Medicare and Medicaid Fraud, Waste, and Abuse
Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments
GAO ID: GAO-11-409T, March 9, 2011
GAO has designated Medicare and Medicaid as high-risk programs because they are particularly vulnerable to fraud, waste, abuse, and improper payments (payments that should not have been made or were made in an incorrect amount). Medicare is considered high-risk in part because of its complexity and susceptibility to improper payments, and Medicaid because of concerns about the adequacy of its fiscal oversight to prevent inappropriate spending. In fiscal year 2010, the Centers for Medicare & Medicaid Services (CMS)--the agency that administers Medicare and Medicaid--estimated that these programs made a total of over $70 billion in improper payments. This statement focuses on how implementing prior GAO recommendations and recent laws, as well as other agency actions, could help CMS carry out five key strategies GAO identified in previous reports to help reduce fraud, waste, and abuse and improper payments in Medicare and Medicaid. It is based on 16 GAO products issued from April 2004 through June 2010 using a variety of methodologies, such as analyses of Medicare or Medicaid claims, review of relevant policies and procedures, and interviews with officials. In February 2011, GAO also received updated information from CMS on agency actions.
The amount of improper payments creates urgency for CMS to effectively implement prior GAO recommendations, provisions in recently enacted laws, and recent guidance related to five key strategies to help reduce fraud, waste, abuse, and improper payments in Medicare and Medicaid.
1. Strengthening provider enrollment standards and procedures. Strengthening the standards and procedures for provider enrollment can help reduce the risk of enrolling entities intent on defrauding the program. The Patient Protection and Affordable Care Act as amended (PPACA) strengthens aspects of provider enrollment in Medicare and Medicaid. CMS is implementing these provisions, which include designating providers by levels of risk and providing more stringent review of high-risk providers.
2. Improving prepayment review of claims. Prepayment reviews of claims help ensure that Medicare pays correctly the first time. CMS is implementing a PPACA provision requiring states to add automated prepayment controls in their Medicaid programs. In addition, CMS is seeking contractors to apply predictive modeling analysis to claims as a way to develop new prepayment controls to add to Medicare; however, CMS has not implemented certain GAO recommendations related to prepayment review.
3. Focusing postpayment claims review on most vulnerable areas. Postpayment reviews are critical to identifying payment errors and recouping overpayments. CMS is instituting recovery audit contractor (RAC) programs in Medicare and Medicaid to increase postpayment review. However, CMS contractors generally choose their focus for claims review, and GAO continues to contend that CMS should make it a priority to focus claims administration contractors' postpayment review on the most vulnerable areas.
4. Improving oversight of contractors. CMS's oversight of contractors' activities to address fraud, waste, and abuse is critical. CMS has taken action to address GAO recommendations to improve oversight of prescription drug plan sponsors' fraud and abuse programs and to comply with other contractor oversight provisions in PPACA.
5. Developing a robust process for addressing identified vulnerabilities. Having mechanisms in place to resolve vulnerabilities that lead to improper payment is critical, but CMS has not developed a robust corrective action process for vulnerabilities identified by Medicare RACs, and has not fully implemented GAO recommendations to improve it. Further, CMS's guidance to states on Medicaid RAC programs did not include steps to address vulnerabilities through a corrective action process.
Effective implementation of these recommendations, provisions of law, and guidance will be a key factor in helping to reduce future improper payments.
This is the accessible text file for GAO report number GAO-11-409T
entitled 'Medicare and Medicaid Fraud, Waste, and Abuse: Effective
Implementation of Recent Laws and Agency Actions Could Help Reduce
Improper Payments' which was released on March 9, 2011.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Federal Financial Management, Government
Information, Federal Services, and International Security, Committee
on Homeland Security and Governmental Affairs, U.S. Senate:
For Release on Delivery:
Expected at 2:30 p.m. EST:
Wednesday, March 9, 2011:
Medicare and Medicaid Fraud, Waste, and Abuse:
Effective Implementation of Recent Laws and Agency Actions Could Help
Reduce Improper Payments:
Statement of Kathleen M. King:
Director, Health Care:
Kay L. Daly:
Director, Financial Management and Assurance:
GAO-11-409T:
View [hyperlink, http://www.gao.gov/products/GAO-11-409T] or key
components. For more information, contact Kathleen M. King at (202)
512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-9095 or
dalykl@gao.gov.
Mr. Chairman, Ranking Member, and Members of the Subcommittee:
I am pleased to be here today to discuss provisions in recent laws and
agency actions that may help reduce fraud, waste, and abuse[Footnote
1] in the Medicare and Medicaid programs.[Footnote 2] Fraud, waste,
and abuse and improper payments put programs at risk. An improper
payment is any payment that should not have been made or that was made
in an incorrect amount (including overpayments and underpayments)
under statutory, contractual, administrative, or other legally
applicable requirements.[Footnote 3]
We have designated both Medicare and Medicaid as high-risk programs.
[Footnote 4] Medicare, a federally financed program, was designated as
high risk because its complexity and susceptibility to improper
payments, added to its size, have made it vulnerable to serious
management challenges. The Centers for Medicare & Medicaid Services
(CMS)--the agency in the Department of Health and Human Services (HHS)
that administers Medicare and oversees Medicaid--has estimated
improper payments for Medicare of almost $48 billion for fiscal year
2010.[Footnote 5] This estimate does not include improper payments in
Part D, the Medicare prescription drug benefit, for which the agency
has not yet estimated a total amount. Medicaid, a federal-state
program, was designated as high risk in part due to concerns about the
adequacy of fiscal oversight, which is necessary to prevent
inappropriate spending. Medicaid also has significant improper
payments. HHS estimated that the federal share of improper payments in
the Medicaid program in fiscal year 2010 was $22.5 billion.[Footnote
6] Since 2004, we have issued 16 products containing strategies we
have identified for reducing fraud, waste, abuse, and improper
payments in Medicare and Medicaid. My statement today updates our
previous work in light of certain provisions affecting Medicare and
Medicaid in PPACA;[Footnote 7] the Small Business Jobs Act of 2010;
[Footnote 8] and pertinent agency actions.
Over the years, the Congress has worked to address fraud, waste, and
abuse, and improper payments in the Medicare and Medicaid programs.
Beginning in 1997, the Congress provided funds specifically for
activities to address fraud, waste, and abuse in federal health care
programs. In addition, Congress created the Medicare Integrity Program
to conduct activities designed to reduce fraud, waste, abuse, and
improper payments in Medicare. The Deficit Reduction Act of 2005
created the Medicaid Integrity Program and included specific
appropriations to reduce fraud, waste, and abuse in Medicaid. In 2010,
PPACA provided further funding for such efforts and set new
requirements specific to Medicare and Medicaid that are designed to
address fraud, waste, and abuse. In the same year, the Improper
Payments Elimination and Recovery Act of 2010 (IPERA) amended the
Improper Payments Information Act of 2002 and established additional
governmentwide requirements related to accountability, recovery
auditing, compliance and noncompliance determinations, and reporting.
[Footnote 9] However, owing to the size and scope of Medicare and
Medicaid, reducing improper payments and addressing fraud, waste, and
abuse in these programs are continuing challenges for CMS--despite
progress made by the agency that we have recognized since the programs
were first designated as high risk.
CMS contractors play an important role in preventing improper payments
in Medicare. Within Medicare Parts A and B--also known as Medicare
fee-for-service (FFS)[Footnote 10]--CMS contractors process and pay
approximately 4.5 million claims per work day, enroll providers,
respond to beneficiary questions, and investigate potential Medicare
fraud. In addition, in Medicare Advantage (Part C) and the Medicare
prescription drug benefit (Part D),[Footnote 11] CMS contracts with
private health plans and drug plan sponsors that administer Medicare
benefits and in that capacity are responsible for helping to ensure
Medicare program integrity.
With more than 50 distinct state-based programs that are partially
federally financed, Medicaid creates complex challenges for CMS and
states. CMS is responsible for overseeing the program at the federal
level, while the states administer their respective programs'
operations. Within broad federal requirements, each state operates its
Medicaid program in accordance with a state plan. Differences in
program design can lead to differences in state programs'
vulnerabilities to improper payments and state approaches to
protecting the program. States play a critical role in implementing
strategies to reduce improper payments and address fraud, waste, and
abuse. However, CMS also has a critical role in ensuring that adequate
controls are in place and states' actions to help reduce improper
payments are effective. Like Medicare, the state Medicaid programs
also rely on contractors to help manage payments or services, but they
vary in their use of contractors.
My testimony today focuses on how implementing recent laws and our
prior recommendations, as well as other agency actions, could help CMS
carry out five key strategies we identified in previous reports to
help reduce fraud, waste, and abuse and improper payments in Medicare
[Footnote 12] and Medicaid.[Footnote 13] This statement discusses past
agency actions, actions in progress, and actions that are still needed
to implement certain recommendations that we continue to consider
important. The five key strategies, and recommendations designed to
facilitate them, are taken from the 16 products mentioned above.
Twelve of these products, which we issued from April 2004 through June
2010, focused on fraud, waste, abuse, and improper payments in
Medicare. Because Medicaid faces a similar challenge to reduce its
improper payments, these Medicare strategies can also be helpful when
tailored to Medicaid. The other 4 products, which we issued since July
2004, focused on reducing fraud, waste, abuse, and improper payments
in Medicaid.[Footnote 14]
The products on which this statement is based were developed by using
a variety of methodologies, including analyses of Medicare and
Medicaid claims, review of relevant policies and procedures,
interviews with agency officials and other stakeholders, and site
visits.[Footnote 15] We also received updated information from CMS in
February 2011 on its actions related to the laws, regulations,
guidance, and open recommendations that we discuss in this statement.
Our work was performed in accordance with generally accepted
government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on
our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
Implementation of Our Prior Recommendations and Recent Laws, as Well
as Other Agency Actions, Could Help CMS Reduce Medicare and Medicaid
Fraud, Waste, and Abuse:
The implementation of specific recommendations made in our prior
reports[Footnote 16] and provisions in PPACA and the Small Business
Jobs Act of 2010, as well as other agency actions, could help in
reducing fraud, waste, and abuse in Medicare and Medicaid. In reports
we have issued from 2004 through 2010, we have identified five key
strategies as important to reducing Medicare and Medicaid fraud,
waste, and abuse, and ultimately improper payments:[Footnote 17]
* strengthening provider enrollment standards and procedures,
* improving prepayment review of claims,
* focusing postpayment claims review on the most vulnerable areas and
adding new recovery audit contractors,
* improving oversight of contractors, and
* developing a robust process for addressing identified
vulnerabilities.[Footnote 18]
PPACA has a number of provisions that could also aid CMS in its
efforts to minimize improper payments, and CMS has issued final rules
implementing some of these provisions. Furthermore, the Small Business
Jobs Act of 2010 and the Presidential Memorandum, "Enhancing Payment
Accuracy through a Do Not Pay List," focus on preventing, reducing,
and recovering improper payments, which could also help CMS in
reducing improper payments in Medicare and Medicaid.
Strengthening Provider Enrollment Procedures for Medicare and Medicaid
Could Reduce the Risk of Enrolling Providers Intent on Defrauding or
Abusing the Program:
Our work on Medicare indicates that strengthening the standards and
procedures for provider enrollment could help reduce the risk of
enrolling providers intent on defrauding or abusing the program.
[Footnote 19] CMS has previously identified two types of providers
whose services and items are especially vulnerable to improper
payments--home health agencies (HHA) and suppliers of durable medical
equipment, prosthetics, orthotics, and supplies (DMEPOS). In our 2009
report on HHAs, we found problems with the enrollment procedures--for
example, CMS's contractors were not requiring HHAs to re-submit
enrollment information (including information about key officials,
operating capital, and practice location) for re-verification every 5
years as required by CMS.[Footnote 20] In a 2005 report on DMEPOS
suppliers, we found that CMS had not taken sufficient steps to prevent
entities intent on defrauding Medicare from enrolling, and we reported
that more effective screening and stronger enrollment standards were
needed to ensure that new suppliers were legitimate businesses.
[Footnote 21] Partly in response to our recommendation to improve the
provider enrollment process, CMS took steps to implement new supplier
quality standards as part of an accreditation rule issued in August
2006 and proposed new supplier enrollment standards in January 2008.
Suppliers were required to meet these new accreditation standards in
2009; however, the new supplier enrollment standards were not
finalized until August 2010. Prior to the implementation of the new
supplier enrollment standards, we exposed persisting weaknesses when
we created two fictitious DMEPOS suppliers, which were subsequently
enrolled by CMS's contractor and given permission to begin billing
Medicare.[Footnote 22] As an enrollment requirement, suppliers must,
upon request, show that they have contracts for obtaining inventory if
the suppliers do not produce their own inventory. Review would have
shown that the contracts provided by our fictitious companies had been
fabricated.
For Medicaid, states have adopted requirements to check providers'
backgrounds before enrollment or during re-enrollment; however, these
enrollment procedures have not been sufficient to protect Medicaid.
For example, in September 2009, we reported that in five states
Medicaid paid over $2 million in controlled substance prescriptions
during fiscal years 2006 and 2007 that were written or filled by 65
medical practitioners and pharmacies that were barred, excluded, or
both from federal health care programs, including Medicaid, for such
offenses as illegally selling controlled substances.[Footnote 23] As a
result, we recommended that CMS consider issuing guidance to state
Medicaid programs to provide assurance that their program requirements
and systems prevent the processing of claims from providers and
pharmacies that were barred from federal contracts or excluded from
Medicare and Medicaid. We also recommended that CMS periodically
identify deaths of Medicaid providers and prevent the approval of
claims associated with providers who had died.
Implementation of PPACA provisions related to provider enrollment
could protect Medicare and Medicaid from making improper payments and
address some of our previous concerns and recommendations. PPACA
requires the Secretary, in consultation with the HHS Office of
Inspector General (OIG), to establish procedures for screening
providers enrolling in Medicare and Medicaid,[Footnote 24] including
assessing the risk levels of fraud, waste, and abuse by categories of
providers. At a minimum, PPACA requires all providers to be subject to
licensure checks, which may include checks across state lines.
Depending on the risks presented by the type of provider, CMS may
require additional screening procedures, such as criminal history
checks.[Footnote 25] Further, PPACA provides for enhanced oversight
for specific periods for new providers and of initial claims of DMEPOS
suppliers. In addition, PPACA directs HHS to promulgate a regulation
requiring providers to include their National Provider Identifier on
all Medicare and Medicaid enrollment applications and claims for
payment.
On February 2, 2011, CMS and the HHS OIG published a final rule to
implement these new screening procedures.[Footnote 26] The rule is
designed to institute a consistent set of enrollment procedures for
Medicare and Medicaid, but not to abridge CMS's established screening
authority or diminish the screening that providers currently undergo.
Therefore, if states have additional Medicaid screening procedures,
they will be able to maintain them.[Footnote 27]
For Medicare, CMS designated three levels of risk--high, moderate, and
limited--with different screening procedures for providers at each
level. Based in part on our work and that of the HHS OIG and its own
experience, CMS designated newly enrolling HHAs and DMEPOS suppliers
as high risk and designated other providers at the lower levels.
[Footnote 28] Providers in all risk levels are to be screened to
verify that they meet specific requirements established by Medicare.
This includes checking providers' licenses, including checks across
state lines; and checking certain databases, to verify items such as
Social Security numbers, on a pre- and post-enrollment basis to ensure
that they continue to meet enrollment criteria.[Footnote 29] Moderate-
and high-risk providers are also subject to unannounced site visits.
All individuals who own a 5 percent or greater interest in high-risk
providers are subject to fingerprinting and criminal background
checks.[Footnote 30] CMS's implementation of fingerprinting and
criminal history checks would address our 2009 recommendation for CMS
to assess the feasibility of verifying the criminal history of all key
HHA officials named on the provider enrollment applications.
In its discussion of the February 2, 2011 final rule, CMS indicated
that the agency intended to review the criteria for its screening
levels on a consistent and ongoing basis and would publish changes if
the agency decided to update the assignment of screening levels for
Medicare providers. This may become necessary, because fraud is not
confined to newly enrolling HHAs and DMEPOS. As more scrutiny is given
to these two types of providers, the types of providers that CMS is
classifying as moderate risk, such as physical therapy practices, may
begin to attract more individuals who are intent on defrauding
Medicare or Medicaid. In their 2010 annual report on the Health Care
Fraud and Abuse Control Program, DOJ and HHS reported convictions or
other legal actions, such as exclusions or civil monetary penalties,
against several types of Medicare providers other than DMEPOS
suppliers and HHAs, such as medical clinics and physical therapy
practices.[Footnote 31] CMS has also established triggers for
adjustments to an individual provider's risk level. For example, if an
individual limited- or moderate-risk provider has been excluded from
Medicare by the HHS OIG, that individual provider would move to the
high-risk level.
For Medicaid, one requirement in CMS's February 2011 rule is that
state Medicaid agencies are to establish categorical levels of risk
for their providers. For the moderate- and high-risk providers, a state
Medicaid agency must conduct site visits, and for high-risk providers,
it must conduct fingerprinting and criminal background checks.
In addition to enhancing screening procedures, PPACA includes two
provisions that strengthen other aspects of provider enrollment for
Medicare and Medicaid. CMS implemented these provisions in its
February 2011 final rule. First, PPACA allows CMS to declare a
moratorium on enrollment of new Medicare and Medicaid providers when
the agency determines such a moratorium to be necessary to prevent or
combat fraud, waste, and abuse. State Medicaid agencies may also
authorize such a moratorium. Second, PPACA also requires state
Medicaid programs to terminate providers that have been terminated
from Medicare or other state Medicaid programs.
PPACA also imposes new requirements on Medicare and Medicaid
providers, including a requirement for establishing compliance
programs that adhere to standards established by the Secretary in
consultation with the OIG.[Footnote 32] CMS sought public comment on
establishing such compliance programs in a proposed rule on September
23, 2010.[Footnote 33] The agency indicated in explaining its February
2011 final rule that it intended to conduct further rulemaking on
compliance program requirements and would advance specific proposals
in the future. In addition, PPACA imposes specific requirements for
providers to disclose any current or previous affiliation with a
provider that has uncollected debt; has been or is subject to a
payment suspension under a federal health care program; has been
excluded from participation under Medicare, Medicaid, or CHIP; or has
had its billing privileges denied or revoked. The law allows CMS to
deny enrollment to any such provider whose previous affiliations pose
an undue risk. In February 2011, CMS told us that it was drafting a
proposed rule to implement this authority. Further, providers that
order home health services must have a face-to-face encounter with the
beneficiary before the services can be ordered. CMS issued a final
rule regarding this requirement in November 2010.[Footnote 34]
Finally, providers that order DMEPOS or home health services for
beneficiaries will have to be enrolled in Medicare or Medicaid and
maintain documentation on the services or items ordered, and the
claims for these services and items must contain their National
Provider Identifier number.
Before PPACA, CMS had taken other steps over the past 3 years
regarding the legitimacy of providers, and PPACA has provisions that
are consistent with some of these steps. First, the agency implemented
a statutory requirement for DMEPOS suppliers to post a surety bond to
help Medicare recoup erroneous payments that result from fraudulent or
abusive billing practices.[Footnote 35] PPACA extended CMS's authority
to impose surety bonds consistent with billing volume to all Medicare
providers.[Footnote 36] Second, as directed by law, CMS required that
all DMEPOS suppliers be accredited by a CMS-approved accrediting
organization to ensure that they meet minimum standards. In June 2010,
CMS told us that approximately 9,000 DMEPOS suppliers were
disenrolled as a result of these surety bond and accreditation
requirements. Third, CMS began to implement a Medicare competitive
bidding program for durable medical equipment and supplies with prices
that took effect in January 2011 from the first round of bidding. This
program could also help reduce fraud, waste, and abuse because it
requires CMS to select DMEPOS suppliers based in part on new scrutiny
of their financial documents and other application materials, among
other things. The program took effect initially in nine metropolitan
areas. PPACA built upon some of these efforts. It required CMS to
speed up implementation of the competitive bidding program, expanding
the number of areas to be included in the second round of bidding from
70 to 91 by the end of 2011.
Improving Prepayment Review of Claims Could Prevent Improper Payments
from Being Made:
Our work on Medicare has shown that prepayment reviews of claims are
essential to help ensure that Medicare pays correctly the first time.
Conducting these reviews is challenging due to the volume of claims.
Overall, less than 1 percent of Medicare's claims are subject to a
medical record review by trained contractor personnel. Therefore,
having robust automated payment controls--called edits--in place that
can deny inappropriate claims or flag them for further review is
critical. However, we have found weaknesses in these prepayment
controls. For example, in 2007, we found that contractors responsible
for reviewing DMEPOS claims did not have automated prepayment controls
in place to identify questionable claims, such as those associated
with atypically rapid increases in billing or for items unlikely to be
prescribed in the normal course of medical care.[Footnote 37] Lack of
such prepayment controls has resulted in losses to Medicare.[Footnote
38] As a result, we recommended in 2007 that CMS require its
contractors to develop thresholds for unexplained increases in billing
and use them to develop automated prepayment controls. Although CMS
has not implemented that recommendation specifically, it has added
edits to flag claims for services unlikely to be provided in the
normal course of medical care. Additional prepayment controls, such as
those based on thresholds for unexplained increases in billing, could
further enhance CMS's ability to identify improper claims before they
are paid.
PPACA requires state Medicaid agencies to add some specific prepayment
edits. Beginning with claims submitted on October 1, 2010, PPACA
requires states to incorporate into their Medicaid Management
Information System compatible National Correct Coding Initiative
(NCCI) methodologies in order to promote correct coding and to control
improper coding leading to inappropriate payment.[Footnote 39] These
methodologies are in use in the Medicare program for edits related to
certain practitioner services, ambulatory surgical center services,
outpatient hospital services, and supplier claims for durable medical
equipment. For example, NCCI edits can detect claims with duplicate
services delivered to the same beneficiary on the same date of
service, such as more than one excision of a gallbladder for the same
beneficiary. CMS provided guidance on how to implement this
requirement through a state Medicaid directors' letter issued on
September 1, 2010.
The Small Business Jobs Act of 2010 also has a provision regarding
claims review to prevent improper payments. It requires CMS to use
predictive modeling and other analytic techniques--known as predictive
analytic technologies--both to identify and to prevent improper
payments under the Medicare FFS program.[Footnote 40] The law requires
these predictive analytic technologies to be used to analyze and
identify Medicare provider networks, billing patterns, and beneficiary
utilization patterns and detect those that represent a high risk of
fraudulent activity. Through such analysis, unusual or suspicious
patterns or abnormalities could be identified that could be used to
prioritize additional review of suspicious transactions before payment
is made. CMS published a solicitation in December 2010 for these
technologies and a case management system to track findings. The law
requires that the solicitation require contractors that are selected
to begin using these technologies on July 1, 2011, in the 10 states
identified by CMS as having the highest risk of waste, fraud, or abuse
in Medicare FFS payments. After the initial year, based on the results
of the predictive analytic technologies, their use will be expanded to
other states. Based on the results after year 3, the technologies are
to be expanded to Medicaid. In September 2010, CMS indicated that it
was conducting pilots to test the ability of the technologies to
identify potential fraud in paid claims. Agency officials told us that
the experience from the pilot projects helped them develop the
solicitation. CMS reported that it planned to incorporate the
technologies for prepayment review after testing them through
postpayment review to ensure that the new technologies work as
intended and do not disrupt claims from legitimate providers or
diminish access to care for legitimate beneficiaries.
In addition, a June 2010 Presidential Memorandum directed agencies to
check certain databases--known as the "Do Not Pay List"--before making
payments, to ensure that payments did not go to individuals who were
dead or excluded from receiving federal payments or to entities that
had been excluded from receiving federal payments. CMS officials
stated that, in response to the Presidential Memorandum, the agency
reviewed the databases that it and its Medicare contractors were using
to determine payment eligibility for providers and took action to
ensure that the agency's method of ensuring payment eligibility was
consistent with the intent of the "Do Not Pay List". Specifically, CMS
told us that it is currently reviewing the following databases: (1)
the Social Security Administration's (SSA) Death Master File, (2) HHS
OIG's Exclusions Database, (3) the Federal Payment Levy Program
(FPLP), (4) the Treasury Offset Program, and (5) General Services
Administration's Excluded Parties List System (EPLS).[Footnote 41] CMS
reported that it uses information from these databases to update its
provider enrollment system. Specifically, provider enrollment
information is checked monthly against the Medicare Exclusion
Database, which contains information from the HHS OIG's Exclusions
Database, the GSA's EPLS, and the SSA's Death Master File to update
providers' enrollment status. Agency officials told us that CMS's
contractors integrate updated provider enrollment information into
CMS's payment system. Specifically, changes in CMS's provider
enrollment system are downloaded nightly to the CMS contractors that
pay claims.[Footnote 42] Claims are then run through prepayment edits
to check that providers are active and eligible for payment. With
regard to Medicaid, CMS officials said that the state programs use
some of these data sets, such as SSA's Death Master File, but that the
states' abilities to complete checks consistent with the Presidential
Memorandum would depend on whether they could obtain access to other
databases, such as the FPLP, which has information on federal tax
debt. The CMS officials added that they have encouraged states to
review the databases available to them prior to making payments.
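The three kinds of automated prepayment edits described above (a provider eligibility check, a duplicate-service check, and a threshold for unexplained increases in billing) can be sketched as follows; this is an added illustration, not GAO's or CMS's code, and it does not reproduce the NCCI methodologies. The claim fields, provider status values, the 3x threshold ratio, the baseline floor, and every sample claim are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

PAY, FLAG, DENY = "PAY", "FLAG_FOR_REVIEW", "DENY"


@dataclass(frozen=True)
class Claim:
    claim_id: str
    provider_id: str
    beneficiary_id: str
    procedure_code: str   # constructed codes, not real billing codes
    service_date: date
    amount: float


class PrepaymentEdits:
    """Runs each claim through three edits before payment (hypothetical design)."""

    def __init__(self, enrollment, monthly_history,
                 spike_ratio=3.0, baseline_floor=1000.0):
        self.enrollment = enrollment            # provider_id -> status string
        self.monthly_history = monthly_history  # provider_id -> prior monthly totals
        self.spike_ratio = spike_ratio          # assumed threshold multiplier
        self.baseline_floor = baseline_floor    # assumed minimum baseline
        self._seen = {}                         # service key -> first claim_id
        self._month_total = defaultdict(float)  # (provider, year, month) -> billed

    def review(self, claim):
        # Edit 1: provider must be active in the enrollment data.
        status = self.enrollment.get(claim.provider_id, "unknown")
        if status != "active":
            return DENY, f"provider status is {status}"

        # Edit 2: same service for the same beneficiary on the same date.
        key = (claim.beneficiary_id, claim.procedure_code, claim.service_date)
        if key in self._seen:
            return DENY, f"duplicate of {self._seen[key]}"
        self._seen[key] = claim.claim_id

        # Edit 3: running monthly total compared with the provider's baseline.
        # The floor keeps new or very small providers from having a zero
        # baseline, which would otherwise flag their first claim.
        month = (claim.provider_id, claim.service_date.year,
                 claim.service_date.month)
        self._month_total[month] += claim.amount
        history = self.monthly_history.get(claim.provider_id, [])
        baseline = max(mean(history) if history else 0.0, self.baseline_floor)
        limit = self.spike_ratio * baseline
        if self._month_total[month] > limit:
            return FLAG, f"monthly billing {self._month_total[month]:.2f} exceeds {limit:.2f}"
        return PAY, "passed all edits"


def demo():
    """Run constructed sample claims and return claim_id -> decision."""
    enrollment = {"P1": "active", "P2": "excluded", "P3": "active", "P4": "active"}
    history = {"P1": [10000.0, 12000.0, 11000.0],
               "P3": [2000.0, 2500.0, 1500.0]}   # P4 is new: no history
    claims = [
        Claim("C1", "P1", "B1", "CODE-A", date(2011, 1, 10), 900.0),
        Claim("C2", "P1", "B1", "CODE-A", date(2011, 1, 10), 900.0),  # duplicate
        Claim("C3", "P2", "B2", "CODE-A", date(2011, 1, 10), 900.0),  # excluded
        Claim("C4", "P3", "B3", "CODE-B", date(2011, 1, 11), 2500.0),
        Claim("C5", "P3", "B4", "CODE-B", date(2011, 1, 12), 2500.0),
        Claim("C6", "P3", "B5", "CODE-B", date(2011, 1, 13), 2500.0),  # spike
        Claim("C7", "P4", "B6", "CODE-C", date(2011, 1, 14), 500.0),
        Claim("C8", "P9", "B7", "CODE-C", date(2011, 1, 14), 500.0),  # not enrolled
    ]
    edits = PrepaymentEdits(enrollment, history)
    return {c.claim_id: edits.review(c)[0] for c in claims}


if __name__ == "__main__":
    for claim_id, decision in demo().items():
        print(claim_id, decision)
```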
Focusing Postpayment Claims Review on the Most Vulnerable Areas and
Adding New Recovery Audit Contractors Could Increase Identification of
Improper Payments:
We have found that postpayment reviews are critical to identifying
payment errors to recoup overpayments in Medicare and that there are
steps that could strengthen postpayment review. These steps involve
focusing postpayment claims review on the most vulnerable areas and
increasing the amount of postpayment review by using recovery audit
contractors (RAC) for the Medicare and Medicaid programs.
CMS's claims administration contractors conduct limited postpayment
reviews; therefore, it is important that they target their postpayment
review resources on providers with a demonstrated high risk of
improper payments.[Footnote 43] For example, in 2009 we recommended
that postpayment reviews be conducted on claims submitted by HHAs with
high rates of improper billing identified through prepayment review.
[Footnote 44] To date, CMS has not implemented this recommendation;
however, in February 2011 CMS told us that its contractors are
developing medical review strategies that may include postpayment
reviews on HHAs. We continue to believe that focusing postpayment
claims review on the most vulnerable areas should be a priority.
Cross-checking claims for home health services with the physicians who
prescribed them can be a further safeguard against fraud, waste, and
abuse, but, as we reported in 2009, this is not routinely done.
[Footnote 45] For example, a physician must certify that a beneficiary
needs home health services before services can be provided, but CMS
does not routinely provide physicians with information that would
enable a physician to determine whether an HHA was billing for
services that the physician had not authorized or services that the
physician would not consider necessary for the beneficiary's care. We
recommended that CMS require that physicians receive a statement of
services beneficiaries received based on the physicians'
certification, but to date, the agency has not taken action. Taking
such action also could be beneficial for other services and items
susceptible to fraud and abuse that are not billed directly by
physicians, such as DMEPOS. In February 2011, CMS indicated that it
did not plan to implement this recommendation because agency officials
thought that it would involve extensive resources to do so.
Prior to PPACA, CMS had efforts focusing on postpayment review of
claims, most recently its new national RAC program, which began in
March 2009, after completion of a 3-year demonstration program in
2008.[Footnote 46] The national program is designed to help the agency
supplement the postpayment reviews conducted by contractors other than
RACs. The RACs review Part A and B claims after payment, but because
RACs are paid a contingent fee based on the dollar value of the
improper payments identified, they have focused on claims from
inpatient hospital stays, which are generally more costly services. We
pointed out to CMS in our previous work that other contractors'
postpayment review activities could be more valuable if CMS directed
these contractors to focus on items and services where RACs are not
expected to focus their reviews, and where improper payments are known
to be high, such as home health services claims.[Footnote 47]
PPACA expands Medicare's RAC program to Parts C and D. CMS published a
request for comments on the development of Parts C and D RACs in
December 2010. CMS awarded a Part D RAC task order for a 1-year base
period that began January 2011 and 4 option years.
PPACA also requires state Medicaid programs to establish contracts,
consistent with state law and similar to the contracts established for
the Medicare RAC program, with one or more RACs. These state RACs are
to identify underpayments and identify and recoup overpayments made
for services provided by state Medicaid programs. In November 2010,
CMS issued a proposed rule and guidance to states on establishing a
Medicaid Recovery Audit Contractor program. CMS's proposed rule
covered issues such as contingency fees and establishing a process for
provider appeals of RAC determinations. States can ask CMS for an
exception to the Medicaid RAC requirements. CMS officials told us that
as of February 2011, 55 state Medicaid agencies have submitted their
plans for addressing the Medicaid RAC PPACA provision, and 14 states
have asked for exceptions in part or in whole. CMS plans to make
public its decisions on any exceptions granted.
Improving Oversight of Contractors Could Help Ensure That Safeguard
Activities Are Conducted:
Overseeing the activities of contractors that provide services to
Medicare beneficiaries is critical to addressing fraud, waste, and
abuse and preventing improper payments. Over the years, we found areas
where CMS's oversight had been insufficient to ensure that required
program control activities were conducted and working well. For
example, all Part D drug plan sponsors are required to have programs
to detect, correct, and prevent fraud, waste, and abuse--also referred
to as fraud and abuse programs. CMS is responsible for ensuring that
sponsors are in compliance with this requirement; however, in 2008 we
found that CMS's oversight of these programs had been limited.
[Footnote 48] We recommended that CMS conduct timely audits of
sponsors' fraud and abuse programs. CMS agreed with this
recommendation, and in March 2010 we reported that CMS had completed
desk audits of selected sponsors' programs and was beginning to
implement an expanded oversight strategy, including on-site audits to
assess the effectiveness of these programs more thoroughly.[Footnote
49] In November 2010, CMS officials reported that the agency had
conducted on-site audits of 33 of the 290 sponsors in 2010, which
covered 62 percent of the enrolled beneficiaries in 2010. As a result
of the on-site audits, CMS had taken formal enforcement actions
against several sponsors. In addition, CMS published a final rule in
April 2010 to increase its oversight efforts and ensure that sponsors
have effective programs in place.[Footnote 50]
PPACA included new requirements for CMS to evaluate contractors
receiving Medicare Integrity Program and Medicaid Integrity Program
funding every 3 years. In addition, PPACA requires these contractors
to provide performance statistics to HHS and OIG upon request. These
statistics may include the number and amount of overpayments
recovered, the number of fraud referrals, and the return on investment
of such activities. In February 2011, CMS officials told us that they
are taking action to implement these requirements for Medicare and
Medicaid. For Medicare, CMS reported that it is currently tracking
performance statistics and is adding to and refining these statistics.
CMS is also currently developing the specific performance statistics
for its Part D integrity contractors and expects to finalize these
statistics this year. For Medicaid, CMS also reported that it is
requiring states to track performance statistics and anticipates
finalizing the specific performance statistics to be tracked by March
2011.
Developing a Robust Process for Addressing Identified Vulnerabilities
Could Help Reduce Improper Payments:
Having mechanisms in place to resolve vulnerabilities that lead to
improper payment is critical to effective program management, but our
work has shown that CMS has not developed a robust process to
specifically address identified vulnerabilities that lead to improper
payments in Medicare. We have reported that an agency should have
policies and procedures to ensure that (1) the findings of all audits
and reviews are promptly evaluated, (2) decisions are made about the
appropriate response to these findings, and (3) actions are taken to
correct or resolve the issues promptly.[Footnote 51] We have also
stressed the importance of holding individuals accountable for
achieving agency objectives.
As we reported in March 2010, CMS did not establish an adequate
process during its recovery audit contracting demonstration or in
planning for the national program to ensure prompt resolution of
identified improper payment vulnerabilities in Medicare.[Footnote 52]
During the demonstration, CMS did not assign responsibility to agency
officials or contractors for taking corrective action. According to
CMS officials, the agency took corrective action only for
vulnerabilities with national implications, and let the contractors
that processed and paid claims decide whether to take action for
vulnerabilities that might occur only in certain geographic areas.
Additionally, during the demonstration CMS did not specify in a plan
what type of corrective action was required or establish a time frame
for corrective action. The documented lack of assigned
responsibilities impeded CMS's efforts to promptly resolve the
vulnerabilities identified during the demonstration.
For the national Medicare RAC program, although CMS established a
corrective action team to compile, review, and categorize identified
vulnerabilities and discuss corrective action recommendations, the
corrective action process is still incomplete. CMS appointed the
Director of the Office of Financial Management to be responsible for
the day-to-day operations of the program, and the CMS Administrator to
be responsible for vulnerabilities that span agency components.
However, the corrective action process still does not include any
steps to either assess the effectiveness of the corrective actions
taken or adjust them as necessary based on the results of the
assessments. Further, the agency has not developed time frames for
implementing corrective actions.
Because of these weaknesses, we recommended that CMS develop and
implement a corrective action process that includes policies and
procedures to ensure that the agency promptly (1) evaluates findings
of RAC audits, (2) decides on the appropriate response and a time
frame for taking action based on established criteria, and (3) acts to
correct the vulnerabilities identified.[Footnote 53] CMS concurred
with this recommendation. Agency officials said they intended to
review vulnerabilities on a case-by-case basis and were considering
assigning them to risk categories to help prioritize their actions.
However, to date, this recommendation has not been implemented. In
February 2011, CMS reported that the agency is still working to
address the vulnerabilities identified during the demonstration
program. Specific to corrective actions, CMS told us that it now
requires its contractors to consider and evaluate vulnerabilities
identified by various entities, including the RACs.
For the Medicaid RAC program, CMS's proposed rule for state Medicaid
programs does not include any steps to collect information on
vulnerabilities to improper payment and develop a corrective action
process to address them. Lessons learned from the Medicare RAC program
indicate that collecting information on vulnerabilities and having an
adequate corrective action process are important to address
vulnerabilities. In turn, this suggests that having Medicaid RACs
report to state Medicaid agencies and CMS on the vulnerabilities they
identify and having a corrective action process to address those
vulnerabilities would be important to reduce Medicaid improper
payments. State Medicaid agencies are required to have a corrective
action process as part of their activities to reduce their Medicaid
error rates. Information from the Medicaid RAC program could be
incorporated into these processes. Although its guidance was silent on
this issue, in February 2011, CMS told us that state Medicaid programs
will be responsible for addressing RAC-identified vulnerabilities and
that it will monitor and assist states in implementing corrective
actions.
Concluding Observations:
The amount of improper payments in the Medicare and Medicaid programs
creates urgency for CMS to act decisively to reduce them. Identifying
the nature, extent, and underlying causes of improper payments is an
essential prerequisite to reducing them, as is implementing our prior
recommendation to develop an adequate corrective action process to
address vulnerabilities. CMS could also take other actions to help
better address the issue of fraud, waste, abuse, and improper payments
in the Medicare and Medicaid programs. For Medicare, these include (1)
developing thresholds for unexplained increases in billing and using
them to develop automated prepayment controls, (2) conducting
postpayment reviews on claims submitted by HHAs with high rates of
improper billing identified through prepayment review, (3)
cross-checking claims for home health services with the physicians who
prescribed them, and (4) focusing claims administration contractors'
postpayment reviews on items and services where RACs are not expected
to focus their reviews, and where improper payments are known to be
high. For Medicaid, other actions include ensuring that states develop
adequate corrective action processes to address vulnerabilities to
improper Medicaid payments to providers and issuing guidance to states
to better prevent payment of improper claims for controlled substances.
As it implements PPACA provisions concerning Medicare and Medicaid,
CMS has an opportunity to address fraud, waste, abuse, and improper
payments in the two programs. CMS has made progress in rulemaking and
issuing guidance to implement this law, the Small Business Jobs Act,
and the "Do Not Pay List" memorandum. CMS's implementation efforts are
in process, so it is too early to gauge their effects. As these
requirements become part of Medicare and Medicaid operations,
additional evaluation and oversight will help determine whether they
are implemented as intended and have the desired effect on better
ensuring proper payment. As the implementation process proceeds, we
are continuing to monitor these issues. Notably, we are beginning new
work to assess CMS's efforts to strengthen the standards and
procedures for Medicare provider enrollment to reduce the risk of
enrolling providers that are intent on defrauding or abusing the
program. We also plan to examine the effectiveness of different types
of prepayment edits in Medicare and of CMS's oversight of its
contractors in implementing those edits to help ensure that Medicare
pays claims correctly the first time. The level of importance placed
on effectively implementing our recommendations and the requirements
established by recent laws and guidance will be a key factor in
reducing improper payments in the Medicare and Medicaid programs and
ensuring that federal funds are used efficiently and for their
intended purposes.
Mr. Chairman, this concludes my prepared statement. I would be happy
to answer any questions you or other members of the subcommittee may
have.
Contacts and Acknowledgments:
For further information about this statement, please contact Kathleen
M. King at (202) 512-7114 or kingk@gao.gov or Kay L. Daly at
(202) 512-9095 or DalyKL@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this statement. Sheila K. Avruch and Sabrina Springfield,
Assistant Directors; Jennel Harvey; Jawaria Gilani; Shannon Legeer;
Chelsea Lounsbury; Roseanne Price; Lisa Rogers; and Jennifer Whitworth
were key contributors to this statement.
[End of section]
Appendix I: Abbreviations:
CHIP: Children's Health Insurance Plan:
CMS: Centers for Medicare & Medicaid Services:
DMEPOS: durable medical equipment, prosthetics, orthotics, and
supplies:
EPLS: General Services Administration's Excluded Parties List System:
FFS: Medicare fee-for-service:
FPLP: Federal Payment Levy Program:
HCERA: Health Care and Education Reconciliation Act of 2010:
HHA: home health agencies:
HHS: Department of Health and Human Services:
NCCI: National Correct Coding Initiative:
OIG: Office of the Inspector General:
PPACA: Patient Protection and Affordable Care Act:
RAC: Recovery Audit Contractor:
SSA: Social Security Administration:
[End of section]
Appendix II: Open Recommendations:
Durable Medical Equipment, Prosthetics, Orthotics, and Supplies
(DMEPOS):
GAO report title and number: Medicare: Improvements Needed to Address
Improper Payments for Medical Equipment and Supplies, GAO-07-59;
GAO recommendation: 1. The Administrator of CMS should require the
Program Safeguard Contractors to develop thresholds for unexplained
increases in billing--and use them to develop automated prepayment
controls as one component of their manual medical review strategies;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has not implemented our recommendation specifically, but has added
edits to flag claims for services that were unlikely to be provided in
the normal course of medical care. CMS told us they are in the process
of awarding contracts to implement advanced fraud detection and some
contract awardees may have the ability to include increases in billing
as part of those fraud detection efforts.
Home Health Agencies (HHA):
GAO report title and number: Medicare: Improvements Needed to Address
Improper Payments in Home Health, GAO-09-185;
GAO recommendation: 2. To strengthen the controls on improper payments
in the Medicare home health benefit, the Administrator of CMS should
assess the feasibility of verifying the criminal history of all key
officials named on an HHA enrollment application;
Centers for Medicare & Medicaid Services (CMS) implementation status:
The Patient Protection and Affordable Care Act requires CMS to
establish additional screening procedures for providers enrolling in
Medicare and Medicaid. CMS has published a final rule that subjects
high-risk providers in Medicare to fingerprinting and criminal
background checks. Implementation of these efforts would address our
recommendation.
GAO report title and number: Medicare: Improvements Needed to Address
Improper Payments in Home Health, GAO-09-185;
GAO recommendation: 3. To strengthen the controls on improper payments
in the Medicare home health benefit, the Administrator of CMS should
give physicians whose identification number was used to certify or
recertify a plan of care a statement of services the HHA provided to
that beneficiary based on the physician's certification;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has no plans to implement this recommendation. The agency
indicated that doing so would require extensive resources and funding.
GAO report title and number: Medicare: Improvements Needed to Address
Improper Payments in Home Health, GAO-09-185;
GAO recommendation: 4. To strengthen the controls on improper payments
in the Medicare home health benefit, the Administrator of CMS should
direct CMS contractors to conduct postpayment medical reviews on
claims submitted by HHAs with high rates of improper billing
identified through prepayment review;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has not implemented this recommendation, but CMS reported that its
contractors are developing medical review strategies that may include
postpayment reviews on HHA claims. We believe there is an opportunity
to further strengthen controls on improper payments if CMS were to
direct its contractors to specifically conduct postpayment medical
reviews on claims submitted with high rates of billing identified
through prepayment review.
GAO report title and number: Medicare: Improvements Needed to Address
Improper Payments in Home Health, GAO-09-185;
GAO recommendation: 5. To strengthen the controls on improper payments
in the Medicare home health benefit, the Administrator of CMS should
amend current regulations to expand the types of improper billing
practices that are grounds for revocation of billing privileges.
Grounds for revocation could include a pattern of submitting claims
that are falsified, for persons who do not meet Medicare's coverage
criteria, or are for services that are not medically necessary;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has not implemented this recommendation.
Controlled Substances:
GAO report title and number: Medicaid: Fraud and Abuse Related to
Controlled Substances Identified in Selected States, GAO-09-957;
GAO recommendation: 6. To establish an effective fraud prevention
system for the Medicaid program, the Administrator of CMS should
evaluate our findings and consider issuing guidance to the state
programs to provide assurance that claims processing systems prevent
the processing of claims from providers and pharmacies debarred from
federal contracts (i.e., on the Excluded Parties List System (EPLS)),
excluded from the Medicare and Medicaid programs (i.e., on the List of
Excluded Individuals/Entities (LEIE)), or both;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS told us it has taken various steps to implement this
recommendation. It issued guidance to state Medicaid directors
regarding the frequency with which states should check for excluded
parties and directing them to provide guidance to enrolled providers
and managed care organizations regarding checking for excluded
employers, contractors, agents, etc. CMS also conducts triennial
comprehensive program integrity reviews of states, in which they
examine a sample of providers to determine if they contained excluded
individuals.
GAO report title and number: Medicaid: Fraud and Abuse Related to
Controlled Substances Identified in Selected States, GAO-09-957;
GAO recommendation: 7. To establish an effective fraud prevention
system for the Medicaid program, the Administrator of CMS should
evaluate our findings and consider issuing guidance to the state
programs to provide assurance that Drug Utilization Review and
restricted recipient program requirements adequately identify and
prevent doctor shopping and other abuses of controlled substances;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has taken some steps to address this recommendation. Beginning in
fiscal year 2011, as part of the triennial comprehensive program
integrity reviews, CMS staff reviewed states' recipient restriction
programs. CMS also made efforts to educate providers, beneficiaries,
and others on related payment integrity and quality assurance issues.
GAO report title and number: Medicaid: Fraud and Abuse Related to
Controlled Substances Identified in Selected States, GAO-09-957;
GAO recommendation: 8. To establish an effective fraud prevention
system for the Medicaid program, the Administrator of CMS should
evaluate our findings and consider issuing guidance to the state
programs to provide assurance that effective claims processing systems
are in place to periodically identify both duplicate enrollments and
deaths of Medicaid beneficiaries and to prevent the approval of claims
when appropriate;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has begun to take steps to address aspects of this recommendation.
The agency is in the process of working with states to validate their
processes to prevent the approval of claims for deceased Medicaid
beneficiaries.
GAO report title and number: Medicaid: Fraud and Abuse Related to
Controlled Substances Identified in Selected States, GAO-09-957;
GAO recommendation: 9. To establish an effective fraud prevention
system for the Medicaid program, the Administrator of CMS should
evaluate our findings and consider issuing guidance to the state
programs to provide assurance that effective claims processing systems
are in place to periodically identify deaths of Medicaid providers and
prevent the approval of claims when appropriate;
Centers for Medicare & Medicaid Services (CMS) implementation status:
CMS has taken some steps to improve how deceased provider information
is incorporated into claims processing in the Medicaid program.
Specifically, CMS told us that it is currently implementing steps to
access Medicare's provider enrollment system, which is updated monthly
to reflect excluded and deceased providers, in order to inform
Medicaid's provider data.
Recovery Audit Contracting:
GAO report title and number: Medicare Recovery Audit Contracting:
Weaknesses Remain in Addressing Vulnerabilities to Improper Payments,
Although Improvements Made to Contractor Oversight, GAO-10-143;
GAO recommendation: 10. To help reduce future improper payments, the
Administrator of CMS should develop and implement a process that
includes policies and procedures to ensure that the agency promptly:
(1) evaluates findings of recovery audit contractors (RAC) audits, (2)
decides on the appropriate response and a time frame for taking action
based on established criteria, and (3) acts to correct the
vulnerabilities identified;
Centers for Medicare & Medicaid Services (CMS) implementation status:
Although CMS has not implemented our recommendation specifically, it
has taken some steps to address vulnerabilities identified by the RAC
demonstration program. For example, CMS has developed
provider-specific reports related to the demonstration program and established
a team to facilitate the corrective action process. In addition, CMS
told us that it now requires its contractors to consider and evaluate
vulnerabilities identified by various entities, including the RACs.
Source: GAO and GAO analysis of CMS information.
[End of table]
[End of section]
Related GAO Products:
Medicare Fraud, Waste, and Abuse: Challenges and Strategies for
Preventing Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-10-844T]. Washington, D.C.: June 15,
2010.
Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing
Vulnerabilities to Improper Payments, Although Improvements Made to
Contractor Oversight. [hyperlink,
http://www.gao.gov/products/GAO-10-143]. Washington, D.C.: March 31,
2010.
Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and Abuse
Programs Has Been Limited, but CMS Plans Oversight Expansion.
[hyperlink, http://www.gao.gov/products/GAO-10-481T]. Washington,
D.C.: March 3, 2010.
Medicare: CMS Working to Address Problems from Round 1 of the Durable
Medical Equipment Competitive Bidding Program. [hyperlink,
http://www.gao.gov/products/GAO-10-27]. Washington, D.C.: November 6,
2009.
Medicaid: Fraud and Abuse Related to Controlled Substances Identified
in Selected States. [hyperlink,
http://www.gao.gov/products/GAO-09-957]. Washington, D.C.: September
9, 2009.
Improper Payments: Progress Made but Challenges Remain in Estimating
and Reducing Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-09-628T]. Washington, D.C.: April 22,
2009.
Medicare: Improvements Needed to Address Improper Payments in Home
Health. [hyperlink, http://www.gao.gov/products/GAO-09-185].
Washington, D.C.: February 27, 2009.
Medicare Part D: Some Plan Sponsors Have Not Completely Implemented
Fraud and Abuse Programs, and CMS Oversight Has Been Limited.
[hyperlink, http://www.gao.gov/products/GAO-08-760]. Washington, D.C.:
July 21, 2008.
Medicare: Covert Testing Exposes Weaknesses in the Durable Medical
Equipment Supplier Screening Process. [hyperlink,
http://www.gao.gov/products/GAO-08-955]. Washington, D.C.: July 3,
2008.
Medicare: Competitive Bidding for Medical Equipment and Supplies Could
Reduce Program Payments, but Adequate Oversight Is Critical.
[hyperlink, http://www.gao.gov/products/GAO-08-767T]. Washington,
D.C.: May 6, 2008.
Improper Payments: Status of Agencies' Efforts to Address Improper
Payment and Recovery Auditing Requirements. [hyperlink,
http://www.gao.gov/products/GAO-08-438T]. Washington, D.C.: January
31, 2008.
Improper Payments: Federal Executive Branch Agencies' Fiscal Year 2007
Improper Payment Estimate Reporting. [hyperlink,
http://www.gao.gov/products/GAO-08-377R]. Washington, D.C.: January
23, 2008.
Medicare: Improvements Needed to Address Improper Payments for Medical
Equipment and Supplies. [hyperlink,
http://www.gao.gov/products/GAO-07-59]. Washington, D.C.: January 31,
2007.
Medicaid Financial Management: Steps Taken to Improve Federal
Oversight but Other Actions Needed to Sustain Efforts. [hyperlink,
http://www.gao.gov/products/GAO-06-705]. Washington, D.C.: June 22,
2006.
Medicare: More Effective Screening and Stronger Enrollment Standards
Needed for Medical Equipment Suppliers. [hyperlink,
http://www.gao.gov/products/GAO-05-656]. Washington, D.C.: September
22, 2005.
Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard
Program Dollars Is Limited. [hyperlink,
http://www.gao.gov/products/GAO-05-855T]. Washington, D.C.: June 28,
2005.
Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending
for Power Wheelchairs. [hyperlink,
http://www.gao.gov/products/GAO-05-43]. Washington, D.C.: November 17,
2004.
Medicaid Program Integrity: State and Federal Efforts to Prevent and
Detect Improper Payments. [hyperlink,
http://www.gao.gov/products/GAO-04-707]. Washington, D.C.: July 16,
2004.
Medicare: CMS Did Not Control Rising Power Wheelchair Spending.
[hyperlink, http://www.gao.gov/products/GAO-04-716T]. Washington,
D.C.: April 28, 2004.
[End of section]
Footnotes:
[1] Fraud represents intentional acts of deception with knowledge that
the action or representation could result in an inappropriate gain.
Waste includes inaccurate payments for services, such as unintentional
duplicate payments. Abuse represents actions inconsistent with
acceptable business or medical practices.
[2] Medicare is the federally financed health insurance program for
persons age 65 or over, certain individuals with disabilities, and
individuals with end-stage renal disease. Medicaid is the
federal-state program that covers acute health care, long-term care, and other
services for low-income people and consists of more than 50 distinct
state-based programs. In fiscal year 2009, Medicaid covered about 65
million people. The federal government matches states' expenditures
for most Medicaid services using a statutory formula based on each
state's per capita income.
[3] This definition includes any payment to an ineligible recipient,
any payment for an ineligible good or service, any duplicate payment,
any payment for a good or service not received (except where
authorized by law), and any payment that does not account for credit
for applicable discounts. Pub. L. No. 111-204, § 2(e), 124 Stat. 2224,
2227 (2010) (codified at 31 U.S.C. § 3321 note).
[4] In 1990, we began to report on government operations that we
identified as "high risk" for serious weaknesses in areas that involve
substantial resources and provide critical services to the public. See
GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February
2011). [hyperlink,
http://www.gao.gov/highrisk/risks/insurance/medicare_program.php].
[5] HHS, "Improper Payment Reduction Outlook FY 2009 through 2013," in
Fiscal Year 2010 Agency Financial Report (Washington, D.C.: Nov. 15,
2010). The Secretary of HHS has delegated administration of the
Medicare program to the Administrator of CMS. See Appendix I for
abbreviations used in this statement.
[6] In its Fiscal Year 2010 Agency Financial Report, HHS calculated
and reported the 3-year (2008, 2009, and 2010) weighted average
national payment error rate for Medicaid of 9.4 percent. See
Department of Health and Human Services FY 2010 Agency Financial
Report (Washington, D.C.: Nov. 15, 2010).
[7] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the
Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L.
No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA.
The program integrity provisions discussed in this statement are
generally located in sections 6401 through 6411 and 10603 and 10605 of
PPACA as well as section 1304 of HCERA. For our previous work, see a
list of related products at the end of this statement.
[8] Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599.
[9] Implementing guidance has not been issued, and therefore it is too
early to assess the implementation of these requirements.
[10] Medicare Parts A and B are known as original Medicare or Medicare
FFS. Medicare Part A covers hospital and other inpatient stays.
Medicare Part B is optional, and covers hospital outpatient,
physician, and other services.
[11] Medicare beneficiaries have the option of obtaining coverage for
Part A and B services from private health plans that participate in
Medicare Advantage--Medicare's managed care program--also known as
Part C. All Medicare beneficiaries may purchase coverage for
outpatient prescription drugs under Part D.
[12] These strategies were identified in our June 2010 testimony as
critical to helping prevent fraud, waste, and abuse in Medicare. See
GAO, Medicare Fraud, Waste, and Abuse: Challenges and Strategies for
Preventing Improper Payments, [hyperlink,
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15,
2010).
[13] This statement deals with the challenge of reducing improper
payments to providers and plans, but Medicaid has additional areas of
concern, such as supplemental payments to providers that can lead to
inappropriate federal payments to states. For a discussion of these
areas, see GAO, High Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February
2011).
[14] A list of both sets of products appears at the end of this
statement.
[15] For more detailed information on the methodologies used in our
work, please consult the products listed at the end of this statement.
[16] For a list of recommendations that we made that CMS has not
implemented, see appendix II.
[17] See GAO, Medicare Fraud, Waste, and Abuse: Challenges and
Strategies for Preventing Improper Payments, [hyperlink,
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15,
2010). While the June 2010 statement specifically focused on the
Medicare program, the strategies it presented are also applicable to
the Medicaid program.
[18] Vulnerabilities are service-specific errors that result in
improper overpayments and underpayments. An example of a vulnerability
that leads to improper payments is providers billing for more than one
blood transfusion in a hospital outpatient setting for a Medicare
beneficiary in a day, which Medicare policy does not allow.
[19] Enrolling as a provider in Medicare and Medicaid allows a
provider to provide services to beneficiaries and bill for those
services.
[20] See GAO, Medicare: Improvements Needed to Address Improper
Payments in Home Health, [hyperlink,
http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27,
2009). CMS's contractors began to revalidate HHA enrollment during the
course of our work on that engagement.
[21] See GAO, Medicare: More Effective Screening and Stronger
Enrollment Standards Needed for Medical Equipment Suppliers,
[hyperlink, http://www.gao.gov/products/GAO-05-656] (Washington, D.C.:
Sept. 22, 2005).
[22] See GAO, Medicare: Covert Testing Exposes Weaknesses in the
Durable Medical Equipment Supplier Screening Process, [hyperlink,
http://www.gao.gov/products/GAO-08-955] (Washington, D.C.: July 3,
2008).
[23] See GAO, Medicaid: Fraud and Abuse Related to Controlled
Substances Identified in Selected States, [hyperlink,
http://www.gao.gov/products/GAO-09-957] (Washington, D.C.: Sept. 9,
2009). The five states whose claims we reviewed for this report were
California, Illinois, New York, North Carolina, and Texas.
[24] This law also applies to certain provisions related to Medicaid
or to the state Children's Health Insurance Program (CHIP), which is
the joint federal-state program that provides health coverage to
children whose families have incomes that are low, but not low enough
to qualify for Medicaid. This statement does not address how PPACA
will affect CHIP.
[25] The enhanced screening procedures that PPACA provided for will
apply to new providers beginning 1 year after the date of enactment
and to currently enrolled providers 2 years after that date.
[26] Medicare, Medicaid, and Children's Health Insurance Programs;
Additional Screening Requirements, Application Fees, Temporary
Enrollment Moratoria, Payment Suspensions and Compliance Plans for
Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011).
[27] In discussing the final rule, CMS noted that Medicare already
employs a number of the screening practices described in PPACA to
determine if a provider is in compliance with federal and state
requirements to enroll or to maintain enrollment in the Medicare
program.
[28] CMS considered issues such as past levels of improper payments
and occurrences of fraud among different provider types to determine
risk levels. The moderate level comprises re-enrolling HHAs and
re-enrolling DMEPOS suppliers; ambulance suppliers; community mental
health centers; comprehensive outpatient rehabilitation facilities;
hospice organizations; independent diagnostic testing facilities;
independent clinical laboratories; and physical therapists, including
physical therapy groups and portable X-ray suppliers. Other providers,
such as physicians and ambulatory surgical centers, are in the limited
risk level.
[29] The database checks may include verification of the following:
Social Security number; National Provider Identifier; National
Practitioner Databank licensure; whether the provider has been
excluded from federal health care programs by the OIG; taxpayer
identification number; and death of an individual practitioner, owner,
authorized official, delegated official, or supervising physician.
[30] In February 2011, CMS told us that the agency had requested
additional comments on how best to implement the fingerprinting and
criminal history record check requirements and might adopt some of the
comments in implementing this provision. CMS will not implement
fingerprinting and criminal history record checks until after
subregulatory guidance is published that explains how the agency plans
to ensure that privacy rights are respected and that addresses other
operational concerns.
[31] The Department of Health and Human Services and the Department of
Justice Health Care Fraud and Abuse Control Program Annual Report for
Fiscal Year 2010 (Washington, D.C.: January 2011).
[32] In general, a compliance program is the internal set of policies,
processes, and procedures that a provider organization implements to
help it act ethically and lawfully. In this context, compliance plans
help provider organizations prevent and detect violations of Medicare
laws and regulations.
[33] Medicare, Medicaid, and Children's Health Insurance Programs;
Additional Screening Requirements, Application Fees, Temporary
Enrollment Moratoria, Payment Suspensions and Compliance Plans for
Providers and Suppliers. 75 Fed. Reg. 58204 (Sept. 23, 2010).
[34] Medicare Program; Home Health Prospective Payment System Rate
Update for Calendar Year 2011; Changes in Certification Requirements
for Home Health Agencies and Hospices. 75 Fed. Reg. 70,372 (Nov. 17,
2010).
[35] Social Security Act §1834(a)(16)(B). As of October 2009, DMEPOS
suppliers were required to obtain and submit a surety bond in the
amount of at least $50,000. A DMEPOS surety bond is a bond issued by
an entity guaranteeing that a DMEPOS supplier will fulfill its
obligation to Medicare. If the obligation is not met, Medicare will
recover its losses via the surety bond. Medicare Program; Surety Bond
Requirement for Suppliers of Durable Medical Equipment, Prosthetics,
Orthotics, and Supplies (DMEPOS), 74 Fed. Reg. 166 (Jan. 2, 2009).
[36] Before PPACA, the Social Security Act also required CMS to impose
surety bonds on HHAs and permitted the imposition of surety bonds on
certain other Medicare providers. PPACA requires any surety bond
imposed to be commensurate with the provider's billing volume. CMS
officials stated that the agency is drafting a rule to implement this
authority, in which the agency will propose imposing surety bonds on
additional providers.
[37] See GAO, Medicare: Improvements Needed to Address Improper
Payments for Medical Equipment and Supplies, [hyperlink,
http://www.gao.gov/products/GAO-07-59] (Washington, D.C.: Jan. 31,
2007).
[38] For example, we found that from the first quarter of 2003 through
the first quarter of 2005, due to an absence of such prepayment
controls, 225 suppliers increased their billing to Medicare both by at
least 500,000 and by at least 50 percent from at least one 3-month
period to the next. In November 2004, the U.S. government won a
default civil judgment against 16 of these suppliers for filing false
claims against Medicare for services not rendered--after they were
paid almost $40 million from January 2003 through September 2004.
[39] NCCI, a CMS program that consists of coding policies and edits,
was initiated for Medicare in 1996 to help ensure correct payment for
Medicare Part B for physician, laboratory, and radiology services
claims. Under NCCI, CMS's contractors screen Medicare Part B claims
with automated prepayment edits designed to detect anomalies that
indicate a claim has incorrect information.
[40] The law requires these predictive analytic technologies to be
integrated into the Medicare FFS claims flow and prevent the payment
of claims identified as potentially fraudulent, wasteful, or abusive
until the claims can be verified as valid.
[41] See [hyperlink, http://www.ntis.gov/products/ssa-dmf.aspx] [SSA
death master]; [hyperlink, http://oig.hhs.gov/fraud/exclusions.asp]
[HHS OIG Exclusions]; [hyperlink,
http://www.irs.gov/individuals/article/0,,id=100551,00.html] [FPLP];
and [hyperlink, http://fms.treas.gov/debt/top.html].
[42] These contractors include Medicare Administrative Contractors
(MAC) and any fiscal intermediaries or carriers still administering
claims. These MACs, carriers, and fiscal intermediaries are
responsible for ensuring that they only pay claims to eligible
providers.
[43] We reported in 2009 that two contractors paying home health
services claims conducted postpayment reviews on fewer than 700 of the
8.7 million claims they paid in fiscal year 2007. See [hyperlink,
http://www.gao.gov/products/GAO-09-185].
[44] See [hyperlink, http://www.gao.gov/products/GAO-09-185].
[45] See [hyperlink, http://www.gao.gov/products/GAO-09-185].
[46] The Medicare Prescription Drug, Improvement and Modernization Act
of 2003 directed CMS to conduct a project to demonstrate how effective
the use of RACs would be in identifying underpayments and
overpayments, and in recouping overpayments in Medicare. Pub. L. No.
108-173, § 306, 117 Stat. 2066, 2256. Subsequently, in December 2006
the Tax Relief and Health Care Act of 2006 required CMS to implement a
national RAC program by January 1, 2010. Pub. L. No. 109-342, div. B,
title III, § 302, 120 Stat. 2924, 2991 (codified at 42 U.S.C. §
1395ddd(h)).
[47] See GAO, Medicare Fraud, Waste, and Abuse: Challenges and
Strategies for Preventing Improper Payments, [hyperlink,
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15,
2010).
[48] GAO, Medicare Part D: Some Plan Sponsors Have Not Completely
Implemented Fraud and Abuse Programs, and CMS Oversight Has Been
Limited, [hyperlink, http://www.gao.gov/products/GAO-08-760]
(Washington, D.C.: July 21, 2008).
[49] See Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and
Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion.
[hyperlink, http://www.gao.gov/products/GAO-10-481T] (Washington,
D.C.: March 3, 2010). A desk audit includes reviews of requested
documents only, in contrast to site visits, which include other tasks,
such as interviews with sponsor officials.
[50] Policy and Technical Changes to the Medicare Advantage and the
Medicare Prescription Drug Benefit Programs, 75 Fed. Reg. 19,678 (Apr.
15, 2010).
[51] These are all aspects of internal control, which is the component
of an organization's management that provides reasonable assurance
that the organization achieves effective and efficient operations,
reliable financial reporting, and compliance with applicable laws and
regulations. Internal control standards provide a framework for
identifying and addressing major performance challenges and areas at
greatest risk for mismanagement. GAO, Internal Control Standards:
Internal Control Management and Evaluation Tool [hyperlink,
http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August
2001).
[52] GAO, Medicare Recovery Audit Contracting: Weaknesses Remain in
Addressing Vulnerabilities to Improper Payments, Although Improvements
Made to Contractor Oversight, [hyperlink,
http://www.gao.gov/products/GAO-10-143] (Washington, D.C.: March 31,
2010).
[53] [hyperlink, http://www.gao.gov/products/GAO-10-143].
[End of section]