Claims & Loss Prevention

Fraud Risks in Indian Cashless Healthcare Ecosystems

The IRDAI's cashless-everywhere mandate has scaled access dramatically. It has also opened fraud vectors that were less profitable when reimbursement flows dominated. Insurers, TPAs, and hospital networks now share an enforcement problem none can solve alone.

Tarun Kumar Singh
Strategic Risk & Compliance Specialist · AIII · CRICP · CIAFP

Last reviewed: May 2026

What Cashless Made Possible, on Both Sides

The IRDAI Master Circular on Health Insurance, 2024 pushed Indian insurers towards a cashless-everywhere standard, where any IRDAI-registered hospital can offer cashless treatment to any insured customer regardless of empanelment status. The change has been good for access: cashless settlement now covers over 80% of hospital-admissions claims by value at most major insurers, up from around 55% in 2020.

Access gains have not come for free. Cashless ecosystems concentrate the points where fraud can occur and reduce the friction that historically constrained ring-driven activity. Reimbursement workflows, where the policyholder paid first and recovered later, gave insurers the chance to verify the bill against the patient and the policy before payout. Cashless workflows compress the timeline: pre-authorisation in minutes, treatment in days, discharge bill settled in hours. Every step that reduces friction for genuine customers also reduces friction for those willing to game the system.

The Cashless-Specific Fraud Vectors

Six fraud vectors are distinctive to cashless ecosystems, in the sense that they are less common or less profitable in reimbursement flows.

Ghost admissions: cases where the patient does not actually exist or does not actually receive treatment. The hospital, often in collusion with an agent or a corrupt employee, submits a complete record (admission note, discharge summary, bills) and receives cashless payment. Detection requires post-admission verification visits or biometric capture at admission, which most networks do not yet maintain.

Length-of-stay padding: admitting a patient who needs a day of treatment for three days, with the third day being a notional observation period. The marginal cost to the hospital is small; the marginal revenue from the insurer is large. Common in cardiac, orthopaedic, and gastric admissions.

Procedure upgrading: billing a higher-cost variant of a procedure than was actually performed (laparoscopic instead of open, with implant instead of without, named-brand consumables instead of generic). The patient is rarely aware enough to dispute the bill.

Coding manipulation: choosing the ICD-10 and procedure code that produces the highest insurer payment within the technical compliance bounds. Many cashless tariffs use procedure-code-based pricing; a small change in the chosen code can produce a 30 to 50% price difference.

Pre-authorisation gaming: submitting an inflated estimate at pre-authorisation knowing the actual final bill will be negotiated downward, with the hospital pocketing the gap if the insurer pays the original estimate. Aggressive estimate practice is now near-universal at some networks.

Implant and consumables markup: marking up the cost of stents, joint replacements, and implantable devices well beyond their procurement price. The National Pharmaceutical Pricing Authority caps some categories, but uncapped categories see persistent markup.

Member-Side and Network-Side Fraud

Member-side fraud, while less voluminous than provider-side fraud, has its own cashless-specific patterns.

  • card sharing: an insured customer's card or e-card is used to treat a non-covered relative or acquaintance, with hospital cooperation
  • policy switching at admission: an admission begun on one policy is shifted to another with broader coverage or higher sub-limits
  • pre-existing concealment: cashless pre-authorisation submitted with concealment of pre-existing conditions that would otherwise trigger a waiting period
  • multi-insurer claiming: the same admission is claimed cashless on one policy and reimbursement on another
  • agent-driven enrolment for treatment: families enrolling specifically to obtain treatment, with the agent coordinating the timing

Pre-Authorisation Controls That Actually Work

Pre-authorisation is the highest-impact control point in a cashless ecosystem. The IRDAI's expectation is that authorisation be returned within 60 minutes for emergency admissions and 2 to 6 hours for elective admissions. Within this window, the insurer or TPA must validate medical necessity, policy eligibility, and tariff alignment.

A working pre-authorisation architecture includes:

  • case-mix-aware rules flagging admissions where the diagnosis does not typically warrant inpatient care
  • length-of-stay benchmarks flagging requested durations exceeding peer norms by a defined margin
  • estimate-pattern scoring identifying hospitals whose estimates consistently exceed final bills, suggesting padding behaviour
  • member-pattern signals identifying recently enrolled members with high-cost diagnoses or repeated admissions
  • provider-pattern signals flagging hospitals with adverse history
  • clinical review by a medical officer empowered to ask for additional documentation, propose alternative care plans, or query the diagnosis

The architecture must balance throughput with rigour. A pre-authorisation function that asks for additional documentation on every case slows access and produces complaint volumes; one that approves automatically misses the cases worth investigating. Most insurers calibrate to flag 8 to 15% of cases for enhanced review.
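The rule layer of such an architecture can be sketched as follows. This is an added example, not code from the article or from any insurer's system; it implements three of the signals listed above (length-of-stay benchmark, estimate-pattern scoring, member-pattern signal). Every benchmark, threshold, field name and sample record is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

# All benchmarks and thresholds below are constructed for illustration.
LOS_NORM_DAYS = {"appendectomy": 2, "angioplasty": 3}  # peer-norm stay per procedure
LOS_MARGIN = 1.5             # flag when requested stay exceeds 1.5x the peer norm
ESTIMATE_RATIO_LIMIT = 1.25  # flag hospitals whose estimates run >25% over final bills
RECENT_ENROLMENT_DAYS = 120  # "recently enrolled" window (assumed)
HIGH_COST_INR = 500_000      # "high-cost" estimate floor (assumed)

@dataclass
class PreAuth:
    hospital_id: str
    procedure: str
    requested_days: int
    estimate_inr: int
    enrolled_on: date
    requested_on: date

def estimate_ratio(history):
    """Median estimate/final-bill ratio over a hospital's settled cases."""
    return median(est / final for est, final in history) if history else None

def triage(req, hospital_history):
    """Return the reasons to route this request to enhanced review."""
    reasons = []
    norm = LOS_NORM_DAYS.get(req.procedure)
    if norm is None:
        reasons.append("no_los_benchmark")  # unknown procedure: never auto-approve
    elif req.requested_days > norm * LOS_MARGIN:
        reasons.append("los_exceeds_peer_norm")
    ratio = estimate_ratio(hospital_history.get(req.hospital_id, []))
    if ratio is not None and ratio > ESTIMATE_RATIO_LIMIT:
        reasons.append("hospital_estimate_padding")
    tenure = (req.requested_on - req.enrolled_on).days
    if tenure <= RECENT_ENROLMENT_DAYS and req.estimate_inr >= HIGH_COST_INR:
        reasons.append("recent_enrolment_high_cost")
    return reasons

# Constructed sample data: (estimate, final bill) pairs per hospital.
HISTORY = {"H-001": [(100_000, 98_000), (250_000, 240_000), (80_000, 82_000)],
           "H-002": [(300_000, 200_000), (150_000, 110_000), (400_000, 310_000)]}
CLEAN = PreAuth("H-001", "appendectomy", 2, 90_000, date(2022, 1, 10), date(2025, 3, 1))
RISKY = PreAuth("H-002", "angioplasty", 6, 650_000, date(2025, 1, 5), date(2025, 3, 1))
```

An empty reason list corresponds to straight-through approval; the share of requests that return at least one reason is the flag rate the thresholds are tuned against.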

Discharge and Bill Audit

Even with strong pre-authorisation, fraud and abuse can shift into the discharge bill. Bill audit at discharge has become a routine TPA function, but the depth varies materially across networks.

A capable discharge-audit programme:

  • compares discharge bill line items against the pre-authorisation estimate
  • validates each line item against the documented procedure and clinical course
  • checks the discharge ICD coding for consistency with the admission diagnosis
  • benchmarks consumables and pharmacy charges against network averages
  • verifies implant pricing against NPPA caps and procurement evidence
  • runs a clinical-narrative review where the discharge summary suggests inconsistency

The audit must complete within the discharge window, typically 4 to 8 hours, to support the patient's discharge process. Indian TPAs are increasingly running automated bill-audit tools that flag anomalies for human review, with human reviewers focused on the 15 to 25% of bills the automation surfaces rather than every case.

Where significant discrepancies are detected, the insurer or TPA can negotiate down the bill, reject specific line items, or pursue post-pay audit. The IRDAI's expectation is that legitimate components of the bill are settled without delay; disputed components can be subject to escalation procedures without holding up the discharge of the patient.
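The automated part of that audit, and the split between components settled immediately and components held for escalation, can be sketched like this. It is an added example rather than the article's or any TPA's tooling; the record layout, the 10% tolerance, the implant ceiling and the sample bill are all constructed assumptions, and the ceiling is a placeholder, not a published NPPA figure.

```python
# Constructed tolerance and ceiling; real values come from the tariff
# agreement and the published NPPA caps, which this example does not reproduce.
OVERRUN_TOLERANCE = 0.10
IMPLANT_CAP_INR = {"stent_des": 30_000}  # placeholder ceiling per unit

def audit_bill(preauth, bill):
    """Map each disputed bill line (by code) to the reasons it was flagged."""
    findings = {}
    for item in bill["items"]:
        code, amount = item["code"], item["amount_inr"]
        reasons = []
        approved = preauth["items"].get(code)
        if approved is None:
            reasons.append("not_in_preauth")
        elif amount > approved * (1 + OVERRUN_TOLERANCE):
            reasons.append("exceeds_estimate")
        cap = IMPLANT_CAP_INR.get(item.get("implant"))
        if cap is not None and amount > cap * item.get("qty", 1):
            reasons.append("implant_over_cap")
        if reasons:
            findings[code] = reasons
    # Compare the three-character ICD-10 category, so a more specific
    # subcode of the admission diagnosis still counts as consistent.
    if bill["icd10"][:3] != preauth["icd10"][:3]:
        findings["icd10"] = ["diagnosis_changed"]  # routed to clinical review
    return findings

def split_settlement(preauth, bill):
    """Return (settle-now amount, held amount, findings) for a discharge bill."""
    findings = audit_bill(preauth, bill)
    total = sum(i["amount_inr"] for i in bill["items"])
    held = sum(i["amount_inr"] for i in bill["items"] if i["code"] in findings)
    return total - held, held, findings

# Constructed sample: one cardiac admission, estimate versus discharge bill.
PREAUTH = {"icd10": "I21.9",
           "items": {"room": 12_000, "ptca": 120_000, "stent": 30_000, "pharmacy": 15_000}}
BILL = {"icd10": "I21.4", "items": [
    {"code": "room", "amount_inr": 12_500},
    {"code": "ptca", "amount_inr": 120_000},
    {"code": "stent", "amount_inr": 48_000, "implant": "stent_des", "qty": 1},
    {"code": "pharmacy", "amount_inr": 21_000},
    {"code": "icu", "amount_inr": 18_000},
]}
```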

Network Governance and Empanelment Discipline

Cashless-everywhere does not remove the importance of preferred network empanelment. Insurers retain significant control through tariff agreements, preferred-network arrangements, and de-empanelment rights for serious fraud.

Network governance levers that matter:

  • tariff agreements that fix prices for major procedures, narrowing the gaming surface
  • empanelment audit programmes with documented periodic visits, including unannounced visits to high-volume providers
  • fraud-clause termination rights in empanelment contracts, with clear definitions and procedures
  • provider scorecards combining clinical, billing, and fraud signals, shared with the provider periodically
  • escrow or hold-back mechanisms for hospitals under active investigation

The IRDAI's 2024 master circular and the Insurance Council initiatives have encouraged cross-insurer information sharing on flagged providers, with a national fraud database in development. The infrastructure is not yet uniform, and information sharing remains partial; insurers that build their own internal database meaningfully reduce repeat exposure to known bad actors.

What Insurers, TPAs, and Hospitals Each Owe

Cashless fraud is a coordination problem. No single party can solve it alone, and the current Indian distribution of responsibility creates accountability gaps that fraudsters exploit.

Insurers owe the product design, the network strategy, the analytics investment, and the consequence management for confirmed fraud. They cannot delegate accountability to TPAs by contract and remain unaware of network-level patterns.

TPAs owe the operational discipline: pre-authorisation rigour, discharge audit, provider engagement, case-level investigation, and clinical review capability. They cannot run as billing intermediaries without taking the fraud-control responsibility their position requires.

Hospitals owe accurate billing, accurate coding, and cooperation with audit and investigation. Hospitals that treat audit cooperation as optional, or that retaliate against staff who flag internal billing issues, are propagating the problem.

Regulators owe a coherent enforcement environment: clarity on what constitutes fraud versus billing dispute, expectations on insurer and TPA fraud programmes, and law-enforcement coordination for serious cases. The IRDAI's 2024 fraud-control guidance moves in this direction; further specificity is expected as enforcement matures.

Getting cashless right is increasingly a test of whether Indian health insurance can scale to its next phase. Fraud control is not a cost to be minimised; it is the foundation on which the cashless promise rests.

About the Author

Tarun Kumar Singh

Strategic Risk & Compliance Specialist

  • AIII
  • CRICP
  • CIAFP
  • Board Advisor, Finexure Consulting
  • Developer of the Behavioural Underinsurance Risk Index (BURI)

Tarun Kumar Singh is a seasoned risk management and insurance professional based in Bengaluru. He serves as Board Advisor at Finexure Consulting, where he advises insurance, fintech, and regulated firms on governance, growth, and trust. His work spans insurance broker regulatory frameworks across India, UAE, and ASEAN, IRDAI compliance and Corporate Agency model reform, VC governance in insurtech, and MSME insurance gap analysis. He is the developer of the Behavioural Underinsurance Risk Index (BURI), a framework applying behavioural economics to underinsurance and insurance fraud risk.

Frequently Asked Questions

What is cashless-everywhere and how does it work?
Cashless-everywhere is the IRDAI's policy direction, formalised in the 2024 Master Circular on Health Insurance, requiring insurers to extend cashless settlement to any IRDAI-registered hospital regardless of prior empanelment with the insurer. The policyholder no longer pays first and recovers later; the hospital bills the insurer or TPA directly, subject to pre-authorisation and policy limits. Implementation across insurers and hospital networks is ongoing, with operational pathways for non-empanelled cashless still maturing. The change has materially expanded access for policyholders, particularly outside major-city networks.
What is the single biggest fraud risk in cashless ecosystems?
There is no single biggest risk, but agent-driven enrolment-for-treatment rings produce the highest cost per case and have been most visible in 2024-2025 IRDAI investigations. An agent identifies a member with an impending high-cost health need, facilitates enrolment with concealment of the condition, waits out the minimum waiting period, and channels the member through a cooperating hospital. The cost per case can reach INR 25 lakh and the pattern is well organised. Detection requires graph analytics across enrolment, claim, agent, and provider data, and remains an active area of insurer investment.
Can pre-authorisation effectively prevent fraud?
It is the highest-impact control point but not a complete solution. Pre-authorisation can validate medical necessity, policy eligibility, and tariff alignment within the time window before treatment begins. It cannot detect every form of fraud, particularly intra-treatment upgrading, discharge-bill padding, or member-side concealment that is technically consistent with the diagnosis at admission. A complete programme combines pre-authorisation with discharge-bill audit, post-pay statistical sampling, provider-pattern analytics, and graph-driven ring detection. Each layer catches what the previous misses, with diminishing but real marginal returns.
What is the insurer's responsibility versus the TPA's?
The insurer owns product design, network strategy, analytics investment, and consequence management for confirmed fraud. The TPA owns operational discipline: pre-authorisation rigour, discharge audit, provider engagement, case-level investigation, and clinical review. Insurers that delegate accountability to the TPA by contract while remaining unaware of network-level fraud patterns are not meeting current IRDAI expectations. TPAs that operate as billing intermediaries without taking real fraud-control responsibility are exposed to insurer commercial action and to IRDAI conduct expectations. The two parties succeed or fail together; the contract should reflect that interdependence.
