This is the accessible text file for GAO report number GAO-10-143 
entitled 'Medicare Recovery Audit Contracting: Weaknesses Remain in 
Addressing Vulnerabilities to Improper Payments, Although Improvements 
Made to Contractor Oversight' which was released on March 31, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

March 2010: 

Medicare Recovery Audit Contracting: 

Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, 
Although Improvements Made to Contractor Oversight: 

GAO-10-143: 

GAO Highlights: 

Highlights of GAO-10-143, a report to congressional requesters. 

Why GAO Did This Study: 

The Centers for Medicare & Medicaid Services (CMS) conducted a 
mandated 3-year project from March 2005 through March 2008 to 
demonstrate the use of recovery audit contractors (RAC) in identifying 
Medicare improper payments and recouping overpayments. CMS implemented 
a mandated national RAC program, which began in March 2009. 

GAO was asked to examine specific issues that arose during the 
demonstration project and CMS’s efforts to address them in the 
national RAC program. This report examines the extent to which CMS (1) 
developed a process and took corrective actions to address 
vulnerabilities identified by the RACs that led to improper payments, 
(2) resolved coordination issues between the RACs and the Medicare 
claims administration contractors, and (3) established methods to 
oversee RAC claim review accuracy and provider service during the 
national program. GAO reviewed CMS documents and interviewed officials 
from CMS and contractors and provider groups affected by the 
demonstration project. 

What GAO Found: 

CMS did not establish an adequate process in the 3-year demonstration 
project or in planning for the national program to address RAC-
identified vulnerabilities that led to improper payments, such as 
paying duplicate claims for the same service. CMS stated that one 
purpose of the demonstration project was to obtain information to help 
prevent improper payments. However, CMS has not yet implemented 
corrective actions for 60 percent of the most significant RAC-
identified vulnerabilities that led to improper payments, a situation 
that left 35 of 58 unaddressed. These were vulnerabilities for which 
RACs identified over $1 million in improper payments for medical 
services or $500,000 for durable medical equipment. CMS developed a 
spreadsheet, which listed the most significant improper payment 
vulnerabilities that were identified by the RACs during the 
demonstration project. However, the agency did not develop a plan to 
take corrective action or implement sufficient monitoring, oversight, 
and control activities to ensure these significant vulnerabilities 
were addressed. Thus, CMS did not address significant vulnerabilities 
representing $231 million in overpayments identified by the RACs 
during the demonstration project. For the RAC national program, CMS 
developed a process to compile identified vulnerabilities and 
recommend actions to prevent improper payments. However, this 
corrective action process lacks certain essential procedures and staff 
with the authority to ensure that these vulnerabilities are resolved 
promptly and adequately to prevent further improper payments. 

Based on lessons learned during the demonstration project, CMS took 
multiple steps in the national program to resolve coordination issues 
between the RACs and Medicare claims administration contractors. 
During the demonstration project, CMS learned that having regular 
communication with the claims administration contractors on improper 
payment vulnerabilities that the RACs were identifying was important. 
CMS also learned that the data warehouse used to store claims 
information for the RACs needed more capacity and utility, that manual 
claims adjustment by claims administration contractors to recoup 
improper payments was burdensome, and that sharing paper copies of 
medical records between RACs and claims administration contractors 
when claims denials were appealed was difficult to manage. As a 
result, CMS took steps to resolve these coordination issues in the 
national program, such as enhancing the existing data warehouse and 
automating the claims-adjustment process. 

CMS took steps to improve oversight of the accuracy of RACs’ claims 
reviews and the quality of their service to providers for the national 
program. CMS added processes to review the accuracy of RAC 
determinations, including independent reviews by another CMS 
contractor. CMS also established requirements to address provider 
concerns about service, such as having the RACs establish Web sites 
that will allow providers to track the status of a claim being 
reviewed. In addition, CMS established performance metrics that the 
agency will use to monitor RAC accuracy and service to providers. 

What GAO Recommends: 

GAO recommends that CMS improve its corrective action process by 
designating responsible personnel with authority to evaluate and 
promptly address RAC-identified vulnerabilities to reduce improper 
payments. CMS agreed with GAO’s recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-10-143] or key 
components. For more information, contact Kathleen M. King at (202) 
512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-9095 or 
dalykl@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

CMS Did Not Establish an Adequate Process to Address RAC-Identified 
Vulnerabilities That Led to Improper Payments; Corrective Actions Were 
Limited: 

CMS Is Taking Action to Resolve RAC and Medicare Claims Administration 
Contractor Coordination Issues: 

CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service 
to Providers: 

Conclusions: 

Recommendations for Executive Action: 

Agency and Other External Comments: 

Appendix I: Selected Changes Made to the Medicare National Recovery 
Audit Contractors (RAC) Program: 

Appendix II: Comments from the Department of Health & Human Services: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Table: 

Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics 
Related to Accuracy and Provider Service: 

Figures: 

Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review 
Process: 

Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase-
in Schedule: 

Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program: 

Figure 4: Status of Corrective Actions for Vulnerabilities with 
Improper Payments of Greater Than $1 Million, as of the End of the 
Recovery Audit Contractor Demonstration Project--March 2008: 

Figure 5: Interdependence of Recovery Audit Contractors (RACs) and 
Medicare Administrative Contractors (MACs): 

Abbreviations: 

CMS: Centers for Medicare & Medicaid Services: 

DME: durable medical equipment: 

FFS: fee-for-service: 

HHS: Department of Health and Human Services: 

IPPP: Improper Payment Prevention Plan: 

LCD: local coverage determination: 

MAC: Medicare Administrative Contractor: 

MMA: Medicare Prescription Drug, Improvement, and Modernization Act of 
2003: 

NCD: national coverage determination: 

OFM: Office of Financial Management: 

RAC: recovery audit contractor: 

VC: validation contractor: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

March 31, 2010: 

Congressional Requesters: 

For almost 20 years, we have designated Medicare, which provides 
health insurance for those aged 65 and older and certain disabled 
persons, as a high risk program due to the its size and complexity, as 
well as its susceptibility to mismanagement and improper payments. 
[Footnote 1] Improper payments may be due to errors, such as the 
inadvertent submission of duplicate claims for the same service, or 
misconduct, such as fraud and abuse.[Footnote 2] In 2009, the 
Department of Health and Human Services (HHS) estimated that 
approximately $24.1 billion, or 7.8 percent of Medicare fee-for-
service (FFS)[Footnote 3] payments for claims from April 2008 through 
March 2009 were improper.[Footnote 4] Because billions of dollars are 
paid in error each year, the Centers for Medicare & Medicaid Services 
(CMS)--the HHS agency that administers the Medicare program--conducts 
a number of activities to reduce improper payments.[Footnote 5] CMS's 
efforts include pre-payment reviews to prevent improper payments 
before claims are paid, as well as post-payment reviews of claims 
potentially paid in error. CMS uses Medicare claims administration 
contractors to perform these and other Medicare FFS functions, 
[Footnote 6] which include reviewing and paying claims in accordance 
with Medicare policy, and conducting provider outreach and education 
on correct billing practices.[Footnote 7] 

The Medicare Prescription Drug, Improvement, and Modernization Act of 
2003 (MMA) directed CMS to conduct a project to demonstrate how 
effective the use of recovery audit contractors (RACs) would be in 
identifying underpayments and overpayments, and recouping overpayments 
in the Medicare program.[Footnote 8] Recovery audits involve post- 
payment review of supporting documents and other information to 
identify overpayments and underpayments.[Footnote 9] The MMA directed 
CMS to establish a RAC demonstration in at least two states from among 
the ones with the highest per-capita Medicare utilization rates and to 
use at least three RACs.[Footnote 10] The MMA also authorized CMS to 
pay the RACs on a contingency basis, which differs from how the agency 
pays its other contractors.[Footnote 11] For Medicare, the RAC 
demonstration project was designed to be an addition to existing 
claims review processes conducted by various contractors that CMS uses 
to administer the program. 

The demonstration project required the RACs to review claims 
previously paid by Medicare claims administration contractors to 
identify payment errors, such as whether a provider billed the correct 
number of units for a particular drug or service. Once a RAC 
identified an improper payment, it informed the provider of the error 
and its amount. The Medicare claims administration contractor then 
adjusted the claim to the proper amount and collected the overpayment 
or reimbursed the underpayment. During the demonstration project, CMS 
paid RACs contingency fees on overpayments collected and underpayments 
refunded.[Footnote 12] 

In the CMS RAC Status Document FY 2006: Status on the Use of Recovery 
Audit Contractors (RACs) in the Medicare Program, the agency reported 
its intention to use information from RAC reviews to identify issues 
at risk for improper payments. Similarly, the agency's 2008 evaluation 
of the demonstration project provided information on the service-
specific errors or vulnerabilities, which resulted in RAC-identified 
improper overpayments and underpayments. CMS or its Medicare claims 
administration contractors could then address the vulnerabilities most 
likely to result in payment errors in order to reduce improper 
payments. Once a RAC identified a vulnerability, it was the 
responsibility of CMS or the Medicare claims administration 
contractors to take corrective action. Corrective action involves 
identifying the causes for each type of vulnerability and addressing 
them, in order to reduce future improper payments. 

In the 2006 status document on the demonstration project, CMS also 
reported that the demonstration RACs identified $303.5 million in 
improper payments.[Footnote 13] However, this amount did not include 
the final results of any provider appeals filed after or pending at 
that time.[Footnote 14] CMS concluded that "preliminary results 
indicate that the use of recovery auditors is a viable and useful tool 
for ensuring accurate payments" and that RACs would be a "value-added 
adjunct" to the agency's programs. Subsequently, in December 2006 the 
Tax Relief and Health Care Act of 2006 required CMS to implement a 
national recovery audit contractor program by January 1, 2010. 

Providers reported problems during the RAC demonstration project, and 
expressed concerns about the implementation of a national program 
before these issues were resolved. For example, providers stated that 
the contingency fee payment structure created an incentive for RACs to 
be aggressive in determining that paid claims were improper. In 
addition, providers faulted CMS for not holding the RACs accountable 
for the accuracy of their decisions, noting that RAC determinations 
resulted in thousands of provider appeals to Medicare claims 
administration contractors. These appeals and adjustments to claims 
produced additional workload and coordination challenges for the 
Medicare claims administration contractors adjudicating appeals and 
RACs. Association and hospital representatives further noted the RACs 
sometimes requested duplicate medical records as part of their 
reviews, thus increasing providers' administrative burden. In a June 
2008 report evaluating the 3-year RAC demonstration project, CMS 
reported its intent to make a number of changes to the RAC national 
program to address these concerns and streamline operations.[Footnote 
15] 

You asked us to examine how CMS used information on RAC-identified 
improper payments to address the underlying vulnerabilities that led 
to them. You also asked us to examine particular issues regarding 
contractor coordination and RAC accuracy and service that arose during 
the RAC demonstration project and CMS's efforts to address them in the 
RAC national program. This report examines the extent to which CMS (1) 
developed an adequate process and took corrective action to address 
RAC-identified vulnerabilities that led to improper payments; (2) 
built upon lessons learned from the demonstration project to resolve 
coordination issues between the RACs and the Medicare claims 
administration contractors for the national program; and (3) 
established methods to oversee the accuracy of RACs' claims-review 
determinations and the quality of RAC service to providers during the 
national program. This report focused on implementation of the 
recovery audit provisions of the MMA and the Tax Relief and Health 
Care Act of 2006 and not certain other statues and guidance relevant 
to recovery auditing. 

To determine the extent to which CMS developed an adequate process and 
took corrective action to help prevent future improper payments due to 
vulnerabilities identified during the RAC demonstration project, we 
used the criteria outlined in our Standards for Internal Control in 
the Federal Government.[Footnote 16] We applied these standards to 
assess whether the policies and procedures CMS instituted to monitor 
the RAC program reasonably ensured that the findings from RAC reviews 
were evaluated, assigned to the appropriate components within CMS or 
its Medicare claims administration contractors to implement corrective 
actions, and resolved promptly in accordance with these internal 
control standards. We also used criteria from our Internal Control 
Management and Evaluation Tool to assess whether CMS's actions to 
establish an effective internal control environment for the RAC 
program included the appropriate assignment of authority, 
accountability, and responsibility to meet the agency's goals and 
objectives.[Footnote 17] We reviewed the agency's Improper Payment 
Prevention Plan (IPPP), an internal agency spreadsheet that was 
designed to list the most significant improper payments identified 
during the RAC demonstration project that generally resulted in 
overpayments of at least $1 million. We evaluated the IPPP against 
CMS's essential steps of a corrective action process namely: (1) data 
analysis of the errors including those associated with improper 
payments; (2) determination of the specific programmatic causes; (3) 
identification of corrective actions to be implemented based on data 
and program analysis; (4) development of an implementation schedule 
for each corrective action, including major tasks, personnel 
responsible, and a timeline for each action, and implementation of the 
corrective actions; and (5) evaluation of the effectiveness of the 
corrective actions through monitoring.[Footnote 18] We also 
interviewed CMS officials to determine the actions taken to assure 
that the information in the IPPP was accurate. Agency officials said 
they did not verify the dollar amounts reported by the RACs. However, 
they referred us to the agency's final evaluation report for the most 
accurate analysis of the amounts recovered by the RACs as of the end 
of the demonstration project. Therefore, to quantify the relative 
dollar amounts of improper payments associated with specific RAC-
identified vulnerabilities in the IPPP, we developed a crosswalk 
between the vulnerabilities listed on the IPPP and the dollar amounts 
presented in CMS's June 2008 evaluation of the RAC demonstration 
project. Agency officials agreed that this approach provided an 
accurate representation of the overpayment amounts at the end of the 
demonstration project for the most significant vulnerabilities 
identified by the RACs that led to improper payments.[Footnote 19] We 
determined these data were sufficiently reliable for our purposes 
because the data represented the best available information on the RAC-
identified vulnerabilities and their financial impact at that time. We 
also interviewed relevant officials from CMS, two Medicare claims 
administration contractors that participated in the demonstration 
project,[Footnote 20] and the demonstration RACs to obtain information 
about the demonstration RACs' processes and findings. 

To determine whether CMS addressed coordination issues between RACs 
and the Medicare claims administration contractors, we reviewed the 
statements of work for the RACs and MACs that detail CMS's 
expectations for these contractors. We also examined the performance 
metrics for the RACs, as well as performance metrics CMS uses to 
assess coordination between Medicare claims administration contractors 
and other Medicare FFS contractors. We assessed these elements against 
the Standards for Internal Control in the Federal Government. We also 
interviewed CMS officials and staff from the same two Medicare claims 
administration contractors that participated in the RAC demonstration 
project about the quality of communication among contractors involved 
with the RAC program. 

To determine the extent of CMS's oversight of RAC accuracy and quality 
of service to providers, we analyzed documentation from CMS, including 
the RAC statement of work. In addition, we listened to two Special 
Open Door Forums audio conferences hosted by CMS on the RAC program, 
as well as a national RAC summit sponsored by associations of health 
care professionals to learn about provider experiences during the 
demonstration project and concerns about the national program. We also 
conducted interviews with CMS officials, RAC staff, and 
representatives from the American Hospital Association and state 
hospital organizations in the demonstration states of California, 
Florida, and New York; the American Medical Association; the Medical 
Group Management Association; and the American Health Care 
Association, to obtain further information about the oversight of RAC 
accuracy and quality of service. 

We requested comments on a draft of this report from CMS. We received 
written comments on March 3, 2010 and have summarized them in the 
agency comment section of this report. We also provided statements of 
facts from our draft report to the two Medicare claims administration 
contractors and seven provider associations we interviewed and 
requested their comments that we incorporated as appropriate. We 
conducted this performance audit from March 2009 to March 2010 in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 

Background: 

Recovery auditing has been used in various industries, including 
health care, to identify and collect overpayments for about 40 years. 
Private insurance companies, managed care plans, and employee group 
health plans contract with recovery auditors to review payments made. 
Typically, recovery auditing contractors are paid a contingency fee 
based on a percentage of the overpayments collected. Fees vary 
depending on such factors as the types of overpayment involved and the 
degree of difficulty associated with identifying and collecting them. 

Use of Contractors in the Operation of the Medicare Program: 

Contractors play an essential role in the Medicare program. Since the 
program's inception in 1965, Medicare claims administration 
contractors, then known as fiscal intermediaries and carriers, have 
conducted its claims administration activities. In addition, CMS also 
uses other contractors to conduct Medicare functions, such as to 
investigate instances of potential fraud and develop cases for 
referral to law enforcement and to answer beneficiary inquiries 
through the 1-800-Medicare help line. 

At present, CMS is in the midst of the largest transition of its 
claims administration contracts since the program was established. The 
MMA required CMS to use competitive procedures to select new entities 
called Medicare Administrative Contractors (MACs) to conduct claims 
administration activities that had been conducted by fiscal 
intermediaries and carriers. Through February 2005, CMS contracted 
with approximately 51 fiscal intermediaries and carriers that 
processed and paid claims, conducted automated pre-payment and limited 
post-payment review of claims, handled the first level of provider 
appeals of denied claims, enrolled providers in Medicare, and audited 
providers' cost reports.[Footnote 21] To address improper billing, 
these Medicare claims administration contractors also performed trend 
analysis of provider billing patterns, developed strategies to address 
improper billing through systems edits or provider education and 
claims review, helped implement CMS-issued national coverage 
determinations (NCD), and developed local coverage determinations 
(LCD).[Footnote 22] By the end of the transition from fiscal 
intermediaries and carriers to MACs, CMS will have transferred all of 
these tasks to 15 MACs that will handle Part A claims and Part B 
claims with the exception of durable medical equipment (DME) claims, 
which will be processed by four specialized DME MACs. As of September 
2009, CMS made an initial award decision on all the MAC contracts and 
has implemented 13. Because the transition is not completed, the 
current Medicare contracting environment includes fiscal 
intermediaries, carriers, and MACs, any one of which we refer to as 
Medicare claims administration contractors for this report. 

Claims Review in Medicare: 

Medicare claims administration contractors review Medicare claims both 
before and after payment using similar automated and complex 
processes. CMS's use of recovery auditing in the RAC demonstration 
project augmented existing Medicare claims administration contractor 
pre-and post-payment claims review efforts. While Medicare claims 
administration contractors have the authority to review claims they 
initially paid, this is only one of the many functions they perform. 
Further, because the Medicare claims administration contractors 
receive more than 1.2 billion claims per year (the equivalent of 4.5 
million claims per work day), it is impractical, according to CMS, for 
these contractors to manually review more than a small fraction of 
claims--either before or after payment.[Footnote 23] Recovery audit 
contractors, in contrast, focus exclusively on post-payment claims 
review. 

Medicare claims administration contractors and the RACs generally use 
the same processes to review claims: 

* Automated reviews use systems edits to check claims for evidence of 
improper coding or other mistakes.[Footnote 24] Medicare claims 
administration contractors may use automated reviews before payment to 
deny claims, or to flag claims that require additional non-automated 
review before payment. RACs use automated reviews after payment to 
analyze paid claims and identify those that were or could have been 
paid improperly. 

* Complex reviews rely on licensed medical professionals to manually 
examine a claim and any related documentation, including paper files, 
to determine whether the service was covered and was reasonable and 
necessary. Complex reviews conducted by a Medicare claims 
administration contractor or a RAC involve an examination of the 
medical records associated with a service, which the provider submits 
for review.[Footnote 25] 

RAC Responsibilities in the Demonstration Project: 

CMS implemented the RAC demonstration project to test whether recovery 
auditing would effectively identify additional improper payments that 
could be recouped. In March 2005, CMS selected three RAC contractors 
to conduct claims reviews in the three states with the highest per-
capita Medicare utilization rates--California, Florida, and New York. 
In July 2007, CMS expanded the demonstration project to three 
additional states--Arizona, Massachusetts, and South Carolina. The 
demonstration project ended in March 2008.[Footnote 26] 

CMS initially provided the RACs with 4 years of claims data in their 
jurisdictions, followed by an additional 3 months of claims each 
quarter for the rest of the demonstration project. CMS gave the 
demonstration RACs a total of 1.2 billion claims that they could 
review. To prevent the RACs from auditing those claims that previously 
underwent complex review by a Medicare claims administration 
contractor or other contractor,[Footnote 27] CMS established a data 
warehouse that contained information on which claims were unavailable 
for RAC review. 

During the demonstration project, the RACs were required to use 
automated and complex review processes using the same Medicare 
policies and regulations as CMS's Medicare claims administration 
contractors to identify improper payments. The RACs used their own 
software to analyze paid claims and identify those that were or could 
have been paid improperly. For example, claims indicating duplicate 
payments could be identified by automated analysis alone. In other 
cases, the RACs identified claims likely to contain errors and 
conducted complex reviews. (See figure 1 for a depiction of the claims 
review process.) In these cases, the RACs requested that providers 
submit the associated medical records for review. If the RAC found an 
improper payment, it notified the provider and the Medicare claims 
administration contractor responsible for recouping the overpayments 
or repaying an underpayments. Providers could appeal RAC 
determinations through the established Medicare appeals process, which 
included a first-level review conducted by the Medicare claims 
administration contractors. 

Figure 1: Recovery Audit Contractor (RAC) Medicare Claim Review 
Process: 

[Refer to PDF for image: process map] 

Provider submits claim: 

Medicare claims administration contractor processes claim: 
Deny; or: 
Pay: 
RAC conducts post-payment review: 
* No improper payment identified; or: 
* Improper payment identified: 
- Medicare claims administration contractor recoups overpayment; 
- Medicare claims administration contractor pays underpayment. 

Source: GAO analysis of CMS documents. 

Note: Figure does not include steps related to the appeals process and 
does include steps prior to the RAC review process. 

[End of figure] 

Two years into the demonstration project, CMS initiated a series of 
vulnerability calls, conference calls between the RACs and the 
Medicare claims administration contractors. These calls enabled the 
RACs to provide information about the vulnerabilities they identified 
that resulted in improper payments and to highlight situations where 
corrective action might be needed. Although a CMS official told us it 
was not required, the Medicare claims administration contractors could 
consider RAC-identified vulnerabilities when developing their 
strategies to reduce improper payments. If a Medicare claims 
administration contractor determined that a RAC-identified 
vulnerability was widespread in its region, it could choose to take 
several corrective actions. A Medicare claims administration 
contractor could: (1) conduct provider outreach and education, (2) 
develop or revise local coverage determinations to clarify what 
services were reasonable and necessary in that jurisdiction, and (3) 
initiate additional service-specific prepayment edits in its local 
claims processing system. In addition, CMS could initiate a nationwide 
corrective action, such as implementing a national system edit, 
reissue instructions for coding a claim, or develop a national 
coverage determination. CMS also could provide outreach and education 
on critical issues to providers directly through its Special Open Door 
Forums teleconferences, and presentations at national meetings. 

In its June 2008 evaluation report, CMS stated that the demonstration 
project corrected $1.02 billion in improper payments from the three 
claim RACs--$980.0 million in overpayments and $37.8 million in 
underpayments--as of March 27, 2008, and returned $693.6 million to 
the Medicare Trust Funds.[Footnote 28] Eighty-five percent of the 
overpayments collected were for services detailed on inpatient 
hospital claims.[Footnote 29] Common types of improper payments were 
for claims determined to be: coded incorrectly, lacking sufficient 
documentation, or medically unnecessary.[Footnote 30] However, the 
RACs collected the majority of these improper payments in the last 
quarter of the demonstration project, and many provider appeals had 
not been decided or even filed by the end of the demonstration 
project. The final outcome of the appeals process, which can take more 
than two years, could decrease the savings attributed to the 
demonstration project.[Footnote 31] CMS's report also discussed 
several changes the agency made prior to the start of the RAC national 
program. (See appendix I.) 

RAC Responsibilities in the National Program: 

In 2008, following the mandate to create a national program, CMS made 
initial awards of contingency-fee contracts to four RACs, each with 
responsibility for reviewing claims in one of four geographic 
regions.[Footnote 32] CMS launched the RAC national program in two 
stages with outreach activities beginning in 24 states on March 1, 
2009, and the remaining states starting in August 2009 or later. (See 
figure 2.) RAC claim reviews in the national program involve the same 
processes of automated and complex review of claims as during the 
demonstration project, and the Medicare claims administration 
contractors are responsible for recoupments, claims adjustments, and 
provider outreach and education. 

Figure 2: Medicare Recovery Audit Contractor (RAC) Regions and Phase-
in Schedule: 

[Refer to PDF for image: U.S. map] 

RAC Region A: 
Phase-in March 1, 2009: 
Maine; 
Massachusetts; 
New Hampshire; 
New York; 
Rhode Island; 
Vermont. 

Phase-in August 1, 2009: 
Connecticut; 
Delaware; 
District of Columbia; 
Maryland; 
New Jersey; 
Pennsylvania; 

RAC Region B: 
Phase-in March 1, 2009: 
Indiana; 
Michigan. 

Phase-in August 1, 2009: 
Illinois; 
Kentucky;
Minnesota; 
Ohio; 
Wisconsin. 

RAC Region C: 
Phase-in March 1, 2009: 
Colorado; 
Florida; 
New Mexico; 
Oklahoma; 
South Carolina; 
Texas; 

Phase-in August 1, 2009: 
Alabama; 
Arkansas; 
Georgia; 
Louisiana; 
Mississippi; 
North Carolina; 
Tennessee; 
Virginia; 
West Virginia. 

RAC Region D: 
Phase-in March 1, 2009: 
Arizona; 
California; 
Hawaii; 
Montana; 
Nevada; 
North Dakota; 
South Dakota; 
Utah; 
Wyoming. 

Phase-in August 1, 2009: 
Alaska; 
Idaho; 
Iowa; 
Kansas; 
Missouri; 
Nebraska; 
Oregon; 
Washington. 

Sources: GAO analysis of CMS data; copyright © Corel Corp. all rights 
reserved (map). 

[End of figure] 

The four regional RACs also are required to conduct outreach to 
providers about the purpose of the RAC program, assist CMS with the 
development of an improper payment prevention plan, and support the 
agency regarding any overpayments appealed by providers. The RACs are 
expected to conduct outreach to providers in each state in 
coordination with CMS and include the appropriate Medicare claims 
administration contractor in each state in its region. In addition, 
RACs are required to compare the claims proposed for review with the 
claims in the data warehouse to ensure that a Medicare claims 
administration contractor or other contractor had not previously 
audited the claims or that RAC activities would not interfere with 
potential fraud investigations. 

From March 2009 through June 2009, the RACs' activities included 
accessing claims data from CMS and convening meetings with the 
providers in the states in their regions to explain the RAC program. 
In June 2009, CMS announced a gradual implementation of claims review 
activities. CMS permitted RACs to begin automated reviews as of June 
2009.[Footnote 33] RACs will be permitted to conduct complex reviews 
to assess medical necessity of DME claims in fiscal year 2010 and 
complex review of other claims for medical necessity in calendar year 
2010. (See figure 3 for a timeline for the RAC program.) 

Figure 3: Timeline for the Recovery Audit Contracting (RAC) Program: 

[Refer to PDF for image: timeline] 

December 2003: 
Congress requires a RAC demonstration project. 

March 2005: 
Demonstration project begins in California, Florida, and New York. 

December 2006: 
Congress requires a RAC national program. 

July 2007: 
CMS expands RAC demonstration project to Arizona, Massachusetts, and 
South Carolina[A]. 

March 2008: 
RAC demonstration project ends. 

October 2008: 
CMS awards contracts for RAC national program. 

March 2009: 
RAC national program activity begins. 

June 2009: 
Automated reviews begin for RAC national program. 

During 2010: 
Complex reviews for medical necessity can begin for RAC national 
program. 

Source. GAO analysis of CMS documents. 

[A] While CMS added Arizona to the demonstration project in July 2007, 
the relevant RAC did not review any Arizona claims prior to the end of 
the RAC demonstration project. 

[End of figure] 

CMS Did Not Establish an Adequate Process to Address RAC-Identified 
Vulnerabilities That Led to Improper Payments; Corrective Actions Were 
Limited: 

CMS did not establish an adequate process during the demonstration 
project or in planning for the national program to ensure prompt 
resolution of the RAC-identified improper payment 
vulnerabilities.[Footnote 34] Although the agency's goal was for the 
RACs to provide information to CMS and Medicare claims administration 
contractors that could help prevent future improper payments, CMS did 
not implement corrective actions for 60 percent of the most 
significant vulnerabilities identified during the RAC demonstration 
project. 

CMS Did Not Establish an Adequate Process to Address RAC-Identified 
Vulnerabilities to Reduce Improper Payments: 

While CMS stated in its fiscal year 2006 status report on the RAC 
demonstration project that the agency intended to draft a corrective 
action plan to prevent future improper payments based on the findings 
identified by the RACs, it did not do so. CMS developed the IPPP--a 
list of the most significant vulnerabilities that led to improper 
payments and corrective actions taken to address them--but this 
document did not include the essential elements of a corrective action 
plan.[Footnote 35] The IPPP listed the 58 most significant RAC- 
identified vulnerabilities--generally those that resulted in 
overpayment collections of $1 million or more--and whether any 
corrective actions were taken to address them.[Footnote 36] Improper 
payments for medically unnecessary services and duplicate claims are 
examples of types of RAC-identified vulnerabilities listed in the 
IPPP. For each vulnerability, the IPPP listed the provider type, 
improper payment amount, status, and comments.[Footnote 37] If any 
action were taken by CMS or its Medicare claims administration 
contractors, it would be noted in the IPPP. For the RAC national 
program, CMS has yet to assign responsibility to personnel for 
implementing corrective actions to address RAC-identified 
vulnerabilities or to develop steps to assess the effectiveness of 
actions taken. 

Based on criteria outlined in our Standards for Internal Control in 
the Federal Government and criteria that CMS developed for a 
corrective action process, we found the following limitations in CMS's 
resolution process: 

CMS lacked a process to evaluate RAC findings promptly. CMS did not 
begin to evaluate the most significant vulnerabilities that resulted 
in improper payments until almost 2 years after the program began. 
Agency officials told us they did not anticipate that the RACs would 
identify such a high volume of improper payments and did not have 
systems in place to collect data at the beginning of the demonstration 
project. CMS's fiscal year 2006 status report on the RAC demonstration 
project stated that CMS would draft a proposed RAC Corrective Action 
Plan to prevent future improper payments by January 2007. However, CMS 
did not create the IPPP--the spreadsheet to track significant 
vulnerabilities identified during the demonstration project--until 
November 2008, 8 months after the demonstration project ended. 

CMS lacked a process to determine appropriate responses to RAC 
findings. CMS did not assign responsibility for taking corrective 
action on the vulnerabilities listed in the IPPP to either the agency 
itself, its Medicare claims administration contractors, or a 
combination of both. According to CMS officials, the agency only takes 
corrective action for vulnerabilities with national implications, and 
leaves it up to the Medicare claims administration contractors to 
decide whether to take action for vulnerabilities with local 
implications. However, the IPPP did not specify what type of action 
was required on the part of CMS or the Medicare claims administration 
contractors. For example, for inpatient services that did not meet the 
stated inpatient care criteria, the IPPP neither specified what type 
of corrective action would be needed to prevent future improper 
payments nor whether CMS or its Medicare claims administration 
contractors were responsible for taking action. Accordingly, neither 
Medicare claims administration contractors nor CMS have taken 
corrective action to address payment errors related to this inpatient 
service vulnerability. Similarly, we reviewed the instructions CMS 
provided to the Medicare claims administration contractors during the 
demonstration project and found that CMS did not provide specific 
guidance to the Medicare claims administration contractors for 
incorporating RAC findings into local corrective action plans. 
Instead, CMS allowed its Medicare claims administration contractors to 
independently determine when to take action and what actions, if any, 
were needed to address RAC findings. The lack of documented assigned 
responsibilities--as prescribed in our internal control standards--
impeded CMS's efforts to promptly resolve the vulnerabilities 
identified by the RACs during the demonstration project. 

CMS lacked a process to implement corrective actions promptly. The 
IPPP, which was not created until 8 months after the end of the 
demonstration project, lacked a time frame based on established 
criteria for when CMS or its Medicare claims administration 
contractors should take action. CMS officials told us that although 
they conducted some informal follow-up, neither the agency nor its 
Medicare claims administration contractors have implemented any 
corrective actions to address RAC findings since the fall of 2008. CMS 
officials noted that the agency does not plan to take any further 
action until the appeals from the demonstration project are finalized. 
Because CMS has not developed a time frame for taking action based on 
established criteria and is currently unable to track all pending 
first-level appeals of RAC determinations, it is uncertain when or if 
the agency would take any further action on the remaining 
vulnerabilities. Although educating providers promptly on how to 
correct billing errors reduces the risk of improper payments, provider 
associations also told us they and their members had not received 
training on the majority of the vulnerabilities identified by the RACs 
during the demonstration project. For example, one national provider 
association said that it was not aware of any educational efforts 
related to the RAC program findings on vulnerabilities either during 
or after the demonstration project. Another noted that in addition to 
provider education, systems edits should be used when possible to 
prevent the initial improper payments. 

CMS continues to lack an adequate process for implementing corrective 
actions during the RAC national program. Although CMS has made public 
statements that preventing future improper payments is the RAC 
program's mission, the agency has yet to assign responsibility to 
personnel for implementing corrective actions to address RAC-
identified vulnerabilities or to develop steps to assess the 
effectiveness of corrective actions taken. 

While CMS's Office of Financial Management (OFM) established a 
corrective action team for the RAC national program that will compile, 
review, and categorize RAC-identified vulnerabilities and discuss 
corrective action recommendations, the team does not have the 
organizational authority to implement the corrective actions necessary 
to reduce future improper payments. Rather, the team can only forward 
the issues and their recommendations to other leadership groups 
comprised of senior officials from different components within CMS 
that have the authority to take corrective actions. For example, if 
the decision is made to address a vulnerability by developing a NCD, 
the responsibility to prioritize the development of NCDs and expertise 
to develop them is not within OFM, but rather within the Office of 
Clinical Standards and Quality. The different components can choose 
whether to address the identified vulnerabilities that could lead to 
improper payments. 

Further, CMS's corrective action process does not include steps to 
assess the effectiveness of any actions taken to reduce improper 
payments on RAC-identified vulnerabilities. Strong internal controls 
include ongoing monitoring of corrective actions, evaluating their 
effectiveness, and modifying them as necessary.[Footnote 38] CMS 
officials in OFM said their corrective action team would monitor 
actions taken by other agency components. However, the corrective 
action process does not include any steps to either assess the 
effectiveness of the corrective actions taken or adjust them as 
necessary based on the results of the assessment. Until CMS designates 
key personnel with accountability for ensuring corrective actions are 
implemented and establishes a process to ensure these actions are 
effective, the agency remains at risk for making improper payments on 
vulnerabilities previously identified by RACs. 

CMS's Corrective Actions Did Not Address Most of the RAC-Identified 
Vulnerabilities That Led to Improper Payments: 

The lack of accountability and adequate processes for ensuring 
corrective actions are taken have resulted in most of the RAC- 
identified vulnerabilities that led to improper payments going 
unaddressed. CMS implemented corrective actions for 23 of the 58 
vulnerabilities (40 percent) listed in the IPPP. (See figure 4.) This 
left 35 of the 58 vulnerabilities identified during the demonstration 
project (60 percent) unaddressed, representing millions of dollars in 
potential overpayments.[Footnote 39] CMS stated in its June 2008 
demonstration evaluation report that overpayments were identified for 
18 specific medical services totaling $378 million.[Footnote 40] Our 
analysis of the status of the vulnerabilities related to these 
overpayments in the IPPP indicates that corrective actions had not 
been implemented by CMS or the Medicare claims administration 
contractors for vulnerabilities representing $231 million (61 percent) 
of the $378 million in overpayments for these services.[Footnote 41] 
More than 90 percent of the $231 million in vulnerabilities that were 
not addressed were for inpatient hospital claims alone. 

Figure 4: Status of Corrective Actions for Vulnerabilities with 
Improper Payments of Greater Than $1 Million, as of the End of the 
Recovery Audit Contractor Demonstration Project--March 2008: 

[Refer to PDF for image: pie-chart illustration] 

Status of vulnerabilities: 

Corrective actions taken: 42% (23); 
- Edits implemented: 12% (7); 
- Education provided: 10% (6); 
- Clarification of guidance/issuance of new regulation: 17% (10). 

Corrective actions not taken: 60% (35). 
- Unable to develop corrective actions[A]: 12% (7); 
- Corrective actions not taken: 48% (28). 

Source: GAO analysis of CMS data. 

Note: Percentages in figure do not add up due to rounding. 

[A] According to CMS officials the agency was unable to develop 
corrective actions because it either lacked adequate information on 
the specific services involved or decided it was not cost effective to 
do so. 

[End of figure] 

The corrective actions taken to address 23 of the 58 vulnerabilities 
(40 percent) included: 7 system edits (12 percent), 6 provider 
education activities (10 percent), and 10 clarifications of guidance 
and issuance of new regulations (17 percent).[Footnote 42] Six of the 
23 corrective actions taken included local actions implemented by the 
Medicare claims administration contractors and other contractors, but 
according to the IPPP, CMS also implemented national corrective 
actions for the same vulnerabilities. 

CMS did not implement corrective actions for 35 of the 58 
vulnerabilities (60 percent) listed in the IPPP. Of these 35 
vulnerabilities, CMS did not list a reason on the IPPP for 28 of them 
(48 percent). CMS officials told us that they were unable to develop 
specific corrective actions on the other seven (12 percent) because 
they either lacked adequate information to address the problem or 
decided it was not cost-effective to do so.[Footnote 43] CMS officials 
told us the agency was unable to develop corrective actions for 7 
vulnerabilities because the agency did not provide sufficient guidance 
to the RACs on how to categorize these vulnerabilities. As a result, 
the RACs combined several billing codes into single categories, which 
presented a challenge for identifying corrective actions, according to 
CMS officials. For example, RACs denied millions of dollars in 
inpatient hospital claims not meeting the requirements for inpatient 
admission. However, CMS officials told us they were unable to develop 
corrective actions on this and six other vulnerabilities because they 
either lacked adequate information on specific services involved or 
decided it was not cost effective to address each specific billing 
code. Further, the agency reported that it did not have sufficient 
time to analyze the information on one of these types of 
vulnerabilities prior to the end of the demonstration project. 

CMS noted several actions it took to improve the quality of its 
information on improper payment vulnerabilities that might be 
identified through the national RAC program. According to CMS 
officials, the agency has enhanced the data warehouse to provide 
additional information by establishing 20 to 30 different types of 
categories for use in the national program. In addition, CMS officials 
said they will not rely on each RAC to report its findings; instead, 
the agency will use the information from the data warehouse for data 
analysis and reports. 

CMS officials told us they had no plans to take further action on RAC- 
identified improper payment vulnerabilities that have appeals 
outstanding from the demonstration project until the results from 
these appeals are known. According to the agency, information from 
these appeals may help the agency determine what corrective actions 
are appropriate. 

CMS and Medicare claims administration contractors reported that the 
following factors also hindered their progress in implementing 
corrective actions: 

* Competing priorities in implementing system edits--According to CMS 
officials, national systems edits to address RAC findings competed 
with other computer system changes, such as Medicare fee schedule 
updates. National edits require collaboration among various CMS 
components and senior executives to determine the viability of each 
edit and its priority level and can take up to 7 months to be 
implemented. The decision to implement system edits at the local level 
is usually up to the local Medicare claims administration contractor. 
A Medicare claims administration contractor can decide not to 
implement a local edit if it does not consider that particular 
vulnerability a priority in its strategy to reduce improper payments 
or if it anticipates that the edit would result in a high level of 
appeals. CMS officials also told us that the availability of 
resources, including staff hours, played a role in prioritizing the 
implementation of national and local edits. Due to the limited 
resources available and the agency's competing priorities, RAC-related 
system edits from the three state demonstration project were not a 
high priority according to CMS. 

* Significant workload increase in processing claim readjustments and 
appeals--CMS officials and one of the Medicare claims administration 
contractors' staff we interviewed told us that the increase in 
workload from claim adjustments and appeals from RAC findings during 
the demonstration project strained the Medicare claims administration 
contractors' capacity to institute corrective actions.[Footnote 44] 
Medicare claims administration contractors made adjustments for claims 
in which the RACs had identified either overpayments or underpayments. 
However, during the demonstration project, the Medicare claims 
administration contractors processed hundreds of thousands of RAC 
claim adjustments--some manually--which created significant additional 
workload. In addition, both of the Medicare claims administration 
contractors that we interviewed that worked with the RACs during the 
demonstration project reported significant increases in appeals 
workload due to RAC activities, especially Part A appeals. One 
Medicare claims administration contractor stated that in fiscal year 
2008, 99 percent of its Part A appeal workload arose from RAC claims, 
while another claims administration contractor reported having twice 
as many Part A appeals as it did prior to the demonstration project. 

* Transition of Medicare claims administration functions to MACs--The 
transfer of claims administration responsibilities to MACs further 
contributed to CMS's inability to implement corrective actions. CMS 
consolidated numerous fiscal intermediary and carrier jurisdictions 
into the new MAC jurisdictions. The MACs are responsible for 
consolidating the different coverage policies and systems edits they 
inherited from the previous contractors into one consistent set of 
edits and coverage policies for the new jurisdictions. As a result, 
CMS told us that some Medicare claims administration contractors did 
not act upon RAC-identified vulnerabilities that led to improper 
payments during the demonstration project. Further, CMS officials said 
that in part they did not implement corrective actions due to the lack 
of continuity when some of the Medicare claims administration 
contractors were not awarded MAC contracts, which prevented the agency 
from continuing discussions with contractor staff familiar with the 
RAC program. 

Our prior work has shown that CMS has allowed known vulnerabilities 
that contribute to or result in improper payments to remain unresolved 
for years.[Footnote 45] In fact, the RACs focused on some specific 
types of claims because both we and the HHS Office of the Inspector 
General identified them in the past.[Footnote 46] Moreover, CMS 
officials and one of the RACs noted that many of these vulnerabilities 
were known to CMS before the demonstration project due to medical 
record reviews and the agency's error reports. In its 2006-2009 
Strategic Action Plan, CMS reported that it planned to effectively 
oversee its providers and aggressively deliver provider education and 
outreach and that this oversight would include ways to prevent 
overpayments and improper payments. In addition, CMS reported that it 
was also expanding the use of electronic data to more efficiently 
detect improper payments and program vulnerabilities. However, we have 
reported recently that continuing weaknesses in CMS's process still 
exist, and therefore Medicare continues to be at risk for improper 
payments.[Footnote 47] 

CMS Is Taking Action to Resolve RAC and Medicare Claims Administration 
Contractor Coordination Issues: 

CMS used lessons learned from the RAC demonstration project to take 
actions to resolve RAC and Medicare claims administration contractor 
coordination issues for the RAC national program. Specifically, the 
agency continued activities that worked well during the demonstration 
project, initiated a number of new actions, and is taking steps to 
address coordination challenges. 

According to CMS officials, the success of the RAC program depends on 
collaboration between the RACs and the Medicare claims administration 
contractors because of the interdependence of their responsibilities. 
Once the RACs identify errors, Medicare claims administration 
contractors are responsible for re-processing the claims to repay 
underpayments or recoup overpayments, conducting the first level 
review for RAC-related appeals, and informing and training providers 
about lessons learned through the RAC reviews, according to CMS 
officials. (See figure 5 which illustrates this interdependence of 
RACs and MACs.) 

Figure 5: Interdependence of Recovery Audit Contractors (RACs) and 
Medicare Administrative Contractors (MACs): 

[Refer to PDF for image: process flow] 

Formalizing interactions: 
MACs sign Joint Operating Agreements[A] with RACs (Requires both RAC 
and MAC action). 

Claims review process: 
RACs conduct automated and complex postpayment review (Requires RAC 
action): 
* No improper payment identified; no further action required (Requires 
RAC action); 
* Improper payment identified (Requires RAC action); 
- MACs refund underpayment (Requires MAC action); 
- MACs recoup overpayment (Requires MAC action). 

First level of appeal: 
Providers may appeal RAC decision; prevents MACs recouping over- 
payments while pending (No action required by RAC or MAC); 
MAC resolves first level of appeals (Requires MAC action): 
* Provider wins appeal, no recoupment[B] (No action required by RAC or 
MAC); 
* Provider appeal denied[C] (No action required by RAC or MAC). 

Corrective action: 
RACs and MACs analyze data and discuss solutions to address improper 
payments during, for example, Vulnerability Calls[D] 
(Requires MAC action); 
* No action taken (No action required by RAC or MAC); 
* CMS takes corrective actions (No action required by RAC or MAC); 
* MACs take corrective actions (Requires MAC action). 

Source: GAO analysis of CMS documents. 

[A] The RAC and MAC statements of work require that these contractors 
develop Joint Operating Agreements. 

[B] If providers win appeals concerning payments the MACs had 
recouped, the MACs will repay the providers the amounts that were 
recouped. 

[C] If a provider's appeal is denied, the provider may continue to 
appeal up to four additional levels. 

[D] MACs and CMS may also pursue corrective actions to address 
vulnerabilities that lead to improper payments beyond those discussed 
during RAC vulnerability calls. 

[End of figure] 

CMS is taking multiple steps to resolve RAC and Medicare claims 
administration contractor coordination issues in the national program 
based on lessons learned during the demonstration project, such as 
continuing the RAC and Medicare claims administration contractors 
vulnerability calls, enhancing the existing data warehouse, automating 
the claims-adjustment process, and developing a system for electronic 
documentation sharing when RAC determinations are appealed. 

CMS is continuing regular RAC and Medicare claims administration 
contractor vulnerability calls. The vulnerability calls, which began 2 
years after the start of the demonstration project, were considered 
valuable according to agency officials. CMS officials said that they 
plan to hold weekly calls during the national program, to share RAC- 
identified vulnerabilities that may result in improper payments with 
Medicare claims administration contractors. According to CMS, these 
calls can inform Medicare claims administration contractors about ways 
to reduce payment errors, for example, by implementing appropriate 
local system edits or educating providers. CMS noted that conducting 
these calls during the demonstration project provided information 
about how best to implement corrective actions that would prevent 
future improper payments. For example, upon learning about some RAC-
identified inpatient hospital errors, CMS consulted coding experts 
about how to resolve these errors and whether it was necessary to 
conduct an educational session on the issue. According to a CMS 
official, the vulnerability calls are expected to serve as the main 
mechanism of communication between the RACs and the Medicare claims 
administration contractors about vulnerabilities and are expected to 
provide a means to share RAC findings with various other components of 
CMS. 

CMS is enhancing the data warehouse. For the national program, CMS is 
redesigning, enhancing, and maintaining the data warehouse created 
during the demonstration project to house data on RAC activity and 
prevent RACs from auditing claims under investigation or previously 
reviewed by other contractors. RACs and one of the Medicare claims 
administration contractors reported issues with the data warehouse 
during the demonstration project, including difficulty uploading data 
in the correct format, slow processing time, and a lack of information 
on collection activities. According to CMS, it has already made 
significant changes to the data warehouse. For example, it enhanced 
the system to accommodate increased user demand, added capability to 
generate reports for CMS to track RAC activity, and improved processes 
for data uploads and downloads. CMS also plans to incorporate appeals 
data into the data warehouse. 

CMS is automating the claims-adjustment process. According to CMS, the 
agency is automating the claims-adjustment process to address Medicare 
claims administration contractors' workload issues. During the 
demonstration project, the Medicare claims administration contractors' 
workload related to claims adjustment increased significantly, due to 
the high volume of claims RACs identified that required adjustment and 
the time-consuming process necessary for the contractors to adjust 
them. CMS officials stated that the amount of time and effort required 
of the Medicare claims administration contractors to re-process RAC- 
related claims was the most significant coordination problem. The 
agency automated the Part A claims adjustment process and is working 
to automate the process for adjusting Part B claims by April 2010. CMS 
officials stated that the changes eliminate the need for costly and 
time-consuming manual intervention by the Medicare claims 
administration contractors, ensure that overpayment recovery or 
underpayment reimbursement occurs promptly, and ultimately minimize 
the burden on the Medicare claims administration contractors. However, 
one Medicare claims administration contractor informed us that the 
Part A claims adjustment process failed to adjust its claims. 

CMS is developing an electronic documentation sharing system. 
According to CMS officials, the agency addressed an administrative 
burden by developing the e-RAC initiative, an electronic system that 
RACs, CMS, and Medicare claims administration contractors will use to 
share medical records. CMS officials stated that during the 
demonstration project, RACs transferred paper copies of medical 
records to Medicare claims administration contractors for appeals 
deliberations. According to Medicare claims administration 
contractors, the volume of appeals made it difficult to manage all of 
the paper medical records.[Footnote 48] A CMS official told us the 
agency expects the first phase of the e-RAC initiative to be 
operational in March 2010, which would allow the RACs to store imaged 
files of medical records and make them accessible to CMS and certain 
contractors that review, but do not process, claims. CMS expects this 
system to enable the agency to create basic reports and improve 
oversight of RAC activities. CMS's goal is to expand the e-RAC 
initiative to one or more Medicare claims administration contractors 
by the end of calendar year 2010. 

CMS established a "black-out period" for claims review. To ensure that 
the RAC national program does not interfere with the ongoing 
transition of fiscal intermediaries and carriers to MACs, CMS reported 
establishing a black out period of three months before and after each 
transition when the new MACs will focus on other claims processing 
activities and not work with the RACs in their jurisdictions. Claims 
processed during this period will be available for RAC review after 
the black-out period has ended. According to CMS officials, the agency 
instituted the black-out period, in part, to limit the number of 
claims adjusted during a time of significant change. 

CMS is planning to add performance metrics on coordination with RACs 
into the MAC award fee program. CMS officials indicated that the 
agency is planning to add performance metrics[Footnote 49] to provide 
incentives for coordination between the RACs and MACs into the MAC 
award fee program. The award fee program is designed to provide 
incentives for exceptional performance by the MACs. According to CMS 
officials, these performance metrics will likely include activities 
such as participating in conference calls; effectively coordinating, 
implementing, and providing appropriate edit recommendations; and 
communicating claims determination decisions and inquiries. CMS 
officials stated that they will add metrics on coordination with the 
RACs to the award fee program once all of the MACs are in place. 

CMS Has Taken Steps to Improve Oversight of RAC Accuracy and Service 
to Providers: 

CMS took a number of steps to improve oversight of the accuracy of 
RACs' claims review determinations and the quality of RAC service to 
providers in the national program. Specifically, CMS added processes 
to review the accuracy of RAC determinations and established Web site 
requirements to address provider concerns about service. CMS also 
established a number of performance metrics to monitor RAC accuracy 
and service to providers. 

CMS Established Processes to Review the Accuracy of RAC Determinations 
and Required Additional RAC Medical Expertise to Enhance Program 
Accuracy: 

For the national program, CMS created processes to more closely review 
the accuracy of RAC determinations to address provider concerns raised 
during the demonstration project. Providers raised concerns that CMS 
did not sufficiently oversee the RACs during the demonstration project 
to ensure the vulnerabilities pursued by RACs were valid and that RACs 
made accurate improper payment determinations. According to provider 
associations, this led to numerous appeals of inaccurate RAC 
determinations that were expensive and burdensome for providers. For 
the national program, CMS will continue a process the agency 
established during the end of the demonstration project to help ensure 
that RACs pursue valid vulnerabilities. Prior to pursuing a wide-scale 
review of any vulnerability, the RAC must submit it to CMS for the 
agency's approval. As part of the submission process, the RAC must 
provide a description of the vulnerability; a reference to the rule, 
regulation, or policy the RAC intends to evaluate claims against; and 
a small sample of claims (up to 10) that the RAC already reviewed and 
the findings for those claims. For example, CMS approved one RAC's 
request to identify overpayments associated with providers billing for 
more than one blood transfusion in a hospital outpatient setting for a 
Medicare beneficiary in a day--which Medicare policy does not allow. 

According to CMS officials, the level of review that each proposed 
vulnerability will receive will depend on its complexity. CMS 
officials in OFM have authority to allow the RACs to pursue clear-cut 
vulnerabilities that can lead to improper payments, such as duplicate 
payments for the same service. For more complex vulnerabilities, 
including all medical necessity determinations, the agency established 
a New Issue Review Board, comprised of officials from four CMS 
components, which will decide whether the RAC can go forward with its 
proposed review. The board is responsible for ensuring that each RAC's 
claims reviews conform to Medicare's coverage or payment policies and 
that the language the RAC proposes to use in its determination letters 
is appropriate and clear. CMS also contracted with a validation 
contractor (VC) with experience in claims review to independently 
examine how the RAC plans to select claims for each vulnerability and 
to determine whether the RAC plans to use the correct review strategy--
(automated or complex)--in reviewing claims. In addition, the VC also 
is expected to reexamine the small sample of claims submitted by RACs 
with each proposed vulnerability to assess the accuracy of these RAC 
determinations.[Footnote 50] 

In addition to the oversight process for proposed vulnerabilities, CMS 
also established a process for ongoing oversight of RAC accuracy of 
the improper payments identified. Each month CMS's VC is expected to 
independently examine 100 randomly selected claims that had been 
reviewed by each RAC. For each claim in the sample, the VC is expected 
to report whether it agrees or disagrees with the RAC's determination 
and evaluate whether the language used by the RAC to communicate the 
determination to the provider was clear and accurate. CMS officials 
told us that the agency plans to publish an annual accuracy score for 
each RAC in the agency's annual report on the RAC program and will 
take the scores into consideration when determining whether to renew 
each RAC's contract. CMS officials also told us that they may prohibit 
a RAC with a low score on a particular issue from reviewing additional 
claims on that issue. This process could help address provider 
concerns that CMS might not become aware of inaccurate RAC 
determinations unless providers filed significant numbers of appeals. 
[Footnote 51] 

In addition to these oversight processes, CMS added requirements 
regarding the medical expertise of RAC staff to help address accuracy 
concerns. Providers stated that RACs did not have the necessary 
medical expertise to make their determinations during the 
demonstration project, because they were not required to have a 
physician medical director on staff or coding experts conducting the 
claims reviews. To address this concern, for the national program, CMS 
required each RAC to have at least one physician on staff as a medical 
director to provide clinical expertise and judgment to understand 
Medicare policy, provide guidance in questionable claims review 
situations, recommend when corrective actions are needed to address 
the RAC-identified vulnerabilities that result in improper payments, 
and brief and direct personnel on the correct application of policy 
during claims review.[Footnote 52] CMS also required RACs to hire 
registered nurses or therapists to conduct medical necessity 
determinations and coding experts to conduct other types of reviews. 

Providers also reported that CMS's decision to allow the demonstration 
RACs to retain contingency fees for determinations overturned at the 
second through the fifth level of appeal led RACs to make questionable 
determinations to increase their fees. CMS chose this methodology, in 
part, to encourage companies to participate in the demonstration 
project. To address provider concerns about the incentives in the 
payment method, CMS will require RACs to refund contingency fees 
received on any determination overturned at any level of the appeals 
process. 

CMS Created Web Site Requirements for RACs Designed to Improve Service 
to Providers: 

In addition to the changes CMS made to improve oversight of RAC 
accuracy, CMS also created a number of requirements for RAC Web sites 
to address provider concerns about the RACs' service. Provider 
associations reported that during the demonstration project their 
members could not easily track the status of claims throughout the RAC 
adjudication process, including the status of medical record request 
submissions and appeals. CMS also reported in its evaluation report on 
the RAC demonstration project that providers wanting to track the 
status of their medical record submissions often had to make frequent 
phone calls to RAC call centers and read a list of case numbers. 

CMS required each RAC by January 1, 2010, to develop a tool on its Web 
site that will allow providers to track the status of a claim. This 
tool should include information on whether a medical record request is 
outstanding, whether the RAC received the requested medical records, 
whether the RAC's review is underway or complete, and whether the case 
is closed. As of January 4, 2010, according to a CMS official, 
providers could track the status of their requested claims on two of 
the four RAC Web sites. According to a CMS official, the remaining 
RACs will need to have their tools in place prior to issuing requests 
for medical records. 

Although providers expressed concern about the difficulty tracking the 
status of their appeals during the demonstration project, CMS has not 
required the RAC Web sites to include information on the status of 
appeals resulting from RAC determinations. According to CMS officials, 
the agency does not have a standard system to track first-level 
appeals, and it would be difficult for RACs to collect the information 
from a number of separate Medicare claims administration contractors. 
CMS officials overseeing the RAC program told us they are working with 
their counterparts in the Medicare appeals division within CMS to move 
up the date by which the Medicare claims administration contractors 
will begin using the CMS system that already tracks appeals at the 
second and third level. These same officials told us they anticipate 
RACs will eventually incorporate appeals information into their Web 
sites, though the inclusion of appeals information is not a 
requirement in the RAC contract. 

Providers also expressed concern that they did not know what 
vulnerabilities RACs were pursuing during the demonstration project. 
In addition to the new issue review process, CMS has required the RACs 
to post a description of each vulnerability that they audit on their 
Web sites. The postings include a description of the vulnerability, 
the states where the RAC identified the problem, and references to 
additional information about the vulnerability. According to CMS 
officials, providers will need to check the Web site of the RAC in 
their region to stay informed of emerging vulnerabilities under RAC 
review for improper payments. 

To address provider concerns about medical record requests getting 
lost during the demonstration project because a RAC did not send the 
request to the correct department or individual at a hospital or 
practice, CMS is requiring each RAC to develop a tool for its Web 
sites that will allow providers to customize their address and point-
of-contact information. CMS also encouraged the RACs to solicit the 
assistance of provider associations to help collect the information. 

CMS Developed Performance Metrics to Monitor RAC Accuracy and Provider 
Service: 

CMS developed performance metrics to oversee RAC accuracy, service to 
providers, and other aspects of performance. The performance metrics 
include measurements of the RACs' compliance with medical record 
request limits and the accuracy of RAC determinations, as evaluated by 
the VC, as well as measures of staff performance at each RAC's 
customer service phone number that is expected to respond to inquiries 
from providers. (See table 1.) 

Table 1: Selected Recovery Audit Contractor (RAC) Performance Metrics 
Related to Accuracy and Provider Service: 

Area of performance: Accuracy metrics; 
Individual performance metric: The RAC shall achieve an overall 90 
percent or greater accuracy score for the first contract year, as 
evaluated by the validation contractor. 

Area of performance: Accuracy metrics; 
Individual performance metric: The RAC's total annual percentage of 
claims overturned on appeal shall be less than 10 percent in Year One 
with a subsequent decrease to less than 5 percent in Year Two. 

Area of performance: Provider service metrics; 
Individual performance metric: Qualified personnel shall staff the RAC 
call center during normal business hours from 8:00 a.m. to 4:30 p.m. 
in the applicable time zone 100 percent of the time. 

Area of performance: Provider service metrics; 
Individual performance metric: The RAC call center staff shall answer 
questions fully and accurately 100 percent of the time unless complex 
issues require follow-up. 

Area of performance: Provider service metrics; 
Individual performance metric: The RAC shall respond to written 
correspondence within 30 calendar days of receipt 100 percent of the 
time. 

Area of performance: Provider service metrics; 
Individual performance metric: The RAC shall demonstrate use of a 
quality assurance program to ensure that all customer service 
representatives are knowledgeable, respectful to providers, and 
provide timely follow-up calls when necessary, 100 percent of the time. 

Area of performance: Provider service metrics; 
Individual performance metric: The RAC shall demonstrate 100 percent 
compliance with the medical record request limits as outlined by CMS. 

Source: GAO analysis of information from CMS. 

[End of table] 

CMS's RAC project officers will be responsible for monitoring each 
RAC's performance and following up with the RAC if its performance 
does not meet the required level in the national program. For 
instance, to monitor whether call center staff answer questions fully 
and accurately, project officers or their designees will randomly 
monitor calls to the RAC call center and investigate provider 
complaints. If a project officer determines that call center staff are 
not answering questions fully and completely all the time, the project 
officer will require the RAC to respond in writing to the finding and 
may require a corrective action plan. CMS's statement of work also 
includes a provision that CMS may stop recovery work in a particular 
region if evidence leads CMS to believe the RAC's plan to provide 
service to providers is inappropriate or ineffective. In such a case, 
CMS would not allow the RAC to resume recovery work until the RAC 
satisfied CMS it made all required improvements to its provider 
service in the area. 

Conclusions: 

The ultimate success of the government-wide effort to reduce improper 
payments hinges on each federal agency's diligence and commitment to 
identify, estimate, determine the causes of, take corrective actions 
on, and measure progress in reducing improper payments. To this end, 
CMS must establish effective accountability measures, and incentives, 
to ensure the RAC program meets the agency's stated objectives. 
Although the RAC demonstration project led to the successful 
recoupment and refunding of past improper payments, CMS did not focus 
sufficient attention on addressing the root causes of the 
vulnerabilities that caused them. Neither the IPPP developed during 
the demonstration project nor the current plan for the national 
program provide for sufficient monitoring and control activities to 
ensure that corrective actions are taken to help meet the overall goal 
of reducing improper payments in the Medicare program. Because the RAC 
national program team does not have the organizational authority 
within the agency to implement the corrective actions needed to 
address the vulnerabilities that lead to improper payments, CMS must 
develop criteria by which it prioritizes the activities of its various 
components and contractors to develop adequate measures to reduce 
future improper payments. The identification and prevention of future 
Medicare FFS improper payments due to vulnerabilities identified by 
the national RAC program require direction from a sufficiently high 
level within CMS to initiate action from the various parts of the 
agency and its contractors. In addition, assessing the effectiveness 
of the corrective actions taken is an important step for reducing 
future improper payments. 

Recommendations for Executive Action: 

To help reduce future improper payments, we recommend that the 
Administrator of CMS develop and implement a process that includes 
policies and procedures to ensure that the agency promptly: 

* evaluates findings of RAC audits, 

* decides on the appropriate response and a time frame for taking 
action based on established criteria, and: 

* acts to correct the vulnerabilities identified. 

As part of this process, we recommend that the Administrator of CMS 
designate key personnel with appropriate authority to be responsible 
for ensuring that corrective actions are implemented and that the 
actions taken were effective. 

Agency and Other External Comments: 

We provided a draft of this report to the HHS for comment. We also 
provided statements of facts from our draft report to the two Medicare 
claims administration contractors and seven provider associations we 
interviewed and requested their comments. We received written comments 
from HHS on behalf of CMS. These comments are reprinted in Appendix 
II. We also received oral or written comments from two Medicare claims 
administration contractors and five of the seven provider associations 
on statements of facts related to information they provided, including 
some technical comments that we incorporated as appropriate. 

CMS Comments: 

CMS commented that the national RAC program is an important step in 
meeting its commitment to lower the Medicare payment error rate. The 
agency indicated that our review imparted vital recommendations that 
will greatly enhance CMS's oversight of the RAC national program and 
CMS concurred with each of our recommendations. With regard to the 
recommendation that CMS promptly evaluate the findings of RAC audits, 
CMS concurred and discussed specific elements included in the national 
program that are designed to report vulnerabilities from RAC audits 
and potential corrective actions. CMS concurred with our 
recommendation that the agency implement a process to decide on the 
appropriate response to address each RAC-identified vulnerability, but 
indicated that more research might be needed to determine the 
appropriate response or corrective action for some vulnerabilities. 
CMS also concurred that the agency should act promptly to correct the 
vulnerabilities, but indicated that it did not consider a 
vulnerability to be validated until the majority of claims for that 
issue completed the Medicare appeals process. Since the appeals 
process can take more than 2 years, the approach CMS suggested in its 
comments did not align with the intent of our recommendation. After 
conferring with CMS officials to clarify the agency's intent on acting 
promptly on vulnerabilities identified during the RAC national 
program, CMS acknowledged that it intended to review vulnerabilities 
on a case-by-case basis and judge how quickly to act on each. Agency 
officials told us they were considering assigning vulnerabilities to 
risk categories from high to low that would help to determine whether 
the agency should take prompt action or whether it should wait for 
claims to complete the appeals process. These officials told us that 
waiting for the results of appeals would keep the agency from 
expending the resources on: 

corrective actions that would need to be reversed if the appeals 
process overruled RAC determinations. We agree that taking a risk-
based approach meets the intent of the recommendation. To clarify this 
intent, we modified our recommendation to make the prompt prioritizing 
and timing of corrective actions, based on established criteria, more 
explicit. Finally, CMS concurred with our recommendation that the 
agency designate key personnel to oversee that corrective actions are 
implemented and effective and stated that the Administrator of CMS is 
the official responsible for assuring that vulnerabilities that cut 
across all agency components are addressed. 

Other External Comments: 

We clarified information in the report based on comments from two 
Medicare claims administration contractors. In addition, the five 
associations that provided comments to us did not offer substantive 
changes to the statement of facts that they reviewed. Three 
associations affirmed that the draft report addressed issues they had 
raised about the RAC demonstration project and national program. These 
three associations also discussed in greater detail concerns that they 
continue to have with the RAC program, such as the many appeals still 
in process from the RAC demonstration project. The other two provider 
associations raised no substantive issues with the report. 

We are sending copies of this report to the Administrator of CMS and 
other interested parties. In addition, the report will be available at 
no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. 

Please contact us on (202) 512-7114 or (202) 512-9095 if you or your 
staff have any questions about this report. Contact points for our 
Office of: 

Congressional Relations and Office of Public Affairs can be found on 
the last page of this report. Other major contributors to this report 
are listed in Appendix III. 

Signed by: 

Kathleen M. King: 
Director, Health Care: 

Signed by: 

Kay L. Daly: 
Director, Financial Management and Assurance: 

List of Requesters: 

The Honorable Henry A. Waxman: 
Chairman: 
The Honorable John D. Dingell: 
Chairman Emeritus: 
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable Sander M. Levin: 
Acting Chairman: 
Committee on Ways and Means: 
House of Representatives: 

The Honorable Frank Pallone, Jr. 
Chairman: 
Subcommittee on Health: 
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable Pete Stark: 
Chairman: 
Subcommittee on Health: 
Committee on Ways and Means: 
House of Representatives: 

The Honorable Lois Capps: 
House of Representatives: 

The Honorable Charles B. Rangel: 
House of Representatives: 

[End of section] 

Appendix I: Selected Changes Made to the Medicare National Recovery 
Audit Contractors (RAC) Program: 

As a result of the RAC demonstration project, the Centers for Medicare 
& Medicaid Services (CMS) included the following features in the RAC 
national program: 

* RACs are to have a physician medical director. 

* RACs are to be staffed with registered nurses or therapists to make 
coverage and medical necessity determinations and certified coders to 
make coding determinations. 

* RACs are to make credentials of reviewers available to providers 
upon request. 

* Providers will be able to discuss claim denials with the RAC medical 
director upon request. 

* The minimum claim amount that the RACs will review was raised to $10 
minimum per claim (instead of $10 minimum for aggregated claims). 

* CMS will use a validation contractor to independently examine the 
criteria each RAC plans to use to make its determinations and the 
accuracy of RAC determinations. 

* RACs must return the related contingency fee if a claim is 
overturned on appeal. 

* RACs must use standardized letters to notify providers of 
overpayments: 

* The look-back period (from claim payment date to date of medical 
record request) is reduced from 4 years to 3 years. 

* The RACs are allowed to review claims paid in the current fiscal 
year. 

* CMS is putting limits on the number of medical record requests in a 
45 day period. 

* The time frame for paying hospital medical record photocopying 
vouchers is to be set at 45 days from receipt of medical record. 

* CMS is not including Medicare Secondary Payer claims audits in the 
National Program.[Footnote 53] 

* RACs are to have quality assurance/internal control audits. 

* RACs are to list the reason for review on "request for records" 
letters and overpayment letters. 

* The status of specific claims are to be posted on RAC Web page. 

* RAC contingency fees are to be made publicly available. 

[End of section] 

Appendix II: Comments from the Department of Health & Human Services: 

Department Of Health & Human Services: 
Office Of The Secretary: 
Assistant Secretary for Legislation: 
Washington, DC 20201: 

March 3, 2010: 

Kathleen M. King: 
Director, Health Care: 
U.S. Government Accountability Office: 
441 G Street N.W. 
Washington, DC 20548: 

Dear Ms King: 

Enclosed are comments on the U.S. Government Accountability Office's 
(GAO) report entitled: "Medicare Recovery Audit Contracting: 
Weaknesses Remain in Process to Address Vulnerabilities to Improper 
Payments, Although Improvements Made to Contractor Oversight in 
National Program" (GAO-10-143). 

The Department appreciates the opportunity to review this report 
before its publication. 

Sincerely, 

Signed by: 

Andrea Palm: 
Acting Assistant Secretary for Legislation: 

Enclosure: 

[End of letter] 

General Comments Of The Department Of Health And Human Services On The 
Government Accountability Office's (GAO) Draft Report Entitled, 
"Medicare Recovery Audit Contracting: Weaknesses Remain In Process To 
Address Vulnerabilities To Improper Payments, Although Improvements 
Made To Contractor Oversight In National Program" (GA0-10-143): 

The Department appreciates the opportunity to review and comment on 
this Draft Report. The Congressional authority granted through the Tax 
Relief and Health Care Act of 2006, allowed the Centers for Medicare & 
Medicaid Services (CMS) to implement the Recovery Audit Contractor 
(RAC) Program on a permanent and nationwide basis. This is an 
important step forward in our commitment to lowering the improper 
payment error rate and preserving the Medicare Trust Funds for current 
and future generations. The CMS appreciates the time and resources GAO 
has invested to review the RAC Demonstration and implementation of the 
RAC National Program. Based on their extensive and thorough review, 
GAO has imparted vital recommendations which will greatly enhance CMS' 
oversight as the RAC National Program progresses. 

Section 306 of the Medicare Modernization Act (MMA) required CMS to 
establish the RAC Demonstration Project. The demonstration's purpose 
was to determine if recovery auditors could identify improper payments 
paid by the Medicare fee-for-service program. As discussed in the 
report, the RAC demonstration succeeded in correcting more than $l 
billion in improper Medicare payments. About 96 percent of these 
improper payments were overpayments, a fraction of which was used to 
pay for the program and the rest was returned to the Medicare Trust 
Funds. 

Even though the purpose of the RAC Demonstration Project was to 
determine if RACs could be utilized in Medicare, CMS used the results 
from the demonstration to inform us in the design of the RAC National 
Program. Specifically, CMS made the following improvements to the 
program: 

* Established a New Issue Approval Process where CMS approves each RAC 
issue for review prior to widespread review and/or communication with 
providers. CMS believes this will reduce the differences in 
interpretation of policies and/or manuals between CMS and the RAC thus 
ensuring accurate improper payments are identified; 

* Required each RAC to have a Medical Director on staff to ensure 
physician involvement in the review process and to ensure providers 
have a physician to discuss improper payment identifications and the 
reason for the denial; 

* Established a documentation request limit of a maximum of 200 
requests per 45 days to limit the cost and administrative burden of 
the RAC program on Medicare providers; 

* Required each RAC to have a website to inform providers about the 
RAC program, approved new issues, major findings, contact information 
and a web portal allowing providers to see specific claim details, and; 

* Established metrics for monitoring the RACs' performance on 
compliance, accuracy and provider service. These findings will be 
shared with the public on an annual basis. 

We appreciate GAO recognizing our efforts and the need to balance the 
concerns of the provider community with the agency's need to identify 
improper payments. We will continue to improve the RAC National 
Program in the future. 

Our detailed comments on the report recommendations follow. 

GAO Recommendation: 

To help reduce future improper payments, we recommend that the 
Administrator of CMS develop and implement a process that includes 
policies and procedures to ensure that the agency: 

* Promptly evaluates findings of RAC audits, 

* Decides on the appropriate response, and, 

* Acts promptly to correct the vulnerabilities identified. 

As part of this process, we recommend that the Administrator of CMS 
designate key personnel with appropriate authority to be responsible 
for ensuring that corrective actions are implemented and that the 
actions taken were effective. 

CMS Response: 

Promptly evaluates findings of RAC audits. 

The CMS concurs. In the current RAC Statement of Work the reporting of 
vulnerabilities and recommended corrective actions for vulnerabilities 
is required on a monthly basis. CMS has created a corrective actions 
team within the RAC program to review the vulnerabilities after
appeal and determine if a referral to the applicable policy or 
coverage staff is warranted. CMS is also continuing the vulnerability 
calls to alert claim processing contractors and CMS staff on
issues being reviewed by the RACs. In addition, CMS has an independent 
contractor reviewing the RAC Data Warehouse on a quarterly basis 
looking for trends in the data. These reports are sent to CMS 
quarterly and will be shared with all Center/Office components and 
external entities such as the OIG. Lastly, all RACs are required to 
place vulnerabilities or major findings on their websites to notify 
the provider community and CMS will continue to share the top improper 
payment identifications with the public. 

Decides on the appropriate response. 

The CMS concurs. Information on RAC identifications is made available 
to the public. This information can be used to determine the 
appropriate response or corrective action. In many cases though, 
additional research may be necessary. According to the July 2008 
Evaluation Report of the RAC Demonstration, complex reviews accounted 
for approximately 30% of the improper payments identified. These 
claims needed additional review by a clinician prior to a 
determination regarding the accuracy of the payment. Lack of 
documentation was a prevailing cause of the denials of the complex 
cases. In these cases the corrective action taken was an effort to 
increase the awareness in the provider community for physicians to 
adequately document their case files. Corrective actions can take 
place in many forms. For example, provider education, policy 
clarifications and system edits can all be corrective actions. 

Acts promptly to correct the vulnerabilities identified. 

The CMS concurs. Beginning in the FY 2006 CMS RAC Status Document and 
every subsequent update, CMS provided the public with information 
concerning the top improper payments identified by the RAC by provider 
type. CMS felt this information was helpful to providers who wished to 
conduct internal quality reviews. In May 2007, CMS began having 
regular vulnerability calls with CMS claim processing contractors and 
internal CMS staff to discuss RAC identified issues. At the conclusion 
of the demonstration, CMS completed a Joint Signature Memoranda to all 
contractors to determine actions taken because of these calls. 
Contractors around the nation conducted pre-pay review, updated Local 
Coverage Determinations, conducted provider education and installed 
local edits in response to issues that were identified by the RAC 
demonstration. 

The CMS believes it is important to take the validated RAC findings 
and work to correct the vulnerabilities identified. However, as stated 
in the previous recommendation many of the findings need additional 
research to determine the appropriate response. In addition, CMS does 
not consider a RAC finding to be validated until the majority of 
claims for that issue have completed the Medicare Appeals Process. It 
is necessary to wait for the appeals process to be completed to ensure 
the identification was accurate and appropriate. Lastly, the appropriate
corrective action put into place will be determined by factors such as 
cost efficiencies and system limitations. 

GAO Recommendation: 

As part of this process, we recommend that the Administrator of CMS 
designate key personnel with appropriate authority to be responsible 
for ensuring that corrective actions are implemented and that the 
actions taken were effective. 

CMS Response: 

The CMS appreciates the recommendation and concurs. The responsible 
official for the day-to-day operations of the RAC program is the 
Director of the Office of Financial Management. For those 
vulnerabilities that cut across all agency components, the responsible 
official is the Administrator of CMS. 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Kathleen M. King, (202) 512-7114 or kingk@gao.gov Kay L. Daly, (202) 
512-9095 or dalykl@gao.gov: 

Acknowledgments: 

In addition to the contacts named above, Sheila K. Avruch, Assistant 
Director; Carla Lewis, Assistant Director; Lori Achman; Jennie Apter; 
Anne Hopewell; Nina M. Rostro; and Jennifer Saunders made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] In 1990, GAO began to report on government operations that it 
identified as "high risk" for serious weaknesses in areas that involve 
substantial resources and provide critical services to the public. See 
GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[2] Fraud is an intentional act or representation to deceive with 
knowledge that the action or representation could result in an 
inappropriate gain. Abuse typically involves actions that are 
inconsistent with acceptable business or medical practices and result 
in unnecessary costs. 

[3] Medicare FFS includes two parts--Medicare Parts A and B whereby 
providers are paid for each service or unit of service provided. 
Medicare Part A covers inpatient hospital services, skilled nursing 
facility services, some home health, and hospice services. Medicare 
Part B covers hospital outpatient, physician services, some home 
health services and preventive services, among other things. 

[4] Current year outlays for Medicare FFS are from the November 2009 
Improper Medicare FFS Payments Report in HHS's Fiscal Year 2009 Agency 
Financial Report and are based on claims from April 2008 through March 
2009. Annual improper payment reports are required by the Improper 
Payments Information Act of 2002 and applicable Office of Management 
and Budget guidance to help reduce improper payments. 

[5] The Secretary of HHS delegated the authority vested in that 
position under the Medicare provisions of the Social Security Act to 
the Administrator of CMS. 

[6] CMS is in the process of transitioning from fiscal intermediaries 
and carriers to new contracting entities called Medicare 
Administrative Contractors (MACs) due to statutorily required changes 
in Medicare administration in the Medicare Prescription Drug, 
Improvement, and Modernization Act of 2003 (MMA). Because the 
transition is ongoing, for purposes of this report, we will use the 
term Medicare claims administration contractors to refer to the 
contractors that historically processed Medicare claims--fiscal 
intermediaries and carriers--as well as the new MACs. Up until this 
transition, fiscal intermediaries were responsible for claims 
submitted by hospitals, home health agencies, hospital outpatient 
departments, skilled nursing facilities, and hospices. Carriers were 
responsible for claims submitted by physicians, diagnostic 
laboratories and facilities, and ambulance service providers. 

[7] CMS uses the term "providers" to refer collectively to physicians 
and non-physician practitioners who provide health care services to 
Medicare beneficiaries. 

[8] Pub. L. No. 108-173, § 306, 117 Stat. 2066, 2256-57. 

[9] According to the Office of Management and Budget (OMB), recovery 
auditing is not an audit in the traditional sense. Rather, it is a 
control activity designed to assure the integrity of contract 
payments, and, as such, serves a management function. See Appendix C 
to OMB Circular No. A-123, Requirements for Effective Measurement and 
Remediation of Improper Payments (Aug. 10, 2006). A new Part III to 
Appendix C was issued on March 22, 2010. See OMB memorandum M-10-13. 

[10] CMS initially contracted in March 2005 with three RACs to review 
Medicare claims from California, Florida, and New York. CMS later 
expanded the demonstration to three additional states--Arizona, 
Massachusetts, and South Carolina. While CMS added Arizona to the 
demonstration in July 2007, the RAC did not review any Arizona claims 
prior to the end of the RAC demonstration project in March 2008. 

[11] The MMA also required CMS to retain a percentage of the amount 
recovered for program management. 

[12] During the demonstration, CMS paid the RACs a total of $187.2 
million in contingency fees. Initially, the RAC demonstration project 
did not include contingency fee payment to the RACs for identifying 
underpayments and refunding providers. Beginning on March 1, 2006, the 
RACs were paid an equivalent percentage contingency fee for the 
identification of underpayments. 

[13] The total amount returned to the Trust Funds includes 
overpayments identified by the three RACs reviewing claims (claim 
RACs) as well as two Medicare Secondary Payer RACs that participated 
in the demonstration project. These overpayments were collected by 
their Medicare claims administration contractors. The Medicare 
Secondary Payer RACs identified overpayments for which an insurer 
other than Medicare should have served as the primary payer of the 
claim. Medicare Secondary Payer RACs were not included in the national 
program because they identified few improper payments during the 
demonstration project. Of the overpayments collected, CMS reported in 
its November 2006 report, about 6 percent were attributable to the 
Medicare Secondary Payer RACs. See, Centers for Medicare & Medicaid 
Services, CMS RAC Status Document FY 2006: Status on the Use of 
Recovery Audit Contractors (RACs) in the Medicare Program. (Baltimore, 
Md.: November 2006). This report focuses on the recovery reviews of 
the "Claim" RACs and does not discuss the findings from the Medicare 
Secondary Payer RACs. 

[14] Providers could appeal RAC determinations through the standard 
Medicare appeals process, which includes five levels of review. 

[15] See Department of Health and Human Services, Centers for Medicare 
and Medicaid Services, The Medicare Recovery Audit Contractor (RAC) 
Program: An Evaluation of the 3-Year Demonstration (Baltimore, Md.: 
June 2008). 

[16] Internal control is the component of an organization's management 
that provides reasonable assurance that the organization achieves: 
effective and efficient operations, reliable financial reporting, and 
compliance with applicable laws and regulations. Internal control 
standards provide a framework for identifying and addressing major 
performance challenges and areas at greatest risk for mismanagement. 
GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[17] See GAO Internal Control Management and Evaluation Tool, 
[hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, 
D.C.: August 2001). 

[18] See U. S. Department of Health and Human Services, Centers for 
Medicare and Medicaid Services, The Essential Steps for an Effective 
Corrective Action Process (Oct. 23, 2007). 

[19] Due to appeal decisions made in favor of providers, the total 
amount of improper payments identified by the RAC demonstration 
project is likely to be less than stated in the June 2008 RAC 
Evaluation Report. See Department of Health and Human Services, 
Centers for Medicare and Medicaid Services, The Medicare Recovery 
Audit Contractor (RAC) Program: An Evaluation of the 3-Year 
Demonstration (Baltimore, Md.: June 2008) and Department of Health and 
Human Services, Centers for Medicare and Medicaid Services, The 
Medicare Recovery Audit Contractor (RAC) Program: Update to the 
Evaluation of the 3-Year, Demonstration (Baltimore, Md.: January 2009). 

[20] These two Medicare claims administration contractors were 
responsible for processing Part A claims for three demonstration 
states and Part B claims for two of the demonstration states. 

[21] HHS reported that there were 51 fiscal intermediaries and 
carriers as of February 2005. 

[22] NCDs are decisions by CMS that outline nationwide policy on 
whether Medicare covers particular services or items. They are made 
through an evidence-based process with opportunities for public 
participation, and determine whether services are reasonable and 
necessary across all jurisdictions. An LCD is a decision by Medicare 
claims administration contractor on whether to cover a particular 
service in its jurisdiction, based on whether the service is 
reasonable and necessary. 

[23] We previously found that Medicare claims administration 
contractors conducted limited manual pre-payment reviews and reviewed 
less than 5 percent of claims post-payment. See GAO, Medicare: Recent 
CMS Reforms Address Carrier Scrutiny of Physicians' Claims for 
Payment, [hyperlink, http://www.gao.gov/products/GAO-02-693] 
(Washington, D.C.: May 28, 2002) and GAO, Medicare: Improvements 
Needed to Address Improper Payments in Home Health, [hyperlink, 
http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27, 
2009). Medicare claims administration contractors typically select a 
small sample of claims for review from providers or suppliers who 
demonstrate aberrant billing or practice patterns. 

[24] Systems edits confirm that the data entered in a claim is in the 
correct format, check for the proper coding of the fields needed for 
payment, check if the service or procedure is covered by Medicare, and 
validate that the beneficiary is eligible for the service provided. In 
addition, systems edits may be used to identify certain duplicate 
claims, to implement NCDs or LCDs, or to prevent payments for 
egregious amounts to providers with a pattern of billing for services 
not covered. 

[25] Medical records may include: physician orders for care and 
treatments, medical diagnoses, rehabilitation diagnoses, past medical 
history, progress notes, and laboratory and other test results 
supporting the beneficiary's need for the services being provided. 

[26] While CMS added Arizona to the demonstration project in July 
2007, the relevant RAC did not review any Arizona claims prior to the 
end of the RAC demonstration. 

[27] For example, CMS contractors responsible for investigating 
potential Medicare fraud may conduct post-payment review on claims to 
determine whether to refer a case to a law enforcement agency for 
fraud investigation. 

[28] This total represents funds returned to the Medicare Trust Funds 
from both the claim and Medicare Secondary Payer RAC-identified 
improper payments, adjusting for underpayments made to providers, 
overpayments overturned on appeal and operating costs through March 
27, 2008. 

[29] According to CMS, because RACs were paid on a contingency fee 
basis, they focused their reviews on high-value claims with the 
greatest potential to provide the highest contingency fees. 

[30] Medicare's payment system relies on the coding of services, 
procedures, and devices provided to beneficiaries. Medicare's claims- 
administration contractors pay claims according to the codes assigned. 

[31] CMS's January 2009 update to the RAC Evaluation Report included 
appeal decisions through August 2008. CMS reported that 7.6 percent of 
RAC overpayment decisions were overturned on appeal--an increase from 
the approximately 5 percent overturned on appeal through March 2008 
that was reported in the June 2008 evaluation report. As of January 
2010, CMS was still waiting for the final data on appeals filed from 
the RAC demonstration. 

[32] The RACs will receive contingency fees ranging from 9.0 percent 
to 12.5 percent depending on the jurisdiction. 

[33] As of October 2009, all four RACs had begun CMS-approved 
automated reviews of claims. 

[34] In its report, The Medicare Recovery Audit Contractor (RAC) 
Program: An Evaluation of the 3-Year Demonstration, issued in June 
2008, CMS described vulnerabilities as service-specific issues that 
resulted in RAC-identified improper payments. 

[35] The IPPP was an internal spreadsheet used by CMS to track the 
most significant vulnerabilities identified during the demonstration 
project. This spreadsheet was the only document CMS provided us that 
described the corrective actions taken by CMS and the Medicare claims 
administration contractors and the status of the vulnerabilities 
listed. 

[36] The IPPP threshold for significance was $500,000 for DME 
overpayments that were collected. 

[37] The IPPP did not include underpayments. 

[38] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[39] This information is based on our analysis of the data recorded on 
the IPPP and we did not verify the accuracy of it. Although CMS listed 
some corrective actions in its evaluation report of the 3-year 
demonstration, issued in June 2008, most of the actions listed were 
vague and did not address the root causes of payment errors. 

[40] The 18 specific medical services represented the most significant 
vulnerabilities with overpayments of more than $1 million. In its June 
2008 evaluation, CMS reported a total of $997.2 million in 
overpayments identified during the demonstration. 

[41] The $231 million includes the amounts for vulnerabilities in 
CMS's evaluation report on the 3-year demonstration for which no 
corrective actions were taken based on a status of "pending" or 
"closed-no action taken" listed in CMS's IPPP. Centers for Medicare & 
Medicaid Services, Medicare RAC Program: An Evaluation of the 3-Year 
Demonstration, Appendix G (Baltimore, Md.: June 2008). 

[42] Percentages do not add up to 40 percent due to rounding. 

[43] CMS categorized the vulnerabilities in its IPPP as pending or 
closed. CMS indicated no sufficient action was taken for the pending 
vulnerabilities. CMS categorized those vulnerabilities for which 
corrective action(s) had been taken, as well as the seven 
vulnerabilities for which the agency was unable to take action, as 
closed. 

[44] The other Medicare claims administration contractor provided 
information on four corrective actions that it took to address RAC 
findings. 

[45] See GAO, CMS Did Not Control Rising Power Wheelchair Spending, 
[hyperlink, http://www.gao.gov/products/GAO-04-716T] (Washington, 
D.C.: April 2004) and GAO, CMS's Program Safeguards Did Not Deter 
Growth in Spending for Power Wheelchairs, [hyperlink, 
http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: November 
2004). 

[46] See U.S. Department of Health and Human Services, Office of 
Inspector General, Review of High-Dollar Payments for Inpatient 
Services Processed by Palmetto GBA, Intermediary #382, for the Period 
January 1, 2004 Through December 31, 2005, A-04-07-06023 (Atlanta, GA: 
October 2008) and GAO, CMS's Program Safeguards Did Not Deter Growth 
in Spending for Power Wheelchairs, [hyperlink, 
http://www.gao.gov/products/GAO-05-43] (Washington, D.C.: Nov. 17, 
2004). 

[47] GAO, Improper Payments: Responses to Posthearing Questions 
Related to Eliminating Waste and Fraud in Medicare and Medicaid, 
[hyperlink, http://www.gao.gov/products/GAO-09-838R] (Washington, D. 
C.: July 20, 2009). 

[48] One of the Medicare claims administration contractors reported 
that after the demonstration ended, it had difficulty obtaining 
medical records related to provider appeals and, as a result, had to 
ask providers to resubmit copies of medical records. 

[49] We have suggested that agencies should create and monitor 
performance measures that address important dimensions of program 
performance (see GAO, Agency Performance Plans: Examples of Practices 
That Can Improve Usefulness to Decisionmakers, GAO/GGD/AIMD-99-69, 
(Washington, D.C.: Feb. 26, 1999) and Internal Control Management and 
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] 
(Washington, D.C.: August 2001)). 

[50] CMS contracted with a VC to review vulnerabilities the 
demonstration RACs wished to pursue during the final 7 months of the 
RAC demonstration project (September 2007 through March 2008). 

[51] Provider associations told us that providers may choose not to 
appeal a RAC determination if the effort and cost involved in filing 
the appeal outweighs the benefit of recouping the money originally 
lost by the RAC's determination. 

[52] RAC medical directors are also expected to be responsible for 
keeping abreast of medical practice and technology changes that may 
result in improper billing or program abuse; interacting with the 
medical directors at other contractors or RACs to share information on 
potential problem areas; participating in medical director clinical 
workshops, as appropriate; providing input on national coverage and 
payment policy upon request; and participating in CMS and RAC 
presentations to providers and associations. 

[53] CMS included two Medicare Secondary Payer RACs in the 
demonstration project. They identified overpayments for which the 
beneficiary's other insurance, rather than Medicare Fee-for-Service, 
should have served as the primary payer of the claim. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: