Medicare Recovery Audit Contracting
Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight
Gao ID: GAO-10-143 March 31, 2010
The Centers for Medicare & Medicaid Services (CMS) conducted a mandated 3-year project from March 2005 through March 2008 to demonstrate the use of recovery audit contractors (RAC) in identifying Medicare improper payments and recouping overpayments. CMS implemented a mandated national RAC program, which began in March 2009. GAO was asked to examine specific issues that arose during the demonstration project and CMS's efforts to address them in the national RAC program. This report examines the extent to which CMS (1) developed a process and took corrective actions to address vulnerabilities identified by the RACs that led to improper payments, (2) resolved coordination issues between the RACs and the Medicare claims administration contractors, and (3) established methods to oversee RAC claim review accuracy and provider service during the national program. GAO reviewed CMS documents and interviewed officials from CMS and contractors and provider groups affected by the demonstration project.
CMS did not establish an adequate process in the 3-year demonstration project or in planning for the national program to address RAC-identified vulnerabilities that led to improper payments, such as paying duplicate claims for the same service. CMS stated that one purpose of the demonstration project was to obtain information to help prevent improper payments. However, CMS has not yet implemented corrective actions for 60 percent of the most significant RAC-identified vulnerabilities that led to improper payments, a situation that left 35 of 58 unaddressed. These were vulnerabilities for which RACs identified over $1 million in improper payments for medical services or $500,000 for durable medical equipment. CMS developed a spreadsheet, which listed the most significant improper payment vulnerabilities that were identified by the RACs during the demonstration project. However, the agency did not develop a plan to take corrective action or implement sufficient monitoring, oversight, and control activities to ensure these significant vulnerabilities were addressed. Thus, CMS did not address significant vulnerabilities representing $231 million in overpayments identified by the RACs during the demonstration project. For the RAC national program, CMS developed a process to compile identified vulnerabilities and recommend actions to prevent improper payments. However, this corrective action process lacks certain essential procedures and staff with the authority to ensure that these vulnerabilities are resolved promptly and adequately to prevent further improper payments. Based on lessons learned during the demonstration project, CMS took multiple steps in the national program to resolve coordination issues between the RACs and Medicare claims administration contractors. During the demonstration project, CMS learned that having regular communication with the claims administration contractors on improper payment vulnerabilities that the RACs were identifying was important. CMS also learned that the data warehouse used to store claims information for the RACs needed more capacity and utility, that manual claims adjustment by claims administration contractors to recoup improper payments was burdensome, and that sharing paper copies of medical records between RACs and claims administration contractors when claims denials were appealed was difficult to manage. As a result, CMS took steps to resolve these coordination issues in the national program, such as enhancing the existing data warehouse and automating the claims-adjustment process. CMS took steps to improve oversight of the accuracy of RACs' claims reviews and the quality of their service to providers for the national program. CMS added processes to review the accuracy of RAC determinations, including independent reviews by another CMS contractor. CMS also established requirements to address provider concerns about service, such as having the RACs establish Web sites that will allow providers to track the status of a claim being reviewed. In addition, CMS established performance metrics that the agency will use to monitor RAC accuracy and service to providers.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-10-143, Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight
This is the accessible text file for GAO report number GAO-10-143
entitled 'Medicare Recovery Audit Contracting: Weaknesses Remain in
Addressing Vulnerabilities to Improper Payments, Although Improvements
Made to Contractor Oversight' which was released on March 31, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
March 2010:
Medicare Recovery Audit Contracting:
Weaknesses Remain in Addressing Vulnerabilities to Improper Payments,
Although Improvements Made to Contractor Oversight:
GAO-10-143:
GAO Highlights:
Highlights of GAO-10-143, a report to congressional requesters.
Why GAO Did This Study:
The Centers for Medicare & Medicaid Services (CMS) conducted a
mandated 3-year project from March 2005 through March 2008 to
demonstrate the use of recovery audit contractors (RAC) in identifying
Medicare improper payments and recouping overpayments. CMS implemented
a mandated national RAC program, which began in March 2009.
GAO was asked to examine specific issues that arose during the
demonstration project and CMS‘s efforts to address them in the
national RAC program. This report examines the extent to which CMS (1)
developed a process and took corrective actions to address
vulnerabilities identified by the RACs that led to improper payments,
(2) resolved coordination issues between the RACs and the Medicare
claims administration contractors, and (3) established methods to
oversee RAC claim review accuracy and provider service during the
national program. GAO reviewed CMS documents and interviewed officials
from CMS and contractors and provider groups affected by the
demonstration project.
What GAO Found:
CMS did not establish an adequate process in the 3-year demonstration
project or in planning for the national program to address RAC-
identified vulnerabilities that led to improper payments, such as
paying duplicate claims for the same service. CMS stated that one
purpose of the demonstration project was to obtain information to help
prevent improper payments. However, CMS has not yet implemented
corrective actions for 60 percent of the most significant RAC-
identified vulnerabilities that led to improper payments, a situation
that left 35 of 58 unaddressed. These were vulnerabilities for which
RACs identified over $1 million in improper payments for medical
services or $500,000 for durable medical equipment. CMS developed a
spreadsheet, which listed the most significant improper payment
vulnerabilities that were identified by the RACs during the
demonstration project. However, the agency did not develop a plan to
take corrective action or implement sufficient monitoring, oversight,
and control activities to ensure these significant vulnerabilities
were addressed. Thus, CMS did not address significant vulnerabilities
representing $231 million in overpayments identified by the RACs
during the demonstration project. For the RAC national program, CMS
developed a process to compile identified vulnerabilities and
recommend actions to prevent improper payments. However, this
corrective action process lacks certain essential procedures and staff
with the authority to ensure that these vulnerabilities are resolved
promptly and adequately to prevent further improper payments.
Based on lessons learned during the demonstration project, CMS took
multiple steps in the national program to resolve coordination issues
between the RACs and Medicare claims administration contractors.
During the demonstration project, CMS learned that having regular
communication with the claims administration contractors on improper
payment vulnerabilities that the RACs were identifying was important.
CMS also learned that the data warehouse used to store claims
information for the RACs needed more capacity and utility, that manual
claims adjustment by claims administration contractors to recoup
improper payments was burdensome, and that sharing paper copies of
medical records between RACs and claims administration contractors
when claims denials were appealed was difficult to manage. As a
result, CMS took steps to resolve these coordination issues in the
national program, such as enhancing the existing data warehouse and
automating the claims-adjustment process.
CMS took steps to improve oversight of the accuracy of RACs‘ claims
reviews and the quality of their service to providers for the national
program. CMS added processes to review the accuracy of RAC
determinations, including independent reviews by another CMS
contractor. CMS also established requirements to address provider
concerns about service, such as having the RACs establish Web sites
that will allow providers to track the status of a claim being
reviewed. In addition, CMS established performance metrics that the
agency will use to monitor RAC accuracy and service to providers.
What GAO Recommends:
GAO recommends that CMS improve its corrective action process by
designating responsible personnel with authority to evaluate and
promptly address RAC-identified vulnerabilities to reduce improper
payments. CMS agreed with GAO‘s recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-143] or key
components. For more information, contact Kathleen M. King at (202)
512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-9095 or
dalykl@gao.gov.
[End of section]
Contents:
Letter:
Background:
CMS Did Not Establish an Adequate Process to Address RAC-Identified
Vulnerabilities That Led to Improper Payments; Corrective Actions Were
Limited:
CMS Is Taking Action to Resolve RAC and Medicare Claims Administration
Contractor Coordination Issues:
CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service
to Providers:
Conclusions:
Recommendations for Executive Action:
Agency and Other External Comments:
Appendix I: Selected Changes Made to the Medicare National Recovery
Audit Contractors (RAC) Program:
Appendix II: Comments from the Department of Health & Human Services:
Appendix III: GAO Contacts and Staff Acknowledgments:
Table:
Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics
Related to Accuracy and Provider Service:
Figures:
Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review
Process:
Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase-
in Schedule:
Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program:
Figure 4: Status of Corrective Actions for Vulnerabilities with
Improper Payments of Greater Than $1 Million, as of the End of the
Recovery Audit Contractor Demonstration Project--March 2008:
Figure 5: Interdependence of Recovery Audit Contractors (RACs) and
Medicare Administrative Contractors (MACs):
Abbreviations:
CMS: Centers for Medicare & Medicaid Services:
DME: durable medical equipment:
FFS: fee-for-service:
HHS: Department of Health and Human Services:
IPPP: Improper Payment Prevention Plan:
LCD: local coverage determination:
MAC: Medicare Administrative Contractor:
MMA: Medicare Prescription Drug, Improvement, and Modernization Act of
2003:
NCD: national coverage determination:
OFM: Office of Financial Management:
RAC: recovery audit contractor:
VC: validation contractor:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
March 31, 2010:
Congressional Requesters:
For almost 20 years, we have designated Medicare, which provides
health insurance for those aged 65 and older and certain disabled
persons, as a high risk program due to the its size and complexity, as
well as its susceptibility to mismanagement and improper payments.
[Footnote 1] Improper payments may be due to errors, such as the
inadvertent submission of duplicate claims for the same service, or
misconduct, such as fraud and abuse.[Footnote 2] In 2009, the
Department of Health and Human Services (HHS) estimated that
approximately $24.1 billion, or 7.8 percent of Medicare fee-for-
service (FFS)[Footnote 3] payments for claims from April 2008 through
March 2009 were improper.[Footnote 4] Because billions of dollars are
paid in error each year, the Centers for Medicare & Medicaid Services
(CMS)--the HHS agency that administers the Medicare program--conducts
a number of activities to reduce improper payments.[Footnote 5] CMS's
efforts include pre-payment reviews to prevent improper payments
before claims are paid, as well as post-payment reviews of claims
potentially paid in error. CMS uses Medicare claims administration
contractors to perform these and other Medicare FFS functions,
[Footnote 6] which include reviewing and paying claims in accordance
with Medicare policy, and conducting provider outreach and education
on correct billing practices.[Footnote 7]
The Medicare Prescription Drug, Improvement, and Modernization Act of
2003 (MMA) directed CMS to conduct a project to demonstrate how
effective the use of recovery audit contractors (RACs) would be in
identifying underpayments and overpayments, and recouping overpayments
in the Medicare program.[Footnote 8] Recovery audits involve post-
payment review of supporting documents and other information to
identify overpayments and underpayments.[Footnote 9] The MMA directed
CMS to establish a RAC demonstration in at least two states from among
the ones with the highest per-capita Medicare utilization rates and to
use at least three RACs.[Footnote 10] The MMA also authorized CMS to
pay the RACs on a contingency basis, which differs from how the agency
pays its other contractors.[Footnote 11] For Medicare, the RAC
demonstration project was designed to be an addition to existing
claims review processes conducted by various contractors that CMS uses
to administer the program.
The demonstration project required the RACs to review claims
previously paid by Medicare claims administration contractors to
identify payment errors, such as whether a provider billed the correct
number of units for a particular drug or service. Once a RAC
identified an improper payment, it informed the provider of the error
and its amount. The Medicare claims administration contractor then
adjusted the claim to the proper amount and collected the overpayment
or reimbursed the underpayment. During the demonstration project, CMS
paid RACs contingency fees on overpayments collected and underpayments
refunded.[Footnote 12]
In the CMS RAC Status Document FY 2006: Status on the Use of Recovery
Audit Contractors (RACs) in the Medicare Program, the agency reported
its intention to use information from RAC reviews to identify issues
at risk for improper payments. Similarly, the agency's 2008 evaluation
of the demonstration project provided information on the service-
specific errors or vulnerabilities, which resulted in RAC-identified
improper overpayments and underpayments. CMS or its Medicare claims
administration contractors could then address the vulnerabilities most
likely to result in payment errors in order to reduce improper
payments. Once a RAC identified a vulnerability, it was the
responsibility of CMS or the Medicare claims administration
contractors to take corrective action. Corrective action involves
identifying the causes for each type of vulnerability and addressing
them, in order to reduce future improper payments.
In the 2006 status document on the demonstration project, CMS also
reported that the demonstration RACs identified $303.5 million in
improper payments.[Footnote 13] However, this amount did not include
the final results of any provider appeals filed after or pending at
that time.[Footnote 14] CMS concluded that "preliminary results
indicate that the use of recovery auditors is a viable and useful tool
for ensuring accurate payments" and that RACs would be a "value-added
adjunct" to the agency's programs. Subsequently, in December 2006 the
Tax Relief and Health Care Act of 2006 required CMS to implement a
national recovery audit contractor program by January 1, 2010.
Providers reported problems during the RAC demonstration project, and
expressed concerns about the implementation of a national program
before these issues were resolved. For example, providers stated that
the contingency fee payment structure created an incentive for RACs to
be aggressive in determining that paid claims were improper. In
addition, providers faulted CMS for not holding the RACs accountable
for the accuracy of their decisions, noting that RAC determinations
resulted in thousands of provider appeals to Medicare claims
administration contractors. These appeals and adjustments to claims
produced additional workload and coordination challenges for the
Medicare claims administration contractors adjudicating appeals and
RACs. Association and hospital representatives further noted the RACs
sometimes requested duplicate medical records as part of their
reviews, thus increasing providers' administrative burden. In a June
2008 report evaluating the 3-year RAC demonstration project, CMS
reported its intent to make a number of changes to the RAC national
program to address these concerns and streamline operations.[Footnote
15]
You asked us to examine how CMS used information on RAC-identified
improper payments to address the underlying vulnerabilities that led
to them. You also asked us to examine particular issues regarding
contractor coordination and RAC accuracy and service that arose during
the RAC demonstration project and CMS's efforts to address them in the
RAC national program. This report examines the extent to which CMS (1)
developed an adequate process and took corrective action to address
RAC-identified vulnerabilities that led to improper payments; (2)
built upon lessons learned from the demonstration project to resolve
coordination issues between the RACs and the Medicare claims
administration contractors for the national program; and (3)
established methods to oversee the accuracy of RACs' claims-review
determinations and the quality of RAC service to providers during the
national program. This report focused on implementation of the
recovery audit provisions of the MMA and the Tax Relief and Health
Care Act of 2006 and not certain other statues and guidance relevant
to recovery auditing.
To determine the extent to which CMS developed an adequate process and
took corrective action to help prevent future improper payments due to
vulnerabilities identified during the RAC demonstration project, we
used the criteria outlined in our Standards for Internal Control in
the Federal Government.[Footnote 16] We applied these standards to
assess whether the policies and procedures CMS instituted to monitor
the RAC program reasonably ensured that the findings from RAC reviews
were evaluated, assigned to the appropriate components within CMS or
its Medicare claims administration contractors to implement corrective
actions, and resolved promptly in accordance with these internal
control standards. We also used criteria from our Internal Control
Management and Evaluation Tool to assess whether CMS's actions to
establish an effective internal control environment for the RAC
program included the appropriate assignment of authority,
accountability, and responsibility to meet the agency's goals and
objectives.[Footnote 17] We reviewed the agency's Improper Payment
Prevention Plan (IPPP), an internal agency spreadsheet that was
designed to list the most significant improper payments identified
during the RAC demonstration project that generally resulted in
overpayments of at least $1 million. We evaluated the IPPP against
CMS's essential steps of a corrective action process namely: (1) data
analysis of the errors including those associated with improper
payments; (2) determination of the specific programmatic causes; (3)
identification of corrective actions to be implemented based on data
and program analysis; (4) development of an implementation schedule
for each corrective action, including major tasks, personnel
responsible, and a timeline for each action, and implementation of the
corrective actions; and (5) evaluation of the effectiveness of the
corrective actions through monitoring.[Footnote 18] We also
interviewed CMS officials to determine the actions taken to assure
that the information in the IPPP was accurate. Agency officials said
they did not verify the dollar amounts reported by the RACs. However,
they referred us to the agency's final evaluation report for the most
accurate analysis of the amounts recovered by the RACs as of the end
of the demonstration project. Therefore, to quantify the relative
dollar amounts of improper payments associated with specific RAC-
identified vulnerabilities in the IPPP, we developed a crosswalk
between the vulnerabilities listed on the IPPP and the dollar amounts
presented in CMS's June 2008 evaluation of the RAC demonstration
project. Agency officials agreed that this approach provided an
accurate representation of the overpayment amounts at the end of the
demonstration project for the most significant vulnerabilities
identified by the RACs that led to improper payments.[Footnote 19] We
determined these data were sufficiently reliable for our purposes
because the data represented the best available information on the RAC-
identified vulnerabilities and their financial impact at that time. We
also interviewed relevant officials from CMS, two Medicare claims
administration contractors that participated in the demonstration
project,[Footnote 20] and the demonstration RACs to obtain information
about the demonstration RACs' processes and findings.
To determine whether CMS addressed coordination issues between RACs
and the Medicare claims administration contractors, we reviewed the
statements of work for the RACs and MACs that detail CMS's
expectations for these contractors. We also examined the performance
metrics for the RACs, as well as performance metrics CMS uses to
assess coordination between Medicare claims administration contractors
and other Medicare FFS contractors. We assessed these elements against
the Standards for Internal Control in the Federal Government. We also
interviewed CMS officials and staff from the same two Medicare claims
administration contractors that participated in the RAC demonstration
project about the quality of communication among contractors involved
with the RAC program.
To determine the extent of CMS's oversight of RAC accuracy and quality
of service to providers, we analyzed documentation from CMS, including
the RAC statement of work. In addition, we listened to two Special
Open Door Forums audio conferences hosted by CMS on the RAC program,
as well as a national RAC summit sponsored by associations of health
care professionals to learn about provider experiences during the
demonstration project and concerns about the national program. We also
conducted interviews with CMS officials, RAC staff, and
representatives from the American Hospital Association and state
hospital organizations in the demonstration states of California,
Florida, and New York; the American Medical Association; the Medical
Group Management Association; and the American Health Care
Association, to obtain further information about the oversight of RAC
accuracy and quality of service.
We requested comments on a draft of this report from CMS. We received
written comments on March 3, 2010 and have summarized them in the
agency comment section of this report. We also provided statements of
facts from our draft report to the two Medicare claims administration
contractors and seven provider associations we interviewed and
requested their comments that we incorporated as appropriate. We
conducted this performance audit from March 2009 to March 2010 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Background:
Recovery auditing has been used in various industries, including
health care, to identify and collect overpayments for about 40 years.
Private insurance companies, managed care plans, and employee group
health plans contract with recovery auditors to review payments made.
Typically, recovery auditing contractors are paid a contingency fee
based on a percentage of the overpayments collected. Fees vary
depending on such factors as the types of overpayment involved and the
degree of difficulty associated with identifying and collecting them.
Use of Contractors in the Operation of the Medicare Program:
Contractors play an essential role in the Medicare program. Since the
program's inception in 1965, Medicare claims administration
contractors, then known as fiscal intermediaries and carriers, have
conducted its claims administration activities. In addition, CMS also
uses other contractors to conduct Medicare functions, such as to
investigate instances of potential fraud and develop cases for
referral to law enforcement and to answer beneficiary inquiries
through the 1-800-Medicare help line.
At present, CMS is in the midst of the largest transition of its
claims administration contracts since the program was established. The
MMA required CMS to use competitive procedures to select new entities
called Medicare Administrative Contractors (MACs) to conduct claims
administration activities that had been conducted by fiscal
intermediaries and carriers. Through February 2005, CMS contracted
with approximately 51 fiscal intermediaries and carriers that
processed and paid claims, conducted automated pre-payment and limited
post-payment review of claims, handled the first level of provider
appeals of denied claims, enrolled providers in Medicare, and audited
providers' cost reports.[Footnote 21] To address improper billing,
these Medicare claims administration contractors also performed trend
analysis of provider billing patterns, developed strategies to address
improper billing through systems edits or provider education and
claims review, helped implement CMS-issued national coverage
determinations (NCD), and developed local coverage determinations
(LCD).[Footnote 22] By the end of the transition from fiscal
intermediaries and carriers to MACs, CMS will have transferred all of
these tasks to 15 MACs that will handle Part A claims and Part B
claims with the exception of durable medical equipment (DME) claims,
which will be processed by four specialized DME MACs. As of September
2009, CMS made an initial award decision on all the MAC contracts and
has implemented 13. Because the transition is not completed, the
current Medicare contracting environment includes fiscal
intermediaries, carriers, and MACs, any one of which we refer to as
Medicare claims administration contractors for this report.
Claims Review in Medicare:
Medicare claims administration contractors review Medicare claims both
before and after payment using similar automated and complex
processes. CMS's use of recovery auditing in the RAC demonstration
project augmented existing Medicare claims administration contractor
pre-and post-payment claims review efforts. While Medicare claims
administration contractors have the authority to review claims they
initially paid, this is only one of the many functions they perform.
Further, because the Medicare claims administration contractors
receive more than 1.2 billion claims per year (the equivalent of 4.5
million claims per work day), it is impractical, according to CMS, for
these contractors to manually review more than a small fraction of
claims--either before or after payment.[Footnote 23] Recovery audit
contractors, in contrast, focus exclusively on post-payment claims
review.
Medicare claims administration contractors and the RACs generally use
the same processes to review claims:
* Automated reviews use systems edits to check claims for evidence of
improper coding or other mistakes.[Footnote 24] Medicare claims
administration contractors may use automated reviews before payment to
deny claims, or to flag claims that require additional non-automated
review before payment. RACs use automated reviews after payment to
analyze paid claims and identify those that were or could have been
paid improperly.
* Complex reviews rely on licensed medical professionals to manually
examine a claim and any related documentation, including paper files,
to determine whether the service was covered and was reasonable and
necessary. Complex reviews conducted by a Medicare claims
administration contractor or a RAC involve an examination of the
medical records associated with a service, which the provider submits
for review.[Footnote 25]
RAC Responsibilities in the Demonstration Project:
CMS implemented the RAC demonstration project to test whether recovery
auditing would effectively identify additional improper payments that
could be recouped. In March 2005, CMS selected three RAC contractors
to conduct claims reviews in the three states with the highest per-
capita Medicare utilization rates--California, Florida, and New York.
In July 2007, CMS expanded the demonstration project to three
additional states--Arizona, Massachusetts, and South Carolina. The
demonstration project ended in March 2008.[Footnote 26]
CMS initially provided the RACs with 4 years of claims data in their
jurisdictions, followed by an additional 3 months of claims each
quarter for the rest of the demonstration project. CMS gave the
demonstration RACs a total of 1.2 billion claims that they could
review. To prevent the RACs from auditing those claims that previously
underwent complex review by a Medicare claims administration
contractor or other contractor,[Footnote 27] CMS established a data
warehouse that contained information on which claims were unavailable
for RAC review.
During the demonstration project, the RACs were required to use
automated and complex review processes using the same Medicare
policies and regulations as CMS's Medicare claims administration
contractors to identify improper payments. The RACs used their own
software to analyze paid claims and identify those that were or could
have been paid improperly. For example, claims indicating duplicate
payments could be identified by automated analysis alone. In other
cases, the RACs identified claims likely to contain errors and
conducted complex reviews. (See figure 1 for a depiction of the claims
review process.) In these cases, the RACs requested that providers
submit the associated medical records for review. If the RAC found an
improper payment, it notified the provider and the Medicare claims
administration contractor responsible for recouping the overpayments
or repaying an underpayments. Providers could appeal RAC
determinations through the established Medicare appeals process, which
included a first-level review conducted by the Medicare claims
administration contractors.
Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review
Process:
[Refer to PDF for image: process map]
Provider submits claim:
Medicare claims administration contractor processes claim:
Deny; or:
Pay:
RAC conducts post-payment review:
* No improper payment identified; or:
* Improper payment identified:
- Medicare claims administration contractor recoups overpayment;
- Medicare claims administration contractor pays underpayment.
Source: GAO analysis of CMS documents.
Note: Figure does not include steps related to the appeals process and
does include steps prior to the RAC review process.
[End of figure]
Two years into the demonstration project, CMS initiated a series of
vulnerability calls, conference calls between the RACs and the
Medicare claims administration contractors. These calls enabled the
RACs to provide information about the vulnerabilities they identified
that resulted in improper payments and to highlight situations where
corrective action might be needed. Although a CMS official told us it
was not required, the Medicare claims administration contractors could
consider RAC-identified vulnerabilities when developing their
strategies to reduce improper payments. If a Medicare claims
administration contractor determined that a RAC-identified
vulnerability was widespread in its region, it could choose to take
several corrective actions. A Medicare claims administration
contractor could: (1) conduct provider outreach and education, (2)
develop or revise local coverage determinations to clarify what
services were reasonable and necessary in that jurisdiction, and (3)
initiate additional service-specific prepayment edits in its local
claims processing system. In addition, CMS could initiate a nationwide
corrective action, such as implementing a national system edit,
reissue instructions for coding a claim, or develop a national
coverage determination. CMS also could provide outreach and education
on critical issues to providers directly through its Special Open Door
Forums teleconferences, and presentations at national meetings.
In its June 2008 evaluation report, CMS stated that the demonstration
project corrected $1.02 billion in improper payments from the three
claim RACs--$980.0 million in overpayments and $37.8 million in
underpayments--as of March 27, 2008, and returned $693.6 million to
the Medicare Trust Funds.[Footnote 28] Eighty-five percent of the
overpayments collected were for services detailed on inpatient
hospital claims.[Footnote 29] Common types of improper payments were
for claims determined to be: coded incorrectly, lacking sufficient
documentation, or medically unnecessary.[Footnote 30] However, the
RACs collected the majority of these improper payments in the last
quarter of the demonstration project, and many provider appeals had
not been decided or even filed by the end of the demonstration
project. The final outcome of the appeals process, which can take more
than two years, could decrease the savings attributed to the
demonstration project.[Footnote 31] CMS's report also discussed
several changes the agency made prior to the start of the RAC national
program. (See appendix I.)
RAC Responsibilities in the National Program:
In 2008, following the mandate to create a national program, CMS made
initial awards of contingency-fee contracts to four RACs, each with
responsibility for reviewing claims in one of four geographic
regions.[Footnote 32] CMS launched the RAC national program in two
stages with outreach activities beginning in 24 states on March 1,
2009, and the remaining states starting in August 2009 or later. (See
figure 2.) RAC claim reviews in the national program involve the same
processes of automated and complex review of claims as during the
demonstration project, and the Medicare claims administration
contractors are responsible for recoupments, claims adjustments, and
provider outreach and education.
Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase-
in Schedule:
[Refer to PDF for image: U.S. map]
RAC Region A:
Phase-in March 1, 2009:
Maine;
Massachusetts;
New Hampshire;
New York;
Rhode Island;
Vermont.
Phase-in August 1, 2009:
Connecticut;
Delaware;
District of Columbia;
Maryland;
New Jersey;
Pennsylvania;
RAC Region B:
Phase-in March 1, 2009:
Indiana;
Michigan.
Phase-in August 1, 2009:
Illinois;
Kentucky;
Minnesota;
Ohio;
Wisconsin.
RAC Region C:
Phase-in March 1, 2009:
Colorado;
Florida;
New Mexico;
Oklahoma;
South Carolina;
Texas;
Phase-in August 1, 2009:
Alabama;
Arkansas;
Georgia;
Louisiana;
Mississippi;
North Carolina;
Tennessee;
Virginia;
West Virginia.
RAC Region D:
Phase-in March 1, 2009:
Arizona;
California;
Hawaii;
Montana;
Nevada;
North Dakota;
South Dakota;
Utah;
Wyoming.
Phase-in August 1, 2009:
Alaska;
Idaho;
Iowa;
Kansas;
Missouri;
Nebraska;
Oregon;
Washington.
Sources: GAO analysis of CMS data; copyright © Corel Corp. all rights
reserved (map).
[End of figure]
The four regional RACs also are required to conduct outreach to
providers about the purpose of the RAC program, assist CMS with the
development of an improper payment prevention plan, and support the
agency regarding any overpayments appealed by providers. The RACs are
expected to conduct outreach to providers in each state in
coordination with CMS and include the appropriate Medicare claims
administration contractor in each state in its region. In addition,
RACs are required to compare the claims proposed for review with the
claims in the data warehouse to ensure that a Medicare claims
administration contractor or other contractor had not previously
audited the claims or that RAC activities would not interfere with
potential fraud investigations.
From March 2009 through June 2009, the RACs' activities included
accessing claims data from CMS and convening meetings with the
providers in the states in their regions to explain the RAC program.
In June 2009, CMS announced a gradual implementation of claims review
activities. CMS permitted RACs to begin automated reviews as of June
2009.[Footnote 33] RACs will be permitted to conduct complex reviews
to assess medical necessity of DME claims in fiscal year 2010 and
complex review of other claims for medical necessity in calendar year
2010. (See figure 3 for a timeline for the RAC program.)
Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program:
[Refer to PDF for image: timeline]
December 2003:
Congress requires a RAC demonstration project.
March 2005:
Demonstration project begins in California, Florida, and New York.
December 2006:
Congress requires a RAC national program.
July 2007:
CMS expands RAC demonstration project to Arizona, Massachusetts, and
South Carolina[A].
March 2008:
RAC demonstration project ends.
October 2008:
CMS awards contracts for RAC national program.
March 2009:
RAC national program activity begins.
June 2009:
Automated reviews begin for RAC national program.
During 2010:
Complex reviews for medical necessity can begin for RAC national
program.
Source. GAO analysis of CMS documents.
[A] While CMS added Arizona to the demonstration project in July 2007,
the relevant RAC did not review any Arizona claims prior to the end of
the RAC demonstration project.
[End of figure]
CMS Did Not Establish an Adequate Process to Address RAC-Identified
Vulnerabilities That Led to Improper Payments; Corrective Actions Were
Limited:
CMS did not establish an adequate process during the demonstration
project or in planning for the national program to ensure prompt
resolution of the RAC-identified improper payment
vulnerabilities.[Footnote 34] Although the agency's goal was for the
RACs to provide information to CMS and Medicare claims administration
contractors that could help prevent future improper payments, CMS did
not implement corrective actions for 60 percent of the most
significant vulnerabilities identified during the RAC demonstration
project.
CMS Did Not Establish an Adequate Process to Address RAC-Identified
Vulnerabilities to Reduce Improper Payments:
While CMS stated in its fiscal year 2006 status report on the RAC
demonstration project that the agency intended to draft a corrective
action plan to prevent future improper payments based on the findings
identified by the RACs, it did not do so. CMS developed the IPPP--a
list of the most significant vulnerabilities that led to improper
payments and corrective actions taken to address them--but this
document did not include the essential elements of a corrective action
plan.[Footnote 35] The IPPP listed the 58 most significant RAC-
identified vulnerabilities--generally those that resulted in
overpayment collections of $1 million or more--and whether any
corrective actions were taken to address them.[Footnote 36] Improper
payments for medically unnecessary services and duplicate claims are
examples of types of RAC-identified vulnerabilities listed in the
IPPP. For each vulnerability, the IPPP listed the provider type,
improper payment amount, status, and comments.[Footnote 37] If any
action were taken by CMS or its Medicare claims administration
contractors, it would be noted in the IPPP. For the RAC national
program, CMS has yet to assign responsibility to personnel for
implementing corrective actions to address RAC-identified
vulnerabilities or to develop steps to assess the effectiveness of
actions taken.
Based on criteria outlined in our Standards for Internal Control in
the Federal Government and criteria that CMS developed for a
corrective action process, we found the following limitations in CMS's
resolution process:
CMS lacked a process to evaluate RAC findings promptly. CMS did not
begin to evaluate the most significant vulnerabilities that resulted
in improper payments until almost 2 years after the program began.
Agency officials told us they did not anticipate that the RACs would
identify such a high volume of improper payments and did not have
systems in place to collect data at the beginning of the demonstration
project. CMS's fiscal year 2006 status report on the RAC demonstration
project stated that CMS would draft a proposed RAC Corrective Action
Plan to prevent future improper payments by January 2007. However, CMS
did not create the IPPP--the spreadsheet to track significant
vulnerabilities identified during the demonstration project--until
November 2008, 8 months after the demonstration project ended.
CMS lacked a process to determine appropriate responses to RAC
findings. CMS did not assign responsibility for taking corrective
action on the vulnerabilities listed in the IPPP to either the agency
itself, its Medicare claims administration contractors, or a
combination of both. According to CMS officials, the agency only takes
corrective action for vulnerabilities with national implications, and
leaves it up to the Medicare claims administration contractors to
decide whether to take action for vulnerabilities with local
implications. However, the IPPP did not specify what type of action
was required on the part of CMS or the Medicare claims administration
contractors. For example, for inpatient services that did not meet the
stated inpatient care criteria, the IPPP neither specified what type
of corrective action would be needed to prevent future improper
payments nor whether CMS or its Medicare claims administration
contractors were responsible for taking action. Accordingly, neither
Medicare claims administration contractors nor CMS have taken
corrective action to address payment errors related to this inpatient
service vulnerability. Similarly, we reviewed the instructions CMS
provided to the Medicare claims administration contractors during the
demonstration project and found that CMS did not provide specific
guidance to the Medicare claims administration contractors for
incorporating RAC findings into local corrective action plans.
Instead, CMS allowed its Medicare claims administration contractors to
independently determine when to take action and what actions, if any,
were needed to address RAC findings. The lack of documented assigned
responsibilities--as prescribed in our internal control standards--
impeded CMS's efforts to promptly resolve the vulnerabilities
identified by the RACs during the demonstration project.
CMS lacked a process to implement corrective actions promptly. The
IPPP, which was not created until 8 months after the end of the
demonstration project, lacked a time frame based on established
criteria for when CMS or its Medicare claims administration
contractors should take action. CMS officials told us that although
they conducted some informal follow-up, neither the agency nor its
Medicare claims administration contractors have implemented any
corrective actions to address RAC findings since the fall of 2008. CMS
officials noted that the agency does not plan to take any further
action until the appeals from the demonstration project are finalized.
Because CMS has not developed a time frame for taking action based on
established criteria and is currently unable to track all pending
first-level appeals of RAC determinations, it is uncertain when or if
the agency would take any further action on the remaining
vulnerabilities. Although educating providers promptly on how to
correct billing errors reduces the risk of improper payments, provider
associations also told us they and their members had not received
training on the majority of the vulnerabilities identified by the RACs
during the demonstration project. For example, one national provider
association said that it was not aware of any educational efforts
related to the RAC program findings on vulnerabilities either during
or after the demonstration project. Another noted that in addition to
provider education, systems edits should be used when possible to
prevent the initial improper payments.
CMS continues to lack an adequate process for implementing corrective
actions during the RAC national program. Although CMS has made public
statements that preventing future improper payments is the RAC
program's mission, the agency has yet to assign responsibility to
personnel for implementing corrective actions to address RAC-
identified vulnerabilities or to develop steps to assess the
effectiveness of corrective actions taken.
While CMS's Office of Financial Management (OFM) established a
corrective action team for the RAC national program that will compile,
review, and categorize RAC-identified vulnerabilities and discuss
corrective action recommendations, the team does not have the
organizational authority to implement the corrective actions necessary
to reduce future improper payments. Rather, the team can only forward
the issues and their recommendations to other leadership groups
comprised of senior officials from different components within CMS
that have the authority to take corrective actions. For example, if
the decision is made to address a vulnerability by developing a NCD,
the responsibility to prioritize the development of NCDs and expertise
to develop them is not within OFM, but rather within the Office of
Clinical Standards and Quality. The different components can choose
whether to address the identified vulnerabilities that could lead to
improper payments.
Further, CMS's corrective action process does not include steps to
assess the effectiveness of any actions taken to reduce improper
payments on RAC-identified vulnerabilities. Strong internal controls
include ongoing monitoring of corrective actions, evaluating their
effectiveness, and modifying them as necessary.[Footnote 38] CMS
officials in OFM said their corrective action team would monitor
actions taken by other agency components. However, the corrective
action process does not include any steps to either assess the
effectiveness of the corrective actions taken or adjust them as
necessary based on the results of the assessment. Until CMS designates
key personnel with accountability for ensuring corrective actions are
implemented and establishes a process to ensure these actions are
effective, the agency remains at risk for making improper payments on
vulnerabilities previously identified by RACs.
CMS's Corrective Actions Did Not Address Most of the RAC-Identified
Vulnerabilities That Led to Improper Payments:
The lack of accountability and adequate processes for ensuring
corrective actions are taken have resulted in most of the RAC-
identified vulnerabilities that led to improper payments going
unaddressed. CMS implemented corrective actions for 23 of the 58
vulnerabilities (40 percent) listed in the IPPP. (See figure 4.) This
left 35 of the 58 vulnerabilities identified during the demonstration
project (60 percent) unaddressed, representing millions of dollars in
potential overpayments.[Footnote 39] CMS stated in its June 2008
demonstration evaluation report that overpayments were identified for
18 specific medical services totaling $378 million.[Footnote 40] Our
analysis of the status of the vulnerabilities related to these
overpayments in the IPPP indicates that corrective actions had not
been implemented by CMS or the Medicare claims administration
contractors for vulnerabilities representing $231 million (61 percent)
of the $378 million in overpayments for these services.[Footnote 41]
More than 90 percent of the $231 million in vulnerabilities that were
not addressed were for inpatient hospital claims alone.
Figure 4: Status of Corrective Actions for Vulnerabilities with
Improper Payments of Greater Than $1 Million, as of the End of the
Recovery Audit Contractor Demonstration Project--March 2008:
[Refer to PDF for image: pie-chart illustration]
Status of vulnerabilities:
Corrective actions taken: 42% (23);
- Edits implemented: 12% (7);
- Education provided: 10% (6);
- Clarification of guidance/issuance of new regulation: 17% (10).
Corrective actions not taken: 60% (35).
- Unable to develop corrective actions[A]: 12% (7);
- Corrective actions not taken: 48% (28).
Source: GAO analysis of CMS data.
Note: Percentages in figure do not add up due to rounding.
[A] According to CMS officials the agency was unable to develop
corrective actions because it either lacked adequate information on
the specific services involved or decided it was not cost effective to
do so.
[End of figure]
The corrective actions taken to address 23 of the 58 vulnerabilities
(40 percent) included: 7 system edits (12 percent), 6 provider
education activities (10 percent), and 10 clarifications of guidance
and issuance of new regulations (17 percent).[Footnote 42] Six of the
23 corrective actions taken included local actions implemented by the
Medicare claims administration contractors and other contractors, but
according to the IPPP, CMS also implemented national corrective
actions for the same vulnerabilities.
CMS did not implement corrective actions for 35 of the 58
vulnerabilities (60 percent) listed in the IPPP. Of these 35
vulnerabilities, CMS did not list a reason on the IPPP for 28 of them
(48 percent). CMS officials told us that they were unable to develop
specific corrective actions on the other seven (12 percent) because
they either lacked adequate information to address the problem or
decided it was not cost-effective to do so.[Footnote 43] CMS officials
told us the agency was unable to develop corrective actions for 7
vulnerabilities because the agency did not provide sufficient guidance
to the RACs on how to categorize these vulnerabilities. As a result,
the RACs combined several billing codes into single categories, which
presented a challenge for identifying corrective actions, according to
CMS officials. For example, RACs denied millions of dollars in
inpatient hospital claims not meeting the requirements for inpatient
admission. However, CMS officials told us they were unable to develop
corrective actions on this and six other vulnerabilities because they
either lacked adequate information on specific services involved or
decided it was not cost effective to address each specific billing
code. Further, the agency reported that it did not have sufficient
time to analyze the information on one of these types of
vulnerabilities prior to the end of the demonstration project.
CMS noted several actions it took to improve the quality of its
information on improper payment vulnerabilities that might be
identified through the national RAC program. According to CMS
officials, the agency has enhanced the data warehouse to provide
additional information by establishing 20 to 30 different types of
categories for use in the national program. In addition, CMS officials
said they will not rely on each RAC to report its findings; instead,
the agency will use the information from the data warehouse for data
analysis and reports.
CMS officials told us they had no plans to take further action on RAC-
identified improper payment vulnerabilities that have appeals
outstanding from the demonstration project until the results from
these appeals are known. According to the agency, information from
these appeals may help the agency determine what corrective actions
are appropriate.
CMS and Medicare claims administration contractors reported that the
following factors also hindered their progress in implementing
corrective actions:
* Competing priorities in implementing system edits--According to CMS
officials, national systems edits to address RAC findings competed
with other computer system changes, such as Medicare fee schedule
updates. National edits require collaboration among various CMS
components and senior executives to determine the viability of each
edit and its priority level and can take up to 7 months to be
implemented. The decision to implement system edits at the local level
is usually up to the local Medicare claims administration contractor.
A Medicare claims administration contractor can decide not to
implement a local edit if it does not consider that particular
vulnerability a priority in its strategy to reduce improper payments
or if it anticipates that the edit would result in a high level of
appeals. CMS officials also told us that the availability of
resources, including staff hours, played a role in prioritizing the
implementation of national and local edits. Due to the limited
resources available and the agency's competing priorities, RAC-related
system edits from the three state demonstration project were not a
high priority according to CMS.
* Significant workload increase in processing claim readjustments and
appeals--CMS officials and one of the Medicare claims administration
contractors' staff we interviewed told us that the increase in
workload from claim adjustments and appeals from RAC findings during
the demonstration project strained the Medicare claims administration
contractors' capacity to institute corrective actions.[Footnote 44]
Medicare claims administration contractors made adjustments for claims
in which the RACs had identified either overpayments or underpayments.
However, during the demonstration project, the Medicare claims
administration contractors processed hundreds of thousands of RAC
claim adjustments--some manually--which created significant additional
workload. In addition, both of the Medicare claims administration
contractors that we interviewed that worked with the RACs during the
demonstration project reported significant increases in appeals
workload due to RAC activities, especially Part A appeals. One
Medicare claims administration contractor stated that in fiscal year
2008, 99 percent of its Part A appeal workload arose from RAC claims,
while another claims administration contractor reported having twice
as many Part A appeals as it did prior to the demonstration project.
* Transition of Medicare claims administration functions to MACs--The
transfer of claims administration responsibilities to MACs further
contributed to CMS's inability to implement corrective actions. CMS
consolidated numerous fiscal intermediary and carrier jurisdictions
into the new MAC jurisdictions. The MACs are responsible for
consolidating the different coverage policies and systems edits they
inherited from the previous contractors into one consistent set of
edits and coverage policies for the new jurisdictions. As a result,
CMS told us that some Medicare claims administration contractors did
not act upon RAC-identified vulnerabilities that led to improper
payments during the demonstration project. Further, CMS officials said
that in part they did not implement corrective actions due to the lack
of continuity when some of the Medicare claims administration
contractors were not awarded MAC contracts, which prevented the agency
from continuing discussions with contractor staff familiar with the
RAC program.
Our prior work has shown that CMS has allowed known vulnerabilities
that contribute to or result in improper payments to remain unresolved
for years.[Footnote 45] In fact, the RACs focused on some specific
types of claims because both we and the HHS Office of the Inspector
General identified them in the past.[Footnote 46] Moreover, CMS
officials and one of the RACs noted that many of these vulnerabilities
were known to CMS before the demonstration project due to medical
record reviews and the agency's error reports. In its 2006-2009
Strategic Action Plan, CMS reported that it planned to effectively
oversee its providers and aggressively deliver provider education and
outreach and that this oversight would include ways to prevent
overpayments and improper payments. In addition, CMS reported that it
was also expanding the use of electronic data to more efficiently
detect improper payments and program vulnerabilities. However, we have
reported recently that continuing weaknesses in CMS's process still
exist, and therefore Medicare continues to be at risk for improper
payments.[Footnote 47]
CMS Is Taking Action to Resolve RAC and Medicare Claims Administration
Contractor Coordination Issues:
CMS used lessons learned from the RAC demonstration project to take
actions to resolve RAC and Medicare claims administration contractor
coordination issues for the RAC national program. Specifically, the
agency continued activities that worked well during the demonstration
project, initiated a number of new actions, and is taking steps to
address coordination challenges.
According to CMS officials, the success of the RAC program depends on
collaboration between the RACs and the Medicare claims administration
contractors because of the interdependence of their responsibilities.
Once the RACs identify errors, Medicare claims administration
contractors are responsible for re-processing the claims to repay
underpayments or recoup overpayments, conducting the first level
review for RAC-related appeals, and informing and training providers
about lessons learned through the RAC reviews, according to CMS
officials. (See figure 5 which illustrates this interdependence of
RACs and MACs.)
Figure 5: Interdependence of Recovery Audit Contractors (RACs) and
Medicare Administrative Contractors (MACs):
[Refer to PDF for image: process flow]
Formalizing interactions:
MACs sign Joint Operating Agreements[A] with RACs (Requires both RAC
and MAC action).
Claims review process:
RACs conduct automated and complex postpayment review (Requires RAC
action):
* No improper payment identified; no further action required (Requires
RAC action);
* Improper payment identified (Requires RAC action);
- MACs refund underpayment (Requires MAC action);
- MACs recoup overpayment (Requires MAC action).
First level of appeal:
Providers may appeal RAC decision; prevents MACs recouping over-
payments while pending (No action required by RAC or MAC);
MAC resolves first level of appeals (Requires MAC action):
* Provider wins appeal, no recoupment[B] (No action required by RAC or
MAC);
* Provider appeal denied[C] (No action required by RAC or MAC).
Corrective action:
RACs and MACs analyze data and discuss solutions to address improper
payments during, for example, Vulnerability Calls[D]
(Requires MAC action);
* No action taken (No action required by RAC or MAC);
* CMS takes corrective actions (No action required by RAC or MAC);
* MACs take corrective actions (Requires MAC action).
Source: GAO analysis of CMS documents.
[A] The RAC and MAC statements of work require that these contractors
develop Joint Operating Agreements.
[B] If providers win appeals concerning payments the MACs had
recouped, the MACs will repay the providers the amounts that were
recouped.
[C] If a provider's appeal is denied, the provider may continue to
appeal up to four additional levels.
[D] MACs and CMS may also pursue corrective actions to address
vulnerabilities that lead to improper payments beyond those discussed
during RAC vulnerability calls.
[End of figure]
CMS is taking multiple steps to resolve RAC and Medicare claims
administration contractor coordination issues in the national program
based on lessons learned during the demonstration project, such as
continuing the RAC and Medicare claims administration contractors
vulnerability calls, enhancing the existing data warehouse, automating
the claims-adjustment process, and developing a system for electronic
documentation sharing when RAC determinations are appealed.
CMS is continuing regular RAC and Medicare claims administration
contractor vulnerability calls. The vulnerability calls, which began 2
years after the start of the demonstration project, were considered
valuable according to agency officials. CMS officials said that they
plan to hold weekly calls during the national program, to share RAC-
identified vulnerabilities that may result in improper payments with
Medicare claims administration contractors. According to CMS, these
calls can inform Medicare claims administration contractors about ways
to reduce payment errors, for example, by implementing appropriate
local system edits or educating providers. CMS noted that conducting
these calls during the demonstration project provided information
about how best to implement corrective actions that would prevent
future improper payments. For example, upon learning about some RAC-
identified inpatient hospital errors, CMS consulted coding experts
about how to resolve these errors and whether it was necessary to
conduct an educational session on the issue. According to a CMS
official, the vulnerability calls are expected to serve as the main
mechanism of communication between the RACs and the Medicare claims
administration contractors about vulnerabilities and are expected to
provide a means to share RAC findings with various other components of
CMS.
CMS is enhancing the data warehouse. For the national program, CMS is
redesigning, enhancing, and maintaining the data warehouse created
during the demonstration project to house data on RAC activity and
prevent RACs from auditing claims under investigation or previously
reviewed by other contractors. RACs and one of the Medicare claims
administration contractors reported issues with the data warehouse
during the demonstration project, including difficulty uploading data
in the correct format, slow processing time, and a lack of information
on collection activities. According to CMS, it has already made
significant changes to the data warehouse. For example, it enhanced
the system to accommodate increased user demand, added capability to
generate reports for CMS to track RAC activity, and improved processes
for data uploads and downloads. CMS also plans to incorporate appeals
data into the data warehouse.
CMS is automating the claims-adjustment process. According to CMS, the
agency is automating the claims-adjustment process to address Medicare
claims administration contractors' workload issues. During the
demonstration project, the Medicare claims administration contractors'
workload related to claims adjustment increased significantly, due to
the high volume of claims RACs identified that required adjustment and
the time-consuming process necessary for the contractors to adjust
them. CMS officials stated that the amount of time and effort required
of the Medicare claims administration contractors to re-process RAC-
related claims was the most significant coordination problem. The
agency automated the Part A claims adjustment process and is working
to automate the process for adjusting Part B claims by April 2010. CMS
officials stated that the changes eliminate the need for costly and
time-consuming manual intervention by the Medicare claims
administration contractors, ensure that overpayment recovery or
underpayment reimbursement occurs promptly, and ultimately minimize
the burden on the Medicare claims administration contractors. However,
one Medicare claims administration contractor informed us that the
Part A claims adjustment process failed to adjust its claims.
CMS is developing an electronic documentation sharing system.
According to CMS officials, the agency addressed an administrative
burden by developing the e-RAC initiative, an electronic system that
RACs, CMS, and Medicare claims administration contractors will use to
share medical records. CMS officials stated that during the
demonstration project, RACs transferred paper copies of medical
records to Medicare claims administration contractors for appeals
deliberations. According to Medicare claims administration
contractors, the volume of appeals made it difficult to manage all of
the paper medical records.[Footnote 48] A CMS official told us the
agency expects the first phase of the e-RAC initiative to be
operational in March 2010, which would allow the RACs to store imaged
files of medical records and make them accessible to CMS and certain
contractors that review, but do not process, claims. CMS expects this
system to enable the agency to create basic reports and improve
oversight of RAC activities. CMS's goal is to expand the e-RAC
initiative to one or more Medicare claims administration contractors
by the end of calendar year 2010.
CMS established a "black-out period" for claims review. To ensure that
the RAC national program does not interfere with the ongoing
transition of fiscal intermediaries and carriers to MACs, CMS reported
establishing a black out period of three months before and after each
transition when the new MACs will focus on other claims processing
activities and not work with the RACs in their jurisdictions. Claims
processed during this period will be available for RAC review after
the black-out period has ended. According to CMS officials, the agency
instituted the black-out period, in part, to limit the number of
claims adjusted during a time of significant change.
CMS is planning to add performance metrics on coordination with RACs
into the MAC award fee program. CMS officials indicated that the
agency is planning to add performance metrics[Footnote 49] to provide
incentives for coordination between the RACs and MACs into the MAC
award fee program. The award fee program is designed to provide
incentives for exceptional performance by the MACs. According to CMS
officials, these performance metrics will likely include activities
such as participating in conference calls; effectively coordinating,
implementing, and providing appropriate edit recommendations; and
communicating claims determination decisions and inquiries. CMS
officials stated that they will add metrics on coordination with the
RACs to the award fee program once all of the MACs are in place.
CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service
to Providers:
CMS took a number of steps to improve oversight of the accuracy of
RACs' claims review determinations and the quality of RAC service to
providers in the national program. Specifically, CMS added processes
to review the accuracy of RAC determinations and established Web site
requirements to address provider concerns about service. CMS also
established a number of performance metrics to monitor RAC accuracy
and service to providers.
CMS Established Processes to Review the Accuracy of RAC Determinations
and Required Additional RAC Medical Expertise to Enhance Program
Accuracy:
For the national program, CMS created processes to more closely review
the accuracy of RAC determinations to address provider concerns raised
during the demonstration project. Providers raised concerns that CMS
did not sufficiently oversee the RACs during the demonstration project
to ensure the vulnerabilities pursued by RACs were valid and that RACs
made accurate improper payment determinations. According to provider
associations, this led to numerous appeals of inaccurate RAC
determinations that were expensive and burdensome for providers. For
the national program, CMS will continue a process the agency
established during the end of the demonstration project to help ensure
that RACs pursue valid vulnerabilities. Prior to pursuing a wide-scale
review of any vulnerability, the RAC must submit it to CMS for the
agency's approval. As part of the submission process, the RAC must
provide a description of the vulnerability; a reference to the rule,
regulation, or policy the RAC intends to evaluate claims against; and
a small sample of claims (up to 10) that the RAC already reviewed and
the findings for those claims. For example, CMS approved one RAC's
request to identify overpayments associated with providers billing for
more than one blood transfusion in a hospital outpatient setting for a
Medicare beneficiary in a day--which Medicare policy does not allow.
According to CMS officials, the level of review that each proposed
vulnerability will receive will depend on its complexity. CMS
officials in OFM have authority to allow the RACs to pursue clear-cut
vulnerabilities that can lead to improper payments, such as duplicate
payments for the same service. For more complex vulnerabilities,
including all medical necessity determinations, the agency established
a New Issue Review Board, comprised of officials from four CMS
components, which will decide whether the RAC can go forward with its
proposed review. The board is responsible for ensuring that each RAC's
claims reviews conform to Medicare's coverage or payment policies and
that the language the RAC proposes to use in its determination letters
is appropriate and clear. CMS also contracted with a validation
contractor (VC) with experience in claims review to independently
examine how the RAC plans to select claims for each vulnerability and
to determine whether the RAC plans to use the correct review strategy--
(automated or complex)--in reviewing claims. In addition, the VC also
is expected to reexamine the small sample of claims submitted by RACs
with each proposed vulnerability to assess the accuracy of these RAC
determinations.[Footnote 50]
In addition to the oversight process for proposed vulnerabilities, CMS
also established a process for ongoing oversight of RAC accuracy of
the improper payments identified. Each month CMS's VC is expected to
independently examine 100 randomly selected claims that had been
reviewed by each RAC. For each claim in the sample, the VC is expected
to report whether it agrees or disagrees with the RAC's determination
and evaluate whether the language used by the RAC to communicate the
determination to the provider was clear and accurate. CMS officials
told us that the agency plans to publish an annual accuracy score for
each RAC in the agency's annual report on the RAC program and will
take the scores into consideration when determining whether to renew
each RAC's contract. CMS officials also told us that they may prohibit
a RAC with a low score on a particular issue from reviewing additional
claims on that issue. This process could help address provider
concerns that CMS might not become aware of inaccurate RAC
determinations unless providers filed significant numbers of appeals.
[Footnote 51]
In addition to these oversight processes, CMS added requirements
regarding the medical expertise of RAC staff to help address accuracy
concerns. Providers stated that RACs did not have the necessary
medical expertise to make their determinations during the
demonstration project, because they were not required to have a
physician medical director on staff or coding experts conducting the
claims reviews. To address this concern, for the national program, CMS
required each RAC to have at least one physician on staff as a medical
director to provide clinical expertise and judgment to understand
Medicare policy, provide guidance in questionable claims review
situations, recommend when corrective actions are needed to address
the RAC-identified vulnerabilities that result in improper payments,
and brief and direct personnel on the correct application of policy
during claims review.[Footnote 52] CMS also required RACs to hire
registered nurses or therapists to conduct medical necessity
determinations and coding experts to conduct other types of reviews.
Providers also reported that CMS's decision to allow the demonstration
RACs to retain contingency fees for determinations overturned at the
second through the fifth level of appeal led RACs to make questionable
determinations to increase their fees. CMS chose this methodology, in
part, to encourage companies to participate in the demonstration
project. To address provider concerns about the incentives in the
payment method, CMS will require RACs to refund contingency fees
received on any determination overturned at any level of the appeals
process.
CMS Created Web Site Requirements for RACs Designed to Improve Service
to Providers:
In addition to the changes CMS made to improve oversight of RAC
accuracy, CMS also created a number of requirements for RAC Web sites
to address provider concerns about the RACs' service. Provider
associations reported that during the demonstration project their
members could not easily track the status of claims throughout the RAC
adjudication process, including the status of medical record request
submissions and appeals. CMS also reported in its evaluation report on
the RAC demonstration project that providers wanting to track the
status of their medical record submissions often had to make frequent
phone calls to RAC call centers and read a list of case numbers.
CMS required each RAC by January 1, 2010, to develop a tool on its Web
site that will allow providers to track the status of a claim. This
tool should include information on whether a medical record request is
outstanding, whether the RAC received the requested medical records,
whether the RAC's review is underway or complete, and whether the case
is closed. As of January 4, 2010, according to a CMS official,
providers could track the status of their requested claims on two of
the four RAC Web sites. According to a CMS official, the remaining
RACs will need to have their tools in place prior to issuing requests
for medical records.
Although providers expressed concern about the difficulty tracking the
status of their appeals during the demonstration project, CMS has not
required the RAC Web sites to include information on the status of
appeals resulting from RAC determinations. According to CMS officials,
the agency does not have a standard system to track first-level
appeals, and it would be difficult for RACs to collect the information
from a number of separate Medicare claims administration contractors.
CMS officials overseeing the RAC program told us they are working with
their counterparts in the Medicare appeals division within CMS to move
up the date by which the Medicare claims administration contractors
will begin using the CMS system that already tracks appeals at the
second and third level. These same officials told us they anticipate
RACs will eventually incorporate appeals information into their Web
sites, though the inclusion of appeals information is not a
requirement in the RAC contract.
Providers also expressed concern that they did not know what
vulnerabilities RACs were pursuing during the demonstration project.
In addition to the new issue review process, CMS has required the RACs
to post a description of each vulnerability that they audit on their
Web sites. The postings include a description of the vulnerability,
the states where the RAC identified the problem, and references to
additional information about the vulnerability. According to CMS
officials, providers will need to check the Web site of the RAC in
their region to stay informed of emerging vulnerabilities under RAC
review for improper payments.
To address provider concerns about medical record requests getting
lost during the demonstration project because a RAC did not send the
request to the correct department or individual at a hospital or
practice, CMS is requiring each RAC to develop a tool for its Web
sites that will allow providers to customize their address and point-
of-contact information. CMS also encouraged the RACs to solicit the
assistance of provider associations to help collect the information.
CMS Developed Performance Metrics to Monitor RAC Accuracy and Provider
Service:
CMS developed performance metrics to oversee RAC accuracy, service to
providers, and other aspects of performance. The performance metrics
include measurements of the RACs' compliance with medical record
request limits and the accuracy of RAC determinations, as evaluated by
the VC, as well as measures of staff performance at each RAC's
customer service phone number that is expected to respond to inquiries
from providers. (See table 1.)
Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics
Related to Accuracy and Provider Service:
Area of performance: Accuracy metrics;
Individual performance metric: The RAC shall achieve an overall 90
percent or greater accuracy score for the first contract year, as
evaluated by the validation contractor.
Area of performance: Accuracy metrics;
Individual performance metric: The RAC's total annual percentage of
claims overturned on appeal shall be less than 10 percent in Year One
with a subsequent decrease to less than 5 percent in Year Two.
Area of performance: Provider service metrics;
Individual performance metric: Qualified personnel shall staff the RAC
call center during normal business hours from 8:00 a.m. to 4:30 p.m.
in the applicable time zone 100 percent of the time.
Area of performance: Provider service metrics;
Individual performance metric: The RAC call center staff shall answer
questions fully and accurately 100 percent of the time unless complex
issues require follow-up.
Area of performance: Provider service metrics;
Individual performance metric: The RAC shall respond to written
correspondence within 30 calendar days of receipt 100 percent of the
time.
Area of performance: Provider service metrics;
Individual performance metric: The RAC shall demonstrate use of a
quality assurance program to ensure that all customer service
representatives are knowledgeable, respectful to providers, and
provide timely follow-up calls when necessary, 100 percent of the time.
Area of performance: Provider service metrics;
Individual performance metric: The RAC shall demonstrate 100 percent
compliance with the medical record request limits as outlined by CMS.
Source: GAO analysis of information from CMS.
[End of table]
CMS's RAC project officers will be responsible for monitoring each
RAC's performance and following up with the RAC if its performance
does not meet the required level in the national program. For
instance, to monitor whether call center staff answer questions fully
and accurately, project officers or their designees will randomly
monitor calls to the RAC call center and investigate provider
complaints. If a project officer determines that call center staff are
not answering questions fully and completely all the time, the project
officer will require the RAC to respond in writing to the finding and
may require a corrective action plan. CMS's statement of work also
includes a provision that CMS may stop recovery work in a particular
region if evidence leads CMS to believe the RAC's plan to provide
service to providers is inappropriate or ineffective. In such a case,
CMS would not allow the RAC to resume recovery work until the RAC
satisfied CMS it made all required improvements to its provider
service in the area.
Conclusions:
The ultimate success of the government-wide effort to reduce improper
payments hinges on each federal agency's diligence and commitment to
identify, estimate, determine the causes of, take corrective actions
on, and measure progress in reducing improper payments. To this end,
CMS must establish effective accountability measures, and incentives,
to ensure the RAC program meets the agency's stated objectives.
Although the RAC demonstration project led to the successful
recoupment and refunding of past improper payments, CMS did not focus
sufficient attention on addressing the root causes of the
vulnerabilities that caused them. Neither the IPPP developed during
the demonstration project nor the current plan for the national
program provide for sufficient monitoring and control activities to
ensure that corrective actions are taken to help meet the overall goal
of reducing improper payments in the Medicare program. Because the RAC
national program team does not have the organizational authority
within the agency to implement the corrective actions needed to
address the vulnerabilities that lead to improper payments, CMS must
develop criteria by which it prioritizes the activities of its various
components and contractors to develop adequate measures to reduce
future improper payments. The identification and prevention of future
Medicare FFS improper payments due to vulnerabilities identified by
the national RAC program require direction from a sufficiently high
level within CMS to initiate action from the various parts of the
agency and its contractors. In addition, assessing the effectiveness
of the corrective actions taken is an important step for reducing
future improper payments.
Recommendations for Executive Action:
To help reduce future improper payments, we recommend that the
Administrator of CMS develop and implement a process that includes
policies and procedures to ensure that the agency promptly:
* evaluates findings of RAC audits,
* decides on the appropriate response and a time frame for taking
action based on established criteria, and:
* acts to correct the vulnerabilities identified.
As part of this process, we recommend that the Administrator of CMS
designate key personnel with appropriate authority to be responsible
for ensuring that corrective actions are implemented and that the
actions taken were effective.
Agency and Other External Comments:
We provided a draft of this report to the HHS for comment. We also
provided statements of facts from our draft report to the two Medicare
claims administration contractors and seven provider associations we
interviewed and requested their comments. We received written comments
from HHS on behalf of CMS. These comments are reprinted in Appendix
II. We also received oral or written comments from two Medicare claims
administration contractors and five of the seven provider associations
on statements of facts related to information they provided, including
some technical comments that we incorporated as appropriate.
CMS Comments:
CMS commented that the national RAC program is an important step in
meeting its commitment to lower the Medicare payment error rate. The
agency indicated that our review imparted vital recommendations that
will greatly enhance CMS's oversight of the RAC national program and
CMS concurred with each of our recommendations. With regard to the
recommendation that CMS promptly evaluate the findings of RAC audits,
CMS concurred and discussed specific elements included in the national
program that are designed to report vulnerabilities from RAC audits
and potential corrective actions. CMS concurred with our
recommendation that the agency implement a process to decide on the
appropriate response to address each RAC-identified vulnerability, but
indicated that more research might be needed to determine the
appropriate response or corrective action for some vulnerabilities.
CMS also concurred that the agency should act promptly to correct the
vulnerabilities, but indicated that it did not consider a
vulnerability to be validated until the majority of claims for that
issue completed the Medicare appeals process. Since the appeals
process can take more than 2 years, the approach CMS suggested in its
comments did not align with the intent of our recommendation. After
conferring with CMS officials to clarify the agency's intent on acting
promptly on vulnerabilities identified during the RAC national
program, CMS acknowledged that it intended to review vulnerabilities
on a case-by-case basis and judge how quickly to act on each. Agency
officials told us they were considering assigning vulnerabilities to
risk categories from high to low that would help to determine whether
the agency should take prompt action or whether it should wait for
claims to complete the appeals process. These officials told us that
waiting for the results of appeals would keep the agency from
expending the resources on:
corrective actions that would need to be reversed if the appeals
process overruled RAC determinations. We agree that taking a risk-
based approach meets the intent of the recommendation. To clarify this
intent, we modified our recommendation to make the prompt prioritizing
and timing of corrective actions, based on established criteria, more
explicit. Finally, CMS concurred with our recommendation that the
agency designate key personnel to oversee that corrective actions are
implemented and effective and stated that the Administrator of CMS is
the official responsible for assuring that vulnerabilities that cut
across all agency components are addressed.
Other External Comments:
We clarified information in the report based on comments from two
Medicare claims administration contractors. In addition, the five
associations that provided comments to us did not offer substantive
changes to the statement of facts that they reviewed. Three
associations affirmed that the draft report addressed issues they had
raised about the RAC demonstration project and national program. These
three associations also discussed in greater detail concerns that they
continue to have with the RAC program, such as the many appeals still
in process from the RAC demonstration project. The other two provider
associations raised no substantive issues with the report.
We are sending copies of this report to the Administrator of CMS and
other interested parties. In addition, the report will be available at
no charge on GAO's Web site at [hyperlink, http://www.gao.gov].
Please contact us on (202) 512-7114 or (202) 512-9095 if you or your
staff have any questions about this report. Contact points for our
Office of:
Congressional Relations and Office of Public Affairs can be found on
the last page of this report. Other major contributors to this report
are listed in Appendix III.
Signed by:
Kathleen M. King:
Director, Health Care:
Signed by:
Kay L. Daly:
Director, Financial Management and Assurance:
List of Requesters:
The Honorable Henry A. Waxman:
Chairman:
The Honorable John D. Dingell:
Chairman Emeritus:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Sander M. Levin:
Acting Chairman:
Committee on Ways and Means:
House of Representatives:
The Honorable Frank Pallone, Jr.
Chairman:
Subcommittee on Health:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Pete Stark:
Chairman:
Subcommittee on Health:
Committee on Ways and Means:
House of Representatives:
The Honorable Lois Capps:
House of Representatives:
The Honorable Charles B. Rangel:
House of Representatives:
[End of section]
Appendix I: Selected Changes Made to the Medicare National Recovery
Audit Contractors (RAC) Program:
As a result of the RAC demonstration project, the Centers for Medicare
& Medicaid Services (CMS) included the following features in the RAC
national program:
* RACs are to have a physician medical director.
* RACs are to be staffed with registered nurses or therapists to make
coverage and medical necessity determinations and certified coders to
make coding determinations.
* RACs are to make credentials of reviewers available to providers
upon request.
* Providers will be able to discuss claim denials with the RAC medical
director upon request.
* The minimum claim amount that the RACs will review was raised to $10
minimum per claim (instead of $10 minimum for aggregated claims).
* CMS will use a validation contractor to independently examine the
criteria each RAC plans to use to make its determinations and the
accuracy of RAC determinations.
* RACs must return the related contingency fee if a claim is
overturned on appeal.
* RACs must use standardized letters to notify providers of
overpayments:
* The look-back period (from claim payment date to date of medical
record request) is reduced from 4 years to 3 years.
* The RACs are allowed to review claims paid in the current fiscal
year.
* CMS is putting limits on the number of medical record requests in a
45 day period.
* The time frame for paying hospital medical record photocopying
vouchers is to be set at 45 days from receipt of medical record.
* CMS is not including Medicare Secondary Payer claims audits in the
National Program.[Footnote 53]
* RACs are to have quality assurance/internal control audits.
* RACs are to list the reason for review on "request for records"
letters and overpayment letters.
* The status of specific claims are to be posted on RAC Web page.
* RAC contingency fees are to be made publicly available.
[End of section]
Appendix II: Comments from the Department of Health & Human Services:
Department Of Health & Human Services:
Office Of The Secretary:
Assistant Secretary for Legislation:
Washington, DC 20201:
March 3, 2010:
Kathleen M. King:
Director, Health Care:
U.S. Government Accountability Office:
441 G Street N.W.
Washington, DC 20548:
Dear Ms King:
Enclosed are comments on the U.S. Government Accountability Office's
(GAO) report entitled: "Medicare Recovery Audit Contracting:
Weaknesses Remain in Process to Address Vulnerabilities to Improper
Payments, Although Improvements Made to Contractor Oversight in
National Program" (GAO-10-143).
The Department appreciates the opportunity to review this report
before its publication.
Sincerely,
Signed by:
Andrea Palm:
Acting Assistant Secretary for Legislation:
Enclosure:
[End of letter]
General Comments Of The Department Of Health And Human Services On The
Government Accountability Office's (GAO) Draft Report Entitled,
"Medicare Recovery Audit Contracting: Weaknesses Remain In Process To
Address Vulnerabilities To Improper Payments, Although Improvements
Made To Contractor Oversight In National Program" (GA0-10-143):
The Department appreciates the opportunity to review and comment on
this Draft Report. The Congressional authority granted through the Tax
Relief and Health Care Act of 2006, allowed the Centers for Medicare &
Medicaid Services (CMS) to implement the Recovery Audit Contractor
(RAC) Program on a permanent and nationwide basis. This is an
important step forward in our commitment to lowering the improper
payment error rate and preserving the Medicare Trust Funds for current
and future generations. The CMS appreciates the time and resources GAO
has invested to review the RAC Demonstration and implementation of the
RAC National Program. Based on their extensive and thorough review,
GAO has imparted vital recommendations which will greatly enhance CMS'
oversight as the RAC National Program progresses.
Section 306 of the Medicare Modernization Act (MMA) required CMS to
establish the RAC Demonstration Project. The demonstration's purpose
was to determine if recovery auditors could identify improper payments
paid by the Medicare fee-for-service program. As discussed in the
report, the RAC demonstration succeeded in correcting more than $l
billion in improper Medicare payments. About 96 percent of these
improper payments were overpayments, a fraction of which was used to
pay for the program and the rest was returned to the Medicare Trust
Funds.
Even though the purpose of the RAC Demonstration Project was to
determine if RACs could be utilized in Medicare, CMS used the results
from the demonstration to inform us in the design of the RAC National
Program. Specifically, CMS made the following improvements to the
program:
* Established a New Issue Approval Process where CMS approves each RAC
issue for review prior to widespread review and/or communication with
providers. CMS believes this will reduce the differences in
interpretation of policies and/or manuals between CMS and the RAC thus
ensuring accurate improper payments are identified;
* Required each RAC to have a Medical Director on staff to ensure
physician involvement in the review process and to ensure providers
have a physician to discuss improper payment identifications and the
reason for the denial;
* Established a documentation request limit of a maximum of 200
requests per 45 days to limit the cost and administrative burden of
the RAC program on Medicare providers;
* Required each RAC to have a website to inform providers about the
RAC program, approved new issues, major findings, contact information
and a web portal allowing providers to see specific claim details, and;
* Established metrics for monitoring the RACs' performance on
compliance, accuracy and provider service. These findings will be
shared with the public on an annual basis.
We appreciate GAO recognizing our efforts and the need to balance the
concerns of the provider community with the agency's need to identify
improper payments. We will continue to improve the RAC National
Program in the future.
Our detailed comments on the report recommendations follow.
GAO Recommendation:
To help reduce future improper payments, we recommend that the
Administrator of CMS develop and implement a process that includes
policies and procedures to ensure that the agency:
* Promptly evaluates findings of RAC audits,
* Decides on the appropriate response, and,
* Acts promptly to correct the vulnerabilities identified.
As part of this process, we recommend that the Administrator of CMS
designate key personnel with appropriate authority to be responsible
for ensuring that corrective actions are implemented and that the
actions taken were effective.
CMS Response:
Promptly evaluates findings of RAC audits.
The CMS concurs. In the current RAC Statement of Work the reporting of
vulnerabilities and recommended corrective actions for vulnerabilities
is required on a monthly basis. CMS has created a corrective actions
team within the RAC program to review the vulnerabilities after
appeal and determine if a referral to the applicable policy or
coverage staff is warranted. CMS is also continuing the vulnerability
calls to alert claim processing contractors and CMS staff on
issues being reviewed by the RACs. In addition, CMS has an independent
contractor reviewing the RAC Data Warehouse on a quarterly basis
looking for trends in the data. These reports are sent to CMS
quarterly and will be shared with all Center/Office components and
external entities such as the OIG. Lastly, all RACs are required to
place vulnerabilities or major findings on their websites to notify
the provider community and CMS will continue to share the top improper
payment identifications with the public.
Decides on the appropriate response.
The CMS concurs. Information on RAC identifications is made available
to the public. This information can be used to determine the
appropriate response or corrective action. In many cases though,
additional research may be necessary. According to the July 2008
Evaluation Report of the RAC Demonstration, complex reviews accounted
for approximately 30% of the improper payments identified. These
claims needed additional review by a clinician prior to a
determination regarding the accuracy of the payment. Lack of
documentation was a prevailing cause of the denials of the complex
cases. In these cases the corrective action taken was an effort to
increase the awareness in the provider community for physicians to
adequately document their case files. Corrective actions can take
place in many forms. For example, provider education, policy
clarifications and system edits can all be corrective actions.
Acts promptly to correct the vulnerabilities identified.
The CMS concurs. Beginning in the FY 2006 CMS RAC Status Document and
every subsequent update, CMS provided the public with information
concerning the top improper payments identified by the RAC by provider
type. CMS felt this information was helpful to providers who wished to
conduct internal quality reviews. In May 2007, CMS began having
regular vulnerability calls with CMS claim processing contractors and
internal CMS staff to discuss RAC identified issues. At the conclusion
of the demonstration, CMS completed a Joint Signature Memoranda to all
contractors to determine actions taken because of these calls.
Contractors around the nation conducted pre-pay review, updated Local
Coverage Determinations, conducted provider education and installed
local edits in response to issues that were identified by the RAC
demonstration.
The CMS believes it is important to take the validated RAC findings
and work to correct the vulnerabilities identified. However, as stated
in the previous recommendation many of the findings need additional
research to determine the appropriate response. In addition, CMS does
not consider a RAC finding to be validated until the majority of
claims for that issue have completed the Medicare Appeals Process. It
is necessary to wait for the appeals process to be completed to ensure
the identification was accurate and appropriate. Lastly, the appropriate
corrective action put into place will be determined by factors such as
cost efficiencies and system limitations.
GAO Recommendation:
As part of this process, we recommend that the Administrator of CMS
designate key personnel with appropriate authority to be responsible
for ensuring that corrective actions are implemented and that the
actions taken were effective.
CMS Response:
The CMS appreciates the recommendation and concurs. The responsible
official for the day-to-day operations of the RAC program is the
Director of the Office of Financial Management. For those
vulnerabilities that cut across all agency components, the responsible
official is the Administrator of CMS.
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Kathleen M. King, (202) 512-7114 or kingk@gao.gov Kay L. Daly, (202)
512-9095 or dalykl@gao.gov:
Acknowledgments:
In addition to the contacts named above, Sheila K. Avruch, Assistant
Director; Carla Lewis, Assistant Director; Lori Achman; Jennie Apter;
Anne Hopewell; Nina M. Rostro; and Jennifer Saunders made key
contributions to this report.
[End of section]
Footnotes:
[1] In 1990, GAO began to report on government operations that it
identified as "high risk" for serious weaknesses in areas that involve
substantial resources and provide critical services to the public. See
GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January
2009).
[2] Fraud is an intentional act or representation to deceive with
knowledge that the action or representation could result in an
inappropriate gain. Abuse typically involves actions that are
inconsistent with acceptable business or medical practices and result
in unnecessary costs.
[3] Medicare FFS includes two parts--Medicare Parts A and B whereby
providers are paid for each service or unit of service provided.
Medicare Part A covers inpatient hospital services, skilled nursing
facility services, some home health, and hospice services. Medicare
Part B covers hospital outpatient, physician services, some home
health services and preventive services, among other things.
[4] Current year outlays for Medicare FFS are from the November 2009
Improper Medicare FFS Payments Report in HHS's Fiscal Year 2009 Agency
Financial Report and are based on claims from April 2008 through March
2009. Annual improper payment reports are required by the Improper
Payments Information Act of 2002 and applicable Office of Management
and Budget guidance to help reduce improper payments.
[5] The Secretary of HHS delegated the authority vested in that
position under the Medicare provisions of the Social Security Act to
the Administrator of CMS.
[6] CMS is in the process of transitioning from fiscal intermediaries
and carriers to new contracting entities called Medicare
Administrative Contractors (MACs) due to statutorily required changes
in Medicare administration in the Medicare Prescription Drug,
Improvement, and Modernization Act of 2003 (MMA). Because the
transition is ongoing, for purposes of this report, we will use the
term Medicare claims administration contractors to refer to the
contractors that historically processed Medicare claims--fiscal
intermediaries and carriers--as well as the new MACs. Up until this
transition, fiscal intermediaries were responsible for claims
submitted by hospitals, home health agencies, hospital outpatient
departments, skilled nursing facilities, and hospices. Carriers were
responsible for claims submitted by physicians, diagnostic
laboratories and facilities, and ambulance service providers.
[7] CMS uses the term "providers" to refer collectively to physicians
and non-physician practitioners who provide health care services to
Medicare beneficiaries.
[8] Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256-57.
[9] According to the Office of Management and Budget (OMB), recovery
auditing is not an audit in the traditional sense. Rather, it is a
control activity designed to assure the integrity of contract
payments, and, as such, serves a management function. See Appendix C
to OMB Circular No. A-123, Requirements for Effective Measurement and
Remediation of Improper Payments (Aug. 10, 2006). A new Part III to
Appendix C was issued on March 22, 2010. See OMB memorandum M-10-13.
[10] CMS initially contracted in March 2005 with three RACs to review
Medicare claims from California, Florida, and New York. CMS later
expanded the demonstration to three additional states--Arizona,
Massachusetts, and South Carolina. While CMS added Arizona to the
demonstration in July 2007, the RAC did not review any Arizona claims
prior to the end of the RAC demonstration project in March 2008.
[11] The MMA also required CMS to retain a percentage of the amount
recovered for program management.
[12] During the demonstration, CMS paid the RACs a total of $187.2
million in contingency fees. Initially, the RAC demonstration project
did not include contingency fee payment to the RACs for identifying
underpayments and refunding providers. Beginning on March 1, 2006, the
RACs were paid an equivalent percentage contingency fee for the
identification of underpayments.
[13] The total amount returned to the Trust Funds includes
overpayments identified by the three RACs reviewing claims (claim
RACs) as well as two Medicare Secondary Payer RACs that participated
in the demonstration project. These overpayments were collected by
their Medicare claims administration contractors. The Medicare
Secondary Payer RACs identified overpayments for which an insurer
other than Medicare should have served as the primary payer of the
claim. Medicare Secondary Payer RACs were not included in the national
program because they identified few improper payments during the
demonstration project. Of the overpayments collected, CMS reported in
its November 2006 report, about 6 percent were attributable to the
Medicare Secondary Payer RACs. See, Centers for Medicare & Medicaid
Services, CMS RAC Status Document FY 2006: Status on the Use of
Recovery Audit Contractors (RACs) in the Medicare Program. (Baltimore,
Md.: November 2006). This report focuses on the recovery reviews of
the "Claim" RACs and does not discuss the findings from the Medicare
Secondary Payer RACs.
[14] Providers could appeal RAC determinations through the standard
Medicare appeals process, which includes five levels of review.
[15] See Department of Health and Human Services, Centers for Medicare
and Medicaid Services, The Medicare Recovery Audit Contractor (RAC)
Program: An Evaluation of the 3-Year Demonstration (Baltimore, Md.:
June 2008).
[16] Internal control is the component of an organization's management
that provides reasonable assurance that the organization achieves:
effective and efficient operations, reliable financial reporting, and
compliance with applicable laws and regulations. Internal control
standards provide a framework for identifying and addressing major
performance challenges and areas at greatest risk for mismanagement.
GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[17] See GAO Internal Control Management and Evaluation Tool,
[hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington,
D.C.: August 2001).
[18] See U. S. Department of Health and Human Services, Centers for
Medicare and Medicaid Services, The Essential Steps for an Effective
Corrective Action Process (Oct. 23, 2007).
[19] Due to appeal decisions made in favor of providers, the total
amount of improper payments identified by the RAC demonstration
project is likely to be less than stated in the June 2008 RAC
Evaluation Report. See Department of Health and Human Services,
Centers for Medicare and Medicaid Services, The Medicare Recovery
Audit Contractor (RAC) Program: An Evaluation of the 3-Year
Demonstration (Baltimore, Md.: June 2008) and Department of Health and
Human Services, Centers for Medicare and Medicaid Services, The
Medicare Recovery Audit Contractor (RAC) Program: Update to the
Evaluation of the 3-Year, Demonstration (Baltimore, Md.: January 2009).
[20] These two Medicare claims administration contractors were
responsible for processing Part A claims for three demonstration
states and Part B claims for two of the demonstration states.
[21] HHS reported that there were 51 fiscal intermediaries and
carriers as of February 2005.
[22] NCDs are decisions by CMS that outline nationwide policy on
whether Medicare covers particular services or items. They are made
through an evidence-based process with opportunities for public
participation, and determine whether services are reasonable and
necessary across all jurisdictions. An LCD is a decision by Medicare
claims administration contractor on whether to cover a particular
service in its jurisdiction, based on whether the service is
reasonable and necessary.
[23] We previously found that Medicare claims administration
contractors conducted limited manual pre-payment reviews and reviewed
less than 5 percent of claims post-payment. See GAO, Medicare: Recent
CMS Reforms Address Carrier Scrutiny of Physicians' Claims for
Payment, [hyperlink, http://www.gao.gov/products/GAO-02-693]
(Washington, D.C.: May 28, 2002) and GAO, Medicare: Improvements
Needed to Address Improper Payments in Home Health, [hyperlink,
http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27,
2009). Medicare claims administration contractors typically select a
small sample of claims for review from providers or suppliers who
demonstrate aberrant billing or practice patterns.
[24] Systems edits confirm that the data entered in a claim is in the
correct format, check for the proper coding of the fields needed for
payment, check if the service or procedure is covered by Medicare, and
validate that the beneficiary is eligible for the service provided. In
addition, systems edits may be used to identify certain duplicate
claims, to implement NCDs or LCDs, or to prevent payments for
egregious amounts to providers with a pattern of billing for services
not covered.
[25] Medical records may include: physician orders for care and
treatments, medical diagnoses, rehabilitation diagnoses, past medical
history, progress notes, and laboratory and other test results
supporting the beneficiary's need for the services being provided.
[26] While CMS added Arizona to the demonstration project in July
2007, the relevant RAC did not review any Arizona claims prior to the
end of the RAC demonstration.
[27] For example, CMS contractors responsible for investigating
potential Medicare fraud may conduct post-payment review on claims to
determine whether to refer a case to a law enforcement agency for
fraud investigation.
[28] This total represents funds returned to the Medicare Trust Funds
from both the claim and Medicare Secondary Payer RAC-identified
improper payments, adjusting for underpayments made to providers,
overpayments overturned on appeal and operating costs through March
27, 2008.
[29] According to CMS, because RACs were paid on a contingency fee
basis, they focused their reviews on high-value claims with the
greatest potential to provide the highest contingency fees.
[30] Medicare's payment system relies on the coding of services,
procedures, and devices provided to beneficiaries. Medicare's claims-
administration contractors pay claims according to the codes assigned.
[31] CMS's January 2009 update to the RAC Evaluation Report included
appeal decisions through August 2008. CMS reported that 7.6 percent of
RAC overpayment decisions were overturned on appeal--an increase from
the approximately 5 percent overturned on appeal through March 2008
that was reported in the June 2008 evaluation report. As of January
2010, CMS was still waiting for the final data on appeals filed from
the RAC demonstration.
[32] The RACs will receive contingency fees ranging from 9.0 percent
to 12.5 percent depending on the jurisdiction.
[33] As of October 2009, all four RACs had begun CMS-approved
automated reviews of claims.
[34] In its report, The Medicare Recovery Audit Contractor (RAC)
Program: An Evaluation of the 3-Year Demonstration, issued in June
2008, CMS described vulnerabilities as service-specific issues that
resulted in RAC-identified improper payments.
[35] The IPPP was an internal spreadsheet used by CMS to track the
most significant vulnerabilities identified during the demonstration
project. This spreadsheet was the only document CMS provided us that
described the corrective actions taken by CMS and the Medicare claims
administration contractors and the status of the vulnerabilities
listed.
[36] The IPPP threshold for significance was $500,000 for DME
overpayments that were collected.
[37] The IPPP did not include underpayments.
[38] GAO, Standards for Internal Control in the Federal Government,
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]
(Washington, D.C.: November 1999).
[39] This information is based on our analysis of the data recorded on
the IPPP and we did not verify the accuracy of it. Although CMS listed
some corrective actions in its evaluation report of the 3-year
demonstration, issued in June 2008, most of the actions listed were
vague and did not address the root causes of payment errors.
[40] The 18 specific medical services represented the most significant
vulnerabilities with overpayments of more than $1 million. In its June
2008 evaluation, CMS reported a total of $997.2 million in
overpayments identified during the demonstration.
[41] The $231 million includes the amounts for vulnerabilities in
CMS's evaluation report on the 3-year demonstration for which no
corrective actions were taken based on a status of "pending" or
"closed-no action taken" listed in CMS's IPPP. Centers for Medicare &
Medicaid Services, Medicare RAC Program: An Evaluation of the 3-Year
Demonstration, Appendix G (Baltimore, Md.: June 2008).
[42] Percentages do not add up to 40 percent due to rounding.
[43] CMS categorized the vulnerabilities in its IPPP as pending or
closed. CMS indicated no sufficient action was taken for the pending
vulnerabilities. CMS categorized those vulnerabilities for which
corrective action(s) had been taken, as well as the seven
vulnerabilities for which the agency was unable to take action, as
closed.
[44] The other Medicare claims administration contractor provided
information on four corrective actions that it took to address RAC
findings.
[45] See GAO, CMS Did Not Control Rising Power Wheelchair Spending,
[hyperlink, http://www.gao.gov/products/GAO-04-716T] (Washington,
D.C.: April 2004) and GAO, CMS's Program Safeguards Did Not Deter
Growth in Spending for Power Wheelchairs, [hyperlink,
http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: November
2004).
[46] See U.S. Department of Health and Human Services, Office of
Inspector General, Review of High-Dollar Payments for Inpatient
Services Processed by Palmetto GBA, Intermediary #382, for the Period
January 1, 2004 Through December 31, 2005, A-04-07-06023 (Atlanta, GA:
October 2008) and GAO, CMS's Program Safeguards Did Not Deter Growth
in Spending for Power Wheelchairs, [hyperlink,
http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: Nov. 17,
2004).
[47] GAO, Improper Payments: Responses to Posthearing Questions
Related to Eliminating Waste and Fraud in Medicare and Medicaid,
[hyperlink, http://www.gao.gov/products/GAO-09-838R] (Washington, D.
C.: July 20, 2009).
[48] One of the Medicare claims administration contractors reported
that after the demonstration ended, it had difficulty obtaining
medical records related to provider appeals and, as a result, had to
ask providers to resubmit copies of medical records.
[49] We have suggested that agencies should create and monitor
performance measures that address important dimensions of program
performance (see GAO, Agency Performance Plans: Examples of Practices
That Can Improve Usefulness to Decisionmakers, GAO/GGD/AIMD-99-69,
(Washington, D.C.: Feb. 26, 1999) and Internal Control Management and
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G]
(Washington, D.C.: August 2001)).
[50] CMS contracted with a VC to review vulnerabilities the
demonstration RACs wished to pursue during the final 7 months of the
RAC demonstration project (September 2007 through March 2008).
[51] Provider associations told us that providers may choose not to
appeal a RAC determination if the effort and cost involved in filing
the appeal outweighs the benefit of recouping the money originally
lost by the RAC's determination.
[52] RAC medical directors are also expected to be responsible for
keeping abreast of medical practice and technology changes that may
result in improper billing or program abuse; interacting with the
medical directors at other contractors or RACs to share information on
potential problem areas; participating in medical director clinical
workshops, as appropriate; providing input on national coverage and
payment policy upon request; and participating in CMS and RAC
presentations to providers and associations.
[53] CMS included two Medicare Secondary Payer RACs in the
demonstration project. They identified overpayments for which the
beneficiary's other insurance, rather than Medicare Fee-for-Service,
should have served as the primary payer of the claim.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: