This is the accessible text file for GAO report number GAO-14-474 entitled 'Medicare Program Integrity: Increased Oversight and Guidance Could Improve Effectiveness and Efficiency of Postpayment Claims Reviews' which was released on August 13, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: July 2014: Medicare Program Integrity: Increased Oversight and Guidance Could Improve Effectiveness and Efficiency of Postpayment Claims Reviews: GAO-14-474: GAO Highlights: Highlights of GAO-14-474, a report to congressional requesters. Why GAO Did This Study: Several types of Medicare contractors conduct postpayment claims reviews to help reduce improper payments. Questions have been raised about their effectiveness and efficiency, and the burden on providers. GAO was asked to assess aspects of the claims review process. Building on GAO's July 2013 report on postpayment claims review requirements, this report examines, among other things, the extent to which CMS has (1) data to assess whether contractors conduct duplicative postpayment claims reviews, (2) requirements for contractor correspondence with providers to help ensure effective communication, and (3) strategies for coordination of claims review activities. GAO reviewed CMS's requirements for claims reviews; interviewed CMS officials, selected contractors, and provider associations; analyzed CMS data; assessed a nongeneralizable sample of 114 pieces of contractor correspondence for compliance with requirements; and assessed CMS's requirements and oversight against federal internal control standards and other guidance. What GAO Found: The Centers for Medicare & Medicaid Services (CMS) within the Department of Health and Human Services (HHS) has taken steps to prevent its contractors from conducting certain duplicative postpayment claims reviews—reviews of the same claims that are not permitted by the agency—but CMS neither has reliable data nor provides sufficient oversight and guidance to measure and fully prevent duplication. The four types of contractors GAO reviewed that examine providers' documentation to determine whether Medicare's payment was proper included: * Medicare Administrative Contractors (MAC), which process and pay claims; * Zone Program Integrity Contractors (ZPIC), which investigate potential fraud; * Recovery Auditors (RA), tasked with identifying on a postpayment basis improper payments not previously reviewed by other contractors; and; * the Comprehensive Error Rate Testing (CERT) contractor, which reviews claims used to annually estimate Medicare's improper payment rate. CMS implemented a database to track RA activities, designed in part to prevent RAs, which conducted most of the postpayment reviews, from duplicating other contractors' reviews. However, the database was not designed to provide information on all possible duplication, and its data are not reliable because other postpayment contractors did not consistently enter information about their reviews. CMS has not provided sufficient oversight of these data or issued complete guidance to contractors on avoiding duplicative claims reviews. CMS requires its contractors to include certain content in postpayment review correspondence with providers, but some requirements vary across contractor types and are not always clear, and contractors vary in their compliance with their requirements. These factors can lead to providers receiving less information about the reviews and thus decrease effective communication with them. In addition, the extent of CMS's oversight of correspondence varies across contractors, which decreases assurance that contractors comply consistently with requirements. In the correspondence reviewed, GAO found high compliance rates for some requirements, such as citing the issues leading to an overpayment, but low compliance rates for requirements about communicating providers' rights, which could affect providers' ability to exercise their rights. CMS has strategies to coordinate internally among relevant offices regarding requirements for contractors' claims review activities. The agency also has strategies to facilitate coordination among contractors, such as requiring joint operating agreements between contractors operating in the same geographic area. However, these strategies have not led to consistent requirements across contractor types or full coordination between ZPICs and RAs. GAO previously recommended that CMS increase the consistency of its requirements, where appropriate, and the HHS Office of Inspector General has recommended steps to improve coordination between ZPICs and RAs. What GAO Recommends: GAO recommends that CMS take actions to improve the efficiency and effectiveness of contractors' postpayment review efforts, which include providing additional oversight and guidance regarding data, duplicative reviews, and contractor correspondence. In its comments, the Department of Health and Human Services concurred with the recommendations and noted plans to improve CMS oversight and guidance. View [hyperlink, http://www.gao.gov/products/GAO-14-474]. For more information, contact Kathleen M. King at (202) 512-7114 or kingk@gao.gov. [End of section] Contents: Letter: Background: CMS Lacks Reliable Data to Estimate the Number of Duplicative Claims Reviews and Has Not Taken Sufficient Steps to Prevent Inappropriate Duplication: Efficiency and Effectiveness of Communications to Providers May Be Reduced by Differences and Lack of Clarity in CMS's Requirements, Contractor Compliance, and Extent of CMS's Oversight: CMS Requires Quality Assurance Processes for All Contractor Types to Help Ensure Appropriateness of Postpayment Review Decisions: CMS Has Multiple Strategies for Coordinating Postpayment Claims Reviews, but Differences in Requirements and Contractor Coordination Remain That May Hamper Effectiveness and Efficiency of Claims Reviews: Conclusions: Recommendations for Executive Action: Agency and Third Party Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Comments from the Department of Health and Human Services: Appendix III: GAO Contacts and Staff Acknowledgments: Related GAO Products: Tables: Table 1: Primary Purpose of Contractors' Postpayment Claims Reviews, Basis for Claims Selection, and Percentage of Claims Reviewed in 2012: Table 2: Examples of Similarities and Differences in CMS's Requirements for Content of Results Letters across Contractors: Table 3: CMS Requirements Applicable to the 2012 and 2013 Additional Documentation Requests (ADR) GAO Reviewed, by Contractor Type: Table 4: CMS Requirements Applicable to the 2012 and 2013 Results Letters GAO Reviewed, by Contractor Type: Figures: Figure 1: Average Percentage Compliance with CMS's Requirements for Additional Documentation Requests (ADR) in GAO Sample, by Contractor Type: Figure 2: Average Percentage Compliance with CMS's Requirements for Results Letters in GAO Sample, by Contractor Type: Figure 3: Centers for Medicare & Medicaid Services (CMS) Organizational Components That Oversee Medicare Fee-for-Service Contractors and Their Activities Related to Postpayment Claims Reviews, as of April 2014: Abbreviations: AD: additional documentation request: CERT: Comprehensive Error Rate Testing: CMS: Centers for Medicare & Medicaid Services: DME: durable medical equipment: FFS: fee-for-service: HHS: Department of Health and Human Services: HIPAA: Health Insurance Portability and Accountability Act: IPIA: Improper Payments Information Act of 2002: IRR: interrater reliability: JOA: Joint Operating Agreement: MAC: Medicare Administrative Contractor: OIG: Office of Inspector General: OMB: Office of Management and Budget: RA: Recovery Auditor: ZPIC: Zone Program Integrity Contractor: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: July 18, 2014: Congressional Requesters: In fiscal year 2014, Medicare will cover more than 50 million elderly and disabled beneficiaries at an estimated cost of $595 billion. [Footnote 1] Because of its size, complexity, and susceptibility to mismanagement and improper payments, for more than 20 years we have designated Medicare as a high-risk program.[Footnote 2] Improper Medicare payments include payments made for treatments or services that were not covered by program rules, that were not medically necessary, or that were not provided to beneficiaries in the way that they were billed to Medicare.[Footnote 3] In fiscal year 2013, the Centers for Medicare & Medicaid Services (CMS)--the agency within the Department of Health and Human Services (HHS) that administers the Medicare program[Footnote 4]--made payments for about 1.2 billion fee- for-service (FFS) claims and was estimated to have made improper payments of $36 billion in the Medicare FFS program.[Footnote 5] CMS has a goal to reduce improper payments in the Medicare program and conducts a number of activities in order to protect the integrity of the program--that is, to ensure that payments are made correctly the first time and to identify, investigate, and recoup payments made in error. One such activity is the review of FFS claims and related documentation from providers[Footnote 6] after payment has been made. These postpayment claims reviews by Medicare contractors' trained clinicians and coders can determine if a claim was paid properly and may help determine if the claim was potentially fraudulent. Currently, CMS uses several different types of contractors to conduct postpayment claims reviews: Medicare Administrative Contractors (MAC), which process and pay claims and also recoup overpayments and remediate underpayments; Zone Program Integrity Contractors (ZPIC), which investigate potential fraud;[Footnote 7] the Comprehensive Error Rate Testing (CERT) contractor,[Footnote 8] which conducts postpayment reviews as part of estimating Medicare's improper payment rate; and Recovery Auditors (RA), which conduct postpayment reviews to detect improper payments in claims not previously reviewed by staff from other contractors.[Footnote 9] In 2012, the RAs conducted 83 percent of the roughly 1.4 million postpayment claims reviews conducted that year, with MACs, ZPICs, and the CERT contractor conducting the remainder. The four types of contractors use the same general process for conducting postpayment claims reviews: they select claims, request documentation from providers to support Medicare coverage of those claims, apply Medicare coverage and coding requirements to determine if the claims were paid properly, communicate the results of their reviews to the providers, and use quality assurance processes to help ensure the quality and consistency of their reviewers' decisions. [Footnote 10] However, as we reported in July 2013, these types of contractors were established by different laws and for varying purposes, and they report to different units within CMS.[Footnote 11] This presents challenges to CMS's coordination and oversight of contractors' claims review efforts, including ensuring consistency in the claims review process, and creates the potential for the same claims to be reviewed more than once by different contractors. Further, we also reported that CMS's requirements for many aspects of the claims review process differ across the contractor types.[Footnote 12] Some of these differences may impede the efficiency and effectiveness of postpayment claims reviews and are inconsistent with federal guidelines to streamline service delivery. In July 2013, we recommended that CMS examine the postpayment review requirements for the contractors to determine those that could be made more consistent without impeding efforts to reduce improper payments. HHS concurred with the recommendations in the report and CMS officials told us that they have begun examining their requirements with the intention of increasing the consistency of requirements where possible. In addition, questions have been raised recently about whether CMS's coordination and oversight of postpayment review contractors provide adequate assurance that the reviews are effective and efficient and whether the agency is minimizing administrative burdens on providers. CMS officials indicated that they consider duplicative claims reviews to be appropriate under some circumstances. However, CMS officials consider other duplicative claims reviews to be inappropriate; any such inappropriate reviews could create an unnecessary burden on some providers and contractors. You asked us to assess several aspects of CMS's coordination and oversight of claims review activities, building on our earlier report. This report examines the extent to which (1) CMS has data to assess whether contractors conduct duplicative postpayment claims reviews and whether CMS ensures that these contractors do so only when appropriate, (2) CMS's requirements for contractor correspondence with providers help ensure effective communication, (3) CMS uses quality assurance processes to ensure that contractors' postpayment claims review decisions about whether claims were paid properly are appropriate, and (4) CMS has strategies for coordination of postpayment claims review activities among different types of contractors. For the first objective, we defined a duplicative claims review as one in which more than one contractor conducted postpayment reviews of the same claim, using associated documentation obtained from the same provider.[Footnote 13] We reviewed CMS documents, such as the Medicare Program Integrity Manual, to identify the CMS requirements for contractors to prevent inappropriate duplicative claims reviews. We reviewed relevant documentation and interviewed knowledgeable officials about CMS's Recovery Audit Data Warehouse--a database of claims CMS developed, in part, to prevent duplicative claims reviews by the RAs--to assess whether it could be used to estimate the number of times in 2012 that a contractor reviewed a claim for which an RA had also initiated a review. We assessed the Recovery Audit Data Warehouse data for this purpose by reviewing relevant documents; conducting electronic data testing to look for missing data, outliers, or obvious errors; and analyzing the data to identify potentially duplicative reviews. We also reviewed relevant Recovery Audit Data Warehouse summary data provided by CMS. We determined the data were not sufficiently reliable to estimate the number of times in 2012 that a contractor reviewed a claim for which an RA had also initiated a review, as further discussed in the report. We interviewed CMS officials from the three offices responsible for managing and overseeing the four contactor types--the Center for Medicare, Office of Financial Management, and Center for Program Integrity--about what types of duplicative claims reviews the agency considers appropriate and inappropriate, about the reliability of the data the agency had on duplication, and about the agency's efforts to limit inappropriate duplicative claims reviews. We interviewed representatives from 11 postpayment review contractors--all 4 RAs, the CERT contractor, and a nongeneralizable sample of 3 of the 6 ZPICs and 3 of the 16 MACs--to learn about any steps the contractors take to prevent duplication. (Details about how we selected our sample are in appendix I.) We also interviewed representatives from 13 associations representing Medicare FFS providers who have experienced postpayment claims reviews to learn about their concerns regarding duplicative claims reviews. Using federal internal control standards for control activities, we evaluated CMS's efforts to help ensure that contractors do not inappropriately duplicate other contractors' claims reviews. [Footnote 14] To assess the extent to which CMS's requirements for contractor correspondence with providers help to ensure effective communication with providers, we reviewed CMS manuals, such as the Medicare Program Integrity Manual, and contractors' statements of work to identify CMS's requirements for the content of the correspondence, and we confirmed those requirements with agency officials. We focused our review on two frequently used types of correspondence sent to providers during postpayment claims reviews: letters requesting documentation such as medical records from providers--called additional documentation requests (ADR)--and letters providing information on the results of the reviews, called results letters. We evaluated the extent to which CMS's requirements for contractor correspondence with providers help to ensure effective communication with providers on the basis of federal standards for internal controls [Footnote 15] as well as according to guidance developed by the Office of Management and Budget (OMB) to help agencies implement Executive Order 13571--Streamlining Service Delivery and Improving Customer Services.[Footnote 16] We interviewed CMS officials and representatives from postpayment review contractors and provider associations about contractor correspondence. We collected and analyzed a nongeneralizable sample of 114 letters from the contractors in our sample to assess their compliance with CMS requirements. (Details about how we selected the correspondence and assessed it for compliance with CMS requirements are in appendix I.) We reviewed CMS's processes for overseeing contractor correspondence against an internal control standard for monitoring quality.[Footnote 17] To ascertain CMS's procedures for contractor oversight related to correspondence, we reviewed CMS documents, such as manuals and contractors' statements of work, and interviewed CMS officials. To examine how CMS uses quality assurance processes to ensure that contractors' postpayment claims review decisions about whether claims were paid properly are appropriate, we reviewed CMS documents, such as manuals and contractors' statements of work, to identify relevant CMS requirements and agency efforts to monitor postpayment reviews. We also interviewed CMS officials and representatives from postpayment review contractors about quality assurance efforts, and representatives of provider associations about contractors' claims review decisions. We assessed CMS's requirements and the agency's monitoring efforts using the standards outlined in the federal internal control standards for monitoring.[Footnote 18] To assess the extent to which CMS has strategies to coordinate postpayment claims review activities among the different types of contractors, we reviewed CMS manuals and contractors' statements of work to identify CMS's requirements and practices for (1) coordinating internally among the three CMS offices that oversee postpayment review contractors, and (2) coordinating contractors' postpayment claims review activities. We also interviewed CMS officials and representatives from postpayment review contractors about CMS's coordination efforts. We evaluated CMS's requirements and practices for coordinating internally and coordinating its contractors' postpayment claims review activities using prior GAO work on practices that can help federal agencies collaborate effectively.[Footnote 19] We conducted this performance audit from April 2013 to July 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Contractors have a long-standing and essential role in administering the Medicare program, including conducting program integrity activities, such as postpayment claims reviews, which are integral to protecting the Medicare program from improper payments or fraud. The four types of contractors we examined conducted about 1.4 million claims reviews that involved examining documentation sent in by providers in 2012, which represented less than one percent of all FFS claims in that year. Four Types of Contractors That Conduct Postpayment Claims Reviews: MACs conduct postpayment claims reviews on a small percentage of paid claims to determine if the payments were proper based on the underlying documentation. MACs use the findings from postpayment claims reviews to help prevent future payment errors, for example, by reviewing claims received from specific providers or for specific services with a history of improper payments to determine whether additional action is needed to prevent similar improper payments in the future.[Footnote 20] As of February 2014, 12 A/B MACs processed Medicare Part A and Part B claims from providers in each of 12 jurisdictions nationwide, and 4 DME MACs processed DME claims from providers in each of 4 jurisdictions nationwide.[Footnote 21] In 2012, A/B and DME MACs conducted 84,070 postpayment claims reviews,[Footnote 22] or 6 percent of about 1.4 million total postpayment claims reviews conducted that year.[Footnote 23] The mission of the ZPICs is to identify and investigate potentially fraudulent FFS claims and providers[Footnote 24] in each of seven geographic jurisdictions, which are called zones.[Footnote 25] They use several methods to investigate potentially fraudulent claims and providers, including postpayment claims reviews. In 2012, ZPICs conducted 107,621 postpayment claims reviews, or 8 percent of the total postpayment claims reviews that year.[Footnote 26] The CERT contractor conducts postpayment claims reviews on a nationwide random sample of claims, which are used to annually estimate the national Medicare FFS improper payment rate. This helps CMS comply with legal requirements for improper payment reporting. [Footnote 27] These reviews are used to estimate the national Medicare improper payment rate, and to estimate the improper payment rate for each MAC and by type of service and provider. In 2012, the CERT contractor conducted 41,396 postpayment claims reviews used to estimate the improper payment rate, or 3 percent of the total postpayment claims reviews conducted that year. The mission of the RAs is to conduct postpayment claims reviews to identify improper payments not previously identified through MAC claims processing or other contractors' reviews. Following a demonstration of recovery auditing required by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, the Tax Relief and Health Care Act of 2006 established the National RA program.[Footnote 28] Use of RAs expands the capacity for claims reviews without placing additional demands on CMS's budget, because the RAs are paid from funds recovered rather than appropriated funds. As a result of lessons learned during the RA demonstration project and to establish tighter controls on RAs, CMS imposed certain postpayment requirements unique to the RAs when it implemented the national program that it has not imposed on the other contractors. For example, prior to widespread use, RAs must submit to CMS for review and approval descriptions of the types of claims that they propose to review. CMS expects the RAs to select only those claims with the highest risk of improper payments. RAs must also submit the basis for assessing whether the claims for those services are proper. CMS established national RA operations in 2009 with one RA in each of four regions that together cover the United States. Federal law requires CMS to pay RAs on a contingency basis from Medicare overpayments recouped.[Footnote 29] However, if an RA's overpayment determination is overturned on appeal, the RA is not paid for that claim. In contrast, MACs, ZPICs, and the CERT contractor are paid on the basis of the costs for the tasks performed. CMS reported that overpayments collected from the RAs increased from about $75 million in fiscal year 2010 to about $2.29 billion in fiscal year 2012. In 2012, the RAs conducted over 1.1 million postpayment claims reviews, or 83 percent of the total postpayment claims reviews that year. Postpayment Claims Review Process: CMS provides guidance to its contractors on how they should analyze data to select claims for review. Within that guidance, contractors select the specific claims to review. Each of the four types of contractors selects claims for postpayment claims review using somewhat different bases for selection. (See table 1.) The potential for duplicative reviews exists because claims may be selected by more than one contractor. CMS officials told us that, in some cases, duplication is appropriate. For example, CMS officials told us that the CERT contractor may review a claim that has already been reviewed by another contractor because it must select a random sample of claims to estimate the Medicare improper payment rate. Table 1: Primary Purpose of Contractors' Postpayment Claims Reviews, Basis for Claims Selection, and Percentage of Claims Reviewed in 2012: Primary purpose of contractor claims reviews; Contractor type: Medicare Administrative Contractor (MAC): To better ensure payment accuracy and better ensure that providers with a history of a sustained or high level of billing errors comply with Medicare billing requirements; Zone Program Integrity Contractor (ZPIC): To identify and investigate patterns of billing that indicate potentially fraudulent claims and providers; Comprehensive Error Rate Testing (CERT) Contractor: To annually estimate the national Medicare fee-for-service (FFS) improper payment rate; Recovery Auditor (RA): To identify Medicare FFS claim underpayments and overpayments not previously identified through MAC claims processing or other contractor reviews. Basis for selecting claims for postpayment review; Contractor type: Medicare Administrative Contractor (MAC): Claims from providers with a history of improper billing; Data analyses of paid claims to identify patterns of payments that may be improper; Zone Program Integrity Contractor (ZPIC): Claims submitted by providers flagged as high risk by CMS's Fraud Prevention System; Referrals from other contractors; Fraud hotline; Data analyses of paid claims to identify patterns of billing by a provider or group of providers that suggests potential fraud; Comprehensive Error Rate Testing (CERT) Contractor: Random sample selected from claims processed; Recovery Auditor (RA): Data analyses of all paid claims to identify services with payments most likely to be made improperly; CMS approves the RAs' selection of services and the coverage and payment criteria to be applied to them in advance of review. Percentage of total postpayment claims reviews conducted in 2012[A]; Contractor type: Medicare Administrative Contractor (MAC): 6%[B]; Zone Program Integrity Contractor (ZPIC): 8%[C]; Comprehensive Error Rate Testing (CERT) Contractor: 3%; Recovery Auditor (RA): 83%. Source: GAO analysis of CMS information. GAO-14-474. [A] These figures are based on the number of MAC, ZPIC, and CERT contractor reviews conducted in calendar year 2012 and RA reviews conducted in fiscal year 2012, and do not reflect about 1 million automated postpayment claims reviews conducted by RAs that identified improper payments that year. [B] Reviews completed by the MACs in 2012 do not include the reviews performed by the three legacy contractors--two fiscal intermediaries and one carrier--that continued to process claims as of June 2013. Fiscal intermediaries and carriers were responsible for claims administration prior to the establishment of the MACs. [C] Reviews by ZPICs also include those performed by four program safeguard contractors operating in one of the seven ZPIC zones. [End of table] Once a contractor selects a claim for review, the contractor notifies the provider that a particular claim is under postpayment review and requests documentation from the medical record to substantiate the claim. When the contractor receives the documentation, a trained clinician or coder evaluates the documentation in light of all applicable Medicare coverage policy and coding guidelines to determine whether the payment for the services or items claimed was proper. [Footnote 30] If a MAC or another contractor determines that an overpayment was made, the MAC will seek repayment and send the provider what is referred to as a demand letter. In the event of an underpayment, the MAC will return the balance in a future remittance. Providers may appeal the contractors' determinations. Recovery Audit Data Warehouse: CMS developed the Recovery Audit Data Warehouse to track RA review activities and to prevent RAs from duplicating other contractors' claims reviews. Since most of the postpayment claims reviews were conducted by RAs, RA review would be most likely to cause any potential duplications. To prevent RAs from duplicating reviews, the MACs, ZPICs, the CERT contractor, and other entities can enter the claims they have reviewed into the Recovery Audit Data Warehouse, and the database stores them as excluded claims (or exclusions).[Footnote 31] Exclusions are permanent, meaning that excluded claims are not supposed to ever be available for review by the RAs. In addition, the ZPICs and law enforcement entities, such as the HHS Office of Inspector General (OIG), can upload claims into the Recovery Audit Data Warehouse that they may, but not necessarily will, select for postpayment review as part of a fraud investigation and the database stores them as suppressions.[Footnote 32] While a claim is suppressed, it is unavailable for RA review. When a ZPIC or law enforcement agency concludes its investigation, the suppressions are required to be lifted. CMS then requires formerly suppressed claims for which medical records were requested to be excluded and thus become ineligible for RA review; all other formerly suppressed claims are to be released for possible future postpayment review. CMS requires ZPICs and law enforcement agencies to renew their suppressions every 12 months. If not renewed, the Recovery Audit Data Warehouse is to automatically release the suppressed claims. Before an RA begins postpayment claims reviews, it enters the claims it is considering for review into the Recovery Audit Data Warehouse. The database then checks to see if any of the claims the RA entered match the excluded or suppressed claims already stored in the database. If there is a match, the claim is not available for the RA to review and the Recovery Audit Data Warehouse will not allow the RA to enter any additional information about the claim. Although the other postpayment review contractors also are able to check the Recovery Audit Data Warehouse to see if the claims they are considering for review have already been reviewed by other contractors, the database is intended primarily to prevent RAs from conducting duplicative reviews. According to CMS officials, the amount of duplicative claims reviews among the four types of contractors is likely to be very small. Criteria for Assessing Efficient and Effective Postpayment Claims Review Activities: Internal controls can help ensure that contractors are conducting postpayment claims reviews efficiently and effectively. Internal controls are the plans, methods, and procedures used to meet an organization's mission, goals, and objectives, and help provide reasonable assurance that an organization achieves effective and efficient operations.[Footnote 33] For example, monitoring helps agencies ensure that contractor activities follow agency requirements. CMS requirements for contractors performing postpayment claims reviews and the manner in which the agency delegates authority and responsibility through these requirements help establish the control environment and control activities. Contractor requirements also establish the mechanisms that contractors use to communicate and interact with providers. Ineffective or inefficient requirements for claims reviews or insufficient monitoring and oversight create the risk of generating false findings of improper payments and an unnecessary administrative and financial burden for Medicare- participating providers and the Medicare program. The process of postpayment claims review requires contractors to interact and communicate with Medicare providers that directly provide medical services to beneficiaries. Executive Order 13571--Streamlining Service Delivery and Improving Customer Services--was issued in April 2011 to improve government services to individuals and private entities by requiring agencies to develop customer service plans in consultation with OMB.[Footnote 34] OMB issued implementing guidance for agencies for those services that the agencies plan to focus on improving.[Footnote 35] The guidance calls on agencies to improve customers' experiences by a number of activities, including developing a process for ensuring consistency across the agency's interactions with customers and coordinating with other agencies serving the same customers, as well as identifying opportunities to use common materials and processes. Collaboration is important when multiple contractors that conduct similar activities are overseen by different CMS units. Previous GAO work has identified practices that can help federal agencies collaborate effectively when they work together to achieve goals.[Footnote 36] This work highlighted, for example, the importance of agreeing on roles and responsibilities; establishing compatible policies, procedures, and other means to operate across organizational boundaries; and establishing mutually reinforcing or joint strategies to help align activities, processes, and resources to achieve a common outcome. These collaboration practices can also be useful when multiple offices within an agency--or an agency's contractors--work together toward a common purpose. CMS Lacks Reliable Data to Estimate the Number of Duplicative Claims Reviews and Has Not Taken Sufficient Steps to Prevent Inappropriate Duplication: CMS lacks reliable data to estimate the number of duplicative claims reviews that are conducted. The Recovery Audit Data Warehouse was not designed to estimate the number of duplicative reviews among all four types of contractors, and not all contractors have been entering information consistently into the database. CMS has not monitored contractors' data entry into the Recovery Audit Data Warehouse to ensure that it is complete and correct. CMS also has not issued complete guidance for MACs and ZPICs on whether it is appropriate for them to conduct duplicative reviews. CMS Lacks Reliable Data and Does Not Sufficiently Oversee Data Entry to Avoid Inappropriate Duplication: CMS does not have reliable data to estimate the total number of duplicative claims reviews by all four types of contractors. In part, this is because CMS did not design the Recovery Audit Data Warehouse to estimate the total number of duplicative reviews. The RAs performed more than 80 percent of the claims reviews in 2012 and the Recovery Audit Data Warehouse was designed to track RA claims review activities and to prevent RAs from duplicating other contractors' claims reviews; it was not designed to track and prevent duplicate claims reviews by the other three contractor types. For example, the Recovery Audit Data Warehouse does not show whether contractors other than RAs, such as a MAC and a ZPIC, duplicated each others' claims reviews. Therefore, the Recovery Audit Data Warehouse data are not sufficient and reliable for accurately estimating the number of duplicative reviews by all four types of contractors. Another reason the Recovery Audit Data Warehouse cannot be used to estimate the amount of duplication is that not all of the four types of contractors consistently enter data into the database. For example, in response to our analysis that showed anomalies in the distribution of apparently duplicated claims, CMS officials told us that some MACs have been entering data from appeals reviews into the Recovery Audit Data Warehouse as exclusions.[Footnote 37] The officials noted that if Recovery Audit Data Warehouse data were used to estimate duplication, claims reviews for which MACs entered appeals of claims as exclusions would appear to be duplicative reviews. Similarly, we found that, in 2012, more than half of the ZPICs did not enter claims they reviewed into the Recovery Audit Data Warehouse as exclusions, which makes the database less effective in preventing the RAs from duplicating other contractors' claims reviews. CMS provided data to us that showed that five of the six ZPICs had not entered any claims into the Recovery Audit Data Warehouse as exclusions in 2012, although these ZPICs had performed postpayment claims reviews. [Footnote 38] CMS officials told us they do not monitor contractors' entry of exclusions and suppressions to ensure this information is accurate or complete, although they recognized, before we examined the Recovery Audit Data Warehouse exclusion data with CMS, that some ZPICs may not enter claims they review as exclusions. These officials stated that if ZPICs did not exclude these claims, they would be available for an RA to review, which could lead to inappropriate duplication.[Footnote 39] CMS officials told us that they had held meetings with all of the ZPICs to educate them about the available options in the Recovery Audit Data Warehouse that could augment their antifraud activities. CMS's lack of oversight of exclusions and suppressions may hinder the Recovery Audit Data Warehouse's effectiveness in preventing RAs from duplicating claims reviews. Representatives from RAs we spoke with told us duplication has occurred because other contractors did not enter exclusions and suppressions into the Recovery Audit Data Warehouse. For example, representatives from one RA reported that, in 2011, it had to halt reviews on 2,000 claims because the ZPIC had not informed the RA of an ongoing investigation either by suppressing affected claims in the Recovery Audit Data Warehouse or through any other methods of coordination. Checking the accuracy of data is part of a strong internal control environment and provides an agency with assurance that the data needed for operations are reliable and complete.[Footnote 40] CMS Has Issued Guidance for Some but Not All Contractors about When Duplicative Reviews Are Permitted: CMS has issued guidance for RAs and the CERT contractor about whether they may conduct duplicative claims reviews. CMS's Medicare Program Integrity Manual states that RAs are prohibited from reviewing claims that have been reviewed by other contractors.[Footnote 41] In contrast, CMS's manual for the CERT contractor states that it should select and review a random sample of claims regardless of whether they have been reviewed by other contractors, in order to establish the Medicare improper payment rate accurately. However, CMS has not developed complete guidance for MACs and ZPICs about whether they are permitted to duplicate other contractors' claims reviews. Although a CMS official told us that MACs are not permitted to conduct duplicative reviews and are required to check the Recovery Audit Data Warehouse to prevent duplication, CMS guidance states only that MACs are not permitted to duplicate the ZPICs' claims reviews and does not address whether MACs are permitted to duplicate RA claims reviews. The guidance also does not address whether MACs are expected to check the Recovery Audit Data Warehouse to prevent duplication.[Footnote 42] Furthermore, representatives from two of the three MACs we spoke with believed that CMS permitted them to duplicate some contractors' reviews. A CMS official stated that clear guidance could be helpful for contractors. In the absence of complete guidance, officials from CMS and representatives from a ZPIC and MAC differed in their understanding of whether ZPICs could conduct duplicative reviews. CMS officials, including those who oversee ZPICs, provided conflicting information about whether CMS permits ZPICs to conduct duplicative reviews, and CMS officials were unable to provide guidance to clarify whether duplication is allowed.[Footnote 43] Representatives from a ZPIC and some CMS program integrity officials told us that CMS permits ZPICs to conduct duplicative claims reviews because ZPICs must be able to review any claim they deem necessary to investigate potential fraud. However, CMS program integrity officials told us that ZPICs may not duplicate reviews conducted by RAs or MACs because overpayment for an improperly paid claim cannot be collected twice. Written guidance stating explicitly which contractors may conduct duplicative claims reviews and when the different contractor types should check the Recovery Audit Data Warehouse to avoid duplication is important to prevent inappropriate duplication among the contractors and to minimize confusion among CMS staff, CMS contractors, and stakeholders, such as providers, about what is permitted. It is also consistent with federal internal control standards,[Footnote 44] which call for agencies to establish control activities that enforce management's directives. Without complete guidance for all postpayment claims review contractors about when duplicative reviews are permitted, CMS does not have assurance that MACs and ZPICs understand when and how to avoid duplicative reviews. Absence of such guidance can also leave providers confused about whether a duplicative review is appropriate. Efficiency and Effectiveness of Communications to Providers May Be Reduced by Differences and Lack of Clarity in CMS's Requirements, Contractor Compliance, and Extent of CMS's Oversight: Several factors may reduce the efficiency and effectiveness of contractors' correspondence with providers. First, CMS's requirements differ across contractors for the content of two types of correspondence contractors often send to providers during postpayment review, and therefore contractors do not have to convey the same type of information to providers. Second, for the correspondence we reviewed, we found that contractors did not comply consistently with all applicable requirements. Third, the extent of CMS's oversight of contractor correspondence differed across contractor types. CMS's Requirements for Correspondence Content Vary across Contractor Types and Are Not Always Clear: CMS requires contractors to include certain content in the correspondence they send to providers, but the requirements sometimes differ. All four types of contractors send providers an ADR if a provider's claim is selected for postpayment review. Upon completing their review, MACs, ZPICs, and RAs notify providers of their findings in correspondence we refer to as results letters.[Footnote 45] The CERT contractor does not send results letters.[Footnote 46] CMS's requirements for these types of correspondence include the reason the claim was selected for review, the information the provider must submit, the contractor's findings, and steps providers may take in response to those findings. Some CMS requirements for correspondence are similar across all contractor types. For example, CMS requires that ADRs for all contractors specify the number of days the provider has to submit documentation in response to a contractor's request. Similarly, CMS requires that all contractors' results letters regarding an overpayment describe the issues leading to the overpayment as well as any recommended corrective actions the provider can take to avoid similar billing errors in the future. However, other CMS requirements for correspondence differ by contractor type. For example, ADRs from MACs, RAs, and the CERT contractor, but not those from ZPICs, must give providers the option of submitting documentation via paper, fax, CD/DVD, or electronically. Similarly, results letters from MACs and ZPICs regarding claims that were overpaid are required to include the overpayment amount for each claim, but CMS officials told us RAs are not required to include these amounts.[Footnote 47] MACs' and ZPICs' results letters are required to include the signature of a person to contact with inquiries about the correspondence, whereas RAs' results letters are not required to contain this information. (Table 2 shows examples of CMS's requirements for results letters.) Table 2: Examples of Similarities and Differences in CMS's Requirements for Content of Results Letters across Contractors: Required element: Letter must clearly document a reason for conducting the review or the rationale for good cause for having reopened the claim or claims; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: If an overpayment is identified, include a narrative description of the issues leading to the overpayment as well as any recommended corrective actions; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: If any claim in the letter has an overpayment, include the overpayment amount for each claim; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: If an overpayment is due, include an explanation of the procedures for recovery, including Medicare's right to recover overpayments and charge interest on debts not repaid within 30 days; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): No[B]. Required element: Include information about the provider's right to appeal; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No[C]; Recovery Auditor (RA): No[B]. Required element: Include the signature of a person responsible for handling inquiries about the correspondence; Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[D]. Source: GAO analysis of CMS information. GAO-14-474. Notes: ZPICs have discretion to determine whether to issue a results letter, depending on the status of their investigation. The Comprehensive Error Rate Testing (CERT) contractor does not send results letters. If the CERT contractor determines that an improper payment has been made, it informs the MAC, which then communicates the improper payment information to the provider. [A] MACs assumed responsibility from the RAs for sending providers the demand letters resulting from RA reviews, effective January 1, 2012. CMS officials told us that requirements related to payment amounts no longer apply to the RAs' results letters. [B] CMS officials told us these requirements are not applicable to the RAs because MACs will include recoupment and appeals information in their demand letters. However, the requirements are in the RA statement of work that was in effect at the time of our review. [C] The Medicare Program Integrity Manual's list of results letter requirements includes one statement indicating that the MACs and ZPICs must include appeals information in their results letters, as well as a different statement right next to it indicating that only MACs must do so. In response to this discrepancy, CMS officials told us this requirement was not applicable to ZPICs. [D] This requirement is included in the Medicare Contractor Beneficiary and Provider Communications Manual, which CMS officials indicated applies to MACs and ZPICs but not RAs. [End of table] In addition, inconsistencies in CMS's guidance made it difficult to identify some of the requirements and their applicability. CMS conveys requirements through statements of work contained in the contracts, and in manuals that provide additional guidance on what contractors must do and that may be specifically referenced in a statement of work. For ADRs and results letters, we identified requirements in the RA statement of work (which applies to RAs), the Medicare Program Integrity Manual, the Medicare Contractor Beneficiary and Provider Communications Manual (which applies to MACs and ZPICs), and the CERT Manual and CERT statement of work (which apply to the CERT contractor).[Footnote 48] These documents sometimes contained differing guidance about the information the correspondence from different contractors must include. For example, the RA statement of work in effect during our review specifically required RA results letters to explain the procedures for recovering any overpayments and providers' rights to appeal, but the Medicare Program Integrity Manual did not include these requirements for RAs. CMS officials told us that the RA statement of work was the primary guiding document for RA requirements; however, they also told us that they were not requiring the RAs to include some of the content requirements listed for results letters in the RA statement of work.[Footnote 49] As another example, the Medicare Program Integrity Manual contains some differing guidance to the MACs about their ADRs. While chapter 3 of the Medicare Program Integrity Manual instructs MACs to notify providers in ADRs that they have 45 days to respond to the request for documentation, this manual also includes a sample ADR that MACs may use for postpayment review that includes language informing providers that they have 30 days to respond to the documentation request.[Footnote 50] In addition, the Medicare Program Integrity Manual's list of results letter requirements includes one statement indicating that the MACs and ZPICs must include appeals information in their results letters, as well as a different statement right next to it indicating that only MACs must do so.[Footnote 51] Without consistent and specific requirements for the content across contractor types, CMS does not have assurance that, consistent with federal internal control standards, providers receive similar and sufficient information during claims reviews to understand their responsibilities in responding or their rights if their claims are denied.[Footnote 52] Establishing consistent processes to communicate with providers is also aligned with OMB guidance to agencies to streamline service delivery and improve customer service, which can increase administrative efficiency.[Footnote 53] Further, inconsistencies in CMS's requirements in contractors' statements of work and the Medicare Program Integrity Manual could make it difficult for contractors to easily identify the most current set of requirements that apply to contractor correspondence.[Footnote 54] CMS officials told us in October 2013 that the agency has begun to explore making requirements for the content of ADRs more consistent across contractor types, such as by standardizing the introduction for the letters used by each contractor. Contractors Did Not Consistently Comply with Requirements for Correspondence Content: Compliance with CMS requirements was not consistent across contractor types for the correspondence we reviewed. Our examination of 67 ADRs found that, on average, contractor ADRs overall complied with 94 percent of their applicable CMS requirements, but the compliance rate varied by contractor type.[Footnote 55] RAs had the highest compliance rate (100 percent) and the CERT contractor had the lowest rate (86 percent) (see figure 1).[Footnote 56] Unlike the ADRs from the other three contractor types, the ADRs that the CERT contractor sends to providers are uniform and based on form letters written by CMS. (See appendix I for a list of the requirements we analyzed for each type of contractor and each type of correspondence.) Figure 1: Average Percentage Compliance with CMS's Requirements for Additional Documentation Requests (ADR) in GAO Sample, by Contractor Type: [Refer to PDF for image: horizontal bar graph] Medicare Administrative Contractor: 92%; N=24; Zone Program Integrity Contractor: 91%; N=14; Comprehensive Error Rate Testing contractor: 86%; N=6; Recovery Auditor: 100%; N=23. Source: GAO analysis. GAO-14-474. Note: The percentages are for average compliance for each type of contractor with the number of requirements for their correspondence. N represents the number of ADRs analyzed for each contractor type. [End of figure] While all four types of contractors met most or all of their ADR requirements, compliance sometimes varied by requirement. For example, though representatives of several provider associations have reported that providers do not understand the reason their claims were selected for review, all the MAC and RA ADRs we reviewed complied with applicable requirements to identify the basis for the claim's selection. All of the contractors' ADRs that were required to include instructions for how to submit documentation to support the claim also complied. However, not all contractor ADRs complied with a requirement that had the potential to affect the timeliness of providers' responses to the ADRs: about 50 percent of the MAC ADRs, 30 percent of the ZPIC ADRs, and 100 percent of the CERT contractor ADRs gave providers fewer than the required number of days to submit documentation.[Footnote 57] We also found differences in compliance with CMS's requirements for results letters. Our examination of 47 results letters found that, on average, contractor results letters overall complied with 79 percent of their respective CMS requirements, but the compliance rate varied by contractor type (see figure 2).[Footnote 58] All three contractor types that issue results letters were 100 percent compliant with the requirement to have a description of the issues leading to an overpayment as well as any recommended corrective actions. However, we found low compliance rates for some contractors for several requirements related to communicating providers' rights and Medicare repayment issues. For example, for MACs, only 27 percent of the results letters we reviewed informed providers of their right to request an extended repayment schedule in the case of an overpayment, and just 55 percent of MAC results letters informed providers of their right to submit a financial rebuttal statement within 15 days of the date on the letter.[Footnote 59] Twenty-seven percent of MAC results letters explained the procedures for recovering overpayments, including Medicare's right to recover and charge interest on overpayments. In addition, none of the RAs' results letters complied with the requirement to document in the letter a reason for conducting the review or the rationale for good cause for having reopened the claims; instead, the letters directed the provider to the contractor's website or to the ADR sent by the contractor previously.[Footnote 60] Also, 40 percent of the ZPICs' results letters complied with the requirement to cite a reason for noncoverage or incorrect coding for each claim. Figure 2: Average Percentage Compliance with CMS's Requirements for Results Letters in GAO Sample, by Contractor Type: [Refer to PDF for image: horizontal bar graph] Medicare Administrative Contractor: 76%; N=22; Zone Program Integrity Contractor: 85%; N=9; Recovery Auditor: 82%; N=16. Source: GAO analysis. GAO-14-474. Note: The percentages are for average compliance for each type of contractor with the number of requirements for their correspondence. N represents the number of results letters analyzed for each contractor type. [End of figure] Contractors' inconsistent compliance with CMS's correspondence requirements may lead to provider confusion and increased administrative burden, and is not consistent with federal internal control standards to have control activities to ensure that management's directives are carried out and to monitor the performance of agency activities.[Footnote 61] For example, several provider associations indicated that it was burdensome to pull together complete documentation quickly. Therefore, giving providers response times that are shorter than required in ADRs can add to providers' burden. In addition, it can lead to less efficient claims reviews--and potentially unnecessary claims denials--if providers do not submit complete information (or respond) within the shorter time frame. When providers are not notified of their rights in results letters as required, they may have more difficulty exercising their rights within required time frames, which could have financial consequences for them. Extent of CMS Oversight of Correspondence Differs by Contractor Type: The extent of CMS oversight of the content of contractors' postpayment review-related correspondence differs by type of contractor. For MACs, CMS staff may review correspondence with providers during their annual evaluations of each MAC's performance. CMS staff indicated that they do not review ZPIC postpayment claims review correspondence. An independent RA validation contractor that evaluates RAs' claims reviews also assesses each RA's correspondence for clarity and accuracy by reviewing results letters associated with reviews included in a random sample of up to 100 claims per RA per month, and CMS officials noted that they review a sample of the RA correspondence during quarterly RA performance assessments. According to CMS officials, the CERT contractor's ADRs are uniform and based on form letters written by CMS. CMS officials stated that they did not believe they needed to monitor the content of these ADRs since most of the text was a standard template written by CMS. Our findings that contractors did not comply consistently with CMS's requirements for the correspondence we reviewed indicate that CMS's monitoring efforts in this area are not adequate to meet federal internal control standards to monitor contractors' activities. Without adequate monitoring of contractors' compliance with correspondence content, CMS's internal control is weakened and the agency does not have assurance that the correspondence is accurate and includes all of the content required.[Footnote 62] CMS Requires Quality Assurance Processes for All Contractor Types to Help Ensure Appropriateness of Postpayment Review Decisions: CMS requires quality assurance processes for each of the contractor types to help ensure the accuracy of their claims review decisions about whether claims were paid properly, but the processes differ by contractor type. These processes can be internal, external, or both. CMS requires the four contractor types we reviewed to have some type of internal quality assurance process to verify the accuracy of their claims review decisions about whether claims were paid properly. In addition, for the MACs, ZPICs, and RAs, CMS has implemented external validation reviews in which staff from CMS or an independent contractor review a selection of those contractors' claims reviews. All Four Contractor Types Must Use Internal Quality Assurance Processes: CMS requires the four contractor types to establish an internal quality assurance process for verifying the accuracy of their claims review decisions about whether the claim was proper to pay because the service was medically necessary and billed properly according to Medicare coverage and billing rules. In addition, CMS specifically requires the MACs, ZPICs, and CERT contractor to conduct interrater reliability (IRR) assessments--assessments that compare multiple decisions by their staff reviewers about the same claim to determine the extent of their agreement about whether the claim was paid properly or not--as part of their overall quality assurance efforts. [Footnote 63] CMS officials told us that for the new RA contracts the agency expects to award in 2014, CMS will also require RAs to conduct IRR assessments as part of their efforts.[Footnote 64] Contractors have discretion in how they conduct their IRR assessments, according to CMS officials.[Footnote 65] CMS monitors the results of contractors' IRR assessments to varying degrees but has not collected that information routinely from all contractor types. CMS officials said they review monthly reports from the CERT contractor about its IRR assessment results. CMS officials also told us they expect to see a roughly 98 percent accuracy rate for each month's IRR assessment, which they said the CERT contractor usually achieves. Beginning with the new contracts expected to be awarded in 2014, RAs also will be expected to provide monthly information to CMS about their IRR assessments, according to CMS officials. In contrast, CMS does not routinely collect information from the MACs or ZPICs about their IRR assessments. According to CMS officials, CMS does not require MACs to report regularly on their IRR assessments, but agency officials may, at their discretion, discuss MACs' IRR assessments during their routine on-site visits with MACs. [Footnote 66] CMS revised its requirements in October 2013 to state that MACs must report their IRR assessment results to CMS as directed, and CMS officials indicated that they will request MACs' IRR information on an as-needed basis rather than requiring all MACs to provide specific IRR information on a predetermined schedule. Similarly, CMS officials may discuss ZPICs' IRR assessments during ZPICs' annual performance assessments or at other times, but have not collected information routinely about ZPICs' IRR assessment results, according to CMS officials we spoke with.[Footnote 67] CMS Has Some External Validation Reviews for Three of Four Contractor Types: CMS has implemented additional quality assurance processes in which the MACs, ZPICs, and RAs have a sample of their claims reviews undergo external validation by CMS or an independent contractor, using clinical staff or coders, to assess the appropriateness of the contractors' claims review decisions about whether the claim was paid properly according to Medicare coverage and billing rules. These validation efforts differ in frequency and process. While CMS has not implemented a separate external validation of the CERT contractor's claims reviews, CMS officials told us that they have several other mechanisms to gauge the appropriateness of those reviews. MACs: According to CMS officials, in 2010, CMS implemented the Accuracy Project to learn more about MACs' claims review processes and decision making, and to identify areas in which contractor training might be needed or where CMS could clarify or modify its guidance. For this project, a team of CMS clinical staff conducted validation reviews for a selection of MACs' claims reviews. In 2010 and 2011, CMS reviewed more than 200 claims per year, and in each year CMS staff concurred with all but one of the MACs' claims review decisions. In 2012, CMS increased the number of Accuracy Project staff and from September 2012 through February 2014 reviewed 1,160 claims and concurred with over 90 percent of the MACs' decisions, according to CMS. CMS officials noted that this has been a limited effort to date, most recently focused on DME claims--specifically, power mobility devices.[Footnote 68] CMS officials said they plan to broaden this effort to include other services. For this broader effort, CMS plans to have the CERT contractor conduct validation reviews of a random sample of 100 claims per MAC. The CERT contractor will review the documentation the MACs used to reach decisions for those claims, such as medical records, and evaluate the accuracy of MACs' decisions by determining whether the MACs properly paid, adjusted, or denied the claims on the basis of Medicare coverage, coding, and billing rules. In April 2014, CMS officials told us that the CERT contractor had just begun conducting validation reviews for several MACs. ZPICs: To assess the appropriateness of the ZPICs' claims reviews, CMS staff examine a sample of those reviews when they conduct each ZPIC's annual performance assessment. For each ZPIC, CMS staff select 5 investigations or cases of particular providers and then select 5 claims for each investigation or case, for a total of 25 claims. [Footnote 69] CMS clinical staff then assess whether the ZPICs' decisions were consistent with CMS guidance and clinical judgment. According to CMS officials, they typically find that ZPICs' claims reviews decisions are satisfactory. RAs: CMS has established an external validation process in which the independent RA validation contractor uses licensed clinical professionals and coders to assess the quality of each RA's claims reviews. Each month the RA validation contractor reviews a random sample of up to 400 RA-reviewed claims (up to 100 claims per RA) that are proportional to the provider types that each RA determined had been paid improperly. CMS officials told us that the RA validation contractor sends monthly reports to CMS on the RAs' claims review accuracy rates. According to CMS's most recently published report to Congress on the RAs, the cumulative accuracy rates for fiscal year 2012 were between about 93 and 97 percent for the RAs.[Footnote 70] CERT contractor: While CMS does not require a separate external validation of the CERT contractor's claims reviews, CMS officials told us that the expansion of the Accuracy Project to involve CERT contractor reviews of MACs' claims will give them increased ability to examine the CERT contractor's claims review decisionmaking. They added that they review the CERT contractor's decisions on an as-needed basis, such as when MACs dispute the CERT contractor's findings of the MACs' improper payment rates, or if a provider raises a concern to CMS about a CERT contractor decision. CMS Has Multiple Strategies for Coordinating Postpayment Claims Reviews, but Differences in Requirements and Contractor Coordination Remain That May Hamper Effectiveness and Efficiency of Claims Reviews: CMS has strategies to coordinate internally among relevant CMS offices in developing the requirements for postpayment claims review contractors' activities and has strategies to facilitate coordination among the contractor types. However, differences in contractor requirements have continued and there is less coordination between ZPICs and RAs compared to the coordination among other contractors. CMS Has Strategies to Coordinate among Its Offices Regarding Contractor Requirements, but Differences in Requirements Continue to Exist: CMS has established strategies for coordination among the three CMS offices that oversee postpayment review contractors--the Center for Medicare, the Office of Financial Management, and the Center for Program Integrity--to review proposed new or updated requirements for contractors' activities. This internal coordination is important because contractors have many postpayment claims review activities in common, but responsibilities for overseeing postpayment review contractors are distributed across seven components within three CMS offices.[Footnote 71] (See figure 3.) Thus, coordination strategies among CMS's offices are critical to help ensure that contractor requirements are consistent when possible and that the four types of contractors are conducting postpayment claims reviews efficiently and effectively. Figure 3: Centers for Medicare & Medicaid Services (CMS) Organizational Components That Oversee Medicare Fee-for-Service Contractors and Their Activities Related to Postpayment Claims Reviews, as of April 2014: [Refer to PDF for image: organizational chart] Top level: CMS Administrator; CMS Deputy Administrator/Chief Operating Officer. Second level, reporting to CMS Administrator: Office of Financial Management: * Provider Compliance Group: - Division of Error Rate Measurement: Comprehensive Error Rate Testing contractors (CERT)[A]; - Division of Recovery Audit Operations: Recovery Auditors (RA)[A]; - Division of Medical Review and Education: Pre- and postpayment reviews for MACs and specialty contractors[A]. Center for Medicare: * Medicare Contractor Management Group; - Medicare Administrative Contractors (MAC)[A]. Center for Program Integrity: * Medicare Program Integrity Group: - Division of Medicare Integrity Contractor Operations: Zone Program Integrity Contractors (ZPIC)[A]. [A] Contractor or activity that the component oversees. Source: GAO analysis. GAO-14-474. [End of figure] CMS officials reported using multiple strategies--in particular, meetings and clearance processes--to coordinate internally on contractors' requirements. * Officials from the Center for Medicare, the Office of Financial Management, and the Center for Program Integrity told us they meet regularly to discuss a range of postpayment claims review issues, such as the consistency of the contractors' requirements and contractors' understanding and implementation of the requirements. They also discuss potential changes to key CMS documents used to communicate requirements to contractors--manuals, contractors' statements of work, and technical direction letters.[Footnote 72] * CMS offices use both formal and informal processes to coordinate with one another when making changes to contractor requirements. The formal system, the Enterprise Electronic Change Information Management Portal, is used when changes are made to requirements in the Medicare Program Integrity Manual and, according to CMS officials, when preparing MAC technical direction letters.[Footnote 73] This internal system allows CMS officials in different offices to review and comment on proposed changes, and it requires sign-off from certain CMS offices before the changes are finalized. In comparison, when CMS offices make changes to requirements in the contractors' statements of work and prepare technical direction letters for RAs, ZPICs, and the CERT contractor, they use a less formal system to coordinate across the offices.[Footnote 74] In general, CMS offices circulate proposed changes and drafts of the statements of work and technical direction letters for RAs, ZPICs, and the CERT contractor to other CMS offices for review and input when the changes pertain to their areas of responsibility. CMS officials told us that they often reviewed such documents only if there was a section directly pertaining to the contractors they were responsible for managing. As a result, one office can make changes to requirements for the contractors they manage that might lead to differences among the four types of contractors' requirements, but these changes might not be thoroughly reviewed by all the offices. However, CMS's internal coordination strategies have not resolved long- standing differences in requirements across contractor types. In our July 2013 report, we reported that inconsistencies in contractor requirements may impede efficiency and effectiveness of claims reviews by increasing administrative burden on providers.[Footnote 75] For example, contractors had different time frames for providers to submit documentation, which might confuse providers and reduce compliance. CMS has begun to take steps to make contractor requirements more consistent, where appropriate.[Footnote 76] For example, in October 2013, CMS began requiring MAC, RA, and CERT contractor ADRs to all give providers the same options for submitting documentation. In addition, CMS officials said that their new RA contracts will require RAs to establish an IRR process to assess their claims reviews. Our findings in this report indicate that variations in requirements continue to exist. Such variations may result in inefficient processes and present challenges for providers for responding to documentation requests. Variation in requirements across contractors also is inconsistent with OMB's executive-agency guidelines to streamline service delivery and with having a strong internal control environment.[Footnote 77] Further, this variation does not follow a practice that we have identified to help facilitate and enhance collaborative efforts across organizational boundaries.[Footnote 78] CMS Has Strategies to Coordinate among Contractors: CMS has established multiple strategies to facilitate coordination among postpayment claims review contractors. In addition to using the Recovery Audit Data Warehouse to help prevent duplicative claims reviews, CMS requires MACs, RAs, and ZPICs operating in the same geographic jurisdiction to establish Joint Operating Agreements (JOA) to facilitate coordination.[Footnote 79] CMS also sponsors meetings between different types of contractors. According to CMS officials, the JOA is a mechanism for different types of contractors to document how they plan to work together. For example, CMS officials told us JOAs are used by MACs and RAs to agree on methods of communication and levels of service related to improper payments, such as data sharing, file transmissions, data warehouse uploads, and appeals. Officials also said ZPICs use the JOAs to come to an agreement with the other contractors on how they will coordinate to avoid duplicating claims reviews and to exchange information on potential fraud.[Footnote 80] We reviewed all of the JOAs provided to us by CMS and determined all the JOAs between the different contractor types had been agreed upon by the contractors and were actively in use.[Footnote 81] We reported previously that when implementing coordination strategies, agencies benefit from having participants document their agreement for how they will collaborate and that agencies should consider whether all relevant participants have been included in and regularly attend collaboration-related activities. [Footnote 82] In addition to requiring JOAs, CMS holds regular meetings between different types of contractors to help them coordinate their workloads and to facilitate discussions of vulnerabilities and issues related to postpayment claims reviews.[Footnote 83] Depending on the meeting, some types of contractors are required to attend, while others are invited. For example, to help MACs and RAs better target their claims selection to identify improper payments, CMS has required these contractors to meet weekly to discuss vulnerabilities identified by RAs. CMS officials said that ZPICs also are invited to these meetings, but they are not required to attend. CMS also requires the MACs, CERT contractor, and RAs to attend CMS's annual medical review training conference, where CMS and contractor staff discuss CMS policy, program integrity vulnerabilities, and other medical review issues. Although ZPICs are not required to attend this conference, some do. Other than CMS's annual medical review training conference, ZPICs and RAs do not have structured meetings with each other to share information on vulnerabilities and potential fraud. All three ZPICs we spoke with said they meet with MACs on a regular basis to discuss medical review strategies, operational issues, and their JOAs with the MAC. According to one ZPIC, the interactions with the MAC ensure they are sharing best practices and receiving information expeditiously. However, two of the ZPICs we spoke with also said they do not coordinate with the RAs in their geographic jurisdictions. HHS's OIG recently recommended that to ensure that RAs refer all appropriate cases of potential fraud, CMS should facilitate increased collaboration between RAs and ZPICs, such as by coordinating regular meetings to share information about potentially fraudulent coding or billing schemes and to advise RAs of emerging fraud schemes.[Footnote 84] According to the OIG report, CMS concurred with OIG's recommendation. CMS officials also told us that the new RA statement of work for the upcoming procurement will include a requirement for the RAs to meet with the ZPICs in their geographic jurisdictions quarterly, at a minimum, to discuss trends in possible fraudulent billing. Established JOAs and regular meetings between different contractor types provide more assurance that postpayment claims reviews are conducted as efficiently and effectively as possible and opportunities to further reduce improper payments are not overlooked. Coordination among the contractors promotes sharing of information that can be critical to identifying vulnerabilities to improper payments. For example, while reviewing claims, each contractor may be identifying vulnerabilities to improper payment that may also be present in other jurisdictions, as well as improper payment issues that could be better addressed by another type of contractor. In addition, MACs' and RAs' claims reviews sometimes identify instances of potential fraud, which they are expected to refer to ZPICs for further investigation. [Footnote 85] Conclusions: Postpayment claims review contractors play an important role in helping CMS reduce improper payments in the Medicare program. Because different types of contractors conduct similar claims reviews, CMS guidance, oversight, and coordination of them is essential to maintaining an appropriate balance between detecting improper payments effectively and efficiently and avoiding unnecessary administrative burdens. CMS has taken a number of steps to guide, oversee, and coordinate its contractors' postpayment claims review efforts. However, further actions by CMS could help improve the efficiency and effectiveness of its contractors' efforts. CMS does not have sufficient information to determine whether its contractors are conducting inappropriate duplicative claims reviews. We found that CMS has conducted insufficient data monitoring to prevent the RAs from conducting inappropriate duplicative reviews. If the Recovery Audit Data Warehouse information on excluded claims is inaccurate, as we found is sometimes the case, the Recovery Audit Data Warehouse's effectiveness in preventing the RAs from conducting inappropriate duplicative claims reviews is limited. In addition, while CMS has issued clear guidance for RAs and the CERT contractor about whether they are permitted to conduct duplicative reviews, it has not issued similar guidance for the MACs and ZPICs. If CMS does not intend for the MACs and ZPICs to conduct duplicative reviews, issuing complete guidance stating so is important to prevent inappropriate duplication. Furthermore, having consistent guidance and ensuring that contractors comply with the requirements that apply to them can improve the efficiency and effectiveness of contractors' communication with providers. It is important that providers understand the postpayment claims review process, including what documentation they need to send to contractors, the steps in the review process, and their rights. More consistent requirements and better monitoring of contractors' compliance with correspondence content guidance would increase CMS's assurance that providers are given similar and sufficient information during claims reviews and that the correspondence is accurate and includes all of the content required. Although CMS has strategies to coordinate internally among the CMS offices that oversee postpayment claims review contractors--as well as strategies to facilitate coordination among the contractors themselves- -differing requirements for the postpayment claims reviews conducted by different types of contractors continue to exist. CMS is currently working to address some of the differences, but will need to remain vigilant as requirements are updated in the future. Moreover, CMS must ensure that its current methods for ensuring effective collaboration among contractors are working as intended. The comparatively limited amount of required communication between ZPICs and other contractors addressing improper payment issues reduces CMS's assurance that the four types of postpayment contractors that we reviewed are coordinating as effectively as possible to reduce improper payments and fraud. Recommendations for Executive Action: In order to improve the efficiency and effectiveness of Medicare postpayment claims review efforts and simplify compliance for providers, we recommend that the Administrator of CMS take the following four actions: * monitor the Recovery Audit Data Warehouse to ensure that all postpayment review contractors are submitting required data and that the data the database contains are accurate and complete; * develop complete guidance to define contractors' responsibilities regarding duplicative claims reviews, including specifying whether and when MACs and ZPICs can duplicate other contractors' reviews; * clarify the current requirements for the content of contractors' ADRs and results letters and standardize the requirements and contents as much as possible to ensure greater consistency among postpayment claims review contractors' correspondence; and: * assess regularly whether contractors are complying with CMS requirements for the content of correspondence sent to providers regarding claims reviews. Agency and Third Party Comments and Our Evaluation: We provided a draft of this report to HHS and received written comments, which are reprinted in appendix II. In its comments, HHS agreed with our findings and concurred with all four recommendations. HHS also described steps it plans to take to remedy the issues we identified. We also provided portions of the draft report for review and comment to the contractors in our sample. We received responses via email from all but one contractor. The contractors generally agreed with our findings as applicable to their contractor type. Representatives from all four RAs commented on our finding that none of the RA results letters met the requirement to document in the letter a reason for conducting the review or the rationale for good cause for reopening the claims. Representatives from two RAs commented that they believed their results letters did sufficiently indicate the reason for the review, and representatives from three RAs pointed out that CMS had reviewed and approved the text of their letters. However, as we noted in the draft report, we determined that none of the RA results letters met this requirement because the text was not sufficient to provide a reason for review or rationale for good cause. In response to comments from the RAs, we have modified the text in the report to more prominently note that the results letters do refer providers to the contractor's website or to the ADR to obtain the reason for the review. HHS and the contractors also provided technical comments, which we incorporated into the report as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff members have any questions about this report, please contact me at (202) 512-7114 or at kingk@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff that made key contributions to this report are listed in appendix III. Signed by: Kathleen M. King: Director, Health Care: List of Requesters: The Honorable Ron Wyden: Chairman: The Honorable Orrin G. Hatch: Ranking Member: Committee on Finance: United States Senate: The Honorable Tom Carper: Chairman: The Honorable Tom Coburn, M.D. Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Charles Grassley: Ranking Member: Committee on the Judiciary: United States Senate: The Honorable Claire McCaskill: Chairwoman: Subcommittee on Contracting Oversight: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Bob Corker: United States Senate: The Honorable Fred Upton: Chairman: The Honorable Henry Waxman: Ranking Member: Committee on Energy and Commerce: House of Representatives: The Honorable Charles Boustany, M.D. Chairman: The Honorable John Lewis: Ranking Member: Subcommittee on Oversight: Committee on Ways and Means: House of Representatives: The Honorable Diana DeGette: Ranking Member: Subcommittee on Oversight and Investigations: Committee on Energy and Commerce: House of Representatives: [End of section] Appendix I: Scope and Methodology: This appendix gives additional detail about two aspects of our methodology for addressing the report's objectives. Specifically, we explain our methodology for selecting and assessing the sample of postpayment claims review contractors we interviewed as part of our work to address all four objectives. We also provide information on our methodology for selecting the correspondence--additional documentation requests (ADR) and results letters--from the contractors in the sample we used to examine how CMS's requirements for contractor correspondence with providers help ensure effective communication. To learn about postpayment claims review contractors' claims review efforts, we interviewed representatives from 11 postpayment review contractors. We selected all four Recovery Auditors (RA) because they conduct substantially more postpayment claims reviews than all the other contractors combined, and the Comprehensive Error Rate Testing (CERT) contractor, which reviews a nationwide random sample of claims. We also selected a nongeneralizable sample of 3 of the 16 Medicare Administrative Contractors (MAC), including 2 of the 12 MACs that process Part A and B claims and 1 of the 4 MACs that process claims for durable medical equipment. We selected these 3 MACs because they had been in operation for at least 6 months, performed postpayment claims reviews in 2012, and were geographically diverse. We selected a nongeneralizable sample of 3 of the 6 Zone Program Integrity Contractors (ZPIC) that had been in operation for at least 1 year and whose service areas included some of the same states served by the 3 MACs in our sample. To assess the extent to which CMS requirements for the content of contractors' correspondence with providers help ensure effective communication, we focused our review on ADRs and results letters. We reviewed the Medicare Program Integrity Manual, Medicare Claims Processing Manual, Medicare Financial Management Manual, Medicare Contractor Beneficiary and Provider Communications Manual, CERT Manual, and the contractors' statements of work to identify CMS requirements for this correspondence.[Footnote 86] Because there were some discrepancies and issues of clarity in the requirements for these sources, we confirmed the requirements with CMS. To assess the correspondence against these requirements, we asked the contractors in our sample to provide us with all correspondence associated with four claims they determined had been paid improperly and two claims that had been paid properly.[Footnote 87] To prevent bias, we asked them to select claims for which the ADR had been sent on a date that we randomly selected. If they had not sent ADRs on that date, we asked them to choose the closest date on which they had sent ADRs. Upon receiving the sample of contractor correspondence, we chose two frequently used postpayment review-related forms of correspondence-- ADRs and results letters--to assess compliance. We limited our review of results letters to assess compliance for those that reported improper payments. The final sample we reviewed included 67 ADRs and 47 results letters. We assessed compliance with CMS requirements in effect as of the date on the letter. Each letter was reviewed by two of our staff working independently. The reviewers compared each requirement with each letter's content to determine if a requirement was "met," "not met," "not applicable," or "unknown." Afterward, the reviewers met to resolve any differences in their scores. Their final score was checked by a third reviewer. We calculated a compliance rate for each letter by dividing the total number of applicable requirements that were met (numerator) by the total number of applicable requirements that were met or not met (denominator). An average compliance rate for each type of contractor was based on the sum of the contractors' letter-specific numerators divided by the sum of the letter-specific denominators. Requirements for ADRs are listed in table 3 and for review results letters in table 4. We note in the tables several requirements that we did not include in our assessment of compliance and why. Table 3: CMS Requirements Applicable to the 2012 and 2013 Additional Documentation Requests (ADR) GAO Reviewed, by Contractor Type: Required element: 1; Sending contractor's name; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 2; Sending contractor's address; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 3; Clear indication that correspondence is related to Medicare; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 4; The word "Medicare" and/or CMS's alpha representation in a location that gives at least equal prominence to the sender's identification; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 5; The word "Medicare" and/or CMS's alpha representation are at least as large as the sender's identification; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 6; If review is provider-specific, reason for selection[B]; Contractor type: Medicare Administrative Contractor (MAC): Yes[C]; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): No. Required element: 7; Good cause to reopen the claim[B]; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): Yes. Required element: 8; If review is provider-specific and the basis for selection is comparative data, data on how the provider varies significantly from other providers in the same specialty, jurisdiction, or locality; Contractor type: Medicare Administrative Contractor (MAC): Yes[C]; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): No. Required element: 9; If review is provider-specific, indication as to whether the review will occur on a pre-or postpayment basis; Contractor type: Medicare Administrative Contractor (MAC): Yes[C]; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): No. Required element: 10; Request only those individual pieces of documentation needed to make a determination; Contractor type: Medicare Administrative Contractor (MAC): Yes[D]; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes[D]; Comprehensive Error Rate Testing (CERT) Contractor: Yes[D]; Recovery Auditor (RA): Yes[D]. Required element: 11; Option to submit paper documentation; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): Yes. Required element: 12; Option to submit documentation via fax[E]; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): Yes. Required element: 13; Fax number; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): No. Required element: 14; Option to submit documentation via CD/DVD[E]; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): Yes. Required element: 15; Statement that documentation on CD/DVDs can be mailed by any means; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): No. Required element: 16; Website link or phone number for information regarding submission requirements for CD/DVDs; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): Yes. Required element: 17; Correct number of days the provider has to submit the requested documentation[F]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: Yes; Recovery Auditor (RA): Yes. Required element: 18; Toll-free customer service number; Contractor type: Medicare Administrative Contractor (MAC): No; Contractor type: Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: No; Recovery Auditor (RA): Yes. Required element: 19; Signature of person responsible for handling inquiries about the correspondence; Contractor type: Medicare Administrative Contractor (MAC): Yes; Contractor type: Zone Program Integrity Contractor (ZPIC): Yes; Comprehensive Error Rate Testing (CERT) Contractor: No[A]; Recovery Auditor (RA): No[A]. Required element: 20; Statement that providing medical records of Medicare patients to the CERT contractor does not violate the Health Insurance Portability and Accountability Act (HIPAA); Contractor type: Medicare Administrative Contractor (MAC): No; Zone Program Integrity Contractor (ZPIC): No; Comprehensive Error Rate Testing (CERT) Contractor: Yes[G]; Recovery Auditor (RA): No. Source: GAO analysis of CMS information. GAO-14-474. Notes: This table lists all requirements applicable to contractors' ADRs as documented in the Medicare Program Integrity Manual, the Medicare Contractor Beneficiary and Provider Communications Manual, the CERT Manual, the CERT Statement of Work, and the Statement of Work for the Recovery Audit Program. We validated the requirements with CMS officials. Where a requirement was not included in scoring the ADRs, the text of the requirement is in italics and a table note provides an explanation. Also, the requirement applied to each letter was the requirement in effect as of the date on the letter. MAC ADRs were dated between March 13, 2012, and May 7, 2013; ZPIC ADRs between March 22, 2012, and October 31, 2012; CERT contractor ADRs on October 16, 2012; and RA ADRs between October 18, 2012, and November 8, 2012. A "Yes" entry indicates that an item was a requirement for a contractor type, and a "No" entry indicates that an item was not a requirement for a contractor type. Some requirements have since changed. [A] This requirement is included in the Medicare Contractor Beneficiary and Provider Communications Manual, which CMS officials indicated applies to MACs and ZPICs, but not RAs or the CERT contractor. [B] Because requirements 6 and 7 were similar, for the purpose of our analysis we discussed them together in the report: [C] The Medicare Program Integrity Manual requires MACs to notify selected providers prior to beginning a provider-specific review by sending a notice that includes the reason for their selection, provides comparative data if it was the basis for their selection, and indicates whether the review will occur on a prepayment or postpayment basis. MACs have discretion to do this notification as part of their ADRs. All of the MAC ADRs related to provider-specific reviews did so, so we reviewed whether the ADRs contained this required information-- and nearly all did. [D] We did not score the letters against this element because of the subjectivity involved in determining the reasonableness of a document request. [E] While these were the requirements at the time for the ADRs we reviewed, the Medicare Program Integrity Manual was later revised and, as of October 21, 2013, required ADRs from MACs, RAs, and the CERT contractor to give providers the option of submitting documentation via paper, fax, CD/DVD, or electronic submission; there is no similar requirement for ZPIC ADRs. [F] Prior to July 16, 2012, the Medicare Program Integrity Manual required MACs, ZPICs, and the CERT contractor to notify providers that the requested documents were to be submitted within 30 days, and required RAs to give providers a 45-day submission deadline. Effective July 16, 2012, the manual changed and stated that the MACs and CERT contractor were to notify providers that the requested documents were to be submitted within 45 days. [G] This requirement is included in the CERT Manual. [End of table] Table 4: CMS Requirements Applicable to the 2012 and 2013 Results Letters GAO Reviewed, by Contractor Type: Required element: 1; Sending contractor's name; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 2; Sending contractor's address; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 3; Provider's name; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 4; Provider's 10-digit National Provider Identifier (NPI); Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes[B]. Required element: 5; Provider's address; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 6; Clear indication that correspondence is related to Medicare; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 7; The word "Medicare" and/or CMS's alpha representation in a location that gives at least equal prominence to the sender's identification; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 8; The word "Medicare" and/or CMS's alpha representation are at least as large as the sender's identification; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 9; Reason for conducting the review or the rationale for good cause for having reopened the claim or claims[C]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 10; If Part A claim, date the claim was reopened; Contractor type: Medicare Administrative Contractor (MAC): No; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): Yes[D]. Required element: 11; Reason for noncoverage or incorrect coding for each claim[E]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 12; If an overpayment is identified, a narrative description of the issues creating the overpayment as well as any recommended corrective actions[E]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 13; If any claim in the letter has an overpayment, the overpayment amount for each claim[F]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 14; The noncovered amount for each claim listed in the letter[H]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[I]. Required element: 15; The denied amount for each claim listed in the letter[H]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[I]. Required element: 16; The amounts that will and will not be recovered from the provider for each claim listed in the letter[H]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 17; Total amount of overpayments for which the provider is responsible; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 18; Total amount of overpayments for which provider is not responsible because the provider was found to be without fault[J]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 19; If any claim in the letter has an underpayment, the underpayment amount for each claim[K]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 20; Total amount of underpayments[K]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[G]. Required element: 21; If statistical sampling was used to estimate the total amount of overpayments, a clear explanation of how the overpayment was calculated[F]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes[L]. Required element: 22; If a claim was found to not be reasonable or necessary, the contractor's determination as to whether or not the provider knew or should have known that the services were not covered[M]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 23; If a claim was found not to be reasonable or necessary and the contractor determined that provider knew or should have known that the services were not covered, the basis for the contractor's determination[M]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 24; If a claim was overpaid, the contractor's determination as to whether or not the provider was at fault in causing the overpayment[M]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 25; If a claim was overpaid and a contractor determined that the provider was at fault in causing the overpayment, the basis for the contractor's determination[M]; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): Yes. Required element: 26; If an overpayment is due, explanation of the procedures for recovery, including Medicare's right to recover overpayments and charge interest on debts not repaid within 30 days; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): No[N]. Required element: 27; For a Part A claim, language that the subsequent adjustments may be made at cost settlement; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): No. Required element: 28; Provider's right to submit a financial rebuttal statement within 15 calendar days; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): No[N]. Required element: 29; If there is an overpayment, information about provider's right to request an extended repayment schedule; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): No[N]. Required element: 30; Information about the provider's right to appeal; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): No[O]; Recovery Auditor (RA): No[N]. Required element: 31; Signature of person responsible for handling inquiries about the correspondence; Contractor type: Medicare Administrative Contractor (MAC): Yes; Zone Program Integrity Contractor (ZPIC): Yes; Recovery Auditor (RA): No[A]. Required element: 32; Toll-free customer service number; Contractor type: Medicare Administrative Contractor (MAC): No; Zone Program Integrity Contractor (ZPIC): No; Recovery Auditor (RA): Yes. Source: GAO analysis of CMS information. GAO-14-474. Notes: This table lists all requirements applicable to the contractors' results letters as documented in the Medicare Program Integrity Manual, the Medicare Contractor Beneficiary and Provider Communications Manual, and the Statement of Work for the Recovery Audit Program. We validated the requirements with CMS officials. Where a requirement was not included in scoring the results letters, the text of the requirement is in italics and a table note provides an explanation. Also, the requirement applied to each letter was the requirement in effect as of the date on the letter. The MAC results letters were dated between May 23, 2012, and June 13, 2013; the ZPIC results letters were dated between February 26, 2012, and April 30, 2013; and the RA results letters were dated between December 4, 2012, and February 7, 2013. A "Yes" entry indicates that an item was a requirement for a contractor type, and a "No" entry indicates that an item was not a requirement for a contractor type. [A] This requirement is included in the Medicare Contractor Beneficiary and Provider Communications Manual, which CMS officials indicated applies to MACs and ZPICs, but not RAs. [B] For RA results letters, any provider identifier is sufficient to meet the requirement. [C] If the results letter did not contain this information and directed the provider to the contractor's website or to the ADR sent previously by the contractor, we scored the letter as nonresponsive. In addition, results letters that mentioned the Progressive Corrective Action program without any additional explanation as to good cause for the review were scored as nonresponsive. We scored the letters as responsive if a reason for the review was given, but we did not assess whether the information provided would be considered sufficient by providers. [D] The date of reopening is not defined in the manuals or statement of work. For purposes of scoring, we scored letters that included the date on the ADR as responsive. [E] CMS officials told us that they consider requirements in rows 11 and 12 to be the same. However, we kept these requirements separate because row 12 requires contractors to provide a general description of the issues that led to the overpayment situation, whereas row 11 requires contractors to provide a reason for noncoverage or incorrect coding for each claim denied upon postpayment review. We scored the letters as responsive if a reason for the decision about whether the claim was paid properly was given, but we did not assess whether the information provided would be considered sufficient by providers. [F] If the results letter did not contain this information and directed the provider to contact the contractor to request it, we scored the letter as nonresponsive. [G] Effective January 1, 2012, MACs assumed responsibility from the RAs for sending providers the demand letters resulting from RA reviews and are, therefore, now responsible for calculating adjustments to provider payments included in demand letters based on RA reviews. As a result, CMS officials told us requirements related to payment amounts no longer apply to the RAs' results letters, and we did not score the RA letters on these requirements. These requirements were applicable to the RAs according to the Medicare Program Integrity Manual, but not the RA statement of work, during the time period for the letters we reviewed. [H] For purposes of scoring, we did not interpret these requirements differently from the requirement in row 13 and did not use the requirements in rows 14, 15, or 16 in scoring the letters. [I] These are requirements for RAs in both the Medicare Program Integrity Manual and the RA statement of work. However, CMS officials told us they did not apply to the RAs because MACs are now responsible for sending demand letters. [J] We only reviewed results letters that included at least one claim with an overpayment and all of the letters found the provider at fault for the overpayments listed in the letters. Therefore, we scored all of the letters as not applicable for this requirement. [K] None of the results letters we reviewed found that a claim had been underpaid. Therefore, we scored all of the letters as not applicable for this requirement. [L] Although this is a requirement for RAs in both the Medicare Program Integrity Manual and the RA statement of work, none of the RAs used statistical sampling to estimate the overpayment amount for the letters we reviewed. Therefore, we scored all of the RA letters as not applicable for this requirement. [M] We did not score the letters against these requirements because of the subjectivity involved in interpreting the contractors' determinations. [N] CMS officials told us these requirements are not applicable to the RAs because MACs now send demand letters and will include recoupment and appeals time frames in that correspondence. Therefore, we did not score the RA letters on these requirements. These requirements were in the RA statement of work, but were not applicable to RAs, according to the Medicare Program Integrity Manual, during the time period for the letters we reviewed. [O] The Medicare Program Integrity Manual's list of results letter requirements includes one statement indicating that MACs and ZPICs must include appeals information in their results letters, as well as a different statement right next to it indicating that only MACs must do so. In response to this discrepancy, CMS officials told us this requirement was not applicable to ZPICs. Therefore, we did not score the ZPIC letters on this requirement. [End of table] [End of section] Appendix II: Comments from the Department of Health and Human Services: Department of Health & Human Services: Office of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: June 30, 2014: Kathleen M. King: Director, Health Care: U.S. Government Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Ms. King: Attached are comments on the U.S. Government Accountability Office's (GAO) report entitled, "Medicare Program Integrity: Increased Oversight and Guidance Could Improve Effectiveness and Efficiency of Postpayment Claims Reviews" (GAO-14-474). The Department appreciates the opportunity to review this report prior to publication. Sincerely, Signed by: Jim R. Esquea: Assistant Secretary for Legislation: Attachment: General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled, "Medicare Program Integrity: Increased Oversight And Guidance Could Improve Effectiveness And Efficiency Of Postpayment Claims Reviews (GAO-14-474): The Department appreciates the opportunity to review and comment on this draft report. GAO Recommendation: Monitor the Recovery Audit Warehouse to ensure that all postpayment review contractors are submitting required data and that the data the database contains are accurate and complete. CMS Response: HHS concurs with this recommendation. HHS agrees it is important to ensure that all postpayment review contractors submit required data to the Recovery Audit Warehouse, and that the data is accurate and complete. We will ensure that appropriate direction is provided to the postpayment review contractors to ensure accurate and complete information is entered into the Recovery Audit Warehouse. Therefore, we shall seek to modify contracts to include quality assurance performance metrics for data entered into the warehouse, to include the timely loading of data. In addition, we shall seek to develop reports that would alert HI-IS and its contractors when data has not been entered into the warehouse within a specified time period. GAO Recommendation: Develop complete guidance to define contractors' responsibilities regarding duplicative claims reviews, including specifying whether and when by Medicare Administrative Contractors (MACs) and Zone Program Integrity Contractors (ZPICs) can duplicate other contractors' reviews. CMS Response: HHS concurs with this recommendation. We plan to update the Program Integrity Manual with additional guidance for duplicative claims reviews. GAO Recommendation: Clarify the current requirements for the content of contractors' ADRs and results letters and standardize the requirements and contents as much as possible to ensure greater consistency among postpayment claims review contractors' correspondence. CMS Response: HHS concurs with this recommendation. We agree that ADRs and results letters need to be examined for consistency, and we will assess the feasibility of standardizing the requirements, where appropriate. GAO Recommendation: Assess regularly whether contractors are complying with CMS requirements for the content of correspondence sent to providers regarding claims reviews. CMS Response: HHS concurs with this recommendation. To address this recommendation, we will take our analysis from recommendation three of this report into consideration when developing a plan to assess the four postpayment claims review contractors' (i.e., Recovery Auditors, Comprehensive Error Rate Testing contractor, MACs, and ZPICs) compliance with requirements for ADRs and results letters. HHS thanks GAO for its efforts on this issue and looks forward to working with GAO on this and other issues in the future. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contact: Kathleen M. King, (202) 512-7114 or kingk@gao.gov: Staff Acknowledgments: In addition to the contact named above, Sheila. K. Avruch, Assistant Director; Robin Burke; Carrie Davidson; Iola D'Souza; Carolyn Garvey; Leslie V. Gordon; Richard Lipinski; Elizabeth Morrison; Amanda Pusey; and Jennifer Whitworth made key contributions to this report. [End of section] Related GAO Products: Medicare Program Integrity: Contractors Reported Generating Savings, but CMS Could Improve Its Oversight. [hyperlink, http://www.gao.gov/products/GAO-14-111]. Washington, D.C.: October 25, 2013. Medicare Program Integrity: Increasing Consistency of Contractor Requirements May Improve Administrative Efficiency. [hyperlink, http://www.gao.gov/products/GAO-13-522]. Washington, D.C.: July 23, 2013. GAO's 2013 High-Risk Update: Medicare and Medicaid. [hyperlink, http://www.gao.gov/products/GAO-13-433T]. Washington, D.C.: February 27, 2013. Medicare Program Integrity: Greater Prepayment Control Efforts Could Increase Savings and Better Ensure Proper Payment. [hyperlink, http://www.gao.gov/products/GAO-13-102]. Washington, D.C.: November 13, 2012. Medicare Fraud Prevention: CMS Has Implemented a Predictive Analytics System, but Needs to Define Measures to Determine Its Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-13-104]. Washington, D.C.: October 15, 2012. Program Integrity: Further Action Needed to Address Vulnerabilities in Medicaid and Medicare Programs. [hyperlink, http://www.gao.gov/products/GAO-12-803T]. Washington, D.C.: June 7, 2012. Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-11-592]. Washington, D.C.: July 29, 2011. Improper Payments: Reported Medicare Estimates and Key Remediation Strategies. [hyperlink, http://www.gao.gov/products/GAO-11-842T]. Washington, D.C.: July 28, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. [hyperlink, http://www.gao.gov/products/GAO-11-475]. Washington, D.C.: June 30, 2011. Improper Payments: Recent Efforts to Address Improper Payments and Remaining Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-575T]. Washington, D.C.: April 15, 2011. Status of Fiscal Year 2010 Federal Improper Payments Reporting. [hyperlink, http://www.gao.gov/products/GAO-11-443R]. Washington, D.C.: March 25, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-11-409T]. Washington, D.C.: March 9, 2011. Medicare: Program Remains at High Risk Because of Continuing Management Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-430T]. Washington, D.C.: March 2, 2011. Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight. [hyperlink, http://www.gao.gov/products/GAO-10-143]. Washington, D.C.: March 31, 2010. Medicare Contracting Reform: Agency Has Made Progress with Implementation, but Contractors Have Not Met All Performance Standards. [hyperlink, http://www.gao.gov/products/GAO-10-71]. Washington, D.C.: March 25, 2010. [End of section] Footnotes: [1] Medicare is the federally financed health insurance program for persons aged 65 and over, certain individuals with disabilities, and individuals with end-stage renal disease. [2] See GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: Feb. 2013). [3] An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111-204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). Office of Management and Budget guidance also instructs agencies to report as improper payments any payments for which insufficient or no documentation was found. [4] The Secretary of Health and Human Services delegated the authority under the Medicare provisions of the Social Security Act to the Administrator of CMS. [5] Medicare FFS, or original Medicare, consists of Medicare Parts A and B. Medicare Part A covers hospital and other inpatient stays. Medicare Part B is optional insurance and covers physician, outpatient hospital, home health care, certain other services, and the rental or purchase of durable medical equipment (DME), including wheelchairs, prosthetics, orthotics, and supplies. [6] In this report, the term provider includes entities such as hospitals or physicians as well as entities that supply Medicare beneficiaries with DME and laboratory, ambulance, home health, hospice, therapy, and skilled nursing services. [7] Program safeguard contractors conducted activities to investigate fraud prior to the establishment of ZPICs, and are still doing so in one geographic region. [8] There are four contractors that support CMS's CERT program. Unless otherwise noted, in this report "the CERT contractor" will refer to the CERT contractor that reviews documentation to determine whether claims were properly paid. The other three contractors handle the design of the CERT sampling strategy, manage the documentation from providers, and maintain the confidential CERT website. [9] In 2012, CMS established the Supplemental Medicare Review Contractor type to perform national claims reviews of Medicare Part A, Part B, and DME providers. This contractor conducts large-volume medical reviews nationwide for specific services, such as inpatient psychiatric facility interrupted stays, epidural injections, and place- of-service coding. We did not include this type of contractor in our study. [10] See GAO, Medicare Program Integrity: Increasing Consistency of Contractor Requirements May Improve Administrative Efficiency, [hyperlink, http://www.gao.gov/products/GAO-13-522] (Washington, D.C.: July 23, 2013). [11] [hyperlink, http://www.gao.gov/products/GAO-13-522]. [12] [hyperlink, http://www.gao.gov/products/GAO-13-522]. [13] This objective focuses specifically on duplicative claims reviews that occur between MACs, RAs, the CERT contractor, and ZPICs. Other entities, such as the HHS Office of Inspector General and CMS's Supplemental Medical Review Contractor, may also duplicate claims reviews conducted by these CMS contractors. While our definition of a duplicative claims review is consistent with the way CMS defines duplication, it differs from how some providers may define duplication; for example, some providers may consider duplication to have occurred if contractors review claims from the same provider, but not necessarily the same claim. [14] See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999); and Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 2001). Control activities refer to an agency's ability to ensure that its policies and procedures enforce management's directives. [15] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G]. The internal control standards indicate that organizations should assess risks, implement control activities to address risks, monitor their activities to assess the quality of performance on an ongoing basis over time, and have effective communications with outside stakeholders. [16] Office of Management and Budget, Implementing Executive Order 13571 on Streamlining Service Delivery and Improving Customer Service, Memorandum M-11-24 (June 13, 2011). [17] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G]. The internal control standards indicate that organizations should monitor their activities to assess performance on an ongoing basis over time. [18] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G]. [19] See GAO, Results-Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21, 2005) and Managing for Results: Key Considerations for Implementing Interagency Collaborative Mechanisms, [hyperlink, http://www.gao.gov/products/GAO-12-1022] (Washington, D.C.: Sept. 27, 2012). [20] Information from postpayment review can also be used to improve activities to review claims before payment. For example, prepayment edits are instructions that MACs program into claims processing systems in order to approve or deny claims or to flag them for additional review. Postpayment reviews can provide information to CMS and MACs as to which services could benefit from additional edits. See GAO, Medicare Program Integrity: Greater Prepayment Control Efforts Could Increase Savings and Better Ensure Proper Payment, [hyperlink, http://www.gao.gov/products/GAO-13-102] (Washington, D.C.: Nov. 13, 2012). [21] A company may have contracts for more than one MAC jurisdiction. For this report, we are counting each jurisdiction with a separate contract as a MAC. [22] Reviews completed by the MACs in 2012 do not include the reviews performed by the three legacy contractors--two fiscal intermediaries and one carrier--that continued to process claims as of June 2013. Fiscal intermediaries and carriers were responsible for claims administration prior to the establishment of the MACs. [23] The total number of postpayment claims reviews includes MAC, ZPIC, and CERT contractor reviews conducted in calendar year 2012 and RA reviews conducted in fiscal year 2012. The total does not include about 1 million automated postpayment claims reviews conducted by RAs that identified improper payments that year. Automated reviews rely on computer programming logic to check claims for evidence of improper coding or other mistakes and do not involve reviews of medical documentation. [24] The Health Insurance Portability and Accountability Act of 1996 established the Medicare Integrity Program, which authorized CMS to contract separately for program safeguard contractors--the precursor to the ZPICs--to conduct activities, such as identifying and investigating potential fraud, that had previously been conducted by fiscal intermediaries and carriers. CMS later transitioned fraud investigation from program safeguard contractors to ZPICs in all but one geographic region. Pub. L. No. 104-191, § 202, 110 Stat. 1936, 1996 (codified at 42 U.S.C. § 1395ddd). [25] Although there are seven ZPIC zones, there were only six ZPICs as of September 2013 because one zone did not have a ZPIC contract in place. The contractor functions in that zone are handled by four program safeguard contractors. The ZPIC zones are designed to include one or more MAC jurisdictions. CMS is in the process of consolidating its ZPICs, program safeguard contractors, and Medicaid Integrity Contractors with new entities that will conduct their functions, called the Unified Program Integrity Contractors. [26] Reviews by ZPICs also include those performed by four program safeguard contractors operating in one of the seven zones. [27] See Improper Payments Information Act of 2002 (IPIA), Pub. L. No. 107-300, 116 Stat. 2350 (codified at 31 U.S.C. § 3321 note). The IPIA was subsequently amended by the Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111-204, 124 Stat. 2224 (2010), and the Improper Payments Elimination and Recovery Improvement Act of 2012, Pub. L. No. 112-248, 126 Stat. 2390 (2013). [28] Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256 (2003); Pub. L. No. 109-432, § 302, 120 Stat. 2922, 2991-92 (2006) (codified at 42 U.S.C. § 1395ddd(h)). [29] 42 U.S.C. § 1395ddd(h)(1). In fiscal year 2012, the contingency fee ranged from 9 to 12.5 percent of the overpayments recouped and underpayments identified for all claims except DME, and from 14.0 to17.5 percent for DME claims. [30] Providers submit claims to Medicare and other insurers with the services and diagnoses coded, using standard coding systems. CMS establishes national coverage determinations. Each MAC has the authority to develop local coverage determinations that delineate the circumstances under which services are considered reasonable and necessary and therefore covered in the geographic area where that MAC processes claims. These local coverage determinations cannot conflict with CMS policy or law. In addition to national and local coverage determinations, ZPICs use other information to determine whether or not a claim was the subject of suspected fraud. ZPICs may refer to law enforcement and initiate administrative actions against providers suspected of fraud, including but not limited to, the recovery of overpayments. [31] Other entities that can enter claims they have reviewed into the Recovery Audit Data Warehouse to be stored as exclusions include HHS's Office of Inspector General, CMS's Supplemental Medical Review Contractor, and Quality Improvement Organizations. [32] ZPICs and law enforcement agencies enter suppressions in the Recovery Audit Data Warehouse to temporarily mark entire providers or subsets of a provider's claims as off-limits to the RAs. CMS requires ZPICs and law enforcement agencies to tailor their suppressions as narrowly as possible. [33] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [34] Exec. Order No. 13571, Streamlining Service Delivery and Improving Customer Services, 76 Fed. Reg. 24,399 (May 2, 2011). [35] Office of Management and Budget, Memorandum M-11-24 (June 13, 2011). [36] See [hyperlink, http://www.gao.gov/products/GAO-06-15] and [hyperlink, http://www.gao.gov/products/GAO-12-1022]. [37] The appeals process under the Medicare FFS program includes five levels of review, and review by a MAC is the first level of appeals review. CMS officials were unable to provide an estimate of the number of appealed claims that the MACs may have entered into the Recovery Audit Data Warehouse as exclusions. Two of the three MACs we interviewed told us they enter claims they review through the appeals process as exclusions. [38] Although there are seven ZPIC zones, only six ZPICs are operational and four program safeguard contractors conduct reviews in one zone. [39] CMS conducts a quarterly review of a random sample of claims that RAs entered into the Recovery Audit Data Warehouse to ensure the information is timely and accurate. [40] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G]. [41] CMS does not pay RAs for overpayments or underpayments identified from their review of claims excluded or suppressed in the Recovery Audit Data Warehouse. [42] CMS's Medicare Program Integrity Manual states that MACs should take steps to avoid duplicating ZPIC claims reviews. However, it does not direct the MACs to use the Recovery Audit Data Warehouse to avoid duplication. If a MAC did not take steps to avoid duplication by checking the Recovery Audit Data Warehouse to determine if the RA had reviewed a claim, it is possible that the MAC could review a claim that had been reviewed by an RA. [43] CMS's Medicare Program Integrity Manual and the ZPIC statement of work state that ZPICs should work with other contractors to avoid duplication of efforts, but neither addresses whether reviewing a claim that another contractor had reviewed would be considered a duplication of efforts. CMS program integrity officials acknowledged that it is unclear from this guidance whether CMS permits ZPICs to duplicate other contractors' claims reviews. [44] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G], sections related to control activities. [45] ZPICs have discretion on whether to issue a results letter, depending on the status of their investigation. [46] If the CERT contractor determines that an improper payment has been made, it informs the MAC, which then communicates the improper payment information to the provider through a demand letter. When any of the four types of contractors determine that an improper payment is made, the MAC is responsible for collecting any overpayments or for paying the provider in the event of an underpayment. If an overpayment has been made, the MAC's demand letter must state that an improper payment has occurred and indicate the amount that the provider must repay. In the event of an underpayment, the MAC will return the balance in a future remittance. [47] CMS officials told us requirements related to payment amounts no longer apply to the RAs' results letters. [48] The RA and CERT contractor statements of work had specific requirements for these letters, but the statements of work for the ZPICs and MACs did not. [49] We requested documentation from CMS about removing these results letter requirements from the RAs. The documentation CMS provided regarding the agency removing these results letter requirements from RAs was about the responsibilities for sending, and contents of, demand letters, not results letters. [50] CMS previously required MACs to give providers 30 days rather than 45 days to respond to postpayment review documentation requests, but changed the notification time frame to 45 days for postpayment reviews effective July 16, 2012. CMS officials informed us that the 45- day time frame is correct. [51] CMS officials informed us that ZPIC results letters do not have to include this information. [52] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G], sections related to risk assessment, control activities, and information and communications. [53] Office of Management and Budget, Memorandum M-11-24 (June 13, 2011). See [hyperlink, http://www.gao.gov/products/GAO-13-522] for a discussion of this in relation to CMS's contractor requirements. [54] For our analysis, we reviewed the requirements with CMS officials to validate which requirements were applicable to ADRs and results letters. [55] The number of requirements applicable to each ADR varied depending on the type of contractor sending it, when it was sent, and, for MACs, whether the review was based on provider-specific concerns. An average of 10 requirements were applicable to each MAC ADR, 7 for each ZPIC ADR, 7 for each CERT contractor ADR, and 7 for each RA ADR. [56] Compliance rates also sometimes varied among individual contractors within each contractor type. [57] Effective July 16, 2012, CMS's Medicare Program Integrity Manual required MAC, RA, and CERT contractor ADRs to notify providers that the requested documents are to be submitted within 45 days, and required ZPIC ADRs to give providers a 30-day submission deadline. Most of the MAC ADRs and all of the CERT contractor ADRs we reviewed that were issued after that date gave providers 30 days, the time frame that ceased to apply as of CMS's update to its manual. As of November 2013, CMS had not updated the CERT contractor ADR form letter to reflect the new time frame, but the CERT contractor takes multiple steps after 30 days to obtain the requested documents, according to CMS officials. Of the 10 ZPIC letters for which this requirement was applicable, 2 gave providers 15 days and 1 gave 5 days, rather than the required 30 days; in 2 cases, the ZPIC did not give the provider any written submission deadline. CMS established separate guidance for when contractors may deny a claim after sending ADRs. Providers have at least 30 days to respond to a ZPIC ADR, 45 days to respond to a MAC or RA ADR, and 75 days to respond to a CERT contractor ADR before the contractor has the authority to deny the claim. [58] Similar to ADRs, the number of requirements for results letters differed by contractor type. On average, 18 requirements were applicable to each MAC results letter, 14 for each ZPIC results letter, and 8 for each RA results letter. [59] CMS officials told us that the demand letters the MACs send to providers about overpayments subsequent to the results letters are also required to include information about providers' rights. [60] We scored the letters as nonresponsive. [61] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G], sections related to control activities. [62] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and [hyperlink, http://www.gao.gov/products/GAO-01-1008G], sections related to monitoring. [63] CMS also requires each contractor to have a plan to outline its internal quality assurance processes. In addition, CMS has requirements about contractors' staffing and training that can help ensure the accuracy of their postpayment claims reviews. See [hyperlink, http://www.gao.gov/products/GAO-13-522]. CMS also requires the CERT contractor to re-review any claim for which the CERT reviewer initially disagreed with the MAC's claims determination. [64] In 2014, CMS plans to award four new RA contracts to review Medicare Part A and B claims and one new national RA contract to review DME, home health, and hospice claims. In response to our July 2013 report, which noted that CMS's quality assurance requirements differed across contractors and that RAs were not required to have internal IRR review of their decisions, CMS revised its Medicare Program Integrity Manual to include internal IRR review of their decisions as a requirement for the RAs. CMS officials said the requirement will apply to RAs under the new contracts. Although RAs are not required to conduct IRR assessments under the terms of their existing contracts, representatives of several RAs told us they did so as a quality control measure. See [hyperlink, http://www.gao.gov/products/GAO-13-522]. [65] CMS specifies that the CERT contractor should review at least 300 completed claims per month and provides guidance on selecting claims to review. CMS officials told us that they have reviewed and approved the CERT contractor's IRR assessment process. CMS officials also told us that MACs' and ZPICs' IRR assessment methods can differ. [66] CMS officials stated they conduct on-site visits to the MACs as part of their regular MAC monitoring and evaluation efforts. They also noted that they do not require MACs to achieve a minimum rate of interrater agreement. [67] CMS officials added that they do not expect ZPICs to achieve a minimum rate of inter-rater agreement. [68] According to CMS officials, in 2010 and 2011, CMS reviewed MAC claims in several clinical areas, including physical therapy, hospice, and chiropractic services. In 2012 and 2013, CMS reviewed claims related to power mobility devices. [69] An investigation consists of ZPIC staff evaluating a provider to determine if fraud may have occurred. If a ZPIC investigation uncovers suspected instances of fraud, the ZPIC must refer the investigation to the HHS OIG for further examination and, if the HHS OIG declines to investigate, the ZPIC may refer the issue to other law enforcement entities. A ZPIC investigation that is referred to and accepted by law enforcement for further exploration and potential prosecution is called a case. [70] CMS officials noted that they also can conduct "special studies" to review the RAs' work when there is a concern, such as if a large number of the RAs' decisions are appealed or there are complaints from provider associations. In fiscal years 2012 and 2013, CMS conducted studies on issues such as minor surgeries, cardiovascular procedures, and digestive system diseases and disorders. CMS officials stated that they also review RAs periodically during the year as part of their performance assessment. [71] Postpayment claims review activities that contractors generally have in common include obtaining medical documentation from providers, applying Medicare policy to determine if an improper payment was made, and reducing inappropriate duplicative claims reviews. [72] Technical direction letters are a way to give technical direction to contractors on a wide range of activities, not just postpayment claims review activities. [73] According to CMS officials, the Enterprise Electronic Change Information Management Portal system is formal in that it provides a uniform entry and validation process before any changes to CMS documents are finalized. In addition, there are written instructions for how CMS officials are to submit, share, and sign off on documents in the Enterprise Electronic Change Information Management Portal. [74] Unlike the Medicare Program Integrity Manual and other manuals, the statements of work and technical direction letters for RAs, ZPICs, and the CERT contractor are generally specific to individual contractor types. [75] [hyperlink, http://www.gao.gov/products/GAO-13-522] reported differences in contractor requirements for oversight of claims selections, time frames for providers to submit documentation, reviewer staffing, and processes to ensure the quality of claims reviews. [76] As reported in [hyperlink, http://www.gao.gov/products/GAO-13-522], in some cases, because their functions differ, having differing requirements for the four contractor types is appropriate. However, CMS officials indicated that other requirement differences across contractors generally developed as a result of setting requirements at different times by staff in different parts of the agency--not because the differences were needed. [77] Office of Management and Budget, Memorandum M-11-24 (June 13, 2011) and [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [78] Establishing compatible policies, procedures, and other ways of operating across organizational boundaries is a practice we have identified to help facilitate and enhance collaborative efforts. See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [79] This requirement does not apply to the CERT contractor, which reviews claims for the entire nation, not just a specific geographic region. [80] Although CMS guidance on what should be included in these agreements varies by the contractors' relationships to each other, in general, JOAs are to specify how the contractors intend to interact with one another. For example, CMS guidance states that JOAs between MACs and RAs should include a communication process and time frames for adjustments, recoupment, appeals, inquiries, and receipt of provider names and addresses. [81] Our analysis determined there should be 27 JOAs between MACs and RAs; 29 JOAs between MACs and ZPICs; and 6 JOAs between ZPICs and RAs. However, two of the RAs that had contracts starting in 2008 did not have established JOAs with the ZPICs until November 2013. [82] [hyperlink, http://www.gao.gov/products/GAO-12-1022]. [83] Vulnerabilities to improper payment represent billing practices or patterns that are or may be associated with significant amounts of improper payments. [84] Department of Health and Human Services, Office of Inspector General, Medicare Recovery Audit Contractors and CMS's Actions to Address Improper Payments, Referrals of Potential Fraud, and Performance, OEG-04-11-00680 (Washington, D.C.: August 2013). [85] Representatives from 3 RAs indicated to us that they refer instances of potential fraud to CMS, not to ZPICs directly. [86] The RA and CERT contractor statements of work had specific requirements for these letters, but the statements of work for the ZPICs and MACs did not. [87] We obtained correspondence from the CERT documentation contractor, which notifies providers that their claim has been selected and receives the provider's documentation. The CERT documentation contractor then gives this information to the CERT review contractor, which reviews the documentation to make a determination about whether the claim was properly paid. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]