The Saudi Council of Health Insurance processes approximately 80 million claims worth nearly SAR 25 billion every year. The fee-for-service model that underpins the vast majority of those claims creates, as WHO's 2025 analysis of the Saudi system confirms, an elevated structural risk of supplier-induced demand, fraud, waste and abuse. That risk is widely acknowledged. What is discussed far less is the governance problem that compounds it: most organisations in the Saudi health insurance market lack the analytical architecture to distinguish between fraud, waste, abuse, and coding error. And the consequence of that conflation is expensive for everyone.
Claim rejection rates in Saudi Arabia tell part of the story. Research drawing on anti-fraud records from ten leading health insurance companies found an overall rejection rate of approximately 15 per cent between 2014 and 2019, with dental and obstetrics/gynaecology services recording the highest rates. For small and medium-sized hospitals, rejection rates ranged from 20 to 25 per cent. These are not primarily figures about criminal fraud. They include coding errors, documentation gaps, guideline deviations, and service-level disagreements that do not cross any legal threshold but produce rejected claims with the same financial effect for the provider who submitted them.
The analytical failure this represents is as consequential as the fraud it is meant to address.
The Three Conflations That Break FWA Governance
Fraud, waste, and abuse are different problems. They have different causes, different prevention strategies, different legal frameworks, and different appropriate remedies. Treating them as a single category produces detection systems calibrated for the wrong failure mode, with consequences that fall on organisations that are not the primary source of exposure.
Fraud is intentional. It involves deliberate misrepresentation: billing for services not rendered, upcoding, unbundling, or identity theft. It is the smallest category by volume, the most legally significant, and the hardest to detect without sophisticated analytical capability. In Saudi Arabia, SAMA distinguishes three overarching categories: internal fraud by employees, intermediary fraud by service providers, and policyholder fraud in the purchase of insurance products. Each requires a different governance response.
Waste is systemic. It arises from overutilisation driven by fee-for-service incentives, from unnecessary ordering of diagnostic tests, from medication substitution, and from care delivery patterns that exceed clinical necessity without constituting fraud. WHO's 2025 analysis of Saudi healthcare identifies supplier-induced demand as a structural feature of the system: the private sector, which delivers approximately 25 per cent of care, provides services for a fee, creating incentives to offer more services than required. This is a system design problem, not a conduct problem. It cannot be solved by rejecting claims.
Abuse is the middle ground: a pattern of practice that falls outside accepted medical, business, or fiscal standards without meeting the legal threshold for fraud. Examples include unnecessary admissions, excessive length of stay, and repeated use of high-margin procedures across a patient cohort. These patterns are identifiable analytically but require a different intervention than fraud does: education, network management, and contract-level incentive restructuring rather than claim rejection or legal referral.
When fraud detection catches coding errors and guideline deviations rather than criminal conduct, it creates a false positive rate that punishes compliant providers, strains network relationships, and leaves genuine fraud patterns undetected because the signal is buried in noise.
What the AR-DRG Transition Does to the FWA Risk Surface
The Saudi market's transition from fee-for-service to AR-DRG bundled episode payments does not reduce FWA risk. It transforms it. Under fee-for-service, the fraud surface is broad and granular: individual line items, individual procedures, individual consultations. Detection requires claim-level pattern recognition. Under AR-DRG, the fraud surface concentrates into the episode classification mechanism: which DRG is assigned, how comorbidities are coded, whether the principal diagnosis reflects the actual clinical presentation or has been selected to optimise the weight.
DRG upcoding, that is, coding a patient into a higher-weight DRG than the clinical record justifies, is analytically harder to detect than itemised claim inflation because it requires clinical coding review rather than statistical outlier analysis. It also generates higher revenue impact per episode than equivalent fraud under fee-for-service. The organisations whose FWA detection architecture was calibrated for line-item review under FFS will be systematically under-equipped to detect the DRG coding manipulation that becomes the dominant fraud mode after the transition.
The RGA Middle East insurance survey found that two-thirds of insurers in the region report at least 2 per cent of claims declined due to fraud and abuse, with 16 per cent reporting decline rates up to 10 per cent. Those figures were generated under a fee-for-service claims environment. The transition to DRG episode payments makes them unreliable as a baseline for planning FWA programme capability.
The False Positive Problem and Its Cost
False positives in FWA detection are not a secondary concern. When rejection and audit activity falls on providers who are coding accurately but triggering rules designed for a different fraud pattern, the consequences are material and compounding.
For the provider, a rejected claim is a cash-flow event. For a mid-tier hospital with 20 to 25 per cent rejection rates, the working capital impact of systematic false positive detection is equivalent to an involuntary credit facility extended to the insurer at the provider's expense. The administrative cost of resubmission, appeal, and reconciliation compounds the direct financial impact. And the relationship damage, experienced as payers treating compliant providers as suspects, is one of the most consistently underestimated costs of poorly calibrated FWA governance.
For the insurer, false positive rates distort the audit pipeline. Every legitimate provider appeal that results in a reversed rejection represents wasted adjudication cost and damages the credibility of future FWA actions. The signal-to-noise ratio in a detection system generating 20 per cent rejection rates at mid-tier hospitals is analytically degraded: genuine fraud patterns become harder to isolate because the volume of false positives drowns them.
Where FWA governance is failing insurers
- Detection systems calibrated for FFS line-item patterns cannot identify DRG upcoding or comorbidity manipulation
- False positive rates degrade the signal-to-noise ratio, making genuine fraud harder to isolate
- No analytical separation between fraud, waste, and abuse means remediation is systematically misdirected
- NISS expansion to 23 million beneficiaries dramatically increases the fraud surface before detection capability has been upgraded
- Actuarial reserves for FWA exposure are built on FFS loss patterns that will not hold under AR-DRG episode payments
Where FWA governance is failing providers
- Rejection rates of 20 to 25 per cent at mid-tier hospitals reflect a false positive problem, not a compliance failure
- No structured appeal process with defined timelines and reversal tracking makes rejection management reactive and expensive
- DRG coding training has not kept pace with the transition from FFS, creating documentation gaps that trigger audit flags without intent
- NPHIES fraud management module adoption does not equal an operational FWA governance programme
- Provider-side FWA exposure under IA oversight is increasing: the new Insurance Law creates a consolidated regulatory relationship where FWA patterns are visible across the full network
NPHIES Fraud Management: Infrastructure vs Governance
NPHIES includes fraud management as one of its core service modules. The platform reached 100 million insurance transactions by March 2023, making it one of the most comprehensively instrumented health information exchange systems in the region. The data is there. The transaction history is there. The coding records are there. What the platform provides is infrastructure. What it does not provide is governance.
An organisation that has connected to NPHIES and is submitting claims through the fraud management module has not thereby established an FWA governance programme. It has established a data pipe. Translating that data into actionable intelligence is a governance discipline that requires analytical capacity the platform does not supply. It means identifying patterns that distinguish fraud from waste from abuse from coding error, calibrating detection thresholds to produce a manageable false positive rate, building an appeal process that reverses incorrect flags without creating a systematic escape route for genuine fraud, and updating detection logic as the claims environment transitions from FFS to AR-DRG.
The gap between NPHIES transaction volume and FWA governance maturity is one of the least visible but most consequential structural weaknesses in the Saudi health insurance market. The organisations that close that gap before the NISS expansion arrives and before the AR-DRG transition reshapes the fraud surface are the ones that will manage their loss ratio through the reform period rather than discover their exposure in it.