Veterans Community Care Program: VA Should Strengthen Its Ability to Identify Ineligible Health Care Providers [Reissued with revisions on Mar. 11, 2022.]
Fast Facts
The VA allows eligible veterans to receive care from community providers when they face challenges accessing care at VA medical facilities. The VA is still responsible for ensuring that these community providers are qualified and competent.
However, the VA may have mistakenly allowed some ineligible community providers to participate in this program. For instance, we found 1,600 potentially ineligible providers in VA's system—including some who had revoked or suspended medical licenses.
We recommended that the VA improve its controls and standard operating procedures to exclude all ineligible providers from its community care program.
Reissued with Revisions Mar 11, 2022Revised March 11, 2022 to include page four of VA’s response to GAO’s recommendations.
Highlights
What GAO Found
GAO found vulnerabilities in the controls used by the Department of Veterans Affairs' (VA) Veterans Health Administration (VHA) and its contractors to identify health care providers who are not eligible to participate in the Veterans Community Care Program (VCCP), resulting in the inclusion of potentially ineligible providers.
Examples of Requirements of and Restrictions on Veterans Community Care Program Provider Eligibility
Of over 800,000 providers assessed, GAO identified approximately 1,600 VCCP providers who were deceased, were ineligible to work with the federal government, or had revoked or suspended medical licenses. VHA and its contractors had controls in place to identify such providers. However, the existing controls missed some providers who could have been identified with enhanced controls and more consistent implementation of standard operating procedures. For example, GAO found the following:
- One provider had an expired nursing license in April 2016 and was arrested for assault in October 2018. This provider was excluded from working in federally funded health care programs. The provider was convicted of patient abuse and neglect in July 2019. The provider entered the VCCP in November 2019. VHA officials stated that this provider was uploaded into the system in error.
- One provider was eligible for referrals in the VHA system, but his medical license had been revoked in 2019. Licensing documents stated that the provider posed a clear and immediate danger to public health and safety.
GAO also identified weaknesses in oversight of provider address data. Some VCCP providers used commercial mail receiving addresses as their only service address. Such addresses have been disguised as business addresses in the past by individuals intending to commit fraud. VHA has not assessed the fraud risk that invalid address data pose to the program.
These vulnerabilities potentially put veterans at risk of receiving care from unqualified providers. Additionally, VHA is at risk of fraudulent activity, as some of the providers GAO identified had previous convictions of health-care fraud. VA has an opportunity to address these limitations as it continues to refine the controls, policies, and procedures for this 2-year old program.
Why GAO Did This Study
The VHA allows eligible veterans to receive care from community providers through VA's VCCP when veterans face challenges accessing care at VA medical facilities. VHA is responsible for ensuring VCCP providers are qualified and competent to provide safe care to veterans based on the eligibility requirements and restrictions.
GAO was asked to examine the extent to which vulnerabilities in VCCP provider eligibility controls contributed to potentially ineligible providers participating in the program.
GAO reviewed VHA and contractor standard operating procedures, policies, and guidance. GAO also interviewed knowledgeable officials. To identify potentially ineligible providers, GAO compared data from VHA's Office of Community Care to data sources related to actions that may exclude providers from participating in the VCCP.
Reissued with revisions on Mar. 11, 2022.
Revised March 11, 2022 to include page four of VA’s response to GAO’s recommendations.Recommendations
GAO is making ten recommendations to VA, including that VA enhance existing controls, consistently implement controls as described in standard operating procedures, and assess the fraud risk of invalid provider address data. VA generally agreed with GAO's ten recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Veterans Affairs | The Under Secretary for Health should ensure that Community Care Network contractors perform automated monthly checks for all VCCP providers against the HHS OIG LEIE using SSN, date of birth, and other unique identifiers. (Recommendation 1) |
On December 4, 2023, GAO and VHA officials convened to clarify the intentions of Recommendations 1 and 3 and discussed how a new contract with TPAs might address the issues at stake. Afterwards, GAO forwarded its January 26, 2022 email to VHA, which contained referrals of providers who GAO flagged as potentially ineligible to participate in the VCCP but who were active in PPMS at the time of the audit. GAO suggested that a review of these referrals would help VHA determine the effectiveness of their revised controls since the audit.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care identifies and implements a process to inform schedulers of specific HHS OIG LEIE waiver specifications. (Recommendation 2) |
In January 2023, VA provided evidence that the agency developed and implemented a process by which providers with List of Excluded Individuals/Entities waivers were appropriately marked as eligible for participation in the Veterans Community Care Program only in the states specified by the waiver.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care revises its Provider Exclusion Standard Operating Procedures to require automated matching of providers in PPMS to the SAM Exclusions file using both TIN and NPI as identifiers. (Recommendation 3) |
On December 4, 2023, GAO and VHA officials convened to clarify the intentions of Recommendations 1 and 3 and discussed how a new contract with TPAs might address the issues at stake. Afterwards, GAO forwarded its January 26, 2022 email to VHA, which contained referrals of providers who GAO flagged as potentially ineligible to participate in the VCCP but who were active in PPMS at the time of the audit. GAO suggested that a review of these referrals would help VHA determine the effectiveness of their revised controls since the audit.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care consults with the Administrator of the GSA to correct technical issues to ensure VHA can routinely monitor PPMS providers on the SAM Exclusions file. (Recommendation 4) |
In January 2023, VA provided evidence that the agency had resolved technical issues that had prevented the agency from routinely monitoring PPMS providers on the SAM exclusions file. Specifically, VA created a new process that downloads an exported list of providers from a GSA website. In September 2023, VA further demonstrated its success in running this eligibility test by producing an example of the results of a recent test. By creating this process, VA can now ensure that it consistently screens PPMS providers using the SAM Exclusions file without the technical challenges it faced before implementing this new process.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care conducts automated matching of PPMS to LEIE, SAM, and NPPES in accordance with the monthly timeline outlined in its Provider Exclusion Standard Operating Procedures. (Recommendation 5) |
In April 2023, VA provided evidence that demonstrated the agency's success in conducting automated matching of PPMS to LEIE, SAM, and NPPES in accordance with the guidelines in its Provider Exclusion Standard Operating Procedures. Specifically, the process validates PPMS data using these three data sources on a monthly or more frequent basis, within the monthly timeline in the guidance. The evidence demonstrated the success of the verification.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care identifies inherent fraud risks related to VCCP provider address controls. (Recommendation 6) |
In January 2023, VA provided a fraud risk assessment that identified inherent fraud risks related to VCCP provider address controls.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care assesses the likelihood and impact of inherent fraud risks related to VCCP provider address controls. (Recommendation 7) |
In January 2023, VA provided a fraud risk assessment that determined the likelihood of fraud related to providers using PO boxes for service addresses.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that VHA Office of Community Care determines the fraud risk tolerance related to VCCP provider address controls. (Recommendation 8) |
In January 2023, VA provided a fraud risk assessment that determined the fraud risk tolerance related to VCCP provider address controls.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care examines the suitability of existing fraud controls related to VCCP provider address controls. (Recommendation 9) |
In January 2023, VA provided a fraud risk assessment that examined the suitability of existing fraud controls related to VCCP provider address controls.
|
Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care documents the fraud risk profile related to VCCP provider address controls. (Recommendation 10) |
In January 2023, VA provided a fraud risk assessment that documented its fraud risk profile related to VCCP provider address controls.
|