This is the accessible text file for GAO report number GAO-12-803T entitled 'Program Integrity: Further Action Needed to Address Vulnerabilities in Medicaid and Medicare Programs' which was released on June 7, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Government Organization, Efficiency, and Financial Management, Committee on Oversight and Government Reform, House of Representatives: For Release on Delivery: Expected at 9:30 a.m. EDT: Thursday, June 7, 2012: Program Integrity: Further Action Needed to Address Vulnerabilities in Medicaid and Medicare Programs: Statement of Carolyn L. Yocom: Director, Health Care: Kathleen M. King: Director, Health Care: GAO-12-803T: GAO Highlights: Highlights of GAO-12-803T, a testimony before the Subcommittee on Government Organization, Efficiency, and Financial Management, Committee on Oversight and Government Reform, House of Representatives. Why GAO Did This Study: In 2011, CMS estimated that Medicaid and Medicare had improper payments of $21.9 billion and almost $43 billion, respectively—among the largest for all federal programs. Both health care programs are on GAO’s list of high-risk programs. Over the years, Congress has passed legislation designed to help address program integrity issues in the two programs but they remain vulnerable to fraud, waste, and abuse. The program integrity challenges are different for Medicaid and Medicare. With 51 distinct state-based programs, Medicaid has complex challenges for finding the appropriate balance between state and federal efforts. Medicare uses contractors to help administer the program and CMS must oversee their efforts. This statement examines the progress made and important steps still to be taken in these programs. GAO focused on four key strategies and recommendations that were designed to facilitate them that were identified in prior work and that could help reduce improper payments: (1) strengthening provider enrollment standards and procedures to ensure that only legitimate providers participate in the program; (2) improving prepayment controls; (3) improving postpayment claims review and recovery of improper payments; and (4) developing a robust process for addressing identified vulnerabilities. This statement is based on GAO products issued from April 2004 through May 2012 and interviews with agency officials and other stakeholders. In May 2012, GAO also received additional information from CMS on agency actions. GAO received technical comments from CMS officials and incorporated them into this statement. What GAO Found: For the Medicaid program, the Centers for Medicare & Medicaid Services (CMS) and the states have taken some actions related to GAO’s four key strategies but more needs to be done. * CMS’s comprehensive state program integrity reviews identified provider enrollment as the most frequently cited area of concern but the agency has noted a positive trend in states’ awareness of regulatory requirements. * CMS noted vulnerabilities in the prepayment reviews of claims in five states and effective practices in seven others. In anticipation of new analytic tools to predict vulnerabilities before claims are paid, the agency has initiated discussions with and provided guidance to states. * CMS has begun collaborating with states to identify targets for federal postpayment audits, which should help to avoid duplication of federal and state audit efforts. * CMS has not established a robust process for states to evaluate and address vulnerabilities identified by the states’ new recovery audit contractors brought in to identify improper payments and recoup overpayments. For the Medicare program, CMS has acted to strengthen several of its strategies to better ensure program integrity, but other actions remain undone. * Congress authorized CMS to implement several new or improved enrollment safeguards, including screening enrollment applications for categories of Medicare providers by risk level. CMS has issued a final rule to implement this and other changes, but has not completed other final rules and additional actions that could further strengthen enrollment procedures, such as rules to implement new surety bond provisions and provider and supplier disclosures. * GAO’s prior work found certain gaps in Medicare’s prepayment edits based on coverage and payment policies and made recommendations for improvement, such as adding edits to identify abnormally rapid increases in medical equipment billing. GAO is currently evaluating new CMS efforts in this area. * CMS has begun using recovery auditing in its prescription drug program but not for its Medicare managed care plans. * GAO recommended that CMS establish an adequate process to ensure prompt resolution of identified vulnerabilities in Medicare and is currently evaluating steps that CMS has taken recently. It is critical that CMS and the states continue working on reducing improper payments. While both have made efforts to reduce improper payments, further action is needed. Although Medicaid presents different challenges, GAO believes that many of the lessons learned from its work on Medicare could be applied to strengthen Medicaid program integrity. These lessons can be applied as CMS and the states begin to use the additional tools provided through recent legislation. As the implementation process proceeds, GAO is continuing to monitor these issues. Effectively implementing provisions of recent laws and GAO’s recommendations will be critical to reducing improper payments and ensuring that federal funds are used efficiently and for their intended purpose. View [hyperlink, http://www.gao.gov/products/GAO-12-803T]. For more information, contact Carolyn L. Yocom at yocomc@gao.gov or Kathleen M. King at kingk@gao.gov or contact us at (202) 512-7114. [End of section] Chairman Platts, Ranking Member Towns, and Members of the Subcommittee: We are pleased to be here today to discuss our work regarding program integrity efforts in the Medicaid and Medicare programs. Medicaid and Medicare are two of the largest programs in the federal government, financing health care services for a combined total of approximately 119 million individuals at a cost of about $983 billion in 2011. [Footnote 1] These two programs also have some of the largest reported estimates of improper payments--payments that either were made in an incorrect amount or should not have been made at all.[Footnote 2] The Centers for Medicare & Medicaid Services (CMS), the agency within the Department of Health and Human Services (HHS) that oversees Medicaid and Medicare, has estimated that improper payments in the Medicaid program were $21.9 billion in fiscal year 2011.[Footnote 3] For the Medicare program, CMS estimated improper payments of almost $43 billion in fiscal year 2011.[Footnote 4] In part because of concerns over improper payments, we have identified both as high-risk programs. [Footnote 5] The program integrity challenges are different for Medicaid and Medicare. With 51 distinct state-based programs that are partially federally financed, Medicaid has complex challenges for finding the appropriate balance of state and federal efforts to ensure its integrity.[Footnote 6] States are the first line of defense against Medicaid improper payments because they are responsible for ensuring the qualifications of providers who bill the program, detecting improper payments, recovering overpayments, and referring suspected cases of fraud and abuse to law enforcement authorities. However, CMS has a critical role ensuring that adequate controls are in place and states' actions to help reduce improper payments are effective--which involves balancing the agency's oversight and support roles. The Medicaid Integrity Group--an organization within CMS's Center for Program Integrity--is responsible for the Medicaid Integrity Program, which focuses on overseeing and supporting state program integrity activities. Medicare's challenges are also significant. Since its inception, Medicare has been administered largely by contractors with federal oversight.[Footnote 7] In Medicare Parts A and B, CMS contractors process and pay approximately 4.5 million claims per workday, manage the information technology payment systems, enroll providers, respond to beneficiary questions, and investigate potential Medicare fraud. In Medicare Advantage (Part C) and the Medicare prescription drug benefit (Part D), CMS contracts with private health plans and drug sponsors to administer the Medicare benefits. In that capacity, the plans and sponsors have a responsibility to help ensure Medicare program integrity, and CMS must oversee their efforts to help ensure proper payments. The Medicare Integrity Group, also located within CMS's Center for Program Integrity, is responsible for the Medicare Integrity Program. However, other CMS components, such as the Office of Financial Management and the Center for Medicare, also share significant responsibilities for overseeing activities to ensure the integrity of the program. Our testimony today focuses on the progress CMS has made and important steps still to be taken to better assure the integrity of the Medicaid and Medicare programs. We will focus on four key strategies and recommendations designed to facilitate them that were identified in our prior work and that can help reduce improper payments: * Strengthening provider enrollment standards and procedures to help reduce the risk of enrolling entities intent on defrauding the program; * Improving prepayment controls, to ensure that claims are paid correctly the first time; * Improving postpayment claims review and recovery of improper payments to reduce the likelihood of and recoup overpayments; and: * Developing a robust process for tackling identified vulnerabilities in order to address risks that lead to improper payments. This testimony is largely based on products that were issued from April 2004 through May 2012.[Footnote 8] In addition, to assess CMS and state efforts to strengthen provider enrollment standards and procedures and improve prepayment and postpayment claims review for Medicaid, we analyzed CMS's comprehensive reviews of state program integrity activities and its audits of state Medicaid providers. This additional work was performed in May 2012. We also received updated information from CMS in May 2012 on its actions related to the laws, regulations, guidance, and open recommendations that we discuss in this statement. We shared the facts contained in this statement with CMS and have incorporated their comments as appropriate. Our work was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Since 1996, Congress has taken important steps to increase program integrity funding and oversight, including the establishment of both the Medicaid and Medicare Integrity Programs. Table 1 summarizes several key congressional actions. Table 1: Key Congressional Actions to Increase Program Integrity Funding and Oversight in the Medicaid and Medicare Programs: Year: 1996; Congressional action: Created the Medicare Integrity Program and established a dedicated fund for activities to address fraud, waste, and abuse in federal health care programs, including both Medicaid and Medicare[A]; Statute: Health Insurance Portability and Accountability Act of 1996[B]. Year: 2003; Congressional action: Directed CMS to conduct a 3-year demonstration project on the use of a new type of contractors--recovery audit contractors (RAC)--in identifying underpayments and overpayments, and recouping Medicare overpayments; Statute: Medicare Prescription Drug, Improvement, and Modernization Act of 2003[C]. Year: 2006; Congressional action: Established the Medicaid Integrity Program to support and oversee state Medicaid program integrity activities and included specific appropriations to reduce fraud, waste, and abuse; Statute: Deficit Reduction Act of 2005[D]. Year: 2010; Congressional action: Provided additional funding for program integrity activities and, among other things: * Required states to establish Medicaid RACs and CMS to extend the Medicare RACs to Parts C and D of the Medicare program; * Established new provider enrollment requirements for both programs; * Required CMS to develop core elements for provider compliance programs; * Authorized surety bond requirements for providers[E]; Statute: Patient Protection and Affordable Care Act[F]. Year: 2010; Congressional action: Required Medicare to begin using predictive analytics to identify and prevent fraud, with their use in Medicaid by 2015 to be based on the results of Medicare's experience[G]; Statute: Small Business Jobs Act of 2010[H]. Source: GAO analysis of selected federal laws. [A] The fund is known as the Health Care Fraud and Abuse Control account. [B] Pub. L. No. 104-191, §§ 201-202, 110 Stat. 1936, 1993, 1996 (codified at 42 U.S. C. §§ 1395i, 1395ddd). [C] Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256-57. Subsequently, the Tax Relief and Health Care Act of 2006 required CMS to implement a national recovery audit contractor program by January 1, 2010. Pub. L. No. 109-432, div B., title III, § 302, 120 Stat. 2922, 2991-92 (codified at 42 U.S.C. § 1395 ddd(h)). [D] See Pub. L. No. 109-171, § 6034, 120 Stat. 4, 74-78 (2006) (codified at 42 U.S.C. § 1396u-6). [E] A surety bond is a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise. [F] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the Health Care Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029. [G] Predictive analytics include the use of algorithms and models to analyze claims before payment is made in order to identify unusual or suspicious patterns or abnormalities in provider networks, claims billing patterns, and beneficiary utilization. [H] Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. [End of table] CMS and States Have Undertaken Efforts to Improve Medicaid Program Integrity, but More Needs to Be Done: CMS and the states are continuing to strengthen provider enrollment standards and procedures, as well as developing adequate controls to detect improper claims before they are paid. While CMS has made progress in collaborating more closely with states on federal postpayment claims reviews by shifting the focus to state-identified targets, it is too early to assess the potential for Medicaid recovery audit contractors (RAC) to avoid duplicating efforts of ongoing state and federal provider audits. Finally, the agency has not established a robust process for incorporating RAC-identified vulnerabilities in state corrective action plans. Provider Enrollment Standards Remain a Concern, but CMS Has Reported Some Progress: CMS and the states continue efforts to strengthen the standards and procedures for enrolling Medicaid providers, which could help reduce the risk of enrolling providers intent on defrauding or abusing the program. Since 2007, CMS has monitored states' Medicaid provider enrollment standards and procedures--as well as other aspects of their programs--through comprehensive state program integrity reviews. [Footnote 9] The Patient Protection and Affordable Care Act (PPACA) also included several provisions aimed at strengthening Medicaid provider enrollment standards and procedures.[Footnote 10] For example, PPACA required states to conduct certain provider screening procedures, such as verifying provider licenses and terminating individuals or entities from Medicaid participation under certain circumstances.[Footnote 11] Our analysis of final reports from CMS's most recent comprehensive reviews for all 51 states found 230 instances of non-compliance with federal laws or federal regulatory requirements related to states' provider enrollment standards and procedures.[Footnote 12] Most of the reviews we analyzed were conducted prior to CMS's final rule implementing PPACA provider enrollment provisions.[Footnote 13] CMS cited at least 1 instance and as many as 8 instances of non-compliance for each state reviewed, with 31 states receiving 4 or 5 citations. About half of the citations were generally due to states' failures to verify provider licenses, or collect or disclose required ownership and related information.[Footnote 14] In the introduction to its summary of 2011 comprehensive reviews, CMS noted that provider enrollment has been the most frequently cited area of non-compliance since it began these reviews in 2007. While these problems were identified in nearly every state, CMS also reported that it had noticed a positive trend in states' awareness of regulatory requirements and knowledge of how to implement the requirements. In addition to identifying areas in which states needed to improve their provider enrollment standards and procedures, CMS's most recent comprehensive reviews of all 51 states identified a total of 53 instances of effective or noteworthy provider enrollment practices. [Footnote 15] CMS credited 29 states with having at least one effective or noteworthy practice, and deemed 1 state to have five. For example, CMS found that this state had: * an innovative software package that automated the verification of licenses of potential Medicaid providers, which ensures that Medicaid does not allow payments to nonqualified health care providers; * a team dedicated to conducting criminal background checks prior to approving a provider application; and: * a requirement that managed care providers be enrolled in Medicaid before they are eligible to become a member of a participating managed care plan's provider network, which ensures that such providers will have had a criminal background check conducted by the state. In addition to the comprehensive reviews, CMS provided guidance periodically to states. In August 2010, CMS issued guidance to states on best practices related to provider enrollment. Among other things, this guidance recommended that states meet regularly and coordinate enrollment policy with provider enrollment personnel, ensure that provider enrollment forms request all required disclosures, and report to the HHS Office of Inspector General (OIG) any adverse actions taken on providers' Medicaid participation and providers' criminal convictions. In July 2011, the Medicaid Integrity Institute--CMS's national Medicaid training program for state program integrity officials--sponsored a symposium on PPACA's program integrity enhancements--including the provider enrollment provisions--and discussed strategies to achieve their timely implementation. CMS Continues to Monitor States' Implementation and Use of Prepayment Claims Review: While states are responsible for paying claims and conducting prepayment reviews of claims, CMS is responsible for ensuring that states have adequate controls to detect improper claims before they are paid. Two ways CMS provides this oversight are through (1) an examination of states' prepayment review processes, which occurs during CMS's comprehensive state program integrity reviews, and (2) the provision of guidance to states on their use of predictive analytics, which use algorithms and models to simultaneously analyze large numbers of claims from multiple data sources before payment is made in order to identify unusual or suspicious patterns or abnormalities in provider networks, claims billing patterns, and beneficiary utilization. Although not all of CMS's comprehensive reviews included information on states' prepayment review processes, our analysis of the most recent comprehensive reviews for all 51 states noted vulnerabilities in the processes of 5 states and regulatory compliance issues in 1 state. For example, CMS found that 1 state did not conduct prepayment reviews or suspend or withhold payments to providers suspected of fraud and abuse. Rather, the state only withheld provider payments after determining that it had overpaid a provider. For another state, a very limited prepayment review process was seen as one of many issues contributing to what CMS characterized as the state's ineffective program integrity oversight and operations. These comprehensive reviews also noted effective and noteworthy prepayment review processes in 7 states. For example, CMS highlighted one state's prepayment edit process that included an automated edit system to deny claims that failed to meet certain standards.[Footnote 16] For another state, CMS recognized the state's efforts to effectively communicate program integrity concerns throughout its Medicaid agency; these communications included the establishment of an agencywide committee--with representation from the program integrity division--that regularly discussed current and proposed edits for inclusion in prepayment reviews. According to CMS officials, they have had discussions with and provided guidance and technical assistance to states regarding the use of predictive analytics to identify and prevent improper payments both informally and during three recent Medicaid Integrity Institute symposiums. CMS officials also told us that states are in varying stages of implementing predictive analytics; based on Medicare's experience, the Small Business Jobs Act of 2010 requires the use of predictive analytics in Medicaid beginning in 2015.[Footnote 17] Federal Postpayment Claims Reviews Are Becoming More Collaborative; Introduction of Recovery Audit Contractors Will Need to Avoid Duplication with Other Audit Efforts: Our prior work found that postpayment reviews are critical to identifying and recouping overpayments, but the importance of collaboration and coordination to avoid duplication has grown because of the increase in the number of entities other than states now conducting such reviews.[Footnote 18],[Footnote 19] In 2011, we reported that collaborative audits were a promising approach to avoiding duplication of federal and state audit efforts.[Footnote 20] As directed by the Deficit Reduction Act of 2005, CMS established a federal program to audit state Medicaid claims. Since implementing federal audits in 2008, CMS's contractors have conducted a total of 1,662 postpayment audits, 1,550 of which were federal audits where CMS identified the audit targets and 112 of which were collaborative audits where CMS relied on state Medicaid integrity programs to identify audit targets.[Footnote 21] Our analysis shows that since shifting to a more collaborative approach in 2010, the focus of audits has changed from an emphasis on hospitals to an emphasis on long-term care and pharmacy (see table 2). Table 2: Number and Percentage of Provider Types Targeted by Federal and Collaborative Audits. Provider type: Hospital; Number of federal audits: 584; Percentage of all federal audits[A]: 38%; Number of collaborative audits: 11; Percentage of collaborative audits[A]: 10%. Provider type: Long-term care; Number of federal audits: 284; Percentage of all federal audits[A]: 18%; Number of collaborative audits: 33; Percentage of collaborative audits[A]: 29%. Provider type: Physician; Number of federal audits: 227; Percentage of all federal audits[A]: 15%; Number of collaborative audits: 8; Percentage of collaborative audits[A]: 7%. Provider type: Pharmacy; Number of federal audits: 225; Percentage of all federal audits[A]: 15%; Number of collaborative audits: 35; Percentage of collaborative audits[A]: 31%. Provider type: Home health; Number of federal audits: 9; Percentage of all federal audits[A]: 1%; Number of collaborative audits: 6; Percentage of collaborative audits[A]: 5%. Provider type: Durable medical equipment; Number of federal audits: 45; Percentage of all federal audits[A]: 3%; Number of collaborative audits: 1; Percentage of collaborative audits[A]: 1%. Provider type: Other; Number of federal audits: 176; Percentage of all federal audits[A]: 11%; Number of collaborative audits: 18; Percentage of collaborative audits[A]: 16%. Provider type: Total; Number of federal audits: 1,550; Percentage of all federal audits[A]: 100%; Number of collaborative audits: 112; Percentage of collaborative audits[A]: 100%. Source: GAO analysis of CMS data. Note: Data presented from 2008 through February 29, 2012. "Other" includes clinic, behavioral health, dental, personal care, managed care, hospice, ambulatory health care facilities, direct service providers, disability care services, home office, provider agency, transportation, therapeutic residential child care facility, and cases that CMS labeled "other." [A] Column does not add up to 100 due to rounding. [End of table] PPACA requires state Medicaid programs to establish contracts with RACs, consistent with state law and similar to the contracts established for the Medicare program, subject to exceptions or requirements provided by CMS.[Footnote 22] One or more of these RACs are to identify and recoup overpayments and identify underpayments made for services provided by state Medicaid programs. The National Association of Medicaid Directors (NAMD) in March 2012 noted concern about the potential for overlap between federal and state program integrity activities, particularly with respect to provider audits, and observed that the deployment of Medicaid RACs increased the potential for duplication.[Footnote 23] CMS's shift to collaborative federal audits should help resolve the potential for duplication of state audit efforts because states identify the collaborative audit targets. However, a few states that we discussed the Medicaid RAC program with voiced concerns about the potential for duplication with their own audits. In its September 2011 final rule implementing the Medicaid RAC program, CMS disagreed with similar public comments that the Medicaid RAC program would duplicate efforts of the federal national audit program because federal audit targets are vetted with states.[Footnote 24] In this final rule, CMS acknowledged the potential for the duplication of efforts among different auditing entities and required states to coordinate their RAC efforts with other auditing entities. According to CMS, RACs are an efficient way to identify payment errors, while federal audits may be more effective in identifying or preventing fraudulent practices. CMS defined implementation of state RAC programs to mean that states must have a signed contract in place with their selected contractors by January 1, 2012. According to agency officials, 32 states had signed contracts with RAC vendors as of May 31, 2012, but few states' Medicaid RAC programs were operational. In addition, officials told us that 17 states had requested exceptions due to implementation delays. The few states with operational RAC programs had not yet reported on whether RACs had increased state collections of improper payments. As a result, it is too early to assess the initial results and the potential for duplication, including the steps CMS and the states will take to avoid duplication. CMS Has Not Established a Robust Process for Incorporating Identified Vulnerabilities in State Corrective Action Plans: Our prior work has demonstrated that CMS had not developed a robust process to specifically address identified vulnerabilities that lead to improper payments in Medicaid. Previously we reported that CMS, in its proposed rule for the Medicaid RAC program, did not include steps for states to collect information on RAC-identified vulnerabilities and to develop a corrective action plan to address them.[Footnote 25] CMS requires state Medicaid agencies to have a corrective action process as part of their activities to reduce their Medicaid error rates. Information from the Medicaid RAC program could be incorporated into these processes. In response to a comment on the proposed rule noting this weakness, CMS acknowledged the importance of having RAC- identified vulnerabilities incorporated in state program integrity activities, observing, "if Medicaid RACs identify program vulnerabilities as a result of their findings, we encourage RACs to share this information with States so that they can implement corrective action, such as pre-payment edits or other similar system fixes."[Footnote 26] However, CMS did not incorporate a process for states to evaluate and address RAC-identified vulnerabilities into its final rule. CMS Has Made Progress in Strengthening Its Medicare Program Integrity Efforts, but Further Actions Are Needed: CMS has made progress strengthening several of the strategies to better ensure the integrity of the Medicare program, such as implementing changes to provider enrollment. However, CMS has not completed other actions that could be helpful in addressing improper payments and reducing fraud, waste and abuse in the Medicare program, including implementation of some relevant PPACA provisions and some of our prior recommendations. CMS Has Taken Action on Certain PPACA Provider Enrollment Provisions, but Not Completed Others: To address past weaknesses that allowed entities intent on committing fraud from enrolling in Medicare, PPACA authorized CMS to implement several actions to strengthen provider enrollment, some of which have been completed. Specifically, CMS has added screenings of categories of provider enrollment applications by risk level and new national enrollment screening and site visit contractors. Screening Provider Enrollment Applications by Risk Level: CMS and the HHS-OIG issued a final rule with comment period in February 2011 to implement many of the new screening procedures required by PPACA. [Footnote 27] CMS designated three levels of risk--high, moderate, and limited--with different screening procedures for categories of Medicare providers at each level. Providers in the high-risk level are subject to the most rigorous screening.[Footnote 28] Based in part on our work and that of the HHS-OIG, CMS designated newly enrolling home health agencies and durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) suppliers as high risk and designated other providers at lower levels. Providers at all risk levels are screened to verify that they meet specific requirements established by Medicare, such as having current licenses or accreditation and valid Social Security numbers.[Footnote 29] High-and moderate-risk providers are additionally subject to unannounced site visits. Further, depending on the risks presented, PPACA authorizes CMS to require fingerprint-based criminal history checks, and the posting of surety bonds for certain providers.[Footnote 30] CMS indicated in the discussion of the final rule that the agency will continue to review the criteria for its screening levels on an ongoing basis and would publish changes if the agency decided to update the assignment of screening levels for categories of Medicare providers. Doing so could become important because the Department of Justice (DOJ) and HHS reported multiple convictions or other legal actions against types of providers not currently at the high-risk level, including medical clinics and physical therapy practices.[Footnote 31] CMS's implementation of accreditation for DMEPOS suppliers, and of a competitive bidding program, including in areas thought to have high fraud rates, may be helping to reduce risk of DMEPOS fraud.[Footnote 32] As a result, while continued vigilance on DMEPOS suppliers is warranted, other types of providers may become more problematic in the future. We are currently examining the types of providers involved in fraud cases investigated by the HHS-OIG and DOJ, which may help illuminate risk to the Medicare program from different types of providers. New National Enrollment Screening and Site Visit Contractors: CMS contracted with two new types of entities at the end of 2011 to assume centralized responsibility for two functions that had been the responsibility of multiple contractors. One of the new contractors will be conducting automated screening to check that providers and suppliers have valid licensure, accreditation, a valid National Provider Identifier (NPI), and no presence on the HHS-OIG list of providers and suppliers excluded from participating in federal health care programs. The second contractor has begun conducting site visits of providers to determine if sites are legitimate and the providers meet certain Medicare standards.[Footnote 33] CMS officials told us that the agency expects that these new contractors will provide more efficiency and consistency in their reviews. However, our prior work found that CMS had not implemented other enrollment screening actions authorized by PPACA. These actions could help further reduce the enrollment of providers and suppliers intent on defrauding the Medicare program. They include issuing a rule to implement surety bonds for providers, completing contract awards to begin fingerprint-based criminal background checks, issuing a rule on provider and supplier disclosure requirements, and establishing the core elements for provider and supplier compliance programs. Surety Bond: PPACA authorizes CMS to require a surety bond for certain types of at-risk providers. Surety bonds may serve as a source for recoupment of erroneous payments. CMS has not developed a proposed rule to require surety bonds as conditions of enrollment to implement this requirement. Extending the use of surety bonds to these new entities would augment a previous statutory requirement for DMEPOS suppliers to post a surety bond at the time of enrollment.[Footnote 34] While CMS had required surety bonds from DMEPOS suppliers since 2009, CMS did not issue instructions for recovering overpayments through surety bonds, until January 2012, to take effect in February 2012. As of May 2012, CMS had not collected any funds from surety bond companies. Fingerprint-based Criminal Background Checks: CMS officials told us that they are working with the Federal Bureau of Investigation to arrange a contract that will enable the agency to access information to help conduct fingerprint-based criminal background checks of high- risk providers and suppliers, which is a tool authorized by PPACA. The agency expects to have the necessary contract in place by early 2013. Providers and Suppliers Disclosure: CMS had not completed development of regulations for increased disclosures of prior actions taken against providers and suppliers enrolling or revalidating enrollment in Medicare, such as whether the provider or supplier has been subject to a payment suspension from a federal health care program.[Footnote 35] Agency officials indicated that developing the additional disclosure requirements was complicated by provider and supplier concerns about what types of information will be collected, what CMS will do with it, and how the privacy and security of this information will be maintained. Compliance Program: CMS had not established the core elements of compliance programs for providers and suppliers, as required by PPACA. Agency officials indicated that they had sought public comments on the core elements, which they were considering, and were also studying criteria found in HHS-OIG model plans for possible inclusion.[Footnote 36] Additional Improvements to Prepayment Claims Review May Better Identify Improper Payments: Increased efforts to review claims on a prepayment basis can better prevent payments that should not be made. As claims go through Medicare's electronic claims payment systems, they are subjected to prepayment edits, most of which are fully automated; if a claim does not meet the criteria of the edit, it is automatically denied. Other prepayment edits are manual; they flag a claim for individual review by trained staff who determine if it should be paid. Due to the volume of claims, CMS has reported that less than 1 percent of Medicare claims are subject to manual medical record review by trained personnel. Having effective prepayment edits that deny claims for ineligible providers and suppliers depends on having timely and accurate information about them, such as whether the providers are currently enrolled and have the appropriate license or accreditation to provide specific services. We have previously identified flaws in the timeliness and accuracy of data in the Provider Enrollment Chain and Ownership System (PECOS)--the database that maintains Medicare provider and supplier enrollment information, which may result in CMS making improper payments to ineligible providers and suppliers. [Footnote 37] These weaknesses are related to the frequency with which CMS's contractors update enrollment information and the timeliness and accuracy of information obtained from outside entities, such as state licensing boards,[Footnote 38] the HHS-OIG, and the Social Security Administration's Death Master File, which contains information on deceased individuals that can be used to identify deceased providers in order to deactivate their NPI. CMS has indicated that its new national screening contractor should improve the timeliness and accuracy of the provider and supplier information in PECOS by centralizing the process, increasing automation of the process, checking databases more frequently, and incorporating new sources of data, such as financial, business, tax, and geospatial data. We are planning to review the accuracy of PECOS information. Having effective edits to implement coverage and payment policies before payment is made can also prevent improper payments. The Medicare program has defined categories of items and services eligible for coverage and excludes from coverage items or services that are determined not to be "reasonable and necessary for the diagnosis and treatment of an illness or injury or to improve functioning of a malformed body part."[Footnote 39] CMS and its contractors set policies regarding when and how items and services will be covered by Medicare, as well as coding and billing requirements for payment, which can be implemented in the payment systems through edits. Our prior work found certain gaps in Medicare's prepayment edits based on coverage and payment policies and made recommendations for improvement, which have not all been implemented. For example, CMS has not developed edits to identify abnormally rapid increases in billing by DMEPOS suppliers, which is associated with fraudulent billing. [Footnote 40] We are currently assessing CMS's implementation of edits on coverage and payment policies. We are also currently evaluating a new CMS effort, the Fraud Prevention System (FPS), which uses predictive analytic technologies to analyze Medicare fee-for-service (FFS) claims as required by the Small Business Jobs Act of 2010. According to CMS, FPS may enhance CMS's ability to identify potential fraud because it simultaneously analyzes large numbers of claims from multiple data sources nationwide before payment is made, thus allowing CMS to examine billing patterns across geographic regions for those that may indicate fraud. The results of FPS could lead to the initiation of payment suspensions, implementation of automatic claim denials, and identification of additional prepayment edits, investigations, or the revocation of Medicare billing privileges. CMS began using FPS to screen all FFS claims nationwide prior to payment as of June 30, 2011. Because FPS is relatively new, and we have not completed our work, it is too soon to determine whether FPS will improve CMS's ability to address fraud. Adding New Contractors and Taking Additional Actions Could Improve Medicare Postpayment Claims Reviews: Adding new RACs into the Medicare program may help in identifying under or overpayments, and in recouping overpayments.[Footnote 41] Prior to PPACA, CMS began a national RAC program in March 2009 for FFS Medicare.[Footnote 42] As of May 2012, CMS reported that $1.86 billion was recouped due to these contractors' efforts from October 2009 through March 2012. PPACA required the expansion of Medicare RACs to Parts C and D. CMS has implemented a RAC for Part D, but not for Part C. * The agency awarded a Part D RAC task order[Footnote 43] for a 1-year base period that began in January 2011, and 4 option years. The Part D RAC is modeled after the Medicare FFS RACs and conducts postpayment review of Part D claims for prescription drugs based on specific criteria determined by CMS. CMS has approved the Part D RAC to conduct postpayment review of claims to identify several issues leading to improper payments, such as payments to excluded providers and duplicate payments.[Footnote 44] To ensure that the Part D RAC is making correct determinations of any improper payments, CMS has included a validation contractor to review Part D RAC determinations. CMS officials stated that the Part D RAC has started its review of 2007 claims data for prescription drug events and has identified potential overpayments to recoup. * CMS has not yet awarded a Part C RAC task order or contract. Agency officials indicated that they are still considering different options for implementing a Part C RAC program to address improper Medicare Advantage plan payments. Plans are paid a monthly capitated per-person payment for enrolled beneficiaries, based on an approved bid amount and risk adjusted based on individual beneficiaries' health status. Most of the Part C payment errors are driven by errors in the risk adjustment data (clinical diagnosis data) submitted by the plans, due to diagnoses not supported by the medical records. CMS is currently auditing Part C plans' reporting of risk adjustment data. CMS officials indicated concern that adding additional contractors to identify Medicare Advantage plan payment errors would duplicate current efforts. Further actions are also needed to improve use of two CMS information technology systems that could help analysts identify fraud after claims have been paid.[Footnote 45] * The Integrated Data Repository (IDR) became operational in September 2006 as a central data store of Medicare and other data needed to help CMS program integrity staff and contractors detect improper payments of claims. However, we found IDR did not include all the data that were planned to be incorporated by fiscal year 2010, because of technical obstacles and delays in funding. Further, as of December 2011, the agency had not finalized plans or developed reliable schedules for efforts to incorporate these data, which could lead to additional delays. * One Program Integrity (One PI) is a web-based portal intended to provide CMS staff and contractors with a single source of access to data contained in IDR, as well as tools for analyzing those data. Although One PI is operational, as of May 2011, CMS had trained few program integrity analysts and the system was not being widely used. GAO recommended that CMS take steps to finalize plans and reliable schedules for fully implementing and expanding the use of both IDR and One PI and to define measurable benefits. The agency has initiated activities to incorporate additional data into IDR and expand the use of One PI through additional user training. For example, CMS officials indicated that they began incorporating additional Medicare claims data into IDR in September 2011 and as of November 2011, had trained over 200 analysts who were using One PI. CMS officials reported having provided additional training in 2012. However, as of April 2012, CMS had not fully addressed our recommendations--for example, the agency had not finalized plans for adding Medicaid data into IDR. Robust Process to Address Identified Vulnerabilities Could Help Reduce Improper Payments: Having mechanisms in place to resolve vulnerabilities that lead to improper payments is critical to effective program management, but our work has shown weaknesses in CMS's processes to address such vulnerabilities.[Footnote 46] Our March 2010 report on the RAC demonstration program found that CMS had not established an adequate process during the demonstration or in planning for the national program to ensure prompt resolution of identified vulnerabilities in Medicare. Further, most vulnerabilities identified during the demonstration were not addressed.[Footnote 47] We therefore recommended that CMS develop and implement a corrective action process that includes policies and procedures to ensure the agency promptly (1) evaluates findings of RAC audits, (2) decides on the appropriate response and a time frame for taking action based on established criteria, and (3) acts to correct the vulnerabilities identified. [Footnote 48] In December 2011, the HHS-OIG found that CMS had not resolved or taken significant action to resolve 48 of 62 vulnerabilities reported in 2009 by CMS contractors specifically charged with addressing fraud.[Footnote 49] The HHS-OIG made several recommendations, including that CMS have written procedures and time frames to assure that vulnerabilities were resolved. CMS has indicated that it is now tracking vulnerabilities identified from several types of contractors through a single vulnerability tracking process, and the agency has developed some written guidance on the process. We are currently examining aspects of CMS's vulnerability tracking process and will be reporting on it soon. Concluding Observations: CMS and the states must continue and improve their efforts to reduce improper payments. Identifying the nature, extent, and underlying causes of improper payments, and developing adequate corrective action processes to address vulnerabilities, is an essential prerequisite to reducing them. Although Medicaid presents different challenges, we believe that many of the lessons learned from our Medicare work could be applied to strengthen Medicaid program integrity. These lessons can be applied as CMS and the states begin to use the additional tools to identify and recoup Medicaid improper payments provided through recent legislation. As CMS and the states implement these PPACA and Small Business Jobs Act provisions, additional evaluation and oversight will help determine whether the provisions are implemented as intended and have the desired effect on better ensuring proper payments. Moreover, we are continuing to monitor CMS and state efforts as the implementation process proceeds. Notably, we have work under way assessing CMS's efforts to support and strengthen Medicaid program integrity through its Medicaid Integrity Program. We are also examining the effectiveness of different types of prepayment edits in Medicare, including CMS's oversight of its contractors in implementing those edits, and CMS's implementation of predictive analytics through FPS. The level of importance placed on effectively implementing our recommendations and the provisions of recent laws will be critical to reducing improper payments in the Medicaid and Medicare programs, and ensuring that federal funds are used efficiently and for their intended purposes. Chairman Platts, Ranking Member Towns, and Members of the Subcommittee, this completes our prepared statement. We would be pleased to respond to any questions that you may have at this time. GAO Contacts and Staff Acknowledgments: For further information about this statement, please contact us at (202) 512-7114 or kingk@gao.gov and yocomc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Sheila K. Avruch and Walter Ochinko, Assistant Directors; Sean DeBlieck; Kaycee Glavich; Leslie V. Gordon; Drew Long; Jasleen Modi; Lisa Rogers; and Jennifer Whitworth were key contributors to this statement. [End of section] Appendix I: Abbreviations: CMS: Centers for Medicare & Medicaid Services: DOJ: Department of Justice: DMEPOS: durable medical equipment, prosthetics, orthotics and supplies: FFS: fee-for-service: FPS: Fraud Prevention System: HHS: Department of Health and Human Services: IDR: Integrated Data Repository: NAMD: National Association of Medicaid Directors: NPI: National Provider Identifier: OIG: Office of Inspector General: PECOS: Provider Enrollment Chain and Ownership System: PPACA: Patient Protection and Affordable Care Act: RAC: recovery audit contractor: [End of section] Related GAO Products: Medicare: Review of the First Year of CMS's Durable Medical Equipment Competitive Bidding Program's Round 1 Rebid. [hyperlink, http://www.gao.gov/products/GAO-12-693]. Washington, D.C.: May 9, 2012. Medicare: The First Year of the Durable Medical Equipment Competitive Bidding Program Round 1 Rebid. [hyperlink, http://www.gao.gov/products/GAO-12-733T]. Washington, D.C.: May 9, 2012. Medicaid: Federal Oversight of Payments and Program Integrity Needs Improvement. [hyperlink, http://www.gao.gov/products/GAO-12-674T]. Washington, D.C.: April 25, 2012. Medicare: Important Steps Have Been Taken, but More Could Be Done to Deter Fraud. [hyperlink, http://www.gao.gov/products/GAO-12-671T]. Washington, D.C.: April 24, 2012. Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers. [hyperlink, http://www.gao.gov/products/GAO-12-351]. Washington, D.C.: April 10, 2012. Improper Payments: Remaining Challenges and Strategies for Governmentwide Reduction Efforts. [hyperlink, http://www.gao.gov/products/GAO-12-573T]. Washington, D.C.: March 28, 2012. 2012 Annual Report: Opportunities to Reduce Duplication, Overlap and Fragmentation, Achieve Savings, and Enhance Revenue. [hyperlink, http://www.gao.gov/products/GAO-12-342SP]. Washington, D.C.: February 28, 2012. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Expand Efforts to Support Program Integrity Initiatives. [hyperlink, http://www.gao.gov/products/GAO-12-292T]. Washington, D.C.: December 7, 2011. Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States. [hyperlink, http://www.gao.gov/products/GAO-12-288T]. Washington, D.C.: December 7, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. [hyperlink, http://www.gao.gov/products/GAO-12-104T]. Washington, D.C.: October 4, 2011. Medicare Part D: Instances of Questionable Access to Prescription Drugs. [hyperlink, http://www.gao.gov/products/GAO-11-699]. Washington, D.C.: September 6, 2011. Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-11-592]. Washington, D.C.: July 29, 2011. Improper Payments: Reported Medicare Estimates and Key Remediation Strategies. [hyperlink, http://www.gao.gov/products/GAO-11-842T]. Washington, D.C.: July 28, 2011. Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services. [hyperlink, http://www.gao.gov/products/GAO-11-822T]. Washington, D.C.: July 12, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. [hyperlink, http://www.gao.gov/products/GAO-11-475]. Washington, D.C.: June 30, 2011. Improper Payments: Recent Efforts to Address Improper Payments and Remaining Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-575T]. Washington, D.C.: April 15, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-11-409T]. Washington, D.C.: March 9, 2011. Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue. [hyperlink, http://www.gao.gov/products/GAO-11-318SP]. Washington, D.C.: March 1, 2011. High-Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-11-278]. Washington, D.C.: February 2011. Medicaid Managed Care: CMS's Oversight of States' Rate Setting Needs Improvement. [hyperlink, http://www.gao.gov/products/GAO-10-810]. Washington, D.C.: August 4, 2010. Medicaid: Ongoing Federal Oversight of Payments to Offset Uncompensated Hospital Care Costs Is Warranted. [hyperlink, http://www.gao.gov/products/GAO-10-69]. Washington, D.C.: November 20, 2009. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. [hyperlink, http://www.gao.gov/products/GAO-09-1004T]. Washington, D.C.: September 30, 2009. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. [hyperlink, http://www.gao.gov/products/GAO-09-957]. Washington, D.C.: September 9, 2009. Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-09-628T]. Washington, D.C.: April 22, 2009. Medicare: Thousands of Medicare Providers Abuse the Federal Tax System. [hyperlink, http://www.gao.gov/products/GAO-08-618]. Washington, D.C.: June 13, 2008. Medicaid: CMS Needs More Information on the Billions of Dollars Spent on Supplemental Payments. [hyperlink, http://www.gao.gov/products/GAO-08-614]. Washington, D.C.: May 30, 2008. Medicare: Competitive Bidding for Medical Equipment and Supplies Could Reduce Program Payments, but Adequate Oversight Is Critical. [hyperlink, http://www.gao.gov/products/GAO-08-767T]. Washington, D.C.: May 6, 2008. Improper Payments: Status of Agencies' Efforts to Address Improper Payment and Recovery Auditing Requirements. [hyperlink, http://www.gao.gov/products/GAO-08-438T]. Washington, D.C.: January 31, 2008. Medicaid Demonstration Waivers: Recent HHS Approvals Continue to Raise Cost and Oversight Concerns. [hyperlink, http://www.gao.gov/products/GAO-08-87]. Washington, D.C.: January 31, 2008. Improper Payments: Federal Executive Branch Agencies' Fiscal Year 2007 Improper Payment Estimate Reporting. [hyperlink, http://www.gao.gov/products/GAO-08-377R]. Washington, D.C.: January 23, 2008. Medicaid Financing: Long-Standing Concerns about Inappropriate State Arrangements Support Need for Improved Federal Oversight. [hyperlink, http://www.gao.gov/products/GAO-08-255T]. Washington, D.C.: November 1, 2007. Medicaid Financing: Federal Oversight Initiative Is Consistent with Medicaid Payment Principles but Needs Greater Transparency. [hyperlink, http://www.gao.gov/products/GAO-07-214]. Washington, D.C.: March 30, 2007. Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies. [hyperlink, http://www.gao.gov/products/GAO-07-59]. Washington, D.C.: January 31, 2007. Medicaid Financial Management: Steps Taken to Improve Federal Oversight but Other Actions Needed to Sustain Efforts. [hyperlink, http://www.gao.gov/products/GAO-06-705]. Washington, D.C.: June 22, 2006. Medicaid Integrity: Implementation of New Program Provides Opportunities for Federal Leadership to Combat Fraud, Waste, and Abuse. [hyperlink, http://www.gao.gov/products/GAO-06-578T]. Washington, D.C.: March 28, 2006. Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers. [hyperlink, http://www.gao.gov/products/GAO-05-656]. Washington, D.C.: September 22, 2005. Medicaid Financing: States' Use of Contingency-Fee Consultants to Maximize Federal Reimbursements Highlights Need for Improved Federal Oversight. [hyperlink, http://www.gao.gov/products/GAO-05-748]. Washington, D.C.: June 28, 2005. Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard Program Dollars Is Limited. [hyperlink, http://www.gao.gov/products/GAO-05-855T]. Washington, D.C.: June 28, 2005. Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs. [hyperlink, http://www.gao.gov/products/GAO-05-43]. Washington, D.C.: November 17, 2004. Medicaid Program Integrity: State and Federal Efforts to Prevent and Detect Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-04-707]. Washington, D.C.: July 16, 2004. Medicare: CMS Did Not Control Rising Power Wheelchair Spending. [hyperlink, http://www.gao.gov/products/GAO-04-716T]. Washington, D.C.: April 28, 2004. [End of section] Footnotes: [1] Medicaid is the federal-state program that covers acute health care, long-term care, and other services for certain low-income people. It is also one of the largest components of state budgets. In 2011, Medicaid covered approximately 70 million people and estimated expenditures totaled about $427 billion, with a federal share of $271 billion and a state share of $157 billion (numbers do not add due to rounding). Medicare is the federally financed health insurance program for persons age 65 or over, certain individuals with disabilities, and individuals with end-stage renal disease. In 2011, Medicare covered almost 49 million people at an estimated cost of about $556 billion. [2] An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111-204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). Improper payments may be a result of fraud, waste, and abuse. Fraud represents intentional acts or representations to deceive with knowledge that the action or representation could result in an inappropriate gain. Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices. [3] In its Fiscal Year 2011 Agency Financial Report, HHS calculated and reported the 3-year (2009, 2010, and 2011) weighted average national payment error rate for Medicaid of 8.1 percent. See HHS, Department of Health and Human Services FY 2011 Agency Financial Report (Washington, D.C.: Nov. 15, 2011). [4] HHS, Department of Health and Human Services FY 2011 Agency Financial Report. [5] See GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [6] While American Samoa, Guam, the Commonwealth of the Northern Mariana Islands, the United States Virgin Islands, and Puerto Rico also receive federal funds for Medicaid, this statement focuses on the 50 states and the District of Columbia, which we refer to as 51 states. [7] The Medicare program consists of four parts: A, B, C, and D. Medicare Parts A and B are known as Medicare fee-for-service (FFS). Medicare Part A covers hospital and other inpatient stays. Medicare Part B is optional, and covers hospital outpatient, physician, and other services. Medicare beneficiaries have the option of obtaining coverage for Medicare services from private health plans that participate in Medicare Advantage--Medicare's managed care program-- also known as Part C. All Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Part D, either as a stand- alone benefit or as part of a Medicare Advantage plan. [8] The products listed at the end of this statement contain detailed information on the methodologies used in our work. [9] CMS typically conducts triennial comprehensive state program integrity reviews of 16 to 17 states each year. These reviews assess the effectiveness of each state's Medicaid program integrity activities and compliance with federal statutes and regulations. The culmination of a review is a final report that details CMS's assessment of the state's program integrity effective and noteworthy practices, vulnerabilities, and compliance issues. [10] For purposes of this report, we use the term provider to include both providers and suppliers. [11] Circumstances that warrant termination include if the individual or entity owns, controls, or manages an entity that has unpaid overpayments or is affiliated with an individual or entity that has been suspended, excluded, or terminated from any state's Medicaid program. CMS and the HHS's Office of Inspector General (HHS-OIG) published a final rule regarding provider and supplier screening and enrollment on February 2, 2011, which became effective on March 25, 2011. Medicare, Medicaid, and Children's Health Insurance Programs; Additional Screening Requirements, Application Fees, Temporary Enrollment Moratoria, Payment Suspensions and Compliance Plans for Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). CMS also issued additional guidance to states in December 2011. [12] For our analysis, we included reports from the most recent comprehensive review for each of the 51 states that were available on CMS's website as of May 22, 2012--this included 5 states that were reviewed in 2011, 17 states that were reviewed in 2010, 18 states that were reviewed in 2009, and 11 states that were reviewed in 2008. [13] CMS officials told us that none of the 16 states that were reviewed during fiscal year 2011 had fully implemented these PPACA provisions. Our analysis only included the fiscal year 2011 report for 5 states that were available on CMS's website as of May 22, 2012; for the other 11 states reviewed during that fiscal year but whose reports were not available online at the time of our analysis, we included the reports from their prior reviews. [14] In these reviews, CMS also identified areas of vulnerability-- areas where changes in states' provider enrollment standards and procedures could potentially reduce the risk of fraud, waste, and abuse. [15] Some of these noteworthy practices are now required under PPACA. For example, CMS noted that 4 of the states reviewed in 2010 were already screening providers prior to enrollment against some or all of the databases required by PPACA. [16] CMS's comprehensive reviews focus on states' prepayment review processes, not on the actual edits that states have in place. [17] Pub. L. No. 111-240, § 4241(c)(3), 124 Stat. 2504, 2600. [18] See GAO, Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15, 2010). [19] The Deficit Reduction Act of 2005 required CMS to conduct postpayment audits of state Medicaid claims payments and in 2010 PPACA required states to use audit contractors to recover overpayments and identify underpayments. [20] GAO, Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States, [hyperlink, http://www.gao.gov/products/GAO-12-288T] (Washington, D.C.: Dec. 7, 2011). [21] We are currently examining the effectiveness of CMS's audits of Medicaid claims--both the federal audits and CMS's redesign of those audits, which CMS refers to as collaborative audits. Specifically, we are examining (1) the effectiveness of CMS's implementation of the national federal audit program, under which it conducted federal audits and (2) its efforts to redesign the national federal audit program, primarily through implementation of collaborative audits. We plan to issue this report in June 2012. [22] Pub. L. No. 111-148, §6411(a)(1), 124 Stat. 119,773 (codified at 42 U.S.C. § 1396a(a)(42)(B)). [23] NAMD, Rethinking Medicaid Program Integrity: Eliminating Duplication and Investing in Effective, High-value Tools (Washington, D.C.: March 2012). [24] Medicaid Program: Recovery Audit Contractors, 76 Fed. Reg. 57,808 (Sept. 16, 2011). [25] See GAO, Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-11-409T] (Washington, D.C.: Mar. 9, 2011). We noted that having Medicaid RACs report to state Medicaid agencies and CMS on the vulnerabilities they identify and having a corrective action process to address those vulnerabilities would be important to reduce Medicaid improper payments. [26] 76 Fed. Reg. 57808, 57,819. [27] 76 Fed. Reg. 5862 (Feb. 2, 2011). In discussing the final rule, CMS noted that Medicare had already employed a number of the screening practices described in PPACA to determine if a provider is in compliance with federal and state requirements to enroll or to maintain enrollment in the Medicare program. [28] PPACA specified that the enhanced screening procedures will apply to new providers and suppliers beginning 1 year after the date of enactment and to currently enrolled providers and suppliers 2 years after that date. [29] Screening may include verification of the following: Social Security number; National Provider Identifier (NPI); National Practitioner Databank licensure; whether the provider has been excluded from federal health care programs by the HHS-OIG; taxpayer identification number; and death of an individual practitioner, owner, authorized official, delegated official, or supervising physician. [30] A surety bond is a three-party agreement in which a company, known as a surety, agrees to compensate the bondholder if the bond purchaser fails to keep a specified promise. [31] The Department of Health and Human Services and the Department of Justice Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2011 (Washington, D.C.: February 2012). [32] Competitive bidding is a process in which suppliers of medical equipment and supplies compete for the right to provide their products on the basis of established criteria, such as quality and price. See GAO, Medicare: Review of the First Year of CMS's Durable Medical Equipment Competitive Bidding Program's Round 1 Rebid, [hyperlink, http://www.gao.gov/products/GAO-12-693] (Washington, D.C.: May 9, 2012). [33] Site visits for DMEPOS suppliers will continue to be conducted by the contractor responsible for their enrollment. In addition, CMS at times exercises its authority to conduct a site visit or request its contractors to conduct a site visit for any Medicare provider or supplier. [34] 42 U.S.C. § 1395m (a)(16)(B). As of October 2009, DMEPOS suppliers were required to obtain and submit a surety bond in the amount of at least $50,000. A DMEPOS surety bond is a bond issued by an entity guaranteeing that a DMEPOS supplier will fulfill its obligation to Medicare. If the obligation is not met, the surety bond is paid to Medicare. Medicare Program; Surety Bond Requirement for Suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS), 74 Fed. Reg. 166 (Jan. 2, 2009). [35] At the time of initial enrollment or revalidation of enrollment, PPACA requires providers and suppliers to disclose any current or previous affiliation with another provider or supplier that has uncollected debt; has been or is subject to a payment suspension under a federal health care program; has been excluded from participation under Medicare, Medicaid, or State Children's Health Insurance Program; or has had its billing privileges denied or revoked. [36] A compliance program is an internal set of policies, processes, and procedures that a provider organization implements to help it act ethically and lawfully. In this context, a compliance program is intended to help provider and supplier organizations prevent and detect violations of Medicare laws and regulations. The HHS-OIG has developed a series of voluntary compliance program guidance documents directed at various segments of the health care industry, such as hospitals, nursing homes, third-party billers, and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. [37] See Medicare Program Integrity: CMS Continues Efforts to Strengthen the Screening of Providers and Suppliers, [hyperlink, http://www.gao.gov/products/GAO-12-351] (Washington, D.C.: Apr. 10, 2012). [38] Licensure is a mandatory process by which a state government grants permission to an individual practitioner or health care organization to engage in an occupation or profession. [39] 42 U.S.C. § 1395y(a)(1)(A). [40] GAO, Medicare: Improvements Needed to Address Improper Payments for Medical Equipment and Supplies, [hyperlink, http://www.gao.gov/products/GAO-07-59] (Washington, D.C.: Jan. 31, 2007), Follow-up on 2011 Report: Status of Actions Taken to Reduce Duplication, Overlap, and Fragmentation, Save Tax Dollars, and Enhance Revenue, [hyperlink, http://www.gao.gov/products/GAO-12-453SP] (Washington, D.C.: Feb. 28, 2012). [41] Recovery auditing has been used in various industries, including health care, to identify and collect overpayments for about 40 years. [42] The Medicare Prescription Drug, Improvement and Modernization Act of 2003 directed CMS to conduct a demonstration of the use of RACs in identifying underpayments and overpayments, and recouping overpayments in Medicare. Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256-57. Subsequently, in December 2006 the Tax Relief and Health Care Act of 2006 required CMS to implement a national RAC program by January 1, 2010. Pub. L. No. 109-432, div. B, title III, § 302, 120 Stat. 2924, 2991 (codified at 42 U.S.C. § 1395ddd(h)). [43] A task order is a supplementary document that outlines specific expected services, supplies, or tasks to be provided under an established contract. [44] The Part D RAC can propose other issues to audit, but any issue requires prior CMS approval before implementation. CMS limits the number of new audit issues the Part D RAC can propose to a maximum of five a year. [45] GAO, Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use, [hyperlink, http://www.gao.gov/products/GAO-11-475] (Washington, D.C.: June 30, 2011). [46] We have reported that an agency should have policies and procedures to ensure that (1) the findings of all audits and reviews are promptly evaluated, (2) decisions are made about the appropriate response to these findings, and (3) actions are taken to correct or resolve the issues promptly. These are all aspects of internal control, which is the component of an organization's management that provides reasonable assurance that the organization achieves effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Internal control standards provide a framework for identifying and addressing major performance challenges and areas at greatest risk for mismanagement. GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 2001). [47] GAO, Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight, [hyperlink, http://www.gao.gov/products/GAO-10-143] (Washington, D.C.: Mar. 31, 2010). [48] [hyperlink, http://www.gao.gov/products/GAO-10-43]. [49] HHS-OIG, Addressing Vulnerabilities Reported by Medicare Benefit Integrity Contractors, OEI-03-10-00500 (December 2011). [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.