community on this point. Indeed, government brochures go out of their way to label this a "common misconception" (Centers for Medicare and Medicaid Services 2000).

What We Know, Don't Know, and Know That Isn't So

What We Know That Isn't So

How common is fraud and abuse? The standard answer, which has attained the status of gospel through repetition, is that 10 percent of expenditures on health care (approximately $120 billion per year) is attributable to fraud and abuse. This figure turns out to be one of those things we know that isn't so.

The original source for this estimate was a General Accounting Office report issued in 1992. The report carefully states that "estimates vary widely on the losses resulting from fraud and abuse, but the most common is 10 percent... of our total health care spending" (General Accounting Office 1992). Subsequent commentators-- including the House Ways and Means Committee Report for HIPAA-have simply asserted a 10 percent rate of fraud.11 Yet all the GAO report indicates is that in a thoroughly unscientific survey of unidentified individuals asking them to estimate the losses resulting from fraud and abuse, the most common answer was 10 percent. It is unclear how many individuals were questioned, what the basis of their knowledge actually was, how many responses were actually given, whether those surveyed were given a choice of figures, or were required to pick a figure on their own, and so on. Although the figure of 10 percent was an effective political statistic, it has no empirical foundation.

Earlier analyses give a better feel for the methodology by which these estimates are generated and their margin of error. In the 1978 OIG annual report, the OIG estimated that Medicaid fraud accounted for $468 million (out of a total program budget of $22.8 billion, or two percent), but cautioned that the number was "incomplete and probably low."12 CMS (then known as HCFA) responded by recommending an estimate of $100 million, or 0.44 percent. The OIG responded, "All agree numbers are soft. IG considers HCFA estimate low."

The same report includes an estimate that "fraud, waste, and abuse in HEW programs amount to $5.5 to $6.5 billion each year." Several years later, an assistant inspector general reflected on how this number was arrived at:

We never could figure out how they came up with that figure. We got a call from the Secretary's office saying that he would be giving a speech in nine days, and wanted an estimate of waste, fraud, and abuse. We sure didn't know about our program, and I doubt that any of the people in other programs had better figures. We sent in some figures-we had to-and I guess the Secretary's people just added up all the guesses. Since 1978, we've been smart enough not to even try to come up with a figure [Gardiner and Lyman 1984: 3-4].

The most candid response on the subject came in 1977 from the Congressional Budget Office, in response to a question about the likely fiscal impact of creating Medicaid fraud control units: "The unknown magnitude of fraud and abuse presently extant in the programs makes it impracticable to project the actual cost impact of this measure at this time" (Senate Finance Committee 1977). To summarize, no one knows the actual incidence of fraud and abuse in health care-and the widely disseminated figure of 10 percent is one of those things we know that isn't so.

What We Know

Anyone looking for good empirical data on health care fraud and abuse should get used to disappointment. Most of the available data are impressionistic and anecdotal. However, there are four data sources that provide a more concrete and systematic perspective on the issue. The first is performance statistics on the government's fraud control efforts, collected from a number of different sources. The second is a series of studies conducted by the OIG over five years, examining the frequency of overpayment in the fee-for-service portion of the Medicare program. The third is a series of GAO studies evaluating how fraud control is actually implemented by the responsible agencies. The last is an analysis using Lexis and Westlaw of the number of cases in which particular provisions in HIPAA were employed.

Fraud Control Performance Statistics. Tables 1 and 2 collect a variety of performance statistics on the government's fraud control efforts, using process and outcome-based measures. Table 1 reflects a dramatic increase over the past six years in the financial and personnel "inputs" to health care fraud control. Table 2 demonstrates an equally dramatic upward trend in civil, criminal, and administrative enforcement. As one might expect, the trends in Table 2 parallel but slightly lag the trends in Table 1.

Table 3 documents a somewhat similar pattern for FCA cases brought by qui tam relators against health care providers and insurers, although the time frame over which there were increases is quite different. Qui tam filings were flat during 1988-92, and then began trending upward, with the greatest percentage increases in 1993 and 1996, with much more moderate increases in 1994 and 1998, and modest downticks in 1995 and 1997. (Although figures are available regarding the total number of qui tam cases filed during 1999 and 2000, the Department of Justice no longer provides a breakdown of the extent to which the cases are attributable to health care.)

Overpayment Statistics. Over the past five years, a series of audits by the OIG have quantified "improper payment rates" in the fee-forservice part of Medicare. These audits involved the randomized identification of a small number of program beneficiaries, whose medical records were reviewed to determine whether the payments made by the Medicare program were "proper." These "desk audits" did not involve any contact with the patients to determine whether they agreed that the services in question had been provided (Sparrow 2000: 91-93). Payment was classified as improper for one of four reasons: unsupported services (i.e., inadequate documentation), medically unnecessary services, improper coding, or uncovered services. As Figure 1 reflects, over the past five years, improper payments ranged from 7 to 14 percent of the total Medicare fee-forservice budget. Although inadequate documentation accounted for the largest percentage of overpayments in three of the five years, and lack of medical necessity accounted for the largest percentage of overpayments in the other two years, there was considerable year-by-- year variation in the percentage of overpayments attributable to these reasons.13 On average, unsupported services and lack of medical necessity accounted for 78 percent of annual overpayments. These figures are frequently cited as a measure of Medicare fraud and abuse, but they were not designed for that purpose and, in fact, do not measure it. Indeed, there are good reasons to question whether these figures are even a valid measure of "overpayment," because a substantial percentage of coverage denials are routinely overruled on appeal (Blanchard 1999: 94, n. 17). On the other hand, a paper audit will not identify instances where fraudulent supporting documentation was submitted.

IMAGE TABLE 37

TABLE 1

IMAGE TABLE 42

TABLE 2

Fraud Control Law in Action. Law on the books is one thing; law in action is another. We might be (relatively) unconcerned about laws broadly criminalizing health care fraud if we believed they were only used against their "intended" targets. Yet, if provider complaints are any guide, the government's fraud control efforts routinely target blameless providers (Jost and Davies 1999, Eiland 1999). Provider complaints range from the typical bureaucratic absurdities (valet parking attendants must receive compliance training) to the use of heavy-handed tactics by fraud control personnel, to attacks on the merits of particular anti-fraud initiatives (Hyman 2001, Albert 2001). Fraud control personnel and their defenders have responded with a blizzard of statistics demonstrating the rarity with which criminal prosecutions and civil penalties are imposed, anecdotes indicating the seriousness of the conduct which is actually pursued, reassurance that they are not interested in pursuing innocent violations, and condemnation of scare-mongering by providers and their lawyers (Jost and Davies 1999, Morris and Thompson 1999, Thornton 1999).

IMAGE TABLE 47

TABLE 3

Sorting this issue out requires a systematic appraisal of the government's behavior across all cases, including those that the government did not pursue at all, those in which the government "settled" for the return of overpayments, and those in which the government went for maximal penalties. Needless to say, these data are not available. Short of that, the available evidence provides some support for both sides in the debate. Table 2 suggests that although there has been a major increase in fraud control efforts in recent years, relatively few of the more than one million Medicare providers have been targeted. Indeed, from an economic perspective, there is compelling evidence of underenforcement of these laws. Fraud control personnel have noted that every additional dollar spent on fraud control saves between $10 and $25.14 The Congressional Budget Office has employed lower figures, ranging between $7 and $8.15 These statistics suggest that these programs are (and have been) substantially underinvesting in fraud control.

IMAGE GRAPH 51

FIGURE 1

At the same time, publicly available information on two enforcement initiatives suggests that there is something to provider complaints-and that the government and qui tam relators have, in fact, been leveraging the threat of severe sanctions into ex post discounts. Over several years, the OIG conducted a number of enforcement initiatives aimed at hospital billing practices, including bills for unbundled laboratory charges (Operation Bad Bundle), and services provided at a teaching hospital (Physicians at Teaching Hospitals, or PATH).16

Operation Bad Bundle was aimed at the "unbundling" of billings by hospitals for outpatient clinical laboratory tests. The government took the position that hospitals were required to "bundle" their billings for automated blood chemistry tests and the failure to do so constituted a violation of the FCA. The hospitals disagreed, although their efforts to obtain judicial review of the issue were not particularly successful.17 Five separate U.S. Attorney's Offices sent out letters to a large number of hospitals, alleging or implying they had violated the FCA, and could be liable for three times the overpayments, along with the statutory penalties. The letters offered the hospitals the choice of conducting an independent self-audit, and paying two times the amount of identified overpayments.

Hospitals viewed these letters as coercive if not extortionate, and complained loudly about the tone and content. However, the selection criteria employed by the U.S. Attorney's Offices are more troubling; of the five offices that participated in Operation Bad Bundle, the GAO concluded that four had a questionable basis for deciding to which hospitals to send the letters.18 One U.S. Attorney's Office sent letters to the two dozen largest billing hospitals in the state, without any evidence that they had been unbundling. Three U.S. Attorney's Offices sent letters to approximately 120 hospitals without sufficient evidence indicating a violation of the FCA. At one of the offices, when hospitals did not promptly volunteer for self-audits, they were warned that the government would seek full FCA penalties if the U.S. Attorney's Office had to conduct the audit itself. Some of these hospitals settled on terms that required them to return "overpayments" totaling approximately $50 million. Many of the remaining cases were dropped after a year or more of investigation revealed insignificant billing errors or failed to substantiate the necessary elements of a FCA violation. Given the potential exposure, these hospitals almost certainly incurred substantial costs for accountants, billing consultants, and attorneys-all to respond to demand letters for which there was an inadequate evidentiary basis in the first place.

The PATH audit focused on whether there was adequate documentation of the involvement of an attending physician in the care of an inpatient at a teaching hospital, and whether Medicare was appropriately billed for the services that were provided. " The University of Pennsylvania Hospital settled a PATH dispute for $30 million, and Thomas Jefferson University Hospital did so for $12 million. Dartmouth-Hitchcock Medical Center was found to have no significant billing improprieties. Representatives of academic medical centers condemned the PATH initiative for retroactively applying new billing standards, and coercively employing the FCA, and unsuccessfully sought to have it enjoined (Cohen and Dickler 1997: 1320).

As with Operation Bad Bundle, the selection of hospitals for audit raises some questions. The OIG originally intended to audit every major teaching hospital and faculty practice plan in the nation. Dartmouth-Hitchcock was selected for audit although there was no significant evidence of compliance problems, and some evidence to the contrary. After a ten-month audit that cost Dartmouth-Hitchcock approximately $1.7 million, the OIG concluded the hospital had been overpaid by $778.

Although the University of Pennsylvania Hospital and Thomas Jefferson Hospital paid a substantial amount of money to settle these cases, representatives of both hospitals made it clear that they did so only because of the financial risks they faced under the FCA. For example, at the University of Pennsylvania, 1.4 million claims were submitted during the audit period. Hospital personnel calculated that if their records failed to satisfy documentation requirements for as few as two percent of this amount, they would face statutory penalties of $280 million, without considering the tripling of the actual overpayments. Not surprisingly, settling these cases, at almost any price, became the only viable option.

Hospital representatives were sufficiently unhappy with this environment that they mounted an impressive lobbying campaign seeking a moratorium on enforcement actions. When those efforts were unsuccessful, they lobbied Congress to amend the FCA. In short order, a bill creating certain restrictions on the FCA attracted 200 cosponsors in the House of Representatives, despite vehement opposition from the Department of Justice, and the Office of the Inspector General (Sparrow 2000: 66-69; Subcommittee on Immigration and Claims 1998). Among other changes, the law would have precluded the application of the FCA unless the damages from the alleged false claims were "material." The legislative drive was defused only when the Attorney General's Office issued guidelines for the use of the FCA by local U.S. attorneys (Holder; McGinley 1998: A3).

IMAGE TABLE 61

TABLE 4

HIPAA in Action. HIPAA created a number of new health-care specific criminal offenses and tools, but it does not follow that U.S. attorneys are actually employing these provisions. Indeed, U.S. attorneys have historically relied on general criminal statutes to pursue health care fraud, given their greater familiarity with those sets of laws. Accordingly, it is worth evaluating the extent to which the "new and improved" criminal provisions in HIPAA are actually being employed. As Table 4 reflects, my Lexis and Westlaw searches for opinions in cases in the District Courts and Courts of Appeals that cited any of the relevant sections revealed that exceedingly few criminal prosecutions involved the use of any of the provisions found in HIPAA.20 To be sure, Lexis and Westlaw citations are an underinclusive measure because they only reflect cases in which opinions were prepared, but they do provide considerable evidence that U.S. Attorneys continue to rely on traditional criminal statutes in pursuing health care fraud.

Summary. The influx of additional resources has clearly purchased a great deal more fraud control, although criminal enforcement appears to rely on statutes which pre-date HIPAA. Overpayment rates seem to have settled at about seven percent of the Medicare program budget, with lack of documentation accounting for a near majority of the total. Finally, although the enforcement environment has a major influence on whether the fraud control provisions are operating as intended, there is support both for those who believe there is underenforcement and those who believe enforcement efforts are improperly targeting blameless providers, who settle their cases because they can not afford to try them.

Professors Tim Jost and Sharon Davies (1999: 305-13) argue that there is no overenforcement because reputable providers have never had to pay statutory penalties under the FCA, and, at worst, they were only required to return overpayments-sometimes with a modest multiplier. Representatives of the OIG frequently make the same point. The difficulty with this argument is that it is impossible to know whether there were, in fact, "overpayments," or whether the providers were simply refunding money to which they were entitled because the costs and hazards of defending such cases was too high. Indeed, the fact that providers paid over $50 million to settle Operation Bad Bundle cases, when there was little or no evidence supporting the sending of the demand letters by four of the five U.S. Attorney's offices involved in the matter, suggests that this issue can not be resolved simply by examining whether penalties were imposed."

What We Don't Know: Is HIPAA an 800-Pound Gorilla or Much Ado about Nothing?

Unfortunately, it is clear that the little we know about health care fraud and abuse is dwarfed by what we don't know and what we know that isn't so. If the fraud control regime does not cost-effectively target truly undesirable conduct, it will perform poorly by under-- deterring undesirable conduct and over-deterring desirable conduct, while imposing a sizeable compliance-related cost on all transactions (Hyman 2001). It is relatively easy to condemn billing by sham entities, billing for services which were not provided, billing for 12.5 miles of one inch adhesive tape for a single patient (sufficient to wrap the patient from head to toe in adhesive tape six times a day for six months), or billing for the treatment of diaper rash in a nineteenyear-old football player. It is quite another matter when the issue involves novel services delivery arrangements, "creative billing," the consequences of the exercise of clinical discretion, compliance with relational contracts, and other "gray areas" in the law (see Hyman 2001; Sparrow 2000: 140; Mashaw and Marmor 1994). Professor Jim Blumstein (1997) similarly differentiates between "raw fraud," billing decisions requiring contestable judgments, and technical violations of the law that are actually desirable in light of changed market conditions.

There is equivocal evidence on whether provider complaints fairly reflect reality, and slightly more persuasive evidence that the government and private parties are, in some instances, leveraging the threat of severe sanctions into ex post discounts. Jost (1998: 302) points out the basic problem: "as is often true with enforcement of the criminal laws, the reality perceived by law enforcers is very different from the reality perceived by defendants and those who fear that they may become defendants."

How did HIPAA affect health care fraud and fraud control? We cannot simply connect the dots between the passage of a statute designed to enhance "accountability" and the evidence of enhanced fraud control to conclude that credit for an increase in fraud control (and a decrease in fraud and abuse) should be laid at the feet of HIPAA. The 1996 law is only part of the story-and probably not the most important part.

To begin, it is impossible to know whether HIPAA has had any impact on the incidence of health care fraud and abuse, because there is no valid measure or longitudinal data with regard to the frequency and severity of such misconduct. When it comes to fraud control, Tables 1 and 2 certainly suggest that several provisions in HIPAA have had a substantial impact on fraud control. Although it is impossible to separate the impact of the Control Program from the Control Account, the combination of these elements has resulted in a substantial increase in fraud control. For example, there was a dramatic increase in the number of open civil files immediately following the enactment of HIPAA, and there have been less dramatic and slightly lagging increases in the number of criminal cases, convictions, program exclusions, and corporate integrity agreements. The number of open criminal files has also steadily increased, but it has lagged the civil measures, in keeping with the greater difficulties of pursuing criminal cases.

Because the Integrity Program was not implemented until May 1999, it is premature to predict its ultimate impact on fraud control efforts-although it might well account for the dramatic increase in the number of civil fraud filings in FY 2000. However, the long-term impact of the Integrity Program is more likely to be the result of the ability of CMS to contract with entities whose sole concern is fraud control, instead of having to rely on carriers and intermediaries who have little or no interest in the problem.

It remains to be seen whether the Beneficiary Program will have any real effect. Although patients can play an important role in revealing health care fraud, sorting the wheat from the chaff is likely to prove time consuming and expensive. Early indications are not promising. Despite widespread publicity, there have been relatively few payments to beneficiaries, and many of the complaints appear to be attributable to misunderstandings. Indeed, the recording on the Medicare fraud hotline directs callers that they should first attempt to resolve matters with their provider-hardly the strategy one would employ if one viewed the hotline as a gold mine of fraud control tips (Sparrow 2000: 89-90).

Table 3 indicates that there is more to the story of fraud control than HIPAA. The number and percentage of health care qui tam cases has grown substantially over the ten years for which data is available-but the largest percentage increases came in 1993 and 1996. Because HIPAA was not enacted until August, 1996, it could not have had any impact on qui tam filings in 1993, and it is unlikely to have significantly affected qui tam filings in 1996. To be sure, the government can bring FCA cases on its own, and the additional funding and structural resources provided by HIPAA make it easier for the government to initiate and pursue such cases. However, it is the FCA that is the major source of financial exposure and leverage against providers, and it is a serious mistake to give sole credit (or blame) for the government's enhanced fraud control efforts to HIPAA.

Finally, Table 4 offers independent confirmation of the implication of Table 3 that there is more to fraud control than HIPAA. Indeed, Table 4 suggests that the substantive criminal law provisions in HIPAA have had no impact whatsoever, because U.S. Attorneys have continued to rely on traditional criminal statutes to prosecute health care fraud and abuse.22

Purchasing Health Care: Businesslike Government or Governmental Exceptionalism?

Of the $1.2 trillion spent annually on health care in the United States, federal, state, and local governments account for approximately $520 billion, or 46 percent. Medicare and Medicaid alone account for approximately $410 billion, or 34 percent of total U.S. health care spending. As major purchasers of health care services, federal and state governments confront the problem of how they can best purchase the goods and services they require. The debate pivots on whether the government should behave like every other marketplace participant or should behave differently because of its governmental status-"businesslike government" versus "government exceptionalism" (compare Schooner 2001 with Schwartz 1996). A businesslike government model is relatively unencumbered by bureaucratic constraint and internal oversight, and it employs the terms and practices of marketplace transactions as a touchstone for program administration.

Because a governmental exceptionalism model emphasizes quite different norms, it is conducted in a fashion that would never occur in the private sector. The norms in a governmental exceptionalism model are equity, integrity, and economy. As a result, government procurement decisions generally do not consider the past performance of vendors, they discourage informal long-term relationships, and they allow disappointed bidders to sue the government (Kelman 1990). Such behavior is understandably uncommon in the private sector. The differing perspectives are neatly captured as follows:

A businessman who bends the rules is showing flexibility, and a rulebook that is highly general allows scope for individual initiative in the pursuit of profit. A civil servant who does the same is guilty of misconduct, and a rulebook that allows large discretion to the official in dealings with the public is inviting arbitrariness in the treatment of different citizens [Beetham 1996: 321.

Over the past decade, government procurement has moved substantially in the direction of the businesslike government model (Schooner 2001). Thus, it is worth considering how private sector health insurance handles fraud control. Although each company has its own unique arrangements, none are similar to those employed by the government. No private sector health insurer employs contractual provisions analogous to the FCA. Instead, most insurers seem to rely on greater prepayment scrutiny, with nonpayment of questionable or noncovered claims. Although there is an expectation that providers will not deliberately submit improper claims, the nature of the utilization review process is such that there is frequently doubt ex ante as to whether a claim will be covered. In such circumstances, providers are advised to submit claims, and allow the insurer to decide whether it will cover it. If providers adopted such tactics with Medicare or Medicaid, such claims might well be subject to sanctions under the FCA.

If post-payment investigation reveals that a claim for private insurance coverage is improper, the provider is responsible for repayment, but there are no additional contractual penalties. If a private carrier concludes a provider has defrauded them, it can attempt to interest a U.S. attorney or states' attorney in the case, but most cases are resolved through civil channels. A private carrier also has the option to refuse to deal with a particular provider, barring state law to the contrary. The potential for exclusion from a carrier's network provides a powerful source of leverage over recalcitrant providers.

Once businesslike government is the baseline for government procurement, there are substantial reasons for questioning the merits of the current fraud control regime. Indeed, compared to the private sector, the government appears to be "penny wise and pound foolish," in that it under-invests in claims review ex ante, and tries to compensate with very large sanctions for misbehavior ex post. Jost (2000) has suggested that the government employs the FCA to correct for the lack of resources it invests in claims review. Of course, this explanation calls into question the wisdom of Medicare's low administrative overhead-historically its greatest selling point.

The ex post approach might be acceptable on purely economic grounds, although its effectiveness is questionable on psychological grounds (Hyman 2001). The spillover effects resulting from statutory over-inclusiveness also create real difficulties. Indeed, the fraud control system in health care bears more than a passing resemblance to the one condemned as "obviously undesirable" by the First Circuit in United States v. Data Translation Inc.: "[A] system that lays down a literal rule with which compliance is inordinately difficult, turning nearly everyone into a rule violator, and then permits the agency to pick and choose when and where to enforce the rule." 23

Worse still, the existence of the FCA is a significant disincentive to contract with the government at a time when there are difficulties keeping providers in the Medicare market (Serafini 2000). There have also been noted isolated cases of physicians refusing to treat Medicare patients because of these risks, or closing their practice to new Medicare patients (see Thornton 1999: 499; Phalen 2001).

Parties who are willing to contract with the government despite the FCA must invest heavily in compliance and inflate their prices to reflect those costs,24 as well as the expected "give-back" that will be extracted ex post by the government or qui tam relator. 25

Conclusion

About a year and a half after HIPAA was enacted, CMS held its first-ever conference on fraud, waste, and abuse in Medicare and Medicaid. Then-secretary of HHS Donna Shalala briefly noted how the Clinton Administration had come to focus on the problem of health care fraud and abuse:

During the health care reform debate, as I did town meetings around the country, people were not very interested in talking to me about the substance of the president's proposal. In meeting after meeting, they wanted to talk about fraud and waste in the Medicare program, and I came back roaring on the Department and on the Clinton administration's need to change its direction and to build a capacity and preferably a systemic strategy in the area [Centers for Medicare and Medicaid Services 1998].

HIPAA clearly marked a substantial step toward fulfilling Shalala's vision of a "capacity, and preferably a systemic strategy" in the area of health care fraud and abuse, and it addressed the two requirements for effective fraud control-sustained investment in management and careful oversight of the programs (Kettl 1998).

Fraud control turns out to be like most other goods and services: the more one is prepared to spend, the more one can purchase. However, HIPAA is only part of the fraud control picture. It was the fortuitous combination of HIPAA and the FCA that provided the motive, means, and opportunity for the fraud control crackdown detailed previously.

The larger normative question-whether HIPAA marks a step in the right direction-is less susceptible to empirical assessment, and the "answer" depends greatly on one's preexisting assumptions regarding the frequency and severity of the problem and the motivations and likely behavior of those involved. An analyst who begins with the assumption that the problem is mostly inadequate documentation and a few isolated bad apples will come to a quite different conclusion than one who believes that organized crime has forsaken narcotics and targeted Medicare. An analyst who believes that every provider is a scoundrel looking for an opportunity to rip off the system will come to a quite different conclusion than one who believes that most providers are trying to do the right thing.

Similar factors apply when one considers the degree of discretion appropriately reposed in regulators. An analyst who believes fraud enforcers are gun-toting bullies with no understanding of the complexities of medical diagnosis and treatment will approach these issues quite differently than one who believes prosecutors and fraud investigators have too many better things to do to go after someone who doesn't deserve it.

Perhaps the easiest way to conceptualize these conflicting perspectives is to change the frame of reference, as in the following fishing narrative:

Once upon a time there was a lake filled with fish and other wildlife. Only some kinds of trophy fish were fair game, and there were restrictions on who was allowed to go fishing. The designated fisherman had lots of other things to do, and little money to invest in equipment. The result was that the only trophy fish that ot caught were the ones that were so dumb they jumped in the boat. Once the laws were liberalized, more fishermen showed up, with better equipment and more motivation. Technological innovations included better fish detection equipment, more precise tools for measuring whether the fish that had been caught were actually trophy fish, and drag nets, which caught lots of fish-not all of whom were supposed to be taken. After some fishermen were caught with fish that did not meet the conventional definition of trophy fish, they argued that they had satisfied the definition of trophy fish found in the statute, regardless of what the conventional understanding actually was. A few exceptionally enthusiastic fishermen used dynamite to enhance their yield.

At a town meeting to discuss the situation, the fishermen point to the record number of trophy fish they have collected. No one is prepared to defend those using dynamite, but the fishermen argue that the rest of the methods they are employing strike the right balance between harvesting trophy fish and collateral harm to other fish and wildlife. Those living near the lake complain about the noise, the violation of traditional norms regarding acceptable fishing tactics, and the collateral damage to other species in the lake. Many people believe the fishermen are shading the definition of what constitutes a trophy fish, to justify their time and effort. A few people argue that most of the fishermen are using dynamite, at least intermittently. No one knows for sure how many trophy fish are still in the pond, or how large the collateral damage really is.

When the subject turns to how fishing should be regulated, those attending the meeting quickly divide into three distinct groups. A small group of pro-fish extremists wants to ban all fishing, because they think all the trophy fish are dead-and even if any are alive, the effort required to catch them is too disruptive to the rest of the fish. A larger group concedes the necessity for fishing, but wants to place strict limits on the tools that can be employed and on what counts as a trophy fish. Finally, a small group of pro-fishing extremists believes every trophy fish in the lake should be exterminated, and that attacks on the integrity of the fishermen are part of a pro-trophy-fish/ environmental extremist conspiracy.

Obviously, the fishing narrative does not capture all the complexities of the fraud control debate, but it makes clear the consequences of HIPAA, which effectively put many more highly motivated and well-equipped fishermen on the lake. The narrative also demonstrates the significance of preexisting preferences to any assessment of this development.

Finally, the narrative helps surface the tradeoffs associated with various fraud control strategies. If you really want to catch trophy fish, you might be willing to use dynamite once in a while. If you value the tranquility of the pond, you want as little fishing as possible, regardless of the tools employed. And, if you want to catch trophy fish, but only trophy fish, you will find plenty of things to complain about, regardless of what is going on in the lake.

FOOTNOTE

2See Administration on Aging, "Help to Fight Medicare and Medicaid Waste, Fraud and Abuse," www.aoa.dhhs.gov/ort/volunteer.html. For a hostile assessment of this initiative, see Dickey (1999).

3On the dangers of basing policies on anecdotes, see Hyman (1998). The definitive definition of political statistics was made by Winston Churchill: "I gather, young man, that you wish to be a Member of Parliament. The first lesson that you must learn is, when I call for statistics about the rate of infant mortality, what I want is proof that fewer babies died when I was Prime Minister than when anyone else was Prime Minister. That is a political statistic."

4A more extensive discussion of these issues appears in Hyman (2001).

FOOTNOTE

5Carriers and intermediaries are responsible for reviewing and handling claims, processing payments, and recovering overpayments. Peer review organizations (PROs) review submitted claims to detect upcoding and other improper billing practices. CMS is encouraging PROs to assist in preventing billing errors, by offering incentive payments for PROs that decrease the rate of improper payments.

6General criminal statutes include conspiracy to defraud the United States (18 U.S.C. 1 286,371), false statements (18 U.S.C. 1001), mail fraud (18 U.S.C. 1341), wire fraud (18 U.S.C. 1343), and money laundering (18 U.S.C. 1956, 1957). Health care specific statutes include kickbacks (42 U.S.C. 1320a-7b(b)), health care fraud (18 U.S.C. 1347), theft or embezzlement (18 U.S.C. 669), false statements (18 U.S.C. 1035 and 42 U.S.C. 1320a-7b(a)), obstruction of criminal investigations (18 U.S.C. 1518), and money laundering (18 U.S.C. 1956(a)(1)).

FOOTNOTE

(7)31 USC. 137

FOOTNOTE

8In one recent case, a provider accused of receiving an overpayment of $245,392 was sued for statutory penalties of $81 million. United States v. Krizek, 111 F.3d 934 (D.C. Cir. 1997). After extensive litigation, the District Court imposed a substantially lower sanction.

9See, e.g., 42 U.S.C. 1320a-7 (1998) (allowing as penalties for crimes related to the delivery of health services either mandatory or permissive exclusion, as well as fines not

FOOTNOTE

exceeding $25,000 for a felony and $10,000 for a misdemeanor); 42 U.S.C. 1320c-5 (1998) (allowing as penalties the exclusion of a provider from eligibility to provide services on a reimbursable basis, as well as payment of an amount not in excess of the actual cost of medically improper services provided).

10As Sage (1999: 1180) observes, "[L]arge organizations have such a large stake in avoiding exclusion from Medicare that they readily settle pending charges, making much of fraud control resemble a rebate program more than a law enforcement exercise."

FOOTNOTE

11See, e.g., H.R. Rep. No. 104-496 (1996), reprinted in 1996 U.S.C.C.A.N. 1856, 1869.

12Office of Inspector General Annual Report: 1 January-31 December 1978, 152 (1979). Due to a typographical error, the figure is incorrectly reported as $668 million on page 152, and correctly reported as $468 million on pages 159 and 168 of the report. Interestingly, the higher figure was cited as the correct amount in a book on fraud control (Gardiner and Lyman 1984: 10). The fact that a $200 million typographical error was not caught prior to publication further demonstrates the margin of error in estimates of health care fraud.

FOOTNOTE

13A significant proportion of the overpayments attributable to inadequate documentation were the result of the failure of the treating provider to produce any records whatsoever, despite repeated contacts from the OIG. During the five years, this figure ranged between 18 percent and 47 percent of the total attributable to inadequate documentation (OIG 2000: 7).

FOOTNOTE

14See Sparrow (2000: 123) and Vladeck (1997). Although one would expect some multiplier effect from the rise of enhanced sanctions to offset the low risk of detection, the size of these payback ratios casts doubt on the wisdom of Medicare's historically low administrative costs. Worse still, prior to the influx of funding from HIPAA, there had been a longstanding trend of decreases in both the real and nominal amounts spent per claim to ensure program integrity (General Accounting Office 1997). See also Stanton (2001).

15H.R. Rep. No. 104-496 (1996), reprinted in 1996 U.S.C.C.A.N. 1856, 1967-68 ("Based on studies by the General Accounting Office and HCFA, the estimate assumes that an additional dollar devoted to HCFA payment safeguard activities would at first return eight dollars in lower benefit payments. Data from the IG indicate that an additional dollar devoted to its enforcement efforts would initially return seven dollars in recoveries.")

FOOTNOTE

16See General Accounting Office (1998). A third enforcement initiative, which targeted billings for outpatient testing performed within three calendar days of a hospital admission, was controversial as well, but is not discussed further because the evidence of overenforcement is less persuasive.

17See Ohio Hospital Association v. Shalala, 978 F.Supp 735 (D. Ohio 1997), affd in part, rev'd in part, 201 F.3d 418 (6th Cir. 1999).

18It has been suggested that this problem was attributable to a trigger-happy attitude among newly hired assistant U.S. attorneys. Of course, these attorneys were hired because HIPAA gave DOJ the resources to do so, and once they were hired, they were under pressure to produce results.

FOOTNOTE

19See General Accounting Office (1998). Teaching hospitals present a problem for Medicare because care is provided at a hospital by residents and paid for under Medicare Part A, but attending physicians can also provide care and bill under Medicare Part B. CMS and the carriers/intermediaries have issued numerous conflicting and confusing guidelines in an attempt to clarify the circumstances under which claims under both Part A and Part B are appropriate.

FOOTNOTE

20Searches were conducted for the code sections for health care fraud (18 U.S.C. 1347), theft or embezzlement (18 U.S.C. 669), false statements (18 U.S.C. 1035, obstruction of criminal investigations (18 U.S.C. 1518), and administrative subpoenas (18 U.S.C. 3486). Two civil case were excluded: one involving a contractual dispute in which one of the parties raised RICO and another involving the validity of an audit conducted by the Controller of the State of California. Year-by-year case totals do not sum because some cases involved multiple provisions of HIPAA.

21See Ohio Hospital Association, 201 F.3d at 421 ("The hospitals were obviously unhappy about the prospect of having to disgorge twice the amount of 'overpayments' that they did not view as overpayments at all in order to limit their exposure to full statutory penalties for actual violations of the False Claims Act.")

FOOTNOTE

22To be sure, it is possible that these provisions are being employed but not appearing in Lexis and Westlaw opinions because guilty pleas do not result in opinions. Alternatively, these offenses may be plea-bargained down, allowing defendants to plead guilty to charges with lower sanctions. Further research will be necessary to exclude these possibilities.

FOOTNOTE

(23)984 F.2d 1256, 1262 (Ist Cir. 1992).

24 According to Kovacic (1998: 219-20), "Exacting compliance becomes essential even though the outlay of resources to attain complete adherence to a specific regulatory command may significantly surpass the value that the government derives from having its suppliers follow that command scrupulously . . . Because the CFCA treats grievous and trivial deviations from regulatory commands alike, firms must structure their compliance systems to obey all commands fully."

25Kovacic (1998: 227) notes: "[T]he CFCA too often serves as a device by which the government opportunistically uses the threat of prosecution for fraud to extract pricing or other concessions from its suppliers ... Many survey participants perceive that the CFCA enables the government to convert what in the commercial world would be simple contract disputes into fraud allegation and to use the threat or prosecution of fraud-based claims to obtain settlements that could not be attained in commercial practice."

FOOTNOTE

26With regard to fraud control personnel, Sparrow (2000: 160) writes. "[T]he majority of cases they investigate involve blatant behavior, with little attemp at concealment or

FOOTNOTE

subtlety, and most are detected because the predators were careless, excessively greedy, or stupid."

REFERENCE

References

REFERENCE

Albert, T. (2001) "Strong Objections Expressed Over Compliance Guidelines." American Medical News (9-16 July).

Barr, S. (1997) "Outgoing Chief Leaves His Mark on Procurement Process." Washington Post (12 September): A23.

Beetham, D. (1996) Bureaucracy. 2nd ed. St. Paul, Minn.: University of Minnesota.

Bell, M. (1997) "Medicare Easy Target For Thieves." Orlando Sentinel (15 June): Al.

Blanchard, T. P. (1999) "Medicare Medical Necessity Determinations Revisited: Abuse of Discretion and Abuse of Process in the War Against Medicare Fraud and Abuse." St. Louis University Law Review 43: 91-135.

Blumstein, J. F. (1997) "What Precisely Is 'Fraud' in the Health Care Industry." Wall Street Journal (8 December): A25.

Bucy, P. H. (1996) Health Care Fraud: Criminal, Civil and Administrative Law. New York: Law Journal Seminars Press.

Centers for Medicare and Medicaid Services (1998) "National Fraud, Waste and Abuse Conference." Transcript (17 March). (www.hcfa.gov.medicare/ fraud/transcr7.htm.)

- (2001) "The Medicare Integrity Program: Pay It Right!" (March). (www.hcfa.gov/medicare/mip/mip.pdf.)

Cohen, J. J., and Dickler, R. M. (1997) "Auditing the Medicare-Billing Practices of Teaching Physicians: Welcome Accountability, Unfair Approach." New England Journal of Medicine 336: 1317-20.

Department of Health and Human Services (2000) "A Comprehensive Strategy to Fight Health Care Waste, Fraud, and Abuse." (www.hhs.gov/news/ press/2000pres/2000309a.html.)

Dickey, N. (1999) "Government to Grandpa: Rat Out Your Doctor." Wall Street Journal (24 February): A18.

Eiland, G. W. (1999) "A Call for Balancing of Agency Sentinel Priorities." Journal of Health Law 32: 503-14.

Epstein, J. D. (1998) "The Criminalization of Medicare Payment Disputes." University of Houston Health Law News 11(3). (www.law.uh.edu/ healthlawnews/03-1998.html.)

Faddick, C. M. (1997) "Health Care Fraud and Abuse: New Weapons, New Penalties, and New Fears for Providers Created by the Health Insurance

REFERENCE

Portability and Accountability Act of 1996 (HIPAA)." Annals of Health Law 6: 77-102.

Gardiner, J. A., and Lyman, T. R. (1984) The Fraud Control Game: State Responses to Fraud and Abuse in AFDC and Medicaid Programs. Bloomington, Ind.: University of Indiana Press.

Hedges, S. J. (1998) "The New Face of Medicare Fraud." U.S. News dr World Report (2 February): 46-55.

Holder, E. (1998) Letter to U.S. Attorneys (3 June). (www.usdoj.gov/04foia/ readingrooms/chcm.htm.)

Hyman, D. A. (1998) "Lies, Damned Lies, and Narrative." Indiana Law Journal 73: 797-864.

- (2001) "Health Care Fraud and Abuse: Market Change, Social Norms, and the `Trust Reposed in the Workmen.' "Journal of Legal Studies 30(2).

Iezzoni, L. I. (1999) "The Demand for Documentation for Medicare Payment." New England Journal of Medicine 341: 365-67.

Jost, T. S. (1998) "Public Financing of Pain Management: Leaky Umbrellas and Ragged Safety Nets." Journal of Law, Medicine dr Ethics 26: 290-307. - (2000) "Fairness in Fraud and Abuse Enforcement." Journal of the American Medical Association 283: 1289.

Jost, T. S., and Davies, S. L. (1999) "The Empire Strikes Back: A Critique of the Backlash Against Fraud and Abuse Enforcement." Alabama Law Review 51: 239-318.

Kalb, P. E. (1999) "Health Care Fraud and Abuse." Journal of the American Medical Association 282: 1163-68.

Kelman, S. (1990) Procurement and Public Management: The Fear of Discretion and the Quality of Government Performance. Washington, D.C.: AEI Press.

REFERENCE

Kettl, D. F. (1998) "Reinventing Government: A Fifth Year Report Card." Brookings Institution Center for Public Management, CPM 98-1.

King, M. S.; Sharp, L.; and Lipsky, M. S. (2001) "Accuracy of CPT Evaluation and Management Coding by Family Physicians."Journal of the American Board of Family Practice 14(3): 184-92.

Kovacic, W. E. (1996) "Whistleblower Bounty Lawsuits as Monitoring Devices in Government Contracting." Loyola of Los Angeles Law Review 29: 1799-1857.

- (1998) "The Civil False Claims Act as a Deterrent to Participation in Government Procurement Markets." Supreme Court Economic Review 6: 201-39.

Mashaw, J. L., and Marmor, T. R. (1994) "Conceptualizing, Estimating, and Reforming Fraud, Waste, and Abuse in Healthcare Spending." Yale Journal on Regulation 11: 455-94.

McGinley, L. (1998) "U.S. to Ease Up on Suspected Medicare Fraud." Wall Street Journal (9 April): A3.

Office of Inspector General (2000) "Improper Fiscal Year 2000 Medicare Fee-For-Service Payments." A-17-00-02000.

Peterson, K. A. (2000) "First Nursing Homes, Next Managed Care? Limiting Liability in Quality of Care Cases under the False Claims Act." American Journal of Law & Medicine 26: 69-88.

REFERENCE

Phalen, K. (2001) "Opting Out: Physicians Exiting Medicare Program." American Medical News (25 June). (www.ama-assn.org/sci-pubs/amnews/ pick-01/gvsa0625.htm.)

Reinhardt, U. (2000) "Medicare Can Turn Anyone into a Crook." Wall Street Journal (21 January): A18.

Rundle, R. L. (1989) "Medical Rip Off: How Doctors Boost Bills by Misrepresenting the Work They Do." Wall Street Journal (6 December): Al. Sage, W. M. (1999) "Fraud and Abuse Law." Journal of the American Medical Association 282: 1179.

Schofield, A., and Weaver, L. D. (2000) "Health Care Fraud." American Criminal Law Review 37: 617-56.

Schooner, S. L. (2001) "Fear of Oversight: The Fundamental Failure of Businesslike Government." American University Law Review 50: 627-723.

Schwartz, J. I. (1996) "Liability for Sovereign Acts: Congruence and Exceptionalism in Government Contracts Law." George Washington Law Review 64: 633-702.

Serafini, M. W. (2000) "HMOs on Life Support." National Journal (9 September): 2782- 85.

Shogren, E. (1995) "Rampant Fraud Complicates Medicare Cure." Los Angeles Times (8 October): At.

Sparrow, M. (2000) License to Steal: How Fraud Bleeds America's Health Care System. Boulder, Colo.: Westview Press.

Stanton, T. H. (2001) "Fraud-and-Abuse Enforcement in Medicare: Finding Middle Ground." Health Affairs 20: 28-42.

Thornton, D. M. (1999) " `Sentinel Effect' Shows Fraud Control Effort Works." Journal of Health Law 32: 493-502.

U.S. Congress (1977) Medicare Fraud and Abuse Amendments of 1977.

REFERENCE

Hearings before the Committee on Finance. Senate, 95th Cong., Ist Sess.

- (1998) Health Care Initiatives under the False Claims Act That Impact Hospitals. Hearing before the Subcommittee on Immigration and Claims of the Committee on the Judiciary. House of Representatives, 105th Cong., 2nd Sess. (28 April).

U.S. General Accounting Office (1992) "Health Insurance: Vulnerable Payers Lose Billions to Fraud and Abuse." GAO/HR-92-69.

(1997) "Medicare." GAO/HR-97-10.

(1998a) "Application of the False Claims Act to Hospital Billing Practices." GAO/HEHS-98-195.

- (1998b) "Concerns With Physicians at Teaching Hospitals (PATH) Audits." GAO/HEHS-98-174.

- (2000a) "Fraud Schemes Committed by Career Criminals and Organized Criminal Groups and Impact on Consumers and Legitimate Health Care Providers." GAO/OSI-00-1R.

- (2000b) "Health Care Fraud: Schemes to Defraud Medicare, Medicaid, and Private Health Care Insurers." GAO/T-OSI-00-15.

Vladeck, B. C. (1995) "Medicare, Medicaid Fraud and Abuse."Journal of the American Medical Association 273: 766-73.

- (1997) Testimony on Chief Financial Officer Audit Findings for FY 1996 (17 July) (wwvw.hhs.gov/asl/testify/t970717a.html.)

AUTHOR_AFFILIATION

David A. Hyman is Professor of Law at the University of Maryland School of Law. He thanks Peter Jacobson, Joan Krause, Jana Singer, and Peter Winn for their helpful comments.

1Recently renamed, and hereinafter referred to as, the Centers for Medicare and Medicaid Services or CMS.