oversight

Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers

Published by the Government Accountability Office on 2012-04-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

             United States Government Accountability Office

GAO          Report to the Chairman, Committee on
             Finance, U.S. Senate



April 2012
             MEDICARE
             PROGRAM
             INTEGRITY
             CMS Continues
             Efforts to Strengthen
             the Screening of
             Providers and
             Suppliers




GAO-12-351
                                                April 2012

                                                MEDICARE PROGRAM INTEGRITY
                                                CMS Continues Efforts to Strengthen the Screening
                                                of Providers and Suppliers
Highlights of GAO-12-351, a report to the
Chairman, Committee on Finance, U.S.
Senate




Why GAO Did This Study                          What GAO Found
According to the Centers for Medicare           Medicare claims are screened against enrollment information, using automated
& Medicaid Services (CMS)—the                   enrollment-related prepayment edits, in an effort to prevent improper payments to
agency within the Department of                 ineligible providers and suppliers—such as those that are no longer active in the
Health and Human Services (HHS)                 Medicare program or are not properly licensed to provide the services for which
that administers the Medicare                   they have submitted claims. Officials with the contractors we interviewed
program—more than 1.5 million health            described the use of several types of prepayment edits to ensure that claims data
providers and suppliers of medical              are valid. For example, verification edits are intended to check the provider’s
equipment were enrolled in the                  National Provider Identifier (NPI), which indicates whether the claim was
Medicare program in 2011, and 30,000            submitted by an active provider or supplier. However, factors such as the
more enroll each month. CMS has                 frequency with which contractors have updated provider and supplier enrollment
established Medicare enrollment                 information and limitations of the data used may affect the timeliness and
standards and procedures intended to            accuracy of data used to screen claims—in turn limiting the ability of the edits to
ensure that only qualified providers            prevent improper payments from occurring. For example, to update information
and suppliers can enroll. While most
                                                maintained in the Provider Enrollment, Chain and Ownership System (PECOS)—
providers and suppliers pose a limited
                                                CMS’s centralized database for Medicare enrollment information—the
risk to the Medicare program, our
previous work found persistent
                                                contractors have relied on a variety of data sources that vary in the frequency
weaknesses in CMS’s Medicare                    with which they are updated and the ease with which the data can be accessed.
enrollment standards and procedures             We have previously reported concerns about the accuracy of the enrollment
that increased the risk of enrolling            information in PECOS and recommended CMS increase its oversight of its
entities intent on defrauding the               contractors’ provider and supplier enrollment activities. CMS acknowledged
program. In 2010, the Patient                   these concerns and indicated that the agency is working to address these issues.
Protection and Affordable Care Act              Since the enactment of PPACA, CMS has implemented some new provider and
(PPACA) authorized CMS to
                                                supplier enrollment screening procedures and other measures intended to
implement procedures to strengthen
                                                strengthen the existing Medicare enrollment process. New screening procedures
the Medicare enrollment process.
                                                include the designation of three different levels of risk of fraud, waste, and abuse,
GAO was asked to review CMS’s                   with categories of providers and suppliers assigned to limited, moderate, and
Medicare provider enrollment                    high-risk levels—and those in the highest level subject to the most rigorous
procedures. In this report, GAO                 screening. For example, providers and suppliers in all three risk levels must
describes (1) how CMS and its                   undergo licensure checks, while those in moderate- and high-risk levels are
contractors use provider and supplier           subject to unannounced site visits. In addition, CMS implemented new
enrollment information to prevent               application fees for some providers and suppliers. CMS also added two new
improper payments and factors that              Medicare contractors, an automated screening contractor and a site visit
may affect the usefulness of this
                                                contractor, to conduct enhanced enrollment screening and site visits. CMS
information, and (2) the extent to which
                                                officials said that they expect the new automated screening contractor to identify
CMS has implemented new provider
and supplier enrollment screening
                                                additional data sources against which to screen, such as financial, tax, and
procedures since the enactment of               business data sources. CMS’s implementation of some additional enrollment
PPACA. To do so, GAO reviewed                   screening procedures is still in progress. For example, by the end of 2012, CMS
relevant regulations and documents,             plans to contract with two Federal Bureau of Investigation-approved contractors
and interviewed officials from CMS and          to conduct fingerprint-based criminal background checks of high-risk providers
a sample of four of the agency’s                and suppliers. In addition, the agency plans to extend the requirement for surety
contractors based on the volume of              bonds to high-risk providers and suppliers beyond those already required of
claims they processed and the status            suppliers of durable medical equipment, orthotics and supplies. A surety bond
of their contracts with CMS.                    guarantees that if a provider or supplier does not fulfill its obligation to Medicare,
                                                CMS can recover its losses via the surety bond.
View GAO-12-351. For more information,          HHS reviewed a draft of this report and in its written comments noted CMS’s
contact Kathleen M. King at (202) 512-7114 or
kingk@gao.gov.
                                                ongoing efforts to improve provider and supplier enrollment procedures. HHS
                                                also provided technical comments, which were incorporated as appropriate.
                                                                                          United States Government Accountability Office
Contents


Letter                                                                                       1
              Background                                                                     6
              Claims Are Screened against Enrollment Information to Prevent
                Improper Payments, but Prevention Depends on Timely and
                Accurate Information                                                       13
              CMS Has Implemented Some New Enrollment Screening
                Procedures Since PPACA, While Others Remain in Progress                    18
              Concluding Observations                                                      27
              Agency Comments                                                              28

Appendix I    Comments from the Department of Health and Human Services                    30



Appendix II   GAO Contact and Staff Acknowledgments                                        32



Table
              Table 1: Categories of Medicare Providers and Suppliers
                       Designated by Risk Level for Enrollment Screening                   20


Figure
              Figure 1: Medicare Enrollment and Claims Payment Process Prior
                       to January 2012                                                     11




              Page i                       GAO-12-351 Provider and Supplier Medicare Enrollment
Abbreviations

A/B MAC           Medicare Administrative Contractor servicing both Part A
                    and Part B lines of business
CHIP              State Children’s Health Insurance Program
CMS               Centers for Medicare & Medicaid Services
CPI               Center for Program Integrity
DME               durable medical equipment
DMEPOS            durable medical equipment, prosthetics, orthotics, and
                    supplies
DME MAC           Durable Medical Equipment Medicare Administrative
                    Contractor
DMF               Death Master File
EDI               Electronic Data Interchange
EPLS              Excluded Parties List System
FBI               Federal Bureau of Investigation
FFS               fee-for-service
HHS               Department of Health and Human Services
HIPAA             Health Insurance Portability and Accountability Act
IRS               Internal Revenue Service
LEIE              List of Excluded Individuals/Entities
NPI               National Provider Identifier
NSC               National Supplier Clearinghouse
OIG               Office of Inspector General
PECOS             Provider Enrollment, Chain and Ownership System
PPACA             Patient Protection and Affordable Care Act
QASP              Quality Assurance Surveillance Plan
SSA               Social Security Administration



This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




Page ii                             GAO-12-351 Provider and Supplier Medicare Enrollment
United States Government Accountability Office
Washington, DC 20548




                                   April 10, 2012

                                   The Honorable Max Baucus
                                   Chairman
                                   Committee on Finance
                                   United States Senate

                                   Dear Mr. Chairman:

                                   For more than 20 years, we have designated Medicare as a high-risk
                                   program because of serious management challenges due to its size,
                                   complexity, and susceptibility to fraud, waste, abuse, and improper
                                   payments. 1 In 2011, Medicare covered 48.4 million individuals 65 years
                                   and older and eligible individuals with disabilities, and total Medicare
                                   program expenditures were $565 billion. 2 For fiscal year 2011, the
                                   Department of Health and Human Services (HHS) estimated the agency
                                   made improper payments of nearly $29 billion in the Medicare fee-for-
                                   service (FFS) program. 3

                                   More than 1.5 million health providers and suppliers of medical equipment
                                   were enrolled in the Medicare program in 2011, according to the Centers



                                   1
                                    Fraud represents intentional acts of deception with knowledge that the action or
                                   representation could result in an inappropriate gain. Waste includes inaccurate payments
                                   for services, such as unintentional duplicate payments. Abuse represents actions
                                   inconsistent with acceptable business or medical practices. An improper payment is any
                                   payment that should not have been made or that was made in an incorrect amount
                                   (including overpayments and underpayments) under statutory, contractual, administrative,
                                   or other legally applicable requirements. In 1990, we began to report on government
                                   operations that we identified as “high risk” for serious weaknesses in areas that involve
                                   substantial resources and provide critical services to the public. See GAO, High-Risk
                                   Series: An Update, GAO-11-278 (Washington, D.C.: February 2011).
                                   2
                                    Medicare consists of four parts. Medicare Part A covers inpatient hospital care, skilled
                                   nursing facility care, some home health care services, and hospice care. Part B services
                                   include physician and outpatient hospital services, diagnostic tests, mental health
                                   services, outpatient physical and occupational therapy, ambulance services, prosthetics,
                                   orthotics, and supplies. Medicare Parts A and B are known as original Medicare or
                                   Medicare Fee-for-Service (FFS). CMS also contracts with private health plans to
                                   administer a Medicare private plan, known as Medicare Part C or Medicare Advantage,
                                   and drug plan sponsors to administer the Medicare outpatient prescription drug benefit
                                   known as Medicare Part D.
                                   3
                                    HHS, Fiscal Year 2011 Agency Financial Report (Washington, D.C.: Nov. 15, 2011).




                                   Page 1                              GAO-12-351 Provider and Supplier Medicare Enrollment
for Medicare & Medicaid Services (CMS)—the agency within HHS that
administers the Medicare program—and 30,000 more enroll each month.
CMS has established Medicare enrollment standards and procedures
intended to ensure that only qualified providers and suppliers can enroll in
the Medicare program. 4 For example, standards for suppliers of durable
medical equipment, prosthetics, orthotics, and supplies (DMEPOS)
include proper licensure and a physical facility on an appropriate site that
is accessible to beneficiaries and CMS. This information must be verified
prior to enrollment. 5 Screening at the time of enrollment is a crucial step
to reduce the risk of enrolling providers intent on defrauding or abusing
the program.

According to CMS, the majority of providers and suppliers enrolling in
Medicare are legitimate and pose a limited risk to the Medicare program.
However, our previous work found persistent weaknesses in CMS’s
Medicare enrollment standards and procedures that increased the risk of
enrolling entities intent on defrauding the Medicare program. For
example, we found that the Medicare enrollment process for home health
agencies did not routinely include verification of the criminal background
of applicants, and without this information individuals and businesses that
misrepresent their criminal backgrounds could be allowed to enroll in the
Medicare program. 6 We also conducted covert testing and found that
DMEPOS suppliers were enrolled who did not meet Medicare’s standards




4
 The term provider refers collectively to institutional providers such as hospitals, and
health care facilities, as well as physicians and nonphysician practitioners who provide
health care services to Medicare beneficiaries. Providers also include organ procurement
organizations, skilled nursing facilities, hospice, and end-stage renal disease centers. The
term suppliers refers to certain Part B entities such as ambulance service providers,
mammography centers, and portable X-ray facilities. Suppliers also include entities that
supply Medicare beneficiaries with durable medical equipment, prosthetics, orthotics, and
supplies (DMEPOS) such as walkers and wheelchairs. Medicare law defines durable
medical equipment (DME) as equipment that serves a medical purpose, can withstand
repeated use, is generally not useful in the absence of an illness or injury, and is
appropriate for use in the home. This report will use the term providers and suppliers
when referring to all Medicare providers and suppliers but will specify DMEPOS suppliers
when necessary.
5
 Enrolling in Medicare enables providers or suppliers to submit claims for services and
supplies provided to Medicare beneficiaries.
6
 See GAO, Medicare: Improvements Needed to Address Improper Payments in Home
Health, GAO-09-185 (Washington, D.C.: Feb. 27, 2009).




Page 2                               GAO-12-351 Provider and Supplier Medicare Enrollment
or were not legitimate businesses. 7 We recommended stricter scrutiny of
the enrollment processes for home health agencies and DMEPOS
suppliers due to the higher incidence of improper payments among these
providers. We also recommended strengthening Medicare enrollment
standards and procedures as a key strategy for reducing fraud, waste,
abuse, and improper payments in Medicare.

In 2010, the Congress passed the Patient Protection and Affordable Care
Act (PPACA), which included provisions that will expand health insurance
coverage to millions of individuals, and provided CMS with increased
authority to combat fraud, waste, and abuse in Medicare. 8 Certain of
these provisions are designed to strengthen Medicare’s provider
enrollment standards and procedures. For example, PPACA requires
HHS to designate a level of screening according to the assessed risk of
fraud, waste, and abuse with respect to the category of provider or
supplier. At a minimum, PPACA requires all providers and suppliers to be
subject to licensure checks, which may include checks in multiple states.
PPACA gives CMS the authority to require additional screening
procedures, such as criminal background checks, depending on the type
of risk presented by the type of provider or supplier. 9

CMS oversees a network of contractors that implement and monitor the
Medicare program. Among these contractors are the Medicare
Administrative Contractors (A/B MAC) that enroll and pay providers and
suppliers, except for DMEPOS suppliers, for the services they provide to
Medicare beneficiaries for Medicare Part A and Part B, the National
Supplier Clearinghouse (NSC) that manages DMEPOS supplier
enrollment, and the Durable Medical Equipment Medicare Administrative
Contractors (DME MAC) that pay claims for DMEPOS items. 10 The A/B


7
 See GAO, Medicare: Covert Testing Exposes Weaknesses in the Durable Medical
Equipment Supplier Screening Process, GAO-08-955 (Washington, D.C.: July 3, 2008).
8
 Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the Health Care and
Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124 Stat. 1029,
which we refer to collectively as PPACA.
9
 PPACA, § 6401, 124 Stat. 119, 747-753, amended by § 10603, 124 Stat. 119. 1006
(codified at 42 U.S.C. § 1395cc(j)).
10
  CMS currently contracts with 10 A/B MACs that are responsible for their own geographic
regions, known as jurisdictions. A total of 14 jurisdictions now exist and future
consolidations will bring the total to 10 jurisdictions. There are four DME MACs that
process claims for DMEPOS supplies.




Page 3                             GAO-12-351 Provider and Supplier Medicare Enrollment
MACs also educate their enrolled providers and suppliers on CMS
policies and procedures, provide information to beneficiaries, and
undertake efforts to detect and prevent fraud and abuse. The NSC serves
as the centralized contractor for the enrollment process and site visits for
DMEPOS suppliers. In 2011, CMS awarded contracts to two new
contractors—an automated screening and a national site visit
contractor—to perform aspects of the provider and supplier enrollment
screening process, including various screening activities and site visits
beginning in 2012. Effective implementation by CMS of PPACA’s provider
and supplier enrollment provisions, through these and other contractors,
is expected to aid CMS in its efforts to ensure that it only enrolls and pays
providers and suppliers that meet Medicare’s enrollment standards.

You asked us to examine how CMS uses enrollment information to
prevent payment of improper or potentially fraudulent Medicare claims
and to assess changes to CMS’s Medicare provider enrollment
procedures since the passage of PPACA. This report addresses (1) how
CMS and its contractors use provider and supplier information to prevent
improper payments and factors that may affect the usefulness of the
enrollment information, and (2) the extent to which CMS has implemented
new provider and supplier enrollment screening procedures since
enactment of PPACA.

To assess how CMS and its contractors use provider and supplier
enrollment information to prevent improper payments and factors that
may affect the usefulness of the information, we obtained and reviewed:
claims processing documents, including CMS procedural manuals and
directives; claims processing schematics; and the criteria used to develop
and implement prepayment edits that use enrollment information to
ensure claims are only paid to providers and suppliers that are eligible to
bill Medicare. 11 We examined the role of the data in the Provider
Enrollment, Chain and Ownership System (PECOS) —CMS’s centralized
database for Medicare enrollment information—in the Medicare claims
payment process. In addition, we reviewed our past reports and those
issued by the HHS Office of Inspector General (HHS OIG) that discussed




11
  We did not assess prepayment edits based on CMS policies on coverage of medical
care or medical necessity.




Page 4                            GAO-12-351 Provider and Supplier Medicare Enrollment
the accuracy of PECOS data. 12 We interviewed CMS officials and a total
of four A/B and DME MACs on how they use provider and supplier
enrollment information to prevent improper payments. We interviewed
A/B MACs whose workloads were fully implemented by 2010 and whose
contracts were not being recompeted during the course of our work. 13 In
addition, we assessed A/B MAC claims processing workloads in order to
select A/B MACs that had the largest percentages of the national
workload. Our sample selection strategy resulted in two A/B MACs and
two DME MACs.

To assess the extent to which CMS has implemented new provider and
supplier enrollment screening procedures since the enactment of PPACA,
we reviewed agency documents, including the Proposed and Final Rule
that implemented PPACA’s provider screening and other enrollment
provisions, documents that described how PPACA-related enrollment
processes compared to previous CMS enrollment procedures, and
documents describing new processes that were not yet fully
implemented. 14 We limited our review to only those PPACA provisions
that establish provider and supplier enrollment conditions that must be
met before enrollment in Medicare. We also interviewed CMS officials
about provider and supplier enrollment screening procedures that were
developed and implemented as a result of these PPACA provisions. In
addition, we conducted interviews with the two A/B MACs to learn about
their experiences implementing new enrollment procedures authorized by
PPACA. We also interviewed NSC officials responsible for enrolling
Medicare DMEPOS suppliers.




12
  Due to CMS’s recent implementation of agreements with new contractors to manage
certain aspects of the Medicare provider enrollment process, we did not assess whether
these contractors will improve the accuracy of the data in PECOS.
13
  In response to contracting reform requirements in the Medicare Prescription Drug,
Improvement, and Modernization Act of 2003, CMS has been transitioning its claims
processing contracts from 51 contractors to no more than 10 MACs that will process
Medicare Part A and Part B provider and supplier enrollment applications and pay claims,
except for DMEPOS enrollment and claims. Due to this consolidation and transitioning of
workloads between contractors, we avoided selecting MACs that could have lost their
contracts during the course of our engagement.
14
  Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening
Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions
and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011).




Page 5                              GAO-12-351 Provider and Supplier Medicare Enrollment
             We conducted this performance audit from July 2011 to February 2012 in
             accordance with generally accepted government auditing standards.
             Those standards require that we plan and perform the audit to obtain
             sufficient, appropriate evidence to provide a reasonable basis for our
             findings and conclusions based on our audit objectives. We believe that
             the evidence obtained provides a reasonable basis for our findings and
             conclusions based on our audit objectives.

             Medicare comprises 12 percent of the federal budget and is the third
Background   largest federal program after defense and Social Security. For fiscal year
             2011, HHS reported an estimate of almost $29 billion in Medicare FFS
             improper payments. Our Standards for Internal Control in the Federal
             Government suggests that agencies should continually perform
             monitoring activities to reduce the incidence of improper payments. 15
             However, our prior reports found weaknesses in CMS’s monitoring of
             Medicare provider and supplier enrollment and claims payment
             contractors. 16 Partly in response to our work, CMS took steps to
             implement new DMEPOS supplier quality standards in an accreditation
             rule issued in August 2006 and proposed additional DMEPOS supplier
             enrollment standards in January 2008. To further address these concerns
             and create a focal point for all Medicare program integrity activities, in
             2010, CMS established a Center for Program Integrity (CPI). 17 CPI, in
             collaboration with other components within CMS, develops and
             implements the agency’s Medicare program integrity mission and goals.
             Among these goals is a reduction in instances of fraud, waste, and abuse,




             15
               GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
             (Washington, D.C.: November 1999). Internal controls are components of an
             organization’s management that provide reasonable assurances that certain objectives,
             including effectiveness and efficiency of operations, are being achieved.
             16
               See GAO, Medicare: CMS’s Program Safeguards Did Not Deter Growth in Spending for
             Power Wheelchairs, GAO-05-43 (Washington, D.C.: Nov. 17, 2004), Medicare: More
             Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment
             Suppliers, GAO-05-656 (Washington, D.C.: Sept. 22, 2005), Medicare: Improvements
             Needed to Address Improper Payments for Medical Equipment and Supplies, GAO-07-59
             (Washington, D.C.: Jan. 31, 2007), Medicare: Improvements Needed to Address Improper
             Payments in Home Health, GAO-09-185 (Washington, D.C.: Feb. 27, 2009), and Medicare
             Contracting Reform: Agency Has Made Progress with Implementation, but Contractors
             Have Not Met All Performance Standards, GAO-10-71 (Washington, D.C.: Mar. 25, 2010).
             17
              CPI also coordinates CMS’s program integrity efforts for Medicaid and the Children’s
             Health Insurance Program.




             Page 6                              GAO-12-351 Provider and Supplier Medicare Enrollment
                       as well as strategies to ensure program vulnerabilities are identified and
                       resolved.

                       According to CMS, the agency is pursuing an aggressive program
                       integrity strategy to prevent payment of potentially fraudulent claims,
                       rather than to recover funds from providers and suppliers after payment
                       has already been made. Because identifying and prosecuting providers
                       and suppliers engaged in potentially fraudulent activity is time consuming,
                       resource intensive, and costly, CMS has designed measures intended to
                       prevent enrollment by entities that might attempt to defraud or abuse the
                       Medicare program. For example, the agency requires that applicants use
                       a unique 10 digit National Provider Identifier (NPI) number and affirm that
                       they are not excluded from participating in another federal health
                       program. DMEPOS suppliers must also undergo pre-enrollment site
                       visits. In addition, the agency requires enrollment information to be
                       entered into PECOS, a single, centralized, provider and supplier
                       enrollment database that assists with data sharing across the contractors’
                       different geographic coverage areas. In addition, CMS has historically
                       required the A/B MACs and the NSC to conduct activities, such as
                       monthly reviews of state licensing board actions, to determine if individual
                       providers continue to meet state licensing requirements and to conduct
                       periodic checks to determine if entities continue to meet federal and state
                       requirements for their respective provider or supplier type. With the
                       implementation of the automated screening contract, these checks will be
                       automated and conducted on a continuous basis, according to CMS.


Medicare Contractors   Since the Medicare program was created in 1965, it has been
                       administered through a network of private contractors. CMS uses these
                       contractors to conduct claims administration activities, to implement
                       provider outreach and education, and to answer beneficiary inquiries
                       through the 1-800-Medicare help line. Contractors also perform program
                       integrity activities such as auditing providers and suppliers, reviewing
                       claims for medical necessity, and conducting investigations of potential
                       fraud, waste, and abuse. Central to program operations are the
                       A/B MACs that manage Medicare provider and supplier enrollment,
                       except for DMEPOS suppliers, and pay and review the claims submitted
                       in their jurisdictions. In 2011, A/B MACs managed more than 1.5 million
                       Medicare providers and suppliers. The previous year, A/B and DME
                       MACs paid approximately 4.5 million claims each work day on behalf of
                       CMS. Additionally, CMS contracts with the NSC to centralize the
                       enrollment process and site visits for DMEPOS suppliers. In 2010,
                       Medicare spent about $8.1 billion on DMEPOS supplies. In 2011, CMS


                       Page 7                        GAO-12-351 Provider and Supplier Medicare Enrollment
                      added two new Medicare contractors to centralize and standardize the
                      provider and supplier enrollment screening process.


Medicare Enrollment   To become eligible to bill for services or supplies provided to Medicare
Process               beneficiaries, providers and suppliers must apply to the program. 18
                      Entities applying to the Medicare program may complete an online
                      enrollment form using PECOS or submit a paper application that is
                      manually entered into PECOS by the A/B MACs or the NSC. Enrolling
                      providers and suppliers submit identifying information such as their name,
                      address, specialty area, and information about applicable licensure and
                      accreditation. 19

                      After the enrollment data are entered into PECOS, the A/B MACs and the
                      NSC handle different aspects of the application process. The A/B MACs
                      process all provider and supplier applications except for those for
                      DMEPOS suppliers and the NSC processes all enrollment applications
                      from DMEPOS suppliers nationally. Provider and supplier applications in
                      PECOS are confirmed by the A/B MAC overseeing the jurisdiction where
                      the services will be provided and by the NSC for DMEPOS suppliers.
                      Contracts awarded in 2011 to new automated screening and site visit
                      contractors altered this structure. CMS’s new provider screening
                      contractor will automate many of the required enrollment checks that the
                      A/B MACs and the NSC have done manually and will allow CMS to
                      monitor all providers and suppliers on a continuous basis to help ensure
                      they continue to meet Medicare enrollment requirements. These
                      contractors assumed some functions from the A/B MACS and the NSC in
                      early 2012.




                      18
                        To remain eligible for payment, providers and suppliers must continue to meet CMS’s
                      Medicare enrollment requirements and periodically revalidate their enrollment information
                      with the A/B MACs or the NSC.
                      19
                        Licensure is a mandatory process by which a state government grants permission to an
                      individual practitioner or health care organization to engage in an occupation or
                      profession. Accreditation is a formal process by which a recognized body, usually a
                      nongovernmental organization, assesses and recognizes that a health care organization
                      meets applicable predetermined standards. Whereas licensure is a mandatory process,
                      accreditation is usually voluntary although CMS requires accreditation as a condition for
                      suppliers enrolling in Medicare. Some of the other required enrollment information
                      includes: an agreement for electronic funds transfer, a Social Security or tax identification
                      number, name of medical or professional school and year graduated, or residency status.




                      Page 8                                GAO-12-351 Provider and Supplier Medicare Enrollment
Prior to CMS’s automated screening contractor assuming these
responsibilities, the A/B MACs and the NSC confirmed the provider and
supplier enrollment information by checking various data sources such as
the Social Security Administration (SSA) to verify an individual’s Social
Security number, the National Plan and Provider Enumeration System to
verify the provider’s NPI, and state licensing boards to determine if the
provider is appropriately licensed to furnish medical services within a
given state. CMS also required the A/B MACs and the NSC to check
additional data sources including the HHS OIG’s List of Excluded
Individuals/Entities 20 (LEIE) and the General Service Administration’s
Excluded Parties List System 21 (EPLS). Starting March 25, 2011, CMS
required the A/B MACs to conduct site visits for categories of providers
and suppliers designated as moderate and high risk. The NSC will
continue to conduct site visits related to enrollment of DMEPOS suppliers.
In addition, due to long-standing concerns about high rates of fraud,
waste, and abuse by DMEPOS suppliers, they have been subject to
additional enrollment requirements. 22 For example, DMEPOS suppliers
must meet additional quality standards before they can be enrolled in
Medicare, including proper accreditation, the successful completion of a
site visit inspection, and posting of a $50,000 surety bond. 23



20
  The OIG’s LEIE includes all individuals and entities currently excluded from participating
in federally funded health care programs including Medicare and Medicaid. Exclusions are
imposed for a number of reasons including: (1) Medicare or Medicaid fraud, as well as any
other offenses related to the delivery of items or services under Medicare, Medicaid,
CHIP, or other State health care programs; (2) patient abuse or neglect; (3) felony
convictions for other health care-related fraud, theft, or other financial misconduct; and
(4) felony convictions relating to unlawful manufacture, distribution, prescription, or
dispensing of controlled substances.
21
   The EPLS includes information on entities debarred, suspended, proposed for
debarment, excluded, or disqualified by federal government agencies from receiving
federal contracts or federally approved subcontracts and from certain types of federal
financial and nonfinancial assistance and benefits.
22
 The Medicare Prescription Drug Improvement and Modernization Act required the
Secretary to establish and implement quality standards for DMEPOS suppliers. Pub. L.
No. 108-173, § 302, 117 Stat. 2066, 2223 (Dec. 8, 2003).
23
  A surety bond is a bond issued by an entity guaranteeing that a provider or supplier will
fulfill its obligation to Medicare. If the obligation is not met, CMS is required to recover its
losses via the surety bond. DMEPOS suppliers are required to obtain and submit a bond
of no less than $50,000 for each NPI that is assigned by CMS. Because DMEPOS
suppliers must obtain an NPI by practice location, a DMEPOS supplier with 20 practice
locations would be required to secure a $1 million surety bond.




Page 9                                 GAO-12-351 Provider and Supplier Medicare Enrollment
Claims Processing and   CMS oversees contractors that manage the three major computer
Enrollment-Related      systems used to process Medicare Part A, Part B, and DMEPOS claims.
Prepayment Edits        Together, these computer systems are referred to as the “shared
                        systems,” because claims from all the A/B MACs and DME MACs are
                        processed by these systems. CMS refers to the contractors that manage
                        these systems as the “shared systems maintainers.” 24 Provider and
                        supplier enrollment information in PECOS is downloaded to the shared
                        systems in provider files that are used in claims processing. 25 Information
                        in the provider files is intended to ensure that providers and suppliers are
                        eligible to receive payment for the services for which they have submitted
                        claims. Although multiple contractors are involved in the claims payment
                        process, the A/B and DME MACs are ultimately responsible for timely and
                        accurate processing and payment of provider and supplier claims. For the
                        relationship between the various contractors prior to January 2012 see
                        figure 1.




                        24
                          System maintenance includes activities such as programming software changes needed
                        to correct errors or to implement functionality through “hard coded” edits.
                        25
                          Although the A/B and DME MACs we interviewed referred to it as a provider file, it also
                        includes enrollment information on suppliers.




                        Page 10                             GAO-12-351 Provider and Supplier Medicare Enrollment
Figure 1: Medicare Enrollment and Claims Payment Process Prior to January 2012




                                       a
                                        Providers and suppliers include institutional providers such as hospitals and health care facilities, as
                                       well as physicians and nonphysician practitioners, who provide health care services to Medicare
                                       beneficiaries as well as certain Part B entities such as ambulance service providers, mammography
                                       centers, and portable X-ray facilities. The A/B MACS do not manage enrollment or claims processing
                                       for DMEPOS.
                                       b
                                        DMEPOS suppliers include organizations that supply Medicare beneficiaries with durable medical
                                       equipment such as walkers and wheelchairs.


                                       Providers and suppliers submit most claims to Medicare electronically.
                                       Upon electronic submission, claims first pass through an Electronic Data
                                       Interchange (EDI) process that makes sure the claims are formatted
                                       using the nationally established standards to exchange electronic




                                       Page 11                                   GAO-12-351 Provider and Supplier Medicare Enrollment
information between business entities. 26 In the EDI process, the claim is
subject to automated prepayment controls called “edits.” Here, front end
edits screen the claim for formatting errors or missing data. For example,
a front end edit checks the claim to ensure that it contains the required
10 digit NPI but would not check the validity of the NPI. Medicare
contractors reported that Medicare Parts A and B and DMEPOS claims
that do not pass front end edits are considered unprocessable and are
returned by the contractors to the appropriate provider or supplier, which
may then correct the error(s) and resubmit the claim.

If a Medicare claim is in the correct electronic format and passes the front
end edits, it is then sent for further processing in the shared systems.
There, the claim is subject to a series of prepayment edits that can
prevent payment of an incomplete or incorrect claim and may reduce
improper payments and help minimize the extent to which the program is
vulnerable to fraud, waste, and abuse. Prepayment edits include provider
enrollment-related edits and subsequent edits that screen Medicare
claims against other criteria, such as medical necessity.

Enrollment-related prepayment edits can be implemented on either the
national or local level. The national enrollment-related prepayment edits
are CMS-directed edits that are “hard coded” into the shared systems by
the systems maintainers. National edits are updated quarterly and are
standard across all A/B or DME MACs. In contrast, local prepayment
edits are created and managed by the individual A/B or DME MACs. They
may develop local enrollment-related prepayment edits based on
differences in state law that determine the scope of a provider’s or
supplier’s practice. CMS may also direct the A/B and DME MACs to
develop local edits because they can be implemented on a more flexible
schedule than CMS’s quarterly updates to national edits.




26
  The Health Insurance Portability and Accountability Act (HIPAA) mandated that covered
entities in the health care industry use standard formats for electronic claims and claims-
related transactions. 42 U.S.C. § 1320d-2. CMS’s EDI includes two systems—the
Common Edits and Enhancements module and the Common Electronic Data
Interchange—that are used for Medicare Part A and Part B claims and DMEPOS claims,
respectively. Paper claims are put into electronic format for processing.




Page 12                              GAO-12-351 Provider and Supplier Medicare Enrollment
                          Medicare claims are screened during the payment process by a series of
Claims Are Screened       enrollment-related prepayment edits that check claims against provider
against Enrollment        and supplier information maintained in PECOS. Such edits are designed
                          to prevent payments to providers and suppliers that the data indicate are
Information to            ineligible to receive Medicare payment. While prepayment edits are in
Prevent Improper          place to prevent improper payments, factors such as frequency of
Payments, but             information updates and the limitations of the data used to update
                          information in PECOS may affect the timeliness and accuracy of provider
Prevention Depends        and supplier information. In turn, this may limit the extent to which
on Timely and             enrollment-related edits prevent payments to ineligible providers and
                          suppliers.
Accurate Information
Enrollment-Related        Enrollment-related prepayment edits are designed to prevent payments to
Prepayment Edits Are      ineligible providers and suppliers—such as those that are no longer active
Designed to Prevent       in the Medicare program or that are not properly credentialed or licensed
                          to provide the services for which they have submitted claims. Ineligible
Payments to Ineligible    providers and suppliers may be enrolled in Medicare despite CMS’s and
Providers and Suppliers   its contractors’ enrollment screening efforts. Officials with the A/B and
                          DME MACs we interviewed described the application of prepayment edits
                          to claims as a cascading series of checks that occurs progressively as the
                          claim moves through the process according to the edits’ “if/then” logic.
                          For example, a certain edit will compare the NPI contained in a provider’s
                          file with the date of service contained in the claim, and if the NPI was
                          active on the date of service, then the claim would move to the next stage
                          of processing. The two types of enrollment-related prepayment edits are
                          provider and supplier verification edits and specialty edits.

                          •   Provider and supplier verification prepayment edits: Medicare
                              claims are subject to edits that verify basic provider and supplier
                              enrollment information. These enrollment-related verification edits
                              screen the claim’s data to ensure that the provider or supplier is
                              eligible for payment. For example, such edits verify the validity of the
                              entity’s NPI, which indicates whether the claim was submitted by an
                              active provider or supplier. Verification edits at this stage of claims
                              processing also screen claims to ensure that the provider’s or
                              supplier’s enrollment date is before the claim’s date of service, thus
                              indicating that they were an active provider or supplier on that date
                              and therefore generally eligible for payment. A/B and DME MAC
                              officials reported that claims failing these enrollment verification
                              prepayment edits are not paid. Information on a denied claim due to
                              provider or supplier ineligibility, including reason codes that explain
                              the reason(s) for which the claim was not paid, is sent to the provider



                          Page 13                        GAO-12-351 Provider and Supplier Medicare Enrollment
     or supplier. These codes include reasons such as “the provider must
     update license information with the payer” and “invalid provider
     identifier.” One DME MAC estimated that the number of claims denied
     due to the claim’s date of service occurring outside of a DMEPOS
     supplier’s “effective dates” for billing eligibility was only about 36,000
     claims out of a total of about 50 million claims per year.

•    Specialty prepayment edits: Enrollment-related specialty
     prepayment edits screen for provider- or item-specific information
     about providers or suppliers, such as their eligibility to bill for certain
     services that can only be provided by a certain provider type or
     specialty. For example, limited license providers such as chiropractors
     can only be paid for a limited number of allowable billing codes
     determined by CMS. Specialty edits screen claims to ensure that the
     claim contains these allowable codes. DME MAC officials told us that
     edits at this stage would also ensure, for example, that a podiatrist is
     only paid for podiatry services and not ophthalmology services. 27

Verification and specialty enrollment-related prepayment edits may be
implemented as either national or local edits. According to one A/B MAC
we spoke with, because there is little differentiation among Part A
providers most enrollment-related prepayment edits for these providers
are implemented as national edits, which are programmed into the shared
systems. A/B MAC officials reported that additional enrollment-related
local edits are more likely to be implemented for Part B provider claims
due to differences among states regarding reimbursement for certain
services and provider types. These Part B specialty edits are
implemented as local edits by the A/B MAC responsible for that state.
Regarding DME claims, one contractor we spoke with reported that CMS
more frequently standardizes the DME claims payment process. This
assures uniform coverage decisions across all DME MACs. DME MAC
officials reported that DME specialty edits include those applied to
oxygen, pharmacy, prosthetics, and orthotics claims. For example, DME
MAC officials told us that the edits applied to oxygen claims ensure that
only suppliers who have the required valid license to provide oxygen
services receive payment. All three types of claims—Part A, Part B, and
DME—that fail prepayment edits, whether at the national or local level,



27
  Medicare claims also undergo prepayment edits that are not related to provider
enrollment information. Examples include edits that screen for excessive units of service—
known as medically unlikely edits—and compliance with Medicare coverage policies.




Page 14                             GAO-12-351 Provider and Supplier Medicare Enrollment
                           are denied and returned to the provider or supplier with a reason code
                           that explains why the claim was not paid. For example, it may indicate
                           “this provider type/provider specialty may not bill this service.”

                           While prepayment edits are implemented to reduce the likelihood of
                           improper payments due to provider or supplier ineligibility, the
                           effectiveness of specific enrollment-related edits is not assessed by the
                           A/B or DME MACs or CMS. A/B MAC officials reported that they generally
                           do not need to analyze data on claims that are not paid because a
                           prepayment edit indicates the provider or supplier is ineligible to bill for
                           services. Thus, these contractors do not report on which of the
                           prepayment edits prevented the improper payment. A/B MAC officials
                           explained that each enrollment-related prepayment edit is developed to
                           perform a specific function and therefore they do not rank edits in order of
                           their effectiveness in preventing improper payments. Additionally, they
                           told us that they do not submit reports to CMS that identify which
                           enrollment-related prepayment edits are most effective. CMS requires
                           A/B MACs to submit quarterly supplements to monthly workload reports
                           that provide the agency with information on the number of denied claims
                           and reasons for denials, but this information is used to identify problem
                           areas for resolution, measure trends in denial rates, and monitor fraud
                           and abuse workloads. Although officials from one A/B and two DME
                           MACs told us that they may generate reports on claim activity, these data
                           generally are used for internal workload planning purposes or as the
                           basis for provider education on proper coding, not to determine the
                           effectiveness of certain categories of edits. 28


Edits Depend on Timely     The ability of enrollment-related edits to prevent improper payments
and Accurate Information   depends on the timeliness and accuracy of provider and supplier
in PECOS                   enrollment information contained in PECOS. In turn, the timeliness and
                           accuracy of information in PECOS—which is downloaded as provider files
                           into the shared systems each night—is affected by factors such as the
                           frequency with which contractors update this information and limitations of
                           the sources of the information used. A/B MACs and the NSC are
                           responsible for updating PECOS when conducting initial and revalidation




                           28
                             For example, A/B MACs indicated that many provider-related claim denials are due to
                           providers submitting claims for dates of service outside of the provider’s eligibility dates.




                           Page 15                               GAO-12-351 Provider and Supplier Medicare Enrollment
enrollment for providers and suppliers. 29 However, A/B MACs and the
NSC were not able to confirm the status, such as licensure, of every
provider or supplier in PECOS on a daily basis. Instead, certain aspects
of provider and supplier status have been checked less frequently. For
example, A/B MACs were required to conduct monthly reviews of provider
licensure status and an A/B MAC official told us that they searched
individual state websites for this information. A/B MACs and NSC also
have relied on a variety of data sources such as state licensure boards,
the HHS OIG’s exclusions list, and SSA’s Death Master File (DMF) to
update provider and supplier information in PECOS. These sources vary
in the ease with which A/B MACs and the NSC have been able to access
their data and the frequency with which they are updated. For example,
CMS officials reported that the A/B MACs had to manually access state
data sources to update licensure status. In addition, contractors we spoke
with said SSA releases updates to its DMF monthly and therefore there is
an interval between a provider’s death and when that information can be
updated in PECOS. As a result, payments may still be made for claims
submitted under a deceased provider’s NPI for medical services allegedly
provided after the provider’s death. One A/B MAC official said that
PECOS must first be updated to reflect the provider’s status and this
information in turn must be downloaded into the shared systems in a
timely manner to prevent an improper payment from being made. This is
because, while enrollment-related prepayment edits can identify and deny
invalid claims, the edits use the existing provider and supplier information
to do so. Thus, if the PECOS provider and supplier information is not
current or is inaccurate, the edits will be ineffective in preventing improper
payments.

We have previously reported concerns about the accuracy of the provider
and supplier enrollment information in PECOS and CMS’s oversight of
A/B MACs’ provider and supplier enrollment activities. CMS has
acknowledged these concerns and indicated that the agency is working to
address these issues. For example, we recently reported that incomplete


29
  PPACA requires all existing provider and supplier information to be revalidated by 2015.
PPACA, § 6401, 124 Stat. 119, 749, amended by § 10603, 124 Stat. 119. 1006 (codified
at 42 U.S.C. § 1395cc(j)). After the revalidation of all providers and suppliers required by
PPACA, CMS’s current cycle for revalidation—3 years for DMEPOS suppliers and 5 years
for all other providers and suppliers—will apply. CMS retains the authority to require a
provider or supplier to revalidate off-cycle when certain compliance-related concerns
arise. PECOS data must also be updated when there is a change of address or other
change to provider or supplier status.




Page 16                              GAO-12-351 Provider and Supplier Medicare Enrollment
or conflicting provider contact information in PECOS limited CMS from
using its own data to operate its Physician Feedback Program. 30
Furthermore, in 2010 we reported that A/B MACs had difficulty
recognizing when nursing home provider information in PECOS was
incomplete or inaccurate and CMS oversight of A/B MACs in this regard
was limited. 31 In that same report, we found that although CMS conducted
desk reviews and onsite audits from years 2000 through 2009 to review
contractors’ management of nursing home providers’ enrollment
functions, these audits were limited. In addition, beyond these audits,
CMS did not conduct checks on the PECOS database for internal
consistency. According to a CMS official, this limited oversight was due to
a lack of resources and competing priorities within the agency. As a result
of these findings, we recommended that CMS more closely monitor the
activities of A/B MACs’ provider and supplier enrollment activities to help
ensure the accuracy and completeness of PECOS data. CMS concurred
with this recommendation and recently reported that the agency is
evaluating the criteria it uses to assess A/B MACs’ performance as it
relates to the timeliness and accuracy of processing Medicare enrollment
applications. 32 Further, the agency reported that it plans to evaluate the
completeness and accuracy of provider and supplier enrollment data as
part of reviews of the contractors’ enrollment operations. Given that these
activities have not been implemented, we could not determine their effect
on the completeness and accuracy of PECOS data used to process
claims or whether improper payments result from inaccurate information
in the provider files.




30
  The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) required
HHS to establish and begin implementing by January 1, 2009, a Physician Feedback
Program that would include distribution of confidential feedback reports to physicians on
the resources used to provide care to Medicare beneficiaries. Pub. L. No. 110-275, § 131,
122 Stat. 2492, 2526-2527 (July 15, 2008). See GAO, Medicare Physician Feedback
Program: CMS Faces Challenges with Methodology and Distribution of Physician Reports,
GAO-11-720 (Washington, D.C.: Aug. 12, 2011).
31
 See GAO, Nursing Homes: Complexity of Private Investment Purchases Demonstrates
Need for CMS to Improve the Usability and Completeness of Ownership Data,
GAO-10-710 (Washington, D.C.: Sept. 30, 2010).
32
  CMS uses its Quality Assurance Surveillance Plans (QASP) to evaluate A/B and DME
MAC’s fulfillment of contract requirements. The QASP describes CMS’s plan for
inspecting the work within the various business functions that the MACs conduct.




Page 17                             GAO-12-351 Provider and Supplier Medicare Enrollment
                             Since the enactment of PPACA, CMS has implemented new provider and
CMS Has                      supplier enrollment screening procedures and has also implemented
Implemented Some             other measures intended to strengthen existing procedures. However, the
                             implementation of some additional enrollment screening procedures by
New Enrollment               CMS is still in progress.
Screening Procedures
Since PPACA, While
Others Remain in
Progress
CMS Implemented Some         Since the enactment of PPACA, CMS has implemented some new
New Screening Procedures     provider and supplier enrollment screening procedures, and put in place
and Added Measures           other measures intended to strengthen existing procedures. 33 New
                             screening procedures that define conditions for provider and supplier
Intended to Strengthen
                             enrollment in Medicare include CMS’s determination of different levels of
Other Existing Procedures    screening according to the risk of fraud, waste, and abuse with respect to
                             categories of providers or suppliers, and a new application fee for some
                             types of providers. CMS also published a regulation consistent with its
                             existing practice, requiring providers and suppliers to include their NPI on
                             all enrollment applications and claims, and added two new Medicare
                             contractors—an automated screening contractor and a site visit
                             contractor—that are intended to conduct enhanced enrollment screening
                             and site visits.

Provider and Supplier Risk   To strengthen the screening activities already conducted by CMS’s
Levels                       contractors, PPACA required that the level of screening applied to each
                             category of provider and supplier be based on their assessed risk of
                             fraud, waste, and abuse and that screening procedures for Medicare
                             providers and suppliers be explicitly established. On February 2, 2011,
                             CMS published a Final Rule to implement these new screening
                             procedures. The Final Rule requires, among other things, that the A/B
                             MACs and the NSC conduct enrollment screening based on categories of




                             33
                               PPACA also applies to certain enrollment provisions related to Medicaid or to the state
                             Children’s Health Insurance Program (CHIP). Medicaid is the federal-state program that
                             covers acute health care, long-term care, and other services for low-income people. CHIP
                             is the joint federal-state program that provides health coverage to children whose families
                             have incomes that are low, but not low enough to qualify for Medicaid. This report does
                             not discuss how PPACA affects either Medicaid or CHIP.




                             Page 18                              GAO-12-351 Provider and Supplier Medicare Enrollment
providers and suppliers and levels of risk. 34 CMS assigned these new risk
levels—limited, moderate, and high—to categories of providers and
suppliers based on determinations of which categories were at a greater
risk for fraud, waste, and abuse. (See table 1.) A/B MACs and the NSC
designate the appropriate screening level in PECOS for each enrolling
provider and supplier upon submission of an application. Screening levels
are designated based upon CMS guidance. As of October 2011, A/B
MACs and the NSC had entered the screening level information in
PECOS for all providers and suppliers that submitted an application.

CMS stated that it assigned these categories of provider and supplier risk
levels based on the agency’s experience with claims data used to identify
potentially fraudulent billing practices, as well as on the expertise of its
contractors charged with investigating and identifying instances of
Medicare fraud across providers and suppliers. The agency also based
these risk levels on prior findings in reports by GAO and HHS OIG. In
addition, CMS will adjust the screening level of an individual provider or
supplier from ‘‘limited’’ or ‘‘moderate’’ to ‘‘high’’ based on other factors,
such as whether the provider or supplier has had its Medicare billing
privileges revoked, has been terminated or is otherwise precluded from
billing Medicaid, or has been subject to any final adverse action within the
past 10 years such as license revocation or suspension, or certain felony
convictions.




34
  Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening
Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions
and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011).




Page 19                           GAO-12-351 Provider and Supplier Medicare Enrollment
Table 1: Categories of Medicare Providers and Suppliers Designated by Risk Level for Enrollment Screening

Risk level      Categories of Medicare providers and suppliers
Limited         Physician or nonphysician practitioners and medical groups or clinics, with the exception of physical therapists and
                physical therapy groups. Ambulatory surgical centers, competitive acquisition programs/Part B vendors, end-stage
                                                                                                              a
                renal disease facilities, federally qualified health centers, histocompatibility laboratories, hospitals, including critical
                access hospitals, Indian Health Service facilities, mammography screening centers, mass immunization roster
                        b
                billers, organ procurement organizations, pharmacies newly enrolling or revalidating, radiation therapy centers,
                religious nonmedical health care institutions, rural health clinics, and skilled nursing facilities.
Moderate        Ambulance suppliers, community mental health centers, comprehensive outpatient rehabilitation facilities, hospice
                organizations, independent diagnostic testing facilities, independent clinical laboratories, physical therapy including
                physical therapy groups, portable X-ray suppliers, and currently enrolled (revalidating) home health agencies.
High            Prospective (newly enrolling) home health agencies and prospective (newly enrolling) suppliers of durable medical
                equipment, prosthetics, orthotics, and supplies.
                                             Source: GAO analysis of CMS Final Rule with Comment Period, Medicare, Medicaid, and Children’s Health Insurance Programs:
                                             Additional Screening Requirements, Applications Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans
                                             for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011).
                                             a
                                              The responsibility of the histocompatibility laboratory is to provide an evaluation of certain genetic
                                             data and pertinent patient immunologic risk factors that will allow the clinician and patient to decide
                                             which approaches to transplantation are in the patient’s best interest.
                                             b
                                               Mass immunization roster billers are providers and suppliers who enroll in the Medicare program to
                                             offer the influenza (flu) vaccinations to a large number of individuals, and they must be properly
                                             licensed in the states in which they plan to operate influenza clinics.


                                             Based on these new risk levels, providers and suppliers are subject to
                                             different screening procedures, with those in the high-risk level subject to
                                             the most rigorous screening. While PPACA requires that all categories of
                                             providers and suppliers be subject to licensure checks, it gave CMS
                                             discretion to establish a risk-based application of other screening
                                             procedures. CMS determined that providers and suppliers in all
                                             categories also must continue to undergo existing enrollment checks
                                             using various data sources to verify certain information such as Social
                                             Security number, NPI, HHS OIG exclusion, and taxpayer identification
                                             number. 35 According to CMS’s new risk-based screening, moderate- and
                                             high-risk providers and suppliers additionally must undergo unscheduled
                                             or unannounced site visits, while high-risk providers and suppliers also
                                             will be subject to fingerprint-based criminal background checks. 36



                                             35
                                               A taxpayer identification number is an identification number used by the Internal
                                             Revenue Service (IRS) in the administration of tax laws. It is issued either by the SSA or
                                             by the IRS.
                                             36
                                                All individuals with a direct or indirect ownership interest of 5 percent or greater in high-
                                             risk providers and suppliers are subject to fingerprint-based criminal background checks.




                                             Page 20                                            GAO-12-351 Provider and Supplier Medicare Enrollment
Application Fee   PPACA required HHS, for the first time, to impose an application fee on
                  each institutional provider and on suppliers. In response, effective
                  March 25, 2011, CMS, in its Final Rule, required all institutional providers
                  and suppliers enrolling in Medicare, adding a practice location, or
                  revalidating their enrollment to pay a $505 application fee. 37 PPACA
                  specifies that amounts collected as the result of the application fee shall
                  be used for program integrity efforts, including to cover the cost of
                  enrollment screening and to carry out other screening. 38 However,
                  PPACA permits CMS to grant a hardship exception for institutional
                  providers and suppliers on a case-by-case basis if the agency determines
                  that the imposition of the application fee would cause a hardship. 39
                  According to CMS officials, an institutional provider or supplier working
                  with underserved populations or engaged in extensive charity work would
                  be a possible candidate for a hardship exception. CMS has instructed its
                  contractors in guidance on March 23, 2011, not to process any Medicare
                  enrollment applications without the proper application fee having been
                  paid or a hardship exception approved. 40 CMS transmits information
                  about application fee payments by institutional providers and suppliers—




                  37
                    Institutional providers include hospitals, home health agencies, community mental health
                  centers, and skilled nursing facilities. Application fees do not apply to physicians,
                  nonphysician practitioners, physician organizations, and nonphysician organizations.
                  Suppliers include DMEPOS suppliers and other suppliers including ambulance service
                  providers, mammography centers, and independent clinical laboratories.
                  38
                    PPACA, § 6401, 124 Stat. 119, 748, amended by § 10603, 124 Stat. 119. 1006 (codified
                  at 42 U.S.C. § 1395cc(j)). PPACA established that fee amounts for subsequent years
                  would be equal to the preceding year’s fee adjusted by the percentage change in the
                  Consumer Price Index (for all urban consumers) for the 12-month period ending on
                  June 30 of the prior year.
                  39
                    CMS stated that a provider or supplier requesting a hardship exception must submit
                  documentation of the need for an exception. For example, the application must include a
                  letter and supporting documentation that describe the significant burden and why it merits
                  an exception.
                  40
                    A/B MACs and the NSC must notify a provider or supplier who does not submit a fee or
                  hardship exception request that it has 30 days from the date of the letter to pay the
                  application fee, and that failure to do so will result in the rejection of the enrollment
                  application (for initial enrollments and new practice locations) or revocation of the
                  provider’s Medicare billing privileges (for revalidation). The letter must also state that
                  because a hardship exemption request was not submitted with the original application,
                  such a request will not be considered in lieu of the fee. If the fee is paid within the 30 day
                  period, the contractor may begin processing the application.




                  Page 21                               GAO-12-351 Provider and Supplier Medicare Enrollment
                               which are made through an electronic payment system—to the A/B
                               MACS or the NSC via PECOS. 41

NPI Regulation                 PPACA required HHS to promulgate a regulation for the inclusion of an
                               NPI on all Medicare applications and claims by all providers and suppliers
                               that qualify for an NPI—a practice that was already in effect. 42 The
                               regulation was published as an interim Final Rule on May 5, 2010, and
                               was effective July 6, 2010. 43 Prior to the PPACA requirement for a
                               specific regulation, CMS had required contractors to confirm that
                               providers and suppliers included their NPI on Medicare enrollment
                               applications and claims. Since 2006, the agency has required that
                               enrollment applications include an NPI and since 2008 providers and
                               suppliers have been required to report their NPI on Medicare claims. 44

New Screening and Site Visit   In a further effort to strengthen its enrollment processes, at the end of
Contractors                    2011, CMS contracted with an automated screening contractor to assume
                               screening responsibilities from the A/B MACs and the NSC, and a site
                               visit contractor to assume site visit responsibilities from the A/B MACs.
                               CMS awarded a contract in September 2011 to an automated screening
                               contractor that began screening new Medicare enrollments for all
                               providers and suppliers, on December 31, 2011. Additionally, CMS
                               officials said that the screening contractor was setting up baseline data
                               and will assume the screening function for the A/B MACs and the NSC by
                               the end of March 2012. The screening contractor will screen all providers
                               and suppliers including DMEPOS suppliers. The automated screening
                               contractor is responsible for electronically screening applicant information
                               against various data sources used for enrollment to determine that the


                               41
                                 The provider or supplier must pay the application fee electronically through
                               http://www.pay.gov. Pay.gov is the federal government website where individuals can
                               submit payment to various federal agencies on-line.
                               42
                                PPACA, § 6402, 124 Stat. 119, 753-763 (codified at 42 U.S.C. § 1320a-7k).
                               43
                                Medicare and Medicaid Programs; Changes in Provider and Supplier Enrollment,
                               Ordering and Referring, and Documentation Requirements, and Changes in Provider
                               Agreements, 75 Fed. Reg. 24437 (May 5, 2010).
                               44
                                 HIPAA required that HHS adopt standards for unique health identifiers. In a Final Rule,
                               CMS adopted the NPI as the standard unique health identifier for health care providers.
                               Centers for Medicare & Medicaid Services, The National Provider Identifier Rule, 69 Fed.
                               Reg. 3434 (Jan. 23, 2004). Consistent with the NPI Final Rule, beginning in 2006, the
                               Medicare program required providers and suppliers to report their NPIs on their enrollment
                               applications.




                               Page 22                             GAO-12-351 Provider and Supplier Medicare Enrollment
provider or supplier meets Medicare eligibility criteria such as valid
licensure, accreditation, and a valid NPI, and is not on exclusion lists,
such as the HHS OIG list of providers and suppliers excluded from
participating in federally funded health care programs. This screening
process results in a report to the A/B MACs and NSC that indicates the
screening components that the applicant passed and also screening
components flagged for additional review. The A/B MACs and NSC,
which remain responsible for enrollment and revalidation, obtain
documentation from the provider or supplier on any flagged information
that requires additional review to determine if the applicant meets
Medicare enrollment or revalidation requirements. In addition to
conducting screening at enrollment and revalidation, the automated
screening contractor conducts checks of certain screening information on
an ongoing basis. For example, the automated screening contractor is
responsible for validating licensure status at least weekly. Previously, A/B
MACs and the NSC were responsible for manually reviewing state-
provided licensure information monthly to determine if any enrolled
Medicare providers’ or suppliers’ licenses had been revoked, suspended,
or otherwise inactivated in the last 60 days.

CMS officials said that the automated screening contractor is developing
an individual risk score for each provider or supplier. This individual risk
score is similar to a credit risk score. The contractor’s risk scores may be
used eventually as additional risk criteria that determine screening
activities for providers and suppliers.

CMS officials said the new automated screening contractor provides a
centralized point for Medicare enrollment screening and allows for a
national view of provider and supplier information, rather than the more
limited regional view that the A/B MACs provided previously. For
example, the automated screening contractor has been able to access
information about providers and suppliers who operate across geographic
regions. In addition, CMS officials said that the agency has taken a
centralized approach to automated screening of enrollment data because
of weaknesses observed in enrollment screening efforts, which were due
generally to the large number of providers and suppliers for which the A/B
MACs and the NSC had to manually screen applications and the lack of
efficient access to data sources containing enrollment information.
According to CMS officials, they expect the new automated screening
contractor to improve the integrity of the enrollment and revalidation
processes by automating the data checks and integrating new data
sources. For example, CMS has directed the automated screening



Page 23                        GAO-12-351 Provider and Supplier Medicare Enrollment
contractor to identify additional data sources for screening checks, such
as financial, tax and business, and geospatial data sources.

Additionally, in December 2011, CMS contracted with a site visit
contractor to perform nationwide physical site visits for all providers and
suppliers, except DMEPOS suppliers, in the moderate- and high-risk
screening categories in all states and six U.S. territories. The site visit
contractor began conducting site visits and making site visit reports
available electronically through a portal accessible to CMS and its other
contractors in February 2012. These site visits previously were performed
by the A/B MACs. The A/B MACs will order any required on-site visits
through the site visit contractor, which will schedule and conduct them
and provide the results to the appropriate A/B MAC. However, the NSC
will continue to conduct site visits related to provider enrollment of
DMEPOS suppliers. 45

CMS requires two types of site visits: routine and rapid response.
According to CMS, routine site visits involve a physical location
verification and collection of required data elements using predefined
checklists. Rapid response site visits are triggered by an alert of possible
fraudulent activity, and may require the same elements as a routine site
visit but with rapid reporting and response due to the alert. Except for
DMEPOS suppliers, the national site visit contractor collects site visit
information at the physical provider or supplier site using defined
questionnaires and gathers photographic evidence for transmission to
CMS. The data elements required during routine and rapid response site
visits include validation of the physical location of the provider or supplier,
including capturing global positioning system coordinates of the site,
photographs of the door of the provider or supplier office, and signage of
the office. The contractor is required to conduct site visits and deliver
completed site visit reports within a specified time period. Depending on
the request from CMS or an A/B MAC, the contractor will make site visits
within 30, 15, or 7 days, for routine visits, or within 36 hours for rapid
response visits. CMS estimated that in the first year of the contract, the
site visit contractor would conduct nearly 60,000 site visits within 30 days,
almost 5,000 site visits within 15 days, almost 1,000 site visits within
7 days, and about 30 rapid response site visits. CMS officials said the



45
  CMS at times exercises its authority to conduct a site visit or request its contractors to
conduct a site visit for any Medicare provider or supplier.




Page 24                               GAO-12-351 Provider and Supplier Medicare Enrollment
                             national site visit contractor is expected to provide consistency of site
                             visits across the country and, similar to the automated screening
                             contractor, reduce the A/B MACs’ workloads.


Several New Screening        CMS’s implementation of some enrollment screening procedures
Procedures Remain in         authorized by PPACA remains in progress, including efforts to (1) extend
Progress                     surety bond requirements to additional providers and suppliers,
                             (2) conduct fingerprint-based criminal background checks of high-risk
                             providers and suppliers, (3) require enrolling providers and suppliers to
                             disclose additional types of information, and (4) require compliance and
                             ethics programs for providers and suppliers.

Extend Surety Bond           CMS is in the process of drafting a proposed rule to extend the surety
Requirements to Additional   bond requirement to certain providers and other suppliers. 46 Previously,
Providers and Suppliers      surety bonds generally had been required only for DMEPOS suppliers. 47
                             Specifically, CMS officials said that they are seeking comments on
                             extending surety bonds to home health agencies and independent
                             diagnostic testing facilities (and, potentially, outpatient rehabilitation
                             facilities) and that they expected to issue a proposed rule to require
                             surety bonds as conditions of enrollment for certain other types of
                             providers in the fall of 2012. PPACA extended CMS’s authority to impose
                             surety bonds on certain additional providers and suppliers, based on a
                             determination about their level of risk. 48 The surety bond would be in an
                             amount commensurate with the provider’s or supplier’s billing volume, but
                             not less than $50,000. CMS officials also said they are considering giving
                             a new supplier provisional enrollment and then setting the amount of the
                             surety bond after a review of billing activities.

                             While CMS is considering extending surety bonds to additional providers
                             and suppliers, a 2011 HHS OIG report stated that CMS did not have
                             finalized procedures for recovering DMEPOS overpayments through
                             surety bonds, and therefore, as of July 2011, no overpayments had been
                             recovered through surety bonds since October 2, 2009, the date the


                             46
                               A surety bond is a three-party agreement in which a company, known as a surety,
                             agrees to compensate the bondholder if the bond purchaser fails to keep a specified
                             promise.
                             47
                              Social Security Act § 1834(a)(16)(B).
                             48
                              PPACA, § 6402, 124 Stat. 119, 753-763.




                             Page 25                             GAO-12-351 Provider and Supplier Medicare Enrollment
                             surety bond requirement became effective. 49 However, in January 2012,
                             CMS released guidance on claims against surety bonds for DMEPOS
                             suppliers. 50 The guidance states that the surety—a company that
                             provides the surety bond —is liable for any overpayments incurred during
                             the term of the surety bond and that the surety must pay CMS within
                             30 days of receiving written notice of an overpayment. CMS’s guidance
                             also advises DME MACs on how to collect overpayments incurred during
                             the term of a surety bond. CMS officials said that they expect that many
                             of the requirements for obtaining and maintaining DMEPOS surety bonds
                             can be easily applied to home health agencies and independent
                             diagnostic testing facilities.

Conduct Fingerprint-Based    CMS officials said the agency was working with the Federal Bureau of
Criminal Background Checks   Investigation (FBI) to gain access to its criminal background information
of High-Risk Providers and   for use in conducting fingerprint-based criminal background checks of
Suppliers                    high-risk providers and suppliers. PPACA authorized, but did not require,
                             the use of criminal background checks in its risk-based provider and
                             supplier screening. In order to conduct criminal background checks, CMS
                             officials said they will contract with FBI channelers, whose contracts were
                             recently recompeted by the FBI; CMS officials said that as of December
                             2011, 20 contracts were approved and 13 had been awarded by the
                             FBI. 51 CMS plans to contract with two channelers, one to conduct
                             background checks and one to handle provider and supplier
                             fingerprinting. CMS officials said they are developing a scope of work to
                             solicit among the FBI-approved channelers and expect to have contracts
                             in place before the end of 2012. CMS officials also said that they plan to
                             develop guidance to further define A/B MAC and NSC responsibilities and
                             work flow of these checks.


                             49
                              HHS-OIG, Use of Surety Bonds to Recover Overpayments Made to Suppliers of Durable
                             Medical Equipment, Prosthetics, Orthotics, and Supplies: Early Findings,
                             OEI-03-11-00351 (Sept. 12, 2011).
                             50
                               The guidance states that payment from the surety bond includes amounts up to the
                             maximum obligation of the bond including: the amount of any unpaid claim, plus accrued
                             interest, for which the DMEPOS supplier is responsible; and the amount of any unpaid
                             claim, civil monetary penalty, or assessment imposed by CMS or the HHS OIG on the
                             DMEPOS supplier, plus accrued interest.
                             51
                               Channelers are contractors who help collect the criminal history record information for
                             the FBI. FBI-approved channelers receive the fingerprint submission and relevant data,
                             collect the associated fee(s), electronically forward the fingerprint submission with the
                             necessary information to the FBI for a national criminal background check, and receive the
                             electronic record check result for dissemination to the individual or authorized recipient.




                             Page 26                             GAO-12-351 Provider and Supplier Medicare Enrollment
Requiring Providers and          CMS officials said the agency was developing and reviewing regulations
Suppliers to Disclose            to address the requirement for increased disclosures for enrolling or
Additional Information           revalidating Medicare providers and suppliers. PPACA requires providers
                                 and suppliers to disclose any current or previous affiliation with another
                                 provider or supplier that has uncollected debt; has been or is subject to a
                                 payment suspension under a federal health care program; has been
                                 excluded from participation under Medicare, Medicaid, or CHIP; or has
                                 had its billing privileges denied or revoked at the time of initial enrollment
                                 or revalidation of enrollment. CMS officials noted that the development of
                                 these regulations is complicated by many issues that need to be
                                 addressed, such as provider and supplier concern about what information
                                 will be collected, what CMS will do with information once it is collected,
                                 and how to address concerns about maintaining the privacy and security
                                 of the information. CMS officials said the agency did not meet its own
                                 time frame for publishing a regulation to address this PPACA provision by
                                 November 2011 and they are not certain when the regulation will be
                                 published.

Development of Regulations for   CMS officials said that the agency was studying criteria found in HHS
a Compliance and Ethics          OIG model plans as it worked to address the PPACA requirement that the
Program                          agency establish the core elements of compliance and ethics programs
                                 for providers and suppliers. PPACA required that Medicare providers
                                 establish compliance programs that contain the core elements
                                 established by CMS in consultation with the HHS OIG. In general, a
                                 compliance program is the internal set of policies, processes, and
                                 procedures that a provider organization implements to help it act ethically
                                 and lawfully. In this context, a compliance program is intended to help
                                 provider and supplier organizations prevent and detect violations of
                                 Medicare laws and regulations. CMS does not have a projected target
                                 date for implementation.


                                 Timely and accurate Medicare provider and supplier enrollment
Concluding                       information maintained in the PECOS database are essential to reducing
Observations                     fraud, waste, and abuse and the likelihood of making improper payments.
                                 Although PECOS information has been routinely updated by CMS’s A/B
                                 MACs and the NSC using multiple national and state data sources,
                                 limitations in these data sources and in the frequency with which updates
                                 are made may lead to delays in, or failures to, accurately update
                                 information in PECOS, resulting in payments to ineligible providers or
                                 suppliers. As a result of the provisions in PPACA, CMS has begun to
                                 supplement its previous provider enrollment activities with new
                                 procedures and contracts that have the potential to improve the accuracy


                                 Page 27                        GAO-12-351 Provider and Supplier Medicare Enrollment
                  and timeliness of information stored in PECOS. In particular, CMS’s new
                  enrollment screening and site visit contracts shift some provider
                  enrollment activities from the A/B MACs and NSC to centralized national
                  contractors. CMS anticipates that the new screening contractor will
                  improve the accuracy and timeliness of updates to the provider
                  enrollment information in PECOS by automating the process and using
                  additional data sources for enrollment screening. In addition, CMS
                  expects that the new site visit contractor will enable the agency to
                  conduct routine and targeted site visits of certain providers and suppliers
                  in categories considered at greater risk for submitting improper or
                  potentially fraudulent Medicare claims. Our previous work has found, and
                  we recommended, that contractor monitoring is needed to ensure that
                  CMS and its contractors identify and address the causes of improper
                  payments. However, it is too early to determine whether these new
                  contractors—and the agency’s pending action on other PPACA provisions
                  intended to strengthen provider enrollment standards—will improve the
                  integrity of the Medicare provider enrollment and claims payment
                  processes and reduce the likelihood of improper payments.


                  HHS reviewed a draft of this report and in its written comments
Agency Comments   highlighted continuing steps that CMS is taking to improve the accuracy
                  and timeliness of data used to screen providers and suppliers and to
                  further strengthen contractor oversight and PECOS data integrity. In its
                  general comments, HHS noted that, since we conducted our work, CMS
                  has increased the frequency with which it receives the SSA’s DMF and
                  now populates PECOS with this information weekly, rather than monthly.
                  In addition, CMS will use its new automated screening contractor to
                  routinely monitor changes that can affect enrollment status, such as death
                  or loss of required licenses for providers and suppliers. HHS also
                  commented that CMS is taking action to further strengthen quality control
                  by performing follow-up analysis to ensure actions reported during the
                  enrollment and revalidation processes are properly updated in PECOS.
                  HHS noted that CMS is taking steps to improve the QASP process used
                  to evaluate specific contractor functions by improving the depth at which
                  these studies are performed and concentrating on areas that affect the
                  quality of PECOS data. HHS’s comments are printed in appendix I. HHS
                  also provided technical comments, which we incorporated as appropriate.




                  Page 28                       GAO-12-351 Provider and Supplier Medicare Enrollment
As agreed with your office, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from the
report date. At that time, we will send copies to the Secretary of Health
and Human Services, the Administrator of CMS and other interested
parties. The report also will be available at no charge on the GAO Web
site at http://www.gao.gov.

If you or your staff members have any questions about this report, please
contact me at (202) 512-7114 or kingk@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. Other major contributors to this report are
listed in appendix II.

Sincerely yours,




Kathleen M. King
Director, Health Care




Page 29                        GAO-12-351 Provider and Supplier Medicare Enrollment
Appendix I: Comments from the Department
             Appendix I: Comments from the Department of
             Health and Human Services



of Health and Human Services




             Page 30                            GAO-12-351 Provider and Supplier Medicare Enrollment
Appendix I: Comments from the Department of
Health and Human Services




Page 31                            GAO-12-351 Provider and Supplier Medicare Enrollment
Appendix II: GAO Contact and Staff
                  Appendix II: GAO Contact and Staff
                  Acknowledgments



Acknowledgments

                  Kathleen M. King, (202) 512-7114 or kingk@gao.gov
GAO Contact
                  In addition to the contact named above, Karen Doran, Assistant Director;
Staff             April Brantley; Jennel Harvey; Anne Hopewell; Laurie Pachter;
Acknowledgments   Monica Perez-Nelson; and Jessica Colbert Smith made key contributions
                  to this report.




(290941)
                  Page 32                              GAO-12-351 Provider and Supplier Medicare Enrollment
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.