This is the accessible text file for GAO report number GAO-11-822T entitled 'Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services' which was released on July 12, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Federal Financial Management, Government Information, Federal Service, and International Security, Committee on Homeland Security and Government Affairs, U.S. Senate: For Release on Delivery: Expected at 2:30 p.m. EDT: Tuesday, July 12, 2011: Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services: Statement of Joel C. Willemssen: Managing Director, Information Technology: GAO-11-822T: Mr. Chairman and Members of the Subcommittee: I am pleased to participate in today's hearing on the Centers for Medicare and Medicaid Services' (CMS) efforts to protect the integrity of the Medicare and Medicaid programs, particularly through the use of information technology to help improve the detection of fraud, waste, and abuse in these programs. As you are aware, CMS is responsible for administering the Medicare and Medicaid programs[Footnote 1] and leading efforts to reduce improper payments of claims for medical treatment, services, and equipment. Improper payments are overpayments or underpayments that should not have been made or were made in an incorrect amount; they may be due to errors, such as the inadvertent submission of duplicate claims for the same service, or misconduct, such as fraud or abuse. The Department of Health and Human Services reported about $70 billion in improper payments in the Medicare and Medicaid programs in fiscal year 2010. Operating within the Department of Health and Human Services, CMS conducts reviews to prevent improper payments before claims are paid and to detect claims that were paid in error. These activities are predominantly carried out by contractors who, along with CMS personnel, use various information technology solutions to consolidate and analyze data to help identify the improper payment of claims. For example, these program integrity analysts may use software tools to access data about claims and then use those data to identify patterns of unusual activities by matching services with patients' diagnoses. In 2006, CMS initiated activities to centralize and make more accessible the data needed to conduct these analyses and to improve the analytical tools available to its own and contractor analysts. At the Subcommittee's request, we have been reviewing two of these initiatives--the Integrated Data Repository (IDR), which is intended to provide a single source of data related to Medicare and Medicaid claims, and the One Program Integrity (One PI) system, a Web-based portal[Footnote 2] and suite of analytical software tools used to extract data from IDR and enable complex analyses of these data. According to CMS officials responsible for developing and implementing IDR and One PI, the agency had spent approximately $161 million on these initiatives by the end of fiscal year 2010. My testimony, in conjunction with a report that we are releasing today,[Footnote 3] summarizes the results of our study--which specifically assessed the extent to which IDR and One PI have been developed and implemented and CMS's progress toward achieving its goals and objectives for using these systems to detect fraud, waste, and abuse. All work on which this testimony is based was conducted at CMS's headquarters in Baltimore, Maryland, between June 2010 and July 2011, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Like financial institutions, credit card companies, telecommunications firms, and other private sector companies that take steps to protect customers' accounts, CMS uses information technology to help detect cases of improper claims and payments. For more than a decade, the agency and its contractors have used automated software tools to analyze data from various sources to detect patterns of unusual activities or financial transactions that indicate payments could have been made for fraudulent charges or improper payments. For example, to identify unusual billing patterns and support investigations and prosecutions of cases, analysts and investigators access information about key actions taken to process claims as they are filed and the specific details about claims already paid. This would include information on claims as they are billed, adjusted, and paid or denied; check numbers on payments of claims; and other specific information that could help establish provider intent. CMS uses many different means to store and manipulate data and, since the establishment of the agency's program integrity initiatives in the 1990s, has built multiple, disparate databases and analytical software tools to meet the individual and unique needs of various programs within the agency. In addition, data on Medicaid claims are stored by the states in multiple systems and databases, and are not readily available to CMS. According to agency program documentation, these geographically distributed, regional approaches to data storage result in duplicate data and limit the agency's ability to conduct analyses of data on a nationwide basis. As a result, CMS has been working for most of the past decade to consolidate its databases and analytical tools. CMS's Initiative to Develop a Centralized Source of Medicare and Medicaid Data: In 2006, CMS officials expanded the scope of a 3-year-old data modernization strategy to not only modernize data storage technology, but also to integrate Medicare and Medicaid data into a centralized repository so that CMS and its partners could access the data from a single source. They called the expanded program IDR. According to program officials, the agency's vision was for IDR to become the single repository for CMS's data and enable data analysis within and across programs. Specifically, this repository was to establish the infrastructure for storing data related to Medicaid and Medicare Parts A, B, and D claims processing,[Footnote 4] as well as a variety of other agency functions, such as program management, research, analytics, and business intelligence. CMS envisioned an incremental approach to incorporating data into IDR. Specifically, it intended to incorporate data related to paid claims for all Medicare Part D data by the end of fiscal year 2006, and for Medicare Parts A and B data by the end of fiscal year 2007. The agency also planned to begin to incrementally add all Medicaid data for the 50 states in fiscal year 2009 and to complete this effort by the end of fiscal year 2012. Initial program plans and schedules also included the incorporation of additional data from legacy CMS claims-processing systems that store and process data related to the entry, correction, and adjustment of claims as they are being processed, along with detailed financial data related to paid claims. According to program officials, these data, called "shared systems" data, are needed to support the agency's plans to incorporate tools to conduct predictive analysis of claims as they are being processed, helping to prevent improper payments. Shared systems data, such as check numbers and amounts related to claims that have been paid, are also needed by law enforcement agencies to help with fraud investigations. CMS initially planned to have all the shared systems data included in IDR by July 2008. CMS's Initiative to Develop and Implement Analytical Tools for Detecting Fraud, Waste, and Abuse: Also in 2006, CMS initiated the One PI program with the intention of developing and implementing a portal and software tools that would enable access to and analysis of claims, provider, and beneficiary data from a centralized source. The agency's goal for One PI was to support the needs of a broad program integrity user community, including agency program integrity personnel and contractors who analyze Medicare claims data, along with state agencies that monitor Medicaid claims. To achieve its goal, agency officials planned to implement a tool set that would provide a single source of information to enable consistent, reliable, and timely analyses and improve the agency's ability to detect fraud, waste, and abuse. These tools were to be used to gather data from IDR about beneficiaries, providers, and procedures and, combined with other data, find billing aberrancies or outliers. For example, an analyst could use software tools to identify potentially fraudulent trends in ambulance services by gathering the data about claims for ambulance services and medical treatments, and then use other software to determine associations between the two types of services. If the analyst found claims for ambulance travel costs but no corresponding claims for medical treatment, it might indicate that further investigation could prove that the billings for those services were fraudulent. According to agency program planning documentation, the One PI system was also to be developed incrementally to provide access to IDR data, analytical tools, and portal functionality. CMS planned to implement the One PI portal and two analytical tools for use by program integrity analysts on a widespread basis by the end of fiscal year 2009. The agency engaged contractors to develop the system. IDR and One PI Are in Use, but Lack Data and Functionality Essential to CMS's Program Integrity Efforts: IDR has been in use by CMS and contractor program integrity analysts since September 2006 and currently incorporates data related to claims for reimbursement of services under Medicare Parts A, B, and D. According to program officials, the integration of these data into IDR established a centralized source of data previously accessed from multiple disparate system files. However, although the agency has been incorporating data from various sources since 2006, IDR does not yet include all the data that were planned to be incorporated by the end of 2010 and that are needed to support enhanced program integrity initiatives. Specifically, although initial program integrity requirements included the incorporation of the shared systems data by July 2008, these data have not yet been added to IDR. As such, analysts are not able to access certain data from IDR that would help them identify and prevent payment of fraudulent claims. According to IDR program officials, the shared systems data were not incorporated as planned because funding for the development of the software and acquisition of the hardware needed to meet this requirement was not approved until the summer of 2010. Since then, IDR program officials have developed project plans and identified user requirements, and told us that they plan to incorporate shared systems data by November 2011. In addition, IDR does not yet include the Medicaid data that are critical to analysts' ability to detect fraud, waste, and abuse in this program. While program officials initially planned to incorporate 20 states' Medicaid data into IDR by the end of fiscal year 2010, the agency had not incorporated any of these data into the repository as of May 25, 2011. Program officials told us that the original plans and schedules for obtaining Medicaid data did not account for the lack of funding for states to provide Medicaid data to CMS, or the variations in the types and formats of data stored in disparate state Medicaid systems. Consequently, the officials were not able to collect the data from the states as easily as they expected and did not complete this activity as originally planned. In December 2009, CMS initiated another agencywide program intended to, among other things, identify ways to collect Medicaid data from the many disparate state systems and incorporate the data into a single data store. As envisioned by CMS, this program, the Medicaid and Children's Health Insurance Program Business Information and Solutions (MACBIS) program, is to include activities in addition to providing expedited access to current data from state Medicaid programs. According to agency planning documentation, as a result of efforts to be initiated under the MACBIS program, CMS expects to incorporate Medicaid data for all 50 states into IDR by the end of fiscal year 2014. This enterprisewide initiative is expected to cost about $400 million through fiscal year 2016. However, program officials have not defined plans and reliable schedules for incorporating the additional data into IDR that are needed to support the agency's program integrity goals. Yet, doing so is essential to ensuring that CMS does not repeat mistakes of the past that stand to jeopardize the overall success of its current efforts. In this regard, more than a decade ago, we reported on the agency's efforts to replace multiple claims processing systems with a single, unified system.[Footnote 5] Among other things, that system was intended to provide an integrated database to help the agency in identifying fraud and abuse. However, as the system was being developed, we reported repeatedly that the agency was not applying effective investment management practices to its planning and management of the project. Further, we reported that the agency had no assurance that the project would be cost-effective, delivered within estimated timeframes, or even improve the processing of Medicare claims. Lacking these vital project management elements, CMS subsequently halted that troubled initiative without delivering the intended system--after investing more than $80 million over 3-and-a- half years. Until the agency defines plans and reliable schedules for incorporating the additional data into IDR, it cannot ensure that current development, implementation, and deployment efforts will provide the data and technical capabilities needed to enhance CMS's efforts to detect potential cases of fraud, waste, and abuse. Beyond the IDR initiative, CMS program integrity officials have not yet taken appropriate actions to ensure the use of One PI on a widespread basis for program integrity purposes. According to program officials, the system was deployed in September 2009 as originally planned and consisted of a portal that provided Web-based access to software tools used by CMS and contractor analysts to retrieve and analyze data stored in IDR. As currently implemented, the system provides access to two analytical tools. One tool is a commercial off- the-shelf decision support tool that is used to perform data analysis to, for example, detect patterns of activities that may identify or confirm suspected cases of fraud, waste, or abuse. The second tool provides users with extended capabilities to perform more complex analyses of data. For example, it allows the user to customize and create ad hoc queries of claims data across the different parts of the Medicare program. However, while program officials deployed the One PI portal and two analytical tools, the system is not being used as widely as planned because CMS and contractor analysts have not received the necessary training for its use. In this regard, program planning documentation from August 2009 indicated that One PI program officials had planned for 639 analysts to be trained and using the system by the end of fiscal year 2010; however, CMS confirmed that by the end of October 2010, only 42 of those intended users had been trained to use One PI, with 41 actively using the portal and tools. These users represent fewer than 7 percent of the users originally intended for the program. Program officials responsible for implementing the system acknowledged that their initial training plans and efforts had been insufficient and that they had consequently initiated activities and redirected resources to redesign the One PI training plan in April 2010; they began to implement the new training program in July of that year. As of May 25, 2011, One PI officials told us that 62 additional analysts had signed up to be trained in 2011 and that the number of training classes for One PI had been increased from two to four per month. Agency officials, in commenting on our report, stated that since January 2011, 58 new users had been trained; however, they did not identify an increase in the number of actual users of the system. Nonetheless, while these activities indicate some progress toward increasing the number of One PI users, the number of users expected to be trained and to begin using the system represents a small fraction of the population of 639 intended users. Moreover, as of late May 2011, One PI program officials had not yet made detailed plans and developed schedules for completing training of all the intended users. Agency officials concurred with our conclusion that CMS needs to take more aggressive steps to ensure that its broad community of analysts is trained. Until it does so, the use of One PI may remain limited to a much smaller group of users than the agency intended, and CMS will continue to face obstacles in its efforts to deploy One PI for widespread use throughout its community of program integrity analysts. CMS Is Not Yet Positioned to Identify Financial Benefits or to Fully Meet Program Integrity Goals and Objectives through the Use of IDR and One PI: Because IDR and One PI are not being used as planned, CMS officials are not yet in a position to determine the extent to which the systems are providing financial benefits or supporting the agency's initiatives to meet program integrity goals and objectives. As we have reported, agencies should forecast expected benefits and then measure actual financial benefits accrued through the implementation of information technology programs.[Footnote 6] Further, the Office of Management and Budget (OMB) requires agencies to report progress against performance measures and targets for meeting them that reflect the goals and objectives of the programs.[Footnote 7] To do this, performance measures should be outcome-based and developed with stakeholder input, and program performance must be monitored, measured, and compared to expected results so that agency officials are able to determine the extent to which goals and objectives are being met. In addition, industry experts describe the need for performance measures to be developed with stakeholders' input early in a project's planning process to provide a central management and planning tool and to monitor the performance of the project against plans and stakeholders' needs. While CMS has shown some progress toward meeting the programs' goals of providing a centralized data repository and enhanced analytical capabilities for detecting improper payments due to fraud, waste, and abuse, the current implementation of IDR and One PI does not position the agency to identify, measure, and track financial benefits realized from reductions in improper payments as a result of the implementation of either system. For example, program officials stated that they had developed estimates of financial benefits expected to be realized through the use of IDR. The most recent projection of total financial benefits was reported to be $187 million, based on estimates of the amount of improper payments the agency expected to recover as a result of analyzing data provided by IDR. With estimated life-cycle program costs of $90 million through fiscal year 2018, the resulting net benefit expected from implementing IDR was projected to be $97 million. However, as of March 2011, program officials had not identified actual financial benefits of implementing IDR. Further, program officials' projection of financial benefits expected as a result of implementing One PI was most recently reported to be approximately $21 billion. This estimate was increased from initial expectations based on assumptions that accelerated plans to integrate Medicare and Medicaid data into IDR would enable One PI users to identify increasing numbers of improper payments sooner than previously estimated, thus allowing the agency to recover more funds that have been lost due to payment errors. However, the current implementation of One PI has not yet produced outcomes that position the agency to identify or measure financial benefits. CMS officials stated at the end of fiscal year 2010--more than a year after deploying One PI--that it was too early to determine whether the program has provided any financial benefits. They explained that, since the program had not met its goal for widespread use of One PI, there were not enough data available to quantify financial benefits attributable to the use of the system. These officials said that as the user community is expanded, they expect to be able to begin to identify and measure financial and other benefits of using the system. In addition, program officials have not developed and tracked outcome- based performance measures to help ensure that efforts to implement One PI and IDR meet the agency's goals and objectives for improving the results of its program integrity initiatives. For example, outcome- based measures for the programs would indicate improvements to the agency's ability to recover funds lost because of improper payments of fraudulent claims. However, while program officials defined and reported to OMB performance targets for IDR related to some of the program's goals, they do not reflect the goal of the program to provide a single source of Medicare and Medicaid data that supports enhanced program integrity efforts. Additionally, CMS officials have not developed quantifiable measures for meeting the One PI program's goals. For example, performance measures and targets for One PI include increases in the detection of improper payments for Medicare Parts A and B claims. However, the limited use of the system has not generated enough data to quantify the amount of funds recovered from improper payments. Because it lacks meaningful outcome-based performance measures and sufficient data for tracking progress toward meeting performance targets, CMS does not have the information needed to ensure that the systems are useful to the extent that benefits realized from their implementation help the agency meet program integrity goals. Further, until CMS is better positioned to identify and measure financial benefits and establishes outcome-based performance measures to help gauge progress toward meeting program integrity goals, it cannot be assured that the systems will contribute to improvements in CMS's ability to detect fraud, waste, and abuse in the Medicare and Medicaid programs, and prevent or recover billions of dollars lost to improper payments of claims. Given the critical need for CMS to improve the management of and reduce improper payments within the Medicare and Medicaid programs, our report being released today recommends a number of actions that we consider vital to helping CMS achieve more widespread use of IDR and One PI for program integrity purposes. Specifically, we are recommending that the Administrator of CMS: * finalize plans and develop schedules for incorporating additional data into IDR that identify all resources and activities needed to complete tasks and that consider risks and obstacles to the IDR program; * implement and manage plans for incorporating data in IDR to meet schedule milestones; * establish plans and reliable schedules for training all program integrity analysts intended to use One PI; * establish and communicate deadlines for program integrity contractors to complete training and use One PI in their work; * conduct training in accordance with plans and established deadlines to ensure schedules are met and program integrity contractors are trained and able to meet requirements for using One PI; * define any measurable financial benefits expected from the implementation of IDR and One PI; and: * with stakeholder input, establish measurable, outcome-based performance measures for IDR and One PI that gauge progress toward meeting program goals. In commenting on a draft of our report, CMS agreed with these recommendations and indicated that it plans to take steps to address the challenges and problems that we identified during our study. In summary, CMS's success toward meeting its goals to enhance program integrity will depend upon the agency's incorporation of all needed data into IDR as well as the effective use of the systems by the agency's broad community of program integrity analysts. In addition, a vital step will be the identification of measurable financial benefits and performance goals expected to be attained through improvements in the agency's ability to prevent and detect fraudulent, wasteful, and abusive claims and resulting improper payments. In taking these steps, the agency will better position itself to determine whether these systems are useful for enhancing CMS's ability to identify fraud, waste, and abuse and, consequently, reduce the loss of funds resulting from improper payments of Medicare and Medicaid claims. Mr. Chairman, this concludes my prepared statement. I would be pleased to answer any questions you or other Members of the Subcommittee may have. GAO Contacts and Staff Acknowledgments: If you have questions concerning this statement, please contact Joel C. Willemssen, Managing Director, Information Technology Team, at (202) 512-6253 or willemssenj@gao.gov; or Valerie C. Melvin, Director, Information Management and Human Capital Issues, at (202) 512-6304 or melvinv@gao.gov. Other individuals who made key contributions include Teresa F. Tucker (Assistant Director), Sheila K. Avruch (Assistant Director), April W. Brantley, Clayton Brisson, Neil J. Doherty, Amanda C. Gill, Nancy Glover, Kendrick M. Johnson, Lee A. McCracken, Terry L. Richardson, Karen A. Richey, and Stacey L. Steele. [End of section] Footnotes: [1] Medicaid is a joint federal-state program for certain low-income individuals. [2] The One PI portal is a Web-based user interface that enables a single login through centralized, role-based access to the system. [3] GAO, Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use, [hyperlink, http://www.gao.gov/products/GAO-11-475] (Washington, D.C.: June 30, 2011). [4] Medicare Part A provides payment for inpatient hospital, skilled nursing facility, some home health, and hospice services, while Part B pays for hospital outpatient, physician, some home health, durable medical equipment, and preventive services. Further, all Medicare beneficiaries may purchase coverage for outpatient prescription drugs under Medicare Part D. [5] GAO, Medicare Automated Systems: Weaknesses in Managing Information Technology Hinder Fight Against Fraud and Abuse, [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-97-176] (Washington, D.C.: September 29, 1997). At the time of this report, CMS was known as the Health Care Financing Administration. [6] GAO, Secure Border Initiative: DHS Needs to Reconsider Its Proposed Investment in Key Technology Program, [hyperlink, http://www.gao.gov/products/GAO-10-340] (Washington, D.C.: May 5, 2010) and DOD Business Systems Modernization: Planned Investment in Navy Program to Create Cashless Shipboard Environment Needs to be Justified and Better Managed, [hyperlink, http://www.gao.gov/products/GAO-08-922] (Washington, D.C.,: Sept. 8, 2008). [7] OMB, Guide to the Performance Assessment Rating Tool. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E- mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: