This is the accessible text file for GAO report number GAO-12-351 entitled 'Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers' which was released on April 23, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Chairman, Committee on Finance, U.S. Senate: April 2012: Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers: GAO-12-351: GAO Highlights: Highlights of GAO-12-351, a report to the Chairman, Committee on Finance, U.S. Senate. Why GAO Did This Study: According to the Centers for Medicare & Medicaid Services (CMS)-—the agency within the Department of Health and Human Services (HHS) that administers the Medicare program—-more than 1.5 million health providers and suppliers of medical equipment were enrolled in the Medicare program in 2011, and 30,000 more enroll each month. CMS has established Medicare enrollment standards and procedures intended to ensure that only qualified providers and suppliers can enroll. While most providers and suppliers pose a limited risk to the Medicare program, our previous work found persistent weaknesses in CMS’s Medicare enrollment standards and procedures that increased the risk of enrolling entities intent on defrauding the program. In 2010, the Patient Protection and Affordable Care Act (PPACA) authorized CMS to implement procedures to strengthen the Medicare enrollment process. GAO was asked to review CMS’s Medicare provider enrollment procedures. In this report, GAO describes (1) how CMS and its contractors use provider and supplier enrollment information to prevent improper payments and factors that may affect the usefulness of this information, and (2) the extent to which CMS has implemented new provider and supplier enrollment screening procedures since the enactment of PPACA. To do so, GAO reviewed relevant regulations and documents, and interviewed officials from CMS and a sample of four of the agency’s contractors based on the volume of claims they processed and the status of their contracts with CMS. What GAO Found: Medicare claims are screened against enrollment information, using automated enrollment-related prepayment edits, in an effort to prevent improper payments to ineligible providers and suppliers—such as those that are no longer active in the Medicare program or are not properly licensed to provide the services for which they have submitted claims. Officials with the contractors we interviewed described the use of several types of prepayment edits to ensure that claims data are valid. For example, verification edits are intended to check the provider’s National Provider Identifier (NPI), which indicates whether the claim was submitted by an active provider or supplier. However, factors such as the frequency with which contractors have updated provider and supplier enrollment information and limitations of the data used may affect the timeliness and accuracy of data used to screen claims—in turn limiting the ability of the edits to prevent improper payments from occurring. For example, to update information maintained in the Provider Enrollment, Chain and Ownership System (PECOS)—CMS’s centralized database for Medicare enrollment information— the contractors have relied on a variety of data sources that vary in the frequency with which they are updated and the ease with which the data can be accessed. We have previously reported concerns about the accuracy of the enrollment information in PECOS and recommended CMS increase its oversight of its contractors’ provider and supplier enrollment activities. CMS acknowledged these concerns and indicated that the agency is working to address these issues. Since the enactment of PPACA, CMS has implemented some new provider and supplier enrollment screening procedures and other measures intended to strengthen the existing Medicare enrollment process. New screening procedures include the designation of three different levels of risk of fraud, waste, and abuse, with categories of providers and suppliers assigned to limited, moderate, and high-risk levels—and those in the highest level subject to the most rigorous screening. For example, providers and suppliers in all three risk levels must undergo licensure checks, while those in moderate- and high-risk levels are subject to unannounced site visits. In addition, CMS implemented new application fees for some providers and suppliers. CMS also added two new Medicare contractors, an automated screening contractor and a site visit contractor, to conduct enhanced enrollment screening and site visits. CMS officials said that they expect the new automated screening contractor to identify additional data sources against which to screen, such as financial, tax, and business data sources. CMS’s implementation of some additional enrollment screening procedures is still in progress. For example, by the end of 2012, CMS plans to contract with two Federal Bureau of Investigation-approved contractors to conduct fingerprint-based criminal background checks of high-risk providers and suppliers. In addition, the agency plans to extend the requirement for surety bonds to high-risk providers and suppliers beyond those already required of suppliers of durable medical equipment, orthotics and supplies. A surety bond guarantees that if a provider or supplier does not fulfill its obligation to Medicare, CMS can recover its losses via the surety bond. HHS reviewed a draft of this report and in its written comments noted CMS’s ongoing efforts to improve provider and supplier enrollment procedures. HHS also provided technical comments, which were incorporated as appropriate. View [hyperlink, http://www.gao.gov/products/GAO-12-351]. For more information, contact Kathleen M. King at (202) 512-7114 or kingk@gao.gov. [End of section] Contents: Letter: Background: Claims Are Screened against Enrollment Information to Prevent Improper Payments, but Prevention Depends on Timely and Accurate Information: CMS Has Implemented Some New Enrollment Screening Procedures Since PPACA, While Others Remain in Progress: Concluding Observations: Agency Comments: Appendix I: Comments from the Department of Health and Human Services: Appendix II: GAO Contact and Staff Acknowledgments: Table: Table 1: Categories of Medicare Providers and Suppliers Designated by Risk Level for Enrollment Screening: Figure: Figure 1: Medicare Enrollment and Claims Payment Process Prior to January 2012: Abbreviations: A/B MAC: Medicare Administrative Contractor servicing both Part A and Part B lines of business: CHIP: State Children's Health Insurance Program: CMS: Centers for Medicare & Medicaid Services: CPI: Center for Program Integrity: DME: durable medical equipment: DMEPOS: durable medical equipment, prosthetics, orthotics, and supplies: DME MAC: Durable Medical Equipment Medicare Administrative Contractor: DMF: Death Master File: EDI: Electronic Data Interchange: EPLS: Excluded Parties List System: FBI: Federal Bureau of Investigation: FFS: fee-for-service: HHS: Department of Health and Human Services: HIPAA: Health Insurance Portability and Accountability Act: IRS: Internal Revenue Service: LEIE: List of Excluded Individuals/Entities: NPI: National Provider Identifier: NSC: National Supplier Clearinghouse: OIG: Office of Inspector General: PECOS: Provider Enrollment, Chain and Ownership System: PPACA: Patient Protection and Affordable Care Act: QASP: Quality Assurance Surveillance Plan: SSA: Social Security Administration: [End of section] United States Government Accountability Office: Washington, DC 20548: April 10, 2012: The Honorable Max Baucus: Chairman: Committee on Finance: United States Senate: Dear Mr. Chairman: For more than 20 years, we have designated Medicare as a high-risk program because of serious management challenges due to its size, complexity, and susceptibility to fraud, waste, abuse, and improper payments.[Footnote 1] In 2011, Medicare covered 48.4 million individuals 65 years and older and eligible individuals with disabilities, and total Medicare program expenditures were $565 billion.[Footnote 2] For fiscal year 2011, the Department of Health and Human Services (HHS) estimated the agency made improper payments of nearly $29 billion in the Medicare fee-for-service (FFS) program. [Footnote 3] More than 1.5 million health providers and suppliers of medical equipment were enrolled in the Medicare program in 2011, according to the Centers for Medicare & Medicaid Services (CMS)--the agency within HHS that administers the Medicare program--and 30,000 more enroll each month. CMS has established Medicare enrollment standards and procedures intended to ensure that only qualified providers and suppliers can enroll in the Medicare program.[Footnote 4] For example, standards for suppliers of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) include proper licensure and a physical facility on an appropriate site that is accessible to beneficiaries and CMS. This information must be verified prior to enrollment.[Footnote 5] Screening at the time of enrollment is a crucial step to reduce the risk of enrolling providers intent on defrauding or abusing the program. According to CMS, the majority of providers and suppliers enrolling in Medicare are legitimate and pose a limited risk to the Medicare program. However, our previous work found persistent weaknesses in CMS's Medicare enrollment standards and procedures that increased the risk of enrolling entities intent on defrauding the Medicare program. For example, we found that the Medicare enrollment process for home health agencies did not routinely include verification of the criminal background of applicants, and without this information individuals and businesses that misrepresent their criminal backgrounds could be allowed to enroll in the Medicare program.[Footnote 6] We also conducted covert testing and found that DMEPOS suppliers were enrolled who did not meet Medicare's standards or were not legitimate businesses.[Footnote 7] We recommended stricter scrutiny of the enrollment processes for home health agencies and DMEPOS suppliers due to the higher incidence of improper payments among these providers. We also recommended strengthening Medicare enrollment standards and procedures as a key strategy for reducing fraud, waste, abuse, and improper payments in Medicare. In 2010, the Congress passed the Patient Protection and Affordable Care Act (PPACA), which included provisions that will expand health insurance coverage to millions of individuals, and provided CMS with increased authority to combat fraud, waste, and abuse in Medicare. [Footnote 8] Certain of these provisions are designed to strengthen Medicare's provider enrollment standards and procedures. For example, PPACA requires HHS to designate a level of screening according to the assessed risk of fraud, waste, and abuse with respect to the category of provider or supplier. At a minimum, PPACA requires all providers and suppliers to be subject to licensure checks, which may include checks in multiple states. PPACA gives CMS the authority to require additional screening procedures, such as criminal background checks, depending on the type of risk presented by the type of provider or supplier.[Footnote 9] CMS oversees a network of contractors that implement and monitor the Medicare program. Among these contractors are the Medicare Administrative Contractors (A/B MAC) that enroll and pay providers and suppliers, except for DMEPOS suppliers, for the services they provide to Medicare beneficiaries for Medicare Part A and Part B, the National Supplier Clearinghouse (NSC) that manages DMEPOS supplier enrollment, and the Durable Medical Equipment Medicare Administrative Contractors (DME MAC) that pay claims for DMEPOS items.[Footnote 10] The A/B MACs also educate their enrolled providers and suppliers on CMS policies and procedures, provide information to beneficiaries, and undertake efforts to detect and prevent fraud and abuse. The NSC serves as the centralized contractor for the enrollment process and site visits for DMEPOS suppliers. In 2011, CMS awarded contracts to two new contractors--an automated screening and a national site visit contractor--to perform aspects of the provider and supplier enrollment screening process, including various screening activities and site visits beginning in 2012. Effective implementation by CMS of PPACA's provider and supplier enrollment provisions, through these and other contractors, is expected to aid CMS in its efforts to ensure that it only enrolls and pays providers and suppliers that meet Medicare's enrollment standards. You asked us to examine how CMS uses enrollment information to prevent payment of improper or potentially fraudulent Medicare claims and to assess changes to CMS's Medicare provider enrollment procedures since the passage of PPACA. This report addresses (1) how CMS and its contractors use provider and supplier information to prevent improper payments and factors that may affect the usefulness of the enrollment information, and (2) the extent to which CMS has implemented new provider and supplier enrollment screening procedures since enactment of PPACA. To assess how CMS and its contractors use provider and supplier enrollment information to prevent improper payments and factors that may affect the usefulness of the information, we obtained and reviewed: claims processing documents, including CMS procedural manuals and directives; claims processing schematics; and the criteria used to develop and implement prepayment edits that use enrollment information to ensure claims are only paid to providers and suppliers that are eligible to bill Medicare.[Footnote 11] We examined the role of the data in the Provider Enrollment, Chain and Ownership System (PECOS)--CMS's centralized database for Medicare enrollment information--in the Medicare claims payment process. In addition, we reviewed our past reports and those issued by the HHS Office of Inspector General (HHS OIG) that discussed the accuracy of PECOS data. [Footnote 12] We interviewed CMS officials and a total of four A/B and DME MACs on how they use provider and supplier enrollment information to prevent improper payments. We interviewed A/B MACs whose workloads were fully implemented by 2010 and whose contracts were not being recompeted during the course of our work.[Footnote 13] In addition, we assessed A/B MAC claims processing workloads in order to select A/B MACs that had the largest percentages of the national workload. Our sample selection strategy resulted in two A/B MACs and two DME MACs. To assess the extent to which CMS has implemented new provider and supplier enrollment screening procedures since the enactment of PPACA, we reviewed agency documents, including the Proposed and Final Rule that implemented PPACA's provider screening and other enrollment provisions, documents that described how PPACA-related enrollment processes compared to previous CMS enrollment procedures, and documents describing new processes that were not yet fully implemented.[Footnote 14] We limited our review to only those PPACA provisions that establish provider and supplier enrollment conditions that must be met before enrollment in Medicare. We also interviewed CMS officials about provider and supplier enrollment screening procedures that were developed and implemented as a result of these PPACA provisions. In addition, we conducted interviews with the two A/B MACs to learn about their experiences implementing new enrollment procedures authorized by PPACA. We also interviewed NSC officials responsible for enrolling Medicare DMEPOS suppliers. We conducted this performance audit from July 2011 to February 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Medicare comprises 12 percent of the federal budget and is the third largest federal program after defense and Social Security. For fiscal year 2011, HHS reported an estimate of almost $29 billion in Medicare FFS improper payments. Our Standards for Internal Control in the Federal Government suggests that agencies should continually perform monitoring activities to reduce the incidence of improper payments. [Footnote 15] However, our prior reports found weaknesses in CMS's monitoring of Medicare provider and supplier enrollment and claims payment contractors.[Footnote 16] Partly in response to our work, CMS took steps to implement new DMEPOS supplier quality standards in an accreditation rule issued in August 2006 and proposed additional DMEPOS supplier enrollment standards in January 2008. To further address these concerns and create a focal point for all Medicare program integrity activities, in 2010, CMS established a Center for Program Integrity (CPI).[Footnote 17] CPI, in collaboration with other components within CMS, develops and implements the agency's Medicare program integrity mission and goals. Among these goals is a reduction in instances of fraud, waste, and abuse, as well as strategies to ensure program vulnerabilities are identified and resolved. According to CMS, the agency is pursuing an aggressive program integrity strategy to prevent payment of potentially fraudulent claims, rather than to recover funds from providers and suppliers after payment has already been made. Because identifying and prosecuting providers and suppliers engaged in potentially fraudulent activity is time consuming, resource intensive, and costly, CMS has designed measures intended to prevent enrollment by entities that might attempt to defraud or abuse the Medicare program. For example, the agency requires that applicants use a unique 10 digit National Provider Identifier (NPI) number and affirm that they are not excluded from participating in another federal health program. DMEPOS suppliers must also undergo pre-enrollment site visits. In addition, the agency requires enrollment information to be entered into PECOS, a single, centralized, provider and supplier enrollment database that assists with data sharing across the contractors' different geographic coverage areas. In addition, CMS has historically required the A/B MACs and the NSC to conduct activities, such as monthly reviews of state licensing board actions, to determine if individual providers continue to meet state licensing requirements and to conduct periodic checks to determine if entities continue to meet federal and state requirements for their respective provider or supplier type. With the implementation of the automated screening contract, these checks will be automated and conducted on a continuous basis, according to CMS. Medicare Contractors: Since the Medicare program was created in 1965, it has been administered through a network of private contractors. CMS uses these contractors to conduct claims administration activities, to implement provider outreach and education, and to answer beneficiary inquiries through the 1-800-Medicare help line. Contractors also perform program integrity activities such as auditing providers and suppliers, reviewing claims for medical necessity, and conducting investigations of potential fraud, waste, and abuse. Central to program operations are the A/B MACs that manage Medicare provider and supplier enrollment, except for DMEPOS suppliers, and pay and review the claims submitted in their jurisdictions. In 2011, A/B MACs managed more than 1.5 million Medicare providers and suppliers. The previous year, A/B and DME MACs paid approximately 4.5 million claims each work day on behalf of CMS. Additionally, CMS contracts with the NSC to centralize the enrollment process and site visits for DMEPOS suppliers. In 2010, Medicare spent about $8.1 billion on DMEPOS supplies. In 2011, CMS added two new Medicare contractors to centralize and standardize the provider and supplier enrollment screening process. Medicare Enrollment Process: To become eligible to bill for services or supplies provided to Medicare beneficiaries, providers and suppliers must apply to the program.[Footnote 18] Entities applying to the Medicare program may complete an online enrollment form using PECOS or submit a paper application that is manually entered into PECOS by the A/B MACs or the NSC. Enrolling providers and suppliers submit identifying information such as their name, address, specialty area, and information about applicable licensure and accreditation.[Footnote 19] After the enrollment data are entered into PECOS, the A/B MACs and the NSC handle different aspects of the application process. The A/B MACs process all provider and supplier applications except for those for DMEPOS suppliers and the NSC processes all enrollment applications from DMEPOS suppliers nationally. Provider and supplier applications in PECOS are confirmed by the A/B MAC overseeing the jurisdiction where the services will be provided and by the NSC for DMEPOS suppliers. Contracts awarded in 2011 to new automated screening and site visit contractors altered this structure. CMS's new provider screening contractor will automate many of the required enrollment checks that the A/B MACs and the NSC have done manually and will allow CMS to monitor all providers and suppliers on a continuous basis to help ensure they continue to meet Medicare enrollment requirements. These contractors assumed some functions from the A/B MACS and the NSC in early 2012. Prior to CMS's automated screening contractor assuming these responsibilities, the A/B MACs and the NSC confirmed the provider and supplier enrollment information by checking various data sources such as the Social Security Administration (SSA) to verify an individual's Social Security number, the National Plan and Provider Enumeration System to verify the provider's NPI, and state licensing boards to determine if the provider is appropriately licensed to furnish medical services within a given state. CMS also required the A/B MACs and the NSC to check additional data sources including the HHS OIG's List of Excluded Individuals/Entities[Footnote 20] (LEIE) and the General Service Administration's Excluded Parties List System[Footnote 21] (EPLS). Starting March 25, 2011, CMS required the A/B MACs to conduct site visits for categories of providers and suppliers designated as moderate and high risk. The NSC will continue to conduct site visits related to enrollment of DMEPOS suppliers. In addition, due to long- standing concerns about high rates of fraud, waste, and abuse by DMEPOS suppliers, they have been subject to additional enrollment requirements.[Footnote 22] For example, DMEPOS suppliers must meet additional quality standards before they can be enrolled in Medicare, including proper accreditation, the successful completion of a site visit inspection, and posting of a $50,000 surety bond.[Footnote 23] Claims Processing and Enrollment-Related Prepayment Edits: CMS oversees contractors that manage the three major computer systems used to process Medicare Part A, Part B, and DMEPOS claims. Together, these computer systems are referred to as the "shared systems," because claims from all the A/B MACs and DME MACs are processed by these systems. CMS refers to the contractors that manage these systems as the "shared systems maintainers."[Footnote 24] Provider and supplier enrollment information in PECOS is downloaded to the shared systems in provider files that are used in claims processing.[Footnote 25] Information in the provider files is intended to ensure that providers and suppliers are eligible to receive payment for the services for which they have submitted claims. Although multiple contractors are involved in the claims payment process, the A/B and DME MACs are ultimately responsible for timely and accurate processing and payment of provider and supplier claims. For the relationship between the various contractors prior to January 2012 see figure 1. Figure 1: Medicare Enrollment and Claims Payment Process Prior to January 2012: [Refer to PDF for image: illustration] 2011 Medicare enrollment: PECOS: Provider or supplier[A] submits application; DMEPOS supplier[B] submits application; A/B MACs; National Supplier Clearinghouse. These contractors use PECOS data to: * Review applications and follow up if necessary; * Conduct site visits; * Confirm payment of application fee; * Approve initial enrollment; * Update data periodically; * Revalidate enrollment. PECOS data are downloaded nightly to shared systems. DMEPOS are Durable Medical Equipment, Prosthetics, Orthotics, and Supplies. PECOS is the Provider Enrollment Chain and Ownership System. NB MACs are Medicare Administrative Contractors for Medicare Parts A and B Medicare Part A covers hospital and other inpatient stays. Medicare Part B covers hospital outpatient, physician, and other services. DME MACs are Durable Medical Equipment Medicare Administrative Contractors. 2011 Medicare claims payment: Shared Systems: Part A claims; Part B claims; DMEPOS claims. Provider or supplier submits claim (Electronic Data Interchange); DMEPOS supplier submits claim (Electronic Data Interchange). These contractors use PECOS data to determine eligibility for claim payment. A/B MACs: Provider's or supplier's claim is paid or not paid. DME MACs: DMEPOS supplier's claim is paid or not paid. Source: GAO analysis of CMS data. [A] Providers and suppliers include institutional providers such as hospitals and health care facilities, as well as physicians and nonphysician practitioners, who provide health care services to Medicare beneficiaries as well as certain Part B entities such as ambulance service providers, mammography centers, and portable X-ray facilities. The A/B MACS do not manage enrollment or claims processing for DMEPOS. [B] DMEPOS suppliers include organizations that supply Medicare beneficiaries with durable medical equipment such as walkers and wheelchairs. [End of figure] Providers and suppliers submit most claims to Medicare electronically. Upon electronic submission, claims first pass through an Electronic Data Interchange (EDI) process that makes sure the claims are formatted using the nationally established standards to exchange electronic information between business entities.[Footnote 26] In the EDI process, the claim is subject to automated prepayment controls called "edits." Here, front end edits screen the claim for formatting errors or missing data. For example, a front end edit checks the claim to ensure that it contains the required 10 digit NPI but would not check the validity of the NPI. Medicare contractors reported that Medicare Parts A and B and DMEPOS claims that do not pass front end edits are considered unprocessable and are returned by the contractors to the appropriate provider or supplier, which may then correct the error(s) and resubmit the claim. If a Medicare claim is in the correct electronic format and passes the front end edits, it is then sent for further processing in the shared systems. There, the claim is subject to a series of prepayment edits that can prevent payment of an incomplete or incorrect claim and may reduce improper payments and help minimize the extent to which the program is vulnerable to fraud, waste, and abuse. Prepayment edits include provider enrollment-related edits and subsequent edits that screen Medicare claims against other criteria, such as medical necessity. Enrollment-related prepayment edits can be implemented on either the national or local level. The national enrollment-related prepayment edits are CMS-directed edits that are "hard coded" into the shared systems by the systems maintainers. National edits are updated quarterly and are standard across all A/B or DME MACs. In contrast, local prepayment edits are created and managed by the individual A/B or DME MACs. They may develop local enrollment-related prepayment edits based on differences in state law that determine the scope of a provider's or supplier's practice. CMS may also direct the A/B and DME MACs to develop local edits because they can be implemented on a more flexible schedule than CMS's quarterly updates to national edits. Claims Are Screened against Enrollment Information to Prevent Improper Payments, but Prevention Depends on Timely and Accurate Information: Medicare claims are screened during the payment process by a series of enrollment-related prepayment edits that check claims against provider and supplier information maintained in PECOS. Such edits are designed to prevent payments to providers and suppliers that the data indicate are ineligible to receive Medicare payment. While prepayment edits are in place to prevent improper payments, factors such as frequency of information updates and the limitations of the data used to update information in PECOS may affect the timeliness and accuracy of provider and supplier information. In turn, this may limit the extent to which enrollment-related edits prevent payments to ineligible providers and suppliers. Enrollment-Related Prepayment Edits Are Designed to Prevent Payments to Ineligible Providers and Suppliers: Enrollment-related prepayment edits are designed to prevent payments to ineligible providers and suppliers--such as those that are no longer active in the Medicare program or that are not properly credentialed or licensed to provide the services for which they have submitted claims. Ineligible providers and suppliers may be enrolled in Medicare despite CMS's and its contractors' enrollment screening efforts. Officials with the A/B and DME MACs we interviewed described the application of prepayment edits to claims as a cascading series of checks that occurs progressively as the claim moves through the process according to the edits' "if/then" logic. For example, a certain edit will compare the NPI contained in a provider's file with the date of service contained in the claim, and if the NPI was active on the date of service, then the claim would move to the next stage of processing. The two types of enrollment-related prepayment edits are provider and supplier verification edits and specialty edits. * Provider and supplier verification prepayment edits: Medicare claims are subject to edits that verify basic provider and supplier enrollment information. These enrollment-related verification edits screen the claim's data to ensure that the provider or supplier is eligible for payment. For example, such edits verify the validity of the entity's NPI, which indicates whether the claim was submitted by an active provider or supplier. Verification edits at this stage of claims processing also screen claims to ensure that the provider's or supplier's enrollment date is before the claim's date of service, thus indicating that they were an active provider or supplier on that date and therefore generally eligible for payment. A/B and DME MAC officials reported that claims failing these enrollment verification prepayment edits are not paid. Information on a denied claim due to provider or supplier ineligibility, including reason codes that explain the reason(s) for which the claim was not paid, is sent to the provider or supplier. These codes include reasons such as "the provider must update license information with the payer" and "invalid provider identifier." One DME MAC estimated that the number of claims denied due to the claim's date of service occurring outside of a DMEPOS supplier's "effective dates" for billing eligibility was only about 36,000 claims out of a total of about 50 million claims per year. * Specialty prepayment edits: Enrollment-related specialty prepayment edits screen for provider-or item-specific information about providers or suppliers, such as their eligibility to bill for certain services that can only be provided by a certain provider type or specialty. For example, limited license providers such as chiropractors can only be paid for a limited number of allowable billing codes determined by CMS. Specialty edits screen claims to ensure that the claim contains these allowable codes. DME MAC officials told us that edits at this stage would also ensure, for example, that a podiatrist is only paid for podiatry services and not ophthalmology services.[Footnote 27] Verification and specialty enrollment-related prepayment edits may be implemented as either national or local edits. According to one A/B MAC we spoke with, because there is little differentiation among Part A providers most enrollment-related prepayment edits for these providers are implemented as national edits, which are programmed into the shared systems. A/B MAC officials reported that additional enrollment-related local edits are more likely to be implemented for Part B provider claims due to differences among states regarding reimbursement for certain services and provider types. These Part B specialty edits are implemented as local edits by the A/B MAC responsible for that state. Regarding DME claims, one contractor we spoke with reported that CMS more frequently standardizes the DME claims payment process. This assures uniform coverage decisions across all DME MACs. DME MAC officials reported that DME specialty edits include those applied to oxygen, pharmacy, prosthetics, and orthotics claims. For example, DME MAC officials told us that the edits applied to oxygen claims ensure that only suppliers who have the required valid license to provide oxygen services receive payment. All three types of claims--Part A, Part B, and DME--that fail prepayment edits, whether at the national or local level, are denied and returned to the provider or supplier with a reason code that explains why the claim was not paid. For example, it may indicate "this provider type/provider specialty may not bill this service." While prepayment edits are implemented to reduce the likelihood of improper payments due to provider or supplier ineligibility, the effectiveness of specific enrollment-related edits is not assessed by the A/B or DME MACs or CMS. A/B MAC officials reported that they generally do not need to analyze data on claims that are not paid because a prepayment edit indicates the provider or supplier is ineligible to bill for services. Thus, these contractors do not report on which of the prepayment edits prevented the improper payment. A/B MAC officials explained that each enrollment-related prepayment edit is developed to perform a specific function and therefore they do not rank edits in order of their effectiveness in preventing improper payments. Additionally, they told us that they do not submit reports to CMS that identify which enrollment-related prepayment edits are most effective. CMS requires A/B MACs to submit quarterly supplements to monthly workload reports that provide the agency with information on the number of denied claims and reasons for denials, but this information is used to identify problem areas for resolution, measure trends in denial rates, and monitor fraud and abuse workloads. Although officials from one A/B and two DME MACs told us that they may generate reports on claim activity, these data generally are used for internal workload planning purposes or as the basis for provider education on proper coding, not to determine the effectiveness of certain categories of edits.[Footnote 28] Edits Depend on Timely and Accurate Information in PECOS: The ability of enrollment-related edits to prevent improper payments depends on the timeliness and accuracy of provider and supplier enrollment information contained in PECOS. In turn, the timeliness and accuracy of information in PECOS--which is downloaded as provider files into the shared systems each night--is affected by factors such as the frequency with which contractors update this information and limitations of the sources of the information used. A/B MACs and the NSC are responsible for updating PECOS when conducting initial and revalidation enrollment for providers and suppliers.[Footnote 29] However, A/B MACs and the NSC were not able to confirm the status, such as licensure, of every provider or supplier in PECOS on a daily basis. Instead, certain aspects of provider and supplier status have been checked less frequently. For example, A/B MACs were required to conduct monthly reviews of provider licensure status and an A/B MAC official told us that they searched individual state websites for this information. A/B MACs and NSC also have relied on a variety of data sources such as state licensure boards, the HHS OIG's exclusions list, and SSA's Death Master File (DMF) to update provider and supplier information in PECOS. These sources vary in the ease with which A/B MACs and the NSC have been able to access their data and the frequency with which they are updated. For example, CMS officials reported that the A/B MACs had to manually access state data sources to update licensure status. In addition, contractors we spoke with said SSA releases updates to its DMF monthly and therefore there is an interval between a provider's death and when that information can be updated in PECOS. As a result, payments may still be made for claims submitted under a deceased provider's NPI for medical services allegedly provided after the provider's death. One A/B MAC official said that PECOS must first be updated to reflect the provider's status and this information in turn must be downloaded into the shared systems in a timely manner to prevent an improper payment from being made. This is because, while enrollment-related prepayment edits can identify and deny invalid claims, the edits use the existing provider and supplier information to do so. Thus, if the PECOS provider and supplier information is not current or is inaccurate, the edits will be ineffective in preventing improper payments. We have previously reported concerns about the accuracy of the provider and supplier enrollment information in PECOS and CMS's oversight of A/B MACs' provider and supplier enrollment activities. CMS has acknowledged these concerns and indicated that the agency is working to address these issues. For example, we recently reported that incomplete or conflicting provider contact information in PECOS limited CMS from using its own data to operate its Physician Feedback Program.[Footnote 30] Furthermore, in 2010 we reported that A/B MACs had difficulty recognizing when nursing home provider information in PECOS was incomplete or inaccurate and CMS oversight of A/B MACs in this regard was limited.[Footnote 31] In that same report, we found that although CMS conducted desk reviews and onsite audits from years 2000 through 2009 to review contractors' management of nursing home providers' enrollment functions, these audits were limited. In addition, beyond these audits, CMS did not conduct checks on the PECOS database for internal consistency. According to a CMS official, this limited oversight was due to a lack of resources and competing priorities within the agency. As a result of these findings, we recommended that CMS more closely monitor the activities of A/B MACs' provider and supplier enrollment activities to help ensure the accuracy and completeness of PECOS data. CMS concurred with this recommendation and recently reported that the agency is evaluating the criteria it uses to assess A/B MACs' performance as it relates to the timeliness and accuracy of processing Medicare enrollment applications.[Footnote 32] Further, the agency reported that it plans to evaluate the completeness and accuracy of provider and supplier enrollment data as part of reviews of the contractors' enrollment operations. Given that these activities have not been implemented, we could not determine their effect on the completeness and accuracy of PECOS data used to process claims or whether improper payments result from inaccurate information in the provider files. CMS Has Implemented Some New Enrollment Screening Procedures Since PPACA, While Others Remain in Progress: Since the enactment of PPACA, CMS has implemented new provider and supplier enrollment screening procedures and has also implemented other measures intended to strengthen existing procedures. However, the implementation of some additional enrollment screening procedures by CMS is still in progress. CMS Implemented Some New Screening Procedures and Added Measures Intended to Strengthen Other Existing Procedures: Since the enactment of PPACA, CMS has implemented some new provider and supplier enrollment screening procedures, and put in place other measures intended to strengthen existing procedures.[Footnote 33] New screening procedures that define conditions for provider and supplier enrollment in Medicare include CMS's determination of different levels of screening according to the risk of fraud, waste, and abuse with respect to categories of providers or suppliers, and a new application fee for some types of providers. CMS also published a regulation consistent with its existing practice, requiring providers and suppliers to include their NPI on all enrollment applications and claims, and added two new Medicare contractors--an automated screening contractor and a site visit contractor--that are intended to conduct enhanced enrollment screening and site visits. Provider and Supplier Risk Levels: To strengthen the screening activities already conducted by CMS's contractors, PPACA required that the level of screening applied to each category of provider and supplier be based on their assessed risk of fraud, waste, and abuse and that screening procedures for Medicare providers and suppliers be explicitly established. On February 2, 2011, CMS published a Final Rule to implement these new screening procedures. The Final Rule requires, among other things, that the A/B MACs and the NSC conduct enrollment screening based on categories of providers and suppliers and levels of risk.[Footnote 34] CMS assigned these new risk levels--limited, moderate, and high--to categories of providers and suppliers based on determinations of which categories were at a greater risk for fraud, waste, and abuse. (See table 1.) A/B MACs and the NSC designate the appropriate screening level in PECOS for each enrolling provider and supplier upon submission of an application. Screening levels are designated based upon CMS guidance. As of October 2011, A/B MACs and the NSC had entered the screening level information in PECOS for all providers and suppliers that submitted an application. CMS stated that it assigned these categories of provider and supplier risk levels based on the agency's experience with claims data used to identify potentially fraudulent billing practices, as well as on the expertise of its contractors charged with investigating and identifying instances of Medicare fraud across providers and suppliers. The agency also based these risk levels on prior findings in reports by GAO and HHS OIG. In addition, CMS will adjust the screening level of an individual provider or supplier from ''limited'' or ''moderate'' to ''high'' based on other factors, such as whether the provider or supplier has had its Medicare billing privileges revoked, has been terminated or is otherwise precluded from billing Medicaid, or has been subject to any final adverse action within the past 10 years such as license revocation or suspension, or certain felony convictions. Table 1: Categories of Medicare Providers and Suppliers Designated by Risk Level for Enrollment Screening: Risk level: Limited; Categories of Medicare providers and suppliers: Physician or nonphysician practitioners and medical groups or clinics, with the exception of physical therapists and physical therapy groups. Ambulatory surgical centers, competitive acquisition programs/Part B vendors, end-stage renal disease facilities, federally qualified health centers, histocompatibility laboratories,[A] hospitals, including critical access hospitals, Indian Health Service facilities, mammography screening centers, mass immunization roster billers,[B] organ procurement organizations, pharmacies newly enrolling or revalidating, radiation therapy centers, religious nonmedical health care institutions, rural health clinics, and skilled nursing facilities. Risk level: Moderate; Categories of Medicare providers and suppliers: Ambulance suppliers, community mental health centers, comprehensive outpatient rehabilitation facilities, hospice organizations, independent diagnostic testing facilities, independent clinical laboratories, physical therapy including physical therapy groups, portable X-ray suppliers, and currently enrolled (revalidating) home health agencies. Risk level: High; Categories of Medicare providers and suppliers: Prospective (newly enrolling) home health agencies and prospective (newly enrolling) suppliers of durable medical equipment, prosthetics, orthotics, and supplies. Source: GAO analysis of CMS Final Rule with Comment Period, Medicare, Medicaid, and Children's Health Insurance Programs: Additional Screening Requirements, Applications Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). [A] The responsibility of the histocompatibility laboratory is to provide an evaluation of certain genetic data and pertinent patient immunologic risk factors that will allow the clinician and patient to decide which approaches to transplantation are in the patient's best interest. [B] Mass immunization roster billers are providers and suppliers who enroll in the Medicare program to offer the influenza (flu) vaccinations to a large number of individuals, and they must be properly licensed in the states in which they plan to operate influenza clinics. [End of table] Based on these new risk levels, providers and suppliers are subject to different screening procedures, with those in the high-risk level subject to the most rigorous screening. While PPACA requires that all categories of providers and suppliers be subject to licensure checks, it gave CMS discretion to establish a risk-based application of other screening procedures. CMS determined that providers and suppliers in all categories also must continue to undergo existing enrollment checks using various data sources to verify certain information such as Social Security number, NPI, HHS OIG exclusion, and taxpayer identification number.[Footnote 35] According to CMS's new risk-based screening, moderate-and high-risk providers and suppliers additionally must undergo unscheduled or unannounced site visits, while high-risk providers and suppliers also will be subject to fingerprint-based criminal background checks.[Footnote 36] Application Fee: PPACA required HHS, for the first time, to impose an application fee on each institutional provider and on suppliers. In response, effective March 25, 2011, CMS, in its Final Rule, required all institutional providers and suppliers enrolling in Medicare, adding a practice location, or revalidating their enrollment to pay a $505 application fee.[Footnote 37] PPACA specifies that amounts collected as the result of the application fee shall be used for program integrity efforts, including to cover the cost of enrollment screening and to carry out other screening.[Footnote 38] However, PPACA permits CMS to grant a hardship exception for institutional providers and suppliers on a case-by-case basis if the agency determines that the imposition of the application fee would cause a hardship.[Footnote 39] According to CMS officials, an institutional provider or supplier working with underserved populations or engaged in extensive charity work would be a possible candidate for a hardship exception. CMS has instructed its contractors in guidance on March 23, 2011, not to process any Medicare enrollment applications without the proper application fee having been paid or a hardship exception approved. [Footnote 40] CMS transmits information about application fee payments by institutional providers and suppliers--which are made through an electronic payment system--to the A/B MACS or the NSC via PECOS. [Footnote 41] NPI Regulation: PPACA required HHS to promulgate a regulation for the inclusion of an NPI on all Medicare applications and claims by all providers and suppliers that qualify for an NPI--a practice that was already in effect.[Footnote 42] The regulation was published as an interim Final Rule on May 5, 2010, and was effective July 6, 2010.[Footnote 43] Prior to the PPACA requirement for a specific regulation, CMS had required contractors to confirm that providers and suppliers included their NPI on Medicare enrollment applications and claims. Since 2006, the agency has required that enrollment applications include an NPI and since 2008 providers and suppliers have been required to report their NPI on Medicare claims.[Footnote 44] New Screening and Site Visit Contractors: In a further effort to strengthen its enrollment processes, at the end of 2011, CMS contracted with an automated screening contractor to assume screening responsibilities from the A/B MACs and the NSC, and a site visit contractor to assume site visit responsibilities from the A/B MACs. CMS awarded a contract in September 2011 to an automated screening contractor that began screening new Medicare enrollments for all providers and suppliers, on December 31, 2011. Additionally, CMS officials said that the screening contractor was setting up baseline data and will assume the screening function for the A/B MACs and the NSC by the end of March 2012. The screening contractor will screen all providers and suppliers including DMEPOS suppliers. The automated screening contractor is responsible for electronically screening applicant information against various data sources used for enrollment to determine that the provider or supplier meets Medicare eligibility criteria such as valid licensure, accreditation, and a valid NPI, and is not on exclusion lists, such as the HHS OIG list of providers and suppliers excluded from participating in federally funded health care programs. This screening process results in a report to the A/B MACs and NSC that indicates the screening components that the applicant passed and also screening components flagged for additional review. The A/B MACs and NSC, which remain responsible for enrollment and revalidation, obtain documentation from the provider or supplier on any flagged information that requires additional review to determine if the applicant meets Medicare enrollment or revalidation requirements. In addition to conducting screening at enrollment and revalidation, the automated screening contractor conducts checks of certain screening information on an ongoing basis. For example, the automated screening contractor is responsible for validating licensure status at least weekly. Previously, A/B MACs and the NSC were responsible for manually reviewing state-provided licensure information monthly to determine if any enrolled Medicare providers' or suppliers' licenses had been revoked, suspended, or otherwise inactivated in the last 60 days. CMS officials said that the automated screening contractor is developing an individual risk score for each provider or supplier. This individual risk score is similar to a credit risk score. The contractor's risk scores may be used eventually as additional risk criteria that determine screening activities for providers and suppliers. CMS officials said the new automated screening contractor provides a centralized point for Medicare enrollment screening and allows for a national view of provider and supplier information, rather than the more limited regional view that the A/B MACs provided previously. For example, the automated screening contractor has been able to access information about providers and suppliers who operate across geographic regions. In addition, CMS officials said that the agency has taken a centralized approach to automated screening of enrollment data because of weaknesses observed in enrollment screening efforts, which were due generally to the large number of providers and suppliers for which the A/B MACs and the NSC had to manually screen applications and the lack of efficient access to data sources containing enrollment information. According to CMS officials, they expect the new automated screening contractor to improve the integrity of the enrollment and revalidation processes by automating the data checks and integrating new data sources. For example, CMS has directed the automated screening contractor to identify additional data sources for screening checks, such as financial, tax and business, and geospatial data sources. Additionally, in December 2011, CMS contracted with a site visit contractor to perform nationwide physical site visits for all providers and suppliers, except DMEPOS suppliers, in the moderate-and high-risk screening categories in all states and six U.S. territories. The site visit contractor began conducting site visits and making site visit reports available electronically through a portal accessible to CMS and its other contractors in February 2012. These site visits previously were performed by the A/B MACs. The A/B MACs will order any required on-site visits through the site visit contractor, which will schedule and conduct them and provide the results to the appropriate A/B MAC. However, the NSC will continue to conduct site visits related to provider enrollment of DMEPOS suppliers.[Footnote 45] CMS requires two types of site visits: routine and rapid response. According to CMS, routine site visits involve a physical location verification and collection of required data elements using predefined checklists. Rapid response site visits are triggered by an alert of possible fraudulent activity, and may require the same elements as a routine site visit but with rapid reporting and response due to the alert. Except for DMEPOS suppliers, the national site visit contractor collects site visit information at the physical provider or supplier site using defined questionnaires and gathers photographic evidence for transmission to CMS. The data elements required during routine and rapid response site visits include validation of the physical location of the provider or supplier, including capturing global positioning system coordinates of the site, photographs of the door of the provider or supplier office, and signage of the office. The contractor is required to conduct site visits and deliver completed site visit reports within a specified time period. Depending on the request from CMS or an A/B MAC, the contractor will make site visits within 30, 15, or 7 days, for routine visits, or within 36 hours for rapid response visits. CMS estimated that in the first year of the contract, the site visit contractor would conduct nearly 60,000 site visits within 30 days, almost 5,000 site visits within 15 days, almost 1,000 site visits within 7 days, and about 30 rapid response site visits. CMS officials said the national site visit contractor is expected to provide consistency of site visits across the country and, similar to the automated screening contractor, reduce the A/B MACs' workloads. Several New Screening Procedures Remain in Progress: CMS's implementation of some enrollment screening procedures authorized by PPACA remains in progress, including efforts to (1) extend surety bond requirements to additional providers and suppliers, (2) conduct fingerprint-based criminal background checks of high-risk providers and suppliers, (3) require enrolling providers and suppliers to disclose additional types of information, and (4) require compliance and ethics programs for providers and suppliers. Extend Surety Bond Requirements to Additional Providers and Suppliers: CMS is in the process of drafting a proposed rule to extend the surety bond requirement to certain providers and other suppliers.[Footnote 46] Previously, surety bonds generally had been required only for DMEPOS suppliers.[Footnote 47] Specifically, CMS officials said that they are seeking comments on extending surety bonds to home health agencies and independent diagnostic testing facilities (and, potentially, outpatient rehabilitation facilities) and that they expected to issue a proposed rule to require surety bonds as conditions of enrollment for certain other types of providers in the fall of 2012. PPACA extended CMS's authority to impose surety bonds on certain additional providers and suppliers, based on a determination about their level of risk.[Footnote 48] The surety bond would be in an amount commensurate with the provider's or supplier's billing volume, but not less than $50,000. CMS officials also said they are considering giving a new supplier provisional enrollment and then setting the amount of the surety bond after a review of billing activities. While CMS is considering extending surety bonds to additional providers and suppliers, a 2011 HHS OIG report stated that CMS did not have finalized procedures for recovering DMEPOS overpayments through surety bonds, and therefore, as of July 2011, no overpayments had been recovered through surety bonds since October 2, 2009, the date the surety bond requirement became effective.[Footnote 49] However, in January 2012, CMS released guidance on claims against surety bonds for DMEPOS suppliers.[Footnote 50] The guidance states that the surety--a company that provides the surety bond --is liable for any overpayments incurred during the term of the surety bond and that the surety must pay CMS within 30 days of receiving written notice of an overpayment. CMS's guidance also advises DME MACs on how to collect overpayments incurred during the term of a surety bond. CMS officials said that they expect that many of the requirements for obtaining and maintaining DMEPOS surety bonds can be easily applied to home health agencies and independent diagnostic testing facilities. Conduct Fingerprint-Based Criminal Background Checks of High-Risk Providers and Suppliers: CMS officials said the agency was working with the Federal Bureau of Investigation (FBI) to gain access to its criminal background information for use in conducting fingerprint-based criminal background checks of high-risk providers and suppliers. PPACA authorized, but did not require, the use of criminal background checks in its risk-based provider and supplier screening. In order to conduct criminal background checks, CMS officials said they will contract with FBI channelers, whose contracts were recently recompeted by the FBI; CMS officials said that as of December 2011, 20 contracts were approved and 13 had been awarded by the FBI.[Footnote 51] CMS plans to contract with two channelers, one to conduct background checks and one to handle provider and supplier fingerprinting. CMS officials said they are developing a scope of work to solicit among the FBI-approved channelers and expect to have contracts in place before the end of 2012. CMS officials also said that they plan to develop guidance to further define A/B MAC and NSC responsibilities and work flow of these checks. Requiring Providers and Suppliers to Disclose Additional Information: CMS officials said the agency was developing and reviewing regulations to address the requirement for increased disclosures for enrolling or revalidating Medicare providers and suppliers. PPACA requires providers and suppliers to disclose any current or previous affiliation with another provider or supplier that has uncollected debt; has been or is subject to a payment suspension under a federal health care program; has been excluded from participation under Medicare, Medicaid, or CHIP; or has had its billing privileges denied or revoked at the time of initial enrollment or revalidation of enrollment. CMS officials noted that the development of these regulations is complicated by many issues that need to be addressed, such as provider and supplier concern about what information will be collected, what CMS will do with information once it is collected, and how to address concerns about maintaining the privacy and security of the information. CMS officials said the agency did not meet its own time frame for publishing a regulation to address this PPACA provision by November 2011 and they are not certain when the regulation will be published. Development of Regulations for a Compliance and Ethics Program: CMS officials said that the agency was studying criteria found in HHS OIG model plans as it worked to address the PPACA requirement that the agency establish the core elements of compliance and ethics programs for providers and suppliers. PPACA required that Medicare providers establish compliance programs that contain the core elements established by CMS in consultation with the HHS OIG. In general, a compliance program is the internal set of policies, processes, and procedures that a provider organization implements to help it act ethically and lawfully. In this context, a compliance program is intended to help provider and supplier organizations prevent and detect violations of Medicare laws and regulations. CMS does not have a projected target date for implementation. Concluding Observations: Timely and accurate Medicare provider and supplier enrollment information maintained in the PECOS database are essential to reducing fraud, waste, and abuse and the likelihood of making improper payments. Although PECOS information has been routinely updated by CMS's A/B MACs and the NSC using multiple national and state data sources, limitations in these data sources and in the frequency with which updates are made may lead to delays in, or failures to, accurately update information in PECOS, resulting in payments to ineligible providers or suppliers. As a result of the provisions in PPACA, CMS has begun to supplement its previous provider enrollment activities with new procedures and contracts that have the potential to improve the accuracy and timeliness of information stored in PECOS. In particular, CMS's new enrollment screening and site visit contracts shift some provider enrollment activities from the A/B MACs and NSC to centralized national contractors. CMS anticipates that the new screening contractor will improve the accuracy and timeliness of updates to the provider enrollment information in PECOS by automating the process and using additional data sources for enrollment screening. In addition, CMS expects that the new site visit contractor will enable the agency to conduct routine and targeted site visits of certain providers and suppliers in categories considered at greater risk for submitting improper or potentially fraudulent Medicare claims. Our previous work has found, and we recommended, that contractor monitoring is needed to ensure that CMS and its contractors identify and address the causes of improper payments. However, it is too early to determine whether these new contractors--and the agency's pending action on other PPACA provisions intended to strengthen provider enrollment standards--will improve the integrity of the Medicare provider enrollment and claims payment processes and reduce the likelihood of improper payments. Agency Comments: HHS reviewed a draft of this report and in its written comments highlighted continuing steps that CMS is taking to improve the accuracy and timeliness of data used to screen providers and suppliers and to further strengthen contractor oversight and PECOS data integrity. In its general comments, HHS noted that, since we conducted our work, CMS has increased the frequency with which it receives the SSA's DMF and now populates PECOS with this information weekly, rather than monthly. In addition, CMS will use its new automated screening contractor to routinely monitor changes that can affect enrollment status, such as death or loss of required licenses for providers and suppliers. HHS also commented that CMS is taking action to further strengthen quality control by performing follow-up analysis to ensure actions reported during the enrollment and revalidation processes are properly updated in PECOS. HHS noted that CMS is taking steps to improve the QASP process used to evaluate specific contractor functions by improving the depth at which these studies are performed and concentrating on areas that affect the quality of PECOS data. HHS's comments are printed in appendix I. HHS also provided technical comments, which we incorporated as appropriate. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Administrator of CMS and other interested parties. The report also will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff members have any questions about this report, please contact me at (202) 512-7114 or kingk@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Other major contributors to this report are listed in appendix II. Sincerely yours, Signed by: Kathleen M. King: Director, Health Care: [End of section] Appendix I: Comments from the Department of Health and Human Services: Department of Health & Human Services: Office of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: March 22, 2012: Kathleen King: Director, Healthcare: U.S. Government Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Ms. King: Attached are comments on the U.S. Government Accountability Office's (GAO) draft report entitled, "Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers" (GAO-12-351). The Department appreciates the opportunity to review this draft section of the report prior to publication. Sincerely, Signed by: Jim R. Esquea: Assistant Secretary for Legislation: Attachment: [End of letter] General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled, "Medicare Program Integrity: CMS Continues Efforts To Strengthen The Screening Of Providers And Suppliers" (GAO-12-351): HHS appreciates the opportunity to comment on the GAO draft report entitled, "Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers." The report examines how the Centers for Medicare & Medicaid Services (CMS) uses enrollment information to prevent payment of improper or potentially fraudulent Medicare claims and assesses the extent to which CMS has implemented new provider and supplier enrollment screening procedures since the enactment of the Affordable Care Act (ACA). GAO concluded in the report that CMS has instituted a number of new measures that have the potential to improve the accuracy and timeliness of enrollment information within the Provider Enrollment Chain and Ownership System (PECOS), particularly through the implementation of automated provider screening and the awarding of a national site visit contractor. GAO concluded, however, that it is too early to determine whether these new measures and CMS' pending actions on other ACA provisions intended to strengthen provider enrollment standards will improve the integrity of the Medicare provider enrollment and claims payment processes and reduce the likelihood of improper payments. GAO offered no recommendations in the report. HHS has reviewed the report findings and would like to provide additional information on measures being taken by CMS to further strengthen our enrollment processes and oversight of Medicare Administrative Contractors (MAC). CMS continues to improve the accuracy and timeliness of the data used to screen providers and suppliers to enhance program integrity and to prevent improper and potentially fraudulent payments. CMS has increased the frequency in which it receives the Social Security Administration Death Master File and currently populates PECOS on a weekly basis. In addition, CMS will use the new Automated Provider Screening contractor to routinely monitor changes that can affect enrollment status such as death or loss of required licenses for providers/suppliers. This monitoring of referential data sources will allow CMS and its contractors to take proactive measures to initiate administrative actions when warranted. CMS is also implementing steps that will further strengthen MAC oversight and PECOS data integrity. To strengthen quality control in PECOS, CMS is performing follow-up analysis to ensure actions reported during the enrollment and revalidation processes are properly updated in PECOS. In addition, CMS is taking steps to improve the Quality Assurance Surveillance Plan (QASP) process. The QASP is the method by which CMS evaluates specific contractor functions. CMS is striving to improve the depth at which these studies are performed by concentrating on areas that affect the quality of PECOS data. Finally, CMS has been able to further streamline the enrollment process and manage MAC workload by centralizing key enrollment functions such as application fee collection, site visits, and provider screening. [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Kathleen M. King, (202) 512-7114 or kingk@gao.gov: Staff Acknowledgments: In addition to the contact named above, Karen Doran, Assistant Director; April Brantley; Jennel Harvey; Anne Hopewell; Laurie Pachter; Monica Perez-Nelson; and Jessica Colbert Smith made key contributions to this report. [End of section] Footnotes: [1] Fraud represents intentional acts of deception with knowledge that the action or representation could result in an inappropriate gain. Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices. An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. In 1990, we began to report on government operations that we identified as "high risk" for serious weaknesses in areas that involve substantial resources and provide critical services to the public. See GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [2] Medicare consists of four parts. Medicare Part A covers inpatient hospital care, skilled nursing facility care, some home health care services, and hospice care. Part B services include physician and outpatient hospital services, diagnostic tests, mental health services, outpatient physical and occupational therapy, ambulance services, prosthetics, orthotics, and supplies. Medicare Parts A and B are known as original Medicare or Medicare Fee-for-Service (FFS). CMS also contracts with private health plans to administer a Medicare private plan, known as Medicare Part C or Medicare Advantage, and drug plan sponsors to administer the Medicare outpatient prescription drug benefit known as Medicare Part D. [3] HHS, Fiscal Year 2011 Agency Financial Report (Washington, D.C.: Nov. 15, 2011). [4] The term provider refers collectively to institutional providers such as hospitals, and health care facilities, as well as physicians and nonphysician practitioners who provide health care services to Medicare beneficiaries. Providers also include organ procurement organizations, skilled nursing facilities, hospice, and end-stage renal disease centers. The term suppliers refers to certain Part B entities such as ambulance service providers, mammography centers, and portable X-ray facilities. Suppliers also include entities that supply Medicare beneficiaries with durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) such as walkers and wheelchairs. Medicare law defines durable medical equipment (DME) as equipment that serves a medical purpose, can withstand repeated use, is generally not useful in the absence of an illness or injury, and is appropriate for use in the home. This report will use the term providers and suppliers when referring to all Medicare providers and suppliers but will specify DMEPOS suppliers when necessary. [5] Enrolling in Medicare enables providers or suppliers to submit claims for services and supplies provided to Medicare beneficiaries. [6] See GAO, Medicare: Improvements Needed to Address Improper Payments in Home Health, [hyperlink, http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27, 2009). [7] See GAO, Medicare: Covert Testing Exposes Weaknesses in the Durable Medical Equipment Supplier Screening Process, [hyperlink, http://www.gao.gov/products/GAO-08-955] (Washington, D.C.: July 3, 2008). [8] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA. [9] PPACA, § 6401, 124 Stat. 119, 747-753, amended by § 10603, 124 Stat. 119. 1006 (codified at 42 U.S.C. § 1395cc(j)). [10] CMS currently contracts with 10 A/B MACs that are responsible for their own geographic regions, known as jurisdictions. A total of 14 jurisdictions now exist and future consolidations will bring the total to 10 jurisdictions. There are four DME MACs that process claims for DMEPOS supplies. [11] We did not assess prepayment edits based on CMS policies on coverage of medical care or medical necessity. [12] Due to CMS's recent implementation of agreements with new contractors to manage certain aspects of the Medicare provider enrollment process, we did not assess whether these contractors will improve the accuracy of the data in PECOS. [13] In response to contracting reform requirements in the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, CMS has been transitioning its claims processing contracts from 51 contractors to no more than 10 MACs that will process Medicare Part A and Part B provider and supplier enrollment applications and pay claims, except for DMEPOS enrollment and claims. Due to this consolidation and transitioning of workloads between contractors, we avoided selecting MACs that could have lost their contracts during the course of our engagement. [14] Medicare, Medicaid, and Children's Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). [15] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). Internal controls are components of an organization's management that provide reasonable assurances that certain objectives, including effectiveness and efficiency of operations, are being achieved. [16] See GAO, Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs, [hyperlink, http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: Nov. 17, 2004), Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers, [hyperlink, http://www.gao.gov/products/GAO-05-656] (Washington, D.C.: Sept. 22, 2005), Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies, [hyperlink, http://www.gao.gov/products/GAO-07-59] (Washington, D.C.: Jan. 31, 2007), Medicare: Improvements Needed to Address Improper Payments in Home Health, [hyperlink, http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27, 2009), and Medicare Contracting Reform: Agency Has Made Progress with Implementation, but Contractors Have Not Met All Performance Standards, [hyperlink, http://www.gao.gov/products/GAO-10-71] (Washington, D.C.: Mar. 25, 2010). [17] CPI also coordinates CMS's program integrity efforts for Medicaid and the Children's Health Insurance Program. [18] To remain eligible for payment, providers and suppliers must continue to meet CMS's Medicare enrollment requirements and periodically revalidate their enrollment information with the A/B MACs or the NSC. [19] Licensure is a mandatory process by which a state government grants permission to an individual practitioner or health care organization to engage in an occupation or profession. Accreditation is a formal process by which a recognized body, usually a nongovernmental organization, assesses and recognizes that a health care organization meets applicable predetermined standards. Whereas licensure is a mandatory process, accreditation is usually voluntary although CMS requires accreditation as a condition for suppliers enrolling in Medicare. Some of the other required enrollment information includes: an agreement for electronic funds transfer, a Social Security or tax identification number, name of medical or professional school and year graduated, or residency status. [20] The OIG's LEIE includes all individuals and entities currently excluded from participating in federally funded health care programs including Medicare and Medicaid. Exclusions are imposed for a number of reasons including: (1) Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare, Medicaid, CHIP, or other State health care programs; (2) patient abuse or neglect; (3) felony convictions for other health care- related fraud, theft, or other financial misconduct; and (4) felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances. [21] The EPLS includes information on entities debarred, suspended, proposed for debarment, excluded, or disqualified by federal government agencies from receiving federal contracts or federally approved subcontracts and from certain types of federal financial and nonfinancial assistance and benefits. [22] The Medicare Prescription Drug Improvement and Modernization Act required the Secretary to establish and implement quality standards for DMEPOS suppliers. Pub. L. No. 108-173, § 302, 117 Stat. 2066, 2223 (Dec. 8, 2003). [23] A surety bond is a bond issued by an entity guaranteeing that a provider or supplier will fulfill its obligation to Medicare. If the obligation is not met, CMS is required to recover its losses via the surety bond. DMEPOS suppliers are required to obtain and submit a bond of no less than $50,000 for each NPI that is assigned by CMS. Because DMEPOS suppliers must obtain an NPI by practice location, a DMEPOS supplier with 20 practice locations would be required to secure a $1 million surety bond. [24] System maintenance includes activities such as programming software changes needed to correct errors or to implement functionality through "hard coded" edits. [25] Although the A/B and DME MACs we interviewed referred to it as a provider file, it also includes enrollment information on suppliers. [26] The Health Insurance Portability and Accountability Act (HIPAA) mandated that covered entities in the health care industry use standard formats for electronic claims and claims-related transactions. 42 U.S.C. § 1320d-2. CMS's EDI includes two systems--the Common Edits and Enhancements module and the Common Electronic Data Interchange--that are used for Medicare Part A and Part B claims and DMEPOS claims, respectively. Paper claims are put into electronic format for processing. [27] Medicare claims also undergo prepayment edits that are not related to provider enrollment information. Examples include edits that screen for excessive units of service--known as medically unlikely edits--and compliance with Medicare coverage policies. [28] For example, A/B MACs indicated that many provider-related claim denials are due to providers submitting claims for dates of service outside of the provider's eligibility dates. [29] PPACA requires all existing provider and supplier information to be revalidated by 2015. PPACA, § 6401, 124 Stat. 119, 749, amended by § 10603, 124 Stat. 119. 1006 (codified at 42 U.S.C. § 1395cc(j)). After the revalidation of all providers and suppliers required by PPACA, CMS's current cycle for revalidation--3 years for DMEPOS suppliers and 5 years for all other providers and suppliers--will apply. CMS retains the authority to require a provider or supplier to revalidate off-cycle when certain compliance-related concerns arise. PECOS data must also be updated when there is a change of address or other change to provider or supplier status. [30] The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) required HHS to establish and begin implementing by January 1, 2009, a Physician Feedback Program that would include distribution of confidential feedback reports to physicians on the resources used to provide care to Medicare beneficiaries. Pub. L. No. 110-275, § 131, 122 Stat. 2492, 2526-2527 (July 15, 2008). See GAO, Medicare Physician Feedback Program: CMS Faces Challenges with Methodology and Distribution of Physician Reports, [hyperlink, http://www.gao.gov/products/GAO-11-720] (Washington, D.C.: Aug. 12, 2011). [31] See GAO, Nursing Homes: Complexity of Private Investment Purchases Demonstrates Need for CMS to Improve the Usability and Completeness of Ownership Data, [hyperlink, http://www.gao.gov/products/GAO-10-710] (Washington, D.C.: Sept. 30, 2010). [32] CMS uses its Quality Assurance Surveillance Plans (QASP) to evaluate A/B and DME MAC's fulfillment of contract requirements. The QASP describes CMS's plan for inspecting the work within the various business functions that the MACs conduct. [33] PPACA also applies to certain enrollment provisions related to Medicaid or to the state Children's Health Insurance Program (CHIP). Medicaid is the federal-state program that covers acute health care, long-term care, and other services for low-income people. CHIP is the joint federal-state program that provides health coverage to children whose families have incomes that are low, but not low enough to qualify for Medicaid. This report does not discuss how PPACA affects either Medicaid or CHIP. [34] Medicare, Medicaid, and Children's Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). [35] A taxpayer identification number is an identification number used by the Internal Revenue Service (IRS) in the administration of tax laws. It is issued either by the SSA or by the IRS. [36] All individuals with a direct or indirect ownership interest of 5 percent or greater in high-risk providers and suppliers are subject to fingerprint-based criminal background checks. [37] Institutional providers include hospitals, home health agencies, community mental health centers, and skilled nursing facilities. Application fees do not apply to physicians, nonphysician practitioners, physician organizations, and nonphysician organizations. Suppliers include DMEPOS suppliers and other suppliers including ambulance service providers, mammography centers, and independent clinical laboratories. [38] PPACA, § 6401, 124 Stat. 119, 748, amended by § 10603, 124 Stat. 119. 1006 (codified at 42 U.S.C. § 1395cc(j)). PPACA established that fee amounts for subsequent years would be equal to the preceding year's fee adjusted by the percentage change in the Consumer Price Index (for all urban consumers) for the 12-month period ending on June 30 of the prior year. [39] CMS stated that a provider or supplier requesting a hardship exception must submit documentation of the need for an exception. For example, the application must include a letter and supporting documentation that describe the significant burden and why it merits an exception. [40] A/B MACs and the NSC must notify a provider or supplier who does not submit a fee or hardship exception request that it has 30 days from the date of the letter to pay the application fee, and that failure to do so will result in the rejection of the enrollment application (for initial enrollments and new practice locations) or revocation of the provider's Medicare billing privileges (for revalidation). The letter must also state that because a hardship exemption request was not submitted with the original application, such a request will not be considered in lieu of the fee. If the fee is paid within the 30 day period, the contractor may begin processing the application. [41] The provider or supplier must pay the application fee electronically through [hyperlink, http://www.pay.gov]. Pay.gov is the federal government website where individuals can submit payment to various federal agencies on-line. [42] PPACA, § 6402, 124 Stat. 119, 753-763 (codified at 42 U.S.C. § 1320a-7k). [43] Medicare and Medicaid Programs; Changes in Provider and Supplier Enrollment, Ordering and Referring, and Documentation Requirements, and Changes in Provider Agreements, 75 Fed. Reg. 24437 (May 5, 2010). [44] HIPAA required that HHS adopt standards for unique health identifiers. In a Final Rule, CMS adopted the NPI as the standard unique health identifier for health care providers. Centers for Medicare & Medicaid Services, The National Provider Identifier Rule, 69 Fed. Reg. 3434 (Jan. 23, 2004). Consistent with the NPI Final Rule, beginning in 2006, the Medicare program required providers and suppliers to report their NPIs on their enrollment applications. [45] CMS at times exercises its authority to conduct a site visit or request its contractors to conduct a site visit for any Medicare provider or supplier. [46] A surety bond is a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise. [47] Social Security Act § 1834(a)(16)(B). [48] PPACA, § 6402, 124 Stat. 119, 753-763. [49] HHS-OIG, Use of Surety Bonds to Recover Overpayments Made to Suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies: Early Findings, OEI-03-11-00351 (Sept. 12, 2011). [50] The guidance states that payment from the surety bond includes amounts up to the maximum obligation of the bond including: the amount of any unpaid claim, plus accrued interest, for which the DMEPOS supplier is responsible; and the amount of any unpaid claim, civil monetary penalty, or assessment imposed by CMS or the HHS OIG on the DMEPOS supplier, plus accrued interest. [51] Channelers are contractors who help collect the criminal history record information for the FBI. FBI-approved channelers receive the fingerprint submission and relevant data, collect the associated fee(s), electronically forward the fingerprint submission with the necessary information to the FBI for a national criminal background check, and receive the electronic record check result for dissemination to the individual or authorized recipient. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.