United States Government Accountability Office GAO Report to Congressional Requesters November 2012 MEDICAID INTEGRITY PROGRAM CMS Should Take Steps to Eliminate Duplication and Improve Efficiency To access this report electronically, scan this QR Code. Don't have a QR code reader? Several are available for free online. GAO-13-50 November 2012 MEDICAID INTEGRITY PROGRAM CMS Should Take Steps to Eliminate Duplication and Improve Efficiency Highlights of GAO-13-50, a report to congressional requesters Why GAO Did This Study What GAO Found Medicaid has the second-highest The Medicaid Integrity Group’s (MIG) hiring of separate review and audit estimated improper payments of any contractors for its National Medicaid Audit Program (NMAP) was inefficient and federal program that reports such data. led to duplication because key functions were performed by both entities. Review The Deficit Reduction Act of 2005 contractors analyze state claims data to identify aberrant claims or billing created the Medicaid Integrity Program anomalies while audit contractors conduct postpayment audits to determine if to oversee and support state program payments to providers were improper. Because both types of contractors had to integrity activities. CMS, the federal assess whether payments were improper under state Medicaid policies, having agency within HHS that oversees separate contractors doubled states’ burden in ensuring that state policies were Medicaid, established the MIG to being correctly applied. Also, poor coordination and communication between the implement this new program. This two types of contractors resulted in duplicative data analysis. In turn, these report assesses (1) the MIG’s use of two types of contractors to review and inefficiencies added to the length of audits, which on average took almost audit state Medicaid claims, (2) the 23 months to complete. By contrast, the average duration of six audits using a MIG’s implementation of other more collaborative and coordinated approach was 16 months, and the amount of oversight and support activities, and identified overpayments increased significantly. (3) CMS and state reporting on the Other MIG oversight and support activities—the free training provided to state results of their program integrity officials through the Medicaid Integrity Institute, the evaluation of state program activities. GAO analyzed MIG data on integrity procedures through triennial comprehensive reviews, and the collection its contractors’ audits, training program of data from states through annual assessments—show mixed results in for state officials, comprehensive state enhancing program integrity efforts. According to state officials, the modest reviews, and state assessments; analyzed reports that summarized the expenditures on the institute result in valuable training and networking monetary returns from MIG and state opportunities. The MIG, however, has not taken advantage of the potential for program integrity activities; and comprehensive reviews to inform the selection of states for federal audits. interviewed MIG officials, contractors, Although the MIG’s comprehensive reviews yield considerable information about and state program integrity officials. state program integrity vulnerabilities, states with serious program integrity vulnerabilities often had few NMAP audits. Furthermore, the data collected What GAO Recommends through state program integrity assessments (SPIA) duplicate data collected GAO recommends that the CMS through comprehensive reviews and other reports, are not validated, and, even if Administrator (1) eliminate duplication the data were accurate, are less current than similar data from other sources. by merging contractor functions, Reporting by the Centers for Medicaid & Medicaid Services (CMS) on the return (2) use comprehensive reviews to on investment (ROI) from the activities of the MIG is inadequate. CMS’s annual better target audits, (3) follow up with reports to Congress provide a limited picture of ROI for NMAP audits, which states to ensure reliable reporting of account for over half of the MIG’s annual expenditures, and it is difficult to their program integrity recoveries, calculate an ROI with the expenditure and activity information provided. The (4) discontinue the SPIA, and Department of Health and Human Services (HHS) recently announced that it will (5) reevaluate and publish its ROI methodology. In response, HHS discontinue reporting a separate ROI for NMAP. In addition, CMS’s ROI concurred with three of GAO’s methodology includes a percentage of state-identified overpayments reported on recommendations and partially the SPIA, which is questionable. To date, CMS has not published an ROI concurred with the need to eliminate methodology. Regarding state reporting of recoveries, we found that most states SPIA-related duplication and to were not fully reporting recoveries according to specific program integrity reevaluate CMS’s ROI methodology. activities and that a sizable number appeared to underreport aggregate As discussed in this report, GAO recoveries compared to other sources. For example, one state reported continues to believe that its aggregate recoveries of about $195,000 over 3 years to CMS but about recommendations are valid. $36 million in its annual report to the governor for 2 of these years. The apparent gaps in state reporting of such recoveries make it difficult to determine whether View GAO-13-50. For more information, contact Carolyn L. Yocom at (202) 512-7114 states are returning the federal share of recovered overpayments. A full or firstname.lastname@example.org. accounting of state and NMAP related recoveries is vital for measuring the effectiveness of efforts to reduce improper payments. United States Government Accountability Office Contents Letter 1 Background 5 Use of Separate Review and Audit Contractors Was Inefficient, Led to Duplication, and Contributed to a Longer Audit Process 14 Other MIG Activities Show Mixed Results in Overseeing and Supporting States’ Program Integrity Activities 19 Reporting on Program Integrity Results Is Inadequate 24 Conclusions 30 Recommendations for Executive Action 31 Agency Comments and Our Evaluation 31 Appendix I Number of National Medicaid Audit Program Audits 35 Appendix II Recoveries from State Medicaid Program Integrity Activities 37 Appendix III Comments from the Department of Health and Human Services 39 Appendix IV GAO Contact and Staff Acknowledgments 43 Related GAO Products 44 Tables Table 1: States with Serious Program Integrity Vulnerabilities Identified in Comprehensive Reviews and the Number of Assigned NMAP Audits and State Rank as of February 2012 22 Table 2: MIG’s Strategy to Measure Return on Investment across Activities 26 Table 3: Number of National Medicaid Audit Program Audits by State as of February 2012 35 Table 4: Fraud, Waste, and Abuse Recoveries from State Medicaid Program Integrity Activities, Fiscal Years 2009 through 2011 37 Page i GAO-13-50 Medicaid Integrity Program Figures Figure 1: Review and Audit Contractors by State as of July 2012 7 Figure 2: Number of Audits and Total Potential Overpayments Identified and Sent to States for Recoupment (in millions of dollars) by Audit Approach, from fiscal year 2007 through February 29, 2012 10 Figure 3: Description of the MIG’s Comprehensive Program Integrity Reviews 12 Figure 4: Number and Duration of MSIS Audits that Identified Potential Overpayments, by Fiscal Year in which Audit Was Assigned, Fiscal Years 2008 through 2010 18 Figure 5: Number of States Reporting No Recoveries to CMS for State-Based Data Analysis, Provider Audits, and Medicaid Fraud Control Unit Investigations, Fiscal Years 2010 and 2011 28 Abbreviations CMS Centers for Medicare & Medicaid Services DRA Deficit Reduction Act of 2005 HHS Department of Health and Human Services MBES Medicaid Budget & Expenditure System MFCU Medicaid Fraud Control Unit MIG Medicaid Integrity Group MMIS Medicaid Management Information System MSIS Medicaid Statistical Information System NMAP National Medicaid Audit Program OIG Office of Inspector General ROI return on investment SPIA state program integrity assessment SURS Surveillance and Utilization Review Subsystem This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-13-50 Medicaid Integrity Program United States Government Accountability Office Washington, DC 20548 November 13, 2012 The Honorable Thomas R. Carper Chairman The Honorable Scott P. Brown Ranking Member Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security Committee on Homeland Security and Governmental Affairs United States Senate The Honorable Tom Coburn Ranking Member Permanent Subcommittee on Investigations Committee on Homeland Security and Governmental Affairs United States Senate The size and diversity of the Medicaid program make it particularly vulnerable to improper payments—including payments made for treatments or services that were not covered by program rules, that were not medically necessary, or that were billed for but never provided. 1, 2 Medicaid, the joint federal-state health care financing program for certain low-income individuals, is one of the largest social programs in federal and state budgets, providing care to about 70 million individuals at a cost 1 Medicaid consists of 56 distinct programs, and, within broad federal parameters, states are responsible for the day-to-day operations of their Medicaid programs. The 56 Medicaid programs include one for each of the 50 states, the District of Columbia, Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, and the United States Virgin Islands. 2 An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111- 204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). Page 1 GAO-13-50 Medicaid Integrity Program of $436 billion in fiscal year 2011. 3 The Centers for Medicare & Medicaid Services (CMS), the federal agency within the Department of Health and Human Services (HHS) that oversees Medicaid, estimated that $21.9 billion (8.1 percent) of federal Medicaid expenditures for that fiscal year were improper—the second-highest of any federal program that reports such data. We have had long-standing concerns about Medicaid’s program integrity. In January 2003 we added Medicaid to our list of high-risk programs because of concerns about the sufficiency of federal and state oversight. 4 Two years later, we testified that CMS needed to increase its commitment—both the alignment of resources and strategic planning—to helping states fight Medicaid fraud, waste, and abuse. 5 More recently, we highlighted the program’s vulnerability to improper payments. 6 Until the Deficit Reduction Act of 2005 (DRA) expanded CMS’s role, Medicaid program integrity had been primarily a state responsibility. While states remain the first line of defense against Medicaid improper payments, the DRA established the Medicaid Integrity Program to provide effective federal support and assistance to states’ efforts to prevent improper payments. 7 To implement this program, CMS established the Medicaid Integrity Group (MIG) in 2006, whose core activities consist of • the National Medicaid Audit Program (NMAP), which uses contractors to analyze and audit state provider claims data in order to identify overpayments; 3 The federal government matches states’ expenditures for most Medicaid services using a statutory formula based on each state’s per capita income. In fiscal year 2011, the federal share of Medicaid spending was $275 billion, while the state share was $161 billion. 4 See GAO, Major Management Challenges and Program Risks: Department of Health and Human Services, GAO-03-101 (Washington, D.C.: Jan. 2003). 5 See GAO, Medicaid Fraud and Abuse: CMS’s Commitment to Helping States Safeguard Program Dollars Is Limited, GAO-05-855T (Washington, D.C.: June 28, 2005). 6 See GAO, Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments, GAO-11-409T (Washington, D.C.: Mar. 9, 2011). 7 See Pub. L. No. 109-171, § 6034, 120 Stat. 4, 74-78 (2006) (codified at 42 U.S.C. § 1396u-6). Page 2 GAO-13-50 Medicaid Integrity Program • the Medicaid Integrity Institute—a national Medicaid integrity training program for state officials; • state comprehensive reviews—triennial assessments of states’ program integrity procedures and processes; • state program integrity assessments (SPIA)—the annual collection of data on state Medicaid integrity activities; • state technical assistance; and • education and training of providers on payment integrity and quality of care issues. You asked us to examine CMS’s support for and oversight of states’ efforts to prevent and reduce improper payments. To address your request, we first reported on the results of the MIG’s efforts to redesign the NMAP, which accounts for about half of the MIG’s expenditures. 8 This report further examines the NMAP as well as the MIG’s other activities. It assesses (1) how the MIG used contractors to conduct NMAP audits, (2) the MIG’s implementation of several other oversight and support activities, and (3) the reporting of the results of program integrity activities by CMS and states. To assess how the MIG used contractors to conduct NMAP audits, we analyzed MIG data on audit assignments and its contractors’ lessons learned reports. We discussed the NMAP program with MIG officials, representatives of the MIG’s review and audit contractors, and program integrity officials in 11 states. 9 Finally, we reviewed relevant HHS Office of the Inspector General (HHS-OIG) reports, and interviewed HHS-OIG officials involved in early assessments of the work of the MIG’s review and audit contractors. To ensure the reliability of the data provided by the MIG, we reviewed the accompanying data descriptions and interviewed 8 See GAO, National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States, GAO-12-627 (Washington, D.C.: June 14, 2012). 9 The 11 states were Arizona, California, Connecticut, Florida, Kentucky, New York, Ohio, Pennsylvania, Texas, Washington, and Wisconsin. We selected these states because of their geographic diversity and because together they account for almost half of all Medicaid spending and beneficiaries. Page 3 GAO-13-50 Medicaid Integrity Program knowledgeable MIG officials. We determined that the data were reliable for our purposes. To assess the MIG’s implementation of other oversight and support activities, we collected and analyzed available information on its three core activities. Specifically, we (1) examined materials related to the operation of the MIG’s Medicaid Integrity Institute, such as the institute’s 2011 training calendar and one course’s after action evaluation report; (2) analyzed final reports for the MIG’s most recent triennial comprehensive reviews of the 50 states and the District of Columbia for state program integrity vulnerabilities and compliance issues; and (3) reviewed the summary statistics collected annually as a part of the SPIA. 10 We discussed these three activities with MIG officials and with program integrity staff in the same 11 states mentioned above, and reviewed other pertinent reports and documents related to these activities. We also performed reliability checks on the comprehensive reviews and SPIA data, such as reviewing relevant documentation and discussing these data sources and their internal controls with knowledgeable CMS officials. These officials told us that the SPIA data are self-reported and not validated. As a result, we discuss the SPIA’s data limitations in this report but did not use these data to analyze states’ reported recoveries. To assess the reporting of the results of program integrity activities by CMS and states, we reviewed CMS’s annual budget justifications for fiscal years 2010-2013, the MIG’s annual reports to Congress for fiscal years 2008-2010, and the HHS’s performance management website; and we interviewed MIG officials. We also analyzed state-reported program integrity recoveries from the Medicaid Budget & Expenditures System (MBES), and discussed state reporting with officials in CMS’s Center for Medicaid and CHIP Services, which is responsible for the database that captures state reporting. 11 We performed reliability checks on the MBES data and discussed these data and their internal controls with knowledgeable CMS officials. Because we found that the MBES data 10 We did not review technical assistance provided to states by the MIG or the activities of the MIG’s education contractor, which works with providers on payment integrity and quality of care issues. 11 CHIP is the acronym for the State Children’s Health Insurance Program, a federal-state program that provides health care coverage to children 18 years of age and younger living in low-income families whose incomes exceed the eligibility requirement for Medicaid. Page 4 GAO-13-50 Medicaid Integrity Program were incomplete in their reporting of states’ recoveries, we did not use this data source but do discuss the data limitations we identified in this report. We conducted this performance audit from July 2011 through November 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The MIG implemented its set of core activities gradually from fiscal years Background 2006 to 2009 when it reached its annual funding level of $75 million. 12 For example, the MIG initiated comprehensive reviews in fiscal year 2007, completing eight, week-long site visits and implemented NMAP audits in fiscal year 2009. To track the value of its program integrity activities, the MIG developed a formula to measure return on investment (ROI), including both direct and indirect benefits. The MIG, in conjunction with Center for Medicaid and CHIP Services, also developed a mechanism for states to report recoveries from fraud, waste, and abuse at a more detailed level than previously as a part of CMS’s fiscal oversight of state Medicaid expenditures. NMAP Audits The NMAP program accounts for about half of the $75 million appropriated annually for the Medicaid integrity program. In each of five geographic areas, two separate contractors are responsible for the review and audit functions (see fig. 1): 12 Under the DRA provision, as amended, $5 million was appropriated for the Medicaid Integrity Program for fiscal year 2006, increasing to $50 million for each of the subsequent 2 fiscal years, and $75 million for fiscal years 2009 and 2010. For each fiscal year since 2010, the amount appropriated has been the previous year’s appropriation adjusted for inflation. Page 5 GAO-13-50 Medicaid Integrity Program • Review function. One contractor reviews states’ paid claims data to identify aberrant claims or billing anomalies. 13 • Audit function. A different audit contractor conducts targeted provider audits to determine whether or not the provider received an overpayment. 14 As of July 2012, the MIG had two review contractors and three separate audit contractors. 13 The MIG’s review contractors conduct data analysis intended to help identify potential audit targets using algorithms that target specific types of overpayments, such as duplicate claims for the same service, and specify a set of rules to analyze the data. The MIG maintains about 100 algorithms. 14 Audit contractors notify the providers and request documentation. Audit work involves reviewing provider records and interviewing providers and personnel. The audit contractors prepare draft audit reports and incorporate provider and state comments. The MIG reviews the audit contractors’ submission and when it is considered complete sends a final audit report to the state to pursue and collect any overpayments. Page 6 GAO-13-50 Medicaid Integrity Program Figure 1: Review and Audit Contractors by State as of July 2012 Notes: Each contractor is assigned to one or multiple geographic areas outlined in this map. For example, IPRO works in one geographic area but IntegriGuard works in three geographic areas. In addition, the MIG selected a new audit contractor in one area and the original audit contractor is still completing its remaining work. a Booz Allen Hamilton was the initial audit contractor and is still completing its remaining work. b IntegriGuard was formerly known as HMS. Page 7 GAO-13-50 Medicaid Integrity Program Since its inception, the MIG has used three different approaches to conducting NMAP audits—test audits, Medicaid Statistical Information System (MSIS) audits, and, more recently, collaborative audits. 15 As we noted in our June 2012 report on NMAP, the test and collaborative audits differed from the MSIS audits in two important ways: the test and collaborative audits (1) leveraged state expertise to identify potential audit targets, rather than having the MIG select potential targets on the basis of the work of its review contractors; and (2) primarily used state Medicaid Management Information System (MMIS) data rather than MSIS data. 16 The MMIS is a mechanized claims-processing and information-retrieval system maintained by individual states that generally reflects real-time payments and adjustments of detailed claims for each health care service provided. The MSIS audits relied on MSIS data, which contains extracts from states’ MMIS databases. Because MSIS is a subset of states’ MMIS data files, MSIS data are missing elements that can assist in audits, such as the explanations of benefit codes and the names of providers and beneficiaries. In addition, MSIS data are not current because of late state submissions and the time it takes CMS’s contractors to review and validate the data. 17 We recently reported that the identified overpayments from MSIS audits were significantly lower than those identified by test and collaborative audits. 18 As of February 2012, 59 of the 1,550 MSIS audits identified $7.4 million in potential overpayments. In contrast, 26 test audits and 6 collaborative audits together identified $12.5 million in potential overpayments (see fig. 2). 19 While the newer collaborative audits have not yet identified more in overpayments than MSIS audits, only 6 of the 112 collaborative audits had final audit reports through February 2012, and thus the total overpayment amounts identified through collaborative 15 The MIG began implementing collaborative audits in 2010 and, in February 2011, stopped assigning MSIS audits. As of June 2012, however, about 90 MSIS audits were still underway. 16 See GAO-12-627. 17 HHS-OIG, MSIS Data Usefulness for Detecting Fraud, Waste, and Abuse, OEI-04-07- 00240 (August 2009); HHS-OIG, Top Management and Performance Challenges Facing the Department of Health and Human Services in Fiscal Year 2011 (November 2011). 18 See GAO-12-627. 19 As of February 2012, 123 of the 1,550 MSIS audits were on-going and 286 were in the draft audit report stage. Page 8 GAO-13-50 Medicaid Integrity Program audits will likely continue to grow. In addition, we reported that (1) half of the MSIS audits were for potential overpayments of $16,000 or less, compared to a median of about $140,000 for test audits and $600,000 for collaborative audits, and (2) over two-thirds (69 percent) of the 1,550 MSIS audits assigned to contractors were either discontinued (625), had low or no findings (415), or were put on hold (37). 20 Finally, we also reported that the main reason the NMAP audits were ineffective was the use of MSIS data, which are inadequate for reviewing claims and selecting audit targets. Further, the MSIS audits were not well coordinated with states, duplicated state program integrity activities, and diverted resources from states’ activities. When we spoke about the MSIS audits with 11 states, some indicated that participation in MSIS audits diverted staff from their regular duties. 20 These data are as of February 2012. The MIG generally considers overpayments of $2,000 or less as too low to merit collection, but it has issued final audit reports for less than that amount. Page 9 GAO-13-50 Medicaid Integrity Program Figure 2: Number of Audits and Total Potential Overpayments Identified and Sent to States for Recoupment (in millions of dollars) by Audit Approach, from fiscal year 2007 through February 29, 2012 Notes: Test audits were conducted from fiscal year 2007 through 2010. Medicaid Statistical Information System (MSIS) audits began in 2008 and are ongoing. Collaborative audits began in 2010 as part of the redesign of the NMAP and are also ongoing. Dollar amounts shown are potential overpayments in final audit reports sent to states for recovery. They do not reflect the amounts in draft audit reports or the amounts actually recovered by the states. MIG Support, Oversight, In addition to the NMAP, the MIG has implemented three activities that and Reporting are the core of its support and oversight of state program integrity—the Medicaid Integrity Institute, comprehensive reviews, and SPIA. Less than half of the MIG’s $75 million annual budget supports these three activities. The MIG has also developed a methodology for computing the ROI for its activities. Page 10 GAO-13-50 Medicaid Integrity Program Medicaid Integrity Institute. In 2007, the MIG established the Medicaid Integrity Institute, the first national Medicaid training program for state program integrity officials. CMS executed an interagency agreement with the Department of Justice to house the institute at the National Advocacy Center, located at the University of South Carolina. At no cost to states, the institute offers substantive training and support in a structured learning environment. In time, the institute intends to create a credentialing process to elevate the professional qualifications of state Medicaid program integrity staff. Comprehensive reviews. In 2007, the MIG initiated triennial comprehensive state program integrity reviews, which assess each state’s Medicaid program integrity procedures and processes. 21 Topics covered include program integrity organization and staffing, postpayment review and fraud identification, investigation, and referral. The objective of the reviews is to assess the effectiveness of states’ program integrity activities and compliance with federal program integrity laws. As of fiscal year 2011, the MIG had reviewed all states once (as well as the District of Columbia, and Puerto Rico) and 26 states twice. Eighteen states have been scheduled for review in fiscal year 2012. State comprehensive reviews are guided by a detailed protocol and represent a significant investment of staff time and resources for both states and the MIG. In advance of a 1-week on-site review, state staff respond to the review protocol and provide documentation on a state’s program integrity activities (see fig. 3.) After the week-long visit, MIG staff draft a report, obtain state comments, and follow up with the state on the implementation of any corrective actions required to address findings. The culmination of a review is a final report that details the MIG’s assessment of each state’s program integrity vulnerabilities, compliance with federal laws, and effective practices. These reports are posted on CMS’s website and the MIG prepares an annual report that summarizes the results for all states reviewed each year. 22 21 Prior to the MIG, CMS conducted comprehensive reviews of state program integrity activities every 7 years. 22 http://www.cms.gov/Medicare-Medicaid-Coordination/Fraud- Prevention/FraudAbuseforProfs/StateProgramIntegrityReviews.html. Page 11 GAO-13-50 Medicaid Integrity Program Figure 3: Description of the MIG’s Comprehensive Program Integrity Reviews State Program Integrity Assessments. Annually, the MIG collects information through a web-based portal from each state about its program integrity activities, which results in a publication of a one-page summary that provides statistics on states’ program integrity staffing, expenditures, audits for improper payments, and recoveries. 23 According to MIG officials, the SPIA represent the first national baseline collection of data 23 The SPIA online database contains more detailed information than is presented in the one-page summaries. SPIA results covering all states are also summarized in a three- page executive summary, and detailed data for each state are available for all SPIA years. Page 12 GAO-13-50 Medicaid Integrity Program on state Medicaid integrity activities for the purpose of program evaluation and technical assistance. Although the profiles are published every year, there is a 2-year lag in the SPIA data collection. For example, the 2010 SPIA covered state fiscal year 2008 activities. Return on Investment. Federal law requires HHS to annually report to Congress on the effectiveness of the use of the funds appropriated for the Medicaid Integrity Program. 24 However, the benefit derived from some of the activities, such as the Medicaid Integrity Institute or technical assistance, are difficult to quantify because they contribute to cost avoidance rather than recoveries of overpayments. The MIG has developed a strategy for reporting the ROI for the NMAP and its other activities, which has changed over the program’s existence. Typically, an ROI is calculated as a percentage—the benefits identified through a program or set of activities relative to the total costs of that program or activities. Medicaid Overpayment CMS has had a long-standing requirement that states report the Recovery Reporting aggregated amount of recoveries from provider overpayments as a part of their quarterly reporting on Medicaid program expenditures. During fiscal year 2009, the MIG helped the CMS unit responsible for validating state reporting of Medicaid expenditures develop more detailed reporting of states’ recoveries of provider overpayments. Beginning in fiscal year 2010, CMS required states to report recoveries for specific activities separately, such as NMAP, state program integrity activities, or the activities of the HHS-OIG. The more detailed reporting of fraud, waste, and abuse recoveries was initiated to allow CMS to track recouped amounts according to specific program activities. CMS regional office staff validates and audits the reported expenditure data and accompanying detailed information; state officials must also attest to the data’s accuracy. 25 Recovered overpayments are subtracted from the states’ Medicaid expenditures, which forms the basis for computing the federal share of program costs. 24 42 U.S.C. §1396u-6(e)(5). 25 CMS’s Financial Review Guide describes the protocol that its staff uses to validate the state-reported data. Page 13 GAO-13-50 Medicaid Integrity Program The MIG’s decision to establish separate review and audit contractors for Use of Separate each state was inefficient and led to duplication because key functions Review and Audit such as data analysis were performed by both types of contractors. In turn, these inefficiencies contributed to lengthy MSIS audits, which, on Contractors Was average, took almost 2 years to complete. Inefficient, Led to Duplication, and Contributed to a Longer Audit Process Use of Separate Review The MIG’s decision to establish separate review and audit contractors for and Audit Contractors Was each state was inefficient and led to duplication in two key areas—state Inefficient and Led to Medicaid policies and data analysis. The DRA required CMS to hire contractors to review and audit provider claims. According to MIG Duplication officials, they initially believed that the DRA required the use of separate contractors but, in hindsight, concluded that these activities could have been performed by one contractor. 26 State Medicaid policies. The MIG’s decision to use separate review and audit contractors meant that both entities had to master the details of numerous state Medicaid policies related to eligibility, benefits, and claims processing in order to appropriately assess whether payments were improper. 27 Although MIG officials told us that they were sensitive to the burden placed on states by the establishment of NMAP, the use of separate review and audit contractors nonetheless increased states’ administrative burden because both types of contractors performed the same function and states had to review the contractors’ work to ensure that state policies were applied correctly. States provided feedback about the samples prepared by the review contractors, which in some cases reflected a misunderstanding of state policy. 28 In addition, state officials 26 MIG officials told us that they consulted CMS’s Office of Acquisition and Grants Management before deciding to hire separate review and audit contractors. This office manages contracting activities and is responsible for developing acquisition policy and procedures. 27 The MIG required both type of contractors to execute Joint Operating Agreements with state Medicaid agencies. 28 As part of their data analyses, the review contractors submitted samples of their potential findings to the states, via the MIG, for review and validation. See GAO-12-627. Page 14 GAO-13-50 Medicaid Integrity Program told us that they found themselves educating audit contractors about state Medicaid policies. 29 The MIG’s two review contractors were responsible for learning and correctly applying the policies of 22 and 28 states, respectively, while the three audit contractors were required to master the policies of from 8 to as many as 24 states. Officials from one state noted that becoming fully knowledgeable about all the policies affecting state program integrity audits could take 2 to 3 years. According to several state officials, the lack of an in-depth knowledge of state policy contributed to unproductive provider audits. For example, according to one state official, the MIG and its contractors had mistakenly identified overpayments for federally qualified health centers because they assumed that centers should receive reduced payments for an established patient on subsequent visits. The contractors were not aware that these types of centers are paid on an encounter basis, which makes the same payment for the first and follow-up visits. Data analysis. The use of separate review and audit contractors increased inefficiencies in data analysis, which also led to duplication of effort. The review contractors’ primary function was using algorithms to analyze MSIS data with the goal of identifying potential improper payments. Audit contractors also analyzed MSIS data to learn more about targeted providers and the services for which they billed. However, the audit contractors duplicated certain data analyses that had already been performed by the review contractors, such as performing their own verification of the completeness and accuracy of MSIS data. For example, one audit contractor reported that the presence of large numbers of duplicate claims in the MSIS data resulted in a significant commitment of the contractor’s analytical and data management resources for 66 audit targets that were subsequently discontinued. The inefficiencies of having both review and audit contractors were exacerbated by the MIG’s communication policies. All communication, whether between review and audit contractors or between contractors and states, went through a multistep process controlled by the MIG and, as a result, the audit contractors could not easily communicate with the review contractors to verify specific details of the review contractors’ data analyses. Two audit contractors’ lessons-learned reports recommended 29 Since the implementation of NMAP, the MIG has changed audit contractors in two of the five geographic areas and thus new contractors had to become familiar with state Medicaid policies while the original audit contractors completed any remaining work. Page 15 GAO-13-50 Medicaid Integrity Program closer collaboration between audit and review contractors during the algorithm vetting process and target selection to prevent duplicative data analysis. In addition, the inability to communicate freely inhibited contractors from taking full advantage of states’ knowledge of their own Medicaid policies. The HHS-OIG reported a similar finding that the MIG’s communication policy also contributed to a duplication of contractor functions. 30 To improve coordination and communication between the contractors, MIG officials told us they began monthly conference calls in mid-2011 that included both the review and audit contractors working in the same geographic area. One audit contractor stated that the improved communication with the review contractor has increased the efficacy of their audits specifically related to early readmissions and hospice. Several of the MIG’s recent changes to NMAP may reduce, but not eliminate, duplication. Although review contractors were not initially involved in collaborative audits, MIG officials told us that collaborative audits were evolving and in some cases the review contractors are conducting data analysis on state supplied MMIS data or are continuing to analyze MSIS data in order to identify potential audit targets. 31 However, they told us that review contractors are collaborating more closely with states to validate any MSIS data findings using MMIS data. Moreover, in July 2012, the MIG told us that while it planned to retain two review contractors, it would reduce their workload overall and realign their geographic areas of responsibility to ensure that all states are still supported. Despite these changes, both review and audit contractors must still correctly apply states’ Medicaid policies because both continue to be involved in collaborative audits. MSIS Audits Were Lengthy MIG officials acknowledged that MSIS audits were lengthy and told us that, among other factors, better communication among the MIG, its contractors, and states would have contributed to shorter audits. The duration of successful MSIS audits, that is, those that identified overpayments, decreased from 2008 through 2010; however, the typical 30 HHS-OIG, Early Assessment of Audit Medicaid Integrity Contractors, OEI-05-1-00210 (March 2012). 31 According to MIG officials, in cases where MMIS data are not available at the outset, the review contractors run algorithms on MSIS data. The review contractors conducted data analysis on 34 percent of the 112 collaborative audits assigned to the MIG’s audit contractors from January 2010 through December 2011. Page 16 GAO-13-50 Medicaid Integrity Program length of time from assignment of audit until submission of the final audit report for these 58 successful MSIS audits was 23 months, ranging from 11 months to 38 months, with half of these audits taking 23 months or more to complete (see fig. 4). 32 In addition, for the 118 audits that were assigned from 2009 to 2011 and still in progress, the average duration as of February 2012 was 21 months. 33 As the MIG shifts to collaborative audits, preliminary results suggest these audits are completed more quickly than MSIS audits. Although only six collaborative audits had final audit reports as of February 2012, the average duration of those successful audits was 16 months compared to 23 months for successful MSIS audits. 32 Data reported is as of February 29, 2012. We only report the duration for 58 of the 59 MSIS audits that resulted in a final audit report because of the ambiguity of the duration of one audit. The duration of MSIS audits includes the several weeks that the MIG takes to review the draft findings and release the final audit report to states. 33 According to CMS, 13 of these ongoing 118 audits had low or no findings and 15 have resulted in draft audit reports as of June 2012. In addition, MIG officials told us that two audits in progress were consolidated into one draft audit report, which reduces the number of audits in progress by two rather than one. Page 17 GAO-13-50 Medicaid Integrity Program Figure 4: Number and Duration of MSIS Audits that Identified Potential Overpayments, by Fiscal Year in which Audit Was Assigned, Fiscal Years 2008 through 2010 Note: Data as of February 29, 2012, and include 58 out of 59 audits because of the ambiguity of one audit’s duration. As of this date, CMS had not yet issued final audit reports for MSIS audits assigned in fiscal year 2011. An additional 16 audits had reached the final audit report stage but were still being reviewed by the MIG. Duration is the average number of months between audit assignment and submission of the final audit report to the state. Successful MSIS audits, those that identified overpayments, took nearly 2 years to complete, longer than some states and HHS-OIG typically allow for Medicaid provider audits. Several state officials we interviewed told us that MSIS audits took too long to complete. One state official indicated that the state expected its new recovery audit contractor would produce results within 9 months of the start of the contract, and an official from a different state said that his staff attempt to produce draft audit reports within 60 days of initiating an audit. 34 Additionally, the HHS-OIG 34 The Patient Protection and Affordable Care Act requires state Medicaid programs to establish contracts with recovery audit contractors to identify and recoup overpayments, consistent with state law and similar to the contracts established for the Medicare program. Pub. L. No. 111-148, § 6411, 124 Stat. 119,773 (2010). Page 18 GAO-13-50 Medicaid Integrity Program allows about a year for audits to be conducted and completed before reviewing or reporting on them. 35 MIG officials told us that they were aware of the time-consuming nature of MSIS audits and do track audit progress, such as “days remaining to completion.” On the basis of a 2010 suggestion by one of its audit contractors, the MIG is taking steps to build the capability to generate audit aging reports that would be available to its contractors in its new workflow management system, but officials told us that these changes are still in the implementation and testing phase. The MIG’s modest spending on the Medicaid Integrity Institute enhances Other MIG Activities states’ capabilities. Comprehensive reviews, a MIG oversight activity, Show Mixed Results have the potential to inform state selection for federal audits. But, the data collected through the SPIA, another MIG oversight activity, has been of in Overseeing and limited value as it is inconsistently reported, not validated, and overlaps Supporting States’ with information collected through comprehensive reviews and other state Program Integrity reporting mechanisms. Activities Modest MIG Spending on Spending on the Medicaid Integrity Institute is a small fraction of the Training through the MIG’s overall budget, and the 11 state program integrity officials we Institute Enhances States’ interviewed affirmed the value of the institute for the substantive training it provided. In addition, officials from 10 states described the benefits Program Integrity derived from the opportunity to network with other states (see text box for Capabilities examples of state officials’ comments). The cost of the institute is modest compared with overall MIG funding; the MIG reported that $1.7 million of the approximately $75 million appropriated for the Medicaid Integrity Program in fiscal year 2011 was spent on the institute. 36 From fiscal years 2008 to 2012, the institute trained over 3,000 state employees. While officials from the 11 states we spoke with commended the institute, some also offered suggestions for expanding the reach of the institute’s activities: 35 OEI-05-1-00210. 36 The MIG funds state officials’ attendance at and travel to the institute. Page 19 GAO-13-50 Medicaid Integrity Program • Officials from three states suggested that the MIG expand opportunities for additional staff to attend, such as staff from the Medicaid Fraud Control Units (MFCU) or the clinical staff that work with program integrity staff, or allow attendance by more staff from larger states. 37 • Furthermore, officials from three states recommended that the institute offer Medicaid audit certification to state program integrity staff. The National Association of Medicaid Directors and the Medicaid and CHIP Payment and Access Commission also recommended that CMS expand the institute to make it more accessible to state officials. 38 The MIG’s Comprehensive Comprehensive reviews yield important information about all aspects of Reviews Could Help states’ program integrity capabilities and vulnerabilities, and such Inform the Selection of information could be used to target NMAP audits towards states with serious vulnerabilities. In its comprehensive reviews of 51 states, the MIG States for NMAP Audits identified 7 states as having serious program integrity infrastructure vulnerabilities, such as not maintaining a centralized program integrity function, yet 5 of these states had less than the typical number of audits assigned. 39 Two of the 7 states had no NMAP audits assigned, 3 states had less than 1 percent of assigned audits in their states, and 2 other states had 16 and 23 audits, respectively; these last 2 states ranked 29th and 22nd in the assignment of 1,662 NMAP audits as of February 2012. (See table 1.) In the same set of 51 state comprehensive reviews, the 37 MFCUs, which are generally located in state Attorney Generals’ offices, are responsible for investigating and prosecuting Medicaid fraud. State program integrity offices refer cases to these units. 38 National Association of Medicaid Directors, Rethinking Medicaid Program Integrity: Eliminating Duplication and Investing in Effective, High-value Tools (March 2012) and Medicaid and CHIP Payment and Access Commission, Report to Congress on Medicaid and CHIP (March 2012). 39 The comprehensive reviews of 51 states were performed from 2008 through 2011 and were the most recently available as of May 2012. Page 20 GAO-13-50 Medicaid Integrity Program MIG identified 6 states that had a limited or ineffective Surveillance Utilization Review Subsystem (SURS), another serious vulnerability involving the required claims-data surveillance system. 40 Only 1 of these states was among the top 10 states for assigned NMAP audits. The number of assigned audits in these 6 states ranged from 0 to 110, with 3 states having 10 or fewer audits, 2 states having about 30 audits, and one state having 110 audits. The state with the highest number of NMAP audits was Louisiana, which accounted for 10 percent of all NMAP audits (195); yet, according to the MIG’s comprehensive review, the state did not have a vulnerable program integrity infrastructure or any identified SURS weaknesses. (See app. I for the number of NMAP audits assigned to each state.) 40 SURS is intended to develop statistical profiles of services, providers, and beneficiaries in order to identify potential improper payments. For example, SURS may apply automatic postpayment screens to Medicaid claims in order to identify aberrant billing patterns. Page 21 GAO-13-50 Medicaid Integrity Program Table 1: States with Serious Program Integrity Vulnerabilities Identified in Comprehensive Reviews and the Number of Assigned NMAP Audits and State Rank as of February 2012 Federal fiscal year comprehensive Assigned State rank in review was NMAP terms of States conducted Finding audits assigned audits Infrastructure vulnerability Michigan 2010 Ineffective program oversight and operations 0 45 Maine 2009 Not having resources with diverse medical expertise 0 45 Oregon 2010 Program integrity function is not centrally organized 2 41 within Medicaid agency Indiana 2010 Limited effectiveness of program integrity/SURS 9 32 Wyoming 2008 Not maintaining a centralized program integrity 9 32 function Alaska 2010 Not maintaining a centralized program integrity 16 29 function Nevada 2010 Not maintaining a centralized program integrity 23 22 function and backlog of program integrity cases Surveillance Utilization Review Subsystem (SURS) vulnerability Maine 2009 State does not have a functioning SURS 0 45 Hawaii 2010 State does not have an effective SURS 5 39 Indiana 2010 Limited effectiveness of program integrity/SURS 9 32 Nebraska 2009 State does not maintain an effective SURS operation 26 20 West Virginia 2009 State has less than effective SURS operation 33 17 Arkansas 2010 State does not have statewide SURS program 110 4 Source: GAO analysis of CMS data. Note: Our analysis of NMAP audits considered both MSIS and collaborative audits. As a part of its comprehensive reviews, the MIG identifies findings or vulnerabilities that continue to persist from the state’s prior comprehensive review. Of the 51 comprehensive reviews we analyzed, the MIG found that one quarter of states had uncorrected repeat or partial repeat findings or vulnerabilities that had not been addressed since the prior reviews. 41 Nonetheless, of the 10 states that received 62 percent of 41 According to MIG officials, partial repeat findings are cited when a state has (1) started, but not completed, steps to correct a vulnerability, or (2) not yet addressed a new statutory requirement. Page 22 GAO-13-50 Medicaid Integrity Program the 1,662 NMAP audits, 8 states had no uncorrected repeat findings or vulnerabilities. SPIA Data Are Not On an annual basis, states self-report the data submitted to the SPIA, and Validated, Are MIG staff told us that they do not review all 220 state-reported data Inconsistently Reported, elements or validate the data for reliability. Yet, MIG staff told us that they do check the states’ data submissions for reasonableness and follow up and Overlap with Other with states to confirm extreme responses. We have reported that the Efforts SPIA contained significant errors and were inconsistent with data reported in state comprehensive reviews covering the same year. 42 Overall, the data are not reported in a consistent enough manner to allow for comparisons across states. For example, the instructions specify which collections a state may include in the category of recovered overpayments, but one state official told us the state’s recoveries included collections that were supposed to be excluded. State reporting is further complicated because the collection instrument does not allow state officials to comment on or explain their responses. Thus, states unable to report data as requested also cannot explain why or how their data deviates from what was requested, resulting in inconsistent reporting and blank items. In addition, much of the information is collected through other reporting mechanisms as well. State officials have told us that the SPIA is burdensome because the website interface is difficult to use and asks again for information that they already provide as part of other reporting. For example, the SPIA includes program integrity expenditures and recoveries—two key metrics for accountability and oversight—that are also collected through the required quarterly reporting of state Medicaid expenditures to CMS and which are also subject to validation and audit. 43 Several other items reported on the SPIA—Medicaid enrollees, managed care enrollment, participating providers, the state program integrity 42 See GAO, Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States, GAO-12-288T (Washington, D.C.: Dec. 7, 2011). 43 According to CMS, not all of the information that the SPIA collects on expenditures is available through quarterly reports. For example, unlike the quarterly reporting form, the SPIA asks for expenditure information by activity. Many states, however, do not report such information and the information provided is not validated. If CMS believed that such detailed program integrity expenditure data were valuable, it could revise states’ quarterly reporting requirements. Page 23 GAO-13-50 Medicaid Integrity Program organizational structure, number of staff, use of contractors, SURS, and recoveries—are also collected during the comprehensive reviews every 3 years and included in the published reports available on the MIG’s website. MIG officials acknowledged that the SPIA duplicated other requests for information and told us they were examining ways to reduce the duplication. MIG officials told us that states use the SPIA as a reference tool to familiarize themselves with other states’ program integrity activities, plan program integrity activities and training, and identify how the MIG can provide support to them. However, representatives from 10 out of 11 states we spoke with told us that they had not looked at other states’ assessment data posted on the MIG’s website. One state official explained that smaller states or those with newer program integrity activities may refer to the SPIA, but the larger states we contacted had not. In addition, representatives from 4 states commented that SPIA reporting is not consistent or comparable across states. Correcting inconsistencies in the SPIA data, however, would be of limited value. The 2-year time lag in the SPIA data undermines its usefulness in determining which states would benefit from technical assistance and developing measures to assess states’ performance. Other sources, such as comprehensive reviews, provide more timely and useful information. CMS’s limited reporting on the ROI from the Medicaid Integrity Program is Reporting on Program inadequate. State reporting of recoveries is similarly insufficient because Integrity Results Is we found that most states were not fully reporting recoveries according to specific program integrity activities and that almost half appeared to Inadequate underreport aggregate annual recoveries. CMS’s Limited ROI CMS’s annual reports to Congress do not provide a clear picture of the Reporting Is Inadequate ROI for NMAP audits because they combined the results of MSIS and test audits, which performed very differently. In its annual report covering fiscal year 2010, CMS reported that 947 MSIS and test audits were underway in 45 states and that its contractors had identified cumulative Page 24 GAO-13-50 Medicaid Integrity Program potential overpayments of about $10.7 million. 44 Our analysis of CMS’s data, which summarized these results by audit approach, found that over three-fourths of the overpayments—$8.4 million—were identified by the small number of test audits, in which states identified the audit targets and supplied their own data. Reporting combined overpayments for MSIS and test audits gave the impression that NMAP was more successful than was the case. Moreover, the annual report did not provide information on the number of audits that were discontinued because of no or low overpayments. Finally, the $42 million in expenditures for Medicaid integrity contractors reported in the fiscal year 2010 annual report combined the cost of both NMAP and education contractors, making it difficult to compute an ROI for NMAP. ROI reporting for the Medicaid Integrity Program as a whole has changed over time. • For fiscal year 2008, HHS’s budget justification for CMS reported an ROI of 300 percent for the test audits covering a 3-month period—the amount of identified overpayments from the test audits as a percentage of the contractor expenses for that time period. 45 • For fiscal year 2009, the ROI formula was broadened to capture MIG overpayment identification activities beyond the NMAP. As such, it included the identification and recovery of overpayment amounts through the MIG’s identification of systematic errors in state payment systems and comprehensive state program integrity reviews as a percentage of its fiscal year 2009 funding for the Medicaid Integrity Program. HHS reported a 2009 ROI of 175 percent using this new formula. 46 44 Secretary of Health and Human Services, Annual Report to Congress on the Medicaid Integrity Program, Center for Program Integrity, Centers for Medicare & Medicaid Services, Fiscal Year 2010. (Washington, D.C.: June 2010). 45 Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2010 (Washington, D.C.: May 7, 2009). 46 Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2011 (Washington, D.C.: Feb. 1, 2010). Page 25 GAO-13-50 Medicaid Integrity Program • Although an ROI has not been released for fiscal years 2010 or 2011, HHS has announced that it will calculate the ROI to better reflect the resources invested through the Medicaid Integrity Program and will discontinue reporting an ROI for the NMAP. 47 In several reports to the Congress, CMS has indicated that it was developing a methodology for calculating an ROI based on its activities. The MIG has not published its ROI methodology, but did provide it to us for our review. 48 The methodology incorporates identified overpayments from activities for which the MIG was directly responsible as well as benefits from activities where the MIG provided support and assistance (see table 2). Table 2: MIG’s Strategy to Measure Return on Investment across Activities Amount included in Organization that identifies federal Medicaid Medicaid Integrity Group overpayment/cost Measurement of overpayment/cost Integrity Program ROI activity avoidance avoidance (percentage) National Medicaid Audit MIG and review and audit Identified overpayments from NMAP Final 100 Program contractors Audit Reports Comprehensive reviews MIG Identified overpayments such as payments 100 to excluded providers Medicaid Integrity Institute States Savings projected by state attendees 100 Support and assistance to States Identified overpayments from audits in 20 states which MIG provided staff support, an effort known as “Boots on the Ground” Support and assistance to Department of Justice and Findings and awards from actions in which 20 stakeholders other stakeholders MIG provided technical support, such as fraud prosecutions a State Program Integrity States State identified overpayments 16 Assessment Source: CMS. a The MIG apportions the amount of identified overpayments listed on the SPIA using the percentage of the MIG’s annual budget compared to the total reported spending on state program integrity activities and the MIG budget. 47 Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2013 (Washington, D.C.: Feb. 13, 2012). 48 State program integrity units are required to report on their methodology for calculating ROI as a part of the comprehensive reviews and some describe their methodology in reports to their legislatures. Page 26 GAO-13-50 Medicaid Integrity Program The MIG’s ROI strategy includes a variety of elements, some of which may be difficult to quantify, and others that may be less valid or duplicative of other ROI calculations. For example, although difficult to measure, the MIG is attempting to quantify cost savings realized from states’ participation at the institute so that they can be incorporated into an overall calculation of the ROI for the MIG’s activities. However, it also incorporates a percentage of the identified overpayments reported on the SPIA, which are self-reported and not validated. Given that the MIG’s methodology already includes the benefit from comprehensive reviews and technical assistance to states, its rationale for claiming an additional percentage of states’ own identified overpayments is questionable. Most States Are Not Fully Even though the reporting of aggregated program integrity recoveries has Reporting Recoveries been a longstanding requirement, many states appear to be underreporting aggregate annual recoveries when compared with other data sources, such as their CMS comprehensive program integrity reviews or reports states prepare on the results of their program integrity activities. For example: • One state reported aggregate recoveries of $3 million for federal fiscal years 2009 and 2010—$0 and $3 million—but about $37 million for state fiscal years 2009 and 2010 in its comprehensive review. • Another state reported aggregate recoveries of about $195,000 over 3 years to CMS—$0, $130,000, and $65,000—but about $36 million in its annual report to the governor for 2 of these years. • A third state reported about $6,000 in aggregate recoveries for federal fiscal year 2009 but about $3 million for state fiscal year 2009 in its comprehensive review. Overall from federal fiscal years 2009 through 2011, 15 states reported no fraud, waste, and abuse recoveries in at least 1 fiscal year (see app. II). These results appear questionable given that 5 of the 15 states were among the 20 states with the highest Medicaid expenditures in fiscal year 2010. Additionally, total reported recoveries for all states in fiscal year 2010 represented only about 0.28 percent of state Medicaid expenditures, significantly less than CMS’s estimate that improper payments accounted for about 8 percent of state Medicaid expenditures in fiscal year 2011. Page 27 GAO-13-50 Medicaid Integrity Program In addition, although CMS implemented more detailed state reporting of recovered overpayments beginning in fiscal year 2010, we found that most states were not fully reporting recoveries by the specific type of activity that resulted in the recovery. In fiscal year 2011, the second year of detailed reporting of program integrity recoveries, 36 or more states reported no recoveries for specific state-based activities that generally produce program integrity recoveries, such as state data analysis, provider audits, or MFCU investigations (see fig. 5). Figure 5: Number of States Reporting No Recoveries to CMS for State-Based Data Analysis, Provider Audits, and Medicaid Fraud Control Unit Investigations, Fiscal Years 2010 and 2011 The underreporting of program integrity recoveries occurs despite CMS’s validation efforts. CMS’s financial review protocols specify that quarterly desk reviews must be completed for every state in every quarter, and yearly on-site reviews must be completed for the 20 states with the greatest Medicaid expenditures in the preceding fiscal year. On-site review protocols explicitly instruct the reviewer to verify the reported aggregated amount of fraud, waste, and abuse recoveries, and CMS regional office staff may conduct on-site reviews in additional states as Page 28 GAO-13-50 Medicaid Integrity Program appropriate. CMS staff told us that its financial review protocols encompass hundreds of pages and that reporting of fraud, waste, and abuse recoveries is a small portion of the items they are responsible for validating. They commented that their limited reviews did not allow them to know whether or not fraud, waste, and abuse recoveries were listed elsewhere as a part of the state’s quarterly expenditure reporting because states may report recoveries as an offset to other expenditures or may report them comingled with other credits that are not fraud, waste, or abuse-related. 49 Further, CMS staff offered several explanations for the reporting gaps we identified, including the observation that it is not unusual for states to take several years to come into compliance with new reporting requirements. This delay may reflect the fact that states’ accounting processes may differ from the new instructions and states may need to change their processes or data systems to accommodate the new reporting requirements. CMS officials also said that states may have reported their recoveries as an adjustment that decreased claims from prior quarters. 50 While it is plausible that state accounting systems may differ from the recently implemented federal reporting requirements, states have had a long-standing requirement to report their recoveries of overpayments in the aggregate. Additionally, states report recovered overpayments as a part of their state comprehensive reviews, and some states include the results of their program integrity activities in their Medicaid annual reports. 51 49 According to CMS officials, when such occurrences are identified, they notify the state to make a correction. 50 Again, CMS officials told us that they notify the state to make a correction when such issues are identified. 51 For examples of state annual reports see Florida Agency for Heathcare Administration and Medicaid Fraud Control Unit Department of Legal Affairs, The State’s Efforts to Control Medicaid Fraud and Abuse, 2010-2011 (December 2011), accessed June 29, 2012. Available at http://ahca.myflorida.com/Executive/Inspector_General/index.shtml and Illinois Department of Healthcare and Family Services, Medical Assistance Program Annual Report Fiscal Years 2008, 2009 and 2010 (Apr. 1, 2011). Page 29 GAO-13-50 Medicaid Integrity Program The MIG’s activities to support and oversee state Medicaid program Conclusions integrity efforts are relatively new and have had mixed success. The Medicaid Integrity Institute is widely acclaimed by state officials. However, the MIG has had to make significant changes to NMAP, the use of comprehensive reviews have shortcomings, and the SPIAs are unreliable. In addition, CMS and states’ reporting on the results of their program integrity activities are not transparent and are incomplete. Specifically: • The MIG’s decision to hire separate review and audit contractors was inefficient and contributed to overlap and duplication. For example, both types of contractors were engaged in data analysis and both had to be cognizant of state Medicaid policies, which increased the burden on states. • Although the MIG’s comprehensive reviews yield considerable information about state structural and data-analysis vulnerabilities, there is no apparent connection between the reviews’ findings and the selection of states for NMAP audits. Thus, states with serious program integrity vulnerabilities often had few NMAP audits. • Information that the MIG collects through the SPIAs is unreliable. Even if SPIAs were accurate, their value is unclear because similar and more timely information is collected through other sources, such as the comprehensive reviews. • Computing an ROI for the entire Medicaid Integrity Program that reflects the outcomes from all MIG expenditures is complex because it involves measuring both direct and indirect benefits. To date, CMS has provided a misleading picture of the ROI for NMAP audits and its unpublished methodology incorporates a percentage of identified overpayments reported on the SPIA, which is questionable. • A full accounting of state and NMAP-related recoveries is an important yardstick for measuring the effectiveness of efforts to reduce improper payments. The apparent gaps in state reporting of such recoveries, however, hamper federal efforts to quantify the results of state and federal activities and make it difficult to determine whether states are returning the federal share of recovered overpayments. Given the magnitude of the estimated Medicaid improper payments, federal support and oversight of Medicaid program integrity is important, and it is essential that federal efforts are carried out efficiently without placing an undue burden on states. Page 30 GAO-13-50 Medicaid Integrity Program To strengthen the Medicaid Integrity Program, we are making five Recommendations for recommendations to the CMS Acting Administrator: Executive Action • To eliminate duplication and more efficiently use audit resources, the CMS Acting Administrator should merge the functions of the federal review and audit contractors within a state or geographic region. • To ensure that the MIG’s comprehensive reviews inform its management of NMAP, the CMS Acting Administrator should use the knowledge gained from the comprehensive reviews as a criterion for focusing NMAP resources towards states that have structural or data- analysis vulnerabilities. • To avoid unnecessary duplication overlap with other efforts, as well as the reporting of unverified and inaccurate data, the CMS Acting Administrator should discontinue the annual state program integrity assessments. • To ensure the most effective use of federal Medicaid program integrity funding, the CMS Acting Administrator should reevaluate the agency’s methodology for calculating an ROI for the Medicaid Integrity Program, including reporting separately on the NMAP, and share its methodology with Congress and the states. • To ensure the appropriate tracking of the results of states’ program integrity activities, the CMS Acting Administrator should increase the agency’s efforts to hold states accountable for reliably reporting program integrity recoveries as a part of their quarterly expenditure reporting. We provided a draft of this report to HHS for comment. In its written Agency Comments comments, HHS stated that CMS was currently revising its and Our Evaluation Comprehensive Medicaid Integrity Plan covering fiscal years 2013 through 2017 in order to address the duplication and inefficiencies that we had identified in the Medicaid Integrity Program. According to HHS, the plan will unveil significant changes to improve the efficiency of the agency’s Medicaid integrity activities. In response to our five recommendations, HHS concurred with three recommendations and partially concurred with two others. Review and audit contractor functions. HHS said that it concurred with our recommendation to merge the functions of its review and audit Page 31 GAO-13-50 Medicaid Integrity Program contractors in order to eliminate duplication and use contractor resources more efficiently. The department stated that it was evaluating options for consolidating its contractors’ work within current statutory and procurement requirements. Comprehensive reviews and recovery reporting. HHS also concurred with our recommendations to (1) use the comprehensive program integrity reviews to better inform NMAP, and (2) increase efforts to hold states accountable for reliably reporting program integrity recoveries as part of their quarterly expenditure reporting. With regard to the comprehensive reviews, HHS stated that CMS would work to improve the integration of the knowledge gained from the comprehensive reviews to help identify the states and program areas representing the greatest risks to the Medicaid program, which, in turn, would influence the agency’s national audit strategy. In terms of holding states accountable, the department indicated that it would work through its regional offices to include state recovery reporting in the risk assessment used to select areas for financial management reviews, which validate state reported data. In addition, it will continue to provide the necessary training to states to help facilitate reliable recovery reporting. ROI methodology and reporting. HHS partially concurred with our recommendation to reevaluate the methodology used to calculate an ROI for the Medicaid Integrity Program, including reporting separately on NMAP, and to share its methodology with Congress and the states. HHS indicated that CMS annually reevaluates the methodology and has provided descriptions of the methodology in documents that are, or will soon be, available to the public, such as the fiscal year 2013 annual budget justification for CMS. We found that those descriptions were limited and that the budget justification was less detailed than the ROI methodology that CMS shared with us, which is summarized in table 2 of this report. HHS also noted that CMS’s methodology will become public when our report is published. HHS said that CMS will be reviewing the scope of what should be included in the calculation of ROI for the Medicaid Integrity Program but it did not address our concern that taking an additional percentage of states’ own identified overpayments was questionable. HHS did not concur that an ROI should be reported separately for NMAP because it believes that CMS’s Medicaid program integrity investments interact with one another and NMAP ROI would be a misleading index of the work and impact of the Medicaid Integrity Program. We continue to believe that separately reporting an NMAP ROI is essential to hold CMS accountable for the effective operation of those Page 32 GAO-13-50 Medicaid Integrity Program audits, which constituted about half of CMS’s annual expenditures on the Medicaid Integrity Program. SPIA. HHS partially concurred with our recommendation and said that it would suspend the annual state program integrity assessments while taking steps to address the limitations that we had identified. HHS stated that the triennial comprehensive state program integrity reviews alone may not provide adequate data to inform CMS oversight. Although the department acknowledged the reporting overlap between the SPIA and comprehensive reviews, it stated that CMS was now working to streamline the comprehensive review questionnaires to eliminate duplication. HHS also indicated that CMS’s forthcoming Comprehensive Medicaid Integrity Plan would outline plans to enhance the SPIA by refining the data collection tool, reducing the reporting time lag, and providing for data validation and correction by CMS staff during the triennial comprehensive reviews. We believe that CMS’s efforts to address overlap by eliminating duplicative information collected though the comprehensive reviews does not take into account the considerable resources that states devote to filling out the comprehensive review questionnaires, which CMS officials have the opportunity to discuss and verify during week-long site visits. In contrast, SPIA data are collected through a web-based survey, which is inconsistently completed and viewed as a burden by states. Although CMS believes the annual SPIA data are important to its program integrity mission and plans to reduce the current reporting time lag, it has not clearly articulated how it will or could use this information to inform its oversight. In addition, state recoveries and program integrity expenditures are reported to CMS on a quarterly basis, which would provide a more reliable financial accounting of states’ program integrity activities. As a result, we continue to believe that the SPIA should be permanently, not just temporarily, discontinued. HHS’s comments are reproduced in appendix III. HHS also provided technical comments, which we incorporated as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Acting Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO website at http://www.gao.gov. Page 33 GAO-13-50 Medicaid Integrity Program If you or your staff has any questions about this report, please contact me at (202) 512-7114 or at email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Carolyn L. Yocom Director, Health Care Page 34 GAO-13-50 Medicaid Integrity Program Appendix I: Number of National Medicaid Appendix I: Number of National Medicaid Audit Program Audits Audit Program Audits Table 3: Number of National Medicaid Audit Program Audits by State as of February 2012 Medicaid Statistical State Information System audits Collaborative audits Total Alabama 67 67 Alaska 16 16 Arkansas 104 6 110 California 17 21 38 Colorado 21 21 Connecticut 20 20 Delaware 35 35 District of Columbia 19 19 Florida 35 35 Georgia 28 10 38 Hawaii 5 5 Idaho 12 2 14 Indiana 9 9 Iowa 15 15 Kansas 70 70 Kentucky 9 9 Louisiana 195 195 Maryland 17 5 22 Massachusetts 75 75 Minnesota 6 6 Mississippi 8 10 18 Missouri 1 1 Montana 5 5 Nebraska 26 26 Nevada 23 23 New Jersey 63 5 68 New Mexico 26 26 New York 93 5 98 North Carolina 18 18 North Dakota 1 1 Ohio 34 3 37 Oklahoma 1 1 Oregon 2 2 Pennsylvania 86 86 Page 35 GAO-13-50 Medicaid Integrity Program Appendix I: Number of National Medicaid Audit Program Audits Medicaid Statistical State Information System audits Collaborative audits Total South Carolina 28 28 South Dakota 8 8 Texas 124 34 158 Utah 6 6 Vermont 9 9 Virginia 111 111 Washington 16 11 27 West Virginia 33 33 Wisconsin 44 44 Wyoming 9 9 Grand total 1,550 112 1,662 Source: GAO analysis of CMS data. Page 36 GAO-13-50 Medicaid Integrity Program Appendix II: Recoveries from State Medicaid Appendix II: Recoveries from State Medicaid Program Integrity Activities Program Integrity Activities Table 4: Fraud, Waste, and Abuse Recoveries from State Medicaid Program Integrity Activities, Fiscal Years 2009 through 2011 Fiscal Year State 2009 2010 2011 Alabama $7,575,771 $4,215,561 $9,274,724 Alaska 0 0 0 Arizona 22,891 1,870,637 632,018 Arkansas 1,569,617 1,548,437 1,918,939 California 11,280,386 99,465,305 104,327,782 Colorado 218,625 180 22,168 Connecticut 8,940,819 8,787,546 9,737,835 Delaware 12,679 0 0 District of Columbia 1,323,039 13,469,478 2,239,303 Florida 0 129,789 65,352 Georgia 22,384,808 24,477,927 5,808,151 Hawaii 90,979 816 0 Idaho 1,368,716 810,147 1,057,442 Illinois 0 3,342,569 13,548,145 Indiana 10,512,856 5,265,908 1,919,964 Iowa 64,947 1,761,559 2,931,565 Kansas 1,613 9,909,765 664,779 Kentucky 17,362,774 7,601,953 15,523,861 Louisiana 6,462,291 4,423,355 8,778,553 Maine 0 0 0 Maryland 455,647 0 572,079 Massachusetts 10,914,670 10,527,899 2,649,756 Michigan 1,248,709 0 368,362 Minnesota 7,574,378 2,361,639 1,068,457 Mississippi 4,790,498 15,594,880 2,100,269 Missouri 5,687,808 6,361,228 5,698,735 Montana 256,310 673,212 156,451 Nebraska 319,467 435,881 578,054 Nevada 494,682 104,427 310,901 New Hampshire 244,903 350,048 522,046 New Jersey 2,031,217 1,202,775 10,865,626 New Mexico 554,109 698,303 2,107,263 New York 500,247,430 666,653,864 640,475,184 North Carolina 12,547,969 9,865,891 13,602,193 Page 37 GAO-13-50 Medicaid Integrity Program Appendix II: Recoveries from State Medicaid Program Integrity Activities Fiscal Year State 2009 2010 2011 North Dakota 500 0 0 Ohio 912,840 857,611 765,912 Oklahoma 5,114,226 20,920,971 8,118,075 Oregon 0 0 6,371 Pennsylvania 8,998,928 19,024,320 13,513,771 Rhode Island 0 303,984 38,891 South Carolina 26,795,683 11,407,888 16,910,564 South Dakota 6,423 935,041 0 Tennessee 19,545 506 157,502 Texas 40,083,547 135,572,616 60,914,245 Utah 4,269,364 0 27,521 Vermont 0 0 0 Virginia 3,242,994 2,508,097 5,638,203 Washington 0 105,915 503 West Virginia 1,716 1,716 1,205 Wisconsin 3,609,194 1,452,573 1,111,085 Wyoming 1,535,178 768,078 1,334,446 Source: CMS’s Medicaid Budget & Expenditure System. Page 38 GAO-13-50 Medicaid Integrity Program Appendix III: Comments from the Appendix III: Comments from the Department of Health and Human Services Department of Health and Human Services Page 39 GAO-13-50 Medicaid Integrity Program Appendix III: Comments from the Department of Health and Human Services Page 40 GAO-13-50 Medicaid Integrity Program Appendix III: Comments from the Department of Health and Human Services Page 41 GAO-13-50 Medicaid Integrity Program Appendix III: Comments from the Department of Health and Human Services Page 42 GAO-13-50 Medicaid Integrity Program Appendix IV: GAO Contact and Staff Appendix IV: GAO Contact and Staff Acknowledgments Acknowledgments Carolyn L. Yocom, (202) 512-7114 or firstname.lastname@example.org GAO Contact In addition to the contact named above, key contributors to this report Staff were: Water Ochinko, Assistant Director; Leslie V. Gordon; Drew Long; Acknowledgments and Jasleen Modi. Page 43 GAO-13-50 Medicaid Integrity Program Related GAO Products Related GAO Products National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States. GAO-12-814T. (Washington, D.C.: June 14, 2012). National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States. GAO-12-627. (Washington, D.C.: June 14, 2012). Program Integrity: Further Action Needed to Address Vulnerabilities in Medicaid and Medicare Programs. GAO-12-803T. (Washington, D.C.: June 7, 2012). Medicaid: Federal Oversight of Payments and Program Integrity Needs Improvement. GAO-12-674T. Washington, D.C.: April 25, 2012. Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States. GAO-12-288T. Washington, D.C.: December 7, 2011. Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services. GAO-11-822T. Washington, D.C.: July 12, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. GAO-11-475. Washington, D.C.: June 30, 2011. Improper Payments: Recent Efforts to Address Improper Payments and Remaining Challenges. GAO-11-575T. Washington, D.C.: April 15, 2011. Status of Fiscal Year 2010 Federal Improper Payments Reporting. GAO-11-443R. Washington, D.C.: March 25, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. GAO-11-409T. Washington, D.C.: March 9, 2011. Medicare: Program Remains at High Risk Because of Continuing Management Challenges. GAO-11-430T. Washington, D.C.: March 2, 2011. Page 44 GAO-13-50 Medicaid Integrity Program Related GAO Products Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue. GAO-11-318SP. Washington, D.C.: March 1, 2011. High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February 2011. Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight. GAO-10-143. Washington, D.C.: March 31, 2010. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. GAO-09-1004T. Washington, D.C.: September 30, 2009. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. GAO-09-957. Washington, D.C.: September 9, 2009. Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments. GAO-09-628T. Washington, D.C.: April 22, 2009. Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax System. GAO-08-239T. Washington, D.C.: November 14, 2007. Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax System. GAO-08-17. Washington, D.C.: November 14, 2007. Medicaid Financial Management: Steps Taken to Improve Federal Oversight but Other Actions Needed to Sustain Efforts. GAO-06-705. Washington, D.C.: June 22, 2006. Medicaid Integrity: Implementation of New Program Provides Opportunities for Federal Leadership to Combat Fraud, Waste, and Abuse. GAO-06-578T. Washington, D.C.: March 28, 2006. Medicaid Fraud and Abuse: CMS’s Commitment to Helping States Safeguard Program Dollars Is Limited. GAO-05-855T. Washington, D.C.: June 28, 2005. Page 45 GAO-13-50 Medicaid Integrity Program Related GAO Products Major Management Challenges and Program Risks: Department of Health and Human Services. GAO-03-101. Washington, D.C.: January 2003. (290965) Page 46 GAO-13-50 Medicaid Integrity Program GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (http://www.gao.gov). Each weekday GAO Reports and afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted Testimony products, go to http://www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: http://www.gao.gov/fraudnet/fraudnet.htm E-mail: email@example.com Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, email@example.com, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Medicaid Integrity Program: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency
Published by the Government Accountability Office on 2012-11-13.
Below is a raw (and likely hideous) rendition of the original report. (PDF)