Health insurance and health care fraud
FinCEN’s February 2, 2021, health insurance and health care fraud advisory identifies 16 red flags to help financial institutions spot instances of fraud linked to COVID-19. The advisory also includes two case studies drawn from recent federal indictments. In the first case study, owners of several New York-area pharmacies were charged with claiming millions of dollars in Medicare funds by using COVID-19 emergency override billing codes, despite never purchasing or dispensing medications. The defendants then allegedly used the proceeds to engage in an international money laundering conspiracy. In the second case study, the president of a California-based medical technology company was charged with paying kickbacks and bribes for unnecessary allergy tests, later expanding the testing scheme to include lucrative COVID-19 testing. As part of the scheme, the defendant allegedly made false claims to health care investors regarding the company's ability to provide cheap and effective COVID-19 tests.
The 16 red flags fall into one of four categories, as follows:
1. Unnecessary medical services or billing fraud
The advisory notes that federal authorities have seen an uptick in unnecessary medical services since the beginning of the pandemic. Accordingly, financial institutions should be on high alert for medical providers with higher than expected payment volume during the pandemic period. Other red flags include unusual transaction activities in a health care provider’s business account or higher than expected reimbursement rates that do not match the provider’s business profile, such as a small medical facility with few personnel processing a high volume of COVID-19 tests.
2. Potentially fraudulent businesses
The advisory discusses how individuals and businesses have made false representations about performing COVID-19 services to defraud insurance carriers and health care investors.
Certain red flags may suggest potentially fraudulent business activities. For example, financial institutions should be wary of business activity that is inconsistent with the account holder’s history or with the typical activities of a health care provider. These include personal or business accounts that receive steep increases in health care-related payments despite not receiving these types of payments before, or where the withdrawal activity is atypical for health care businesses (for example, cashier’s checks, cash withdrawals, or domestic and international wire transfers). Additionally, a lack of small-dollar deposits might indicate that patients are not paying copays, further suggesting that medical services are not actually being rendered.
Financial institutions should also scrutinize the address and website of a health care provider. For example, a medical facility with minimal online presence, or one that began around the time of the pandemic, may suggest fraudulent business activity. Even where the physical location of a health care provider exists, financial institutions should compare that address to the locations of its purported patient base (for example, a medical facility located in a western state receiving payments related to patients residing on the East Coast).
3. Kickbacks and money laundering
The advisory highlights instances of health care service providers making or receiving kickback payments or being involved in money laundering. Financial institutions should be on the lookout for frequent or unusually large payments recorded as advertising or marketing expenses, or that reference “director fees,” “consulting fees,” “marketing,” or “business process outsourcing.” The advisory also calls out payments to health care providers without any supporting financial documentation. Additionally, overly complex medical-related transactions involving multiple counterparties could indicate structuring, layering, or fraudulent medical claims.
4. Fraudulently obtaining COVID-19 relief funds
The advisory notes the prevalence of businesses and individuals fraudulently obtaining COVID-19 relief funds intended for health care providers. Red flags include accounts with no history of providing health care services receiving payments related to the CARES Act’s Provider Relief Fund or the Paycheck Protection Program and Health Care Enhancement Act. Likewise, financial institutions should be wary of an account holder simultaneously receiving payments from these programs as well as COVID-19-related unemployment insurance payments.
FinCEN asks financial institutions that identify any of the typologies outlined in its COVID-19 health care fraud advisory to file Suspicious Activity Reports (SARs) that include the key term, “FIN-2021-A001,” in SAR field 2 and the narrative portion of the SAR. It also asks filers to select SAR field 34(g) (health care – public or private health insurance) as the associated suspicious activity type.
Economic impact payment fraud
FinCEN’s February 24, 2021, advisory focuses on financial crimes linked to Economic Impact Payments (EIPs) authorized by the CARES Act and the Coronavirus Response and Relief Supplemental Appropriations Act of 2021. The advisory identifies 14 red flags to help financial institutions spot instances of fraud linked to these payments.
FinCEN and its partner agencies have seen a wide variety of financial crimes involving EIPs, including: (i) the deposit of altered, stolen, counterfeit, or otherwise fraudulent EIP checks; (ii) theft of EIPs; (iii) phishing schemes pursuing personally identifiable information (PII) based on purported EIPs; and (iv) unlawful seizure of EIPs for wage garnishments or debt collection.
Red flags may include attempts by an account holder to deposit one or more checks that appear to be issued by the U.S. Treasury, but that are fraudulent or counterfeit, or where a customer opens a new account with an EIP check, but the name of the account holder is different from the EIP payee.
Even where the EIP payments do not appear to be counterfeit or altered, financial institutions should be wary of multiple EIP payments, especially where the number of payments is excessive relative to the customer’s profile. Financial institutions should proceed with caution if it appears that a customer’s account is being used as a “funnel account” to negotiate multiple EIP checks, or where the account holder may be acting as a “money mule.” Likewise, financial institutions should pay attention to the IP addresses used to transfer funds. Heightened concern is warranted where the same IP address is used to transfer funds from several EIP debit cards to a bank account, especially if that IP address is located outside of the United States or is associated with a business.
Financial institutions should also be on the lookout for rapid transfers of multiple EIPs into one account, which could indicate that fraudsters are consolidating payments. In particular, financial institutions should scrutinize accounts with multiple EIPs that also receive numerous tax refund payments from federal and state governments. According to FinCEN, the fraud risk is heightened where, after the funds are consolidated in one account, cash is quickly withdrawn, the funds are transferred out of the account via a money services business or used to purchase virtual currencies, or the funds are transferred onto prepaid debit or gift cards.
The advisory also notes FinCEN’s concern that businesses may be defrauding their own employees by using employees’ PII to apply for EIP benefits for the purpose of unlawfully collecting payments. Likewise, the advisory identifies nursing homes and assisted living facilities as potentially unlawfully withholding residents’ EIP funds, particularly where the facility receives deposits of one or more EIP checks that are not returned to the residents.
FinCEN asks financial institutions that identify any of the typologies outlined in its COVID-19 EIP fraud advisory to file SARs that include the key term, “FIN-2021-A002,” in SAR field 2 and the narrative portion of the SAR. It also asks filers to select SAR field 34(z) (fraud – other) as the associated suspicious activity type and to avoid relying on the generic term “stimulus check,” but rather to include the term “economic impact payment” in the SAR narrative.
Conclusion
The information provided to FinCEN in SARs has become a critical component of the government’s ongoing efforts to stem COVID-19-related fraud. For example, the Special Inspector General for Pandemic Recovery (SIGPR),2 which helps oversee disbursed funds related to pandemic relief, has announced a partnership with FinCEN. SIGPR’s activities rely chiefly on Bank Secrecy Act data contained in SARs. Investigations and audits by SIGPR have already ramped up and are expected to last for many years. Therefore, financial institutions should expect and prepare to receive government inquiries related to COVID-19 fraud, including the fraud typologies related to health care and EIP fraud as outlined in FinCEN’s February 2021 advisories.
Our Reed Smith Coronavirus team includes multi-disciplinary lawyers from Asia, EME, and the United States who stand ready to advise you on the issues above or others you may face that are related to COVID-19.
For more information on the legal and business implications of COVID-19, visit the Reed Smith Coronavirus (COVID-19) Resource Center or contact us at COVID-19@reedsmith.com.
- FinCEN Advisory FIN-2021-A001, “Advisory on COVID-19 Health Insurance- and Health Care-Related Fraud” (Feb. 2, 2021); FinCEN Advisory FIN-2021-A002, “Advisory on Financial Crimes Targeting COVID-19 Economic Impact Payments” (Feb. 24, 2021).
- In addition to the SIGPR, the Congressional Oversight Commission and the Pandemic Response Accountability Committee are both charged with overseeing aspects of the government’s response to the pandemic. See also Quarterly Report to the U.S. Congress, Oct. 1, 2020 to Dec. 31, 2020, Office of the Special Inspector General for Pandemic Recovery, dated Feb. 1, 2021, available at sigpr.gov.
Client Alert 2021-063