2025017

Information requested

2025017 13/8/2025 Request regarding information for Low Income Scheme, Overseas Visitor Charging and eligibility-linked representation for NHSCFA. This request concerns fraud risk, detection, investigation and recovery relating to NHS Low Income Scheme exemptions (HC2/HC3), Overseas Visitor Charging, and eligibility-linked misrepresentation, particularly in light of the UK Supreme Court’s rulings on the legal meaning of “sex” in the Equality Act 2010 (For Women Scotland Ltd v Scottish Ministers (No. 2) [2024] UKSC 12). Please treat “recorded information” broadly (emails, minutes, guidance, reports, registers, datasets, training materials).

Date range: 1 January 2019 to the date of your response, highlighting any items created after 16 April 2025.

Definitions (for clarity):

• HC2/HC3: NHS Low Income Scheme exemption/remission certificates administered by NHSBSA.
• Overseas Visitor Charging: charging regimes under the NHS (Charges to Overseas Visitors) Regulations and associated guidance.
• Eligibility misrepresentation: false declarations of attributes (including where sex/legal category is material to entitlement, charging, or exemptions).

1) Risk, detection & alerts

1. Fraud risk assessments, RAG risk registers, typologies, detection rules/indicators, intelligence products and fraud alerts concerning:
   1. HC2/HC3 misuse;
   2. Avoidance of Overseas Visitor Charging;
   3. Eligibility misrepresentation where sex/legal category is material.
2. For each document, please include document-control metadata (title/ref, owner, version, date) and distribution lists (e.g., NHS England, ICBs/Trusts, NHSBSA, Overseas Visitor Managers (OVMs)).

2) Guidance, coordination & policy influence

1. Guidance/circulars/coordination notes from NHSCFA to NHS England, ICBs/Trusts, NHSBSA or OVMs on preventing, detecting or reporting suspected HC2/HC3 misuse and Overseas Visitor Charging fraud.
2. Any post-UKSC updates (after 16 April 2025) addressing data accuracy where sex is relevant to entitlement/charging.
3. MoUs, Data Sharing Agreements/DPAs, or protocols with NHSBSA, Home Office, DWP, HMRC relevant to the above.

3) Investigations & outcomes (aggregated)

Annual totals (2019→present) for: allegations/intelligence logs received; cases opened; outcomes (prosecutions, civil/criminal sanctions, administrative penalties, NFA); monies prevented/recovered and any POCA figures—split by:

1. HC2/HC3 misuse;
2. Overseas Visitor Charging fraud;
3. Eligibility misrepresentation where sex/legal category was material.

Please also provide any trend/lessons-learned summaries (titles/dates/exec summaries if full reports engage exemptions).

4) Systems, vendors & controls

1. Names of analytics/case-management tools and any external vendors used for detection/investigation of the above themes; indicator fields relied upon; and post-April-2025 rule/configuration changes to address data integrity where sex/legal category is relevant.
2. Descriptions of data-quality controls and escalation routes to NHSBSA/NHS England/OVMs.

5) Training & communications

Training materials, webinar decks, or briefings issued to NHSCFA, NHS antifraud teams, ICBs/Trusts or OVMs since 2019 covering HC2/HC3, Overseas Visitor Charging fraud, or eligibility misrepresentation (flag any updates after 16 April 2025).

Please include any communications with DHSC, NHS England, NHSBSA or the ICO/DRCF where fraud-risk intersects with identity/eligibility profiling and lawful use of personal data for fraud prevention.

6) Fraud Loss Measurement (FLM) / audit activity / Counter Fraud Standards

1. Any FLM exercises, post-payment checks, sampling studies or national audits that quantify losses/error for HC2/HC3 or Overseas Visitor Charging, with titles/dates and any executive summaries.
2. Summaries or dashboards arising from Counter Fraud Standards (NHS) assessments that reference these risk areas (aggregate provider-level scoring/rag status is sufficient).

7) Procurement/third-party contracts & conflicts of interest (fraud risk)

1. Recorded information (risk reviews, internal memos, audit findings, red/amber risk flags) concerning procurement and contract fraud risks in EDI/DEI-related consultancy/membership/training purchased by NHS bodies where NHSCFA has assessed or advised (e.g., single-tender actions, price inflation, sham deliverables, undisclosed conflicts of interest).
2. Any fraud alerts, case studies or prevention guidance issued by NHSCFA to NHS bodies addressing EDI/DEI vendor risks, including gifts/hospitality and COI controls.

(Please provide aggregate findings and example documents; individual provider names may be redacted if necessary.)

8) Whistleblowing/referrals & intelligence sources (aggregated)

Annual counts (2019→present) of protected disclosures/referrals to NHSCFA specific to the themes in this FOI, with recorded outcomes (e.g., intelligence only, prevention action, investigation opened).

9) National Fraud Initiative (NFI) / data-matching liaison

Any NHSCFA records of liaison with the Cabinet Office NFI or other data-matching exercises that specifically relate to HC2/HC3, Overseas Visitor Charging, or the eligibility risks above—titles/dates and high-level outputs only (no raw personal data requested).

10) If not held / not within remit

Where NHSCFA holds no records or took no action on any limb, please provide NHSCFA’s recorded rationale/governance note (e.g., “handled by NHSBSA/NHS England/Trust antifraud teams/OVMs”).

NHSCFA response

In response to your request, it may be helpful to explain as follows:

The NHS Charges to Overseas Visitors is overseen by NHS Business Services Authority(BSA) Provider Assurance and The Dept of Health & Social Care (DHSC) Overseas Policy teams with local disputes / issues managed by the respective Trust Overseas Visitor Manager (OVM).

Guidance on cost recovery for overseas visitors is published by the Department of Health and Social Care:

Charging overseas visitors in England: guidance for providers of NHS services - GOV.UK

In addition, responsibility for the Low Income Scheme (HC2/HC3) lies with the NHSBSA Provider Assurance.

However, the NHSCFA has identified the following information that falls in scope of your request:

1) Risk, detection & alerts

1. Fraud risk assessments, RAG risk registers, typologies, detection rules/indicators, intelligence products and fraud alerts concerning:
   1. HC2/HC3 misuse;
   2. Avoidance of Overseas Visitor Charging; iii. Eligibility misrepresentation where sex/legal category is material.
2. For each document, please include document-control metadata (title/ref, owner, version, date) and distribution lists (e.g., NHS England, ICBs/Trusts, NHSBSA, Overseas Visitor Managers (OVMs)).
4. a)
   1. NHS Counter Fraud Authority holds no fraud risk assessment, RAG risk registers, typologies, detection rules, intelligence products or fraud alerts in relation to HC2/HC3 misuse.
   2. The Authority holds a fraud risk assessment on Overseas Health Service which contains some information relevant to your request. This document is produced by the NHS Business Service Authority.

      The information is being withheld as it falls under the exemption in section 31(1)(a)(g) and 31(2)(a) the Act. In applying this exemption we have had to balance the public interest in withholding the information against the public interest in disclosing the information The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

   3. Refer to attached briefing document shared internally within our Intelligence Unit.

2) Guidance, coordination & policy influence

1. Guidance/circulars/coordination notes from NHSCFA to NHS England, ICBs/Trusts, NHSBSA or OVMs on preventing, detecting or reporting suspected HC2/HC3 misuse and Overseas Visitor Charging fraud.
2. Any post-UKSC updates (after 16 April 2025) addressing data accuracy where sex is relevant to entitlement/charging.
3. MoUs, Data Sharing Agreements/DPAs, or protocols with NHSBSA, Home Office, DWP, HMRC relevant to the above.

1. The Authority holds information within the Quarterly Threat Assessments (QTA) pertaining to Patient Exemption Fraud/Help with Health Costs.

The QTAs are circulated to the fraud community within the health sector.

The information is being withheld as it falls under the exemption in section 31(1)(a)(g) and 31(2)(a) the Act. In applying this exemption we have had to balance the public interest in withholding the information against the public interest in disclosing the information The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

Information on patient exemption fraud and fraudulent access to NHS care by overseas visitors is published in the NHSCFA Strategic Intelligence Assessment:

Previous strategic intelligence assessments | Strategic Intelligence Assessment 2024 | NHSCFA

Strategic Intelligence Assessment 2024 | Corporate publications | NHSCFA

2. The Authority does not hold any post-UKSC updates (after 16 April 2025) addressing data accuracy where sex is relevant to entitlement/charging.
3. The Authority does not hold any MoUs, Data Sharing Agreements/DPAs, or protocols with NHSBSA, Home Office, DWP, HMRC relevant to the above.

3) Investigations & outcomes (aggregated)

Annual totals (2019→present) for: allegations/intelligence logs received; cases opened; outcomes (prosecutions, civil/criminal sanctions, administrative penalties, NFA); monies prevented/recovered and any POCA figures—split by:

1. HC2/HC3 misuse;
2. Overseas Visitor Charging fraud;
3. Eligibility misrepresentation where sex/legal category was material.

Please also provide any trend/lessons-learned summaries (titles/dates/exec summaries if full reports engage exemptions).

3) Investigations & outcomes (aggregated)

1. From 01/01/2019 to 31/08/2025 the NHSCFA received the following number of allegations relating to HC2/HC3 misuse

Four of these allegations became investigations (all in 2022). Fraud was identified in one of these but there are no criminal or civil sanctions or monies prevented/recovered.

2. From 01/01/2019 to 31/08/2025 the NHSCFA received the following number of allegations relating to Overseas Charging fraud

Of these there are 21 closed investigations where fraud has been identified.

The NHSCFA does not hold records of prosecutions, criminal/civil sanctions, administrative penalties, moneys recovered and POCA figures.

Prosecution and recovery of a debt is at the discretion of the Overseas Visitor Manager. Information pertaining to this can be accessed here:

Charging overseas visitors in England: guidance for providers of NHS services - GOV.UK

(iii) Eligibiliy Misrepresentation – The Authority does not hold any information for this category.

The Authority does not hold any trend/lessons-learned summaries,

4) Systems, vendors & controls

1. Names of analytics/case-management tools and any external vendors used for detection/investigation of the above themes; indicator fields relied upon; and post-April-2025 rule/configuration changes to address data integrity where sex/legal category is relevant.
2. Descriptions of data-quality controls and escalation routes to NHSBSA/NHS England/OVMs.

1. The Authority utilizes the iBase system for gathering and recording intelligence and the CLUE system for case management.
2. The Authority does not hold Descriptions of data-quality controls and escalation routes to NHSBSA/NHS England/OVMs.

5) Training & communications

Training materials, webinar decks, or briefings issued to NHSCFA, NHS antifraud teams, ICBs/Trusts or OVMs since 2019 covering HC2/HC3, Overseas Visitor Charging fraud, or eligibility misrepresentation (flag any updates after 16 April 2025).

Please include any communications with DHSC, NHS England, NHSBSA or the ICO/DRCF where fraud-risk intersects with identity/eligibility profiling and lawful use of personal data for fraud prevention.

The Authority does not hold Training materials, webinar decks, or briefings issued to NHSCFA, NHS antifraud teams, ICBs/Trusts or OVMs since 2019 covering HC2/HC3, Overseas Visitor Charging fraud, or eligibility misrepresentation or any communications with DHSC, NHS England, NHSBSA or the ICO/DRCF where fraud-risk intersects with identity/eligibility profiling and lawful use of personal data for fraud prevention.

NHSBSA and DHSC may hold information pertaining to this request.

6) Fraud Loss Measurement (FLM) / audit activity / Counter Fraud Standards

1. Any FLM exercises, post-payment checks, sampling studies or national audits that quantify losses/error for HC2/HC3 or Overseas Visitor Charging, with titles/dates and any executive summaries.
2. Summaries or dashboards arising from Counter Fraud Standards (NHS) assessments that reference these risk areas (aggregate provider-level scoring/rag status is sufficient).

1. Attached are executive summaries for fraud loss measurement exercises conducted for Patient Prescription Fraud.

1. NHS Prescription fraud loss analysis exercise 2019-2020.
2. NHS RTEC Patient prescription fraud 2022-23 – Some of this information has been redacted and withheld as it falls under the exemption in section 31(1)(a)(g) and 31(2)(a) the Act. In applying this exemption we have had to balance the public interest in withholding the information against the public interest in disclosing the information The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

NHSCFA have not conducted any Fraud Loss Measurement exercises, post-payment checks, sampling studies or national audits for overseas visitor charging.

The DHSC may hold this information

2. The Authority does not hold any summaries or dashboards arising from Counter Fraud Standards (NHS) assessments that reference these risk areas.

7) Procurement/third-party contracts & conflicts of interest (fraud risk)

1. Recorded information (risk reviews, internal memos, audit findings, red/amber risk flags) concerning procurement and contract fraud risks in EDI/DEI-related consultancy/membership/training purchased by NHS bodies where NHSCFA has assessed or advised (e.g., single-tender actions, price inflation, sham deliverables, undisclosed conflicts of interest).
2. Any fraud alerts, case studies or prevention guidance issued by NHSCFA to NHS bodies addressing EDI/DEI vendor risks, including gifts/hospitality and COI controls.

(Please provide aggregate findings and example documents; individual provider names may be redacted if necessary.)

The Authority does not hold any Recorded information (risk reviews, internal memos, audit findings, red/amber risk flags) concerning procurement and contract fraud risks in EDI/DEI-related consultancy/membership/training purchased by NHS bodies where NHSCFA has assessed or advised (e.g., single-tender actions, price inflation, sham deliverables, undisclosed conflicts of interest).

Any fraud alerts, case studies or prevention guidance issued by NHSCFA to NHS bodies addressing EDI/DEI vendor risks, including gifts/hospitality and COI controls.

8) Whistleblowing/referrals & intelligence sources (aggregated)

Annual counts (2019→present) of protected disclosures/referrals to NHSCFA specific to the themes in this FOI, with recorded outcomes (e.g., intelligence only, prevention action, investigation opened).

i. From 01/01/2019 to 31/08/2025 the NHSCFA received the following number of allegations relating to HC2/HC3 misuse from people making a protected disclosure

None of these became investigations.

ii. From 01/01/2019 to 31/08/2025 the NHSCFA received the following number of allegations relating to Overseas Charging fraud from people making a protected disclosure: -

There are no closed investigations from these reports where any fraud was identified.

iii. There were no allegations involving eligibility misrepresentation where sex/legal category was material.

9) National Fraud Initiative (NFI) / data-matching liaison

Any NHSCFA records of liaison with the Cabinet Office NFI or other data-matching exercises that specifically relate to HC2/HC3, Overseas Visitor Charging, or the eligibility risks above—titles/dates and high-level outputs only (no raw personal data requested).

The Authority does not hold any NHSCFA records of liaison with the Cabinet Office NFI or other data-matching exercises that specifically relate to HC2/HC3, Overseas Visitor Charging, or the eligibility risks above

The information is held by individual health bodies.