United States Government Accountability Office GAO Testimony Before the Committee on Finance, U.S. Senate MEDICARE For Release on Delivery Expected at 10:00 a.m. EDT Tuesday, April 24, 2012 Important Steps Have Been Taken, but More Could Be Done to Deter Fraud Statement of Kathleen King Director, Health Care GAO-12-671T April 24, 2012 MEDICARE Important Steps Have Been Taken, but More Could Be Done to Deter Fraud Highlights of GAO-12-671T, a testimony before the Committee on Finance, U.S. Senate Why GAO Did This Study What GAO Found GAO has designated Medicare as a The Centers for Medicare & Medicaid Services (CMS)—the agency that high-risk program, in part because its administers Medicare—has made progress in implementing several key complexity makes it particularly strategies GAO identified in prior work as helpful in protecting Medicare from vulnerable to fraud. Fraud involves an fraud; however, some actions that could help combat fraud remain incomplete. intentional act or representation to deceive with the knowledge that the Provider Enrollment: GAO’s previous work found persistent weaknesses in action or representation could result in Medicare’s enrollment standards and procedures that increased the risk of gain. The deceptive nature of fraud enrolling entities intent on defrauding the program. CMS has strengthened makes its extent in the Medicare provider enrollment—for example, in February 2011, CMS designated three program difficult to measure in a levels of risk—high, moderate, and limited—with different screening procedures reliable way, but it is clear that fraud for categories of providers at each level. However, CMS has not completed other contributes to Medicare’s fiscal actions, including implementation of some relevant provisions of the Patient problems. Reducing fraud could help Protection and Affordable Care Act (PPACA). Specifically, CMS has not rein in the escalating costs of the (1) determined which providers will be required to post surety bonds to help program. ensure that payments made for fraudulent billing can be recovered, This statement focuses on the (2) contracted for fingerprint-based criminal background checks, (3) issued a progress made and steps that remain final regulation to require additional provider disclosures of information, and to be taken by CMS to implement (4) established core elements for provider compliance programs. recent legislation and GAO’s past Pre- and Post-payment Claims Review: GAO had previously found that recommendations to prevent or reduce increased efforts to review claims on a prepayment basis can prevent payments fraud in Medicare. It is based on relevant GAO products issued from from being made for potentially fraudulent claims, while improving systems used April 2004 through April 2012 using a to review claims on a post-payment basis could better identify patterns of variety of methodologies, such as potentially fraudulent billing for further investigation. CMS has controls in analyses of Medicare claims, review of Medicare’s claims processing systems to determine if claims should be paid, relevant policies and procedures, and denied, or reviewed further by comparing information on claims with information interviews with officials. In April 2012, on providers and Medicare coverage and requirements. These controls require GAO also received updated timely and accurate information about providers that GAO has previously information from CMS on agency recommended that CMS strengthen. GAO is currently examining CMS’s use of actions. prepayment edits to implement coverage and payment policies and CMS’s new Fraud Prevention System, which uses analytic methods to examine claims before payment. CMS could better use post-payment claims review to identify patterns of fraud by incorporating prior GAO recommendations to develop plans and timelines for fully implementing and expanding two information technology systems it developed. These systems are a central storehouse of Medicare and other data and a Web portal to the storehouse with tools for analysis. Robust Process to Address Identified Vulnerabilities: Having mechanisms in place to resolve vulnerabilities that lead to erroneous payments is critical to effective program management and could help address fraud. Such vulnerabilities are service- or system-specific weaknesses that can lead to payment errors—for example, providers receiving multiple payments as a result of incorrect coding. GAO has previously identified weaknesses in this process, which resulted in vulnerabilities being left unaddressed. GAO is evaluating the current status of the process for assessing and developing corrective actions to address vulnerabilities. View GAO-12-671T. For more information, contact Kathleen King at (202) 512-7114 or firstname.lastname@example.org. United States Government Accountability Office Mr. Chairman, Ranking Member, and Other Members of the Committee: I am pleased to be here today to discuss our work regarding fraud in the Medicare program, and provisions in recent laws and agency actions that may help address this problem. 1 Fraud involves an intentional act or representation to deceive with the knowledge that the action or representation could result in gain. Although there have been convictions for multimillion dollar schemes that defrauded the Medicare program, the extent of the problem is unknown. There are no reliable estimates of the extent of fraud in the Medicare program or for the health care industry as a whole. By its very nature, fraud is difficult to detect, as those involved are engaged in intentional deception. For example, fraud may involve providers submitting a claim with false documentation for services not provided, while the claim on its face may appear valid. Fraud also can involve efforts to hide ownership of companies or kickbacks to obtain beneficiary information. Although the full extent of the problem is unknown, it is clear that the Medicare program is vulnerable to fraud, which contributes to Medicare’s fiscal problems. Reducing fraud could help rein in the escalating costs of the program. We have repeatedly designated Medicare as a high-risk program, as its complexity, and susceptibility to payment errors from various causes, added to its size, have made it vulnerable to loss. 2 As one example, the fee-for-service (FFS) portion of the Medicare program processes over a billion claims a year from about 1.5 million providers and suppliers; working to ensure that those payments are accurate is a complex, ongoing task. Medicare has many individual vulnerabilities, which are service- or system-specific weaknesses that can lead to payment errors, 1 Medicare is the federally financed health insurance program for persons age 65 or over, certain individuals with disabilities, and individuals with end-stage renal disease. Medicare Parts A and B are known as Medicare fee-for-service (FFS). Medicare Part A covers hospital and other inpatient stays. Medicare Part B is optional, and covers hospital outpatient, physician, and other services. Medicare beneficiaries have the option of obtaining coverage for Medicare services from private health plans that participate in Medicare Advantage—Medicare’s managed care program—also known as Part C. All Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Part D, either as a stand-alone benefit or as part of a Medicare Advantage plan. 2 In 1990, we began to report on government operations that we identified as “high risk” for serious weaknesses in areas that involve substantial resources and provide critical services to the public. Medicare has been included among such programs since 1990. See GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.: February 2011). http://www.gao.gov/highrisk/risks/insurance/medicare_program.php. Page 1 GAO-12-671T including those due to fraud. 3 If the Centers for Medicare & Medicaid Services (CMS), the agency within the Department of Health and Human Services (HHS) that administers the program, suspects that providers or suppliers are billing fraudulently, it can take action, including suspending claims payment, revoking billing privileges, or referring cases to law enforcement for investigation. 4 Further, it can impose a moratorium on new enrollment of providers or suppliers. 5 Since 1997, Congress has provided funds specifically for activities to address fraud, as well as waste and abuse, 6 in Medicare and other federal health care programs. In addition, Congress created the Medicare Integrity Program to conduct activities to reduce fraud, waste, abuse, and improper payments. 7 In 2010, Congress passed the Patient Protection and Affordable Care Act (PPACA), which provided additional funding for such efforts and set a number of new requirements specific to Medicare. 8 Furthermore, the Small Business Jobs Act of 2010 9 established new Medicare fee-for- 3 CMS defines vulnerabilities to the Medicare program as issues that can lead to fraud, waste, or abuse, which can either be specific, such as providers receiving multiple payments as a result of incorrect coding for a service, or general and programwide, such as weaknesses in online application processes. 4 In this testimony, the term provider includes entities such as hospitals or physicians, and supplier means an entity that supplies Medicare beneficiaries with durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) such as walkers and wheelchairs. 5 Enrolling as a provider or supplier in Medicare allows an entity to provide services or equipment to beneficiaries and bill for those services. 6 Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices. 7 An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111- 204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). 8 Pub. L. No. 111-148, 124 Stat.119 (2010), as amended by Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA. The provisions discussed in this statement are generally located in sections 6401 through 6411 and 10603 and 10605 of PPACA, as well as sections 1303 and 1304 of HCERA. 9 Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. Page 2 GAO-12-671T service claims review requirements and provided funding to implement these requirements. My testimony today focuses on the progress made and steps that remain to be taken by CMS to reduce fraud in Medicare. It is informed by 8 years of our work on Medicare fraud, waste, abuse, and improper payments, including our most recent report assessing CMS’s efforts to strengthen the screening of providers and suppliers, which can help prevent entities intent on committing fraud from obtaining billing privileges. 10 I will focus on several key strategies CMS can undertake to help reduce fraud identified in our prior work from 2004 to 2012, namely: 11 • strengthening provider enrollment standards and procedures, • improving pre- and post-payment claims review, and • developing a robust process for addressing identified vulnerabilities. The products on which this statement is based were developed by using a variety of methodologies, including analyses of Medicare claims, review of relevant policies and procedures, interviews with agency officials and other stakeholders, and site visits. 12 We also received updated information from CMS in April 2012 on its actions related to the laws, regulations, guidance, and open recommendations that we discuss in this statement. Our prior work was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 10 See GAO, Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers, GAO-12-351 (Washington, D.C.: Apr. 10, 2012). 11 These strategies were among those identified in our June 2010 testimony as critical to helping prevent fraud, waste, and abuse in Medicare. See GAO, Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments, GAO-10-844T (Washington, D.C.: June 15, 2010). A list of related products appears at the end of this statement. 12 The products listed at the end of this statement contain detailed information on the methodologies used in our work. Page 3 GAO-12-671T CMS has made progress strengthening provider enrollment to try to better CMS Has Made ensure that only legitimate providers and suppliers are allowed to bill Progress in Medicare. However, CMS has not completed other actions that could help prevent individuals intent on fraud from enrolling, including Strengthening implementation of some relevant PPACA provisions. Provider Enrollment, but Further Actions Are Needed Past CMS efforts to Our previous work found persistent weaknesses in Medicare’s enrollment strengthen provider standards and procedures that increased the risk of enrolling entities enrollment intent on defrauding the Medicare program. 13 We, CMS, and the HHS Office of Inspector General (OIG) have previously identified two types of providers whose services and items are especially vulnerable to improper payments and fraud—home health agencies (HHA) and suppliers of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS). We found weaknesses in oversight of providers’ and suppliers’ enrollment. For example, in 2008, we identified weaknesses when we created two fictitious DMEPOS companies, which were subsequently enrolled by CMS’s contractor and given permission to begin billing Medicare. 14 In 2009, we found that CMS’s contractors were not requiring HHAs to resubmit enrollment information for re-verification every 5 years as required by CMS. 15 To strengthen the Medicare enrollment process in 2006 CMS began requiring all providers and suppliers—including those who order HHA services or DMEPOS for beneficiaries to be enrolled in Medicare. The agency also required all providers and suppliers to report their National 13 See GAO, Medicare: CMS’s Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs; GAO-05-43 (Washington, D.C.: Nov. 17, 2004); Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers, GAO-05-656 (Washington, D.C.: Sept. 22, 2005); Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies, GAO-07-59 (Washington, D.C.: Jan. 31, 2007); and Medicare: Improvements Needed to Address Improper Payments in Home Health, GAO-09-185 (Washington, D.C.: Feb. 27, 2009). 14 GAO, Medicare: Covert Testing Exposes Weaknesses in the Durable Medical Equipment Supplier Screening Process, GAO-08-955 (Washington, D.C.: July 3, 2008). 15 GAO-09-185. Page 4 GAO-12-671T Provider Identifiers (NPI) on enrollment applications, which can help address fraud because providers and suppliers must submit either their Social Security Number or their employer identification number and state licensing information to obtain an NPI. 16 In 2007, CMS initiated the first phase of a Medicare competitive bidding program for DMEPOS. 17 This program requires suppliers’ bids to include new financial documentation for the year prior to submitting the bids. Because CMS can now disqualify suppliers based in part on scrutiny of their financial new documents, competitive bidding can help reduce fraud. Finally, in 2010, CMS also required that all DMEPOS suppliers be accredited by a CMS-approved accrediting organization to ensure that they meet certain quality standards. Such accreditation also increased scrutiny of these businesses. CMS Has Taken Action on PPACA authorized CMS to implement several actions to strengthen Certain PPACA Provider provider enrollment. As of April 2012, the agency has completed some of Enrollment Provisions these actions. Screening Provider Enrollment Applications by Risk Level: CMS and OIG issued a final rule with comment period in February 2011 to implement some of the new screening procedures required by PPACA. 18 CMS designated three levels of risk—high, moderate, and limited—with different screening procedures for categories of Medicare providers at each level. Providers in the high-risk level are subject to the most rigorous 16 HIPAA required that HHS adopt standards for unique health identifiers. CMS adopted the NPI as the standard unique health identifier for its health care providers and suppliers in its Final Rule: HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers, 69 Fed. Reg. 3434 (Jan. 23, 2004). Consistent with the NPI Final Rule, beginning in 2006, the Medicare program required providers and suppliers to report their NPIs on their enrollment applications. 17 Competitive bidding is a process in which suppliers of medical equipment and supplies compete for the right to provide their products on the basis of established criteria, such as quality and price. 18 Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). In discussing the final rule, CMS noted that Medicare had already employed a number of the screening practices described in PPACA to determine if a provider is in compliance with federal and state requirements to enroll or to maintain enrollment in the Medicare program. Page 5 GAO-12-671T screening. 19 To determine which providers to place in these risk levels, CMS considered issues such as past occurrences of improper payments and fraud among different categories of providers. Based in part on our work and that of the OIG, CMS designated newly enrolling HHAs and DMEPOS suppliers as high risk and designated other providers at lower levels. (See table 1.) Providers at all risk levels are screened to verify that they meet specific requirements established by Medicare such as having current licenses or accreditation and valid Social Security numbers. 20 High- and moderate-risk providers are additionally subject to unannounced site visits. Further, depending on the risks presented, PPACA authorizes CMS to require fingerprint-based criminal history checks, and the posting of surety bonds for certain providers. 21 CMS may also provide enhanced oversight for specific periods for new providers and for initial claims of DMEPOS suppliers. 19 PPACA specified that the enhanced screening procedures would apply to new providers and suppliers beginning 1 year after the date of enactment and to currently enrolled providers and suppliers 2 years after that date. 20 Screening may include verification of the following: Social Security number; NPI; National Practitioner Databank licensure; whether the provider has been excluded from federal health care programs by the OIG; taxpayer identification number; and death of an individual practitioner, owner, authorized official, delegated official, or supervising physician. 21 A surety bond is a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise. Page 6 GAO-12-671T Table 1: Categories of Medicare Providers and Suppliers Designated by Risk Level for Enrollment Screening Risk level Categories of Medicare providers and suppliers Limited Physician or nonphysician practitioners and medical groups or clinics, with the exception of physical therapists and physical therapy groups. Ambulatory surgical centers, competitive acquisition programs/Part B vendors, end-stage renal disease facilities, federally qualified health centers, a histocompatibility laboratories, hospitals, including critical access hospitals, Indian Health Service facilities, mammography screening centers, mass b immunization roster billers, organ procurement organizations, pharmacies newly enrolling or revalidating, radiation therapy centers, religious nonmedical health care institutions, rural health clinics, and skilled nursing facilities. Moderate Ambulance suppliers, community mental health centers, comprehensive outpatient rehabilitation facilities, hospice organizations, independent diagnostic testing facilities, independent clinical laboratories, physical therapy including physical therapy groups, portable X-ray suppliers, and currently enrolled (revalidating) home health agencies. High Prospective (newly enrolling) home health agencies and prospective (newly enrolling) suppliers of durable medical equipment, prosthetics, orthotics, and supplies. Source: GAO analysis of CMS Final Rule with Comment Period, Medicare, Medicaid, and Children’s Health Insurance Programs: Additional Screening Requirements, Applications Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). a Histocompatibility laboratories provide evaluations of certain genetic data and pertinent patient immunologic risk factors to allow clinician and patient to make decisions about whether transplantation is in the patient’s best interest. b Mass immunization roster billers are providers and suppliers who enroll in the Medicare program to offer influenza (flu) vaccinations to a large number of individuals, and they must be properly licensed in the states in which they plan to operate influenza clinics. CMS indicated that the agency will continue to review the criteria for its screening levels on an ongoing basis and would publish changes if the agency decided to update the assignment of screening levels for categories of Medicare providers. This may become necessary because fraud is not confined to HHAs and DMEPOS suppliers. We are currently examining the types of providers involved in fraud cases investigated by the OIG and the Department of Justice (DOJ), which may help illuminate risk to the Medicare program from different types of providers. Further, in their 2011 annual report on the Health Care Fraud and Abuse Control Program, DOJ and HHS reported convictions or other legal actions, such as exclusions or civil monetary penalties, against several types of Medicare providers other than DMEPOS suppliers and HHAs, including pharmacists, orthopedic surgeons, infusion and other types of medical Page 7 GAO-12-671T clinics, and physical therapy services. 22 CMS also has established triggers for adjustments to an individual provider’s risk level. For example, CMS regulations state that an individual provider or supplier at the limited- or moderate-risk level that has had its billing privileges revoked by a Medicare contractor within the last 10 years and is attempting to re- enroll, would move to the high-risk level for screening. New National Enrollment Screening and Site Visit Contractors: In a further effort to strengthen its enrollment processes, CMS contracted with two new entities at the end of 2011 to assume centralized responsibility for automated screening of provider and supplier enrollment and for conducting site visits of providers. • Automated screening contractor. In December 2011, the new contractor began to establish systems to conduct automated screening of providers and suppliers to ensure they meet Medicare eligibility criteria (such as valid licensure, accreditation, a valid NPI, and no presence on the OIG list of providers and suppliers excluded from participating in federal health care programs). 23 Prior to the implementation of this new automated screening, such screening was done manually for the 30,000 enrollees each month by CMS’s Medicare Administrative Contractors (MAC), which enroll Medicare providers, and the National Supplier Clearinghouse (NSC), which enrolls DMEPOS suppliers. According to CMS, the old screening process was neither efficient nor timely. CMS officials said that in 2012, the automated screening contractor began automated screening of the licensure status of all currently enrolled Medicare providers and suppliers. The agency said it expects the automated screening contractor to begin screening newly enrolling providers and suppliers later this year. CMS expects that the new, national contractor will enable better monitoring of providers and suppliers on a continuous basis to help ensure they continue to meet Medicare enrollment requirements. The new screening contractor will also help the MACs and the NSC maintain enrollment information in CMS’s 22 The Department of Health and Human Services and the Department of Justice Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2011 (Washington, D.C.: February 2012). 23 Licensure is a mandatory process by which a state government grants permission to an individual practitioner or health care organization to engage in an occupation or profession. Page 8 GAO-12-671T Provider Enrollment Chain and Ownership System (PECOS)—a database that contains details on enrolled providers and suppliers. In addition, CMS officials said the automated screening contractor is developing an individual risk score for each provider or supplier, similar to a credit risk score. Although these individual scores are not currently used to determine an individual provider’s placement in a risk level, CMS indicated that this risk score may be used eventually as additional risk criteria in the screening process. • Site visits for all providers designated as moderate and high risk. Beginning in February 2012, a single national site visit contractor began conducting site visits of moderate- and high-risk providers to determine if sites are legitimate and the providers meet certain Medicare standards. 24 The contractor collects the same information from each site visit, including photographic evidence that will be available electronically through a web portal accessible to CMS and its other contractors. The national site visit contractor is expected to validate the legitimacy of these sites. CMS officials told us that the contractor will provide consistency in site visits across the country, in contrast to CMS relying on different MACs to conduct any required site visits. CMS Has Not Completely Implementation of other enrollment screening actions authorized by Implemented Some PPACA PPACA that could help CMS reduce the enrollment of providers and Enrollment Provisions suppliers intent on defrauding the Medicare program remains incomplete, including: • Surety bond—PPACA authorizes CMS to require a surety bond for certain types of at-risk providers, which can be helpful in recouping erroneous payments. CMS officials expect to issue a proposed rule to require surety bonds as conditions of enrollment for certain types of providers. Extending the use of surety bonds to new entities would augment a previous statutory requirement for DMEPOS suppliers to 24 Starting March 25, 2011, CMS required the MACs to conduct site visits for categories of providers and suppliers designated as moderate and high risk. The national site visit contractor assumed these responsibilities in 2012. The NSC continues to conduct site visits related to provider enrollment of DMEPOS suppliers. In addition, CMS at times exercises its authority to conduct a site visit or requests its contractors to conduct a site visit for any Medicare provider or supplier. Page 9 GAO-12-671T post a surety bond at the time of enrollment. 25 CMS issued final instructions to its MACs, effective February 2012, for recovering DMEPOS overpayments through surety bonds. CMS officials reported that as of April 19, 2012, they had issued notices to 20 surety bond companies indicating intent to collect funds, but had not collected any funds as of that date. • Fingerprint-based Criminal Background Checks—CMS officials told us that they are working with the Federal Bureau of Investigation to arrange contracts to help conduct fingerprint-based criminal background checks of high-risk providers and suppliers. On April 13, 2012, CMS issued a request for information regarding a contract to conduct Medicare provider and supplier fingerprint-based background checks. The agency expects to have the contract in place before the end of 2012. • Providers and Suppliers Disclosure—CMS officials said the agency is reviewing options for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program. 26 In April 2012, agency officials indicated that they were not certain when the regulation would be published. CMS officials noted that the additional disclosure requirements are complicated by provider and supplier concerns about what types of information will be collected, what CMS will do with it, and how the privacy and security of this information will be maintained. 25 42 U.S.C. § 1395m(a)(16)(B). As of October 2009, DMEPOS suppliers were required to obtain and submit a surety bond in the amount of at least $50,000. A DMEPOS surety bond is a bond issued by an entity guaranteeing that a DMEPOS supplier will fulfill its obligation to Medicare. If the obligation is not met, Medicare will recover its losses via the surety bond. Medicare Program; Surety Bond Requirement for Suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS), 74 Fed. Reg. 166 (Jan. 2, 2009). 26 At the time of initial enrollment or revalidation of enrollment, PPACA requires providers and suppliers to disclose any current or previous affiliation with another provider or supplier that has uncollected debt; has been or is subject to a payment suspension under a federal health care program; has been excluded from participation under Medicare, Medicaid, or the State Children’s Health Insurance Program; or has had its billing privileges denied or revoked. Page 10 GAO-12-671T • Compliance and Ethics Program—CMS officials said that the agency was studying criteria found in OIG model plans as it worked to address the PPACA requirement that the agency establish the core elements of compliance programs for providers and suppliers. 27 In April 2012, CMS did not have a projected target date for implementation. Increased efforts to review claims on a prepayment basis can better Additional Action May prevent payments that should not be made, while improving systems Help Better Identify used to review claims on a post-payment basis could better identify patterns of fraudulent billing for further investigation. Potential Fraud through Pre- and Post- Payment Claims Review Additional Efforts to Having robust controls in claims payment systems to prevent payment of Improve Prepayment problematic claims can help reduce loss. As claims go through Claims Review May Help Medicare’s electronic claims payment systems, they are subjected to automated prepayment controls called “edits,” instructions programmed in Reduce Fraud the systems to prevent payment of incomplete or incorrect claims. Some edits use provider enrollment information, while others use information on coverage or payment policies, to determine if claims should be paid. Most of these controls are fully automated; if a claim does not meet the criteria of the edit, it is automatically denied. Other prepayment edits are manual; they flag a claim for individual review by trained staff who determine if it should be paid. Due to the volume of claims, CMS has reported that approximately 25 in a million Medicare claims are subject to manual medical record review by trained personnel. 27 A compliance program is an internal set of policies, processes, and procedures that a provider organization implements to help it act ethically and lawfully. In this context, a compliance program is intended to help provider and supplier organizations prevent and detect violations of Medicare laws and regulations. CMS has used the phrase “compliance and ethics program” and indicated it may base its program on the seven elements of effective compliance and ethics programs found in the U. S. Federal Sentencing Guidelines Manual. Page 11 GAO-12-671T Having effective pre-payment edits that deny claims for ineligible providers and suppliers depends on having timely and accurate information about them, such as whether the providers are currently enrolled and have the appropriate license or accreditation to provide specific services. We have previously identified flaws in the timeliness and accuracy of PECOS—the database that maintains Medicare provider and supplier enrollment information. We noted that weaknesses in PECOS data may result in CMS making improper payments to ineligible providers and suppliers. 28 These weaknesses are related to the frequency with which CMS’s contractors update enrollment information and the timeliness and accuracy of information obtained from outside entities, such as state licensing boards, the OIG, and the Social Security Administration’s Death Master File, which contains information on deceased individuals that can be used to identify deceased providers in order to terminate those providers’ Medicare billing privileges. These sources vary in the ease in which CMS contractors have been able to access their data and the frequency with which they are updated. CMS has indicated that its new national screening contractor should improve the timeliness and accuracy of the provider and supplier information in PECOS by centralizing the process, increasing automation of the process, continuously checking databases, and incorporating new sources of data, such as financial, business, tax, and geospatial data. However, it is too soon to tell if these efforts will better prevent payments to ineligible providers and suppliers. Having effective edits to implement coverage and payment policies before payment is made can also help to deter fraud. The Medicare program has defined categories of items and services eligible for coverage and excludes from coverage items or services that are determined not to be “reasonable and necessary for the diagnosis and treatment of an illness or injury or to improve functioning of a malformed body part.” 29 CMS and its contractors set policies regarding when and how items and services will be covered by Medicare, as well as coding and billing requirements for payment, which also can be implemented in the payment systems through edits. We have previously found Medicare’s payment systems did not have edits for items and services unlikely to be provided in the normal 28 GAO-12-351. 29 42 U.S.C. § 1395y(a)(1)(A). Page 12 GAO-12-671T course of medical care. 30 CMS has since implemented edits to flag such claims—called Medically Unlikely Edits. We are currently assessing Medicare’s prepayment edits based on coverage and payment policies, including the Medically Unlikely Edits, and oversight of its contractors implementing these edits. Additionally, suspending payments to providers suspected of fraudulent billing can be an effective tool to prevent excess loss to the Medicare program while suspected fraud is being investigated. For example, in March 2011, the OIG testified that payment suspensions and pre- payment edits on 18 providers and suppliers stopped the potential loss of more than $1.3 million submitted in claims by these individuals. Furthermore, HHS recently reported that it imposed payment suspensions on 78 home health agencies in conjunction with arrests related to a multimillion dollar health care fraud scheme. While CMS had the authority to impose payment suspensions prior to PPACA, the law specifically authorized CMS to suspend payments to providers pending the investigation of credible allegations of fraud. 31 This ability would enable CMS to suspend payments beyond the 180-day time limit established by regulation prior to PPACA. CMS officials reported that the agency had imposed 212 payment suspensions since the regulations implementing the PPACA provisions took effect. Agency officials indicated that almost half of these suspensions were imposed this calendar year, representing about $6 million in Medicare claims. We are currently evaluating a new CMS effort, the Fraud Prevention System (FPS) which uses predictive analytic technologies to analyze FFS claims on a prepayment basis. The Small Business Jobs Act of 2010 requires CMS to use predictive analytic technologies both to identify and to prevent improper payments under Medicare FFS. 32 The law requires 30 GAO-07-59. 31 CMS is required to consult with the HHS OIG in determining whether a credible allegation of fraud exists. Based on how CMS used its previous payment suspension authority, in November 2010, the OIG found weaknesses in CMS’s implementation of payment suspensions that could lead to delays in the suspension process. Such delays would allow payments to continue to providers suspected of fraud. Specifically, the OIG found that CMS’s guidance to its contractors on procedures for implementing payment suspensions was incomplete and inconsistent. Although the OIG made no recommendations, it suggested that these weaknesses could be addressed through CMS rulemaking pursuant to PPACA. 32 Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. Page 13 GAO-12-671T these predictive analytic technologies to be used to review claims for potential fraud by identifying unusual or suspicious patterns or abnormalities in Medicare provider networks, claims billing patterns, and beneficiary utilization. According to CMS, FPS may enhance CMS’s ability to identify potential fraud because it analyzes large numbers of claims from multiple data sources nationwide simultaneously before payment is made, thus allowing CMS to examine billing patterns across geographic regions for those that may indicate fraud. The results of FPS could lead to the initiation of payment suspensions, implementation of automatic claim denials, identification of additional pre-payment edits, investigations, or the revocation of Medicare billing privileges. CMS began using FPS to screen all FFS claims nationwide prior to payment as of June 30, 2011. Because FPS is relatively new, and we have not completed our work, it is too soon to determine whether FPS will improve CMS’s ability to address fraud. “Bust-out” fraud schemes in which providers or suppliers suddenly bill very high volumes of claims to obtain large payments from Medicare could be addressed by adding a prepayment edit. Such an edit would set thresholds to stop payment for atypically rapid increases in billing thus helping to stem losses from these schemes. In our prior work on DMEPOS, we recommended that CMS require its contractors to develop thresholds for unexplained increases in billing and use them to develop pre-payment controls that could suspend these claims for further review before payment. 33 Members of this Committee have recently requested information from CMS about what the agency is doing to implement payment caps to protect Medicare from “bust out” schemes. CMS officials told us that they are currently considering analytic models in FPS that could help them address billing practices suggestive of “bust outs.” 33 See GAO, 2012 Annual Report: Opportunities to Reduce Duplication, Overlap and Fragmentation, Achieve Savings, and Enhance Revenue. GAO-12-342SP (Washington, D.C.: Feb. 28, 2012) and GAO-07-59. Page 14 GAO-12-671T Actions Needed to Further actions are needed to improve use of two CMS information Improve Use of Systems technology systems that could help analysts identify fraud after Intended for Post-payment payment. 34 Claims Review • The Integrated Data Repository (IDR) became operational in September 2006 as a central storehouse of Medicare and other data needed to help CMS program integrity staff and contractors prevent and detect improper payments of claims. However, we found IDR did not include all the data that were planned to be incorporated by fiscal year 2010, because of technical obstacles and delays in funding. Further, as of December 2011 the agency had not finalized plans or developed reliable schedules for efforts to incorporate these data, which could lead to additional delays. • One Program Integrity (One PI) is a web portal intended to provide CMS staff and contractors with a single source of access to data contained in IDR, as well as tools for analyzing those data. While One PI is operational, we reported in December 2011 that CMS had trained few program integrity analysts and the system was not being widely used GAO recommended that CMS take steps to finalize plans and reliable schedules for fully implementing and expanding the use of both IDR and One PI. Although the agency told us in April 2012 that it had initiated activities to incorporate some additional data into IDR and expand the use of One PI, such as training more CMS staff and contractors, they have not fully addressed our recommendations. 34 GAO, Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use, GAO-11-475 (Washington, D.C.: June 30, 2011). Page 15 GAO-12-671T Having mechanisms in place to resolve vulnerabilities that lead to A Robust Process to improper payments is critical to effective program management and could Address Identified help address fraud. 35 However, our work has shown weaknesses in Vulnerabilities Could CMS’s processes to address such identified vulnerabilities. Help Reduce Fraud CMS’s Recovery Auditing Contractors (RAC) are specifically charged with identifying improper payments and vulnerabilities that could lead to such payment errors. However, in our March 2010 report on the RAC demonstration program, we found that CMS had not established an adequate process during the demonstration or in planning for the national program to ensure prompt resolution of such identified vulnerabilities in Medicare; further, the majority of the most significant vulnerabilities identified during the demonstration were not addressed. 36 We therefore recommended that CMS develop and implement a corrective action process that includes policies and procedures to ensure the agency promptly (1) evaluates findings of RAC audits, (2) decides on the appropriate response and a time frame for taking action based on established criteria, and (3) acts to correct the vulnerabilities identified. 37 Our recommendations will not be fully addressed until CMS has put policies and procedures in place that will lead the agency to act promptly to correct identified vulnerabilities. In December 2011, the OIG found that CMS had not resolved or taken significant action to resolve 48 (77 percent) of 62 vulnerabilities reported in 2009 by CMS contractors specifically charged with addressing fraud. Only 2 vulnerabilities had 35 We have reported that an agency should have policies and procedures to ensure that (1) the findings of all audits and reviews are promptly evaluated, (2) decisions are made about the appropriate response to these findings, and (3) actions are taken to correct or resolve the issues promptly. These are all aspects of internal control, which is the component of an organization’s management that provides reasonable assurance that the organization achieves effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Internal control standards provide a framework for identifying and addressing major performance challenges and areas at greatest risk for mismanagement. GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). 36 GAO, Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight, GAO-10-143 (Washington, D.C.: Mar. 31, 2010). 37 GAO-10-43. Page 16 GAO-12-671T been fully resolved by January 2011. 38 The OIG made several recommendations, including that CMS have written procedures and time frames to assure that vulnerabilities were resolved. CMS has indicated that it is now tracking vulnerabilities identified by several types of contractors through a single vulnerability tracking process. We are currently examining aspects of CMS’s vulnerability tracking process and will be reporting on it soon. Although CMS has taken some important steps to identify and prevent Concluding fraud, including implementing provisions in PPACA and the Small Observations Business Jobs Act, more remains to be done to prevent making erroneous Medicare payments due to fraud. In particular, we have found that CMS could do more to strengthen provider enrollment screening to avoid enrolling those intent on committing fraud, improve pre- and post-payment claims review to identify and respond to patterns of suspicious billing activity more effectively, and identify and address vulnerabilities to reduce the ease with which fraudulent entities can obtain improper payments. It is critical that CMS implement and make full use of new authorities granted by recent legislation, as well as incorporating recommendations made by us, as well as the OIG. Moving from responding once fraud has already occurred to preventing it from occurring in the first place is key to ensuring that federal funds are used efficiently and for their intended purposes. As all of these new authorities and requirements become part of Medicare’s operations, additional evaluation and oversight will be necessary to determine whether they are implemented as required and have the desired effect. We have several studies underway that assess efforts to fight fraud in Medicare and that should continue to help CMS refine and improve its fraud detection and prevention efforts. Notably, we are assessing the effectiveness of different types of pre-payment edits in Medicare and of CMS’s oversight of its contractors in implementing those edits to help ensure that Medicare pays claims correctly the first time. We are also examining the use of predictive analytics to improve fraud prevention and detection. Additionally, we have work underway to identify the types of providers and suppliers currently under investigation and 38 HHS-OIG, Addressing Vulnerabilities Reported by Medicare Benefit Integrity Contractors, OEI-03-10-00500 (December 2011). Page 17 GAO-12-671T those who have been found to have engaged in fraudulent activities. These studies may enable us to point out additional actions for CMS that could help the agency more systematically reduce fraud in the Medicare program. Due to the amount of program funding at risk, fraud will remain a continuing threat to Medicare, so continuing vigilance to reduce vulnerabilities will be necessary. Individuals who want to defraud Medicare will continue to develop new approaches to try to circumvent CMS’s safeguards and investigative and enforcement efforts. In particular, although targeting particular types of providers whom the agency has identified as high risk may be useful, it may allow other types of providers committing fraud to go unnoticed. We will continue to assess efforts to fight fraud and provide recommendations to CMS, as appropriate, that we believe will assist the agency in this important task. We urge CMS to continue its efforts as well. Mr. Chairman, this concludes my prepared statement. I would be happy to answer any questions you or other members of the committee may have. For further information about this statement, please contact Kathleen M. King at (202) 512-7114 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Sheila Avruch, Assistant Director; Jennie Apter; Jennel Harvey; Anne Hopewell; Lisa Rogers; and Jennifer Whitworth were key contributors to this statement. Page 18 GAO-12-671T Related GAO Products Related GAO Products Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers. GAO-12-351. Washington, D.C.: April 10, 2012. Improper Payments: Remaining Challenges and Strategies for Governmentwide Reduction Efforts. GAO-12-573T. Washington, D.C.: March 28, 2012. 2012 Annual Report: Opportunities to Reduce Duplication, Overlap and Fragmentation, Achieve Savings, and Enhance Revenue. GAO-12-342SP. Washington, D.C.: February 28, 2012. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Expand Efforts to Support Program Integrity Initiatives. GAO-12-292T. Washington, D.C.: December 7, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. GAO-12-104T. Washington, D.C.: October 4, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. GAO-11-699. Washington, D.C.: September 6, 2011. Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness. GAO-11-592. Washington, D.C.: July 29, 2011. Improper Payments: Reported Medicare Estimates and Key Remediation Strategies. GAO-11-842T. Washington, D.C.: July 28, 2011. Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services. GAO-11-822T. Washington, D.C.: July 12, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. GAO-11-475. Washington, D.C.: June 30, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. GAO-11-409T. Washington, D.C.: March 9, 2011. Page 19 GAO-12-671T Related GAO Products Medicare: Program Remains at High Risk Because of Continuing Management Challenges. GAO-11-430T. Washington, D.C.: March 2, 2011. High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February 2011. Medicare Part D: CMS Conducted Fraud and Abuse Compliance Plan Audits, but All Audit Findings Are Not Yet Available. GAO-11-269R. Washington, D.C.: February 18, 2011. Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments. GAO-10-844T. Washington, D.C.: June 15, 2010. Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight. GAO-10-143. Washington, D.C.: March 31, 2010. Medicare Part D: CMS Oversight of Part D Sponsors’ Fraud and Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion. GAO-10-481T. Washington, D.C.: March 3, 2010. Medicare: CMS Working to Address Problems from Round 1 of the Durable Medical Equipment Competitive Bidding Program. GAO-10-27. Washington, D.C.: November 6, 2009. Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments. GAO-09-628T. Washington, D.C.: April 22, 2009. Medicare: Improvements Needed to Address Improper Payments in Home Health. GAO-09-185. Washington, D.C.: February 27, 2009. Medicare Part D: Some Plan Sponsors Have Not Completely Implemented Fraud and Abuse Programs, and CMS Oversight Has Been Limited. GAO-08-760. Washington, D.C.: July 21, 2008. Medicare: Covert Testing Exposes Weaknesses in the Durable Medical Equipment Supplier Screening Process. GAO-08-955. Washington, D.C.: July 3, 2008. Page 20 GAO-12-671T Related GAO Products Medicare: Thousands of Medicare Providers Abuse the Federal Tax System. GAO-08-618. Washington, D.C.: June 13, 2008. Medicare: Competitive Bidding for Medical Equipment and Supplies Could Reduce Program Payments, but Adequate Oversight Is Critical. GAO-08-767T. Washington, D.C.: May 6, 2008. Improper Payments: Status of Agencies’ Efforts to Address Improper Payment and Recovery Auditing Requirements. GAO-08-438T. Washington, D.C.: January 31, 2008. Improper Payments: Federal Executive Branch Agencies’ Fiscal Year 2007 Improper Payment Estimate Reporting. GAO-08-377R. Washington, D.C.: January 23, 2008. Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies. GAO-07-59. Washington, D.C.: January 31, 2007. Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers. GAO-05-656. Washington, D.C.: September 22, 2005. Medicare: CMS’s Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs. GAO-05-43. Washington, D.C.: November 17, 2004. Medicare: CMS Did Not Control Rising Power Wheelchair Spending. GAO-04-716T. Washington, D.C.: April 28, 2004. (291041) Page 21 GAO-12-671T This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, email@example.com, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Medicare: Important Steps Have Been Taken, but More Could Be Done to Deter Fraud
Published by the Government Accountability Office on 2012-04-24.
Below is a raw (and likely hideous) rendition of the original report. (PDF)