Skip to main content

Medicare and Medicaid: CMS Needs to Fully Align Its Antifraud Efforts with the Fraud Risk Framework

GAO-18-88 Published: Dec 05, 2017. Publicly Released: Dec 05, 2017.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The approach that the Centers for Medicare & Medicaid Services (CMS) has taken for managing fraud risks across its four principal programs—Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the health-insurance marketplaces—is incorporated into its broader program-integrity approach. According to CMS officials, this broader program-integrity approach can help the agency develop control activities to address multiple sources of improper payments, including fraud. As the figure below shows, CMS views fraud as part of a spectrum of actions that may result in improper payments.

Centers for Medicare & Medicaid Services (CMS) Description of How the Agency Addresses the Spectrum of Fraud, Waste, and Abuse

Centers for Medicare & Medicaid Services (CMS) Description of How the Agency Addresses the Spectrum of Fraud, Waste, and Abuse

CMS's efforts managing fraud risks in Medicare and Medicaid partially align with GAO's 2015 A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). This framework describes leading practices in four components: commit , assess , design and implement , and evaluate and adapt . CMS has shown commitment to combating fraud in part by establishing a dedicated entity—the Center for Program Integrity—to lead antifraud efforts. Furthermore, CMS is offering and requiring antifraud training for stakeholder groups such as providers, beneficiaries, and health-insurance plans. However, CMS does not require fraud-awareness training on a regular basis for employees, a practice that the framework identifies as a way agencies can help create a culture of integrity and compliance. Regarding the assess and design and implement components, CMS has taken steps to identify fraud risks, such as by designating specific provider types as high risk and developing associated control activities. However, it has not conducted a fraud risk assessment for Medicare or Medicaid, and has not designed and implemented a risk-based antifraud strategy. A fraud risk assessment allows managers to fully consider fraud risks to their programs, analyze their likelihood and impact, and prioritize risks. Managers can then design and implement a strategy with specific control activities to mitigate these fraud risks, as well as an appropriate evaluation approach consistent with the evaluate and adapt component. By developing a fraud risk assessment and using that assessment to create an antifraud strategy and evaluation approach, CMS could better ensure that it is addressing the full portfolio of risks and strategically targeting the most-significant fraud risks facing Medicare and Medicaid.

Why GAO Did This Study

CMS, an agency within the Department of Health and Human Services (HHS), provides health coverage for over 145 million Americans through its four principal programs, with annual outlays of about $1.1 trillion. GAO has designated the two largest programs, Medicare and Medicaid, as high risk partly due to their vulnerability to fraud, waste, and abuse. In fiscal year 2016, improper payment estimates for these programs totaled about $95 billion.

GAO's Fraud Risk Framework and the subsequent enactment of the Fraud Reduction and Data Analytics Act of 2015 have called attention to the importance of federal agencies' antifraud efforts. This report examines (1) CMS's approach for managing fraud risks across its four principal programs, and (2) how CMS's efforts managing fraud risks in Medicare and Medicaid align with the Fraud Risk Framework.

GAO reviewed laws and regulations and HHS and CMS documents, such as program-integrity manuals. It also interviewed CMS officials and a sample of CMS stakeholders, including state officials and contractors. GAO selected states based on fraud risk and other factors, such as geographic diversity. GAO selected contractors based on a mix of companies and geographic areas served.

Recommendations

GAO recommends that CMS (1) provide and require fraud-awareness training to its employees, (2) conduct fraud risk assessments, and (3) create an antifraud strategy for Medicare and Medicaid, including an approach for evaluation. HHS concurred with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services The Administrator of CMS should provide fraud-awareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis. (Recommendation 1)
Closed – Implemented
The agency agreed with this recommendation. In July 2018, CMS reported that it is strengthening its efforts to ingrain fraud risk management principles throughout the Agency and is developing a training video, module, and curriculum to train staff agency-wide on fraud risks. In November 2019, CMS provided fraud-awareness training videos for new and current CMS employees. In November 2020, CMS provided evidence documenting mandatory nature of fraud awareness training for employees. These actions meet the intent of our recommendation and are consistent with leading practices identified in GAO's Fraud Risk Framework.
Centers for Medicare & Medicaid Services The Administrator of CMS should conduct fraud risk assessments for Medicare and Medicaid to include respective fraud risk profiles and plans for regularly updating the assessments and profiles. (Recommendation 2)
Closed – Implemented
Agency agreed with this recommendation. In 2021 and January 2022, CMS provided us with documentation of Risk Assessment Frameworks for Medicare Fee for Service, Medicare Part C, Medicare Part D, and Medicaid. These frameworks outline CMS approach and prioritization factors for conducting fraud risk assessments for specific program areas within Medicare and Medicaid using a standard format to document vulnerabilities, risks levels, residual risks, and mitigation strategies, among other topics. CMS approach also includes monitoring mitigation steps for assessed risks and regularly re-examining vulnerabilities based on risk and environmental factors. These actions meet the intent of our recommendation and are consistent with leading practices identified in GAO's Fraud Risk Framework.
Centers for Medicare & Medicaid Services The Administrator of CMS should, using the results of the fraud risk assessments for Medicare and Medicaid, create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation. (Recommendation 3)
Closed – Implemented
Agency agreed with this recommendation. In 2021 and 2022, CMS developed an organizing approach for conducting fraud risk assessments in Medicare and Medicaid (see Recommendation 2) and managing fraud risks. In 2023, CMS provided its antifraud strategy, which, among other things, articulated CMS's approach for managing fraud and other program integrity risks based on its existing process for identifying and assessing vulnerabilities in Medicare and Medicaid. The process also includes monitoring of vulnerabilities from identification through mitigation as well as post-implementation evaluation to determine the need for further action. CMS reported that the strategy is communicated to CMS employees through regular training and presentations to various CMS units, as well as externally to stakeholders and other audiences through meetings and conferences. These actions meet the intent of our recommendation and are consistent with leading practices identified in GAO's Fraud Risk Framework.

Full Report

GAO Contacts

Seto J. Bagdoyan
Director
Forensic Audits and Investigative Service

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

BeneficiariesCompliance oversightFraud, waste, and abuseImproper paymentsMedicaidMedicareProgram integrityRisk assessmentRisk managementMedicaid fraudMedicare fraudPublic health emergencies