Although media attention often focuses on billing fraud, another type of fraud is costing the healthcare industry millions of dollars annually: fraud within the purchasing function.
At a Glance
- Purchasing fraud leads to significant losses for healthcare entities and damages the reputation of the industry.
- Designing and implementing an effective internal control environment helps reduce the risk of fraud.
- An effective control environment includes a variety of policies, procedures, strategies, and tactics.
Hospitals and health systems today risk falling victim to purchasing kickback schemes, a form of fraud that causes organizations to pay more than fair market value for a product or service. Internal controls are required to avoid this risk.
The Association of Certified Fraud Examiners (ACFE) found instances of purchasing fraud in more than 30 percent of the healthcare industry cases analyzed as part of a 2012 study, making this type of fraud a very close second to billing fraud in terms of prevalence. The ACFE estimated that the average cost of corruption for healthcare entities in 2012 was $250,000 for each case of fraud.
The risks associated with purchasing fraud go beyond monetary losses; fraud allegations also put an organization’s reputation at risk. Although kickbacks and purchasing fraud are not directly related to clinical quality, they can diminish public confidence in an organization’s ability to provide high-quality health care. For hospitals and health systems that receive federal or state grants, the grantor could choose to initiate investigation based on allegations of fraud. If the organization falls out of compliance with grant requirements, it could be required to return funds to the granting agency.If the hospital or health system itself is charged with fraud, legal sanctions, including fines, could ensue.
Purchasing Fraud and Kickback Schemes: An Overview
The ACFE defines a kickback scheme as the giving or receiving of anything of value to influence a business decision without the employer’s knowledge and consent. Kickback schemes, which involve collusion between employees and vendors, typically include submission of invoices for goods or services that are either overpriced or completely fictitious. Once the healthcare entity pays the vendor for the invoice, the vendor provides something of value to the individual who arranged everything. Vendors may send purchasing agents on extravagant vacations, buy them cars, or simply make cash payments to them.
Kickback schemes may originate at any level within the organization with the ability to influence purchasing decisions, including—but not limited to—purchasing agents. Recent examples of alleged purchasing fraud, as described in the sidebar below, show how costly this type of fraud can be.
Purchasing fraud can be very difficult to prevent and detect. If a vendor is simply increasing the price of each item purchased by a small amount, it could go unnoticed for many years. If an employee with a high level of control over the purchasing process is involved, it could go unnoticed indefinitely.
Developing an Effective Control Environment
The cornerstone of preventing and detecting fraud is an effective control environment, which should start at the top. Executive leaders and the board of directors should be committed to designing effective processes and procedures to reduce the risk of fraud. At least once a year, the organization’s executives should perform a risk assessment that includes a discussion about “what could go wrong,” covering topics such as how employees could steal money, how financial statements could be misstated, how the overall control environment could affect the work environment, and other potential areas of concern.
Once concerns are identified, leaders should determine what types of controls are in place to mitigate these risks and should arrange to have their organizations’ internal controls reviewed independently on a periodic basis; for larger organizations, controls should be evaluated annually and for smaller organizations, at least biannually. An independent review can highlight the areas in which internal controls are not designed appropriately or are not being followed. Even the best-designed controls are not effective if they are not being followed.
The following controls can reduce the risk of purchasing fraud that is committed through kickback schemes.
Employee code of conduct/code of ethics. Expectations about honest and ethical employee behavior should be codified. A written code of conduct sets guardrails for employees, letting them know what is acceptable and what is not acceptable. The code of conduct should be all encompassing, including items such as ethics, confidentiality, conflicts of interest, intellectual property, sexual harassment, and fraud. Consequences of violating the code of conduct should be addressed. Organizations should include their employees in the development and review of the code of conduct to improve “buy-in.” All new employees should be required to certify that they have read and understand the code, and all employees should be required to renew this certification at least once a year. Also, organizations should keep in mind that a code of conduct can be effective only if it is enforced.
Vendor code of conduct. In addition to an employee code of conduct, hospitals should have a code of conduct for vendors, addressing areas such as legal compliance, conflicts of interest, gifts, gratuities, kickbacks, privacy and confidentiality, accuracy of records, fair competition,discrimination, government contract-related policies, and reporting of misconduct. As a prerequisite for being added to the hospital’s approved list, each vendor should certify that it will act in accordance with the code of conduct.
Gift policy. A gift acceptance policy helps protect employees from developing a conflict of interest with a vendor. The policy should detail gifts that are acceptable and gifts that are not, with specifics about the value of acceptable gifts.Gifts of cash or cash equivalents (e.g., gift cards) should be strictly prohibited, with possible exceptions for cash equivalents with minimal value. The policy should also describe how employees should decline the acceptance of a gift and how gifts should be reported so they can be tracked properly. All employees should be required to certify that they have read and understood this policy at least once a year.
Purchasing control. All hospitals should have a detailed and well-documented purchasing process. Purchase orders should go through multiple levels of review, depending on the size of the purchase. Purchasing cycle duties should be segregated appropriately. For example, the individual preparing the purchase order should not be allowed to approve the invoice. A second employee should compare the purchase price with the approved purchase order. Receipt of the goods or service should be documented by a third employee who does not have the authority to approve a purchase order or an invoice. In small organizations, it may be necessary to get individuals outside of the purchasing department involved. For example, an administrative employee can assist in receiving or a C-level officer may need to approve purchases of certain amounts. Overall, it is imperative that controls be designed to prevent any one person from having the ability to process and approve a purchase.
A bidding/proposal process that includes at least three employees should be used for purchases that exceed a designated amount. Organizations should have a detailed policy documenting the process for each level of purchasing. For example, purchases in excess of $10,000 may require a bidding process; purchases of less than $1,000 may use an expedited purchasing process.
Controls over the approved vendor listing are an important element of a fraud risk reduction program. Initially, vendors should be required to go through an intense vetting process that may include financial statement analysis, interviews with employees, site visits, and certification of the vendor code of conduct. Hospitals and health systems should analyze and review the approved listing at least once a year to identify vendors listed more than once under different names and vendors the company no longer uses. This step helps reduce the risk of having fictitious vendors in the organization’s database.
Healthcare organizations also may opt to rotate purchasing duties. Whether purchasing agents are assigned to particular vendors and/or products or there is only one purchasing agent for the entire organization, a good rule of thumb is to rotate purchasing responsibilities at least every six months. In smaller organizations, it may be possible to rotate duties within purchasing and other accounting functions. This policy adds another layer of control to the purchasing process and facilitates cross training, which may also be useful in the event of employee turnover.
Whistleblower hotline. Employees and others should be able to report suspicions of malfeasance to management anonymously. The easiest vehicle for this is a whistleblower hotline that is advertised and available to all employees, volunteers, patients, visitors, and vendors. In 2010, the Antifraud Programs and Controls Task Force of the American Institute of Certified Public Accountants developed a series of questions for audit committees to consider when assessing the effectiveness of a whistleblower hotline, which were published in the Journal of Accountancy .
Internal audit. An internal auditor can be a powerful control in preventing and detecting all types of fraud by conducting vendor research, performing surprise audits, interviewing employees, making price comparisons, and implementing continuous auditing procedures. Continuous auditing procedures may include analyzing purchasing trends (e.g., always purchasing certain products from a single vendor), comparing vendor addresses with the personnel database, and analyzing the inventory database for unnecessary purchases. The internal auditor should be a key player in developing a risk assessment program and implementing responses to risks.
Fraud training for employees. Organizations should train employees on how to recognize fraud and what to do if they have suspicions. This training should occur at least annually and should include information about types of fraud, behavior traits that could indicate someone is committing fraud, and controls that are in place to mitigate fraud (so employees can recognize when someone is attempting to circumvent the controls). Fraud training also is a key component of organizational culture, as it shows that management is committed to doing business in an ethical manner.
Budget-to-actual analysis. Budget-to-actual analysis may help expose malfeasance. A department with continual budget deficiencies should be scrutinized. All too often, organizations explain away budget deficiencies rather than investigating the reasons for them. It also is important to keep in mind that projects should have an approved budget. Any budget changes or deficiencies should be investigated prior to incurring the actual expense.
Insurance coverage. Organizations should maintain insurance coverage, known as fidelity insurance, to cover employee dishonesty. This coverage may limit the damage to an organization in the event of fraud.
Preserving Assets and Reputations
Purchasing fraud causes significant losses for healthcare entities and damages the reputation of the industry. Designing and implementing an effective internal control environment helps reduce the risk of such fraud. Healthcare leaders should emphasize the importance of ethical behavior while providing adequate resources to ensure that an appropriate internal control environment can be implemented.
Lance Mann, CPA, CFE, is associate director of assurance services at Dean Dorton Allen Ford, PLLC, Lexington, Ky.
Recent Indictments Related to Hospital Purchasing Fraud
Purchasing fraud can take a variety of forms, as is evident in three recent cases In New York and New Mexico.
International “clinical partnership.” In September 2012, the former CEO of the Hospital for Special Surgery in New York was arrested and charged in a $1.4 million kickback scheme that spanned more than a decade. He is accused of receiving approximately $420,000 in kickbacks from hospital vendors, $298,500 from a hospital employee, and roughly $670,000 from a British-based healthcare organization. In exchange for these payments, this CEO allegedly approved a clinical partnership between the hospital and the British-based organization. The funds received from the hospital employee were allegedly received in exchange for negotiating payment of that worker’s annual bonus. The amounts received from hospital vendors were allegedly received for approval of purchase orders and/or services that were either overpriced or unnecessary. If convicted, the CEO faces up to 20 years in prison for racketeering and making false statements to the federal government.
Improper awarding of construction contracts. In October 2012, two former facilities employees of New York Presbyterian Hospital were convicted of defrauding the hospital in a kickback scheme related to awarding of construction, maintenance, and service contracts for asbestos abatement, air monitoring, and general construction to a co-conspirator’s company. The vice president of facilities received over $2.3 million in kickbacks, which were funneled through a company owned by the vice president’s relative and then eventually paid to him. Sadly, the company through which the kickbacks were funneled was set up in the conspirator’s mother’s name. In the end, 17 individuals and six companies were convicted of or pleaded guilty to charges arising out of this federal antitrust investigation of bid rigging, fraud, bribery, and tax-related offenses.
“Bogus” IT system updates. In December 2012, the former COO/CFO of St. Vincent Hospital in Santa Fe, N. M.—now called Christus St. Vincent Medical Center—pleaded guilty to conspiracy and two counts of fraud over $20,000 in a plea bargain agreement. It is alleged this employee awarded contracts to a co-conspirator and five companies owned by the co-conspirator for work related to updating the hospital’s information systems. According to the original indictments, the COO/CFO received at least $678,000 between 2005 and 2008 in exchange for approving more than $3 million in payments to his co-conspirator. The indictments state that “St. Vincent largely received no or minimal work product” for payments authorized by the COO and the work was “frequently unnecessary, of poor quality or completely bogus.” The indictments further state that the co-conspirators worked as a team to bilk the hospital of the money, creating false letterheads for companies that “existed largely on paper only,” overriding the hospital’s administrative protocols, and staging displays to mollify other employees and “prevent detection of the scheme.” According to court documents, the co-conspirators used the funds received to purchase a luxury vehicle, make payments on credit cards, buy country club memberships, and fund the construction of a home. The plea agreement requires five years of supervised probation, court-ordered restitution, and assistance in resolving other criminal and civil matters still pending. In March 2013, the co-conspirator pleaded guilty to three counts of fraud and conspiracy. Sentencing in this case is scheduled for September 2013.