United States Government Accountability Office GAO Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives MEDICARE For Release on Delivery Expected at 9:30 a.m. EDT Friday, June 8, 2012 Progress Made to Deter Fraud, but More Could Be Done Statement of Kathleen M. King Director, Health Care To access this report electronically, scan this QR Code. Don't have a QR code reader? Several are available for free online. GAO-12-801T June 8, 2012 MEDICARE Progress Made to Deter Fraud, but More Could Be Done Highlights of GAO-12-801T, a testimony before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives Why GAO Did This Study What GAO Found GAO has designated Medicare as a The Centers for Medicare & Medicaid Services (CMS)—the agency that high-risk program. Since 1990, every administers Medicare—has made progress in implementing several key two years GAO has provided Congress strategies GAO identified in prior work as helpful in protecting Medicare from with an update on this program, which fraud; however, important actions that could help CMS and its program integrity highlights government operations that contractors combat fraud remain incomplete. are at high risk for waste, fraud, abuse mismanagement or in need of broad Provider Enrollment: GAO’s previous work found persistent weaknesses in reform. Medicare has been included in Medicare’s enrollment standards and procedures that increased the risk of this program in part because its enrolling entities intent on defrauding the program. CMS has strengthened complexity makes it particularly provider enrollment—for example, in February 2011, CMS designated three vulnerable to fraud. Fraud involves an levels of risk—high, moderate, and limited—with different screening procedures intentional act or representation to for categories of providers at each level. However, CMS has not completed other deceive with the knowledge that the actions, including implementation of some relevant provisions of the Patient action or representation could result in Protection and Affordable Care Act (PPACA). Specifically, CMS has not gain. The deceptive nature of fraud (1) determined which providers will be required to post surety bonds to help makes its extent in the Medicare ensure that payments made for fraudulent billing can be recovered, program difficult to measure in a (2) contracted for fingerprint-based criminal background checks, (3) issued a final reliable way, but it is clear that fraud regulation to require additional provider disclosures of information, and contributes to Medicare’s fiscal (4) established core elements for provider compliance programs. problems. Reducing fraud could help rein in the escalating costs of the Pre- and Post-payment Claims Review: GAO had previously found that program. increased efforts to review claims on a prepayment basis can prevent payments This statement focuses on the from being made for potentially fraudulent claims, while improving systems used progress made and important steps to by CMS and its contractors to review claims on a post-payment basis could be taken by CMS and its program better identify patterns of potentially fraudulent billing for further investigation. integrity contractors to reduce fraud in CMS has controls in Medicare’s claims-processing systems to determine if Medicare. These contractors perform claims should be paid, denied, or reviewed further. These controls require timely functions such as screening and and accurate information about providers that GAO has previously recommended enrolling providers, detecting and that CMS strengthen. GAO is currently examining CMS’s new Fraud Prevention investigating potential fraud, and System, which uses analytic methods to examine claims before payment to identifying improper payments and develop investigative leads for Zone Program Integrity Contractors (ZPIC), the vulnerabilities that could lead to contractors responsible for detecting and investigating potential fraud. payment errors. This statement is Additionally, CMS could improve its post-payment claims review to identify based on relevant GAO products and patterns of fraud by incorporating prior GAO recommendations to develop plans recommendations issued from 2004 and timelines for fully implementing and expanding two information technology through 2012 using a variety of systems it developed. methodologies, such as analyses of Medicare claims, review of relevant Robust Process to Address Identified Vulnerabilities: Having mechanisms in policies and procedures, and place to resolve vulnerabilities that lead to erroneous payments is critical to interviews with officials. effective program management and could help address fraud. Such vulnerabilities are service- or system-specific weaknesses that can lead to payment errors—for example, providers receiving multiple payments as a result of incorrect coding. GAO has previously identified weaknesses in CMS’s process for addressing identified vulnerabilities and the Department of Health and Human Services’ Office of Inspector General recently reported on CMS’s inaction in addressing vulnerabilities identified by its contractors, including ZPICs. GAO is View GAO-12-801T. For more information, evaluating the current status of the process for assessing and developing contact Kathleen M. King at (202) 512-7114 or corrective actions to address vulnerabilities. firstname.lastname@example.org. United States Government Accountability Office Mr. Chairman, Ranking Member, and Other Members of the Committee: I am pleased to be here today to discuss our work regarding fraud in the Medicare program, Medicare contractors’ roles in detecting and preventing fraud, and provisions in recent laws and agency actions that may help address this problem. 1 Fraud involves an intentional act or representation to deceive with the knowledge that the action or representation could result in gain. Although there have been convictions for multi-million dollar schemes that defrauded the Medicare program, the extent of the problem is unknown. There are no reliable estimates of the extent of fraud in the Medicare program or for the health care industry as a whole. By its very nature, fraud is difficult to detect, as those involved are engaged in intentional deception. For example, fraud may involve providers submitting a claim with false documentation for services not provided, while the claim on its face may appear valid. Fraud also can involve efforts to hide ownership of companies or kickbacks to obtain beneficiary information. Although the full extent of the problem is unknown, it is clear that the Medicare program is vulnerable to fraud, which contributes to Medicare’s fiscal problems. Reducing fraud could help rein in the escalating costs of the program. We have repeatedly designated Medicare as a high-risk program, as its complexity and susceptibility to payment errors from various causes, added to its size, have made it vulnerable to loss. 2 As one example, the fee-for-service (FFS) portion of the Medicare program processes over a billion claims a year from about 1.5-million providers and suppliers; working to ensure that those payments are accurate is a complex, ongoing task. Medicare has many individual vulnerabilities, which are 1 Medicare is the federally financed health insurance program for persons age 65 or over, certain individuals with disabilities, and individuals with end-stage renal disease. Medicare Parts A and B are known as Medicare fee-for-service (FFS). Medicare Part A covers hospital and other inpatient stays. Medicare Part B is optional, and covers hospital outpatient, physician, and other services. Medicare beneficiaries have the option of obtaining coverage for Medicare services from private health plans that participate in Medicare Advantage—Medicare’s managed care program—also known as Part C. All Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Part D, either as a stand-alone benefit or as part of a Medicare Advantage plan. 2 In 1990, we began to report on government operations that we identified as “high risk” for serious weaknesses in areas that involve substantial resources and provide critical services to the public. Medicare has been included among such programs since 1990. See GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.: February 2011). http://www.gao.gov/highrisk/risks/insurance/medicare_program.php. Page 1 GAO-12-801T Medicare Fraud service- or system-specific weaknesses that can lead to payment errors, including those due to fraud. 3 If the Centers for Medicare & Medicaid Services (CMS), the agency within the Department of Health and Human Services (HHS) that administers the program, suspects that providers or suppliers are billing fraudulently, it can take action, including suspending claims payment, revoking billing privileges, or referring cases to law enforcement for investigation. 4 Further, it can impose a moratorium on new enrollment of providers or suppliers. 5 Since 1997, Congress has provided funds specifically for activities to address fraud, as well as waste and abuse, 6 in Medicare and other federal health care programs. In addition, Congress created the Medicare Integrity Program to conduct activities to reduce fraud, waste, abuse, and improper payments. 7 In 2010, Congress passed the Patient Protection and Affordable Care Act (PPACA), which provided additional funding for such efforts and set a number of new requirements specific to Medicare. 8 Furthermore, the 3 CMS defines vulnerabilities to the Medicare program as issues that can lead to fraud, waste, or abuse, which can either be specific, such as providers receiving multiple payments as a result of incorrect coding for a service, or general and programwide, such as weaknesses in online application processes. 4 In this testimony, the term provider includes entities such as hospitals or physicians, and supplier means an entity that supplies Medicare beneficiaries with durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) such as walkers and wheelchairs. 5 Enrolling as a provider or supplier in Medicare allows an entity to provide services or equipment to beneficiaries and bill for those services. 6 Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices. 7 An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111- 204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). 8 Pub. L. No. 111-148, 124 Stat.119 (2010), as amended by Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA. The provisions discussed in this statement are generally located in sections 6401 through 6411 and 10603 and 10605 of PPACA, as well as sections 1303 and 1304 of HCERA. Page 2 GAO-12-801T Medicare Fraud Small Business Jobs Act of 2010 9 established new Medicare fee-for- service claims review requirements and provided funding to implement these requirements. My testimony today focuses on the progress made and steps that remain to be taken by CMS and its program integrity contractors to reduce fraud in Medicare. CMS contractors perform a number of key program integrity functions, such as screening and enrolling providers, detecting and investigating potential fraud, and identifying improper payments and vulnerabilities that could lead to payment errors. This testimony is informed by 8 years of our work on Medicare fraud, waste, abuse, and improper payments. I will focus on several key strategies CMS can undertake to help reduce fraud discussed in our prior work from 2004 to 2012, specifically: 10 • strengthening provider enrollment standards and procedures, • improving pre- and post-payment claims review, and • developing a robust process for addressing identified vulnerabilities. The products on which this statement is based were developed by using a variety of methodologies, including analyses of Medicare claims, review of relevant policies and procedures, interviews with agency officials and other stakeholders, and site visits. 11 The work on which these products were based was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 9 Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. 10 These strategies were among those identified in our June 2010 testimony as critical to helping prevent fraud, waste, and abuse in Medicare. See GAO, Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments, GAO-10-844T (Washington, D.C.: June 15, 2010). A list of related products appears at the end of this statement. 11 The products listed at the end of this statement contain detailed information on the methodologies used in our work. Page 3 GAO-12-801T Medicare Fraud CMS has made progress strengthening provider enrollment to try to better CMS Has Made ensure that only legitimate providers and suppliers are allowed to bill Progress in Medicare. However, CMS has not completed other actions that could help prevent individuals intent on fraud from enrolling, including Strengthening implementation of some relevant PPACA provisions. Provider Enrollment, but Further Actions Are Needed Past CMS Efforts to Our previous work found persistent weaknesses in Medicare’s enrollment Strengthen Provider standards and procedures that increased the risk of enrolling entities Enrollment intent on defrauding the Medicare program. 12 We, CMS, and the HHS Office of Inspector General (OIG) have previously identified two types of providers whose services and items are especially vulnerable to improper payments and fraud—home health agencies (HHA) and suppliers of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS). We found weaknesses in oversight of these providers’ and suppliers’ enrollment. For example, in 2008, we identified weaknesses when we created two fictitious DMEPOS companies, which were subsequently enrolled by CMS’s contractor and given permission to begin billing Medicare. 13 In 2009, we found that CMS’s contractors were not requiring HHAs to resubmit enrollment information for re-verification every 5 years as required by CMS. 14 To strengthen the Medicare enrollment process, in 2006 CMS began requiring all providers and suppliers—including those that order HHA services or DMEPOS for beneficiaries to be enrolled in Medicare. The agency also required all providers and suppliers to report their National Provider Identifiers (NPI) on enrollment applications, which can help 12 See GAO, Medicare: CMS’s Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs; GAO-05-43 (Washington, D.C.: Nov. 17, 2004); Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers, GAO-05-656 (Washington, D.C.: Sept. 22, 2005); Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies, GAO-07-59 (Washington, D.C.: Jan. 31, 2007); and Medicare: Improvements Needed to Address Improper Payments in Home Health, GAO-09-185 (Washington, D.C.: Feb. 27, 2009). 13 GAO, Medicare: Covert Testing Exposes Weaknesses in the Durable Medical Equipment Supplier Screening Process, GAO-08-955 (Washington, D.C.: July 3, 2008). 14 GAO-09-185. Page 4 GAO-12-801T Medicare Fraud address fraud because providers and suppliers must submit either their Social Security Number or their employer identification number and state licensing information to obtain an NPI. 15 In 2007, CMS initiated the first phase of a Medicare competitive-bidding program for DMEPOS. 16 This program requires suppliers’ bids to include new financial documentation for the year prior to submitting the bids. Because CMS can now disqualify suppliers based in part on new scrutiny of their financial documents, competitive bidding can help reduce fraud. Finally, in 2010, CMS also required that all DMEPOS suppliers be accredited by a CMS-approved accrediting organization to ensure that they meet certain quality standards. Such accreditation also increased scrutiny of these businesses. CMS Has Taken Action on PPACA authorized CMS to implement several actions to strengthen Certain PPACA Provider provider enrollment. As of April 2012, the agency has completed some of Enrollment Provisions these actions. Screening Provider Enrollment Applications by Risk Level: CMS and OIG issued a final rule with comment period in February 2011 to implement some of the new screening procedures required by PPACA. 17 CMS designated three levels of risk—high, moderate, and limited—with different screening procedures for categories of Medicare providers at each level. Providers in the high-risk level are subject to the most rigorous 15 The Health Insurance Portability and Accountability Act of 1996 required that HHS adopt standards for unique health identifiers. CMS adopted the NPI as the standard unique health identifier for its health care providers and suppliers in its final rule: HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers, 69 Fed. Reg. 3434 (Jan. 23, 2004). Consistent with the NPI final rule, beginning in 2006, the Medicare program required providers and suppliers to report their NPIs on their enrollment applications. 16 Competitive bidding is a process in which suppliers of medical equipment and supplies compete for the right to provide their products on the basis of established criteria, such as quality and price. 17 Medicare, Medicaid, and Children’s Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). In discussing the final rule, CMS noted that Medicare had already employed a number of the screening practices described in PPACA to determine if a provider is in compliance with federal and state requirements to enroll or to maintain enrollment in the Medicare program. Page 5 GAO-12-801T Medicare Fraud screening. 18 To determine which providers to place in these risk levels, CMS considered issues such as past occurrences of improper payments and fraud among different categories of providers. Based in part on our work and that of the OIG, CMS designated newly enrolling HHAs and DMEPOS suppliers as high risk and designated other providers at lower levels. (See table 1.) Providers at all risk levels are screened to verify that they meet specific requirements established by Medicare such as having current licenses or accreditation and valid Social Security numbers. 19 High- and moderate-risk providers are additionally subject to unannounced site visits. Further, depending on the risks presented, PPACA authorizes CMS to require fingerprint-based criminal history checks, and the posting of surety bonds for certain providers. 20 CMS may also provide enhanced oversight for specific periods for new providers and for initial claims of DMEPOS suppliers. 18 PPACA specified that the enhanced-screening procedures would apply to new providers and suppliers beginning 1 year after the date of enactment and to currently enrolled providers and suppliers 2 years after that date. 19 Screening may include verification of the following: Social Security number; NPI; National Practitioner Databank licensure; whether the provider has been excluded from federal health care programs by the OIG; taxpayer identification number; and death of an individual practitioner, owner, authorized official, delegated official, or supervising physician. 20 A surety bond is a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise. Page 6 GAO-12-801T Medicare Fraud Table 1: Categories of Medicare Providers and Suppliers Designated by Risk Level for Enrollment Screening Risk level Categories of Medicare providers and suppliers Limited Physician or nonphysician practitioners and medical groups or clinics, with the exception of physical therapists and physical therapy groups. Ambulatory surgical centers, competitive acquisition programs/Part B vendors, end-stage a renal disease facilities, federally qualified health centers, histocompatibility laboratories, Indian Health Service b facilities, mammography screening centers, mass immunization roster billers, organ procurement organizations, pharmacies newly enrolling or revalidating, radiation therapy centers, religious nonmedical health care institutions, rural health clinics, skilled nursing facilities, and hospitals, including critical access hospitals. Moderate Ambulance suppliers, community mental health centers, comprehensive outpatient rehabilitation facilities, hospice organizations, independent diagnostic testing facilities, independent clinical laboratories, portable X-ray suppliers, currently enrolled (revalidating) home health agencies, and physical therapy, including physical therapy groups. High Prospective (newly enrolling) home health agencies and prospective (newly enrolling) suppliers of durable medical equipment, prosthetics, orthotics, and supplies. Source: GAO analysis of CMS Final Rule with Comment Period, Medicare, Medicaid, and Children’s Health Insurance Programs: Additional Screening Requirements, Applications Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). a Histocompatibility laboratories provide evaluations of certain genetic data and pertinent patient immunologic risk factors to allow clinician and patient to make decisions about whether transplantation is in the patient’s best interest. b Mass immunization roster billers are providers and suppliers that enroll in the Medicare program to offer influenza (flu) vaccinations to a large number of individuals, and these entities must be properly licensed in the states in which they plan to operate influenza clinics. CMS indicated that the agency will continue to review the criteria for its screening levels on an ongoing basis and would publish changes if the agency decided to update the assignment of screening levels for categories of Medicare providers. This may become necessary because fraud is not confined to HHAs and DMEPOS suppliers. We are currently examining the types of providers involved in fraud cases investigated by the OIG and the Department of Justice (DOJ), which may help illuminate risk to the Medicare program from different types of providers. Further, in their 2011 annual report on the Health Care Fraud and Abuse Control Program, DOJ and HHS reported convictions or other legal actions, such as exclusions or civil monetary penalties, against several types of Medicare providers other than DMEPOS suppliers and HHAs, including pharmacists, orthopedic surgeons, infusion and other types of medical clinics, and physical therapy services. 21 CMS also has established triggers for adjustments to an individual provider’s risk level. For example, CMS regulations state that an individual provider or supplier at the 21 The Department of Health and Human Services and the Department of Justice Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2011 (Washington, D.C.: February 2012). Page 7 GAO-12-801T Medicare Fraud limited- or moderate-risk level that has had its billing privileges revoked by a Medicare contractor within the last 10 years and is attempting to re- enroll, would move to the high-risk level for screening. New National Enrollment Screening and Site Visit Contractors: In a further effort to strengthen its enrollment processes, CMS contracted with two new entities at the end of 2011 to assume centralized responsibility for automated screening of provider and supplier enrollment and for conducting site visits of providers. • Automated-screening contractor. In December 2011, the new contractor began to establish systems to conduct automated screening of providers and suppliers to ensure they meet Medicare eligibility criteria (such as valid licensure, accreditation, a valid NPI, and no presence on the OIG list of providers and suppliers excluded from participating in federal health care programs). 22 Prior to the implementation of this new automated screening, such screening was done manually for the 30,000 enrollees each month by CMS’s Medicare Administrative Contractors (MAC), which enroll Medicare providers, and the National Supplier Clearinghouse (NSC), which enrolls DMEPOS suppliers. According to CMS, the old screening process was neither efficient nor timely. CMS officials said that in 2012, the automated-screening contractor began automated screening of the licensure status of all currently enrolled Medicare providers and suppliers. The agency said it expects the automated- screening contractor to begin screening newly enrolling providers and suppliers later this year. CMS expects that the new, national contractor will enable better monitoring of providers and suppliers on a continuous basis to help ensure they continue to meet Medicare enrollment requirements. The new screening contractor will also help the MACs and the NSC maintain enrollment information in CMS’s Provider Enrollment Chain and Ownership System (PECOS)—a database that contains details on enrolled providers and suppliers. In addition, CMS officials said the automated-screening contractor is developing an individual risk score for each provider or supplier, similar to a credit risk score. Although these individual scores are not currently used to determine an individual provider’s placement in a 22 Licensure is a mandatory process by which a state government grants permission to an individual practitioner or health care organization to engage in an occupation or profession. Page 8 GAO-12-801T Medicare Fraud risk level, CMS indicated that this risk score may be used eventually as additional risk criteria in the screening process. • Site visits for all providers designated as moderate and high risk. Beginning in February 2012, a single national site-visit contractor began conducting site visits of moderate- and high-risk providers to determine if sites are legitimate and the providers meet certain Medicare standards. 23 The contractor collects the same information from each site visit, including photographic evidence that will be available electronically through a Web portal accessible to CMS and its other contractors. The national site-visit contractor is expected to validate the legitimacy of these sites. CMS officials told us that the contractor will provide consistency in site visits across the country, in contrast to CMS relying on different MACs to conduct any required site visits. CMS Has Not Completely Implementation of other enrollment screening actions authorized by Implemented Some PPACA PPACA that could help CMS reduce the enrollment of providers and Enrollment Provisions suppliers intent on defrauding the Medicare program remains incomplete, including: • Surety bond—PPACA authorizes CMS to require a surety bond for certain types of at-risk providers, which can be helpful in recouping erroneous payments. CMS officials expect to issue a proposed rule to require surety bonds as conditions of enrollment for certain other types of providers. Extending the use of surety bonds to these new entities would augment a previous statutory requirement for DMEPOS suppliers to post a surety bond at the time of enrollment. 24 CMS 23 Starting March 25, 2011, CMS required the MACs to conduct site visits for categories of providers and suppliers designated as moderate and high risk. The national site-visit contactor assumed these responsibilities in 2012. The NSC will continue to conduct site visits related to provider enrollment of DMEPOS suppliers. In addition, CMS at times exercises its authority to conduct a site visit or requests its contractors to conduct a site visit for any Medicare provider or supplier. 24 42 U.S.C. § 1395m(a)(16)(B). As of October 2009, DMEPOS suppliers were required to obtain and submit a surety bond in the amount of at least $50,000. A DMEPOS surety bond is a bond issued by an entity guaranteeing that a DMEPOS supplier will fulfill its obligation to Medicare. If the obligation is not met, the surety bond is paid to Medicare. Medicare Program; Surety Bond Requirement for Suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS), 74 Fed. Reg. 166 (Jan. 2, 2009). Page 9 GAO-12-801T Medicare Fraud issued final instructions to its MACs, effective February 2012, for recovering DMEPOS overpayments through surety bonds. CMS officials reported that as of April 19, 2012, they had issued notices to 20 surety bond companies indicating intent to collect funds, but had not collected any funds as of that date. • Fingerprint-based criminal background checks—CMS officials told us that they are working with the Federal Bureau of Investigation to arrange contracts to help conduct fingerprint-based criminal background checks of high-risk providers and suppliers. On April 13, 2012, CMS issued a request for information regarding the potential solicitation of a single contract for Medicare provider and supplier fingerprint-based background checks. The agency expects to have the contract in place before the end of 2012. • Providers and suppliers disclosure—CMS officials said the agency is reviewing options to include in regulations for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program. 25 In April 2012, agency officials indicated that they were not certain when the regulation would be published. CMS officials noted that the additional disclosure requirements are complicated by provider and supplier concerns about what types of information will be collected, what CMS will do with it, and how the privacy and security of this information will be maintained. • Compliance and ethics program—CMS officials said that the agency was studying criteria found in OIG model plans as it worked to address the PPACA requirement that the agency establish the core 25 At the time of initial enrollment or revalidation of enrollment, PPACA requires providers and suppliers to disclose any current or previous affiliation with another provider or supplier that has uncollected debt; has been or is subject to a payment suspension under a federal health care program; has been excluded from participation under Medicare, Medicaid, or the State Children’s Health Insurance Program; or has had its billing privileges denied or revoked. Pub. L. No. 111-148, § 6401(a)(4), 124 Stat. 119, 740 (2010). Page 10 GAO-12-801T Medicare Fraud elements of compliance programs for providers and suppliers. 26 As of April 2012, CMS did not have a projected target date for implementation. Increased efforts to review claims on a prepayment basis can better Additional Action May prevent payments that should not be made, while improving systems Help Better Identify used to review claims on a post-payment basis could better identify patterns of fraudulent billing for further investigation. Potential Fraud through Pre- and Post- Payment Claims Review Additional Efforts to Having robust controls in claims payment systems to prevent payment of Improve Prepayment problematic claims can help reduce loss. As claims go through Claims Review May Help Medicare’s electronic claims payment systems, they are subjected to automated prepayment controls called “edits,” instructions programmed in Reduce Fraud the systems to prevent payment of incomplete or incorrect claims. Some edits use provider enrollment information, while others use information on coverage or payment policies, to determine if claims should be paid. Most of these controls are fully automated; if a claim does not meet the criteria of the edit, it is automatically denied. Other prepayment edits are manual; they flag a claim for individual review by trained staff who determine if it should be paid. Due to the volume of claims, CMS has reported that less than 1 percent of Medicare claims are subject to manual medical record review by trained staff. Having effective pre-payment edits that deny claims for ineligible providers and suppliers depends on having timely and accurate information about them, such as whether the providers are currently enrolled and have the appropriate license or accreditation to provide specific services. We previously recommended that CMS take action to 26 A compliance program is an internal set of policies, processes, and procedures that a provider organization implements to help it act ethically and lawfully. In this context, a compliance program is intended to help provider and supplier organizations prevent and detect violations of Medicare laws and regulations. CMS has used the phrase “compliance and ethics program” and indicated it may base its program on the seven elements of effective compliance and ethics programs found in the U.S. Federal Sentencing Guidelines Manual. Page 11 GAO-12-801T Medicare Fraud ensure the timeliness and accuracy of PECOS—the database that maintains Medicare provider and supplier enrollment information. We noted that weaknesses in PECOS data may result in CMS making improper payments to ineligible providers and suppliers. 27 These weaknesses are related to the frequency with which CMS’s contractors update enrollment information and the timeliness and accuracy of information obtained from outside entities, such as state licensing boards, the OIG, and the Social Security Administration’s Death Master File, which contains information on deceased individuals that can be used to identify deceased providers in order to terminate those providers’ Medicare billing privileges. These sources vary in the ease in which CMS contractors have been able to access their data and the frequency with which they are updated. CMS has indicated that its new national- screening contractor should improve the timeliness and accuracy of the provider and supplier information in PECOS by centralizing the process, increasing automation of the process, continuously checking databases, and incorporating new sources of data, such as financial, business, tax, and geospatial data. However, it is too soon to tell if these efforts will better prevent payments to ineligible providers and suppliers. Having effective edits to implement coverage and payment policies before payment is made can also help to deter fraud. The Medicare program has defined categories of items and services eligible for coverage and excludes from coverage items or services that are determined not to be “reasonable and necessary for the diagnosis and treatment of an illness or injury or to improve functioning of a malformed body part.” 28 CMS and its contractors set policies regarding when and how items and services will be covered by Medicare, as well as coding and billing requirements for payment, which also can be implemented in the payment systems through edits. We have previously found Medicare’s payment systems did not have edits for items and services unlikely to be provided in the normal course of medical care. 29 CMS has since implemented edits to flag such claims—called Medically Unlikely Edits. We are currently assessing Medicare’s prepayment edits based on coverage and payment policies, including the Medically Unlikely Edits. 27 GAO-12-351. 28 42 U.S.C. § 1395y(a)(1)(A). 29 GAO-07-59. Page 12 GAO-12-801T Medicare Fraud Additionally, suspending payments to providers suspected of fraudulent billing can be an effective tool to prevent excess loss to the Medicare program while suspected fraud is being investigated. For example, in March 2011, the OIG testified that payment suspensions and pre- payment edits on 18 providers and suppliers stopped the potential loss of more than $1.3 million submitted in claims by these individuals. Furthermore, HHS recently reported that it imposed payment suspensions on 78 home health agencies in conjunction with arrests related to a multimillion-dollar health care fraud scheme. While CMS had the authority to impose payment suspensions prior to PPACA, the law specifically authorized CMS to suspend payments to providers pending the investigation of credible allegations of fraud. 30 CMS officials reported that the agency had imposed 212 payment suspensions since the regulations implementing the PPACA provisions took effect. Agency officials indicated that almost half of these suspensions were imposed this calendar year, representing about $6 million in Medicare claims. We are currently evaluating a new CMS effort, the Fraud Prevention System (FPS), which uses predictive analytic technologies to analyze FFS claims on a prepayment basis to develop investigative leads for CMS’s Zone Program Integrity Contractors (ZPIC), the contractors responsible for detecting and investigating potential fraud. 31 The Small Business Jobs Act of 2010 requires CMS to use predictive analytic technologies both to identify and to prevent improper payments under Medicare FFS. 32 The law requires these predictive analytic technologies to be used to review claims for potential fraud by identifying unusual or 30 CMS is required to consult with the HHS OIG in determining whether a credible allegation of fraud exists. Based on how CMS used its previous payment suspension authority, in November 2010, the OIG found weaknesses in CMS’s implementation of payment suspensions that could lead to delays in the suspension process. Such delays would allow payments to continue to providers suspected of fraud. Specifically, the OIG found that CMS’s guidance to its contractors on procedures for implementing payment suspensions was incomplete and inconsistent. Although the OIG made no recommendations, it suggested that these weaknesses could be addressed through CMS rulemaking pursuant to PPACA. 31 CMS is replacing its legacy Program Safeguard Contractors (PSC) with seven ZPICs. While the PSCs were responsible for program integrity for specific parts of Medicare, such as Part A, the ZPICs are responsible for Medicare’s fee-for-service program integrity in their geographic zones. For simplicity, we refer to these program integrity contractors as ZPICs throughout the testimony. 32 Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. Page 13 GAO-12-801T Medicare Fraud suspicious patterns or abnormalities in Medicare provider networks, claims billing patterns, and beneficiary utilization. According to CMS, FPS may enhance CMS’s ability to identify potential fraud because it analyzes large numbers of claims from multiple data sources nationwide simultaneously before payment is made, thus allowing CMS to examine billing patterns across geographic regions for those that may indicate fraud. The results of FPS are used by the ZPICs to initiate investigations that could result in payment suspensions, implementation of automatic claim denials, identification of additional prepayment edits, or the revocation of Medicare billing privileges. CMS began using FPS to screen all FFS claims nationwide prior to payment as of June 30, 2011, and CMS has been directing the ZPICs to investigate high priority leads generated by the system. Because FPS is relatively new and we have not completed our work, it is too soon to determine whether FPS will improve CMS’s ability to address fraud. Questions have also been raised about CMS’s ability to adequately assess ZPICs’ performance and we have been asked to examine CMS’s management of the ZPICs, including criteria used by CMS to evaluate their effectiveness. “Bust-out” fraud schemes in which providers or suppliers suddenly bill very high volumes of claims to obtain large payments from Medicare could be addressed by adding a prepayment edit. Such an edit would set thresholds to stop payment for atypically rapid increases in billing thus helping them to stem losses from these schemes. In our prior work on DMEPOS, we recommended that CMS require its contractors to develop thresholds for unexplained increases in billing and use them to develop pre-payment controls that could suspend these claims for further review before payment. 33 CMS officials told us that they are currently considering developing analytic models in FPS that could help CMS and ZPICs identify and address billing practices suggestive of bust outs. 33 See GAO, 2012 Annual Report: Opportunities to Reduce Duplication, Overlap and Fragmentation, Achieve Savings, and Enhance Revenue. GAO-12-342SP (Washington, D.C.: Feb. 28, 2012) and GAO-07-59. Page 14 GAO-12-801T Medicare Fraud Actions Needed to Further actions are needed to improve use of two CMS information Improve Use of Systems technology systems that could help CMS and program integrity Intended for Post-payment contractors identify fraud after claims have been paid. 34 Claims Review • The Integrated Data Repository (IDR) became operational in September 2006 as a central data store of Medicare and other data needed to help CMS’s program integrity staff, ZPICs, and other contractors prevent and detect improper payments of claims. However, we found IDR did not include all the data that were planned to be incorporated by fiscal year 2010, because of technical obstacles and delays in funding. Further, as of December 2011 the agency had not finalized plans or developed reliable schedules for efforts to incorporate these data, which could lead to additional delays. • One Program Integrity (One PI) is a Web portal intended to provide CMS staff, ZPICs, and other contractors with a single source of access to data contained in IDR, as well as tools for analyzing those data. While One PI is operational, we reported in December 2011 that CMS had trained few program integrity analysts and that the system was not being widely used. GAO recommended that CMS take steps to finalize plans and reliable schedules for fully implementing and expanding the use of both IDR and One PI. Although the agency told us in April 2012 that it had initiated activities to incorporate some additional data into IDR and expand the use of One PI, such as training more ZPIC and other staff, it has not fully addressed our recommendations. 34 GAO, Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use, GAO-11-475 (Washington, D.C.: June 30, 2011). Page 15 GAO-12-801T Medicare Fraud Having mechanisms in place to resolve vulnerabilities that lead to A Robust Process to improper payments is critical to effective program management and could Address Identified help address fraud. 35 A number of different types of program integrity Vulnerabilities Could contractors are responsible for identifying and reporting vulnerabilities to CMS. However, our work and the work of OIG have shown weaknesses Help Reduce Fraud in CMS’s processes to address vulnerabilities identified by these contractors. CMS’s Recovery Audit Contractors (RAC) are specifically charged with identifying improper payments and vulnerabilities that could lead to such payment errors. However, in our March 2010 report on the RAC demonstration program, we found that CMS had not established an adequate process during the demonstration or in planning for the national program to ensure prompt resolution of such identified vulnerabilities in Medicare; further, the majority of the most significant vulnerabilities identified during the demonstration were not addressed. 36 We therefore recommended that CMS develop and implement a corrective action process that includes policies and procedures to ensure the agency promptly (1) evaluates findings of RAC audits, (2) decides on the appropriate response and a time frame for taking action based on established criteria, and (3) acts to correct the vulnerabilities identified. 37 Our recommendations will not be fully addressed until CMS has put policies and procedures in place that will lead the agency to act promptly to correct identified vulnerabilities. In December 2011, the OIG similarly found that CMS lacked procedures to ensure that vulnerabilities identified 35 We have reported that an agency should have policies and procedures to ensure that (1) the findings of all audits and reviews are promptly evaluated, (2) decisions are made about the appropriate response to these findings, and (3) actions are taken to correct or resolve the issues promptly. These are all aspects of internal control, which is the component of an organization’s management that provides reasonable assurance that the organization achieves effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Internal control standards provide a framework for identifying and addressing major performance challenges and areas at greatest risk for mismanagement. GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). 36 GAO, Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight, GAO-10-143 (Washington, D.C.: Mar. 31, 2010). 37 GAO-10-143. Page 16 GAO-12-801T Medicare Fraud by other contractors were resolved. 38 CMS had not resolved or taken significant action to resolve 38 of 44 vulnerabilities (86 percent) reported in 2009 by ZPICs. Only 1 vulnerability had been fully resolved by January 2011. 39 The OIG made several recommendations, including that CMS have written procedures and time frames to assure that vulnerabilities were resolved. CMS has indicated that it is now tracking vulnerabilities identified from several types of contractors through a single vulnerability tracking process. We are currently examining aspects of CMS’s vulnerability tracking process and will be reporting on it soon. Although CMS has taken some important steps to identify and prevent Concluding fraud, including implementing provisions in PPACA and the Small Observations Business Jobs Act, more remains to be done to prevent making erroneous Medicare payments due to fraud. In particular, we have found CMS could do more to strengthen provider enrollment screening to avoid enrolling those intent on committing fraud, improve pre- and post- payment claims review to identify and respond to patterns of suspicious billing activity more effectively, and identify and address vulnerabilities to reduce the ease with which fraudulent entities can obtain improper payments. It is critical that CMS implement and make full use of new authorities granted by recent legislation, as well as incorporate recommendations made by us, as well as the OIG in these areas. Moving from responding once fraud has already occurred to preventing it from occurring in the first place is key to ensuring that federal funds are used efficiently and for their intended purposes. As all of these new authorities and requirements become part of Medicare’s operations, additional evaluation and oversight will be necessary to determine whether they are implemented as required and have the desired effect. We have several studies underway that assess efforts to fight fraud in Medicare and that should continue to help CMS refine and improve its fraud detection and prevention efforts. Notably, we are assessing the effectiveness of different types of pre-payment edits in 38 HHS-OIG, Addressing Vulnerabilities Reported by Medicare Benefit Integrity Contractors, OEI-03-10-00500 (December 2011). 39 OIG also found that CMS had not resolved or taken significant action to resolve 10 of 18 vulnerabilities (56 percent) reported in 2009 by Medicare Prescription Drug Integrity Contractors (MEDICs)—program integrity contractors for Medicare Parts C and D. Only 1 of those 18 vulnerabilities had been fully resolved by January 2011. Page 17 GAO-12-801T Medicare Fraud Medicare and of CMS’s oversight of its contractors in implementing those edits to help ensure that Medicare pays claims correctly the first time. We are also examining the use of predictive analytics by CMS and the ZPICs to improve fraud prevention and detection. ZPICs play an important role in detecting and investigating fraud and identifying vulnerabilities, and FPS will likely play an increasing role in how ZPICs conduct their work. Additionally, we have work under way to identify the types of providers and suppliers currently under investigation and those that have been found to have engaged in fraudulent activities. These studies may enable us to point out additional actions for CMS that could help the agency more systematically reduce fraud in the Medicare program. Due to the amount of program funding at risk, fraud will remain a continuing threat to Medicare, so continuing vigilance to reduce vulnerabilities will be necessary. Individuals who want to defraud Medicare will continue to develop new approaches to try to circumvent CMS’s safeguards and investigative and enforcement efforts. Although targeting certain types of providers that the agency has identified as high risk may be useful, it may allow other types of providers committing fraud to go unnoticed. We will continue to assess efforts to fight fraud and provide recommendations to CMS, as appropriate, that we believe will assist the agency and its contractors in this important task. We urge CMS to continue its efforts as well. Mr. Chairman, this concludes my prepared statement. I would be happy to answer any questions you or other members of the committee may have. For further information about this statement, please contact Kathleen M. King at (202) 512-7114 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Thomas Walke, Assistant Director; Michael Erhardt; Eden Savino; and Jennifer Whitworth were key contributors to this statement. Page 18 GAO-12-801T Medicare Fraud Related GAO Products Related GAO Products Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers. GAO-12-351. Washington, D.C.: April 24, 2012. Improper Payments: Remaining Challenges and Strategies for Governmentwide Reduction Efforts. GAO-12-573T. Washington, D.C.: March 28, 2012. 2012 Annual Report: Opportunities to Reduce Duplication, Overlap and Fragmentation, Achieve Savings, and Enhance Revenue. GAO-12-342SP. Washington, D.C.: February 28, 2012. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Expand Efforts to Support Program Integrity Initiatives. GAO-12-292T. Washington, D.C.: December 7, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. GAO-12-104T. Washington, D.C.: October 4, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. GAO-11-699. Washington, D.C.: September 6, 2011. Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness. GAO-11-592. Washington, D.C.: July 29, 2011. Improper Payments: Reported Medicare Estimates and Key Remediation Strategies. GAO-11-842T. Washington, D.C.: July 28, 2011. Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services. GAO-11-822T. Washington, D.C.: July 12, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. GAO-11-475. Washington, D.C.: June 30, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. GAO-11-409T. Washington, D.C.: March 9, 2011. Page 19 GAO-12-801T Medicare Fraud Related GAO Products Medicare: Program Remains at High Risk Because of Continuing Management Challenges. GAO-11-430T. Washington, D.C.: March 2, 2011. High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February 2011. Medicare Part D: CMS Conducted Fraud and Abuse Compliance Plan Audits, but All Audit Findings Are Not Yet Available. GAO-11-269R. Washington, D.C.: February 18, 2011. Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments. GAO-10-844T. Washington, D.C.: June 15, 2010. Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight. GAO-10-143. Washington, D.C.: March 31, 2010. Medicare Part D: CMS Oversight of Part D Sponsors’ Fraud and Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion. GAO-10-481T. Washington, D.C.: March 3, 2010. Medicare: CMS Working to Address Problems from Round 1 of the Durable Medical Equipment Competitive Bidding Program. GAO-10-27. Washington, D.C.: November 6, 2009. Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments. GAO-09-628T. Washington, D.C.: April 22, 2009. Medicare: Improvements Needed to Address Improper Payments in Home Health. GAO-09-185. Washington, D.C.: February 27, 2009. Medicare Part D: Some Plan Sponsors Have Not Completely Implemented Fraud and Abuse Programs, and CMS Oversight Has Been Limited. GAO-08-760. Washington, D.C.: July 21, 2008. Medicare: Covert Testing Exposes Weaknesses in the Durable Medical Equipment Supplier Screening Process. GAO-08-955. Washington, D.C.: July 3, 2008. Page 20 GAO-12-801T Medicare Fraud Related GAO Products Medicare: Thousands of Medicare Providers Abuse the Federal Tax System. GAO-08-618. Washington, D.C.: June 13, 2008. Medicare: Competitive Bidding for Medical Equipment and Supplies Could Reduce Program Payments, but Adequate Oversight Is Critical. GAO-08-767T. Washington, D.C.: May 6, 2008. Improper Payments: Status of Agencies’ Efforts to Address Improper Payment and Recovery Auditing Requirements. GAO-08-438T. Washington, D.C.: January 31, 2008. Improper Payments: Federal Executive Branch Agencies’ Fiscal Year 2007 Improper Payment Estimate Reporting. GAO-08-377R. Washington, D.C.: January 23, 2008. Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies. GAO-07-59. Washington, D.C.: January 31, 2007. Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers. GAO-05-656. Washington, D.C.: September 22, 2005. Medicare: CMS’s Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs. GAO-05-43. Washington, D.C.: November 17, 2004. Medicare: CMS Did Not Control Rising Power Wheelchair Spending. GAO-04-716T. Washington, D.C.: April 28, 2004. (291056) Page 21 GAO-12-801T Medicare Fraud This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon, GAO Reports and GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, Testimony go to www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, email@example.com, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, firstname.lastname@example.org, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Medicare: Progress Made to Deter Fraud, but More Could Be Done
Published by the Government Accountability Office on 2012-06-08.
Below is a raw (and likely hideous) rendition of the original report. (PDF)