FORENSIC LEGIBILITY EXAMINER

CASE 103|EVIDENCE & FORENSIC HANDLING|2025-10-24|DISPOSITION: SUPPLIER BILLING CREDENTIAL ACCEPTED FOR EQUIPMENT ALREADY COVERED UNDER INPATIENT PAYMENT; BILLING CONDITION NOT ENCODED IN CREDENTIAL; IMPROPER PAYMENTS CONTINUED ACROSS THREE AUDIT CYCLES|ARCHIVE →

Medicare Supplier Billing Credential Authority Failure Through Part B Claims Submitted for Equipment Already Covered Under Part A Inpatient Payment at DMEPOS Suppliers

A Medicare supplier billing credential authorizes a supplier to bill Medicare Part B for durable medical equipment provided to an enrollee. The credential encodes the supplier's authorization to bill. It does not encode the conditions under which billing is permitted — including the condition that the enrollee not be in an inpatient facility at the time of the claim, because inpatient stays are covered under Part A and equipment costs are already included in the facility's payment. When a supplier bills Part B for equipment provided during an inpatient stay, the credential authorizes the transaction. Medicare pays. The condition under which payment was not permitted was never required to appear in the credential. It was not evaluable at the point of billing. The gap between what was credentialed and what was permissible remained invisible until audit.

Failure classification: Supplier Billing Credential Accepted Without Encoding Conditions Under Which Billing Is Permitted; Improper Payments Continued Across Three Audit Cycles Spanning Ten Years

Program:

Medicare Part B; durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) supplier billing

Audit period:

January 2018 through December 2024 (seven years); follow-up to prior OIG audit covering January 2015 through December 2017

Improper payments identified:

$22.7 million across the 2018–2024 audit period; none of the reviewed payments should have been made

Prior audit finding:

$34 million in improper payments identified for 2015–2017; same structural condition; system edits modified in January 2020

Post-remediation payments:

$4.5 million improperly paid after January 2020 system edit correction, through December 2024; improper payments continued despite remediation

Enrollee exposure:

Up to $5.9 million in deductible and coinsurance amounts incorrectly collected from enrollees or their representatives

Investigating authority:

U.S. Department of Health and Human Services, Office of Inspector General; Report No. OAS-24-09-005, issued October 24, 2025

CMS response:

Concurred with four of five recommendations; did not concur with recommendation to review system edits for further refinement

Context

Medicare Part A covers inpatient hospital stays. When an enrollee is admitted to an inpatient facility, the facility receives a bundled payment that covers all services and items provided during the stay — including durable medical equipment, prosthetics, orthotics, and supplies. Medicare Part B covers DMEPOS items provided in outpatient settings, billed separately by the supplier. The distinction is structural: when a patient is inpatient, the facility payment covers the equipment. A supplier billing Part B for equipment provided to that same patient during that same stay is billing for something already paid for.

To prevent duplicate payment, Medicare's Common Working File maintains system edits — automated controls that flag or deny claims that do not comply with billing requirements. The edit relevant to this case is designed to detect when a DMEPOS claim submitted under Part B overlaps with an active inpatient stay. When working properly, the edit denies the claim before payment is made. The credential that authorizes a supplier to bill Medicare does not itself encode this condition. The edit is the external mechanism that is supposed to supply it.

Trigger

A 2018 OIG audit found that Medicare had improperly paid DMEPOS suppliers $34 million for equipment provided during inpatient stays between 2015 and 2017. The auditors found that the Common Working File edits designed to prevent these payments were not functioning adequately. CMS concurred with the recommendations and modified the system edits in January 2020. The modification substantially reduced improper payments. It did not eliminate them.

The 2025 follow-up audit covered January 2018 through December 2024 — seven years, two audit periods, one system modification. None of the $22.7 million in payments reviewed should have been made. Of that total, $18.2 million was paid before the January 2020 edit modification; $4.5 million was paid after it. The structural condition that allowed improper billing — a supplier credential that authorizes billing without encoding the conditions under which billing is permitted — was present throughout. The edit modification reduced the volume of payments that passed through without detection. It did not resolve the underlying condition.

Failure Condition

A DMEPOS supplier enrolled in Medicare holds a billing credential: the enrollment authorizes the supplier to submit claims to Medicare Part B for qualifying equipment. That credential encodes the supplier's authorization. It does not encode the conditions under which a specific claim is permissible — including whether the enrollee is in an inpatient facility at the time the item is provided. The relying party — the Medicare claims processing system — accepts the claim because the credential is valid. Whether the claim is permissible under the conditions that existed at the point of service is determined not by the credential but by a separate automated control. When that control fails or is absent, the credential alone is insufficient to prevent payment for a claim that should not have been submitted.

This is not a case of fraudulent intent in every instance. Many of the improper claims likely resulted from suppliers billing in the ordinary course without knowledge of the enrollee's inpatient status at the time of the item's delivery. The structural condition does not require intent. It requires only that the credential authorize billing without encoding the boundary condition — and that the external control designed to supply that boundary be insufficient to prevent payment in all cases. Both conditions were present across a ten-year period spanning three audit cycles.

CMS did not concur with the OIG's recommendation to review system edits for further refinement, maintaining that its current controls are adequate. The OIG stated it considers the recommendation valid. At the time of the report, $4.5 million in improper payments had been made after the last control modification. The boundary between what the supplier credential authorized and what billing conditions permitted remained unevaluable at the point of claim submission.

Observed Response

The OIG made five recommendations: recover up to $22.7 million in improper payments, refund up to $5.9 million in incorrectly collected deductible and coinsurance amounts to enrollees, notify affected suppliers to conduct internal audits, identify any claims outside the audit period for additional recovery, and review system edits for further refinement. CMS concurred with four recommendations and did not concur with the fifth. The OIG maintained its position. Both recommendations related to recovery remained open as of the report date. The prior 2018 audit's recommendations had also required recovery of $34 million in improper payments — a condition the follow-up audit confirmed had not prevented the same structural failure from producing an additional $22.7 million in improper payments over the following seven years.

Analytical Findings

None of the $22.7 million in DMEPOS payments reviewed for the 2018–2024 audit period complied with Medicare requirements; the failure was universal across the sample
The same structural condition had produced $34 million in improper payments in the prior 2015–2017 audit period; the 2025 finding documents a condition that persisted through a system modification and two complete audit cycles
The supplier billing credential encodes authorization to bill; it does not encode the conditions under which billing is permitted at the point of service — including the inpatient status of the enrollee at the time the equipment is provided
The external control designed to supply the missing boundary — the Common Working File system edit — was insufficient to prevent improper payments before January 2020 and continued to permit $4.5 million in improper payments after modification through December 2024
Enrollees or their representatives were incorrectly billed up to $5.9 million in deductible and coinsurance amounts for items that should not have been billed to them separately under any circumstances
CMS declined to concur with the OIG recommendation to review system edits for further refinement, maintaining current controls are adequate; the OIG maintained the recommendation is valid
If the Common Working File edits had functioned properly since 2008, OIG estimated Medicare could have avoided $223.1 million in improper payments and enrollees could have avoided $56.3 million in incorrectly collected deductible and coinsurance amounts

References

1. U.S. Department of Health and Human Services, Office of Inspector General. "Medicare Improperly Paid Suppliers $22.7 Million Over 7 Years for Durable Medical Equipment, Prosthetics, Orthotics, and Supplies Provided to Enrollees During Inpatient Stays." Report No. OAS-24-09-005. Issued October 24, 2025.
2. U.S. Department of Health and Human Services, Office of Inspector General. "Medicare Improperly Paid Suppliers for Durable Medical Equipment, Prosthetics, Orthotics, and Supplies Provided to Beneficiaries During Inpatient Stays." Report No. A-09-17-03035. Issued November 29, 2018. (Prior audit: $34 million in improper payments, 2015–2017.)
3. 42 CFR §§ 409.10; Medicare Claims Processing Manual, Chapter 3, § 10.4. Federal requirements governing DMEPOS billing during inpatient stays.
4. CMS Common Working File system edits; modified January 2020 in response to prior OIG audit findings.