Medicaid Program Integrity
Expanded Federal Role Presents Challenges to and Opportunities for Assisting States
Gao ID: GAO-12-288T December 7, 2011
The Centers for Medicare & Medicaid Services (CMS), the federal agency that oversees Medicaid, estimated that improper payments in the federal-state Medicaid program were $21.9 billion in fiscal year 2011. The Deficit Reduction Act of 2005 established the Medicaid Integrity Program and gave CMS an expanded role in assisting and improving the effectiveness of state activities to ensure proper payments. Making effective use of this expanded role, however, requires that federal resources are targeted appropriately and do not duplicate state activities. GAO was asked to testify on Medicaid program integrity. GAO's statement focuses on how CMS's expanded role in ensuring Medicaid program integrity (1) poses a challenge because of overlapping state and federal activities regarding provider audits and (2) presents opportunities through oversight to enhance state program integrity efforts. To do this work, GAO reviewed CMS reports and documents on Medicaid program integrity as well as its own and others' reports on this topic. In particular, GAO reviewed CMS reports that documented the results of its state oversight and monitoring activities. GAO also interviewed CMS officials in the agency's Medicaid Integrity Group (MIG), which was established to implement the Medicaid Integrity Program. This work was conducted in November and December 2011. GAO discussed the facts in this statement with CMS officials.
The key challenge faced by the Medicaid Integrity Group (MIG) is the need to avoid duplication of federal and state program integrity efforts, particularly in the area of auditing provider claims. In 2011, the MIG reported that it was redesigning its national provider audit program. Previously, its audit contractors were using incomplete claims data to identify overpayments. According to MIG data, overpayments identified by its audit contractors since fiscal year 2009 were not commensurate with its contractors' costs. The MIG's redesign will result in greater coordination with states on a variety of factors, including the data to be used. It remains to be seen, however, whether these changes will result in an increase in identified overpayments. The table below highlights the MIG's core oversight activities, which were implemented from fiscal years 2007 through 2009. The MIG's core oversight activities present an opportunity to enhance state efforts through the provision of technical assistance and the identification of training opportunities. The MIG's assessment of state program integrity efforts during triennial onsite reviews and annual assessments will need to address data inconsistencies identified during these two activities. Improved consistency will help ensure that the MIG is appropriately targeting its resources. The Medicaid Integrity Institute appears to address a state training need and create networking opportunities for program integrity staff.
GAO-12-288T, Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States
This is the accessible text file for GAO report number GAO-12-288T
entitled 'Medicaid Program Integrity: Expanded Federal Role Presents
Challenges to and Opportunities for Assisting States' which was
released on December 7, 2011.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittees on Government Organization, Efficiency and
Financial Management and Health Care, District of Columbia, Census and
the National Archives, Committee on Oversight and Government Reform,
House of Representatives:
For Release on Delivery:
Expected at 10:00 a.m. EST:
Wednesday, December 7, 2011:
Medicaid Program Integrity:
Expanded Federal Role Presents Challenges to and Opportunities for
Assisting States:
Statement of Carolyn L. Yocom:
Director, Health Care:
GAO-12-288T:
GAO Highlights:
Highlights of GAO-12-288T, a testimony before the Subcommittees on
Government Organization, Efficiency and Financial Management and
Health Care, District of Columbia, Census and the National Archives,
Committee on Oversight and Government Reform, House of Representatives.
Why GAO Did This Study:
The Centers for Medicare & Medicaid Services (CMS), the federal agency
that oversees Medicaid, estimated that improper payments in the
federal-state Medicaid program were $21.9 billion in fiscal year 2011.
The Deficit Reduction Act of 2005 established the Medicaid Integrity
Program and gave CMS an expanded role in assisting and improving the
effectiveness of state activities to ensure proper payments. Making
effective use of this expanded role, however, requires that federal
resources are targeted appropriately and do not duplicate state
activities.
GAO was asked to testify on Medicaid program integrity. GAO‘s
statement focuses on how CMS‘s expanded role in ensuring Medicaid
program integrity (1) poses a challenge because of overlapping state
and federal activities regarding provider audits and (2) presents
opportunities through oversight to enhance state program integrity
efforts.
To do this work, GAO reviewed CMS reports and documents on Medicaid
program integrity as well as its own and others‘ reports on this
topic. In particular, GAO reviewed CMS reports that documented the
results of its state oversight and monitoring activities. GAO also
interviewed CMS officials in the agency‘s Medicaid Integrity Group
(MIG), which was established to implement the Medicaid Integrity
Program. This work was conducted in November and December 2011. GAO
discussed the facts in this statement with CMS officials.
What GAO Found:
The key challenge faced by the Medicaid Integrity Group (MIG) is the
need to avoid duplication of federal and state program integrity
efforts, particularly in the area of auditing provider claims. In
2011, the MIG reported that it was redesigning its national provider
audit program. Previously, its audit contractors were using incomplete
claims data to identify overpayments. According to MIG data,
overpayments identified by its audit contractors since fiscal year
2009 were not commensurate with its contractors‘ costs. The MIG‘s
redesign will result in greater coordination with states on a variety
of factors, including the data to be used. It remains to be seen,
however, whether these changes will result in an increase in
identified overpayments. The table below highlights the MIG‘s core
oversight activities, which were implemented from fiscal years 2007
through 2009.
Table: MIG‘s Core Oversight Activities and Fiscal Year Implemented:
MIG activities: Comprehensive program integrity reviews (fiscal year
2007);
Description: Every 3 years, the MIG conducts a comprehensive
management review of each state‘s Medicaid program integrity
procedures and processes. Through the reviews, CMS assesses the
effectiveness of the state‘s program integrity efforts and determines
whether the state‘s policies and procedures comply with federal
regulations.
MIG activities: Technical assistance (fiscal year 2007);
Description: In fiscal year 2009, the MIG responded to 504 requests
for technical assistance from 49 states, providers, advocates and
others. Common topics included policy/regulatory requirements on
disclosures, law enforcement activities, and fraud detection tools.
MIG activities: Medicaid Integrity Institute (fiscal year 2007);
Description: The institute is the first national Medicaid integrity
training program. CMS executed an interagency agreement with the
Department of Justice to house the institute at the Department‘s
National Advocacy Center, located at the University of South Carolina.
The institute offers substantive training, technical assistance, and
support to states in a structured learning environment.
MIG activities: National Provider Audit Program (fiscal year 2009);
Description: Separate contractors (1) analyze claims data to identify
aberrant claims, and potential billing vulnerabilities; and (2)
conduct post-payment audits based on data analysis leads in order to
identify overpayments to Medicaid providers.
MIG activities: State program integrity assessments (fiscal year 2009);
Description: These annual assessments represent the first national
baseline collection of data on state Medicaid integrity activities for
the purposes of program evaluation and technical assistance support.
The data provided by states are used to populate a one-page profile
covering topics such as program integrity staffing and expenditures,
audits, fraud referrals, and recoveries.
MIG activities: Education contractors (fiscal year 2009);
Description: The education contractors develop materials in order to
educate and train providers on payment integrity and quality of care
issues.
Source: CMS.
[End of table]
The MIG‘s core oversight activities present an opportunity to enhance
state efforts through the provision of technical assistance and the
identification of training opportunities. The MIG‘s assessment of
state program integrity efforts during triennial onsite reviews and
annual assessments will need to address data inconsistencies
identified during these two activities. Improved consistency will help
ensure that the MIG is appropriately targeting its resources. The
Medicaid Integrity Institute appears to address a state training need
and create networking opportunities for program integrity staff.
View [hyperlink, http://www.gao.gov/products/GAO-12-288T]. For more
information, contact Carolyn L. Yocom at (202) 512-7114 or
yocomc@gao.gov.
[End of section]
Chairmen Platts, Gowdy, and Members of the Subcommittees:
I am pleased to be here today to discuss Medicaid program integrity,
that is, preventing improper payments that result from fraud, waste,
and abuse.[Footnote 1] Until the Deficit Reduction Act of 2005 (DRA)
expanded the role of the Centers for Medicare & Medicaid Services
(CMS), the federal agency that oversees Medicaid, Medicaid program
integrity had been primarily a state responsibility.[Footnote 2] CMS's
expanded role presents an opportunity to assist and improve the
effectiveness of state activities, but also requires that federal
resources are targeted appropriately and do not duplicate state
activities.
Medicaid is jointly funded by federal and state governments. It is one
of the largest social programs in the federal budget--covering about
67 million people in fiscal year 2010--and one of the largest
components of state budgets. In fiscal year 2010, Medicaid
expenditures totaled about $401 billion, with a federal share of $270
billion and a state share of $132 billion. As a result of flexibility
in the program's design, Medicaid consists of 56 distinct state-based
programs.[Footnote 3] The challenges inherent in overseeing a program
of Medicaid's size and diversity make the program vulnerable to
improper payments, which may be the result of fraud, waste, and abuse.
[Footnote 4] Because of the program's risk of improper payments as
well as insufficient federal and state oversight, we added Medicaid to
our list of high-risk programs in January 2003.[Footnote 5] CMS
estimated that Medicaid improper payments were $21.9 billion for
fiscal year 2011.[Footnote 6]
States are the first line of defense against Medicaid improper
payments. Specifically, they must comply with federal requirements to
ensure the qualifications of the providers who bill the program,
detect improper payments, recover overpayments, and refer suspected
cases of fraud and abuse to law enforcement authorities. At the
federal level, CMS, an agency within the Department of Health and
Human Services (HHS), is responsible for supporting and overseeing
state Medicaid program integrity activities.
In 2005, we testified that CMS needed to increase its commitment--both
the alignment of resources and strategic planning--to helping states
fight Medicaid fraud, waste and abuse.[Footnote 7] Subsequently, the
DRA established the Medicaid Integrity Program and included other
provisions designed to increase CMS's support for state activities to
address Medicaid fraud, waste, and abuse. The DRA provided
appropriations to implement the Medicaid Integrity Program, and the
Patient Protection and Affordable Care Act (PPACA) enacted in March
2010 gave CMS and states additional provider and program integrity
oversight tools.[Footnote 8]
You asked GAO to testify today on Medicaid program integrity. My
remarks focus on how CMS's expanded role in ensuring Medicaid program
integrity (1) poses a challenge because of overlapping state and
federal activities, particularly in the area of auditing provider
claims; and (2) presents opportunities through oversight to enhance
state program integrity efforts. To do this work, we reviewed CMS
reports and documents on Medicaid program integrity as well as our own
and others' reports on this topic. In particular, we reviewed CMS
reports that documented the results of its state oversight and
monitoring activities. We also interviewed CMS officials in the
agency's Medicaid Integrity Group, which was established to implement
the Medicaid Integrity Program. We conducted our work in November and
December 2011 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. The data presented in this statement were obtained from
CMS and we did not independently verify their reliability. We believe
that the evidence obtained provides a reasonable basis or our findings
and conclusions based on our audit objectives.
Background:
CMS is responsible for overseeing Medicaid and state Medicaid agencies
are responsible for administering the program. Although each state is
subject to federal requirements, it develops its own Medicaid
administrative structure for carrying out the program including its
approach to program integrity. Within broad federal guidelines, each
state establishes eligibility standards and enrolls eligible
individuals; determines the type, amount, duration, and scope of
covered services; sets payment rates for covered services; establishes
standards for providers and managed care plans; and ensures that state
and federal funds are not spent improperly or diverted by fraudulent
providers. However, state Medicaid programs do not work in isolation
on program integrity; instead, there are a large number of federal
agencies, other state entities, and contractors with which states must
coordinate.
State Medicaid Program Integrity Activities:
Generally, each state's Medicaid program integrity unit uses its own
data models, data warehouses, and approach to analysis. States often
augment their in-house capabilities by contracting with companies that
specialize in Medicaid claims and utilization reviews. However, as
program administrators, states have primary responsibility for
conducting program integrity activities that address provider
enrollment, claims review, and case referrals. Specifically, CMS
expects states to:
* collect and verify basic information on providers, including whether
the providers meet state licensure requirements and are not prohibited
from participating in federal health care programs:
* maintain a mechanized claims processing and information system known
as the Medicaid Management Information System (MMIS). MMIS can be used
to make payments and to verify the accuracy of claims, the correct use
of payment codes, and a beneficiary's Medicaid eligibility.[Footnote 9]
* operate a Surveillance and Utilization Review Subsystem (SURS) in
conjunction with the MMIS that is intended to develop statistical
profiles on services, providers, and beneficiaries in order to
identify potential improper payments. For example, SURS may apply
automatic post-payment screens to Medicaid claims in order to identify
aberrant billing patterns.
* submit all processed Medicaid claims electronically to CMS's Medical
Statistical Information System (MSIS). MSIS does not contain billing
information, such as the referring provider's identification number or
beneficiary's name, because it is a subset of the claims data
submitted by states. States provide data on a quarterly basis and CMS
uses the data to (1) analyze Medicaid program characteristics and
utilization for services covered by state Medicaid programs, and (2)
generate various public use reports on national Medicaid populations
and expenditures.
* refer suspected overpayments or overutilization cases to other units
in the Medicaid agency for corrective action and refer potential fraud
cases to other appropriate entities for investigation and prosecution.
Our reports and testimonies from 2001 through 2006 identified gaps in
state program integrity activities and noted that the support provided
by CMS to states was hampered by resource constraints.[Footnote 10]
For example, in 2004, we reported that 15 of 47 states responding to
our questionnaire did not affirm that they conducted data mining,
defined as analysis of large data sets to identify unusual utilization
patterns, which might indicate provider abuse.
Recent Legislation Has Conferred New Responsibilities on CMS and
States:
The DRA established the Medicaid Integrity Program to provide
effective federal support and assistance to states to combat fraud,
waste, and abuse. To implement the Medicaid Integrity Program, CMS
created the Medicaid Integrity Group (MIG), which is now located
within the agency's Center for Program Integrity. The DRA also
required CMS to hire contractors to review and audit provider claims
and to educate providers on issues such as appropriate billing
practices.
The Medicaid Recovery Audit Contractor (RAC) program was established
by PPACA.[Footnote 11] Each state must contract with a RAC, which is
tasked with identifying and recovering Medicaid overpayments and
identifying underpayments. Each state's RAC is required to be
operational by January 1, 2012. Medicaid RACs will be paid on a
contingency fee basis--up to 12.5 percent--of any recovered
overpayments and states are required to establish incentive payments
for the detection of underpayments.[Footnote 12] Figure 1 identifies
the key federal and state entities responsible for Medicaid program
integrity.
Figure 1: Key Federal and State Entities Responsible for Medicaid
Program Integrity before and after the Deficit Reduction Act of 2005:
[Refer to PDF for image: illustration]
Federal:
Medicaid Integrity Group[D]: CMS:
Review contractors[D];
Audit contractors[D];
Education contractors[D];
Medicaid Integrity Institute[D].
State:
State Program Integrity Unit[C]:
Medicaid Fraud Control Unit[C];
Recovery Audit Contractor[A,D];
Surveillance and Utilization Review Subsystem[B,C].
Source: GAO.
Notes: Other federal entities involved in Medicaid program integrity
not included in this figure include: CMS's Office of Financial
Management and its Center for Medicaid, CHIP, Survey and
Certification; the Department of Health and Human Services' Office of
Inspector General; the Federal Bureau of Investigation; and the
Department of Justice.
[A] States are required to contract with at least one RAC, which must
be operational beginning January 2012.
[B] SURS may be performed by an outside contractor (as depicted here)
or state program integrity staff may carry out the SURS function, in
which case it would be integral to the State Program Integrity Unit.
[C] Established before Deficit Reduction Act of 2005.
[D] Established after Deficit Reduction Act of 2005.
[End of figure]
Fraud Investigation and Prosecution:
Fraud detection and investigations often require more specialized
skills than are required for the identification of improper payments
because investigators must establish that an individual or entity
intended to falsify a claim to achieve some gain. As a result, fraud
is more difficult to prove than improper payments and requires the
involvement of entities that can investigate and prosecute fraud
cases. In 1977, Congress authorized federal matching funds for the
establishment of independent state Medicaid Fraud Control Units
(MFCU).[Footnote 13] MFCUs are responsible for investigating and
prosecuting Medicaid fraud. In general, they are located in State
Attorneys Generals' offices. MFCUs can, in turn, refer some cases to
federal agencies that have longstanding responsibility for combating
fraud, waste, and abuse in Medicare and Medicaid--the HHS's Office of
Inspector General (HHS-OIG), the Federal Bureau of Investigation
(FBI), and the Department of Justice.
CMS's MIG Implemented Core Activities from 2006 through 2009 but
Effective Coordination Is Needed Because of Overlap with Ongoing State
Efforts:
A key challenge CMS faces in implementing the statutorily required
federal Medicaid Integrity Program is ensuring effective coordination
to avoid duplicating state program integrity efforts. CMS established
the MIG in 2006 and it gradually hired staff and contractors to
implement a set of core activities, including the (1) review and audit
of Medicaid provider claims; (2) education of state program integrity
officials and Medicaid providers; and (3) oversight of state program
integrity activities and provision of assistance. Because states also
routinely review and audit provider claims, the MIG recognized that
coordination was key to avoiding duplication of effort. In 2011, the
MIG reported that it was redesigning its national provider audit
program to allow for greater coordination with states on data,
policies, and audit measures. According to MIG data, overpayments
identified by its review and audit contractors over the first 3 years
of the national audit program were not commensurate with the
contractors' costs.
Core MIG Activities Were Implemented Gradually from 2006 to 2009:
The DRA provided CMS with the resources to hire staff whose sole
duties are to assist states in protecting the integrity of the
Medicaid program. The MIG's core activities were implemented gradually
from fiscal year 2006 to 2009. The DRA provided start up funding of $5
million for fiscal year 2006, increasing to $50 million for each of
the subsequent 2 fiscal years, and $75 million per year for fiscal
year 2009 and beyond.[Footnote 14] One of the first activities
initiated by the MIG in fiscal year 2007 was comprehensive program
integrity reviews to assess the effectiveness of states' activities,
which involved eight, week-long onsite visits that year.[Footnote 15]
One of the last activities to be implemented was the statutorily
required National Provider Audit Program where MIG contractors review
and audit Medicaid provider claims. In fiscal year 2005, we reported
that CMS devoted 8.1 full time equivalent staff years to support and
oversee states' anti-fraud-and-abuse operations, which, in 2010, had
grown to 83 out of the 100 DRA authorized full time equivalent staff
years.[Footnote 16] Table 1 describes six core MIG activities and the
fiscal year in which those activities began.
Table 1: Medicaid Integrity Group's Core Oversight Activities, by
Fiscal Year Implemented:
Fiscal year 2007:
MIG activities: Comprehensive program integrity reviews;
Description: Every 3 years, the MIG conducts a comprehensive
management review of each state's Medicaid program integrity
procedures and processes. Through the reviews, the MIG assesses the
effectiveness of the state's program integrity efforts and determines
whether the state's policies and procedures comply with federal
statutes and regulations. The review areas include provider
enrollment, provider disclosures, program integrity, managed care
operations, and the interaction between the state's Medicaid agency
and its Medicaid Fraud Control Unit (MFCU). Each review results in a
report which is posted on CMS's Web site that summarizes best
practices, compliance issues, and vulnerabilities. The MIG also
conducts follow-up reviews to evaluate state's corrective action plans
addressing any identified vulnerabilities.
MIG activities: Technical assistance;
Description: In fiscal year 2009, the MIG responded to 504 requests
for technical assistance from 49 states, providers, advocates and
others. Common topics included the National Provider Audit Program,
policy/regulatory requirements on disclosures, law-enforcement
activities, and fraud detection tools. Examples of other assistance
provided to the states included (1) hosting regional State Program
Integrity Director conference calls to discuss emerging issues and
best practices, and (2) issuing a State Medicaid Director letter in
January 2009 which provided guidance to Medicaid providers on
screening their employees and contractors for individuals excluded
from participation in the program.
MIG activities: Medicaid integrity institute;
Description: The institute is the first national Medicaid integrity
training program. CMS executed an interagency agreement with the
Department of Justice to house the institute at the National Advocacy
Center, located at the University of South Carolina. The institute
offers substantive training, technical assistance, and support to
states in a structured learning environment. In time, the institute
intends to create a credentialing process to elevate the professional
qualifications of state Medicaid program integrity staff.
Fiscal year 2009:
MIG activities: National Provider Audit Program[A];
Description: Separate contractors (1) analyze claims data to identify
aberrant claims and potential billing vulnerabilities, and (2) conduct
post-payment audits based on data analysis leads in order to identify
overpayments to Medicaid providers.
MIG activities: State program integrity assessments;
Description: These annual assessments represent the first national
baseline collection of data on state Medicaid integrity activities for
the purposes of program evaluation and technical assistance support.
The data provided by states are used to populate a one page profile
covering topics such as program integrity staffing and expenditures,
audits, fraud referrals to the state's MFCU, and recoveries.
MIG activities: Education contractors;
Description: The education contractors develop materials in order to
educate and train providers on payment integrity and quality of care
issues.
Source: CMS.
[A] To gain a better understanding of audit processes and procedures
as well as variation across the states, the MIG initiated test audits
in fiscal year 2007, prior to the implementation of the National
Provider Audit Program.
[End of table]
Figure 2 shows MIG expenditures by program category for fiscal year
2010. The Medicaid Integrity Institute accounted for about 2 percent
of the MIG's fiscal year 2010 expenditures, while the National
Provider Audit Program accounted for about half of expenditures.
Figure 2: MIG Expenditures by Program Category, Fiscal Year 2010, in
Millions:
[Refer to PDF for image: pie-chart]
Additional state support and assistance[A]: $1.2 million;
Medicaid Integrity Institute: $1.3 million;
Education contractors: $6.2 million;
Data strategy and information technology infrastructure: $7.1 million;
Program support, staffing and administration[B]: $19.5 million;
National Provider Audit Program: $35.9 million.
Source: CMS.
[A] These activities include courses as well as technical assistance
and outreach to states specific to the implementation of PPACA.
[B] These activities include the comprehensive program integrity
reviews, state program integrity assessments, and technical assistance.
[End of figure]
The MIG Recognized the Need for Effective Coordination:
At the outset, the MIG recognized that effective coordination with
internal and external stakeholders was essential to the success of the
Medicaid Integrity Program. In a report issued prior to establishment
of the program, we found that CMS had a disjointed organizational
structure and lacked the strategic planning necessary to face the
risks involved with the Medicaid program.[Footnote 17] We identified
the need for CMS to develop a strategic plan in order to provide
direction to the agency, its contractors, states, and its law
enforcement partners. In designing and implementing the program, the
MIG convened an advisory committee consisting of (1) state program
integrity, Medicaid, and MFCU directors from 16 states; and (2)
representatives of the FBI, HHS-OIG, and CMS regional offices. This
committee provided planning input and strategic advice and identified
key issues that the MIG needed to address, including:
* The MIG's efforts should support and complement states' Medicaid
integrity efforts, not be redundant of existing auditing efforts.
* Program integrity activities of the MIG and other federal entities
require coordination with states regarding auditing and data requests.
* The focus of state activities should be shifted from postpayment
audits to prepayment prevention activities.
The advisory committee also highlighted the lack of state resources
for staffing, technology, and training. CMS's July 2009 Comprehensive
Medicaid Integrity Plan, the fourth such plan since 2006, stated that
fostering collaboration with internal and external stakeholders of the
Medicaid Integrity Program was a primary goal of the MIG.
In implementing more recent statutory requirements, CMS again stressed
the need for effective coordination and collaboration. CMS's
commentary accompanying the final rule on the implementation of
Medicaid RACs acknowledged the potential for duplication with states'
ongoing efforts to identify Medicaid overpayments. States have been
responsible for the recovery of all identified overpayments, including
those identified since fiscal year 2009 by the MIG's audit
contractors. The new requirement for states to contract with an
independent Medicaid RAC introduces another auditor to identify and
collect Medicaid overpayments. The Medicaid RAC program was modeled
after a similar Medicare program, which was implemented in March 2009
after a 3-year demonstration.[Footnote 18] Because Medicare RACs are
paid a fixed percentage of the dollar value of any improper payments
identified, they generally focused on costly services such as
inpatient hospital stays. Our prior work on Medicare RACs noted that
the postpayment review activities of CMS's other contractors would
overlap less with the RACs' audits if those activities focused on
different Medicare services where improper payments were known to be
high, such as home health.[Footnote 19] Because Medicaid RACs are not
required to be operational until January 1, 2012, the extent to which
states will structure their RAC programs to avoid duplication and
complement their own provider review and audit activities remains to
be seen.
The MIG Is Redesigning the National Provider Audit Program, Whose
Returns Were Not Commensurate with Contractors' Costs:
In its most recent annual report to the Congress, the MIG indicated
that it was redesigning the National Provider Audit Program. According
to the MIG, the National Provider Audit Program has not identified
overpayments in the Medicaid program commensurate with the related
contractor costs. About 50 percent of the MIG's $75 million annual
budget supports the activities of its review and audit contractors.
From fiscal years 2009 through 2011, the MIG authorized 1,663 provider
audits in 44 states. However, the MIG's reported return on investment
from these audits was negative. While its contractors identified $15.2
million in overpayments, the combined cost of the National Provider
Audit Program was about $36 million in fiscal year 2010. The actual
amount of overpayments recovered is not known because states are
responsible for recovering overpayments and the MIG is not the CMS
entity that tracks recoveries. Actual recoveries may be less than the
identified overpayments.
The National Provider Audit Program has generally relied on MSIS,
which is summary data submitted by states on a quarterly basis that
may not reflect voided or adjusted claims payments. As a result, the
MIG's audit contractors may identify two MSIS claims as duplicates
when the state has already voided or denied payment on one of these
claims. For their program integrity efforts, states use their own MMIS
data systems, which generally reflect real-time payments and
adjustments of detailed claims for each health care service. States
are required to have a SURS component that performs data mining as a
part of their program integrity efforts. The MIG's review contractors
use data mining techniques that may be similar to those employed by
states, and they may not identify any additional improper claims.
Moreover, MIG officials told us that the National Provider Audit
Program did not prioritize the activities according to the dollar
amount of the claim, that is, it did not concentrate its efforts on
audits with the greatest potential for significant recoveries.
Although the amount of overpayment identified from any given audit can
vary by thousands or millions of dollars, the MIG's comprehensive
reviews of several states' Medicaid integrity programs show that these
states identified significantly higher levels of overpayments in 1
year than the National Provider Audit Program identified over 3 years.
For example, the number of national provider audits (1,663) over three
fiscal years was similar to the number that New York conducted in
fiscal year 2008 (1,352), yet CMS reported that New York had
identified more than $372 million in overpayments--considerably more
than the $15.2 million identified through national provider audits.
[Footnote 20]
The MIG's proposed redesign of the National Provider Audit Program
appears to allow for greater coordination between its contractors and
states on a variety of factors, including the data to be used.
[Footnote 21] In fiscal year 2010, the MIG launched collaborative
audits in 13 states. For these audits, the states and the MIG agreed
on the audit issues to review and, in some cases, states provided the
MIG's audit contractors with more timely and complete claims data.
These collaborative projects (1) allowed states to augment their own
audit resources, (2) addressed audit targets that states may not have
been able to initiate because of a lack of staff, and (3) provided
data analytic support for states that lacked that capability. Although
these activities are ongoing and the results have not yet been
finalized, such collaborative projects appear to be a promising
approach to audits that avoids a duplication of federal and state
efforts. It remains to be seen, however, whether these changes will
result in an increase in identified overpayments.
Expanded Role Offers Opportunity to Enhance State Efforts, but More
Consistent Data Are Needed:
While the MIG's audit program is challenged to avoid duplicating
states' own audit activities, its other core functions present an
opportunity to enhance states' efforts. The MIG's state oversight
activities are extensive and labor intensive. Although the data
collected during reviews and assessments are not always consistent
with each other, these oversight activities have a strong potential to
inform the MIG's technical assistance and help identify training
opportunities. The Medicaid Integrity Institute appears to address an
important state training need.
MIG's Core Oversight Activities Are Broad, but the Data Collected
During Reviews and Assessments Were Not Always Consistent with Each
Other:
The MIG's core oversight activities--triennial comprehensive state
program integrity reviews and annual assessments--are broad in scope
and provide a basis for the development of appropriate technical
assistance. However, we found that the information collected during
reviews and the information collected from assessments was sometimes
inconsistent with each other.
As of November 2011, the MIG had completed the first round of reviews
for 50 states and had initiated a second round of reviews in 10
states. The reviews cover the entirety of a state's program integrity
activities and assess compliance with federal regulations. In advance
of the MIG's week-long onsite visit, state program integrity officials
are asked to respond to a 71-page protocol containing 195 questions
and to provide considerable documentation.[Footnote 22] Table 2
summarizes the topics covered in the protocol. Typical compliance
issues and vulnerabilities identified during the reviews include
provider enrollment weaknesses, inadequate oversight of providers in
Medicaid managed care, and ineffective fraud referrals to state MFCUs.
Table 2: Topics Covered in MIG's Comprehensive State Program Integrity
Review Protocol:
Module: Program integrity organization and staffing;
Number of questions: 29.
Module: Claims payment review;
Number of questions: 10.
Module: Prepayment review;
Number of questions: 37.
Module: Post-payment review;
Number of questions: 13.
Module: Recovery audit contractors;
Number of questions: 6.
Module: Payment error rate measurement;
Number of questions: 6.
Module: Sampling and extrapolation;
Number of questions: 14.
Module: Fraud identification, investigation, and referral;
Number of questions:
Methods;
Number of questions: 10.
Preliminary investigation;
Number of questions: 4.
Full investigation;
Number of questions: 8.
Resolution of full investigation;
Number of questions: 7.
Reporting requirements;
Number of questions: 3.
Provider statements;
Number of questions: 7.
Recipient verification;
Number of questions: 9.
Cooperation with MFCUs;
Number of questions: 16.
Withholding payments;
Number of questions: 4.
Federal reimbursement for operation of data systems;
Number of questions: 3.
False Claims Act requirements;
Number of questions: 4.
Module: Technical assistance;
Number of questions: 5.
Source: CMS's fiscal year 2011 comprehensive state program integrity
review protocol.
[End of table]
Much of the information collected during the assessments--Medicaid
program integrity characteristics, program integrity planning,
prevention, detection, investigation and recoveries--is also collected
during the triennial comprehensive reviews.[Footnote 23] In addition,
we found inconsistencies between the information reported in the
comprehensive reviews and in the assessments for several states that
were conducted at about the same time. For example, there was a
significant discrepancy for one state in the number of staff it
reported as being dedicated to program integrity activities. According
to the MIG, knowing the size of state program integrity staff helps it
to more appropriately tailor content during training events. Improved
consistency will help the MIG ensure that it is targeting its training
and technical assistance resources appropriately. Despite the
frequency of the annual assessments, the most current data cover
fiscal year 2008, which the MIG began collecting in fiscal year 2010.
Although the MIG provides states with a glossary explaining each of
the requested data elements, it is not clear that the information
submitted is reliable or comparable across states. Our review of a
sample of assessments revealed missing data and a few implausible
measures, such as one state reporting over 38 million managed care
enrollees. In other states, there were dramatic changes in the data
reported from 2007 to 2008, which either raises a question about the
reliability of the data or suggests that states be allowed to explain
significant changes from year to year. For example, the number of
audits in one state declined from 203 to 35.
According to MIG officials, the comprehensive reviews and the
assessments inform the MIG's technical assistance activities with the
states. For example, we found that the MIG published best practices
guidance in 2008 after finding weaknesses in coordination between
state program integrity officials and their respective MFCU's in a
number of states. In its report to Congress on fiscal year 2010
activities, the MIG indicated it completed 420 requests for technical
assistance from 43 states, providers, and others. The most common
topics included the National Provider Audit Program, policy and
regulatory requirements on disclosures, provider exclusions and
enrollment, and requests for statistical assistance related to
criminal and civil court actions. Examples of assistance provided to
the states by the MIG included (1) hosting regional state program
integrity director conference calls to discuss program integrity
issues and best practices; and (2) helping develop a State Medicaid
Director Letter (issued in July 2010) on the return of federal share
of overpayments under PPACA.
Medicaid Integrity Institute Trains State Staff and Facilitates
Networking:
The federally sponsored Medicaid Integrity Institute not only offers
state officials free training but also provides opportunities to
develop relationships with program integrity staff from other states.
The institute addresses our prior finding that CMS did not sponsor any
fraud and abuse workshops or training from 2000 through 2005.[Footnote
24] From fiscal years 2008 through 2012, the institute will have
trained over 2,265 state employees at no cost to states. Given the
financial challenges states currently face, it is likely that
expenditures for training and travel are limited. Expenditures on the
institute accounted for about $1.3 million of the MIG's $75 million
annual budget. MIG officials told us that states uniformly praised the
opportunity to network and learn about best practices from other
states. A special June 2011 session at the institute brought together
Medicaid program integrity officials and representatives of MFCUs from
39 states in an effort to improve the working relations between these
important program integrity partners.
In addition to the institute, the MIG has a contractor that provides
(1) education to broad groups of providers and beneficiaries, and (2)
targeted education to specific providers on certain topics.[Footnote
25] For example, the education contractor has provided outreach
through its attendance at 17 conferences with about 36,000 attendees.
These conferences were sponsored by organizations devoted to combating
health care fraud such as the National Association of Medicaid Program
Integrity and National Health Care Anti-Fraud Association, as well as
meetings of national and regional provider organizations (hospital,
home care and hospice and pharmacy). An example of a more targeted
activity is one focused on pharmacy providers. The MIG's education
contractor is tasked with developing provider education materials to
promote best prescribing practices for certain therapeutic drug
classes and remind providers of the appropriate prescribing guidelines
based on FDA approved labeling. The education program includes some
face-to-face conversations, mailings to providers, and distribution of
materials on a website and at conferences and meetings. These
activities are collaborative efforts with the states so that states
are: aware of the aberrant providers, participate in the education
program, and can implement policy changes to address these issues, as
appropriate.
We discussed the facts in this statement with CMS officials.
Chairmen Pratts and Gowdy, this concludes my prepared remarks. I would
be happy to answer any questions that you or other Members may have.
GAO Contact and Staff Acknowledgments:
For further information about this statement, please contact Carolyn
L. Yocom at (202) 512-7114 or yocomc@gao.gov. Contact points for our
Offices of Congressional Relation and Public Affairs may be found on
the last page of this statement. Walter Ochinko, Assistant Director;
Sean DeBlieck; Iola D'Souza; Leslie V. Gordon; Drew Long; Jessica
Smith; and Jennifer Whitworth were key contributors to this statement.
[End of section]
Appendix I: Abbreviations:
CMS: Centers for Medicare & Medicaid Services:
DRA: Deficit Reduction Act of 2005:
FBI: Federal Bureau of Investigation:
FDA: Food and Drug Administration:
HCERA: Health Care Education and Reconciliation Act of 2010:
HHS: Department of Health and Human Services:
MFCU: Medicaid Fraud Control Unit:
MIG: Medicaid Integrity Group:
MIP: Medicaid Integrity Program:
MMIS: Medicaid Management Information System:
MSIS: Medicaid Statistical Information System:
OIG: Office of Inspector General:
PERM: Payment Error Rate Measurement:
PPACA: Patient Protection and Affordable Care Act:
RAC: Recovery Audit Contractor:
SURS: Surveillance and Utilization Review Subsystem:
[End of section]
Related GAO Products:
Fraud Detection Systems: Additional Actions Needed to Support Program
Integrity Efforts at Centers for Medicare and Medicaid Services.
[hyperlink, http://www.gao.gov/products/GAO-11-822T]. Washington,
D.C.: July 12, 2011.
Fraud Detection Systems: Centers for Medicare and Medicaid Services
Needs to Ensure More Widespread Use. [hyperlink,
http://www.gao.gov/products/GAO-11-475]. Washington, D.C.: June 30,
2011.
Improper Payments: Recent Efforts to Address Improper Payments and
Remaining Challenges. [hyperlink,
http://www.gao.gov/products/GAO-11-575T]. Washington, D.C.: April 15,
2011.
Status of Fiscal Year 2010 Federal Improper Payments Reporting.
[hyperlink, http://www.gao.gov/products/GAO-11-443R]. Washington,
D.C.: March 25, 2011.
Medicare and Medicaid Fraud, Waste, and Abuse: Effective
Implementation of Recent Laws and Agency Actions Could Help Reduce
Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-11-409T]. Washington, D.C.: March 9,
2011.
Medicare: Program Remains at High Risk Because of Continuing
Management Challenges. [hyperlink,
http://www.gao.gov/products/GAO-11-430T]. Washington, D.C.: March 2,
2011.
Opportunities to Reduce Potential Duplication in Government Programs,
Save Tax Dollars, and Enhance Revenue. [hyperlink,
http://www.gao.gov/products/GAO-11-318SP]. Washington, D.C.: March 1,
2011.
High-Risk Series: An Update. [hyperlink,
http://www.gao.gov/products/GAO-11-278]. Washington, D.C.: February
2011.
Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing
Vulnerabilities to Improper Payments, Although Improvements Made to
Contractor Oversight. [hyperlink,
http://www.gao.gov/products/GAO-10-143]. Washington, D.C.: March 31,
2010.
Medicaid: Fraud and Abuse Related to Controlled Substances Identified
in Selected States. [hyperlink,
http://www.gao.gov/products/GAO-09-1004T]. Washington, D.C.: September
30, 2009.
Medicaid: Fraud and Abuse Related to Controlled Substances Identified
in Selected States. [hyperlink,
http://www.gao.gov/products/GAO-09-957]. Washington, D.C.: September
9, 2009.
Improper Payments: Progress Made but Challenges Remain in Estimating
and Reducing Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-09-628T]. Washington, D.C.: April 22,
2009.
Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax
System. [hyperlink, http://www.gao.gov/products/GAO-08-239T].
Washington, D.C.: November 14, 2007.
Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax
System. [hyperlink, http://www.gao.gov/products/GAO-08-17].
Washington, D.C.: November 14, 2007.
Medicaid Financial Management: Steps Taken to Improve Federal
Oversight but Other Actions Needed to Sustain Efforts. [hyperlink,
http://www.gao.gov/products/GAO-06-705]. Washington, D.C.: June 22,
2006.
Medicaid Integrity: Implementation of New Program Provides
Opportunities for Federal Leadership to Combat Fraud, Waste, and
Abuse. [hyperlink, http://www.gao.gov/products/GAO-06-578T].
Washington, D.C.: March 28, 2006.
Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard
Program Dollars Is Limited. [hyperlink,
http://www.gao.gov/products/GAO-05-855T]. Washington, D.C.: June 28,
2005.
Medicaid Program Integrity: State and Federal Efforts to Prevent and
Detect Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-04-707]. Washington, D.C.: July 16,
2004.
Medicaid: State Efforts to Control Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-01-662]. Washington, D.C.: June 7,
2001.
[End of section]
Footnotes:
[1] Medicaid is the federal-state program that covers acute health
care, long-term care, and other services for certain categories of low-
income individuals.
[2] See Pub. L. No. 109-171, § 6034, 120 Stat. 3, 74-78 (2006).
[3] The federal government matches states' expenditures for most
Medicaid services using a statutory formula based on each state's per
capita income. The 56 Medicaid programs include one for each of the 50
states, the District of Columbia, Puerto Rico, Samoa, Guam, the
Commonwealth of the Northern Mariana Islands, and the United States
Virgin Islands.
[4] Fraud involves an intentional act or representation to deceive
with the knowledge that the action or representation could result in
gain. Waste results from clerical errors or the provision of medically
unnecessary services. Abuse typically involves actions that are
inconsistent with acceptable business and medical practices that
result in unnecessary program costs. See, e.g., 42 C.F.R. § 455.2
(2010).
[5] See GAO, Major Management Challenges and Program Risks: Department
of Health and Human Services, [hyperlink,
http://www.gao.gov/products/GAO-03-101] (Washington, D.C.: January
2003).
[6] In its Fiscal Year 2011 Agency Financial Report, HHS calculated
and reported the 3-year (2009, 2010, and 2011) weighted average
national payment error rate for Medicaid of 8.1 percent. See
Department of Health and Human Services FY 2011 Agency Financial
Report (Washington, D.C.: Nov. 15, 2011).
[7] See GAO, Medicaid Fraud and Abuse: CMS's Commitment to Helping
States Safeguard Program Dollars Is Limited, [hyperlink,
http://www.gao.gov/products/GAO-05-855T] (Washington, D.C.: June 28,
2005).
[8] Pub. L. No. 111-148, 124 Stat. 119, as amended by the Health Care
Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124
Stat. 1029. For example, PPACA required states to have Medicaid
Recovery Audit Contractors, increased provider ownership reporting
requirements, and allowed CMS to suspend payments to providers on the
basis of a credible allegation of fraud.
[9] States provide CMS with claims data for use in estimating a
Medicaid payment error rate. CMS developed the Payment Error Rate
Measurement program to comply with the Improper Payments Information
Act of 2002. The error rate is not a "fraud rate" but simply a
measurement of payments made that did not meet statutory, regulatory,
or administrative requirements.
[10] See GAO, Medicaid: State Efforts to Control Improper Payments
Vary, [hyperlink, http://www.gao.gov/products/GAO-01-662] (Washington,
D.C.: June 7, 2001); Medicaid Program Integrity: State and Federal
Efforts to Prevent and Detect Improper Payments, [hyperlink,
http://www.gao.gov/products/GAO-04-707] (Washington, D.C.: July 16,
2004); [hyperlink, http://www.gao.gov/products/GAO-05-855T]; Medicaid
Integrity: Implementation of New Program Provides Opportunities For
Federal Leadership to Combat Fraud, Waste, and Abuse, [hyperlink,
http://www.gao.gov/products/GAO-06-578T] (Washington, D.C.: March 28,
2006).
[11] Pub. L. No. 111-148, §6411, 124 Stat. 119,773.
[12] CMS will not provide federal financial participation for
administrative expenditure claims if a state establishes a RAC
contingency fee that is in excess of the highest Medicare RAC
contingency fee rate, unless a state requests an exception from CMS
and provides an acceptable justification. Any additional fees must be
paid out of state-only funds.
[13] Medicare-Medicaid Anti-Fraud and Abuse Amendments, Pub. L. No. 95-
142, §91 Stat. 1175, 1201.
[14] HCERA provided that for each fiscal year after 2010 the amount
appropriated would be adjusted to take into account inflation.
§1303(b)(3), 124 Stat. at 1058.
[15] The states the MIG visited included Arkansas, Connecticut,
Delaware, Michigan, Missouri, Nevada, Oregon, and Virginia.
[16] See [hyperlink, http://www.gao.gov/products/GAO-05-855T].
[17] See [hyperlink, http://www.gao.gov/products/GAO-05-855T].
[18] The Medicare Prescription Drug, Improvement, and Modernization
Act of 2003 directed CMS to conduct a project to demonstrate how
effective the use of RACs would be in identifying underpayments and
overpayments, and in recouping overpayments in Medicare. Pub. L. No.
108-173, § 306, 117 Stat. 2066, 2256. Subsequently, in December 2006
the Tax Relief and Health Care Act of 2006 required CMS to implement a
national Medicare RAC program by January 1, 2010. Pub. L. No. 109-342,
div. B, title III, § 302, 120 Stat. 2924, 2991 (codified at 42 U.S.C.
§ 1395ddd(h)).
[19] See GAO, Medicare and Medicaid Fraud, Waste, and Abuse: Effective
Implementation of Recent Laws and Agency Actions Could Help Reduce
Improper Payments, [hyperlink,
http://www.gao.gov/products/GAO-11-409T] (Washington, D.C.: Mar. 9,
2011).
[20] Department of Health and Human Services, Centers for Medicare &
Medicaid Services, New York Comprehensive Program Integrity Review:
Final Report (Washington, D.C.: 2010).
[21] Kathleen Sebelius, Secretary of Health and Human Services, Annual
Report to Congress on the Medicaid Integrity Program for Fiscal Year
2010 (Washington, D.C.: 2011).
[22] The MFCU and managed care entities receive separate protocols and
requests for documentation.
[23] The MIG collects the data for the assessments through an online
questionnaire that has 56 questions. The responses are used to develop
a one-page profile on state activities.
[24] See [hyperlink, http://www.gao.gov/products/GAO-05-855T].
[25] The MIG has two education contractors, however, it has only
issued task orders to one of the contractors.
[End of section]
GAO‘s Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the
performance and accountability of the federal government for the
American people. GAO examines the use of public funds; evaluates
federal programs and policies; and provides analyses, recommendations,
and other assistance to help Congress make informed oversight, policy,
and funding decisions. GAO‘s commitment to good government is
reflected in its core values of accountability, integrity, and
reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO‘s website [hyperlink, http://www.gao.gov]. Each
weekday afternoon, GAO posts on its website newly released reports,
testimony, and correspondence. To have GAO e mail you a list of newly
posted products, go to [hyperlink, http://www.gao.gov] and select ’E-
mail Updates.“
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black
and white. Pricing and ordering information is posted on GAO‘s
website, [hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
Connect with GAO:
Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov].
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm];
E-mail: fraudnet@gao.gov;
Automated answering system: (800) 424-5454 or (202) 512-7470.
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548.
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548.