This is the accessible text file for GAO report number GAO-05-656 entitled 'Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers' which was released on October 12, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Finance, U.S. Senate: United States Government Accountability Office: GAO: September 2005: Medicare: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers: GAO-05-656: GAO Highlights: Highlights of GAO-05-656, a report to the Chairman, Committee on Finance, U.S. Senate: Why GAO Did This Study: In fiscal year 2004, the Centers for Medicare & Medicaid Services (CMS) estimated that Medicare improperly paid $900 million for durable medical equipment, prosthetics, orthotics, and supplies—in part due to fraud by suppliers. To deter such fraud, CMS contracts with the National Supplier Clearinghouse (NSC) to verify that suppliers meet 21 standards before they can bill Medicare. NSC verifies adherence to the standards through on-site inspections and document reviews. Recent prosecutions of fraudulent suppliers suggest that there may be weaknesses in NSC’s efforts to screen suppliers or in the standards. In this report, GAO evaluated: 1) NSC’s efforts to verify suppliers’ compliance with the 21 standards, 2) the adequacy of the standards to screen suppliers, and 3) CMS’s oversight of NSC’s efforts. What GAO Found: NSC’s efforts to verify compliance with the 21 standards are insufficient because of weaknesses in two key screening procedures—checking state licensure and conducting on-site inspections. NSC’s licensure check is ineffective because it relies on self-reported information about the items suppliers intend to provide to beneficiaries and does not match this against actual billing later. We found a total of 22 suppliers in Florida, Louisiana, and Texas that had each been paid at least $1,000 by Medicare in 2004 for providing oxygen services, but did not have the required state license. Further, more than half of the almost $107 million paid by Medicare for custom- fabricated orthotics and prosthetics in Florida in 2004 went to suppliers that had not had their licenses checked. At least 46 of these suppliers were under investigation for fraud as of April 2005. NSC’s on- site inspections also have weaknesses that limit their effectiveness. We estimate that NSC did not conduct required on-site inspections of 605 suppliers. Further, when conducting on-site inspections, NSC does not require its inspectors to examine beneficiary files to assess whether suppliers are meeting the standard to maintain proof of delivery or check whether suppliers have a real source of inventory, as required by Medicare. Medicare’s 21 standards are currently too weak to be used effectively to screen medical equipment suppliers. Although Medicare paid suppliers about $8.8 billion in fiscal year 2004, the program’s 21 standards do not include measures related to supplier integrity and capability analogous to those that federal agencies generally apply to prospective contractors or those used by at least two state Medicaid programs for their suppliers. For example, in sworn testimony before the Committee on Finance in April 2004, an individual who pleaded guilty to Medicare fraud described how she was able to open a sham business with $3,000—despite lacking the experience and the financial, technical, and managerial resources to operate a legitimate supply company. If an agency finds a company does not meet federal contracting standards for integrity and capability, the agency may decline to award it a contract. If a contractor performs inadequately, the agency can terminate the contract. Further, agencies may disqualify a contractor from competing for other federal contracts. In addition, a California supplier that is disenrolled from Medicaid for failing to meet state requirements cannot reenroll for 3 years. In contrast, if a Medicare supplier can later demonstrate compliance with the 21 standards, CMS readmits it into the program. CMS’s oversight has not been sufficient to determine whether NSC is meeting its responsibilities in screening and enrolling DMEPOS suppliers. For example, CMS was unaware—until we informed the agency—that NSC had not conducted all required on-site inspections for suppliers. Moreover, while CMS has established performance goals for NSC related primarily to processing applications, it has not established a method to evaluate NSC’s success in identifying noncompliant and fraudulent suppliers and recommending that they be removed from the program. What GAO Recommends: GAO suggests that the Congress consider whether suppliers found to be noncompliant should wait a specified period of time before having their billing numbers reissued. GAO is also making several recommendations to the CMS Administrator to improve NSC’s licensure verification and on- site inspections, the supplier standards, and CMS’s oversight of NSC. CMS generally concurred with all of the recommendations and provided information on the actions it was taking to implement each of them. www.gao.gov/cgi-bin/getrpt?GAO-05-656. To view the full product, including the scope and methodology, click on the link above. For more information, contact Leslie G. Aronovitz at (312) 220-7600 or aronovitzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: NSC's Efforts Are Insufficient to Verify Suppliers' Compliance with the 21 Standards: Medicare's Standards Are Too Weak to be Used Effectively to Screen DMEPOS Suppliers: CMS's Oversight Is Insufficient to Determine Whether NSC Screens and Monitors Suppliers Effectively: Conclusions: Matter for Congressional Consideration: Recommendations: Agency Comments: Appendix I: Objectives, Scope, and Methodology: Appendix II: Medicare's 21 Standards for Suppliers and NSC's Procedures to Verify Their Compliance: Appendix III: Agency Comments: Appendix IV: GAO Contact and Staff Acknowledgments: Related GAO Products: Tables: Table 1: Suppliers That Should Not Have Billed for Oxygen Services, but Were Paid at Least $1,000 for Them in 2004: Table 2: Examples of Suppliers That Had Billing Privileges Revoked, Were Reinstated, and Billed Improperly After Readmission into Medicare: Table 3: Medicare's 21 Standards for Medicare Suppliers of DME, Prosthetics, Orthotics, and Supplies and NSC's Procedures at Enrollment and Reenrollment to Verify Compliance with the Standards: Figure: Figure 1: Medicare Payments for Prosthetics and Custom-Fabricated Orthotics to Florida Suppliers That Did and Did Not Disclose Intention to Bill for These Items, 2003 and 2004: Abbreviations: CMS: Centers for Medicare & Medicaid Services: DME: durable medical equipment: DMEPOS: durable medical equipment, prosthetics, orthotics, and supplies: FBI: Federal Bureau of Investigation: MMA: Medicare Prescription Drug, Improvement, and Modernization Act of 2003: NSC: National Supplier Clearinghouse: OIG: Office of Inspector General: OSI: Overland Solutions, Inc.: SACU: Supplier Audit and Compliance Unit: United States Government Accountability Office: Washington, DC 20548: September 22, 2005: The Honorable Charles E. Grassley: Chairman: Committee on Finance: United States Senate: Dear Mr. Chairman: Medicare is the federal program that helps pay for a variety of health care services and items on behalf of almost 42 million elderly and certain disabled beneficiaries. One of the responsibilities of the Centers for Medicare & Medicaid Services (CMS), the agency that administers Medicare, is to minimize improper payments made on behalf of its beneficiaries. Improper payments result from mistakes on the part of those who bill Medicare; abusive activities; or fraud, which is intentional misrepresentation. According to CMS estimates, in fiscal year 2004, Medicare paid about $8.8 billion in claims for durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS), of which $900 million were improper payments.[Footnote 1] As we previously reported in November 2004, some improper payments were made to DMEPOS suppliers that were committing fraud.[Footnote 2] For example, in one 2003 criminal case, 20 individuals in Arizona pleaded guilty to charges of defrauding Medicare of more than $25 million by creating about 30 sham companies that billed for DMEPOS items that they did not deliver or that had not been ordered by the beneficiaries' physicians.[Footnote 3] Similarly, in 2004, the government won a civil suit against 24 DMEPOS suppliers for $366 million as treble damages to settle charges of falsely billing Medicare for items not needed or delivered as claimed. Because identifying and prosecuting suppliers[Footnote 4] engaged in fraudulent activity is time consuming, resource intensive, and costly, CMS tries to prevent potentially fraudulent entities from entering the Medicare program. To do so, using its statutory authority, CMS developed regulations that define the 21 standards that DMEPOS suppliers must meet to be authorized to bill Medicare for items and services that they provide to beneficiaries.[Footnote 5] The 21 standards are intended to help ensure that suppliers are legitimate businesses as well as properly licensed by the states in which they operate--and therefore qualified--to provide DMEPOS items and services. CMS contracts with the National Supplier Clearinghouse (NSC) to screen potential suppliers and enroll those that comply with the 21 standards into the Medicare program. NSC verifies DMEPOS suppliers' compliance with most of the standards through on-site inspections[Footnote 6] and conducts other verification procedures using information from the applications or gathered during the on-site inspections. Enrolled suppliers are authorized to bill Medicare, and to retain their billing privileges must apply for reenrollment and be rescreened every 3 years. NSC may also verify compliance with the standards at other times-- usually when it receives information about possible noncompliance or fraud. Despite these safeguards, recent prosecutions of fraudulent suppliers that successfully billed Medicare suggest that there may be weaknesses in NSC's efforts to verify compliance with the standards or in the standards themselves. Due to concerns that such weaknesses may leave the Medicare program vulnerable to improper billing practices or allow unqualified suppliers to serve beneficiaries, you asked us to examine the procedures used by NSC to ensure that DMEPOS suppliers are legitimate businesses and are qualified to bill Medicare. In this report, we evaluated: 1) NSC's efforts to verify suppliers' compliance with the 21 standards, 2) the adequacy of the standards used to screen suppliers, and 3) CMS's oversight of NSC's efforts. To evaluate NSC's efforts to verify suppliers' compliance with the standards, we examined NSC's contract statement of work and its written procedures. Through this analysis, we determined that checking DMEPOS suppliers' state licenses[Footnote 7] and conducting on-site inspections were two of the most important verification procedures and we focused our review on them.[Footnote 8] We analyzed Medicare DMEPOS claims data for 2003 and 2004 in four states--Florida, Illinois, Louisiana, and Texas--and information from NSC's supplier database.[Footnote 9] This helped us determine whether suppliers had the state licenses necessary for the items they billed and whether NSC had conducted all required on-site inspections. We chose these states because they have licensure requirements for certain DMEPOS items and have suppliers with fraudulent Medicare DMEPOS billings. We assessed the reliability of the 2003 and 2004 claims data from CMS and the NSC supplier data files by performing electronic testing of required data elements, reviewing existing information about the data and the systems that produced them, and interviewing CMS and NSC officials knowledgeable about the data. We determined that these data were sufficiently reliable to address the issues in this report. We also accompanied NSC staff on supplier on-site inspections and had our Forensic Audits and Special Investigations staff investigate selected suppliers and companies associated with them in Florida and Texas. To determine the adequacy of the 21 standards to screen suppliers, we compared them to certain standards applicable to government contracting and for participating as Medicaid[Footnote 10] DMEPOS suppliers in California and Florida. Further, we analyzed appeals from suppliers that had their supplier numbers denied or revoked to better understand their infractions and obtained documentation on criminal cases of suppliers that had defrauded Medicare or were under active investigation. We interviewed fraud inspectors at NSC and in the Department of Health and Human Services Office of Inspector General (OIG), as well as DMEPOS suppliers and their representatives. To assess CMS's oversight of NSC, we reviewed the agency's written evaluation procedures, evaluation reports, and other documents related to the agency's oversight. In addition, we interviewed NSC and CMS officials about NSC's efforts to verify compliance, the adequacy of the standards, and CMS's oversight of NSC. Appendix I includes a more detailed discussion of our scope and methodology. Our work was conducted from June 2004 to September 2005 in accordance with generally accepted government auditing standards. Results in Brief: NSC's efforts to verify compliance with the supplier standards in order to enroll only legitimate and qualified suppliers in Medicare are insufficient because of weaknesses in procedures for checking state licensure and conducting on-site inspections and gaps in NSC's performance of the procedures. NSC lacks an effective method for identifying the state licenses suppliers are required to maintain to meet the standard for adhering to all federal and state requirements. This is primarily because NSC relies on self-reported information from suppliers' enrollment applications about the items they intend to provide to beneficiaries and does not match this later against suppliers' actual billing. During our work, we found 121 suppliers in Florida, Louisiana, and Texas that had each been paid at least $1,000 by Medicare in 2004 for providing oxygen services but had not both disclosed that they would be doing so and provided a license for NSC to review. Twenty-two of these suppliers were not licensed to provide oxygen services in 2004. Further, CMS requires NSC to check state licensure only during initial enrollment, although suppliers may change the items supplied or allow licenses to lapse after enrollment. We identified 7 other suppliers in Florida, Louisiana, and Texas that lacked the needed state license to provide oxygen in 2004, although they had disclosed their intention to provide this service to NSC and were reimbursed at least $1,000 each by Medicare for providing it. We also identified 73 suppliers in Florida that billed for custom- fabricated orthotics and prosthetics without informing NSC of their intention to provide these items. Routinely identifying the suppliers that were billing without the required state license might have avoided some of the more than $56.3 million in improper payments made in Florida for custom-fabricated orthotics and prosthetics. In regard to on-site inspections, NSC's performance in conducting them exhibited weaknesses that limited their effectiveness. We estimate that NSC did not perform on-site inspections of 605 suppliers to verify those suppliers' compliance with Medicare's standards. Further, some of the procedures for conducting on-site inspections do not fully verify compliance with the standards because CMS has not required NSC to adopt a rigorous inspection process. For example, when conducting on-site inspections, NSC does not require its inspectors to examine beneficiary files to ensure that suppliers are meeting the standard for maintaining proof of delivery. Another standard requires suppliers to have inventory to fill orders, or a contract to purchase the items needed. However, if a supplier indicates that its inventory is stored off-site or is provided by another company, NSC does not require site inspectors to verify the inventory's existence or confirm that the company serving as its source is a legitimate business. Medicare's standards are currently too weak to be used effectively to screen DMEPOS suppliers. Although Medicare pays millions of dollars to suppliers, the program's 21 standards do not include measures related to supplier integrity and capability analogous to those that federal agencies generally apply to prospective contractors or those used by at least two state Medicaid programs for their suppliers. Federal agencies--including CMS--determine whether companies seeking federal contracts are "responsible"--that is, whether they have a satisfactory record of performance, integrity, and business ethics, as well as the financial, technical, and managerial ability to provide the specified products and services. According to federal requirements, agencies are not to award government contracts to companies that are not responsible. After receiving a federal government contract, a business that performs poorly on that contract can lose it and may have difficulty securing federal contracts in the future because of previous poor performance. In addition, in the case of certain serious offenses, a company can be debarred from federal contracting, generally for up to 3 years. The Florida and California Medicaid agencies also have barriers to reentry of problematic Medicaid suppliers that have violated program rules--a 3-year exclusion in some cases. In contrast, because Medicare suppliers are not CMS contractors, they are not subject to federal procurement standards. Instead, they are subject to Medicare's standards, which generally do not require suppliers to demonstrate that they are responsible and do not limit the reentry of suppliers that have remedied past noncompliance with Medicare's standards. Having weak standards for suppliers helps individuals intent on defrauding Medicare to obtain billing privileges and be paid for fraudulent claims. For example, in sworn testimony before the Senate Committee on Finance in April 2004, an individual who pleaded guilty to Medicare fraud described how she was able to obtain a billing number by opening a sham business with $3,000--despite lacking the experience and the financial, technical, and managerial resources to operate a legitimate DMEPOS company. Even when CMS revokes suppliers' billing privileges, suppliers that have violated multiple standards have been able to reenroll within an average of 3 months. CMS's oversight has not been sufficient to determine whether NSC is meeting its responsibilities in screening, enrolling, and monitoring DMEPOS suppliers. For example, CMS has not effectively overseen NSC's verification of suppliers' state licenses. In addition, CMS was unaware--until we informed the agency--that NSC had not conducted required on-site inspections for suppliers and that--in contrast to CMS requirements--NSC's procedures allow its staff to use discretion in selecting suppliers for on-site inspections. These lapses may be attributed in part to limitations in the means through which CMS oversees its contractor--an annual inspection and monthly reports. During its annual inspection, CMS analyzes a small random sample of supplier files to determine, for instance, whether NSC is conducting on- site inspections, verifying licenses, and denying or revoking billing privileges in accordance with CMS requirements. However, we determined that CMS's sample sizes are too small to identify systematic problems. Further, the monthly report CMS receives from NSC provides useful information on the contractor's workload, but does not provide information on the thoroughness of NSC's screening and enrollment efforts. Similarly, while CMS has established performance goals in NSC's contract related primarily to processing applications and handling supplier inquiries, it has not established performance goals connected to effective screening or fraud prevention efforts, such as examining whether the on-site inspections are conducted thoroughly enough to uncover noncompliance. To strengthen the supplier standards, we are suggesting that the Congress consider whether suppliers that violate the standards should have to wait a specified period of time from the date of their revocation to have a billing number reissued. We are also making several recommendations to the CMS Administrator to improve NSC's licensure verification and on-site inspections, the supplier standards, and CMS's oversight of NSC's screening efforts. CMS generally concurred with all of our recommendations and provided information on the actions it was taking to implement each of them. Background: Most Medicare beneficiaries elect to enroll in Part B insurance,[Footnote 11] which helps pay for certain physician, outpatient hospital, laboratory, and other services; DME, such as oxygen, wheelchairs, hospital beds, and walkers; prosthetics and orthotics; and certain supplies. Medicare, under Part B, pays for most DMEPOS based on a series of state-specific or regional-specific fee schedules. Under the schedules, Medicare pays 80 percent, and the beneficiary pays the balance, of either the actual charge submitted by the supplier or the fee schedule amount, whichever is less. To review and process DMEPOS claims, CMS contracts with four insurance companies, known as DME regional carriers. The DME regional carriers review and pay DMEPOS claims submitted by outpatient providers and suppliers on behalf of beneficiaries residing in specific regions of the country.[Footnote 12] CMS contracts with Palmetto Government Benefits Administrators to serve as the National Supplier Clearinghouse. In fiscal year 2004, NSC received $11.4 million for these activities, and for fiscal year 2005, its approved budget was $11.5 million. Palmetto also serves as the DME regional carrier for Region C. In addition, Palmetto serves as the Statistical Analysis Durable Medical Equipment Regional Carrier, which analyzes claims and reports to the DME regional carriers and CMS on trends in DMEPOS payment and areas of potential fraud. Medicare's Supplier Standards: Medicare's 21 supplier standards were introduced primarily to deter individuals intent on committing fraud from entering the program and to safeguard Medicare beneficiaries by ensuring that suppliers were qualified. The 21 standards apply to a variety of business practices and establish certain requirements. (See app. II for a list of the 21 standards.) For example, the standards require suppliers to have a physical facility on an appropriate site that is accessible to beneficiaries and to CMS, with stated business hours clearly posted. CMS established the requirement for having an appropriate physical facility in December 2000 after investigators discovered fraudulent suppliers without fixed locations claiming vans or station wagons as their place of business or using mail drop boxes to receive Medicare payments for items they billed but never delivered. Among other things, the standards also require suppliers to: * comply with applicable federal and state regulatory requirements, including state licensure, when providing DMEPOS items or services; * maintain inventory on site or off site, or available through valid contracts with other companies not excluded from doing business with the federal government or its health care programs; and: * obtain comprehensive liability insurance. The 21 supplier standards also prohibit certain practices. For example, one standard generally prohibits suppliers from using telephone calls to solicit new business, because the Social Security Act prohibits this type of marketing to Medicare beneficiaries.[Footnote 13] Verifying Compliance with Supplier Standards: NSC verifies compliance with the supplier standards primarily during enrollment and reenrollment, through on-site inspections[Footnote 14] and desk reviews conducted by NSC analysts. (App. II lists the standards and how NSC verifies them during enrollment and reenrollment.) For example, the on-site inspections are used to check the compliance with the standards for whether the supplier: * has a physical facility on an appropriate site that is accessible to beneficiaries and to CMS, with a clearly visible sign with hours posted; * has its own inventory in stock on site, off site at another location, or has a contract with another company for the purchase of inventory; * maintains records that document delivery of items to beneficiaries and information provided to beneficiaries on warranties, including how repairs and exchanges will be handled, and how to contact the supplier in case of questions or problems; and: * has a written beneficiary complaint resolution policy and maintains records on beneficiary complaints and their resolution. NSC's analysts are expected to follow procedures to review information provided by the on-site inspection and take other steps to verify suppliers' compliance with the standards. For example, when on site the inspectors are expected to check that the supplier has all the valid occupation and business licenses required by its state and has a comprehensive liability insurance policy. The NSC analyst is expected to check that the supplier has all the state licenses that it would need to provide the items it disclosed in its application. The NSC analyst also is expected to contact the insurance underwriter to ensure that the supplier's policy is valid,[Footnote 15] and the post office to make sure the supplier's address is listed. NSC also has a procedure to match data from its supplier database with computerized lists maintained by the federal government to ensure that supply company owners are not prohibited from participating in federal health care programs or debarred from federal contracting. NSC does not specifically verify adherence to 4 of the 21 standards at enrollment and reenrollment, because violations would generally be apparent through its verification of other standards. For example, the standard that requires suppliers to furnish NSC with complete and accurate information on the application and notify NSC of any changes within 30 days is verified through checking the accuracy of the suppliers' disclosures of information for other standards--such as ownership and the appropriateness of the physical facility. On-site Inspection Procedures: The majority of on-site inspections are conducted by more than 380 field representatives of Overland Solutions, Inc. (OSI), a company that performs this work as a subcontractor to NSC. In addition, NSC uses its own personnel, who are located in six cities, to conduct on-site inspections. NSC and OSI conducted over 20,000 on-site inspections in fiscal year 2004. In performing their reviews, the site inspectors follow certain procedures. NSC requires that site inspectors arrive unannounced for any inspection. Before the inspection, NSC provides the inspectors with briefing information on the supplier, including information on whether the supplier is enrolling or reenrolling and the type of state licenses to verify. While on site, inspectors are expected to take photographs of the supplier's sign with its business name, posted hours of operation, complete inventory in stock, and facility.[Footnote 16] NSC also expects site inspectors to obtain copies of relevant documents, such as state licenses, comprehensive liability insurance, contracts with companies for inventory, and contracts for the service and maintenance of DME. Enrollment, Disenrollment, and Appeals: As long as suppliers can demonstrate that they comply with the standards and have not been excluded from participating in any federal health care program, NSC must enroll or reenroll them in Medicare.[Footnote 17] Enrolled suppliers are issued a Medicare billing number. If NSC discovers that a new applicant or enrolled supplier is not in compliance with any of the 21 supplier standards, NSC can deny the application or, with CMS's approval, revoke the supplier's billing number.[Footnote 18] Suppliers whose applications have been denied or whose numbers have been revoked can submit a plan to NSC to correct the noncompliance or appeal the denial or revocation by requesting a hearing or both. If a supplier requests a hearing, the first level of appeal is conducted by a carrier hearing officer who was not involved in the original determination. The supplier can submit new information to address the compliance problems identified by NSC. If dissatisfied with the carrier hearing officer's ruling, either NSC or the supplier can request a review by an administrative law judge, which became the second level of appeal as of December 8, 2004.[Footnote 19] Prior to that date, second level appeal hearings were conducted by a CMS review official. At both levels of the hearing process, if the supplier can demonstrate that it is currently in compliance with the standards, the supplier will be given a billing number. Other NSC Efforts to Verify Suppliers' Compliance with Medicare's Standards: NSC's Supplier Audit and Compliance Unit (SACU) also has responsibility to help verify suppliers' compliance with the 21 standards and identify fraudulent activity. The SACU supervises NSC's site inspectors and oversees the OSI on-site inspections. It also analyzes supplier billing and enrollment patterns. Based on billing or other irregularities, the SACU can help NSC identify suppliers for additional on-site inspections. For example, the SACU might discover that several new suppliers are owned by the same individuals as other companies that are under investigation for fraudulent billing. Based on this information, the SACU could target the new suppliers for additional on-site inspections or refer the suppliers for investigation by federal law enforcement, such as the OIG and the Federal Bureau of Investigation (FBI). NSC's Efforts Are Insufficient to Verify Suppliers' Compliance with the 21 Standards: NSC's verification procedures have weaknesses that leave the Medicare program without assurance that suppliers billing the program are meeting the 21 standards, and thus, are qualified and legitimate. NSC's procedures to verify state licenses have gaps that have allowed suppliers to be paid for DMEPOS items they are not licensed to supply in their states. In part, this is because CMS has not set requirements for a stronger licensure verification effort. Further, although on-site inspections play a key role in verifying suppliers' compliance with the 21 standards, we estimate that NSC did not conduct more than 600 required on-site inspections and its inspection procedures have limitations. NSC's Procedures to Verify State Licenses Have Gaps: NSC does not have an effective means of identifying suppliers that violate the standard to have appropriate state licensure for the items they provide to beneficiaries. This is partly because CMS's requirements are inadequate to assure an effective process and partly because NSC does not have effective procedures that are consistently followed. To determine whether it needs to verify a supplier's license, NSC relies on the information the supplier provides--in enrollment or reenrollment applications--regarding the items or services the supplier intends to provide to Medicare beneficiaries. Suppliers are required to certify on their applications that they will notify CMS of any changes to the information they provided on the form. However, if the supplier fills out the application incorrectly or dishonestly and does not provide a license during an on-site inspection, NSC would not verify whether the supplier has all the licenses needed in its state. We also found that NSC did not consistently resolve discrepancies or omissions in the information provided by suppliers--such as not forwarding a copy of a needed state license--before issuing suppliers billing numbers. Further, even though suppliers may change the items they supply, CMS's contract requires NSC to verify licensure only during enrollment and does not require verification at any later time, such as during reenrollment. Thus, even if a supplier begins to bill for items that require a state license and discloses this information during reenrollment, CMS does not require NSC to check the supplier's state licenses. Further, CMS does not require NSC to recheck suppliers prior to reenrollment to ensure that the supplier's license has not lapsed. Finally, CMS has not required NSC to verify licensure after enrollment by routinely comparing a supplier's actual billing history against the DMEPOS items and services originally disclosed on the supplier's application. Without such a check, CMS lacks assurance that suppliers are billing only for items they disclosed to NSC and for which NSC has verified a license. As a result of these gaps, Medicare paid suppliers when NSC had not verified their licenses, including some suppliers that lacked the appropriate license. As table 1 shows, by analyzing 2004 DMEPOS claims data, we found 121 suppliers in Florida, Louisiana, and Texas that were each paid at least $1,000 by Medicare for oxygen services, even though they should not have billed for them. These suppliers either had not informed NSC that they would be billing for oxygen, did not provide NSC with the appropriate state license to verify, or both. Therefore, these suppliers were not in compliance with the 21 standards. In total, these suppliers were paid almost $6 million by Medicare. When we checked with the three states, we found that 22 of these suppliers did not have a license to provide oxygen in their states in 2004. These unlicensed suppliers were paid $231,730 in 2004 by Medicare for oxygen on behalf of beneficiaries. In addition, we verified licensure with the respective states for a sample of the suppliers that had disclosed to NSC their intention to bill for oxygen and had been paid at least $1,000 by Medicare for this service. Through this process, we identified 7 more suppliers that did not have the required state license to provide oxygen services in 2004. Table 1: Suppliers That Should Not Have Billed for Oxygen Services, but Were Paid at Least $1,000 for Them in 2004: Number of suppliers that should not have billed for oxygen; Florida: 62; Louisiana: 14; Texas: 45. As a percentage of all suppliers paid at least $1,000 for oxygen services in the state; Florida: 6.4; Louisiana: 10.9; Texas: 6.4. Oxygen payments to suppliers that should not have billed for oxygen; Florida: $3,299,445; Louisiana: $855,659; Texas: $1,831,868. As a percentage of payments to all suppliers paid at least $1,000 for oxygen services in the state; Florida: 2.4%; Louisiana: 4.6%; Texas: 1.5%. Number of suppliers that should not have billed for oxygen and also lacked the appropriate state license in 2004[A]; Florida: 7; Louisiana: 3; Texas: 12. Payments to suppliers that should not have billed for oxygen and lacked the appropriate state license in 2004[A]; Florida: $41,382; Louisiana: $25,322; Texas: $165,026. Source: GAO. Note: Table is based on analysis of NSC's active supplier data file as of May 31, 2004, verified by NSC; analysis of Medicare claims data for each state; and information on whether the suppliers had a license provided by the states of Florida, Louisiana, and Texas. Suppliers should not have billed for oxygen if they did not disclose to NSC the intention to do so, did not provide a license for verification, or both. [A] Suppliers that had a state license for any part of 2004 were not included. [End of table] Similarly, in 2003 and 2004, Medicare paid prosthetics and custom- fabricated orthotics[Footnote 20] claims submitted by suppliers that did not both disclose to NSC that they would supply these items and provide a copy of their licenses.[Footnote 21] Thus, they should not have been allowed to bill Medicare for these items. We found 28 suppliers in Illinois and Texas that were paid a total of about $197,000 in 2004 for prosthetics and custom-fabricated orthotics even though they should not have been billing for these items. Routinely comparing suppliers' billing to the information they report on the enrollment or reenrollment application regarding the items and services they intend to provide might have avoided some of the improper prosthetics and orthotics payments that occurred in Florida. In this state, Medicare payments for prosthetics and custom-fabricated orthotics inexplicably tripled in 1 year--from about $32.5 million in 2003 to almost $107.0 million in 2004. As figure 1 shows, most of the increase was in payments to suppliers that did not disclose to NSC that they intended to provide these items. In 2004, the 73 suppliers that did not disclose the intention to provide prosthetics or orthotics were paid more than $56.3 million. These 73 suppliers were paid more than the amount paid to the 262 suppliers that had informed NSC that they would provide these items. The DME regional carrier has established about $16.3 million as overpaid to 70 of the 73 suppliers, but has collected less than $2.3 million plus interest payments of $60,820, as of April 21, 2005.[Footnote 22] Investigative staff at the Region C DME regional carrier informed us that at least 46 of the 73 suppliers are currently under active investigation for health care fraud.[Footnote 23] Figure 1: Medicare Payments for Prosthetics and Custom-Fabricated Orthotics to Florida Suppliers That Did and Did Not Disclose Intention to Bill for These Items, 2003 and 2004: [See PDF for image] Note: Figure is based on analysis of NSC's active supplier data file as of May 31, 2004, verified by NSC, and analysis of Medicare claims data. [End of figure] When NSC reviewed each case we identified of suppliers that billed for oxygen or prosthetics and custom-fabricated orthotics without disclosing the intention to do so, its analysis revealed several types of problems with its processing of suppliers' applications. For example, in Florida, for one case that we identified, the supplier had not correctly filled out the application to disclose the intention of providing prosthetics and custom-fabricated orthotics but had given NSC a copy of its state license. In two cases, the supplier disclosed the intention of providing prosthetics and custom-fabricated orthotics, but did not give NSC a copy of its state license to review. Despite the discrepancies in the information provided by suppliers, NSC enrolled or reenrolled these suppliers. In three cases, the supplier disclosed the intention to provide prosthetics and custom-fabricated orthotics and gave NSC a copy of its license, but NSC staff did not update their information appropriately in the supplier database. During this engagement, we discussed with CMS NSC's weaknesses in verifying suppliers' licenses. CMS officials acknowledged that the law requires CMS to restrict Medicare payment of prosthetics and certain custom-fabricated orthotics to those supplied by a qualified practitioner and fabricated by a qualified practitioner or supplier.[Footnote 24] The law defines qualified practitioners as a physician; an orthotist or a prosthetist who is licensed, certified, or has credentials and qualifications approved by the Secretary of Health and Human Services; or a qualified physical therapist or occupational therapist. The law defines qualified suppliers as entities accredited by the American Board of Certification in Orthotics and Prosthetics, Inc., the Board for Orthotist/Prosthetist Certification, or a program approved by the Secretary of Health and Human Services. CMS is in the process of developing proposed regulations that would further define qualified practitioners and suppliers of prosthetics and certain custom- fabricated orthotics on a national level. As an interim step, as of October 3, 2005, CMS will be requiring its DME regional carriers to put edits in their payment systems to deny claims for prosthetics and certain custom-fabricated orthotics submitted by any suppliers that are not qualified, or do not have qualified practitioners on staff, in the states that currently require licensure or certification. CMS indicated that these two actions should help address the problem of unlicensed suppliers billing for prosthetics and custom-fabricated orthotics. However, if NSC does not resolve discrepancies in the information provided by suppliers to have an accurate supplier database, the DME regional carriers will not have accurate information for approving or denying prosthetics and certain custom-fabricated orthotics claims. Further, the agency has not restricted payments for any other items that require state licensure--such as oxygen. Nor has it taken action to prevent payments to suppliers that have violated the standard for accurate disclosure of application information by billing for items they have not disclosed to NSC--whether or not a license is required in their states to provide these items. CMS has recently added another requirement for verifying licensure and other certifications. During this evaluation, we pointed out to CMS staff that the agency's contract with NSC was not specific about whether a license close to its expiration date when submitted to NSC should be rechecked to ensure the supplier had renewed it. CMS was developing a new statement of work for NSC and as a result of our discussion, the new statement of work requires NSC to follow up to ensure renewal of licenses, insurance policies, and certifications submitted within 60 days of expiration. NSC Has Not Conducted All of the Routine On-site Inspections Required to Verify Standards: NSC has not conducted the routine on-site inspections to verify supplier standards for all the DMEPOS suppliers that CMS requires it to inspect. We estimate that 605 enrolled suppliers that NSC was required to inspect never received an on-site inspection.[Footnote 25] We also estimate that NSC conducted on-site inspections for another 3,079 suppliers, but did not properly record the date of these inspections in its supplier database.[Footnote 26] As a result, the database--with inaccurate or missing information--is not a reliable management tool for CMS to use in overseeing NSC's activities. NSC may not have conducted all of the required on-site inspections because of its procedures for determining which suppliers to inspect. According to NSC's written procedures, NSC staff use discretion to decide if an on-site inspection should be conducted prior to the enrollment or reenrollment of a supplier. In contrast, while CMS's contract with NSC exempts certain types of suppliers from routine on- site inspection, it does not state that NSC should use its discretion to choose whether to inspect the nonexempt suppliers. CMS staff informed us that NSC is required to inspect suppliers on initial enrollment and reenrollment, with some exceptions, and they were unaware that NSC was not conducting all of the required on-site inspections. Furthermore, because CMS's statements of work in its fiscal year 2004 and 2005 contracts with NSC were not clear about what constitutes a supplier chain, NSC was not inspecting other suppliers that could be eligible for on-site inspections. NSC did not have to inspect supplier chains with 25 or more locations. However, the contract did not clearly state whether all 25 locations in the chain have to have active billing numbers. As a result, NSC was exempting some suppliers in chains that currently have fewer than 25 locations with active billing numbers.[Footnote 27] We found 484 active suppliers included in chains with 24 or fewer locations with active billing numbers as of May 31, 2004. Of these 484 active suppliers, 257 did not have any on-site inspections recorded. For example, NSC indicated to us that no on-site inspection was needed for Responsive Home Health Care, because it was included in a chain with 50 locations. However, it was part of a chain with 24 active locations, one location whose billing number had been revoked, and 25 inactive locations. We recently informed CMS that its contract language on chain suppliers was not clear, because CMS was developing a new statement of work for the next NSC contract. As a result, CMS revised its contract language for fiscal year 2006 to clarify that a chain consisted of 25 or more active supplier locations. NSC's Procedures for Conducting On-site Inspections May Limit Their Effectiveness in Verifying Compliance with Standards: Even if NSC had conducted all of its on-site inspections, the contractor's procedures for conducting them limit their effectiveness as a means of verifying compliance with the supplier standards in several ways. Thus, the procedures cannot assure suppliers' legitimacy and qualifications to serve beneficiaries. First, NSC does not explicitly require its site inspectors to review a specific number of suppliers' beneficiary files during their inspections. NSC told us that inspectors reviewed beneficiary files, but OSI told us that its inspectors were not required to review the contents of any beneficiary files. Without reviewing beneficiary files, it is unclear how inspectors can verify suppliers' compliance with the standard that requires suppliers to maintain several forms of documentation--including proof of delivery and evidence of their efforts to educate beneficiaries on how to use the equipment. Further, reviewing beneficiary files is also helpful to provide support beyond a written supplier policy that other standards are being met. For example, a record of equipment maintenance is better proof that the supplier repairs equipment than a written policy alone. Reviewing beneficiary files can also enable an inspector to identify potentially fraudulent patterns of behavior and fabrications designed to cover up lack of compliance with the 21 standards. For example, NSC investigators told us that when many beneficiaries using one supplier have the same physician's signature on certificates that are required by Medicare to affirm the medical necessity of certain DMEPOS items, this can be a sign of fraudulent certifications designed to falsify compliance with Medicare's rules.[Footnote 28] The Region C DME regional carrier is currently investigating a group of suppliers using the same set of physicians on their certificates. Second, NSC does not routinely provide its site inspectors with the dollar amounts and specific DMEPOS items a supplier billed to Medicare. Knowing a supplier's billing history would enable inspectors to determine whether the supplier's submitted claims coincide with its inventory, invoices, delivery tickets, and other documentation in beneficiary files. When we accompanied NSC inspectors to the physical facilities of several suppliers about which NSC had suspicions--based on the suppliers' billing patterns or their association with other companies under investigation--the site inspectors did not have data on the billing histories for the suppliers being inspected. As a result, the inspectors did not know what types and amounts of inventory, delivery tickets, or invoices they should expect to find.[Footnote 29] Third, neither CMS nor NSC explicitly requires the site inspectors to verify a supplier's inventory when it is stored at, or purchased from, another location. The inventory standard does not preclude a supplier from storing inventory off site or relying on another supplier--even a competitor--to provide its inventory. However, when this occurs, without taking additional verification steps, NSC would not know whether the off-site inventory exists or whether the source of inventory is legitimate. According to the inventory standard, suppliers cannot contract with companies that are currently excluded from the Medicare program, any state health programs, or from any other federal procurement or nonprocurement programs. However, without investigating the companies that are cited as sources of inventory, NSC would not know if this standard was being met. NSC's procedures suggest, but do not require, its site inspectors to verify off-site inventory locations. Because CMS does not require NSC to conduct verification of off-site inventory or an assessment of the company cited as the source of inventory, the current procedures do not fully verify the inventory standard. Inspecting off-site inventory or assessing the validity of inventory contracts can help pinpoint violations of the standard for inventory and can also identify potentially fraudulent activities. For instance, when NSC inspected an address of a company that a supplier gave as its source for inventory, it discovered an auto body shop at that address. In another instance, NSC found a vacant building at the address given as a supplier's inventory source. These suppliers violated the standards for disclosing accurate information to NSC and for having inventory or a contract to procure it. Further, citing a nonexistent source of inventory suggests the possibility that these suppliers were engaging in fraud. Similarly, groups of suppliers under investigation for fraud in Houston in 2003 and 2004 were using the same company as their fictitious source of inventory. SACU investigators were able to identify other suppliers participating in the same fraud scheme because the suppliers claimed they were obtaining inventory from a source that was under investigation. Through examining sources of inventory, our investigators identified companies with questionable financial transactions or owners involved with suppliers engaged in potentially fraudulent billing. For example, we identified and investigated one distribution company in Florida that six suppliers had cited as one of their main sources of inventory.[Footnote 30] CMS had denied or revoked the billing numbers for the six suppliers, in part because they did not appear to have inventory, but five of them were able to obtain or regain their billing numbers after providing contracts for inventory from this distribution company. Our investigators found that the distribution company's bank had filed 27 separate reports identifying cash withdrawals from company accounts in amounts ranging from $10,000 to more than $98,000 over a period of 20 months--almost $1 million in total.[Footnote 31] Such cash withdrawals are suspicious because they can indicate attempts to disguise illicit funds and make them more difficult to track. Even more suspicious, our investigators found that this distribution company did not appear to be an active business. Through on-site inspections conducted in March 2005, we found that two of the addresses given for it were vacant office/storage units and one was a custom woodworking shop. In June 2005, we investigated a fourth possible address for the company. This address had been leased by an individual who identified himself in leasing paperwork as being associated with a "Medical Equipment" business and was found to be a storage unit littered with debris and a pile of boxes, many of which were crushed and broken. The investigators saw no posted signs or activities that would indicate an active business. In addition, of the five suppliers currently reenrolled in Medicare that cited this source of inventory, three were under investigation in March 2005 by the Region C DME regional carrier's fraud control unit. NSC Is Not Required by Contract to Conduct a Minimum Number of Out-of- cycle On-site Inspections: Out-of-cycle on-site inspections have been effective in identifying suppliers that are not complying with Medicare's standards. For example, during the April 2004 hearing before the Senate Committee on Finance on the Medicare power wheelchair benefit, the attendees watched a video of law enforcement surveillance that showed individuals bringing office equipment and DMEPOS items into an office suite in order to appear to meet the standards for having an appropriate physical facility and inventory to pass an on-site inspection. Because the timing of enrollment and reenrollment inspections are predictable, a supplier intent on committing fraud can anticipate an enrollment on- site inspection and create the illusion of legitimacy, fully understanding that an inspector is not likely to return for 3 years. Out-of-cycle on-site inspections can be so valuable that we previously recommended that CMS direct NSC to routinely conduct them for suppliers suspected of billing improperly.[Footnote 32] CMS agreed with the recommendation and pointed out the number of out-of-cycle inspections that were being completed. In 2003, NSC conducted over 600 out-of-cycle inspections and found 306 DMEPOS suppliers not complying with Medicare's standards. NSC continued this practice in fiscal year 2004, conducting over 400 out-of-cycle on-site inspections targeted specifically at high-volume suppliers that were not part of chains.[Footnote 33] CMS has also requested NSC to conduct out-of-cycle on-site inspections in fiscal year 2005. Nevertheless, NSC's contract does not explicitly require it to conduct out-of-cycle on-site inspections. Although NSC has conducted out-of-cycle on-site inspections in the last several years, without becoming an explicit part of its contract, this activity could be curtailed at any time. We discussed our concerns about this with CMS staff writing the revised statement of work for a new contract that is scheduled to be awarded in December 2005. As a result, CMS included language in the revised statement of work that will explicitly require the contractor for NSC to conduct random, out- of-cycle on-site inspections as resources permit. However, the change in the statement of work does not require NSC to conduct a minimum number of out-of-cycle on-site inspections as a routine part of its activities. Medicare's Standards Are Too Weak to be Used Effectively to Screen DMEPOS Suppliers: Medicare's standards are currently too weak to be used effectively for screening DMEPOS suppliers that want to enroll in the program. The 21 standards focus on certain operational characteristics. However, they do not include standards related to supplier integrity and capability analogous to those that federal agencies generally apply to prospective contractors or those used by at least two state Medicaid programs for their suppliers. For example, federal agencies do not have to contract with companies that have demonstrated poor performance in the past. In contrast, CMS has reenrolled suppliers whose billing numbers have been revoked, after they have demonstrated compliance with the standards--no matter how many standards they had previously violated. We found cases of suppliers that had billed improperly and violated standards, reentered the program, and then began to bill improperly for other items. CMS is currently developing more specific guidance for applying some of its 21 standards. In addition, to implement provisions in the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA),[Footnote 34] CMS is introducing a competitive bidding process for DME, off-the-shelf orthotics, and supplies, and is developing quality standards that would supplement the existing ones. When implemented, these steps could help ensure that DMEPOS suppliers are legitimate businesses and qualified to bill Medicare. Medicare's Standards Lack Assessment of Integrity and Capability Like Those for Federal Contractors and Some State Medicaid Suppliers: Although a federal agency primarily pays for items provided by DMEPOS suppliers, these businesses are not held to standards analogous to those that apply to companies that seek to contract with the federal government. Under federal procurement regulations, agencies are generally required to determine whether a potential contractor is "responsible"--that is, whether it has a satisfactory record of performance, integrity, and business ethics, as well as the financial, technical, and managerial ability to provide the specified products and services.[Footnote 35] Federal agencies can consider a contractor's past performance as an indicator of future performance and require a disclosure of financial and management information to make their assessment. In addition, after a contract is awarded, federal agencies can terminate the contract for default or convenience.[Footnote 36] Further, for committing certain crimes or not meeting certain federal requirements, a company may be debarred from receiving federal contracts, generally for up to 3 years.[Footnote 37] Some state governments have requirements to ensure that Medicaid suppliers are responsible. For example, California's Medicaid program requires DME suppliers to have the administrative and fiscal foundation to survive as a business, demonstrated by financial records, such as a business plan, bank statements, and contractual agreements. California state officials told us that a DME supplier in their state could not meet the definition of being an established business for the Medicaid program if it sold power wheelchairs out of a residence, as some Medicare DME suppliers have done.[Footnote 38] Similarly, Florida's Medicaid program requires suppliers to provide evidence of being a viable, ongoing business. Florida also requires anyone with 5 percent or greater ownership, and the manager of the supplier, to be fingerprinted and undergo a criminal background investigation, because the state will not enroll suppliers with owners convicted of several types of crimes, such as health care fraud or patient abuse. In contrast, suppliers are not CMS contractors, and CMS's standards do not require suppliers to demonstrate that they are responsible based on their financial, technical, and managerial ability, their integrity, and their past performance. As a result, suppliers that are not legitimate DMEPOS businesses have enrolled in Medicare and have been paid millions of dollars in improper payments without having to demonstrate that they have the ability and integrity to serve beneficiaries, as the following examples show. For example, in sworn testimony before the Senate Committee on Finance in April 2004, a witness who pleaded guilty to fraud explained her part in a $25 million fraud scheme that she and a group of 19 others committed against the Medicare program. She explained how she was able to set up a sham company--Mercury Medical Supplies--with $3,000 and obtain a Medicare billing number, even though she had no prior experience, expertise, or discernible resources for providing DMEPOS items or services. From September 2000 to December 2001, when its billing number was revoked, Medicare paid Mercury Medical Supplies $1,158,482 for providing DMEPOS items that were falsely billed based on forged physicians' prescriptions and were generally not supplied to beneficiaries. While the Medicare program paid Mercury Medical Supplies over $1 million but did not inquire into its financial ability to supply DMEPOS items, one federal agency refused to award a $230,000 contract to a company with $32,500 in working capital, in part because the agency's contracting officer did not think that the company was financially strong enough to fulfill the contractual obligations.[Footnote 39] Like Mercury Medical Supplies, All-Divine Health Services in Lufkin, Texas was not a legitimate DMEPOS business, but managed to enroll in Medicare in December 2002. NSC's inspector noted on an initial site inspection report that the owner explained that she was awaiting inventory, which was why she had none in her storage area prior to enrollment in the Medicare program. Once enrolled, All-Divine Health Services began to bill for power wheelchairs, an item for which Medicare pays over $5,000. However, because of concerns about inappropriate power wheelchair billing, NSC conducted out-of-cycle on- site inspections of All-Divine and other power wheelchair suppliers in the area. The site inspector found evidence of potential fraud, such as altered certificates from physicians attesting to the beneficiaries' medical need for the items to be supplied, as well as violations of Medicare's standards. Following the out-of-cycle inspection, CMS found that All-Divine was in violation of four standards, because it lacked comprehensive liability insurance, lacked a state license to provide bedding, did not have adequate contracts for inventory, and did not have adequate provision to repair and service DME. All-Divine's billing number was revoked effective August 6, 2003. After the owner pleaded guilty to conspiracy to commit health care fraud on June 25, 2004, her lawyer testified that All-Divine's owner had not understood the intricacies of proper Medicare billing and had no experience managing a DMEPOS company. The owner told her lawyer that she did not think she was committing a crime, although she admitted purchasing paperwork certifying beneficiaries as needing power wheelchairs and then submitting claims on their behalf. Her lawyer also testified that the owner stated that her firm lacked the operational controls to ensure that beneficiaries actually received the power wheelchairs for which the company billed and was paid by Medicare. Before its billing number was revoked, All-Divine was paid over $1.8 million by the program, predominantly for power wheelchairs not provided as billed. Medicare Suppliers Do Not Face the Same Penalties for Not Meeting Federal Requirements as Contractors and Medicaid Suppliers: While federal agencies, including CMS, may choose not to conduct business with companies that lack integrity or perform poorly, and may disqualify companies from competing for federal contracts, suppliers that have failed to comply with Medicare's standards have not lost their billing privileges for any substantial length of time. Federal agencies can terminate contracts at their convenience or for default-- which is when a contractor fails to perform the contract. For certain serious violations, contractors can be debarred from receiving any federal contract, generally for up to 3 years.[Footnote 40] Willful failure to perform the terms of a government contract is a basis for debarment. In addition, apart from debarment, agencies can refuse to offer new contracts to companies exhibiting previous performance problems or a lack of integrity in the past.[Footnote 41] This may occur after conviction for criminal charges, but sometimes the refusals follow allegations of wrongdoing. For example, one agency refused to offer a new contract to a company that had allegedly provided false certifications in the past.[Footnote 42] Another agency used the results of criminal investigative reports as a basis for refusing to offer contracts to companies.[Footnote 43] Compared with Medicare, the Medicaid programs of California and Florida put more barriers to reenrollment of problematic suppliers into Medicaid. For example, California provisionally enrolls new Medicaid providers for 12 to 18 months.[Footnote 44] During this period, if the provider fails to meet state requirements, the state agency disenrolls the provider from Medicaid.[Footnote 45] In addition, if a provider fails to accurately disclose information, such as the ownership of the company, California can disenroll the provider from Medicaid and keep it from reenrolling for 3 years.[Footnote 46] The California Medicaid program denies applications from providers under investigation for criminal offenses. Florida will not reenroll suppliers that have been excluded from the program. When NSC identifies suppliers that violate Medicare's standards, CMS may revoke their billing privileges. However, in contrast to California and Florida Medicaid, if a supplier can demonstrate compliance with the 21 standards, CMS readmits it into Medicare unless it has been otherwise excluded from participating in the program. DMEPOS suppliers that have their billing privileges revoked and then later reenter Medicare are not uncommon. We identified 1,038 DMEPOS suppliers that lost their billing privileges in 2003, generally for violating multiple standards. Of these suppliers, 192 were reenrolled in Medicare as of May 31, 2004, with the average period of suspension lasting about 3 months. None of these suppliers encountered any barrier to enrollment for violating the standards. Further, when some suppliers that had billed improperly because they were unlicensed reentered the program, they resumed improper billing for different types of items. See table 2 for two examples. Table 2: Examples of Suppliers That Had Billing Privileges Revoked, Were Reinstated, and Billed Improperly After Readmission into Medicare: Revocation basis: Noncompliance with five standards, including providing oxygen and orthotics without a state license and not having an active liability insurance policy, business telephone number, or inventory; Revocation period (in months): 5; Improper billing closely following readmission: After reenrollment in early 2004, Wonderful Medical Supply Company submitted claims totaling about $2.6 million and was paid about $1.27 million, predominantly for one type of layered bandage. Because Wonderful Medical Supply's billing was suspicious, the DME regional carrier began to review claims from this supplier. Most of the claims it submitted in the fall of 2004 were denied and the DME regional carrier collected overpayments of almost $500,000 for claims that had previously been paid improperly. The supplier's enrollment in Medicare was terminated in late 2004. The supplier was also under criminal investigation by federal and local law enforcement for health care fraud in 2005. Revocation basis: Noncompliance with six standards, including billing for orthotics without the proper state license, not having inventory, not offering beneficiaries the required option of renting equipment, and not having the ability, or a contract, to repair broken equipment; Revocation period (in months): 3; Improper billing closely following readmission: After being reenrolled in Medicare, Fabulous Medical Supply in Miami, Florida was investigated by the Region C DME regional carrier because of suspicions that it was not providing items as billed. In 2004, it was paid almost $1.4 million by Medicare for one colostomy supply item that was being abusively billed by a number of suppliers during this period. Because of the abusive billing, payments for this item increased over 14,000 percent in a year in the region. To combat the abusive billing, starting in May 2004, the DME regional carrier requested additional documentation--such as physicians' orders--from all of the suppliers billing this item to support their claims. Fabulous Medical Supply did not provide any documentation to support its billing, and its subsequent claims for this item were denied. The DME regional carrier suspended payments to Fabulous Medical Supply during the summer of 2004 and revoked its billing number in 2005 after the supplier's liability insurance lapsed. In 2004, Fabulous Medical Supply was paid almost $2.7 million by Medicare, but $1.6 million is currently being held by the DME regional carrier, pending determination of overpayments, and almost $200,000 has been established as an overpayment owed to Medicare. This supplier was under criminal investigation by federal and local law enforcement for health care fraud as of July 2005. Source: GAO. Note: We are using aliases for these suppliers, because they are currently or have been under active investigation by federal and local law enforcement. This table is based on information provided by the Region C DME regional contractor's benefit integrity unit. [End of table] CMS's Efforts to Strengthen the Supplier Standards and Other Recent Steps May Partially Address Identified Weaknesses: According to NSC and CMS officials, strengthening the supplier standards by increasing their specificity is an important step in preventing enrollment of suppliers that are intent on committing fraud. NSC and CMS officials agreed that the inventory and physical facility standards are not specific enough. These standards do not specify the characteristics of an inventory, or the amount, type, or source of inventory that should be required for the items or services the supplier intends to provide to Medicare beneficiaries. According to these officials, the lack of specificity in the standards has allowed suppliers that were not legitimate companies to acquire Medicare billing numbers and then defraud the program. NSC and OIG officials investigating enrolled suppliers with potentially fraudulent billing reported that many had physical facilities not conducive to conducting a legitimate DMEPOS business. For example, these investigators have found multiple suppliers located in close proximity in small suites in the same building. In addition, they found suppliers in buildings that were not located where beneficiaries were likely to come and purchase DMEPOS items. The investigators also reported finding DMEPOS suppliers operating out of their houses and garages.[Footnote 47] These suppliers had few DMEPOS items in stock, but claimed that they had contracts for acquiring inventory. These documents sometimes lacked the usual elements of a contract, such as the clear signature of authorized individuals from both companies and the time period for the contract. Nevertheless, these suppliers met the current standards. In early 2004, based on NSC proposals, CMS drafted new guidance on the current supplier standards to make them more specific. For example, CMS added more details to describe what constituted a reasonable amount of inventory, the elements of an acceptable contract for inventory, and an appropriate physical facility from which to provide items and services to Medicare beneficiaries. As of June 2005, CMS had not issued the new guidance. According to an agency official, some of the revisions have been incorporated into a proposed regulation under review within the agency. The official told us that CMS plans to issue other changes through revisions of Medicare guidance manuals, once the proposed regulation had been issued. In addition to the new guidance, provisions of the MMA that require CMS to develop quality standards for DMEPOS suppliers and competitive bidding, when implemented, could enhance the agency's ability to screen suppliers. The MMA requires CMS to develop quality standards for all DMEPOS suppliers and to select one or more independent accreditation organizations that will apply these standards to determine if suppliers are meeting them.[Footnote 48] CMS has not finished its development of the quality standards, so it is not clear whether the standards will incorporate requirements for suppliers to demonstrate that they have the integrity and capability to perform their functions analogous to the standards for federal contractors. In addition, the MMA requires CMS to establish competitive bidding among suppliers for DME, supplies, off-the-shelf orthotics, and enteral nutrients and related equipment and supplies in at least 10 of the largest metropolitan areas by 2007 and in 80 of these areas by 2009. The MMA will require suppliers chosen by competitive bidding to comply with the quality standards that are being developed for all DMEPOS suppliers as well as new financial standards to be specified by the Secretary. However, competitive bidding will be limited to certain DMEPOS items and localities, so not all Medicare DMEPOS suppliers will be held to the new financial standards. CMS anticipates issuing a proposed rule in the fall of 2005 on DME competitive bidding and on quality standards and accreditation and a final rule in 2006. CMS's Oversight Is Insufficient to Determine Whether NSC Screens and Monitors Suppliers Effectively: CMS's oversight has not been sufficient to determine whether NSC is meeting its responsibilities in screening, enrolling, and monitoring DMEPOS suppliers. CMS was unaware--until we informed the agency--that NSC had not conducted all required on-site inspections of suppliers. Furthermore, CMS did not know that, in contrast to its requirements, NSC's procedures allow its staff to use discretion in selecting which suppliers received on-site inspections. In addition, CMS did not recognize gaps in NSC's verification of suppliers' state licenses and as a result, Medicare paid suppliers whose licenses the contractor did not verify. During our review, we found weaknesses in the methods CMS uses to oversee its contractor that could lead to the agency not recognizing problems in the verification process. CMS evaluates NSC's performance primarily through an annual inspection. During this inspection, CMS analyzes a small random sample of supplier files to determine, for instance, whether NSC is conducting on-site inspections, processing enrollment applications, and handling appeals of denied or revoked billing privileges in accordance with its requirements. The analysis of NSC's supplier files is CMS's most direct means of assessing NSC's efforts to screen and enroll suppliers; however, we determined that CMS's past practice of basing NSC's performance on a sample selected from a single quarter of the year may not be adequate. NSC's performance might differ during the quarters in which it was not reviewed. CMS also recognized problems with basing its review on a single quarter, and in October 2004 began to institute quarterly reviews of a sample of supplier files. However, if any problems are uncovered, the sample sizes examined by CMS are too small to be used as a means of oversight, relative to the number of application files processed and other type of files reviewed. During fiscal year 2004, NSC processed more than 58,000 supplier applications for enrollment or reenrollment. To evaluate NSC's efforts to enroll suppliers during its fiscal year 2004 inspection, CMS examined a sample of 10 approved supplier applications, as well as 10 denied and 10 returned applications. To evaluate NSC's efforts to reenroll suppliers, CMS examined a sample of 20 approved reenrollments. If CMS uncovered any problems, it would need to select a much larger sample to determine if the problems were systemic, a step that is not indicated in the evaluation protocol. CMS's evaluation of NSC's performance is focused primarily on whether the suppliers' applications are filled out and processed correctly--not whether NSC has conducted the required verification tasks thoroughly. For example, while NSC may have a supplier site inspection form with the boxes checked to indicate that a supplier is complying with various standards--such as the one to maintain documentation of delivery of items to beneficiaries--CMS cannot know from reviewing the form if the inspector checking that supplier actually examined any beneficiary files. CMS also oversees NSC through reviewing monthly reports from NSC, but this does not provide information on the thoroughness of NSC's screening and enrollment efforts. Instead, CMS reviews the monthly reports to monitor NSC's workload--including the number of enrollment and reenrollment applications received, pending, approved, and returned; the timeliness in processing applications; the number of denials and revocations; and the timeliness with which NSC handles inquiries from suppliers. This monitoring is important to ensure that NSC is managing its workload, but does not inform CMS as to how well NSC performs these activities. Finally, while CMS has established performance goals in NSC's contract related primarily to processing supplier applications and managing other aspects of NSC's workload--such as handling inquiries--it has not established performance goals connected to effectiveness of the screening or fraud prevention efforts. CMS uses both the annual inspection and the monthly reports to measure NSC's performance against goals established in its contract. These goals are linked to timeliness in processing suppliers' applications, appeals, and inquiries. For example, according to its contract, NSC must: * process 90 percent of all applications and reenrollments accurately within 60 calendar days of receipt and 99 percent of applications within 120 calendar days of receipt, * process 90 percent of appeals accurately within 60 calendar days of receipt, and: * answer 85 percent of supplier telephone calls within the first 60 seconds. These performance measures do not indicate the success of NSC or its SACU in identifying noncompliant and fraudulent suppliers. Further, CMS's contract requires NSC to maintain a SACU,[Footnote 49] but the contract does not establish outcomes expected from this unit. Similarly, in its annual inspection, CMS does not evaluate the SACU's efforts--whether, for instance, the SACU has adequately educated suppliers, adequately supervised the quality of on-site inspections, or analyzed supplier enrollment and billing data so that NSC can identify suppliers for additional inspections. Conclusions: CMS is responsible for assuring that Medicare beneficiaries have access to the equipment, supplies, and services they need, and at the same time, for protecting the program from abusive billing and fraud. The supplier standards and NSC's gatekeeping activities were intended to provide assurance that potential suppliers are qualified and would comply with Medicare's rules. However, there is overwhelming evidence- -in the form of criminal convictions, revocations, and recoveries--that the supplier enrollment processes and the standards are not strong enough to thoroughly protect the program from fraudulent entities. We believe that CMS must focus on strengthening the standards and overseeing the supplier enrollment process. It needs to better focus on ways to scrutinize suppliers to ensure that they are responsible businesses, analogous to federal standards for evaluating potential contractors. CMS's current effort to develop additional guidance on the standards and the development of quality standards for DMEPOS suppliers provide an opportunity for the agency to establish stronger requirements for potential and enrolled suppliers. Developing more rigorous quality standards that include an assessment of suppliers' performance, integrity, and financial, managerial, and technical ability would help ensure that only qualified companies became suppliers. Suppliers whose previous performance was poor or that demonstrated a lack of integrity should not be allowed to quickly reenter the program. CMS also needs to provide more specific requirements in NSC's contract so that the program's policies will be consistently carried out. Finally, we believe that CMS has not adequately evaluated NSC's activities to ensure that it is meeting all of its responsibilities and using all of the tools available to identify, and address, problem suppliers. Matter for Congressional Consideration: The Congress should consider whether suppliers that have violated standards should have to wait a specified period of time from the date of revocation to have a billing number reissued. Recommendations: To improve the supplier enrollment process and oversight of NSC, we recommend that the Administrator of CMS take eight actions--five related to NSC's efforts to verify DMEPOS suppliers' compliance with the 21 standards, one related to the supplier standards, and two related to the agency's oversight of NSC. We recommend that CMS: * Starting in states where licensure is mandatory, require NSC to routinely check suppliers' billing for oxygen, prosthetics, orthotics, and any other items requiring licensure, against the items the suppliers declared they are providing on applications. Where suppliers are billing for services not declared, take appropriate action to revoke the billing numbers of suppliers not complying with program requirements. * Require NSC to provide information from suppliers' billing histories to inspectors before they conduct on-site inspections to help them collect information to assess whether suppliers' inventory or contracts to obtain inventory are congruent with the suppliers' Medicare payments. * When suppliers report having inventory that is primarily maintained off site or supplied through another company, require NSC to evaluate the legitimacy of the supply location or source and any related contracts. * As part of the on-site inspections, require inspectors to review, and provide information to NSC analysts on the contents of, a minimum number of patient files to determine supplier adherence to standards for maintaining documentation of services and information provided to beneficiaries. * Oversee NSC's activities to ensure that it conducts on-site inspections of suppliers as required by CMS and maintains accurate data on the on-site inspections it conducts. * Establish a minimum number of out-of-cycle on-site inspections in its contract that NSC must perform each year. * Develop standards that incorporate requirements for suppliers to demonstrate that they have the integrity and capability to perform their functions analogous to the standards for federal contractors. * Revise current evaluation procedures to fully assess the outcomes expected from the SACU's activities and NSC's adherence to contract requirements. Agency Comments: In its written comments on a draft of this report, CMS generally concurred with our eight recommendations and cited actions it is taking to implement each recommendation. It also affirmed its commitment to protect beneficiaries and Medicare from fraud, waste, and abuse by ensuring that NSC only enrolled qualified suppliers and enforced the supplier standards. CMS agreed with our five recommendations related to improving NSC's efforts to verify DMEPOS suppliers' compliance with the 21 standards. In response to four of these recommendations, CMS stated that it has revised the statement of work for fiscal year 2006 to require NSC to: * check suppliers' licenses and liability insurance each year, rather than every 3 years at reenrollment, and compare suppliers' billing histories to the licenses they provide at that time; * provide on-site inspectors with the billing histories of DMEPOS suppliers they are reviewing; * conduct site inspections of suppliers' off-site inventory storage locations and of businesses that provide them with inventory through contracts; and: * conduct out-of-cycle inspections, the number of which CMS will manage based on NSC's workload and budgetary constraints. In addition to the completed revisions, to address the other recommendation related to NSC's efforts to verify suppliers' compliance with the 21 standards, CMS indicated that it intends to further revise the statement of work to require site inspectors to review a minimum number of beneficiary files maintained by suppliers. CMS also agreed with our recommendation to develop standards for suppliers to ensure they have the integrity and capability to perform their functions analogous to the standards for federal contractors. In its response to that recommendation, CMS indicated that the quality standards the agency is developing for suppliers will improve its ability to deter health care fraud and abuse. The agency stated that it will publish a proposed rule to implement the standards in the fall of 2005 and expects to issue a final rule in 2006. Finally, to address the two recommendations on improving its oversight, CMS stated that it intends to more closely review NSC's activities to ensure that the contractor conducts on-site inspections as required and maintains accurate data on these inspections. CMS also noted that it had expanded its oversight and evaluation procedures during fiscal year 2005 to include quarterly reviews of NSC and SACU enrollment functions. CMS's written comments on a draft of this report are included in appendix III. CMS also provided technical comments, which we included as appropriate. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its issue date. At that time, we will send copies of this report to the Administrator of CMS, appropriate congressional committees, and other interested parties. We will also make copies available to others upon request. This report is also available at no charge on GAO's Web site at http://www.gao.gov. If you or your staff have any questions about this report, please contact me at (312) 220-7600 or aronovitzl@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Leslie G. Aronovitz: Director, Health Care: [End of section] Appendix I: Objectives, Scope, and Methodology: To evaluate the National Supplier Clearinghouse's (NSC) efforts to verify suppliers' compliance with the 21 standards, we conducted interviews, document reviews, field inspections, investigations, and data analysis. We interviewed the Centers for Medicare & Medicaid Services (CMS) officials that oversee NSC and NSC staff, assessed CMS's contract statement of work for enrollment screening, and reviewed NSC's written procedures to gain a better understanding of the procedures used. Through that assessment, we determined that its procedures to check licensure and conduct on-site inspections of suppliers were critical to verifying compliance with the standards and we focused our evaluation on these procedures. To better understand the on-site inspection process, we accompanied NSC officials as they conducted on- site inspections of 12 suppliers in Maryland during August 9 and 10, 2004. In addition, to test the effectiveness of the licensure verification, we analyzed Medicare durable medical equipment, orthotics, prosthetics, and supplies (DMEPOS) claims data for 2003 and 2004 from Florida, Illinois, Louisiana, and Texas [Footnote 50] and NSC's active supplier data file to determine whether suppliers had the licenses necessary for items billed. We also tested whether all required on-site inspections had been conducted through an analysis of NSC's active supplier data file and inspection procedures. To assess the reliability of the 2003 and 2004 claims from CMS and NSC's supplier data files, we performed electronic testing of required data elements, reviewed existing information about the data and the systems that produced them, and interviewed CMS and NSC officials knowledgeable about the data. We determined that these data were sufficiently reliable for the purposes of this report. We also contacted Florida, Texas, and Louisiana to determine which of the suppliers that had not disclosed to NSC that they would be providing oxygen and were paid at least $1,000 for oxygen claims in 2004 actually had the needed state licenses. In addition, we also checked with these states to determine whether a small sample of suppliers that had disclosed the intention to bill for oxygen, and were paid at least $1,000 for oxygen claims in 2004, had the needed state licenses. For custom-fabricated orthotics and prosthetics, we were not able to confirm whether the suppliers that had not disclosed to NSC that they would be providing these items and were paid at least $1,000 for such claims in 2004 in Florida, Illinois, and Texas had the proper state licenses, because those states license individuals to be allowed to supply these items, not companies. To evaluate procedures for on-site inspections, we analyzed on-site inspection instructions and the standards and interviewed on-site inspectors and officials in NSC and Overland Solutions, Inc. We investigated two companies cited as sources of inventory by two groups of Florida and Texas suppliers that had their billing privileges denied or revoked, in part because of inventory issues, and also investigated those suppliers. To evaluate the adequacy of the 21 supplier standards, we compared them to the requirements for government contractors and those imposed by the California and Florida Medicaid program on suppliers. In addition, we analyzed cases of revocations that had been appealed to CMS in 2004 to determine if weaknesses in the standards were leading to suppliers with questionable billing practices being reinstated in the program. We also obtained documentation on cases of suppliers that had defrauded Medicare and interviewed fraud inspectors at NSC and in the Department of Health and Human Services Office of Inspector General to develop insight into the problems that they saw with the 21 standards. We also interviewed NSC and CMS officials and individuals from the following organizations: the American Association for Homecare, the American Orthotic and Prosthetic Association, Hoveround, National Association for Home Care and Hospice, Power Mobility Coalition, and a representative from the National Supplier Clearinghouse's Advisory Council. To evaluate CMS's oversight of NSC, we considered the information we had gathered to answer the previous questions. We reviewed CMS's written procedures used to evaluate NSC and other documents related to CMS's oversight. We also discussed CMS's oversight with CMS and NSC officials. Our work was conducted from June 2004 to September 2005 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Medicare's 21 Standards for Suppliers and NSC's Procedures to Verify Their Compliance: Suppliers of durable medical equipment (DME), prosthetics, orthotics, and supplies must meet 21 standards in order to obtain and retain their Medicare billing privileges. The NSC is responsible for screening suppliers to ensure that they meet the standards. An abbreviated summary of the most recent version of these standards, which became effective December 11, 2000, is presented in table 3. The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 requires CMS to develop quality standards that must be at least as stringent as current standards for all Medicare suppliers of DME, prosthetics, orthotics, and supplies. Supplier compliance with the quality standards will be determined by one or more designated independent accreditation organizations. Table 3: Medicare's 21 Standards for Medicare Suppliers of DME, Prosthetics, Orthotics, and Supplies and NSC's Procedures at Enrollment and Reenrollment to Verify Compliance with the Standards: Standard number: 1; Standard's description of what supplier must do: Comply with all applicable federal and state licensure and regulatory requirements; NSC's verification procedures: Desk review - The NSC enrollment analyst matches the supplier's legal business name in the application to the legal business name listed in Internal Revenue Service forms and on licenses. Through a computerized edit, the analyst checks the listed organizations and owners against the General Services Administration debarment list and the Office of Inspector General's sanction list to determine eligibility to receive income from the Medicare Trust Funds. The analyst also checks all names listed in the supplier's application against the CMS's Fraud Investigative Database. The analyst matches information in the application on the type of supplier and products and services to be furnished with state licenses attached to the application. If the license appears to be altered, the analyst checks with the state to determine if the state license is valid; On-site inspection - The site inspector is expected to collect copies of applicable state, business, and occupational licenses and a listing of the names of owners and records the information on the site inspection form, if applicable. Standard number: 2; Standard's description of what supplier must do: Provide complete and accurate information on the application and report any changes to NSC within 30 days; NSC's verification procedures: NSC verifies compliance with this standard through verification of the other standards. Standard number: 3; Standard's description of what supplier must do: Have an authorized individual--whose signature is binding--sign the application; NSC's verification procedures: NSC relies on supplier self-report that an authorized individual, as defined in the application, has signed. Standard number: 4; Standard's description of what supplier must do: Fill orders from its own inventory or contracts with other companies for the purchase of items necessary to fill the order. A supplier may not contract with any entity excluded from the Medicare program or state health care programs or from any other federal procurement or nonprocurement program or activity; NSC's verification procedures: On-site inspection - The site inspector takes photographs of inventory and requests copies of the supplier's contracts with other companies for the purchase of items. The site inspector may inspect or telephone the supplier listed in the contract, if it is in the local area; Desk review - The analyst reviews any contracts for inventory to determine whether the terms and conditions of the contracts are acceptable. The analyst also contacts the vendor to verify that the contract is authentic. Standard number: 5; Standard's description of what supplier must do: Advise beneficiaries that they may rent or purchase inexpensive or routinely purchased DME and of the purchase option for capped rental DME; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee about the supplier's policy, records the responses on the site inspection form, and collects a copy of supplier's policy, if any. Standard number: 6; Standard's description of what supplier must do: Honor all warranties under applicable state law and repair or replace free of charge Medicare-covered items that are under warranty; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee and records the responses on the site inspection form. The site inspector collects a copy of supplier's documentation, if any, such as a written policy that the supplier provides warranty information to beneficiaries and replaces items under warranty free of charge. If the supplier does not have the required policy or forms, the site inspector educates the supplier about what is needed to comply with this standard and advises the supplier of where a model warranty information form can be obtained. The supplier then has 48 hours from the time of the inspection to provide any needed documentation to the site inspector. Standard number: 7; Standard's description of what supplier must do: Maintain a physical facility on an appropriate site; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee and records responses on the site inspection form. The site inspector takes photographs of the physical facility to document the site and its accessibility for handicapped beneficiaries and records the approximate size of the facility on the site inspection form; Desk review - The analyst reviews the site inspection documents and photographs to ensure that the facility complies with the standard. Standard number: 8; Standard's description of what supplier must do: Permit on-site inspections to determine compliance with the standards and maintain an appropriate physical facility accessible to beneficiaries and to CMS during reasonable business hours, with a visible sign and posted hours of operation; NSC's verification procedures: On-site inspection - The site inspector inspects the physical facility, records the posted hours on the site inspection form, and determines if the location is open during that time period. The site inspector also records on the site inspection form whether customers are in the facility during the inspection and whether the supplier shares space with another DMEPOS supplier or other business. The site inspector also photographs the signage, posted hours of operation, and the physical facility to document the site and its accessibility for handicapped beneficiaries; Desk review - The analyst reviews the site inspection documents and photographs to ensure that the facility complies with the standard. If the facility does not appear to be accessible to handicapped beneficiaries, the analyst contacts the supplier to determine how it accommodates the needs of these individuals. Standard number: 9; Standard's description of what supplier must do: Maintain a primary business telephone listed under the name of the business in a local directory or a toll-free number available through directory assistance. The exclusive use of a beeper, answering service, answering machine, pager, facsimile machine, or car phone as the primary business telephone number is prohibited; NSC's verification procedures: Desk review - The analyst verifies the telephone number and whether it is listed at the supplier's facility by calling the supplier, contacting telephone directory assistance, and using the Internet to check telephone directories; On-site inspection - The site inspector interviews the owner, manager, or another responsible employee to determine where the majority of the supplier's calls are received and records the responses on the site inspection form. The site inspector confirms the telephone number by viewing the telephone directory, telephone bills, or contacting directory assistance. Standard number: 10; Standard's description of what supplier must do: Have comprehensive liability insurance in the amount of at least $300,000 that covers both the supplier's place of business and all customers and employees of the supplier. If the supplier manufactures its own items, this insurance must also cover product liability and completed operations; NSC's verification procedures: Desk review - The analyst verifies the supplier's legal name and address on the policy, the insurance policy number, issue and expiration dates, scope of insurance, and amount of coverage. Effective August 1, 2004, a supplier's underwriter is requested to notify NSC of any changes in the supplier's comprehensive liability insurance policy; On-site inspection - The site inspector obtains a copy of the insurance policy, if necessary, and records the information on the site inspection form. Standard number: 11; Standard's description of what supplier must do: Agree not to initiate telephone contact with beneficiaries, with a few exceptions allowed, and is prohibited from using telephone contact to solicit new business; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee and records the response on the site inspection form. Standard number: 12; Standard's description of what supplier must do: Be responsible for delivery, document that beneficiaries were instructed on the use of Medicare-covered items, and maintain proof of delivery; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee, requests a copy of the written delivery policy, and records information on the site inspection form. The site inspector may review beneficiary files to check for proof of delivery. Standard number: 13; Standard's description of what supplier must do: Answer questions and respond to complaints of beneficiaries, and maintain documentation of such contacts; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee, requests a copy of the written complaint policy, views the complaint log, and records information on the site inspection form. The site inspector may review beneficiary files to check for communications about complaints. Standard number: 14; Standard's description of what supplier must do: Must maintain and replace at no charge or repair directly, or through a service contract with another company, Medicare-covered items it has rented to beneficiaries; NSC's verification procedures: On- site inspection - The site inspector interviews the owner, manager, or another responsible employee, requests a copy of any written repair policy, if it exists, and records the information on the site inspection form. The site inspector may also check beneficiary files to review maintenance records of equipment that has been supplied. Standard number: 15; Standard's description of what supplier must do: Accept returns of substandard (less than full quality) or unsuitable (inappropriate for the beneficiary at the time it was fitted and sold) items from beneficiaries; NSC's verification procedures: On- site inspection - The site inspector interviews the owner, manager, or another responsible employee, collects the written return policy, if any, and records information on the site inspection form. Standard number: 16; Standard's description of what supplier must do: Disclose the supplier standards to each of the beneficiaries served; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or another responsible employee about how the supplier discloses the standards to beneficiaries and records the information on the site inspection form. The site inspector determines if the supplier is using the current standards and, if not, advises the supplier of the regulatory requirement and provides the supplier with a copy of the current standards. Standard number: 17; Standard's description of what supplier must do: Disclose to the government any person having ownership, financial, or controlling interest in the DMEPOS supplier; NSC's verification procedures: Desk review - The analyst reviews information provided in the application and uses the information as part of verification of standard 1 by determining if any listed owners have been previously sanctioned or disbarred; On-site inspection - The site inspector interviews the owner, manager, or other responsible employee to elicit names of the supplier's owners and managers, as well as any other companies owned or managed by these individuals, and records the information on the site inspection form. Standard number: 18; Standard's description of what supplier must do: Not sell, or allow another entity to use, its Medicare billing number; NSC's verification procedures: NSC verifies through the same process as standard 17. Standard number: 19; Standard's description of what supplier must do: Have a complaint resolution protocol established to address beneficiary complaints that relate to these standards and maintain a record of the complaints at the physical facility; NSC's verification procedures: On-site inspection - The site inspector interviews the owner, manager, or other responsible employee, obtains a copy of the complaint resolution protocol and complaint log, observes where complaint records are stored, and records the information on the site inspection form. If the supplier does not have the required complaint resolution protocol or log, the inspector educates the supplier and advises the supplier of where model forms can be obtained. The supplier has 48 hours from the time of the inspection to provide the needed documents to the site inspector. Standard number: 20; Standard's description of what supplier must do: Include in its beneficiary complaint records the name, address, telephone number, and beneficiary insurance number; a summary of the complaint, including its resolution; and any actions taken to resolve it; NSC's verification procedures: On-site inspection - The site inspector obtains a copy of the complaint log and records observations on the site inspection form. If the supplier does not have complaint records, the site inspector educates the supplier about the need for them and advises the supplier about where model forms can be obtained. The supplier has 48 hours from the time of the inspection to provide the needed documents to the site inspector; Desk review - The analyst reviews the complaint log obtained by the site inspector to ensure that each complaint record includes the required information. Standard number: 21; Standard's description of what supplier must do: Agree to furnish CMS with any information required by the Medicare statute and implementing regulations; NSC's verification procedures: NSC verifies compliance with this standard through verifying compliance with the other standards. Source: GAO analysis of 42 C.F.R. § 424.57(c) (2004) and 42 C.F.R § 420.206 (2004), CMS's Medicare Program Integrity Manual, NSC's contract statement of work, NSC's procedures, the site inspection form, and information from NSC officials. [End of table] [End of section] Appendix III: Agency Comments: DEPARTMENT OF HEALTH & HUMAN SERVICES: Centers for Medicare & Medicaid Service: Administrator: Washington, DC 20201: DATE: AUG 30 2005: TO: Leslie G. Aronovitz: Director: Health Care: Government Accountability Office: FROM: Mark B. McClellan, M.D., Ph.D. Administrator: Initialed by Mark B. McClellan: SUBJECT: Government Accountability Office's (GAO) Draft Report: MEDICARE: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers (GAO-05-656): Thank you for the opportunity to review and comment on the above GAO draft report. The Centers for Medicare & Medicaid Services (CMS) is committed to protecting beneficiaries and the Medicare Trust fund from fraud, waste, and abuse by ensuring that only qualified suppliers are enrolled via the National Supplier Clearinghouse (NSC) and assuring the NSC enforces the twenty-one supplier standards. In the past year, the NSC has already started conducting ad-hoc, out-of-cycle site inspections in vulnerable areas of the country, including Miami and Los Angeles, resulting in revocation of supplier numbers. NSC is also working with other contractors to develop an analytical approach to identify suppliers intent on fraud who "sand-bag" billing numbers to be used in the event other numbers they have are revoked or suspended. The CMS has already made changes to the statement of work (SOW) that the NSC will operate under beginning fiscal year (FY) 2006, as well as under the new durable medical equipment (DME) Medicare administrative contract, expected to be awarded later this year and implemented in calendar year 2006. CMS will be pursuing regulatory changes to strengthen current supplier standards, including providing interpretive guidance on inventory and physical facility requirements, keeping a revoked supplier from reentering the program for a specified period of time, and temporarily limiting the approval of supplier enrollment applications in parts of the country experiencing fraud and abuse in the durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) community. CMS also recently added a Program Integrity satellite office in southern California that is focusing on Medicare DMEPOS supplier fraud. This office is working closely with the NSC/Supplier Audit and Compliance Unit (SACU) on many initiatives to combat fraud and abuse. The CMS appreciates the level of effort that the GAO expended in drafting this report. We look forward to working collaboratively with GAO to protect the Medicare Trust Funds in the future. Attached are the detailed comments to the GAO's recommendations. Centers for Medicare & Medicaid Services' Comments to the Government Accountability Office's Draft Report: MEDICARE: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers (GAO-05-656): GAO Recommendation: Starting in states where licensure is mandatory, require NSC to routinely check suppliers' billing for oxygen, prosthetics, orthotics, and any other items requiring licensure against the items the suppliers declared they are providing on applications. Where suppliers are billing for services not declared, take appropriate action to revoke the billing numbers of suppliers not complying with program requirements. CMS Response: The CMS recently issued instructions to our durable medical equipment regional carriers (DMERC) claims processing area to institute edits of claims for prosthetics and certain custom-fabricated orthotics for suppliers who supply such items and are located in a state requiring licensure. These instructions are scheduled for implementation on October 3, 2005. Beginning with FY 2006, an additional statement of work requirement for the NSC will be to annually check for compliance with all applicable licensure and certification requirements, and confirm the comprehensive liability insurance policy remains in effect (that is, that it has not been cancelled or allowed to lapse). This is currently being done every three years as part of the reenrollment process. Part of this check will include a comparison to a supplier's billing history. CMS is also exploring the institution of edits for other licensed specialties, including oxygen. The CMS will explore the idea of requiring the NSC, where appropriate, to routinely compare the items for which a supplier bills that require licensure against the items the supplier indicates on the enrollment application it will supply to Medicare beneficiaries. We also believe that Footnote 22 on page 15 inappropriately suggests that CMS is not concerned with the failure of some DMEPOS suppliers to comply with state licensure requirements. CMS is very concerned with this issue, and is exploring ways to pursue collection of overpayments for licensure violations. To that end, the NSC has begun providing specific information to the DMERCs regarding when a DMEPOS supplier's license on file has expired, with instruction to develop and collect an overpayment for any claims submitted for items or services furnished after licensure has lapsed. GAO Recommendation: Require NSC to provide information. from suppliers' billing histories to inspectors before they conduct on-site inspections to help them collect information to assess whether suppliers' inventory or contracts to obtain inventory are congruent with the suppliers' Medicare payments. CMS Response: We concur. With the start of FY 2006, the requirements in the NSC SOW have been revised to include the provision of a DMEPOS supplier's billing history to on-site inspectors prior to inspectors conducting onsite inspections. GAO Recommendation: When suppliers report having inventory that is primarily maintained off- site or supplied through another company, require NSC to evaluate the legitimacy of the supply location or source and any related contracts. CMS Response: We concur. The FY 2006 SOW requires the NSC to make site visits to a suppliers off-site inventory storage location and to make site visits to businesses that sell the supplier inventory or fulfill orders through inventory-supply contracts. GAO Recommendation: As part of the on-site inspections, require inspectors to review and provide information to NSC analysts on the contents of, a minimum number of patient fates to determine supplier adherence to standards for maintaining documentation of services and information provided to beneficiaries. CMS Response: We concur and believe that by reviewing beneficiary tiles, inspectors can verify that suppliers are properly documenting services and information provided to beneficiaries. Inspectors will be required to review a percentage of the tiles. The exact percentage of files that could be reviewed will depend on factors such as the number of total beneficiary files, the inspectors' workload, budgetary constraints, and other available sources for review of claims files. This specific requirement will be further defined in the NSC's SOW. GAO Recommendation: Oversee NSC's activities to ensure that it conducts on-site inspections for suppliers as required by CMS and maintains accurate data on the on- site inspections it conducts. CMS Response: We concur. CMS will add this oversight function to the quarterly contractor performance evaluations that were started in FY 2005. CMS would like to review the procedures used by GAO to arrive at its conclusions regarding whether the NSC was conducting all on-site inspections as required by NSC's SOW, and then incorporate these procedures into the quarterly contractor performance evaluation. CMS will also develop a mechanism to audit the workload figures reported by NSC to CMS as part of their ongoing workload reporting requirements. GAO Recommendation: Establish a minimum number of out-of-cycle on-site inspections in its contract that NSC must perform each year. CMS Response: We concur. As mentioned above, the NSC has already begun conducting out- of-cycle inspections in FY 2005. Beginning in FY 2006, the requirement to perform out-of-cycle onsite inspections has been added to their SOW. The exact number of inspections that NSC shall perform will depend on NSC's workload and budgetary constraints, and will be monitored on a monthly basis by CMS. GAO Recommendation: Develop standards that incorporate requirements for suppliers to demonstrate that they have the integrity and capability to perform their functions analogous to the standards for federal contractors. CMS Response: We concur, and are in the process of developing quality standards for suppliers. As noted in your report, the Medicare Modernization Act of 2003 (MMA) requires CMS to establish competitive bidding among suppliers for DME and supplies used in conjunction with DME, enteral nutrients, and off-the-shelf orthotics. Such bidding, which will be subject to the Federal Acquisition Regulation (FAR), must be introduced to at least 10 of the largest metropolitan areas by 2007 and to 80 of these areas by 2009. (Although the bidding will be subject to the FAR, the Secretary may waive FARs as needed to efficiently implement the bidding process.) The MMA also requires CMS to develop quality standards for all DMEPOS suppliers and to select one or more independent accreditation organizations to apply these quality standards. We believe that this requirement will raise the bar for all suppliers and will improve our ability to deter health care fraud and abuse. Comments we have received from interested parties about this MMA provision have supported requiring accreditation of Medicare DMEPOS suppliers. The CMS will be publishing an NPRM in the fall of this year on DME competitive bidding, quality standards and accreditation. We expect to have a final rule by next year. There will be a period for selection by CMS of one or more accreditation organizations to apply the quality standards. CMS will coordinate implementation of the DMEPOS accreditation requirement with the DME competitive bidding program. GAO Recommendation: Revise current evaluation procedures to fully assess the outcomes expected from SACU's activities and NSC 's adherence to contract requirements. CMS Response: We concur. As mentioned earlier, beginning with the second quarter of FY 2005, CMS has already expanded its oversight and evaluation procedures to include quarterly reviews of N SC and SACU enrollment functions. This effort was undertaken to better assess the outcomes expected from SACU's activities and NSC's adherence to contract requirements. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Leslie G. Aronovitz, (312) 220-7600 or aronovitzl@gao.gov: Acknowledgments: In addition to the contact named above, Sheila K. Avruch, Assistant Director; Kevin Dietz; Cynthia Forbes; Krister Friday; Christine Hodakievic; Daniel Lee; Lisa Rogers; John Ryan; and Craig Winslow made key contributions to this report. [End of section] Related GAO Products: Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs. GAO-05-43. Washington, D.C.: November 17, 2004. Medicare: Past Experience Can Guide Future Competitive Bidding for Medical Equipment and Supplies. GAO-04-765. Washington, D.C.: September 7, 2004. Medicare: CMS Did Not Control Rising Power Wheelchair Spending. GAO-04- 716T. Washington, D.C.: April 28, 2004. Medicare: HCFA to Strengthen Medicare Provider Enrollment Significantly, but Implementation Behind Schedule. GAO-01-114R. Washington, D.C.: November 2, 2000. FOOTNOTES [1] Medicare law defines durable medical equipment (DME) as equipment that serves a medical purpose, can withstand repeated use, is generally not useful in the absence of an illness or injury, and is appropriate for use in the home. DME includes items such as wheelchairs, hospital beds, and walkers. Medicare law defines prosthetic devices (other than dental) as devices that are needed to replace a body part or function. Prosthetic devices include artificial limbs and eyes and cardiac pacemakers. Medicare law defines orthotic devices to include leg, arm, back, and neck braces that provide rigid or semirigid support to weak or deformed body parts or restrict or eliminate motion in a diseased or injured part of the body. Medicare-reimbursed DME supplies are items that are used in conjunction with DME and are consumed during the use of the equipment--such as drugs used for inhalation therapy--or items that need to be replaced on a frequent, usually daily, basis--such as surgical dressings. [2] GAO, Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs, GAO-05-43 (Washington, D.C.: Nov. 17, 2004). [3] According to the Department of Health and Human Services Office of Inspector General that investigates alleged DMEPOS and other fraud, from 2003-2004, nine criminal cases involving DMEPOS supplier fraud have gone to trial. As of February 4, 2005, 21 individuals involved in such cases have been convicted of fraud, and over $70 million in improper payments has been recovered. [4] In this report, the term supplier is used only for DMEPOS suppliers. [5] Three of the 21 standards were created by statute (42 U.S.C. § 1395m(j)(1)(B) (2000)) and the other 18 standards were established by regulation. The 21 standards are found at 42 C.F.R. § 424.57(c) (2004). [6] The supplier standards require suppliers to permit on-site inspections, while the statement of work governing NSC's activities generally refers to these as site visits. The two terms refer to the same activity and we use the term on-site inspection throughout this report. [7] In order to sell certain DMEPOS items or services, including oxygen, orthotics, and prosthetics, certain states require licensure. The types of licensure vary by state. For example, according to CMS, nine states require licensure or certifications to provide prosthetics and orthotics. Holding a valid state license, in states that require them, indicates that the state has determined that the supplier has met the state's minimum requirements to supply the item. [8] We did not review NSC's procedures to verify that suppliers have comprehensive liability insurance, because these procedures have recently been strengthened and we believe that they should be adequate as a result. We also did not review NSC's procedure to check supplier companies and their owners to ensure that they are not excluded from participating in federal health care programs or debarred from federal contracting, because this is done through a routine data procedure matching the names against federal files that list the names of excluded and debarred companies and individuals. [9] NSC maintains a database with information on Medicare DMEPOS suppliers. From this database NSC sent us three files with information on active, inactive, and revoked suppliers as of May 31, 2004. The files included information such as the supplier's legal business name, billing number, address, date of the most recent on-site inspection, the DMEPOS items and services the supplier provides, and information on whether the supplier had its billing number revoked. [10] Medicaid is a state-administered health care program, jointly funded by the federal and state governments, that covers approximately 54.9 million eligible low-income individuals. Each state administers its own program and determines, under broad federal guidelines, eligibility for, coverage of, and reimbursement for specific items and services, such as DME. Each state is also responsible for its own enrollment process for suppliers and other providers. [11] Unlike Part A, Part B requires enrollees to pay a monthly premium for their Part B coverage. Part A of Medicare covers inpatient hospital, skilled nursing facility, hospice, and certain home health services. [12] The four DME regional carriers are HealthNow New York, Inc. (Region A, which includes 10 states in the northeast from Maine to Delaware); AdminaStar Federal (Region B, which includes 9 states in the midwest, from Maryland to Minnesota, and the District of Columbia); Palmetto Government Benefits Administrators (Region C, which includes 14 states in the south, from North Carolina to New Mexico, and Puerto Rico and the Virgin Islands); and CIGNA Government Services, LLC (Region D, which includes 17 states in the west, from Missouri to Washington, and Guam, Mariana Islands, and American Samoa). [13] 42 U.S.C. § 1395m(a)(17) (2000). [14] CMS requires NSC to conduct on-site inspections of DMEPOS suppliers--with certain exceptions. Specifically, the statement of work under which NSC operates states that NSC shall apply certain procedures to verify information provided by new applicants, including conducting inspections for those suppliers requiring them, and will perform inspections on reenrolling suppliers as required to verify information. It further states that all suppliers are subject to on-site inspections upon initial enrollment and reenrollment, except physicians, certified Medicare suppliers, and supplier chains with 25 or more locations. Certified Medicare suppliers include hospitals; skilled nursing facilities; home health agencies; clinics, rehabilitation agencies, and public health agencies; comprehensive outpatient rehabilitation facilities; hospices; critical access hospitals; and community mental health centers. The statement of work also provides that NSC, at reenrollment, does not have to conduct on-site inspections of suppliers with $34,000 or less in allowed charges in the previous year. According to CMS, NSC is responsible for conducting enrollment and reenrollment on-site inspections for all suppliers listed as not exempt. [15] NSC also requires suppliers to name NSC as a certificate holder for their liability insurance, which means that an insurer must notify NSC when a supplier's policy is cancelled. [16] NSC began requiring photographic evidence as part of the on-site inspection in December 2003. [17] Federal health care programs include Medicare, Medicaid, and all other plans and programs that provide health benefits funded directly or indirectly by the United States (other than the Federal Employees Health Benefits Program). [18] First-time applicants for enrollment can be denied, while DMEPOS suppliers currently enrolled in the program that are renewing their applications for billing privileges may have their current billing numbers revoked. DMEPOS suppliers must renew their Medicare enrollment application every 3 years. [19] The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 gave suppliers the right, after December 8, 2004, to take their second level of appeal to an administrative law judge. Suppliers dissatisfied with the decision of the administrative law judge can pursue additional judicial appeals. Pub. L. No. 108-173, § 936(a)(2), 117 Stat. 2066, 2411-2412 (to be codified at 42 U.S.C. § 1395cc(j)). [20] Custom-fabricated orthotic devices are braces that are individually fabricated for a specific patient. For our analysis, we used a list of codes developed by CMS to identify prosthetic devices and custom-fabricated orthotic devices. [21] We restricted our analysis to suppliers with at least $1,000 in prosthetics or custom-fabricated orthotics payments. [22] A Region C DME regional carrier official told us that it was not routinely identifying and assessing overpayments against suppliers that have been identified as billing without the proper state licenses and CMS has not directed it to do so. The DME regional carrier assessed overpayments for prosthetics and custom-fabricated orthotics claims against the suppliers in Florida cited above after receiving permission to do so by the CMS satellite field office in Miami. The overpayment assessments were established based on information from investigations and medical review of claims that suggested many of these payments were not proper. In its comments on a draft of this report, CMS informed us that NSC has begun providing specific information to the DME regional carriers regarding when a DMEPOS supplier's license on file has expired, with instructions to develop and collect an overpayment for any items or services furnished after licensure has lapsed. [23] In response to the rise in suspicious prosthetics and custom- fabricated orthotics billing, Region C DME regional carrier staff began several special projects, such as requiring suppliers to provide documentation to back up their claims before paying for 148 prosthetic and orthotic items and investigating and referring 74 cases to law enforcement. [24] 42 U.S.C. § 1395m(h)(1)(F) (2000). [25] After excluding all of the types of suppliers NSC is not required to inspect at enrollment and reenrollment, we analyzed NSC's active supplier data file to determine whether all of the suppliers for which an on-site inspection was required had one listed. We found that 14 percent--3,684--of the enrolled suppliers that should have received an on-site inspection did not have an inspection date recorded. NSC reviewed our random sample of 67 of these 3,684 suppliers. In most cases, the suppliers without an on-site inspection date recorded had received one, but NSC had not updated its supplier database. However, 11 of the 67 suppliers did not receive the required on-site inspection. Based on this sample, we estimated that between 545 and 667 of the 3,684 suppliers had not received an on-site inspection, based on a confidence interval of + or - 10 percent. [26] On April 1, 2005, NSC informed us that it had implemented edits in its supplier data system to ensure that on-site inspections conducted after August 20, 2004, were recorded. [27] In these cases, the chains also include other locations with supplier billing numbers that are either inactive or revoked. [28] Falsely certifying beneficiaries' medical need for DMEPOS items is a violation of the standard that requires suppliers to comply with all applicable federal regulatory requirements, and may constitute a civil or criminal offense. [29] In addition, the inspectors were not told exactly why NSC was suspicious of these suppliers--for example, whether it was due to their billing patterns or to their connection to an ongoing investigation of other suppliers. Understanding why the inspection was taking place could help focus the inspector's review. [30] We analyzed fiscal year 2004 appeals to CMS by suppliers that had their billing numbers denied or revoked, in part because they did not have inventory to fill orders, to identify suppliers that provided contracts with the same companies as their sources of inventory in order to contest the revocations. [31] Banks and other financial institutions are required to file reports on currency transactions of $10,000 or more. 31 C.F.R. § 103.22 (2004). These reports assist law enforcement in identifying financial transactions that may be associated with criminal activities. [32] See GAO-05-43. [33] NSC has focused its review on nonchain suppliers, based on its previous experience with the suppliers found most likely to have problematic billing. [34] Pub. L. No. 108-173, § 302(b), 117 Stat. 2066, 2224-2228. [35] 48 C.F.R. § 9.104-1 (2004). A federal officer awarding a contract has broad discretion to use any current facts indicating financial weakness in making responsibility determinations, such as the firm's profitability, ratio of assets to liabilities, liquidity of assets, and credit ratings. In addition, a prospective contractor must have the "necessary organization, experience, accounting and operational controls, and technical skills or the ability to obtain them." This is often determined by examining the prior experience of the prospective contractor, its past performance, the past performance of a predecessor firm, and the experience of the principal officers. [36] Termination for convenience means the federal government completely or partially terminates a contractor's performance of work under the contract when it is in the government's interest. Termination for default means the federal government completely or partially terminates a contract because of the contractor's actual or anticipated failure to perform its contractual obligations. 48 C.F.R. § 2.101 (2004). [37] 48 C.F.R. §§ 9.406-2 and 9.406-4 (2004). [38] The Medicare standard for a physical location does not forbid suppliers from operating out of their homes. [39] Costec Assocs., B-215827, Dec. 5, 1984, 84-2 CPD ¶ 626. [40] HHS also has authority to debar entities that engage in nonprocurement transactions with the department. See 45 C.F.R. pt. 76 (2004). HHS officials that we contacted were not aware of this authority ever being used to debar Medicare suppliers. A CMS official indicated that the supplier-specific regulations are used to address noncompliant DMEPOS suppliers. [41] In practice, federal agencies do not always use their authority and sometimes continue to contract with companies that have failed to perform adequately or have shown a lack of integrity in performing their contracts. [42] Mayfair Constr. Co., B-192023, Sept. 11, 1978, 78-2 CPD ¶ 187. [43] See Garten-und Landschaftsbau GmbH Frank Mohr, B-237276, Feb. 13, 1990, 90-1 CPD ¶ 186; see also Becker and Schwindenhammer, GmbH, B- 225396, Mar. 2, 1987, 87-1 CPD ¶ 235. [44] This requirement applies to all providers, not just suppliers. [45] The state can also disenroll providers after the first year, but the process to do so is more complex. [46] After discovering significant fraud among DME suppliers, California Medicaid required all DME suppliers to reapply in 2000. Less than half reenrolled. California Medicaid has not enrolled any DME suppliers since that time. Any supplier disenrolled after 2000 cannot be reenrolled until the state begins a new reenrollment cycle for DME suppliers, which the state does not plan to do in the near term. [47] One supplier recently investigated by the FBI and the OIG was located in a gym and fitness center. [48] Pub. L. No. 108-173, § 302(a), 117 Stat. 2066, 2223-2224. [49] According to NSC's contract, the SACU must educate suppliers about the Medicare application process; participate in Medicare and DME regional-carrier-sponsored fraud conferences, meetings, and discussions; serve as a point of contact with GAO, the OIG, and the FBI on NSC-related Medicare fraud issues; establish contacts among governmental fraud prevention agencies; support the on-site inspection process; and take whatever steps it deems necessary, including appropriate travel, in compliance with existing laws and regulations to prevent fraudulent suppliers from gaining and keeping access to the Medicare program. [50] These states were chosen because they have licensure requirements for certain DMEPOS items and are known to have suppliers with fraudulent Medicare DMEPOS billings. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: