
Recognizing that Medicare and Medicaid received improper payments of more than $69 billion in 2011, the General Accounting Office said both are on its list of high-risk federal programs and further action is needed to address their vulnerabilities to fraud, waste, and abuse.

That’s the assessment of the GAO in testimony delivered earlier this month before a congressional subcommittee of oversight and reform. The GAO, citing statistics from The Centers for Medicare & Medicaid Services, said Medicare received improper payments of $21.9 billion, and nearly $43 billion were made to Medicaid.

“Medicaid and Medicare are two of the largest programs in the federal government, financing healthcare services for a combined total of approximately 119 million individuals at a cost of about $983 billion in 2011,” testified the GAO’s director of healthcare, Kathleen M. King, before members of the subcommittee.

Program integrity challenges are different for both programs, noted the GAO. As a state-based program, with 51 distinct states, the challenge for Medicaid is to find what it described as an appropriate balance between the states and the federal government.

Medicaid Faces Complex Challenges, Balancing Federal and State Efforts

In her testimony for subcommittee members, King outlined four strategies the CMS and Medicaid need to execute.

  1. Strengthening provider enrollment standards and procedures to ensure only legitimate providers participate in the program;
  2. Improving prepayment controls;
  3. Improving post-payment claims review and recovery of improper payments; and
  4. Developing a robust process for addressing identified vulnerabilities.

Provider Enrollment

CMS’ comprehensive state program integrity reviews identified provider enrollment as the most frequently cited area of concern, but the agency has noted a positive trend in states’ awareness of regulatory requirements.

“Our analysis of final reports from CMS’ most recent comprehensive reviews for all 51 states found 230 instances of non-compliance with federal laws or federal regulatory requirements related to states’ provider enrollment standards and procedures,” King told subcommittee members. “Most of the reviews we analyzed were conducted prior to CMS’ final rule implementing PPACA (Patient Protection and Affordable Care Act) provider enrollment provisions.”

Prepayment Reviews

CMS noted vulnerabilities in the prepayment reviews of claims in five states and effective practices in seven others. In anticipation of new analytic tools to predict vulnerabilities before claims are paid, the agency has initiated discussions with and provided guidance to states.

“CMS officials also told us that states are in varying stages of implementing predictive analytics based on Medicare’s experience,” said King, noting that the Small Business Jobs Act of 2010 requires the use of predictive analytics in Medicaid beginning in 2015.


CMS has begun collaborating with states to identify targets for federal post-payment audits, which should help avoid duplication of federal and state audit efforts.

King said that since implementing federal audits in 2008, CMS’ contractors have conducted a total of 1,662 post-payment audits, 1,550 of which were federal audits in which CMS identified the audit targets, and 112 of which were collaborative audits in which CMS relied on state Medicaid integrity programs to identify audit targets.

A GAO analysis shows that since shifting to a more collaborative approach in 2010, the focus of audits has changed from hospitals to long-term care and pharmacy.

Number and Percentage of Provider Types Targeted by Federal/Collaborative Audits


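| Provider Type | Federal audits (number) | Federal audits (%) | Collaborative audits (number) | Collaborative audits (%) |
|---|---|---|---|---|
| Hospital | 584 | 38% | 11 | 10% |
| Long-term care | 284 | 18% | 33 | 29% |
| Physician | 227 | 15% | 8 | 7% |
| Pharmacy | 225 | 15% | 1 | 6% |
| Home health | 9 | 1% | 6 | 5% |
| DME | 45 | 3% | 1 | 1% |
| Other | 176 | 11% | 18 | 16% |
| TOTAL | 1,500 | 100 | 112 | 100 |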


Source: GAO analysis of CMS Data. Note: Data presented from 2008 through February 29, 2012. “Other” includes clinic, behavioral health, dental, personal care, managed care, hospice, ambulatory health care facilities, direct service providers, disability care services, home office, provider agency, transportation, therapeutic residential child care facility, and cases that CMS labeled “other.” Percent of federal audits does not add up to 100 due to rounding.


PPACA requires state Medicaid programs to establish contracts with RACs, consistent with state law and similar to the contracts established for the Medicare program, subject to exceptions or requirements provided by CMS.

King said that according to CMS officials, 32 states had signed contracts with RAC vendors as of May 31, 2012, but few states’ Medicaid RAC programs were operational. In addition, officials told the GAO that 17 states had requested exceptions due to implementation delays.

The few states with operational RAC programs had not yet reported on whether RACs had increased state collections of improper payments. As a result, noted King, it is too early to assess the initial results and the potential for duplication, including the steps CMS and the states will take to avoid duplication.

Identifying Vulnerabilities

The GAO in its testimony reported that CMS “has not established a robust process for incorporating identified vulnerabilities in state corrective action plans.”

“Our prior work has demonstrated that CMS had not developed a robust process to specifically address identified vulnerabilities that lead to improper payments in Medicaid,” stated King. “Previously we reported that CMS, in its proposed rule for the Medicaid RAC program, did not include steps for states to collect information on RAC-identified vulnerabilities and develop a corrective action plan to address them.”

King said information from the Medicaid RAC program could be incorporated into these processes.

Medicare: Further Actions are Needed

For Medicare, the GAO said that although CMS has strengthened its efforts to ensure program integrity, other work remains to be done.

Congress authorized CMS to implement several new or improved enrollment safeguards, including screening enrollment applications for categories of Medicare providers by risk level, reported the GAO.

Although CMS has issued a final rule to implement this and other changes, the agency has not completed other final rules and additional actions that could further strengthen enrollment procedures, such as rules to implement new surety bond provisions and provider and supplier disclosures, according to the GAO.

Enrollment Safeguards

King told members of the subcommittee that CMS had added screenings of categories of provider enrollment applications by risk level, and new national enrollment screening and site visit contractors.

Provider Screening

King said providers in the high-risk level are subject to the most rigorous screening. She reported that CMS designated newly enrolling home health agencies and durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) suppliers as high risk and designated other providers at lower levels. High- and moderate-risk providers are additionally subject to unannounced site visits, reported King, concluding that, depending on the risks presented, PPACA authorizes CMS to require fingerprint-based criminal history checks, and the posting of surety bonds for certain providers.

Surety Bonds

“Our prior work found that CMS had not implemented other enrollment screening actions authorized by PPACA,” said King. “These include issuing a rule to implement surety bonds for providers, completing contract awards to begin fingerprint-based criminal background checks, issuing a rule on provider and supplier disclosure requirements, and establishing the core elements for provider and supplier compliance programs.”


King said PPACA authorizes CMS to require a surety bond for certain types of at-risk providers, noting that surety bonds may serve as a source for recoupment of erroneous payments. CMS, she said, has not developed a proposed rule to require surety bonds as conditions of enrollment to implement this requirement.

While CMS had required surety bonds from DMEPOS suppliers since 2009, CMS did not issue instructions for recovering overpayments through surety bonds until January 2012, to take effect in February 2012. As of May 2012, CMS had not collected any funds from surety bond companies, King told subcommittee members.


On the issue of fingerprint-based criminal background checks, King reported that CMS officials told the GAO they are working with the Federal Bureau of Investigation to arrange a contract that will enable the agency to access information to help conduct fingerprint-based criminal background checks of high-risk providers and suppliers, a tool authorized by PPACA. King told the subcommittee that CMS expects to have the necessary contract in place by early 2013.

King said CMS had not completed development of regulations for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program.

King said increased efforts to review claims on a prepayment basis could better prevent payments that should not be made. Due to the volume of claims, she noted, CMS has reported that less than one percent of Medicare claims are subject to manual medical record review by trained personnel.

Provider Enrollment Chain and Ownership System

“Having effective prepayment edits that deny claims for ineligible providers and suppliers depends on having timely and accurate information about them, such as whether the providers are currently enrolled and have the appropriate license or accreditation to provide specific services,” said King. “We have previously identified flaws in the timeliness and accuracy of data in the Provider Enrollment Chain and Ownership System (PECOS) - the database that maintains Medicare provider and supplier enrollment information, which may result in CMS making improper payments to ineligible providers and suppliers.”

King told subcommittee members that having effective edits to implement coverage and payment policies before payment is made could also prevent improper payments. The Medicare program has defined categories of items and services eligible for coverage and excludes from coverage items or services that are determined not to be “reasonable and necessary for the diagnosis and treatment of an illness or injury or to improve functioning of a malformed body part.”

“Our prior work found certain gaps in Medicare’s prepayment edits based on coverage and payment policies and made recommendations for improvement, which have not all been implemented,” said King. “CMS has not developed edits to identify abnormally rapid increases in billing by DMEPOS suppliers, which is associated with fraudulent billing. We are currently assessing CMS’ implementation of edits on coverage and payment policies.”

Fraud Prevention System

King said the GAO is also currently evaluating a new CMS effort, the Fraud Prevention System (FPS), which uses predictive analytic technologies to analyze Medicare fee-for-service (FFS) claims.

“According to CMS, FPS may enhance CMS’ ability to identify potential fraud because it simultaneously analyzes large numbers of claims from multiple data sources nationwide before payment is made, thus allowing CMS to examine billing patterns across geographic regions for those that may indicate fraud,” said King. “The results of FPS could lead to the initiation of payment suspensions, implementation of automatic claim denials, identification of additional prepayment edits, investigations, or the revocation of Medicare billing privileges.”

Adding More RACs

King reported CMS has begun using recovery auditing in its prescription drug program but not for its Medicare managed care plans, noting that adding new RACs into the Medicare program may help in identifying under- or overpayments, and in recouping overpayments. King explained that PPACA required the expansion of Medicare RACs to Parts C and D. CMS has implemented a RAC for Part D, but not for Part C.

King said CMS has approved the Part D RAC to conduct post-payment review of claims to identify several issues leading to improper payments, such as payments to excluded providers and duplicate payments.


King said that CMS officials told the GAO that the Part D RAC had started its review of 2007 claims data for prescription drug events and has identified potential overpayments to recoup. She said CMS is still considering different options for implementing a Part C RAC program to address improper Medicare Advantage plan payments, noting that the agency had indicated concern that adding additional contractors to identify Medicare Advantage plan payment errors would duplicate current efforts.

Integrated Data Repository

Although the Integrated Data Repository (IDR) became operational in September 2006 to help CMS program integrity staff and contractors detect improper payments of claims, the GAO found that IDR did not include all the data that was planned to be incorporated by fiscal year 2010, because of technical obstacles and delays in funding. Further, as of December 2011, CMS had not finalized plans or developed reliable schedules for efforts to incorporate these data, which could lead to additional delays.

One Program Integrity

One Program Integrity (One PI), operational as of May 2011, was not being widely used, according to the GAO. Therefore, the GAO recommended that CMS take steps to finalize plans and reliable schedules for fully implementing and expanding the use of both IDR and One PI and to define measurable benefits. King said CMS officials indicated they began incorporating additional Medicare claims data into IDR in September 2011 and, as of November 2011, had trained more than 200 analysts who were using One PI. However, King noted that as of April 2012, CMS had not fully addressed the GAO’s recommendations; for example, the agency had not finalized plans for adding Medicaid data into IDR.

Process for Identifying Vulnerabilities

GAO recommended that CMS establish an adequate process to ensure prompt resolution of identified vulnerabilities in Medicare and is currently evaluating recent steps CMS has taken. The GAO said having mechanisms in place to resolve vulnerabilities that lead to improper payments is critical to effective program management, but its study had shown weaknesses in CMS’ processes to address such vulnerabilities.

Therefore, the GAO recommended that CMS develop and implement a corrective action process that includes policies and procedures to ensure the agency promptly…

  1. Evaluates findings of RAC audits,
  2. Decides on the appropriate response and a time frame for taking action based on established criteria, and
  3. Acts to correct the vulnerabilities identified.

GAO said that in December 2011, the HHS-OIG found that CMS had not resolved or taken significant action to resolve 48 of 62 vulnerabilities reported in 2009 by CMS contractors specifically charged with addressing fraud.

The HHS-OIG recommended that CMS have written procedures and time frames to assure that vulnerabilities were resolved, the GAO reported. CMS has indicated it is now tracking vulnerabilities identified from several types of contractors through a single vulnerability tracking process, and the agency has developed some written guidance on the process.

“We are currently examining aspects of CMS’ vulnerability tracking process and will be reporting on it soon,” concluded King.

About the Author

Chuck Buck is the publisher of RACmonitor and is the program host and executive producer of Monitor Monday.
