This is the accessible text file for GAO report number GAO-10-143 entitled 'Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight' which was released on March 31, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: March 2010: Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight: GAO-10-143: GAO Highlights: Highlights of GAO-10-143, a report to congressional requesters. Why GAO Did This Study: The Centers for Medicare & Medicaid Services (CMS) conducted a mandated 3-year project from March 2005 through March 2008 to demonstrate the use of recovery audit contractors (RAC) in identifying Medicare improper payments and recouping overpayments. CMS implemented a mandated national RAC program, which began in March 2009. GAO was asked to examine specific issues that arose during the demonstration project and CMS’s efforts to address them in the national RAC program. This report examines the extent to which CMS (1) developed a process and took corrective actions to address vulnerabilities identified by the RACs that led to improper payments, (2) resolved coordination issues between the RACs and the Medicare claims administration contractors, and (3) established methods to oversee RAC claim review accuracy and provider service during the national program. GAO reviewed CMS documents and interviewed officials from CMS and contractors and provider groups affected by the demonstration project. What GAO Found: CMS did not establish an adequate process in the 3-year demonstration project or in planning for the national program to address RAC- identified vulnerabilities that led to improper payments, such as paying duplicate claims for the same service. CMS stated that one purpose of the demonstration project was to obtain information to help prevent improper payments. However, CMS has not yet implemented corrective actions for 60 percent of the most significant RAC- identified vulnerabilities that led to improper payments, a situation that left 35 of 58 unaddressed. These were vulnerabilities for which RACs identified over $1 million in improper payments for medical services or $500,000 for durable medical equipment. CMS developed a spreadsheet, which listed the most significant improper payment vulnerabilities that were identified by the RACs during the demonstration project. However, the agency did not develop a plan to take corrective action or implement sufficient monitoring, oversight, and control activities to ensure these significant vulnerabilities were addressed. Thus, CMS did not address significant vulnerabilities representing $231 million in overpayments identified by the RACs during the demonstration project. For the RAC national program, CMS developed a process to compile identified vulnerabilities and recommend actions to prevent improper payments. However, this corrective action process lacks certain essential procedures and staff with the authority to ensure that these vulnerabilities are resolved promptly and adequately to prevent further improper payments. Based on lessons learned during the demonstration project, CMS took multiple steps in the national program to resolve coordination issues between the RACs and Medicare claims administration contractors. During the demonstration project, CMS learned that having regular communication with the claims administration contractors on improper payment vulnerabilities that the RACs were identifying was important. CMS also learned that the data warehouse used to store claims information for the RACs needed more capacity and utility, that manual claims adjustment by claims administration contractors to recoup improper payments was burdensome, and that sharing paper copies of medical records between RACs and claims administration contractors when claims denials were appealed was difficult to manage. As a result, CMS took steps to resolve these coordination issues in the national program, such as enhancing the existing data warehouse and automating the claims-adjustment process. CMS took steps to improve oversight of the accuracy of RACs’ claims reviews and the quality of their service to providers for the national program. CMS added processes to review the accuracy of RAC determinations, including independent reviews by another CMS contractor. CMS also established requirements to address provider concerns about service, such as having the RACs establish Web sites that will allow providers to track the status of a claim being reviewed. In addition, CMS established performance metrics that the agency will use to monitor RAC accuracy and service to providers. What GAO Recommends: GAO recommends that CMS improve its corrective action process by designating responsible personnel with authority to evaluate and promptly address RAC-identified vulnerabilities to reduce improper payments. CMS agreed with GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-143] or key components. For more information, contact Kathleen M. King at (202) 512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-9095 or dalykl@gao.gov. [End of section] Contents: Letter: Background: CMS Did Not Establish an Adequate Process to Address RAC-Identified Vulnerabilities That Led to Improper Payments; Corrective Actions Were Limited: CMS Is Taking Action to Resolve RAC and Medicare Claims Administration Contractor Coordination Issues: CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service to Providers: Conclusions: Recommendations for Executive Action: Agency and Other External Comments: Appendix I: Selected Changes Made to the Medicare National Recovery Audit Contractors (RAC) Program: Appendix II: Comments from the Department of Health & Human Services: Appendix III: GAO Contacts and Staff Acknowledgments: Table: Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics Related to Accuracy and Provider Service: Figures: Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review Process: Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase- in Schedule: Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program: Figure 4: Status of Corrective Actions for Vulnerabilities with Improper Payments of Greater Than $1 Million, as of the End of the Recovery Audit Contractor Demonstration Project--March 2008: Figure 5: Interdependence of Recovery Audit Contractors (RACs) and Medicare Administrative Contractors (MACs): Abbreviations: CMS: Centers for Medicare & Medicaid Services: DME: durable medical equipment: FFS: fee-for-service: HHS: Department of Health and Human Services: IPPP: Improper Payment Prevention Plan: LCD: local coverage determination: MAC: Medicare Administrative Contractor: MMA: Medicare Prescription Drug, Improvement, and Modernization Act of 2003: NCD: national coverage determination: OFM: Office of Financial Management: RAC: recovery audit contractor: VC: validation contractor: [End of section] United States Government Accountability Office: Washington, DC 20548: March 31, 2010: Congressional Requesters: For almost 20 years, we have designated Medicare, which provides health insurance for those aged 65 and older and certain disabled persons, as a high risk program due to the its size and complexity, as well as its susceptibility to mismanagement and improper payments. [Footnote 1] Improper payments may be due to errors, such as the inadvertent submission of duplicate claims for the same service, or misconduct, such as fraud and abuse.[Footnote 2] In 2009, the Department of Health and Human Services (HHS) estimated that approximately $24.1 billion, or 7.8 percent of Medicare fee-for- service (FFS)[Footnote 3] payments for claims from April 2008 through March 2009 were improper.[Footnote 4] Because billions of dollars are paid in error each year, the Centers for Medicare & Medicaid Services (CMS)--the HHS agency that administers the Medicare program--conducts a number of activities to reduce improper payments.[Footnote 5] CMS's efforts include pre-payment reviews to prevent improper payments before claims are paid, as well as post-payment reviews of claims potentially paid in error. CMS uses Medicare claims administration contractors to perform these and other Medicare FFS functions, [Footnote 6] which include reviewing and paying claims in accordance with Medicare policy, and conducting provider outreach and education on correct billing practices.[Footnote 7] The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) directed CMS to conduct a project to demonstrate how effective the use of recovery audit contractors (RACs) would be in identifying underpayments and overpayments, and recouping overpayments in the Medicare program.[Footnote 8] Recovery audits involve post- payment review of supporting documents and other information to identify overpayments and underpayments.[Footnote 9] The MMA directed CMS to establish a RAC demonstration in at least two states from among the ones with the highest per-capita Medicare utilization rates and to use at least three RACs.[Footnote 10] The MMA also authorized CMS to pay the RACs on a contingency basis, which differs from how the agency pays its other contractors.[Footnote 11] For Medicare, the RAC demonstration project was designed to be an addition to existing claims review processes conducted by various contractors that CMS uses to administer the program. The demonstration project required the RACs to review claims previously paid by Medicare claims administration contractors to identify payment errors, such as whether a provider billed the correct number of units for a particular drug or service. Once a RAC identified an improper payment, it informed the provider of the error and its amount. The Medicare claims administration contractor then adjusted the claim to the proper amount and collected the overpayment or reimbursed the underpayment. During the demonstration project, CMS paid RACs contingency fees on overpayments collected and underpayments refunded.[Footnote 12] In the CMS RAC Status Document FY 2006: Status on the Use of Recovery Audit Contractors (RACs) in the Medicare Program, the agency reported its intention to use information from RAC reviews to identify issues at risk for improper payments. Similarly, the agency's 2008 evaluation of the demonstration project provided information on the service- specific errors or vulnerabilities, which resulted in RAC-identified improper overpayments and underpayments. CMS or its Medicare claims administration contractors could then address the vulnerabilities most likely to result in payment errors in order to reduce improper payments. Once a RAC identified a vulnerability, it was the responsibility of CMS or the Medicare claims administration contractors to take corrective action. Corrective action involves identifying the causes for each type of vulnerability and addressing them, in order to reduce future improper payments. In the 2006 status document on the demonstration project, CMS also reported that the demonstration RACs identified $303.5 million in improper payments.[Footnote 13] However, this amount did not include the final results of any provider appeals filed after or pending at that time.[Footnote 14] CMS concluded that "preliminary results indicate that the use of recovery auditors is a viable and useful tool for ensuring accurate payments" and that RACs would be a "value-added adjunct" to the agency's programs. Subsequently, in December 2006 the Tax Relief and Health Care Act of 2006 required CMS to implement a national recovery audit contractor program by January 1, 2010. Providers reported problems during the RAC demonstration project, and expressed concerns about the implementation of a national program before these issues were resolved. For example, providers stated that the contingency fee payment structure created an incentive for RACs to be aggressive in determining that paid claims were improper. In addition, providers faulted CMS for not holding the RACs accountable for the accuracy of their decisions, noting that RAC determinations resulted in thousands of provider appeals to Medicare claims administration contractors. These appeals and adjustments to claims produced additional workload and coordination challenges for the Medicare claims administration contractors adjudicating appeals and RACs. Association and hospital representatives further noted the RACs sometimes requested duplicate medical records as part of their reviews, thus increasing providers' administrative burden. In a June 2008 report evaluating the 3-year RAC demonstration project, CMS reported its intent to make a number of changes to the RAC national program to address these concerns and streamline operations.[Footnote 15] You asked us to examine how CMS used information on RAC-identified improper payments to address the underlying vulnerabilities that led to them. You also asked us to examine particular issues regarding contractor coordination and RAC accuracy and service that arose during the RAC demonstration project and CMS's efforts to address them in the RAC national program. This report examines the extent to which CMS (1) developed an adequate process and took corrective action to address RAC-identified vulnerabilities that led to improper payments; (2) built upon lessons learned from the demonstration project to resolve coordination issues between the RACs and the Medicare claims administration contractors for the national program; and (3) established methods to oversee the accuracy of RACs' claims-review determinations and the quality of RAC service to providers during the national program. This report focused on implementation of the recovery audit provisions of the MMA and the Tax Relief and Health Care Act of 2006 and not certain other statues and guidance relevant to recovery auditing. To determine the extent to which CMS developed an adequate process and took corrective action to help prevent future improper payments due to vulnerabilities identified during the RAC demonstration project, we used the criteria outlined in our Standards for Internal Control in the Federal Government.[Footnote 16] We applied these standards to assess whether the policies and procedures CMS instituted to monitor the RAC program reasonably ensured that the findings from RAC reviews were evaluated, assigned to the appropriate components within CMS or its Medicare claims administration contractors to implement corrective actions, and resolved promptly in accordance with these internal control standards. We also used criteria from our Internal Control Management and Evaluation Tool to assess whether CMS's actions to establish an effective internal control environment for the RAC program included the appropriate assignment of authority, accountability, and responsibility to meet the agency's goals and objectives.[Footnote 17] We reviewed the agency's Improper Payment Prevention Plan (IPPP), an internal agency spreadsheet that was designed to list the most significant improper payments identified during the RAC demonstration project that generally resulted in overpayments of at least $1 million. We evaluated the IPPP against CMS's essential steps of a corrective action process namely: (1) data analysis of the errors including those associated with improper payments; (2) determination of the specific programmatic causes; (3) identification of corrective actions to be implemented based on data and program analysis; (4) development of an implementation schedule for each corrective action, including major tasks, personnel responsible, and a timeline for each action, and implementation of the corrective actions; and (5) evaluation of the effectiveness of the corrective actions through monitoring.[Footnote 18] We also interviewed CMS officials to determine the actions taken to assure that the information in the IPPP was accurate. Agency officials said they did not verify the dollar amounts reported by the RACs. However, they referred us to the agency's final evaluation report for the most accurate analysis of the amounts recovered by the RACs as of the end of the demonstration project. Therefore, to quantify the relative dollar amounts of improper payments associated with specific RAC- identified vulnerabilities in the IPPP, we developed a crosswalk between the vulnerabilities listed on the IPPP and the dollar amounts presented in CMS's June 2008 evaluation of the RAC demonstration project. Agency officials agreed that this approach provided an accurate representation of the overpayment amounts at the end of the demonstration project for the most significant vulnerabilities identified by the RACs that led to improper payments.[Footnote 19] We determined these data were sufficiently reliable for our purposes because the data represented the best available information on the RAC- identified vulnerabilities and their financial impact at that time. We also interviewed relevant officials from CMS, two Medicare claims administration contractors that participated in the demonstration project,[Footnote 20] and the demonstration RACs to obtain information about the demonstration RACs' processes and findings. To determine whether CMS addressed coordination issues between RACs and the Medicare claims administration contractors, we reviewed the statements of work for the RACs and MACs that detail CMS's expectations for these contractors. We also examined the performance metrics for the RACs, as well as performance metrics CMS uses to assess coordination between Medicare claims administration contractors and other Medicare FFS contractors. We assessed these elements against the Standards for Internal Control in the Federal Government. We also interviewed CMS officials and staff from the same two Medicare claims administration contractors that participated in the RAC demonstration project about the quality of communication among contractors involved with the RAC program. To determine the extent of CMS's oversight of RAC accuracy and quality of service to providers, we analyzed documentation from CMS, including the RAC statement of work. In addition, we listened to two Special Open Door Forums audio conferences hosted by CMS on the RAC program, as well as a national RAC summit sponsored by associations of health care professionals to learn about provider experiences during the demonstration project and concerns about the national program. We also conducted interviews with CMS officials, RAC staff, and representatives from the American Hospital Association and state hospital organizations in the demonstration states of California, Florida, and New York; the American Medical Association; the Medical Group Management Association; and the American Health Care Association, to obtain further information about the oversight of RAC accuracy and quality of service. We requested comments on a draft of this report from CMS. We received written comments on March 3, 2010 and have summarized them in the agency comment section of this report. We also provided statements of facts from our draft report to the two Medicare claims administration contractors and seven provider associations we interviewed and requested their comments that we incorporated as appropriate. We conducted this performance audit from March 2009 to March 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Recovery auditing has been used in various industries, including health care, to identify and collect overpayments for about 40 years. Private insurance companies, managed care plans, and employee group health plans contract with recovery auditors to review payments made. Typically, recovery auditing contractors are paid a contingency fee based on a percentage of the overpayments collected. Fees vary depending on such factors as the types of overpayment involved and the degree of difficulty associated with identifying and collecting them. Use of Contractors in the Operation of the Medicare Program: Contractors play an essential role in the Medicare program. Since the program's inception in 1965, Medicare claims administration contractors, then known as fiscal intermediaries and carriers, have conducted its claims administration activities. In addition, CMS also uses other contractors to conduct Medicare functions, such as to investigate instances of potential fraud and develop cases for referral to law enforcement and to answer beneficiary inquiries through the 1-800-Medicare help line. At present, CMS is in the midst of the largest transition of its claims administration contracts since the program was established. The MMA required CMS to use competitive procedures to select new entities called Medicare Administrative Contractors (MACs) to conduct claims administration activities that had been conducted by fiscal intermediaries and carriers. Through February 2005, CMS contracted with approximately 51 fiscal intermediaries and carriers that processed and paid claims, conducted automated pre-payment and limited post-payment review of claims, handled the first level of provider appeals of denied claims, enrolled providers in Medicare, and audited providers' cost reports.[Footnote 21] To address improper billing, these Medicare claims administration contractors also performed trend analysis of provider billing patterns, developed strategies to address improper billing through systems edits or provider education and claims review, helped implement CMS-issued national coverage determinations (NCD), and developed local coverage determinations (LCD).[Footnote 22] By the end of the transition from fiscal intermediaries and carriers to MACs, CMS will have transferred all of these tasks to 15 MACs that will handle Part A claims and Part B claims with the exception of durable medical equipment (DME) claims, which will be processed by four specialized DME MACs. As of September 2009, CMS made an initial award decision on all the MAC contracts and has implemented 13. Because the transition is not completed, the current Medicare contracting environment includes fiscal intermediaries, carriers, and MACs, any one of which we refer to as Medicare claims administration contractors for this report. Claims Review in Medicare: Medicare claims administration contractors review Medicare claims both before and after payment using similar automated and complex processes. CMS's use of recovery auditing in the RAC demonstration project augmented existing Medicare claims administration contractor pre-and post-payment claims review efforts. While Medicare claims administration contractors have the authority to review claims they initially paid, this is only one of the many functions they perform. Further, because the Medicare claims administration contractors receive more than 1.2 billion claims per year (the equivalent of 4.5 million claims per work day), it is impractical, according to CMS, for these contractors to manually review more than a small fraction of claims--either before or after payment.[Footnote 23] Recovery audit contractors, in contrast, focus exclusively on post-payment claims review. Medicare claims administration contractors and the RACs generally use the same processes to review claims: * Automated reviews use systems edits to check claims for evidence of improper coding or other mistakes.[Footnote 24] Medicare claims administration contractors may use automated reviews before payment to deny claims, or to flag claims that require additional non-automated review before payment. RACs use automated reviews after payment to analyze paid claims and identify those that were or could have been paid improperly. * Complex reviews rely on licensed medical professionals to manually examine a claim and any related documentation, including paper files, to determine whether the service was covered and was reasonable and necessary. Complex reviews conducted by a Medicare claims administration contractor or a RAC involve an examination of the medical records associated with a service, which the provider submits for review.[Footnote 25] RAC Responsibilities in the Demonstration Project: CMS implemented the RAC demonstration project to test whether recovery auditing would effectively identify additional improper payments that could be recouped. In March 2005, CMS selected three RAC contractors to conduct claims reviews in the three states with the highest per- capita Medicare utilization rates--California, Florida, and New York. In July 2007, CMS expanded the demonstration project to three additional states--Arizona, Massachusetts, and South Carolina. The demonstration project ended in March 2008.[Footnote 26] CMS initially provided the RACs with 4 years of claims data in their jurisdictions, followed by an additional 3 months of claims each quarter for the rest of the demonstration project. CMS gave the demonstration RACs a total of 1.2 billion claims that they could review. To prevent the RACs from auditing those claims that previously underwent complex review by a Medicare claims administration contractor or other contractor,[Footnote 27] CMS established a data warehouse that contained information on which claims were unavailable for RAC review. During the demonstration project, the RACs were required to use automated and complex review processes using the same Medicare policies and regulations as CMS's Medicare claims administration contractors to identify improper payments. The RACs used their own software to analyze paid claims and identify those that were or could have been paid improperly. For example, claims indicating duplicate payments could be identified by automated analysis alone. In other cases, the RACs identified claims likely to contain errors and conducted complex reviews. (See figure 1 for a depiction of the claims review process.) In these cases, the RACs requested that providers submit the associated medical records for review. If the RAC found an improper payment, it notified the provider and the Medicare claims administration contractor responsible for recouping the overpayments or repaying an underpayments. Providers could appeal RAC determinations through the established Medicare appeals process, which included a first-level review conducted by the Medicare claims administration contractors. Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review Process: [Refer to PDF for image: process map] Provider submits claim: Medicare claims administration contractor processes claim: Deny; or: Pay: RAC conducts post-payment review: * No improper payment identified; or: * Improper payment identified: - Medicare claims administration contractor recoups overpayment; - Medicare claims administration contractor pays underpayment. Source: GAO analysis of CMS documents. Note: Figure does not include steps related to the appeals process and does include steps prior to the RAC review process. [End of figure] Two years into the demonstration project, CMS initiated a series of vulnerability calls, conference calls between the RACs and the Medicare claims administration contractors. These calls enabled the RACs to provide information about the vulnerabilities they identified that resulted in improper payments and to highlight situations where corrective action might be needed. Although a CMS official told us it was not required, the Medicare claims administration contractors could consider RAC-identified vulnerabilities when developing their strategies to reduce improper payments. If a Medicare claims administration contractor determined that a RAC-identified vulnerability was widespread in its region, it could choose to take several corrective actions. A Medicare claims administration contractor could: (1) conduct provider outreach and education, (2) develop or revise local coverage determinations to clarify what services were reasonable and necessary in that jurisdiction, and (3) initiate additional service-specific prepayment edits in its local claims processing system. In addition, CMS could initiate a nationwide corrective action, such as implementing a national system edit, reissue instructions for coding a claim, or develop a national coverage determination. CMS also could provide outreach and education on critical issues to providers directly through its Special Open Door Forums teleconferences, and presentations at national meetings. In its June 2008 evaluation report, CMS stated that the demonstration project corrected $1.02 billion in improper payments from the three claim RACs--$980.0 million in overpayments and $37.8 million in underpayments--as of March 27, 2008, and returned $693.6 million to the Medicare Trust Funds.[Footnote 28] Eighty-five percent of the overpayments collected were for services detailed on inpatient hospital claims.[Footnote 29] Common types of improper payments were for claims determined to be: coded incorrectly, lacking sufficient documentation, or medically unnecessary.[Footnote 30] However, the RACs collected the majority of these improper payments in the last quarter of the demonstration project, and many provider appeals had not been decided or even filed by the end of the demonstration project. The final outcome of the appeals process, which can take more than two years, could decrease the savings attributed to the demonstration project.[Footnote 31] CMS's report also discussed several changes the agency made prior to the start of the RAC national program. (See appendix I.) RAC Responsibilities in the National Program: In 2008, following the mandate to create a national program, CMS made initial awards of contingency-fee contracts to four RACs, each with responsibility for reviewing claims in one of four geographic regions.[Footnote 32] CMS launched the RAC national program in two stages with outreach activities beginning in 24 states on March 1, 2009, and the remaining states starting in August 2009 or later. (See figure 2.) RAC claim reviews in the national program involve the same processes of automated and complex review of claims as during the demonstration project, and the Medicare claims administration contractors are responsible for recoupments, claims adjustments, and provider outreach and education. Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase- in Schedule: [Refer to PDF for image: U.S. map] RAC Region A: Phase-in March 1, 2009: Maine; Massachusetts; New Hampshire; New York; Rhode Island; Vermont. Phase-in August 1, 2009: Connecticut; Delaware; District of Columbia; Maryland; New Jersey; Pennsylvania; RAC Region B: Phase-in March 1, 2009: Indiana; Michigan. Phase-in August 1, 2009: Illinois; Kentucky; Minnesota; Ohio; Wisconsin. RAC Region C: Phase-in March 1, 2009: Colorado; Florida; New Mexico; Oklahoma; South Carolina; Texas; Phase-in August 1, 2009: Alabama; Arkansas; Georgia; Louisiana; Mississippi; North Carolina; Tennessee; Virginia; West Virginia. RAC Region D: Phase-in March 1, 2009: Arizona; California; Hawaii; Montana; Nevada; North Dakota; South Dakota; Utah; Wyoming. Phase-in August 1, 2009: Alaska; Idaho; Iowa; Kansas; Missouri; Nebraska; Oregon; Washington. Sources: GAO analysis of CMS data; copyright © Corel Corp. all rights reserved (map). [End of figure] The four regional RACs also are required to conduct outreach to providers about the purpose of the RAC program, assist CMS with the development of an improper payment prevention plan, and support the agency regarding any overpayments appealed by providers. The RACs are expected to conduct outreach to providers in each state in coordination with CMS and include the appropriate Medicare claims administration contractor in each state in its region. In addition, RACs are required to compare the claims proposed for review with the claims in the data warehouse to ensure that a Medicare claims administration contractor or other contractor had not previously audited the claims or that RAC activities would not interfere with potential fraud investigations. From March 2009 through June 2009, the RACs' activities included accessing claims data from CMS and convening meetings with the providers in the states in their regions to explain the RAC program. In June 2009, CMS announced a gradual implementation of claims review activities. CMS permitted RACs to begin automated reviews as of June 2009.[Footnote 33] RACs will be permitted to conduct complex reviews to assess medical necessity of DME claims in fiscal year 2010 and complex review of other claims for medical necessity in calendar year 2010. (See figure 3 for a timeline for the RAC program.) Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program: [Refer to PDF for image: timeline] December 2003: Congress requires a RAC demonstration project. March 2005: Demonstration project begins in California, Florida, and New York. December 2006: Congress requires a RAC national program. July 2007: CMS expands RAC demonstration project to Arizona, Massachusetts, and South Carolina[A]. March 2008: RAC demonstration project ends. October 2008: CMS awards contracts for RAC national program. March 2009: RAC national program activity begins. June 2009: Automated reviews begin for RAC national program. During 2010: Complex reviews for medical necessity can begin for RAC national program. Source. GAO analysis of CMS documents. [A] While CMS added Arizona to the demonstration project in July 2007, the relevant RAC did not review any Arizona claims prior to the end of the RAC demonstration project. [End of figure] CMS Did Not Establish an Adequate Process to Address RAC-Identified Vulnerabilities That Led to Improper Payments; Corrective Actions Were Limited: CMS did not establish an adequate process during the demonstration project or in planning for the national program to ensure prompt resolution of the RAC-identified improper payment vulnerabilities.[Footnote 34] Although the agency's goal was for the RACs to provide information to CMS and Medicare claims administration contractors that could help prevent future improper payments, CMS did not implement corrective actions for 60 percent of the most significant vulnerabilities identified during the RAC demonstration project. CMS Did Not Establish an Adequate Process to Address RAC-Identified Vulnerabilities to Reduce Improper Payments: While CMS stated in its fiscal year 2006 status report on the RAC demonstration project that the agency intended to draft a corrective action plan to prevent future improper payments based on the findings identified by the RACs, it did not do so. CMS developed the IPPP--a list of the most significant vulnerabilities that led to improper payments and corrective actions taken to address them--but this document did not include the essential elements of a corrective action plan.[Footnote 35] The IPPP listed the 58 most significant RAC- identified vulnerabilities--generally those that resulted in overpayment collections of $1 million or more--and whether any corrective actions were taken to address them.[Footnote 36] Improper payments for medically unnecessary services and duplicate claims are examples of types of RAC-identified vulnerabilities listed in the IPPP. For each vulnerability, the IPPP listed the provider type, improper payment amount, status, and comments.[Footnote 37] If any action were taken by CMS or its Medicare claims administration contractors, it would be noted in the IPPP. For the RAC national program, CMS has yet to assign responsibility to personnel for implementing corrective actions to address RAC-identified vulnerabilities or to develop steps to assess the effectiveness of actions taken. Based on criteria outlined in our Standards for Internal Control in the Federal Government and criteria that CMS developed for a corrective action process, we found the following limitations in CMS's resolution process: CMS lacked a process to evaluate RAC findings promptly. CMS did not begin to evaluate the most significant vulnerabilities that resulted in improper payments until almost 2 years after the program began. Agency officials told us they did not anticipate that the RACs would identify such a high volume of improper payments and did not have systems in place to collect data at the beginning of the demonstration project. CMS's fiscal year 2006 status report on the RAC demonstration project stated that CMS would draft a proposed RAC Corrective Action Plan to prevent future improper payments by January 2007. However, CMS did not create the IPPP--the spreadsheet to track significant vulnerabilities identified during the demonstration project--until November 2008, 8 months after the demonstration project ended. CMS lacked a process to determine appropriate responses to RAC findings. CMS did not assign responsibility for taking corrective action on the vulnerabilities listed in the IPPP to either the agency itself, its Medicare claims administration contractors, or a combination of both. According to CMS officials, the agency only takes corrective action for vulnerabilities with national implications, and leaves it up to the Medicare claims administration contractors to decide whether to take action for vulnerabilities with local implications. However, the IPPP did not specify what type of action was required on the part of CMS or the Medicare claims administration contractors. For example, for inpatient services that did not meet the stated inpatient care criteria, the IPPP neither specified what type of corrective action would be needed to prevent future improper payments nor whether CMS or its Medicare claims administration contractors were responsible for taking action. Accordingly, neither Medicare claims administration contractors nor CMS have taken corrective action to address payment errors related to this inpatient service vulnerability. Similarly, we reviewed the instructions CMS provided to the Medicare claims administration contractors during the demonstration project and found that CMS did not provide specific guidance to the Medicare claims administration contractors for incorporating RAC findings into local corrective action plans. Instead, CMS allowed its Medicare claims administration contractors to independently determine when to take action and what actions, if any, were needed to address RAC findings. The lack of documented assigned responsibilities--as prescribed in our internal control standards-- impeded CMS's efforts to promptly resolve the vulnerabilities identified by the RACs during the demonstration project. CMS lacked a process to implement corrective actions promptly. The IPPP, which was not created until 8 months after the end of the demonstration project, lacked a time frame based on established criteria for when CMS or its Medicare claims administration contractors should take action. CMS officials told us that although they conducted some informal follow-up, neither the agency nor its Medicare claims administration contractors have implemented any corrective actions to address RAC findings since the fall of 2008. CMS officials noted that the agency does not plan to take any further action until the appeals from the demonstration project are finalized. Because CMS has not developed a time frame for taking action based on established criteria and is currently unable to track all pending first-level appeals of RAC determinations, it is uncertain when or if the agency would take any further action on the remaining vulnerabilities. Although educating providers promptly on how to correct billing errors reduces the risk of improper payments, provider associations also told us they and their members had not received training on the majority of the vulnerabilities identified by the RACs during the demonstration project. For example, one national provider association said that it was not aware of any educational efforts related to the RAC program findings on vulnerabilities either during or after the demonstration project. Another noted that in addition to provider education, systems edits should be used when possible to prevent the initial improper payments. CMS continues to lack an adequate process for implementing corrective actions during the RAC national program. Although CMS has made public statements that preventing future improper payments is the RAC program's mission, the agency has yet to assign responsibility to personnel for implementing corrective actions to address RAC- identified vulnerabilities or to develop steps to assess the effectiveness of corrective actions taken. While CMS's Office of Financial Management (OFM) established a corrective action team for the RAC national program that will compile, review, and categorize RAC-identified vulnerabilities and discuss corrective action recommendations, the team does not have the organizational authority to implement the corrective actions necessary to reduce future improper payments. Rather, the team can only forward the issues and their recommendations to other leadership groups comprised of senior officials from different components within CMS that have the authority to take corrective actions. For example, if the decision is made to address a vulnerability by developing a NCD, the responsibility to prioritize the development of NCDs and expertise to develop them is not within OFM, but rather within the Office of Clinical Standards and Quality. The different components can choose whether to address the identified vulnerabilities that could lead to improper payments. Further, CMS's corrective action process does not include steps to assess the effectiveness of any actions taken to reduce improper payments on RAC-identified vulnerabilities. Strong internal controls include ongoing monitoring of corrective actions, evaluating their effectiveness, and modifying them as necessary.[Footnote 38] CMS officials in OFM said their corrective action team would monitor actions taken by other agency components. However, the corrective action process does not include any steps to either assess the effectiveness of the corrective actions taken or adjust them as necessary based on the results of the assessment. Until CMS designates key personnel with accountability for ensuring corrective actions are implemented and establishes a process to ensure these actions are effective, the agency remains at risk for making improper payments on vulnerabilities previously identified by RACs. CMS's Corrective Actions Did Not Address Most of the RAC-Identified Vulnerabilities That Led to Improper Payments: The lack of accountability and adequate processes for ensuring corrective actions are taken have resulted in most of the RAC- identified vulnerabilities that led to improper payments going unaddressed. CMS implemented corrective actions for 23 of the 58 vulnerabilities (40 percent) listed in the IPPP. (See figure 4.) This left 35 of the 58 vulnerabilities identified during the demonstration project (60 percent) unaddressed, representing millions of dollars in potential overpayments.[Footnote 39] CMS stated in its June 2008 demonstration evaluation report that overpayments were identified for 18 specific medical services totaling $378 million.[Footnote 40] Our analysis of the status of the vulnerabilities related to these overpayments in the IPPP indicates that corrective actions had not been implemented by CMS or the Medicare claims administration contractors for vulnerabilities representing $231 million (61 percent) of the $378 million in overpayments for these services.[Footnote 41] More than 90 percent of the $231 million in vulnerabilities that were not addressed were for inpatient hospital claims alone. Figure 4: Status of Corrective Actions for Vulnerabilities with Improper Payments of Greater Than $1 Million, as of the End of the Recovery Audit Contractor Demonstration Project--March 2008: [Refer to PDF for image: pie-chart illustration] Status of vulnerabilities: Corrective actions taken: 42% (23); - Edits implemented: 12% (7); - Education provided: 10% (6); - Clarification of guidance/issuance of new regulation: 17% (10). Corrective actions not taken: 60% (35). - Unable to develop corrective actions[A]: 12% (7); - Corrective actions not taken: 48% (28). Source: GAO analysis of CMS data. Note: Percentages in figure do not add up due to rounding. [A] According to CMS officials the agency was unable to develop corrective actions because it either lacked adequate information on the specific services involved or decided it was not cost effective to do so. [End of figure] The corrective actions taken to address 23 of the 58 vulnerabilities (40 percent) included: 7 system edits (12 percent), 6 provider education activities (10 percent), and 10 clarifications of guidance and issuance of new regulations (17 percent).[Footnote 42] Six of the 23 corrective actions taken included local actions implemented by the Medicare claims administration contractors and other contractors, but according to the IPPP, CMS also implemented national corrective actions for the same vulnerabilities. CMS did not implement corrective actions for 35 of the 58 vulnerabilities (60 percent) listed in the IPPP. Of these 35 vulnerabilities, CMS did not list a reason on the IPPP for 28 of them (48 percent). CMS officials told us that they were unable to develop specific corrective actions on the other seven (12 percent) because they either lacked adequate information to address the problem or decided it was not cost-effective to do so.[Footnote 43] CMS officials told us the agency was unable to develop corrective actions for 7 vulnerabilities because the agency did not provide sufficient guidance to the RACs on how to categorize these vulnerabilities. As a result, the RACs combined several billing codes into single categories, which presented a challenge for identifying corrective actions, according to CMS officials. For example, RACs denied millions of dollars in inpatient hospital claims not meeting the requirements for inpatient admission. However, CMS officials told us they were unable to develop corrective actions on this and six other vulnerabilities because they either lacked adequate information on specific services involved or decided it was not cost effective to address each specific billing code. Further, the agency reported that it did not have sufficient time to analyze the information on one of these types of vulnerabilities prior to the end of the demonstration project. CMS noted several actions it took to improve the quality of its information on improper payment vulnerabilities that might be identified through the national RAC program. According to CMS officials, the agency has enhanced the data warehouse to provide additional information by establishing 20 to 30 different types of categories for use in the national program. In addition, CMS officials said they will not rely on each RAC to report its findings; instead, the agency will use the information from the data warehouse for data analysis and reports. CMS officials told us they had no plans to take further action on RAC- identified improper payment vulnerabilities that have appeals outstanding from the demonstration project until the results from these appeals are known. According to the agency, information from these appeals may help the agency determine what corrective actions are appropriate. CMS and Medicare claims administration contractors reported that the following factors also hindered their progress in implementing corrective actions: * Competing priorities in implementing system edits--According to CMS officials, national systems edits to address RAC findings competed with other computer system changes, such as Medicare fee schedule updates. National edits require collaboration among various CMS components and senior executives to determine the viability of each edit and its priority level and can take up to 7 months to be implemented. The decision to implement system edits at the local level is usually up to the local Medicare claims administration contractor. A Medicare claims administration contractor can decide not to implement a local edit if it does not consider that particular vulnerability a priority in its strategy to reduce improper payments or if it anticipates that the edit would result in a high level of appeals. CMS officials also told us that the availability of resources, including staff hours, played a role in prioritizing the implementation of national and local edits. Due to the limited resources available and the agency's competing priorities, RAC-related system edits from the three state demonstration project were not a high priority according to CMS. * Significant workload increase in processing claim readjustments and appeals--CMS officials and one of the Medicare claims administration contractors' staff we interviewed told us that the increase in workload from claim adjustments and appeals from RAC findings during the demonstration project strained the Medicare claims administration contractors' capacity to institute corrective actions.[Footnote 44] Medicare claims administration contractors made adjustments for claims in which the RACs had identified either overpayments or underpayments. However, during the demonstration project, the Medicare claims administration contractors processed hundreds of thousands of RAC claim adjustments--some manually--which created significant additional workload. In addition, both of the Medicare claims administration contractors that we interviewed that worked with the RACs during the demonstration project reported significant increases in appeals workload due to RAC activities, especially Part A appeals. One Medicare claims administration contractor stated that in fiscal year 2008, 99 percent of its Part A appeal workload arose from RAC claims, while another claims administration contractor reported having twice as many Part A appeals as it did prior to the demonstration project. * Transition of Medicare claims administration functions to MACs--The transfer of claims administration responsibilities to MACs further contributed to CMS's inability to implement corrective actions. CMS consolidated numerous fiscal intermediary and carrier jurisdictions into the new MAC jurisdictions. The MACs are responsible for consolidating the different coverage policies and systems edits they inherited from the previous contractors into one consistent set of edits and coverage policies for the new jurisdictions. As a result, CMS told us that some Medicare claims administration contractors did not act upon RAC-identified vulnerabilities that led to improper payments during the demonstration project. Further, CMS officials said that in part they did not implement corrective actions due to the lack of continuity when some of the Medicare claims administration contractors were not awarded MAC contracts, which prevented the agency from continuing discussions with contractor staff familiar with the RAC program. Our prior work has shown that CMS has allowed known vulnerabilities that contribute to or result in improper payments to remain unresolved for years.[Footnote 45] In fact, the RACs focused on some specific types of claims because both we and the HHS Office of the Inspector General identified them in the past.[Footnote 46] Moreover, CMS officials and one of the RACs noted that many of these vulnerabilities were known to CMS before the demonstration project due to medical record reviews and the agency's error reports. In its 2006-2009 Strategic Action Plan, CMS reported that it planned to effectively oversee its providers and aggressively deliver provider education and outreach and that this oversight would include ways to prevent overpayments and improper payments. In addition, CMS reported that it was also expanding the use of electronic data to more efficiently detect improper payments and program vulnerabilities. However, we have reported recently that continuing weaknesses in CMS's process still exist, and therefore Medicare continues to be at risk for improper payments.[Footnote 47] CMS Is Taking Action to Resolve RAC and Medicare Claims Administration Contractor Coordination Issues: CMS used lessons learned from the RAC demonstration project to take actions to resolve RAC and Medicare claims administration contractor coordination issues for the RAC national program. Specifically, the agency continued activities that worked well during the demonstration project, initiated a number of new actions, and is taking steps to address coordination challenges. According to CMS officials, the success of the RAC program depends on collaboration between the RACs and the Medicare claims administration contractors because of the interdependence of their responsibilities. Once the RACs identify errors, Medicare claims administration contractors are responsible for re-processing the claims to repay underpayments or recoup overpayments, conducting the first level review for RAC-related appeals, and informing and training providers about lessons learned through the RAC reviews, according to CMS officials. (See figure 5 which illustrates this interdependence of RACs and MACs.) Figure 5: Interdependence of Recovery Audit Contractors (RACs) and Medicare Administrative Contractors (MACs): [Refer to PDF for image: process flow] Formalizing interactions: MACs sign Joint Operating Agreements[A] with RACs (Requires both RAC and MAC action). Claims review process: RACs conduct automated and complex postpayment review (Requires RAC action): * No improper payment identified; no further action required (Requires RAC action); * Improper payment identified (Requires RAC action); - MACs refund underpayment (Requires MAC action); - MACs recoup overpayment (Requires MAC action). First level of appeal: Providers may appeal RAC decision; prevents MACs recouping over- payments while pending (No action required by RAC or MAC); MAC resolves first level of appeals (Requires MAC action): * Provider wins appeal, no recoupment[B] (No action required by RAC or MAC); * Provider appeal denied[C] (No action required by RAC or MAC). Corrective action: RACs and MACs analyze data and discuss solutions to address improper payments during, for example, Vulnerability Calls[D] (Requires MAC action); * No action taken (No action required by RAC or MAC); * CMS takes corrective actions (No action required by RAC or MAC); * MACs take corrective actions (Requires MAC action). Source: GAO analysis of CMS documents. [A] The RAC and MAC statements of work require that these contractors develop Joint Operating Agreements. [B] If providers win appeals concerning payments the MACs had recouped, the MACs will repay the providers the amounts that were recouped. [C] If a provider's appeal is denied, the provider may continue to appeal up to four additional levels. [D] MACs and CMS may also pursue corrective actions to address vulnerabilities that lead to improper payments beyond those discussed during RAC vulnerability calls. [End of figure] CMS is taking multiple steps to resolve RAC and Medicare claims administration contractor coordination issues in the national program based on lessons learned during the demonstration project, such as continuing the RAC and Medicare claims administration contractors vulnerability calls, enhancing the existing data warehouse, automating the claims-adjustment process, and developing a system for electronic documentation sharing when RAC determinations are appealed. CMS is continuing regular RAC and Medicare claims administration contractor vulnerability calls. The vulnerability calls, which began 2 years after the start of the demonstration project, were considered valuable according to agency officials. CMS officials said that they plan to hold weekly calls during the national program, to share RAC- identified vulnerabilities that may result in improper payments with Medicare claims administration contractors. According to CMS, these calls can inform Medicare claims administration contractors about ways to reduce payment errors, for example, by implementing appropriate local system edits or educating providers. CMS noted that conducting these calls during the demonstration project provided information about how best to implement corrective actions that would prevent future improper payments. For example, upon learning about some RAC- identified inpatient hospital errors, CMS consulted coding experts about how to resolve these errors and whether it was necessary to conduct an educational session on the issue. According to a CMS official, the vulnerability calls are expected to serve as the main mechanism of communication between the RACs and the Medicare claims administration contractors about vulnerabilities and are expected to provide a means to share RAC findings with various other components of CMS. CMS is enhancing the data warehouse. For the national program, CMS is redesigning, enhancing, and maintaining the data warehouse created during the demonstration project to house data on RAC activity and prevent RACs from auditing claims under investigation or previously reviewed by other contractors. RACs and one of the Medicare claims administration contractors reported issues with the data warehouse during the demonstration project, including difficulty uploading data in the correct format, slow processing time, and a lack of information on collection activities. According to CMS, it has already made significant changes to the data warehouse. For example, it enhanced the system to accommodate increased user demand, added capability to generate reports for CMS to track RAC activity, and improved processes for data uploads and downloads. CMS also plans to incorporate appeals data into the data warehouse. CMS is automating the claims-adjustment process. According to CMS, the agency is automating the claims-adjustment process to address Medicare claims administration contractors' workload issues. During the demonstration project, the Medicare claims administration contractors' workload related to claims adjustment increased significantly, due to the high volume of claims RACs identified that required adjustment and the time-consuming process necessary for the contractors to adjust them. CMS officials stated that the amount of time and effort required of the Medicare claims administration contractors to re-process RAC- related claims was the most significant coordination problem. The agency automated the Part A claims adjustment process and is working to automate the process for adjusting Part B claims by April 2010. CMS officials stated that the changes eliminate the need for costly and time-consuming manual intervention by the Medicare claims administration contractors, ensure that overpayment recovery or underpayment reimbursement occurs promptly, and ultimately minimize the burden on the Medicare claims administration contractors. However, one Medicare claims administration contractor informed us that the Part A claims adjustment process failed to adjust its claims. CMS is developing an electronic documentation sharing system. According to CMS officials, the agency addressed an administrative burden by developing the e-RAC initiative, an electronic system that RACs, CMS, and Medicare claims administration contractors will use to share medical records. CMS officials stated that during the demonstration project, RACs transferred paper copies of medical records to Medicare claims administration contractors for appeals deliberations. According to Medicare claims administration contractors, the volume of appeals made it difficult to manage all of the paper medical records.[Footnote 48] A CMS official told us the agency expects the first phase of the e-RAC initiative to be operational in March 2010, which would allow the RACs to store imaged files of medical records and make them accessible to CMS and certain contractors that review, but do not process, claims. CMS expects this system to enable the agency to create basic reports and improve oversight of RAC activities. CMS's goal is to expand the e-RAC initiative to one or more Medicare claims administration contractors by the end of calendar year 2010. CMS established a "black-out period" for claims review. To ensure that the RAC national program does not interfere with the ongoing transition of fiscal intermediaries and carriers to MACs, CMS reported establishing a black out period of three months before and after each transition when the new MACs will focus on other claims processing activities and not work with the RACs in their jurisdictions. Claims processed during this period will be available for RAC review after the black-out period has ended. According to CMS officials, the agency instituted the black-out period, in part, to limit the number of claims adjusted during a time of significant change. CMS is planning to add performance metrics on coordination with RACs into the MAC award fee program. CMS officials indicated that the agency is planning to add performance metrics[Footnote 49] to provide incentives for coordination between the RACs and MACs into the MAC award fee program. The award fee program is designed to provide incentives for exceptional performance by the MACs. According to CMS officials, these performance metrics will likely include activities such as participating in conference calls; effectively coordinating, implementing, and providing appropriate edit recommendations; and communicating claims determination decisions and inquiries. CMS officials stated that they will add metrics on coordination with the RACs to the award fee program once all of the MACs are in place. CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service to Providers: CMS took a number of steps to improve oversight of the accuracy of RACs' claims review determinations and the quality of RAC service to providers in the national program. Specifically, CMS added processes to review the accuracy of RAC determinations and established Web site requirements to address provider concerns about service. CMS also established a number of performance metrics to monitor RAC accuracy and service to providers. CMS Established Processes to Review the Accuracy of RAC Determinations and Required Additional RAC Medical Expertise to Enhance Program Accuracy: For the national program, CMS created processes to more closely review the accuracy of RAC determinations to address provider concerns raised during the demonstration project. Providers raised concerns that CMS did not sufficiently oversee the RACs during the demonstration project to ensure the vulnerabilities pursued by RACs were valid and that RACs made accurate improper payment determinations. According to provider associations, this led to numerous appeals of inaccurate RAC determinations that were expensive and burdensome for providers. For the national program, CMS will continue a process the agency established during the end of the demonstration project to help ensure that RACs pursue valid vulnerabilities. Prior to pursuing a wide-scale review of any vulnerability, the RAC must submit it to CMS for the agency's approval. As part of the submission process, the RAC must provide a description of the vulnerability; a reference to the rule, regulation, or policy the RAC intends to evaluate claims against; and a small sample of claims (up to 10) that the RAC already reviewed and the findings for those claims. For example, CMS approved one RAC's request to identify overpayments associated with providers billing for more than one blood transfusion in a hospital outpatient setting for a Medicare beneficiary in a day--which Medicare policy does not allow. According to CMS officials, the level of review that each proposed vulnerability will receive will depend on its complexity. CMS officials in OFM have authority to allow the RACs to pursue clear-cut vulnerabilities that can lead to improper payments, such as duplicate payments for the same service. For more complex vulnerabilities, including all medical necessity determinations, the agency established a New Issue Review Board, comprised of officials from four CMS components, which will decide whether the RAC can go forward with its proposed review. The board is responsible for ensuring that each RAC's claims reviews conform to Medicare's coverage or payment policies and that the language the RAC proposes to use in its determination letters is appropriate and clear. CMS also contracted with a validation contractor (VC) with experience in claims review to independently examine how the RAC plans to select claims for each vulnerability and to determine whether the RAC plans to use the correct review strategy-- (automated or complex)--in reviewing claims. In addition, the VC also is expected to reexamine the small sample of claims submitted by RACs with each proposed vulnerability to assess the accuracy of these RAC determinations.[Footnote 50] In addition to the oversight process for proposed vulnerabilities, CMS also established a process for ongoing oversight of RAC accuracy of the improper payments identified. Each month CMS's VC is expected to independently examine 100 randomly selected claims that had been reviewed by each RAC. For each claim in the sample, the VC is expected to report whether it agrees or disagrees with the RAC's determination and evaluate whether the language used by the RAC to communicate the determination to the provider was clear and accurate. CMS officials told us that the agency plans to publish an annual accuracy score for each RAC in the agency's annual report on the RAC program and will take the scores into consideration when determining whether to renew each RAC's contract. CMS officials also told us that they may prohibit a RAC with a low score on a particular issue from reviewing additional claims on that issue. This process could help address provider concerns that CMS might not become aware of inaccurate RAC determinations unless providers filed significant numbers of appeals. [Footnote 51] In addition to these oversight processes, CMS added requirements regarding the medical expertise of RAC staff to help address accuracy concerns. Providers stated that RACs did not have the necessary medical expertise to make their determinations during the demonstration project, because they were not required to have a physician medical director on staff or coding experts conducting the claims reviews. To address this concern, for the national program, CMS required each RAC to have at least one physician on staff as a medical director to provide clinical expertise and judgment to understand Medicare policy, provide guidance in questionable claims review situations, recommend when corrective actions are needed to address the RAC-identified vulnerabilities that result in improper payments, and brief and direct personnel on the correct application of policy during claims review.[Footnote 52] CMS also required RACs to hire registered nurses or therapists to conduct medical necessity determinations and coding experts to conduct other types of reviews. Providers also reported that CMS's decision to allow the demonstration RACs to retain contingency fees for determinations overturned at the second through the fifth level of appeal led RACs to make questionable determinations to increase their fees. CMS chose this methodology, in part, to encourage companies to participate in the demonstration project. To address provider concerns about the incentives in the payment method, CMS will require RACs to refund contingency fees received on any determination overturned at any level of the appeals process. CMS Created Web Site Requirements for RACs Designed to Improve Service to Providers: In addition to the changes CMS made to improve oversight of RAC accuracy, CMS also created a number of requirements for RAC Web sites to address provider concerns about the RACs' service. Provider associations reported that during the demonstration project their members could not easily track the status of claims throughout the RAC adjudication process, including the status of medical record request submissions and appeals. CMS also reported in its evaluation report on the RAC demonstration project that providers wanting to track the status of their medical record submissions often had to make frequent phone calls to RAC call centers and read a list of case numbers. CMS required each RAC by January 1, 2010, to develop a tool on its Web site that will allow providers to track the status of a claim. This tool should include information on whether a medical record request is outstanding, whether the RAC received the requested medical records, whether the RAC's review is underway or complete, and whether the case is closed. As of January 4, 2010, according to a CMS official, providers could track the status of their requested claims on two of the four RAC Web sites. According to a CMS official, the remaining RACs will need to have their tools in place prior to issuing requests for medical records. Although providers expressed concern about the difficulty tracking the status of their appeals during the demonstration project, CMS has not required the RAC Web sites to include information on the status of appeals resulting from RAC determinations. According to CMS officials, the agency does not have a standard system to track first-level appeals, and it would be difficult for RACs to collect the information from a number of separate Medicare claims administration contractors. CMS officials overseeing the RAC program told us they are working with their counterparts in the Medicare appeals division within CMS to move up the date by which the Medicare claims administration contractors will begin using the CMS system that already tracks appeals at the second and third level. These same officials told us they anticipate RACs will eventually incorporate appeals information into their Web sites, though the inclusion of appeals information is not a requirement in the RAC contract. Providers also expressed concern that they did not know what vulnerabilities RACs were pursuing during the demonstration project. In addition to the new issue review process, CMS has required the RACs to post a description of each vulnerability that they audit on their Web sites. The postings include a description of the vulnerability, the states where the RAC identified the problem, and references to additional information about the vulnerability. According to CMS officials, providers will need to check the Web site of the RAC in their region to stay informed of emerging vulnerabilities under RAC review for improper payments. To address provider concerns about medical record requests getting lost during the demonstration project because a RAC did not send the request to the correct department or individual at a hospital or practice, CMS is requiring each RAC to develop a tool for its Web sites that will allow providers to customize their address and point- of-contact information. CMS also encouraged the RACs to solicit the assistance of provider associations to help collect the information. CMS Developed Performance Metrics to Monitor RAC Accuracy and Provider Service: CMS developed performance metrics to oversee RAC accuracy, service to providers, and other aspects of performance. The performance metrics include measurements of the RACs' compliance with medical record request limits and the accuracy of RAC determinations, as evaluated by the VC, as well as measures of staff performance at each RAC's customer service phone number that is expected to respond to inquiries from providers. (See table 1.) Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics Related to Accuracy and Provider Service: Area of performance: Accuracy metrics; Individual performance metric: The RAC shall achieve an overall 90 percent or greater accuracy score for the first contract year, as evaluated by the validation contractor. Area of performance: Accuracy metrics; Individual performance metric: The RAC's total annual percentage of claims overturned on appeal shall be less than 10 percent in Year One with a subsequent decrease to less than 5 percent in Year Two. Area of performance: Provider service metrics; Individual performance metric: Qualified personnel shall staff the RAC call center during normal business hours from 8:00 a.m. to 4:30 p.m. in the applicable time zone 100 percent of the time. Area of performance: Provider service metrics; Individual performance metric: The RAC call center staff shall answer questions fully and accurately 100 percent of the time unless complex issues require follow-up. Area of performance: Provider service metrics; Individual performance metric: The RAC shall respond to written correspondence within 30 calendar days of receipt 100 percent of the time. Area of performance: Provider service metrics; Individual performance metric: The RAC shall demonstrate use of a quality assurance program to ensure that all customer service representatives are knowledgeable, respectful to providers, and provide timely follow-up calls when necessary, 100 percent of the time. Area of performance: Provider service metrics; Individual performance metric: The RAC shall demonstrate 100 percent compliance with the medical record request limits as outlined by CMS. Source: GAO analysis of information from CMS. [End of table] CMS's RAC project officers will be responsible for monitoring each RAC's performance and following up with the RAC if its performance does not meet the required level in the national program. For instance, to monitor whether call center staff answer questions fully and accurately, project officers or their designees will randomly monitor calls to the RAC call center and investigate provider complaints. If a project officer determines that call center staff are not answering questions fully and completely all the time, the project officer will require the RAC to respond in writing to the finding and may require a corrective action plan. CMS's statement of work also includes a provision that CMS may stop recovery work in a particular region if evidence leads CMS to believe the RAC's plan to provide service to providers is inappropriate or ineffective. In such a case, CMS would not allow the RAC to resume recovery work until the RAC satisfied CMS it made all required improvements to its provider service in the area. Conclusions: The ultimate success of the government-wide effort to reduce improper payments hinges on each federal agency's diligence and commitment to identify, estimate, determine the causes of, take corrective actions on, and measure progress in reducing improper payments. To this end, CMS must establish effective accountability measures, and incentives, to ensure the RAC program meets the agency's stated objectives. Although the RAC demonstration project led to the successful recoupment and refunding of past improper payments, CMS did not focus sufficient attention on addressing the root causes of the vulnerabilities that caused them. Neither the IPPP developed during the demonstration project nor the current plan for the national program provide for sufficient monitoring and control activities to ensure that corrective actions are taken to help meet the overall goal of reducing improper payments in the Medicare program. Because the RAC national program team does not have the organizational authority within the agency to implement the corrective actions needed to address the vulnerabilities that lead to improper payments, CMS must develop criteria by which it prioritizes the activities of its various components and contractors to develop adequate measures to reduce future improper payments. The identification and prevention of future Medicare FFS improper payments due to vulnerabilities identified by the national RAC program require direction from a sufficiently high level within CMS to initiate action from the various parts of the agency and its contractors. In addition, assessing the effectiveness of the corrective actions taken is an important step for reducing future improper payments. Recommendations for Executive Action: To help reduce future improper payments, we recommend that the Administrator of CMS develop and implement a process that includes policies and procedures to ensure that the agency promptly: * evaluates findings of RAC audits, * decides on the appropriate response and a time frame for taking action based on established criteria, and: * acts to correct the vulnerabilities identified. As part of this process, we recommend that the Administrator of CMS designate key personnel with appropriate authority to be responsible for ensuring that corrective actions are implemented and that the actions taken were effective. Agency and Other External Comments: We provided a draft of this report to the HHS for comment. We also provided statements of facts from our draft report to the two Medicare claims administration contractors and seven provider associations we interviewed and requested their comments. We received written comments from HHS on behalf of CMS. These comments are reprinted in Appendix II. We also received oral or written comments from two Medicare claims administration contractors and five of the seven provider associations on statements of facts related to information they provided, including some technical comments that we incorporated as appropriate. CMS Comments: CMS commented that the national RAC program is an important step in meeting its commitment to lower the Medicare payment error rate. The agency indicated that our review imparted vital recommendations that will greatly enhance CMS's oversight of the RAC national program and CMS concurred with each of our recommendations. With regard to the recommendation that CMS promptly evaluate the findings of RAC audits, CMS concurred and discussed specific elements included in the national program that are designed to report vulnerabilities from RAC audits and potential corrective actions. CMS concurred with our recommendation that the agency implement a process to decide on the appropriate response to address each RAC-identified vulnerability, but indicated that more research might be needed to determine the appropriate response or corrective action for some vulnerabilities. CMS also concurred that the agency should act promptly to correct the vulnerabilities, but indicated that it did not consider a vulnerability to be validated until the majority of claims for that issue completed the Medicare appeals process. Since the appeals process can take more than 2 years, the approach CMS suggested in its comments did not align with the intent of our recommendation. After conferring with CMS officials to clarify the agency's intent on acting promptly on vulnerabilities identified during the RAC national program, CMS acknowledged that it intended to review vulnerabilities on a case-by-case basis and judge how quickly to act on each. Agency officials told us they were considering assigning vulnerabilities to risk categories from high to low that would help to determine whether the agency should take prompt action or whether it should wait for claims to complete the appeals process. These officials told us that waiting for the results of appeals would keep the agency from expending the resources on: corrective actions that would need to be reversed if the appeals process overruled RAC determinations. We agree that taking a risk- based approach meets the intent of the recommendation. To clarify this intent, we modified our recommendation to make the prompt prioritizing and timing of corrective actions, based on established criteria, more explicit. Finally, CMS concurred with our recommendation that the agency designate key personnel to oversee that corrective actions are implemented and effective and stated that the Administrator of CMS is the official responsible for assuring that vulnerabilities that cut across all agency components are addressed. Other External Comments: We clarified information in the report based on comments from two Medicare claims administration contractors. In addition, the five associations that provided comments to us did not offer substantive changes to the statement of facts that they reviewed. Three associations affirmed that the draft report addressed issues they had raised about the RAC demonstration project and national program. These three associations also discussed in greater detail concerns that they continue to have with the RAC program, such as the many appeals still in process from the RAC demonstration project. The other two provider associations raised no substantive issues with the report. We are sending copies of this report to the Administrator of CMS and other interested parties. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. Please contact us on (202) 512-7114 or (202) 512-9095 if you or your staff have any questions about this report. Contact points for our Office of: Congressional Relations and Office of Public Affairs can be found on the last page of this report. Other major contributors to this report are listed in Appendix III. Signed by: Kathleen M. King: Director, Health Care: Signed by: Kay L. Daly: Director, Financial Management and Assurance: List of Requesters: The Honorable Henry A. Waxman: Chairman: The Honorable John D. Dingell: Chairman Emeritus: Committee on Energy and Commerce: House of Representatives: The Honorable Sander M. Levin: Acting Chairman: Committee on Ways and Means: House of Representatives: The Honorable Frank Pallone, Jr. Chairman: Subcommittee on Health: Committee on Energy and Commerce: House of Representatives: The Honorable Pete Stark: Chairman: Subcommittee on Health: Committee on Ways and Means: House of Representatives: The Honorable Lois Capps: House of Representatives: The Honorable Charles B. Rangel: House of Representatives: [End of section] Appendix I: Selected Changes Made to the Medicare National Recovery Audit Contractors (RAC) Program: As a result of the RAC demonstration project, the Centers for Medicare & Medicaid Services (CMS) included the following features in the RAC national program: * RACs are to have a physician medical director. * RACs are to be staffed with registered nurses or therapists to make coverage and medical necessity determinations and certified coders to make coding determinations. * RACs are to make credentials of reviewers available to providers upon request. * Providers will be able to discuss claim denials with the RAC medical director upon request. * The minimum claim amount that the RACs will review was raised to $10 minimum per claim (instead of $10 minimum for aggregated claims). * CMS will use a validation contractor to independently examine the criteria each RAC plans to use to make its determinations and the accuracy of RAC determinations. * RACs must return the related contingency fee if a claim is overturned on appeal. * RACs must use standardized letters to notify providers of overpayments: * The look-back period (from claim payment date to date of medical record request) is reduced from 4 years to 3 years. * The RACs are allowed to review claims paid in the current fiscal year. * CMS is putting limits on the number of medical record requests in a 45 day period. * The time frame for paying hospital medical record photocopying vouchers is to be set at 45 days from receipt of medical record. * CMS is not including Medicare Secondary Payer claims audits in the National Program.[Footnote 53] * RACs are to have quality assurance/internal control audits. * RACs are to list the reason for review on "request for records" letters and overpayment letters. * The status of specific claims are to be posted on RAC Web page. * RAC contingency fees are to be made publicly available. [End of section] Appendix II: Comments from the Department of Health & Human Services: Department Of Health & Human Services: Office Of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: March 3, 2010: Kathleen M. King: Director, Health Care: U.S. Government Accountability Office: 441 G Street N.W. Washington, DC 20548: Dear Ms King: Enclosed are comments on the U.S. Government Accountability Office's (GAO) report entitled: "Medicare Recovery Audit Contracting: Weaknesses Remain in Process to Address Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight in National Program" (GAO-10-143). The Department appreciates the opportunity to review this report before its publication. Sincerely, Signed by: Andrea Palm: Acting Assistant Secretary for Legislation: Enclosure: [End of letter] General Comments Of The Department Of Health And Human Services On The Government Accountability Office's (GAO) Draft Report Entitled, "Medicare Recovery Audit Contracting: Weaknesses Remain In Process To Address Vulnerabilities To Improper Payments, Although Improvements Made To Contractor Oversight In National Program" (GA0-10-143): The Department appreciates the opportunity to review and comment on this Draft Report. The Congressional authority granted through the Tax Relief and Health Care Act of 2006, allowed the Centers for Medicare & Medicaid Services (CMS) to implement the Recovery Audit Contractor (RAC) Program on a permanent and nationwide basis. This is an important step forward in our commitment to lowering the improper payment error rate and preserving the Medicare Trust Funds for current and future generations. The CMS appreciates the time and resources GAO has invested to review the RAC Demonstration and implementation of the RAC National Program. Based on their extensive and thorough review, GAO has imparted vital recommendations which will greatly enhance CMS' oversight as the RAC National Program progresses. Section 306 of the Medicare Modernization Act (MMA) required CMS to establish the RAC Demonstration Project. The demonstration's purpose was to determine if recovery auditors could identify improper payments paid by the Medicare fee-for-service program. As discussed in the report, the RAC demonstration succeeded in correcting more than $l billion in improper Medicare payments. About 96 percent of these improper payments were overpayments, a fraction of which was used to pay for the program and the rest was returned to the Medicare Trust Funds. Even though the purpose of the RAC Demonstration Project was to determine if RACs could be utilized in Medicare, CMS used the results from the demonstration to inform us in the design of the RAC National Program. Specifically, CMS made the following improvements to the program: * Established a New Issue Approval Process where CMS approves each RAC issue for review prior to widespread review and/or communication with providers. CMS believes this will reduce the differences in interpretation of policies and/or manuals between CMS and the RAC thus ensuring accurate improper payments are identified; * Required each RAC to have a Medical Director on staff to ensure physician involvement in the review process and to ensure providers have a physician to discuss improper payment identifications and the reason for the denial; * Established a documentation request limit of a maximum of 200 requests per 45 days to limit the cost and administrative burden of the RAC program on Medicare providers; * Required each RAC to have a website to inform providers about the RAC program, approved new issues, major findings, contact information and a web portal allowing providers to see specific claim details, and; * Established metrics for monitoring the RACs' performance on compliance, accuracy and provider service. These findings will be shared with the public on an annual basis. We appreciate GAO recognizing our efforts and the need to balance the concerns of the provider community with the agency's need to identify improper payments. We will continue to improve the RAC National Program in the future. Our detailed comments on the report recommendations follow. GAO Recommendation: To help reduce future improper payments, we recommend that the Administrator of CMS develop and implement a process that includes policies and procedures to ensure that the agency: * Promptly evaluates findings of RAC audits, * Decides on the appropriate response, and, * Acts promptly to correct the vulnerabilities identified. As part of this process, we recommend that the Administrator of CMS designate key personnel with appropriate authority to be responsible for ensuring that corrective actions are implemented and that the actions taken were effective. CMS Response: Promptly evaluates findings of RAC audits. The CMS concurs. In the current RAC Statement of Work the reporting of vulnerabilities and recommended corrective actions for vulnerabilities is required on a monthly basis. CMS has created a corrective actions team within the RAC program to review the vulnerabilities after appeal and determine if a referral to the applicable policy or coverage staff is warranted. CMS is also continuing the vulnerability calls to alert claim processing contractors and CMS staff on issues being reviewed by the RACs. In addition, CMS has an independent contractor reviewing the RAC Data Warehouse on a quarterly basis looking for trends in the data. These reports are sent to CMS quarterly and will be shared with all Center/Office components and external entities such as the OIG. Lastly, all RACs are required to place vulnerabilities or major findings on their websites to notify the provider community and CMS will continue to share the top improper payment identifications with the public. Decides on the appropriate response. The CMS concurs. Information on RAC identifications is made available to the public. This information can be used to determine the appropriate response or corrective action. In many cases though, additional research may be necessary. According to the July 2008 Evaluation Report of the RAC Demonstration, complex reviews accounted for approximately 30% of the improper payments identified. These claims needed additional review by a clinician prior to a determination regarding the accuracy of the payment. Lack of documentation was a prevailing cause of the denials of the complex cases. In these cases the corrective action taken was an effort to increase the awareness in the provider community for physicians to adequately document their case files. Corrective actions can take place in many forms. For example, provider education, policy clarifications and system edits can all be corrective actions. Acts promptly to correct the vulnerabilities identified. The CMS concurs. Beginning in the FY 2006 CMS RAC Status Document and every subsequent update, CMS provided the public with information concerning the top improper payments identified by the RAC by provider type. CMS felt this information was helpful to providers who wished to conduct internal quality reviews. In May 2007, CMS began having regular vulnerability calls with CMS claim processing contractors and internal CMS staff to discuss RAC identified issues. At the conclusion of the demonstration, CMS completed a Joint Signature Memoranda to all contractors to determine actions taken because of these calls. Contractors around the nation conducted pre-pay review, updated Local Coverage Determinations, conducted provider education and installed local edits in response to issues that were identified by the RAC demonstration. The CMS believes it is important to take the validated RAC findings and work to correct the vulnerabilities identified. However, as stated in the previous recommendation many of the findings need additional research to determine the appropriate response. In addition, CMS does not consider a RAC finding to be validated until the majority of claims for that issue have completed the Medicare Appeals Process. It is necessary to wait for the appeals process to be completed to ensure the identification was accurate and appropriate. Lastly, the appropriate corrective action put into place will be determined by factors such as cost efficiencies and system limitations. GAO Recommendation: As part of this process, we recommend that the Administrator of CMS designate key personnel with appropriate authority to be responsible for ensuring that corrective actions are implemented and that the actions taken were effective. CMS Response: The CMS appreciates the recommendation and concurs. The responsible official for the day-to-day operations of the RAC program is the Director of the Office of Financial Management. For those vulnerabilities that cut across all agency components, the responsible official is the Administrator of CMS. [End of section] Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Kathleen M. King, (202) 512-7114 or kingk@gao.gov Kay L. Daly, (202) 512-9095 or dalykl@gao.gov: Acknowledgments: In addition to the contacts named above, Sheila K. Avruch, Assistant Director; Carla Lewis, Assistant Director; Lori Achman; Jennie Apter; Anne Hopewell; Nina M. Rostro; and Jennifer Saunders made key contributions to this report. [End of section] Footnotes: [1] In 1990, GAO began to report on government operations that it identified as "high risk" for serious weaknesses in areas that involve substantial resources and provide critical services to the public. See GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 2009). [2] Fraud is an intentional act or representation to deceive with knowledge that the action or representation could result in an inappropriate gain. Abuse typically involves actions that are inconsistent with acceptable business or medical practices and result in unnecessary costs. [3] Medicare FFS includes two parts--Medicare Parts A and B whereby providers are paid for each service or unit of service provided. Medicare Part A covers inpatient hospital services, skilled nursing facility services, some home health, and hospice services. Medicare Part B covers hospital outpatient, physician services, some home health services and preventive services, among other things. [4] Current year outlays for Medicare FFS are from the November 2009 Improper Medicare FFS Payments Report in HHS's Fiscal Year 2009 Agency Financial Report and are based on claims from April 2008 through March 2009. Annual improper payment reports are required by the Improper Payments Information Act of 2002 and applicable Office of Management and Budget guidance to help reduce improper payments. [5] The Secretary of HHS delegated the authority vested in that position under the Medicare provisions of the Social Security Act to the Administrator of CMS. [6] CMS is in the process of transitioning from fiscal intermediaries and carriers to new contracting entities called Medicare Administrative Contractors (MACs) due to statutorily required changes in Medicare administration in the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA). Because the transition is ongoing, for purposes of this report, we will use the term Medicare claims administration contractors to refer to the contractors that historically processed Medicare claims--fiscal intermediaries and carriers--as well as the new MACs. Up until this transition, fiscal intermediaries were responsible for claims submitted by hospitals, home health agencies, hospital outpatient departments, skilled nursing facilities, and hospices. Carriers were responsible for claims submitted by physicians, diagnostic laboratories and facilities, and ambulance service providers. [7] CMS uses the term "providers" to refer collectively to physicians and non-physician practitioners who provide health care services to Medicare beneficiaries. [8] Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256-57. [9] According to the Office of Management and Budget (OMB), recovery auditing is not an audit in the traditional sense. Rather, it is a control activity designed to assure the integrity of contract payments, and, as such, serves a management function. See Appendix C to OMB Circular No. A-123, Requirements for Effective Measurement and Remediation of Improper Payments (Aug. 10, 2006). A new Part III to Appendix C was issued on March 22, 2010. See OMB memorandum M-10-13. [10] CMS initially contracted in March 2005 with three RACs to review Medicare claims from California, Florida, and New York. CMS later expanded the demonstration to three additional states--Arizona, Massachusetts, and South Carolina. While CMS added Arizona to the demonstration in July 2007, the RAC did not review any Arizona claims prior to the end of the RAC demonstration project in March 2008. [11] The MMA also required CMS to retain a percentage of the amount recovered for program management. [12] During the demonstration, CMS paid the RACs a total of $187.2 million in contingency fees. Initially, the RAC demonstration project did not include contingency fee payment to the RACs for identifying underpayments and refunding providers. Beginning on March 1, 2006, the RACs were paid an equivalent percentage contingency fee for the identification of underpayments. [13] The total amount returned to the Trust Funds includes overpayments identified by the three RACs reviewing claims (claim RACs) as well as two Medicare Secondary Payer RACs that participated in the demonstration project. These overpayments were collected by their Medicare claims administration contractors. The Medicare Secondary Payer RACs identified overpayments for which an insurer other than Medicare should have served as the primary payer of the claim. Medicare Secondary Payer RACs were not included in the national program because they identified few improper payments during the demonstration project. Of the overpayments collected, CMS reported in its November 2006 report, about 6 percent were attributable to the Medicare Secondary Payer RACs. See, Centers for Medicare & Medicaid Services, CMS RAC Status Document FY 2006: Status on the Use of Recovery Audit Contractors (RACs) in the Medicare Program. (Baltimore, Md.: November 2006). This report focuses on the recovery reviews of the "Claim" RACs and does not discuss the findings from the Medicare Secondary Payer RACs. [14] Providers could appeal RAC determinations through the standard Medicare appeals process, which includes five levels of review. [15] See Department of Health and Human Services, Centers for Medicare and Medicaid Services, The Medicare Recovery Audit Contractor (RAC) Program: An Evaluation of the 3-Year Demonstration (Baltimore, Md.: June 2008). [16] Internal control is the component of an organization's management that provides reasonable assurance that the organization achieves: effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Internal control standards provide a framework for identifying and addressing major performance challenges and areas at greatest risk for mismanagement. GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [17] See GAO Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 2001). [18] See U. S. Department of Health and Human Services, Centers for Medicare and Medicaid Services, The Essential Steps for an Effective Corrective Action Process (Oct. 23, 2007). [19] Due to appeal decisions made in favor of providers, the total amount of improper payments identified by the RAC demonstration project is likely to be less than stated in the June 2008 RAC Evaluation Report. See Department of Health and Human Services, Centers for Medicare and Medicaid Services, The Medicare Recovery Audit Contractor (RAC) Program: An Evaluation of the 3-Year Demonstration (Baltimore, Md.: June 2008) and Department of Health and Human Services, Centers for Medicare and Medicaid Services, The Medicare Recovery Audit Contractor (RAC) Program: Update to the Evaluation of the 3-Year, Demonstration (Baltimore, Md.: January 2009). [20] These two Medicare claims administration contractors were responsible for processing Part A claims for three demonstration states and Part B claims for two of the demonstration states. [21] HHS reported that there were 51 fiscal intermediaries and carriers as of February 2005. [22] NCDs are decisions by CMS that outline nationwide policy on whether Medicare covers particular services or items. They are made through an evidence-based process with opportunities for public participation, and determine whether services are reasonable and necessary across all jurisdictions. An LCD is a decision by Medicare claims administration contractor on whether to cover a particular service in its jurisdiction, based on whether the service is reasonable and necessary. [23] We previously found that Medicare claims administration contractors conducted limited manual pre-payment reviews and reviewed less than 5 percent of claims post-payment. See GAO, Medicare: Recent CMS Reforms Address Carrier Scrutiny of Physicians' Claims for Payment, [hyperlink, http://www.gao.gov/products/GAO-02-693] (Washington, D.C.: May 28, 2002) and GAO, Medicare: Improvements Needed to Address Improper Payments in Home Health, [hyperlink, http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27, 2009). Medicare claims administration contractors typically select a small sample of claims for review from providers or suppliers who demonstrate aberrant billing or practice patterns. [24] Systems edits confirm that the data entered in a claim is in the correct format, check for the proper coding of the fields needed for payment, check if the service or procedure is covered by Medicare, and validate that the beneficiary is eligible for the service provided. In addition, systems edits may be used to identify certain duplicate claims, to implement NCDs or LCDs, or to prevent payments for egregious amounts to providers with a pattern of billing for services not covered. [25] Medical records may include: physician orders for care and treatments, medical diagnoses, rehabilitation diagnoses, past medical history, progress notes, and laboratory and other test results supporting the beneficiary's need for the services being provided. [26] While CMS added Arizona to the demonstration project in July 2007, the relevant RAC did not review any Arizona claims prior to the end of the RAC demonstration. [27] For example, CMS contractors responsible for investigating potential Medicare fraud may conduct post-payment review on claims to determine whether to refer a case to a law enforcement agency for fraud investigation. [28] This total represents funds returned to the Medicare Trust Funds from both the claim and Medicare Secondary Payer RAC-identified improper payments, adjusting for underpayments made to providers, overpayments overturned on appeal and operating costs through March 27, 2008. [29] According to CMS, because RACs were paid on a contingency fee basis, they focused their reviews on high-value claims with the greatest potential to provide the highest contingency fees. [30] Medicare's payment system relies on the coding of services, procedures, and devices provided to beneficiaries. Medicare's claims- administration contractors pay claims according to the codes assigned. [31] CMS's January 2009 update to the RAC Evaluation Report included appeal decisions through August 2008. CMS reported that 7.6 percent of RAC overpayment decisions were overturned on appeal--an increase from the approximately 5 percent overturned on appeal through March 2008 that was reported in the June 2008 evaluation report. As of January 2010, CMS was still waiting for the final data on appeals filed from the RAC demonstration. [32] The RACs will receive contingency fees ranging from 9.0 percent to 12.5 percent depending on the jurisdiction. [33] As of October 2009, all four RACs had begun CMS-approved automated reviews of claims. [34] In its report, The Medicare Recovery Audit Contractor (RAC) Program: An Evaluation of the 3-Year Demonstration, issued in June 2008, CMS described vulnerabilities as service-specific issues that resulted in RAC-identified improper payments. [35] The IPPP was an internal spreadsheet used by CMS to track the most significant vulnerabilities identified during the demonstration project. This spreadsheet was the only document CMS provided us that described the corrective actions taken by CMS and the Medicare claims administration contractors and the status of the vulnerabilities listed. [36] The IPPP threshold for significance was $500,000 for DME overpayments that were collected. [37] The IPPP did not include underpayments. [38] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [39] This information is based on our analysis of the data recorded on the IPPP and we did not verify the accuracy of it. Although CMS listed some corrective actions in its evaluation report of the 3-year demonstration, issued in June 2008, most of the actions listed were vague and did not address the root causes of payment errors. [40] The 18 specific medical services represented the most significant vulnerabilities with overpayments of more than $1 million. In its June 2008 evaluation, CMS reported a total of $997.2 million in overpayments identified during the demonstration. [41] The $231 million includes the amounts for vulnerabilities in CMS's evaluation report on the 3-year demonstration for which no corrective actions were taken based on a status of "pending" or "closed-no action taken" listed in CMS's IPPP. Centers for Medicare & Medicaid Services, Medicare RAC Program: An Evaluation of the 3-Year Demonstration, Appendix G (Baltimore, Md.: June 2008). [42] Percentages do not add up to 40 percent due to rounding. [43] CMS categorized the vulnerabilities in its IPPP as pending or closed. CMS indicated no sufficient action was taken for the pending vulnerabilities. CMS categorized those vulnerabilities for which corrective action(s) had been taken, as well as the seven vulnerabilities for which the agency was unable to take action, as closed. [44] The other Medicare claims administration contractor provided information on four corrective actions that it took to address RAC findings. [45] See GAO, CMS Did Not Control Rising Power Wheelchair Spending, [hyperlink, http://www.gao.gov/products/GAO-04-716T] (Washington, D.C.: April 2004) and GAO, CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs, [hyperlink, http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: November 2004). [46] See U.S. Department of Health and Human Services, Office of Inspector General, Review of High-Dollar Payments for Inpatient Services Processed by Palmetto GBA, Intermediary #382, for the Period January 1, 2004 Through December 31, 2005, A-04-07-06023 (Atlanta, GA: October 2008) and GAO, CMS's Program Safeguards Did Not Deter Growth in Spending for Power Wheelchairs, [hyperlink, http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: Nov. 17, 2004). [47] GAO, Improper Payments: Responses to Posthearing Questions Related to Eliminating Waste and Fraud in Medicare and Medicaid, [hyperlink, http://www.gao.gov/products/GAO-09-838R] (Washington, D. C.: July 20, 2009). [48] One of the Medicare claims administration contractors reported that after the demonstration ended, it had difficulty obtaining medical records related to provider appeals and, as a result, had to ask providers to resubmit copies of medical records. [49] We have suggested that agencies should create and monitor performance measures that address important dimensions of program performance (see GAO, Agency Performance Plans: Examples of Practices That Can Improve Usefulness to Decisionmakers, GAO/GGD/AIMD-99-69, (Washington, D.C.: Feb. 26, 1999) and Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 2001)). [50] CMS contracted with a VC to review vulnerabilities the demonstration RACs wished to pursue during the final 7 months of the RAC demonstration project (September 2007 through March 2008). [51] Provider associations told us that providers may choose not to appeal a RAC determination if the effort and cost involved in filing the appeal outweighs the benefit of recouping the money originally lost by the RAC's determination. [52] RAC medical directors are also expected to be responsible for keeping abreast of medical practice and technology changes that may result in improper billing or program abuse; interacting with the medical directors at other contractors or RACs to share information on potential problem areas; participating in medical director clinical workshops, as appropriate; providing input on national coverage and payment policy upon request; and participating in CMS and RAC presentations to providers and associations. [53] CMS included two Medicare Secondary Payer RACs in the demonstration project. They identified overpayments for which the beneficiary's other insurance, rather than Medicare Fee-for-Service, should have served as the primary payer of the claim. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: