Medicare: CMS Needs to Address Risks Posed by Provider Enrollment Waivers and Flexibilities
Fast Facts
To respond to COVID-19, the Centers for Medicare & Medicaid Services waived Medicare requirements to help health care providers treat patients.
We identified 47 waivers and flexibilities, such as waiving about 7,300 fingerprint-based background checks for types of providers posing a high risk of fraud, waste, and abuse.
Medicare took some steps to oversee providers who enrolled under waivers and flexibilities, such as investigating potential fraud, but it fell behind on other actions. We recommended that it complete the background checks, speed up reviews of provider information, and evaluate its performance.
Medicare is on our High Risk List.
The number of new suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) in Medicare escalated amid waived requirements.
Highlights
What GAO Found
GAO identified 47 waivers and flexibilities that the Centers for Medicare & Medicaid Services (CMS) issued to sustain Medicare's provider workforce capacity and beneficiary access to services during the COVID-19 pandemic. This included changes to provider enrollment screening, such as waiving about 7,300 fingerprint-based criminal background checks for provider types posing a high risk for fraud, waste, and abuse. It also included postponing site visits for high- and moderate-risk provider types, and postponing revalidating provider eligibility for all providers. In addition, CMS approved other waivers and flexibilities relating to clinicians' scope of practice and training, particularly for rural areas.
GAO found that about 220,000 providers enrolled under waivers and flexibilities from March 2020 through March 2022. Suppliers of durable medical equipment, prosthetics, orthotics, and supplies—a provider type CMS considers to pose a moderate or high risk for fraud, waste, and abuse—represented a small share (4 percent) of these enrollments. However, they were a large majority (83 percent) of the 208 enrollments CMS later revoked after finding they were ineligible. While this is not a large share of enrollments, even a small number of providers can cause significant financial harm if they commit fraud.
Percentage of Medicare Provider Enrollments and Revoked Enrollments under Waivers and Flexibilities, March 2020 through March 2022
CMS took steps to oversee providers who enrolled under waivers and flexibilities. Steps included monitoring providers' enrollment and billing information for potential fraud; conducting investigations; and applying safeguards, such as referring potential fraud to law enforcement. However, CMS has not fully addressed risks from provider enrollment waivers and flexibilities:
- Fingerprint-based criminal background checks: When waiving these checks, CMS officials intended to perform them later for providers enrolled under the waiver. However, CMS has not yet performed these checks.
- Revalidating provider eligibility: Without increasing pace and prioritization, CMS may not complete all 237,000 postponed revalidations of providers' eligibility before new revalidations are due, which occurs every 3 to 5 years.
There may be ways to improve the future use of provider enrollment waivers and flexibilities, according to CMS officials and contractor representatives. For example, maintaining requirements for providers posing a high risk of fraud may be appropriate. However, CMS has not planned an evaluation of these waivers and flexibilities, although the agency committed to do so in its Pandemic Plan.
Why GAO Did This Study
Medicare is on GAO's high-risk list due to its size, complexity, and vulnerability to improper payments, estimated at $47 billion in 2022. Medicare waivers and flexibilities during emergencies can help maintain access to Medicare services but also pose risks by removing program safeguards.
The CARES Act directs GAO to monitor the federal COVID-19 pandemic response. This report (1) describes Medicare waivers and flexibilities in response to the pandemic, (2) describes changes in Medicare provider enrollment after implementing waivers and flexibilities, and (3) examines CMS's oversight of waivers and flexibilities.
GAO reviewed relevant documents including CMS policies, such as waivers and flexibilities that it had issued. GAO analyzed Medicare provider enrollment data on the use of waivers and flexibilities from March 2020 through March 2022 and Medicare claims data from April 2020 through December 2021. GAO also interviewed officials from CMS and five Medicare contractors selected based on the geographic region where they operate, among other factors.
Recommendations
GAO is making four recommendations to CMS including conducting fingerprint-based criminal background checks, increasing the pace of revalidating provider eligibility, and evaluating opportunities for improvement in planning for future emergencies. CMS concurred with GAO's recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Centers for Medicare & Medicaid Services | The Administrator of CMS should conduct fingerprint-based criminal background checks for high-risk provider types who enrolled during the COVID-19 public health emergency, such as when CMS revalidates these providers' information. (Recommendation 1) |
CMS issued regulations that became effective January 1, 2024 that authorize the agency to conduct fingerprint-based criminal background checks for providers that were in a high-risk category at the time of initial enrollment when these providers revalidate enrollment. This authority may help CMS detect criminal behavior among high-risk providers who enrolled in Medicare during the COVID-19 public health emergency. As of August 2024, CMS anticipated that 4,940 high-risk provider types who enrolled while fingerprint-based criminal background check requirements were waived would begin submitting revalidations later in the year, and revalidations would be complete for all of these providers by December 2027. When we confirm what actions the agency has taken to conduct these background checks, we will provide updated information.
|
| Centers for Medicare & Medicaid Services | The Administrator of CMS should develop policies and procedures to postpone rather than waive fingerprint-based criminal background checks during future emergencies. (Recommendation 2) |
CMS issued regulations that became effective January 1, 2024 that authorize the agency to postpone rather than waive fingerprint-based criminal background checks for providers that were in a high-risk category at the time of initial enrollment. This authority may help CMS detect criminal behavior among high-risk providers who enrolled in Medicare during an emergency.
|
| Centers for Medicare & Medicaid Services | The Administrator of CMS should develop and implement a plan for conducting provider enrollment revalidations to ensure providers are revalidated prior to the end of their 3- to 5-year revalidation cycles, prioritizing moderate- and high-risk provider types. (Recommendation 3) |
CMS concurred with this recommendation. As of August 2024, CMS provided documentation supporting their revalidation efforts to date. CMS reported that out of 823,702 revalidations that had been delayed, 113,160 revalidations had been completed and 67,573 revalidations were in progress. When we confirm what actions the agency has taken to ensure moderate- and high-risk providers are revalidated prior to the end of their revalidation cycles, we will provide updated information.
|
| Centers for Medicare & Medicaid Services | The Administrator of CMS should evaluate waivers and flexibilities for provider enrollment, including related oversight challenges, and address any opportunities for improvement. This evaluation could consider targeting provider enrollment waivers and flexibilities to maintain requirements for provider types CMS considers high risk—including DMEPOS suppliers—and opportunities to track and communicate to program integrity contractors information about each waiver and flexibility providers enrolled under. (Recommendation 4) |
CMS concurred with this recommendation. In October 2024, CMS provided documentation of an assessment of provider enrollment waivers and flexibilities. This assessment included benefits, risks, and risk mitigations for each waiver or flexibility. It also included regulatory changes made to address risks and determinations as to whether each waiver should be maintained, discontinued, or analyzed further. We are closing this recommendation based on CMS's assessment and steps to mitigate risks associated with provider enrollment waivers and flexibilities.
|