This is the accessible text file for GAO report number GAO-13-50 entitled 'Medicaid Integrity Program: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency' which was released on December 10, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: November 2012: Medicaid Integrity Program: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency: GAO-13-50: GAO Highlights: Highlights of GAO-13-50, a report to congressional requesters. Why GAO Did This Study: Medicaid has the second-highest estimated improper payments of any federal program that reports such data. The Deficit Reduction Act of 2005 created the Medicaid Integrity Program to oversee and support state program integrity activities. CMS, the federal agency within HHS that oversees Medicaid, established the MIG to implement this new program. This report assesses (1) the MIG’s use of two types of contractors to review and audit state Medicaid claims, (2) the MIG’s implementation of other oversight and support activities, and (3) CMS and state reporting on the results of their program integrity activities. GAO analyzed MIG data on its contractors’ audits, training program for state officials, comprehensive state reviews, and state assessments; analyzed reports that summarized the monetary returns from MIG and state program integrity activities; and interviewed MIG officials, contractors, and state program integrity officials. What GAO Found: The Medicaid Integrity Group’s (MIG) hiring of separate review and audit contractors for its National Medicaid Audit Program (NMAP) was inefficient and led to duplication because key functions were performed by both entities. Review contractors analyze state claims data to identify aberrant claims or billing anomalies while audit contractors conduct postpayment audits to determine if payments to providers were improper. Because both types of contractors had to assess whether payments were improper under state Medicaid policies, having separate contractors doubled states’ burden in ensuring that state policies were being correctly applied. Also, poor coordination and communication between the two types of contractors resulted in duplicative data analysis. In turn, these inefficiencies added to the length of audits, which on average took almost 23 months to complete. By contrast, the average duration of six audits using a more collaborative and coordinated approach was 16 months, and the amount of identified overpayments increased significantly. Other MIG oversight and support activities—the free training provided to state officials through the Medicaid Integrity Institute, the evaluation of state program integrity procedures through triennial comprehensive reviews, and the collection of data from states through annual assessments—show mixed results in enhancing program integrity efforts. According to state officials, the modest expenditures on the institute result in valuable training and networking opportunities. The MIG, however, has not taken advantage of the potential for comprehensive reviews to inform the selection of states for federal audits. Although the MIG’s comprehensive reviews yield considerable information about state program integrity vulnerabilities, states with serious program integrity vulnerabilities often had few NMAP audits. Furthermore, the data collected through state program integrity assessments (SPIA) duplicate data collected through comprehensive reviews and other reports, are not validated, and, even if the data were accurate, are less current than similar data from other sources. Reporting by the Centers for Medicaid & Medicaid Services (CMS) on the return on investment (ROI) from the activities of the MIG is inadequate. CMS’s annual reports to Congress provide a limited picture of ROI for NMAP audits, which account for over half of the MIG’s annual expenditures, and it is difficult to calculate an ROI with the expenditure and activity information provided. The Department of Health and Human Services (HHS) recently announced that it will discontinue reporting a separate ROI for NMAP. In addition, CMS’s ROI methodology includes a percentage of state-identified overpayments reported on the SPIA, which is questionable. To date, CMS has not published an ROI methodology. Regarding state reporting of recoveries, we found that most states were not fully reporting recoveries according to specific program integrity activities and that a sizable number appeared to underreport aggregate recoveries compared to other sources. For example, one state reported aggregate recoveries of about $195,000 over 3 years to CMS but about $36 million in its annual report to the governor for 2 of these years. The apparent gaps in state reporting of such recoveries make it difficult to determine whether states are returning the federal share of recovered overpayments. A full accounting of state and NMAP related recoveries is vital for measuring the effectiveness of efforts to reduce improper payments. What GAO Recommends: GAO recommends that the CMS Administrator (1) eliminate duplication by merging contractor functions, (2) use comprehensive reviews to better target audits, (3) follow up with states to ensure reliable reporting of their program integrity recoveries, (4) discontinue the SPIA, and (5) reevaluate and publish its ROI methodology. In response, HHS concurred with three of GAO’s recommendations and partially concurred with the need to eliminate SPIA-related duplication and to reevaluate CMS’s ROI methodology. As discussed in this report, GAO continues to believe that its recommendations are valid. View [hyperlink, http://www.gao.gov/products/GAO-13-50]. For more information, contact Carolyn L. Yocom at (202) 512-7114 or yocomc@gao.gov. [End of section] Contents: Letter: Background: Use of Separate Review and Audit Contractors Was Inefficient, Led to Duplication, and Contributed to a Longer Audit Process: Other MIG Activities Show Mixed Results in Overseeing and Supporting States' Program Integrity Activities: Reporting on Program Integrity Results Is Inadequate: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Number of National Medicaid Audit Program Audits: Appendix II: Recoveries from State Medicaid Program Integrity Activities: Appendix III: Comments from the Department of Health and Human Services: Appendix IV: GAO Contact and Staff Acknowledgments: Related GAO Products: Tables: Table 1: States with Serious Program Integrity Vulnerabilities Identified in Comprehensive Reviews and the Number of Assigned NMAP Audits and State Rank as of February 2012: Table 2: MIG's Strategy to Measure Return on Investment across Activities: Table 3: Number of National Medicaid Audit Program Audits by State as of February 2012: Table 4: Fraud, Waste, and Abuse Recoveries from State Medicaid Program Integrity Activities, Fiscal Years 2009 through 2011: Figures: Figure 1: Review and Audit Contractors by State as of July 2012: Figure 2: Number of Audits and Total Potential Overpayments Identified and Sent to States for Recoupment (in millions of dollars) by Audit Approach, from fiscal year 2007 through February 29, 2012: Figure 3: Description of the MIG's Comprehensive Program Integrity Reviews: Figure 4: Number and Duration of MSIS Audits that Identified Potential Overpayments, by Fiscal Year in which Audit Was Assigned, Fiscal Years 2008 through 2010: Figure 5: Number of States Reporting No Recoveries to CMS for State- Based Data Analysis, Provider Audits, and Medicaid Fraud Control Unit Investigations, Fiscal Years 2010 and 2011: Abbreviations: CMS: Centers for Medicare & Medicaid Services: DRA: Deficit Reduction Act of 2005: HHS: Department of Health and Human Services: MBES: Medicaid Budget & Expenditure System: MFCU: Medicaid Fraud Control Unit: MIG: Medicaid Integrity Group: MMIS: Medicaid Management Information System: MSIS: Medicaid Statistical Information System: NMAP: National Medicaid Audit Program: OIG: Office of Inspector General: ROI: return on investment: SPIA: state program integrity assessment: SURS: Surveillance and Utilization Review Subsystem: [End of section] United States Government Accountability Office: Washington, DC 20548: November 13, 2012: The Honorable Thomas R. Carper: Chairman: The Honorable Scott P. Brown: Ranking Member: Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn: Ranking Member: Permanent Subcommittee on Investigations: Committee on Homeland Security and Governmental Affairs: United States Senate: The size and diversity of the Medicaid program make it particularly vulnerable to improper payments—-including payments made for treatments or services that were not covered by program rules, that were not medically necessary, or that were billed for but never provided.[Footnote 1,2] Medicaid, the joint federal-state health care financing program for certain low-income individuals, is one of the largest social programs in federal and state budgets, providing care to about 70 million individuals at a cost of $436 billion in fiscal year 2011.[Footnote 3] The Centers for Medicare & Medicaid Services (CMS), the federal agency within the Department of Health and Human Services (HHS) that oversees Medicaid, estimated that $21.9 billion (8.1 percent) of federal Medicaid expenditures for that fiscal year were improper—-the second-highest of any federal program that reports such data. We have had long-standing concerns about Medicaid’s program integrity. In January 2003 we added Medicaid to our list of high-risk programs because of concerns about the sufficiency of federal and state oversight.[Footnote 4] Two years later, we testified that CMS needed to increase its commitment—-both the alignment of resources and strategic planning—-to helping states fight Medicaid fraud, waste, and abuse.[Footnote 5] More recently, we highlighted the program’s vulnerability to improper payments.[Footnote 6] Until the Deficit Reduction Act of 2005 (DRA) expanded CMS’s role, Medicaid program integrity had been primarily a state responsibility. While states remain the first line of defense against Medicaid improper payments, the DRA established the Medicaid Integrity Program to provide effective federal support and assistance to states’ efforts to prevent improper payments.[Footnote 7] To implement this program, CMS established the Medicaid Integrity Group (MIG) in 2006, whose core activities consist of: * the National Medicaid Audit Program (NMAP), which uses contractors to analyze and audit state provider claims data in order to identify overpayments; * the Medicaid Integrity Institute--a national Medicaid integrity training program for state officials; * state comprehensive reviews--triennial assessments of states' program integrity procedures and processes; * state program integrity assessments (SPIA)--the annual collection of data on state Medicaid integrity activities; * state technical assistance; and: * education and training of providers on payment integrity and quality of care issues. You asked us to examine CMS's support for and oversight of states' efforts to prevent and reduce improper payments. To address your request, we first reported on the results of the MIG's efforts to redesign the NMAP, which accounts for about half of the MIG's expenditures.[Footnote 8] This report further examines the NMAP as well as the MIG's other activities. It assesses (1) how the MIG used contractors to conduct NMAP audits, (2) the MIG's implementation of several other oversight and support activities, and (3) the reporting of the results of program integrity activities by CMS and states. To assess how the MIG used contractors to conduct NMAP audits, we analyzed MIG data on audit assignments and its contractors' lessons learned reports. We discussed the NMAP program with MIG officials, representatives of the MIG's review and audit contractors, and program integrity officials in 11 states.[Footnote 9] Finally, we reviewed relevant HHS Office of the Inspector General (HHS-OIG) reports, and interviewed HHS-OIG officials involved in early assessments of the work of the MIG's review and audit contractors. To ensure the reliability of the data provided by the MIG, we reviewed the accompanying data descriptions and interviewed knowledgeable MIG officials. We determined that the data were reliable for our purposes. To assess the MIG's implementation of other oversight and support activities, we collected and analyzed available information on its three core activities. Specifically, we (1) examined materials related to the operation of the MIG's Medicaid Integrity Institute, such as the institute's 2011 training calendar and one course's after action evaluation report; (2) analyzed final reports for the MIG's most recent triennial comprehensive reviews of the 50 states and the District of Columbia for state program integrity vulnerabilities and compliance issues; and (3) reviewed the summary statistics collected annually as a part of the SPIA.[Footnote 10] We discussed these three activities with MIG officials and with program integrity staff in the same 11 states mentioned above, and reviewed other pertinent reports and documents related to these activities. We also performed reliability checks on the comprehensive reviews and SPIA data, such as reviewing relevant documentation and discussing these data sources and their internal controls with knowledgeable CMS officials. These officials told us that the SPIA data are self-reported and not validated. As a result, we discuss the SPIA's data limitations in this report but did not use these data to analyze states' reported recoveries. To assess the reporting of the results of program integrity activities by CMS and states, we reviewed CMS's annual budget justifications for fiscal years 2010-2013, the MIG's annual reports to Congress for fiscal years 2008-2010, and the HHS's performance management website; and we interviewed MIG officials. We also analyzed state-reported program integrity recoveries from the Medicaid Budget & Expenditures System (MBES), and discussed state reporting with officials in CMS's Center for Medicaid and CHIP Services, which is responsible for the database that captures state reporting.[Footnote 11] We performed reliability checks on the MBES data and discussed these data and their internal controls with knowledgeable CMS officials. Because we found that the MBES data were incomplete in their reporting of states' recoveries, we did not use this data source but do discuss the data limitations we identified in this report. We conducted this performance audit from July 2011 through November 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: The MIG implemented its set of core activities gradually from fiscal years 2006 to 2009 when it reached its annual funding level of $75 million.[Footnote 12] For example, the MIG initiated comprehensive reviews in fiscal year 2007, completing eight, week-long site visits and implemented NMAP audits in fiscal year 2009. To track the value of its program integrity activities, the MIG developed a formula to measure return on investment (ROI), including both direct and indirect benefits. The MIG, in conjunction with Center for Medicaid and CHIP Services, also developed a mechanism for states to report recoveries from fraud, waste, and abuse at a more detailed level than previously as a part of CMS's fiscal oversight of state Medicaid expenditures. NMAP Audits: The NMAP program accounts for about half of the $75 million appropriated annually for the Medicaid integrity program. In each of five geographic areas, two separate contractors are responsible for the review and audit functions (see figure 1) * Review function. One contractor reviews states' paid claims data to identify aberrant claims or billing anomalies.[Footnote 13] * Audit function. A different audit contractor conducts targeted provider audits to determine whether or not the provider received an overpayment.[Footnote 14] * As of July 2012, the MIG had two review contractors and three separate audit contractors. Figure 1: Review and Audit Contractors by State as of July 2012: [Refer to PDF for image: illustrated U.S. map] State: Alabama; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Alaska; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Arizona; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Arkansas; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: California; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Colorado; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Connecticut; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: Delaware; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: District of Columbia; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Florida; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Georgia; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Hawaii; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Idaho; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Illinois; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Indiana; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Iowa; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Kansas; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Kentucky; Audit contractor: Health Integrity[A]; Review contractor: State: Louisiana; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Maine; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: Maryland; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Massachusetts; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: Michigan; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Minnesota; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Mississippi; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Missouri; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Montana; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Nebraska; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Nevada; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: New Hampshire; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: New Jersey; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: New Mexico; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: New York; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: North Carolina; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: North Dakota; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Ohio; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Oklahoma; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Oregon; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: Pennsylvania; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Rhode Island; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: South Carolina; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: South Dakota; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Tennessee; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Texas; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Utah; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Vermont; Audit contractor: IPRO; Review contractor: Thomson Reuters. State: Virginia; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Washington; Audit contractor: IntegriGuard[B]; Review contractor: AdvanceMed. State: West Virginia; Audit contractor: Health Integrity[A]; Review contractor: Thomson Reuters. State: Wisconsin; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. State: Wyoming; Audit contractor: Health Integrity[A]; Review contractor: AdvanceMed. Source: GAO analysis of CMS data. Map REsources (map). Notes: Each contractor is assigned to one or multiple geographic areas outlined in this map. For example, IPRO works in one geographic area but IntegriGuard works in three geographic areas. In addition, the MIG selected a new audit contractor in one area and the original audit contractor is still completing its remaining work. [A] Booz Allen Hamilton was the initial audit contractor and is still completing its remaining work. [B] IntegriGuard was formerly known as HMS. [End of figure] Since its inception, the MIG has used three different approaches to conducting NMAP audits--test audits, Medicaid Statistical Information System (MSIS) audits, and, more recently, collaborative audits. [Footnote 15] As we noted in our June 2012 report on NMAP, the test and collaborative audits differed from the MSIS audits in two important ways: the test and collaborative audits (1) leveraged state expertise to identify potential audit targets, rather than having the MIG select potential targets on the basis of the work of its review contractors; and (2) primarily used state Medicaid Management Information System (MMIS) data rather than MSIS data.[Footnote 16] The MMIS is a mechanized claims-processing and information-retrieval system maintained by individual states that generally reflects real- time payments and adjustments of detailed claims for each health care service provided. The MSIS audits relied on MSIS data, which contains extracts from states' MMIS databases. Because MSIS is a subset of states' MMIS data files, MSIS data are missing elements that can assist in audits, such as the explanations of benefit codes and the names of providers and beneficiaries. In addition, MSIS data are not current because of late state submissions and the time it takes CMS's contractors to review and validate the data.[Footnote 17] We recently reported that the identified overpayments from MSIS audits were significantly lower than those identified by test and collaborative audits.[Footnote 18] As of February 2012, 59 of the 1,550 MSIS audits identified $7.4 million in potential overpayments. In contrast, 26 test audits and 6 collaborative audits together identified $12.5 million in potential overpayments (see figure 2). [Footnote 19] While the newer collaborative audits have not yet identified more in overpayments than MSIS audits, only 6 of the 112 collaborative audits had final audit reports through February 2012, and thus the total overpayment amounts identified through collaborative audits will likely continue to grow. In addition, we reported that (1) half of the MSIS audits were for potential overpayments of $16,000 or less, compared to a median of about $140,000 for test audits and $600,000 for collaborative audits, and (2) over two-thirds (69 percent) of the 1,550 MSIS audits assigned to contractors were either discontinued (625), had low or no findings (415), or were put on hold (37).[Footnote 20] Finally, we also reported that the main reason the NMAP audits were ineffective was the use of MSIS data, which are inadequate for reviewing claims and selecting audit targets. Further, the MSIS audits were not well coordinated with states, duplicated state program integrity activities, and diverted resources from states' activities. When we spoke about the MSIS audits with 11 states, some indicated that participation in MSIS audits diverted staff from their regular duties. Figure 2: Number of Audits and Total Potential Overpayments Identified and Sent to States for Recoupment (in millions of dollars) by Audit Approach, from fiscal year 2007 through February 29, 2012: [Refer to PDF for image: 2 pie-charts] Number of audits performed: MSIS audits: 92% (1,550); Collaborative audits: 7% (112); Test audits: 2% (27). Potential overpayments: MSIS audits (59 of 1,550 audits): 37%; $7,4 million; Collaborative audits (6 of 112 audits): 22%; $4.4 million; Test audits (26 of 27 audits): 41%%; $8.1 million. Source: GAO analysis of CMS data. Notes: Test audits were conducted from fiscal year 2007 through 2010. Medicaid Statistical Information System (MSIS) audits began in 2008 and are ongoing. Collaborative audits began in 2010 as part of the redesign of the NMAP and are also ongoing. Dollar amounts shown are potential overpayments in final audit reports sent to states for recovery. They do not reflect the amounts in draft audit reports or the amounts actually recovered by the states. [End of figure] MIG Support, Oversight, and Reporting: In addition to the NMAP, the MIG has implemented three activities that are the core of its support and oversight of state program integrity-- the Medicaid Integrity Institute, comprehensive reviews, and SPIA. Less than half of the MIG's $75 million annual budget supports these three activities. The MIG has also developed a methodology for computing the ROI for its activities. Medicaid Integrity Institute. In 2007, the MIG established the Medicaid Integrity Institute, the first national Medicaid training program for state program integrity officials. CMS executed an interagency agreement with the Department of Justice to house the institute at the National Advocacy Center, located at the University of South Carolina. At no cost to states, the institute offers substantive training and support in a structured learning environment. In time, the institute intends to create a credentialing process to elevate the professional qualifications of state Medicaid program integrity staff. Comprehensive reviews. In 2007, the MIG initiated triennial comprehensive state program integrity reviews, which assess each state's Medicaid program integrity procedures and processes.[Footnote 21] Topics covered include program integrity organization and staffing, postpayment review and fraud identification, investigation, and referral. The objective of the reviews is to assess the effectiveness of states' program integrity activities and compliance with federal program integrity laws. As of fiscal year 2011, the MIG had reviewed all states once (as well as the District of Columbia, and Puerto Rico) and 26 states twice. Eighteen states have been scheduled for review in fiscal year 2012. State comprehensive reviews are guided by a detailed protocol and represent a significant investment of staff time and resources for both states and the MIG. In advance of a 1-week on-site review, state staff respond to the review protocol and provide documentation on a state's program integrity activities (see figure 3.) After the week- long visit, MIG staff draft a report, obtain state comments, and follow up with the state on the implementation of any corrective actions required to address findings. The culmination of a review is a final report that details the MIG's assessment of each state's program integrity vulnerabilities, compliance with federal laws, and effective practices. These reports are posted on CMS's website and the MIG prepares an annual report that summarizes the results for all states reviewed each year.[Footnote 22] Figure 3: Description of the MIG's Comprehensive Program Integrity Reviews: [Refer to PDF for image: illustration of continuous process] MIG informs state of the review; States collect and provide information and data to the MIG in advance of on-site work; MIG conducts 1-week on-site review; MIG presents draft findings to state, and state comments on draft report; MIG issues final Comprehensive Review Report; State prepares corrective-action plan and MIG follows up on implementation of corrective-action plans; MIG prepares an annual report that summarizes the results for states reviewed in the year. Source GAO. [End of figure] State Program Integrity Assessments. Annually, the MIG collects information through a web-based portal from each state about its program integrity activities, which results in a publication of a one- page summary that provides statistics on states' program integrity staffing, expenditures, audits for improper payments, and recoveries.[Footnote 23] According to MIG officials, the SPIA represent the first national baseline collection of data on state Medicaid integrity activities for the purpose of program evaluation and technical assistance. Although the profiles are published every year, there is a 2-year lag in the SPIA data collection. For example, the 2010 SPIA covered state fiscal year 2008 activities. Return on Investment. Federal law requires HHS to annually report to Congress on the effectiveness of the use of the funds appropriated for the Medicaid Integrity Program.[Footnote 24] However, the benefit derived from some of the activities, such as the Medicaid Integrity Institute or technical assistance, are difficult to quantify because they contribute to cost avoidance rather than recoveries of overpayments. The MIG has developed a strategy for reporting the ROI for the NMAP and its other activities, which has changed over the program's existence. Typically, an ROI is calculated as a percentage-- the benefits identified through a program or set of activities relative to the total costs of that program or activities. Medicaid Overpayment Recovery Reporting: CMS has had a long-standing requirement that states report the aggregated amount of recoveries from provider overpayments as a part of their quarterly reporting on Medicaid program expenditures. During fiscal year 2009, the MIG helped the CMS unit responsible for validating state reporting of Medicaid expenditures develop more detailed reporting of states' recoveries of provider overpayments. Beginning in fiscal year 2010, CMS required states to report recoveries for specific activities separately, such as NMAP, state program integrity activities, or the activities of the HHS-OIG. The more detailed reporting of fraud, waste, and abuse recoveries was initiated to allow CMS to track recouped amounts according to specific program activities. CMS regional office staff validates and audits the reported expenditure data and accompanying detailed information; state officials must also attest to the data's accuracy.[Footnote 25] Recovered overpayments are subtracted from the states' Medicaid expenditures, which forms the basis for computing the federal share of program costs. Use of Separate Review and Audit Contractors Was Inefficient, Led to Duplication, and Contributed to a Longer Audit Process: The MIG's decision to establish separate review and audit contractors for each state was inefficient and led to duplication because key functions such as data analysis were performed by both types of contractors. In turn, these inefficiencies contributed to lengthy MSIS audits, which, on average, took almost 2 years to complete. Use of Separate Review and Audit Contractors Was Inefficient and Led to Duplication: The MIG's decision to establish separate review and audit contractors for each state was inefficient and led to duplication in two key areas- -state Medicaid policies and data analysis. The DRA required CMS to hire contractors to review and audit provider claims. According to MIG officials, they initially believed that the DRA required the use of separate contractors but, in hindsight, concluded that these activities could have been performed by one contractor.[Footnote 26] State Medicaid policies. The MIG's decision to use separate review and audit contractors meant that both entities had to master the details of numerous state Medicaid policies related to eligibility, benefits, and claims processing in order to appropriately assess whether payments were improper.[Footnote 27] Although MIG officials told us that they were sensitive to the burden placed on states by the establishment of NMAP, the use of separate review and audit contractors nonetheless increased states' administrative burden because both types of contractors performed the same function and states had to review the contractors' work to ensure that state policies were applied correctly. States provided feedback about the samples prepared by the review contractors, which in some cases reflected a misunderstanding of state policy.[Footnote 28] In addition, state officials told us that they found themselves educating audit contractors about state Medicaid policies.[Footnote 29] The MIG's two review contractors were responsible for learning and correctly applying the policies of 22 and 28 states, respectively, while the three audit contractors were required to master the policies of from 8 to as many as 24 states. Officials from one state noted that becoming fully knowledgeable about all the policies affecting state program integrity audits could take 2 to 3 years. According to several state officials, the lack of an in-depth knowledge of state policy contributed to unproductive provider audits. For example, according to one state official, the MIG and its contractors had mistakenly identified overpayments for federally qualified health centers because they assumed that centers should receive reduced payments for an established patient on subsequent visits. The contractors were not aware that these types of centers are paid on an encounter basis, which makes the same payment for the first and follow-up visits. Data analysis. The use of separate review and audit contractors increased inefficiencies in data analysis, which also led to duplication of effort. The review contractors' primary function was using algorithms to analyze MSIS data with the goal of identifying potential improper payments. Audit contractors also analyzed MSIS data to learn more about targeted providers and the services for which they billed. However, the audit contractors duplicated certain data analyses that had already been performed by the review contractors, such as performing their own verification of the completeness and accuracy of MSIS data. For example, one audit contractor reported that the presence of large numbers of duplicate claims in the MSIS data resulted in a significant commitment of the contractor's analytical and data management resources for 66 audit targets that were subsequently discontinued. The inefficiencies of having both review and audit contractors were exacerbated by the MIG's communication policies. All communication, whether between review and audit contractors or between contractors and states, went through a multistep process controlled by the MIG and, as a result, the audit contractors could not easily communicate with the review contractors to verify specific details of the review contractors' data analyses. Two audit contractors' lessons-learned reports recommended closer collaboration between audit and review contractors during the algorithm vetting process and target selection to prevent duplicative data analysis. In addition, the inability to communicate freely inhibited contractors from taking full advantage of states' knowledge of their own Medicaid policies. The HHS-OIG reported a similar finding that the MIG's communication policy also contributed to a duplication of contractor functions.[Footnote 30] To improve coordination and communication between the contractors, MIG officials told us they began monthly conference calls in mid-2011 that included both the review and audit contractors working in the same geographic area. One audit contractor stated that the improved communication with the review contractor has increased the efficacy of their audits specifically related to early readmissions and hospice. Several of the MIG's recent changes to NMAP may reduce, but not eliminate, duplication. Although review contractors were not initially involved in collaborative audits, MIG officials told us that collaborative audits were evolving and in some cases the review contractors are conducting data analysis on state supplied MMIS data or are continuing to analyze MSIS data in order to identify potential audit targets.[Footnote 31] However, they told us that review contractors are collaborating more closely with states to validate any MSIS data findings using MMIS data. Moreover, in July 2012, the MIG told us that while it planned to retain two review contractors, it would reduce their workload overall and realign their geographic areas of responsibility to ensure that all states are still supported. Despite these changes, both review and audit contractors must still correctly apply states' Medicaid policies because both continue to be involved in collaborative audits. MSIS Audits Were Lengthy: MIG officials acknowledged that MSIS audits were lengthy and told us that, among other factors, better communication among the MIG, its contractors, and states would have contributed to shorter audits. The duration of successful MSIS audits, that is, those that identified overpayments, decreased from 2008 through 2010; however, the typical length of time from assignment of audit until submission of the final audit report for these 58 successful MSIS audits was 23 months, ranging from 11 months to 38 months, with half of these audits taking 23 months or more to complete (see figure 4).[Footnote 32] In addition, for the 118 audits that were assigned from 2009 to 2011 and still in progress, the average duration as of February 2012 was 21 months.[Footnote 33] As the MIG shifts to collaborative audits, preliminary results suggest these audits are completed more quickly than MSIS audits. Although only six collaborative audits had final audit reports as of February 2012, the average duration of those successful audits was 16 months compared to 23 months for successful MSIS audits. Figure 4: Number and Duration of MSIS Audits that Identified Potential Overpayments, by Fiscal Year in which Audit Was Assigned, Fiscal Years 2008 through 2010: [Refer to PDF for image: vertical bar graph] Year: 2008; Number: 9; Duration: 28 months. Year: 2009; Number: 38; Duration: 23 months. Year: 2010; Number: 11; Duration: 19 months. Source: GAO analysis of CMS data. Note: Data as of February 29, 2012, and include 58 out of 59 audits because of the ambiguity of one audit's duration. As of this date, CMS had not yet issued final audit reports for MSIS audits assigned in fiscal year 2011. An additional 16 audits had reached the final audit report stage but were still being reviewed by the MIG. Duration is the average number of months between audit assignment and submission of the final audit report to the state. [End of figure] Successful MSIS audits, those that identified overpayments, took nearly 2 years to complete, longer than some states and HHS-OIG typically allow for Medicaid provider audits. Several state officials we interviewed told us that MSIS audits took too long to complete. One state official indicated that the state expected its new recovery audit contractor would produce results within 9 months of the start of the contract, and an official from a different state said that his staff attempt to produce draft audit reports within 60 days of initiating an audit.[Footnote 34] Additionally, the HHS-OIG allows about a year for audits to be conducted and completed before reviewing or reporting on them.[Footnote 35] MIG officials told us that they were aware of the time-consuming nature of MSIS audits and do track audit progress, such as "days remaining to completion." On the basis of a 2010 suggestion by one of its audit contractors, the MIG is taking steps to build the capability to generate audit aging reports that would be available to its contractors in its new workflow management system, but officials told us that these changes are still in the implementation and testing phase. Other MIG Activities Show Mixed Results in Overseeing and Supporting States' Program Integrity Activities: The MIG's modest spending on the Medicaid Integrity Institute enhances states' capabilities. Comprehensive reviews, a MIG oversight activity, have the potential to inform state selection for federal audits. But, the data collected through the SPIA, another MIG oversight activity, has been of limited value as it is inconsistently reported, not validated, and overlaps with information collected through comprehensive reviews and other state reporting mechanisms. Modest MIG Spending on Training through the Institute Enhances States' Program Integrity Capabilities: Spending on the Medicaid Integrity Institute is a small fraction of the MIG's overall budget, and the 11 state program integrity officials we interviewed affirmed the value of the institute for the substantive training it provided. In addition, officials from 10 states described the benefits derived from the opportunity to network with other states (see text box for examples of state officials' comments). The cost of the institute is modest compared with overall MIG funding; the MIG reported that $1.7 million of the approximately $75 million appropriated for the Medicaid Integrity Program in fiscal year 2011 was spent on the institute.[Footnote 36] From fiscal years 2008 to 2012, the institute trained over 3,000 state employees. While officials from the 11 states we spoke with commended the institute, some also offered suggestions for expanding the reach of the institute's activities: * Officials from three states suggested that the MIG expand opportunities for additional staff to attend, such as staff from the Medicaid Fraud Control Units (MFCU) or the clinical staff that work with program integrity staff, or allow attendance by more staff from larger states.[Footnote 37] * Furthermore, officials from three states recommended that the institute offer Medicaid audit certification to state program integrity staff. * The National Association of Medicaid Directors and the Medicaid and CHIP Payment and Access Commission also recommended that CMS expand the institute to make it more accessible to state officials.[Footnote 38] [Text box: Examples of State Officials' Comments on the Value of the Medicaid Integrity Institute: * One state official asserted that the institute was by far the most effective of the MIG's programs, while officials from two other states described it as the biggest benefit to state program integrity efforts and as invaluable, respectively. * Program integrity officials in five states said that the free training had increased the skills and knowledge of their staff. For example, the institute trained state staff as certified coders and helped new staff become effective in their roles. * Officials from four states commented that the institute, which also features an online workspace, was an effective venue for states to learn about best practices from other states. End of text box] The MIG's Comprehensive Reviews Could Help Inform the Selection of States for NMAP Audits: Comprehensive reviews yield important information about all aspects of states' program integrity capabilities and vulnerabilities, and such information could be used to target NMAP audits towards states with serious vulnerabilities. In its comprehensive reviews of 51 states, the MIG identified 7 states as having serious program integrity infrastructure vulnerabilities, such as not maintaining a centralized program integrity function, yet 5 of these states had less than the typical number of audits assigned.[Footnote 39] Two of the 7 states had no NMAP audits assigned, 3 states had less than 1 percent of assigned audits in their states, and 2 other states had 16 and 23 audits, respectively; these last 2 states ranked 29th and 22nd in the assignment of 1,662 NMAP audits as of February 2012. (See table 1.) In the same set of 51 state comprehensive reviews, the MIG identified 6 states that had a limited or ineffective Surveillance Utilization Review Subsystem (SURS), another serious vulnerability involving the required claims-data surveillance system.[Footnote 40] Only 1 of these states was among the top 10 states for assigned NMAP audits. The number of assigned audits in these 6 states ranged from 0 to 110, with 3 states having 10 or fewer audits, 2 states having about 30 audits, and one state having 110 audits. The state with the highest number of NMAP audits was Louisiana, which accounted for 10 percent of all NMAP audits (195); yet, according to the MIG's comprehensive review, the state did not have a vulnerable program integrity infrastructure or any identified SURS weaknesses. (See appendix I for the number of NMAP audits assigned to each state.) Table 1: States with Serious Program Integrity Vulnerabilities Identified in Comprehensive Reviews and the Number of Assigned NMAP Audits and State Rank as of February 2012: Infrastructure vulnerability: State: Michigan; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Ineffective program oversight and operations; Assigned NMAP audits: 0; State rank in terms of assigned audits: 45. State: Maine; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2009; Finding: Not having resources with diverse medical expertise; Assigned NMAP audits: 0; State rank in terms of assigned audits: 45. State: Oregon; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Program integrity function is not centrally organized within Medicaid agency; Assigned NMAP audits: 2; State rank in terms of assigned audits: 41. State: Indiana; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Limited effectiveness of program integrity/SURS; Assigned NMAP audits: 9; State rank in terms of assigned audits: 32. State: Wyoming; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2008; Finding: Not maintaining a centralized program integrity function; Assigned NMAP audits: 9; State rank in terms of assigned audits: 32. State: Alaska; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Not maintaining a centralized program integrity function; Assigned NMAP audits: 16; State rank in terms of assigned audits: 29. State: Nevada; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Not maintaining a centralized program integrity function and backlog of program integrity cases; Assigned NMAP audits: 23; State rank in terms of assigned audits: 22. Surveillance Utilization Review Subsystem (SURS) vulnerability: State: Maine; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2009; Finding: State does not have a functioning SURS; Assigned NMAP audits: 0; State rank in terms of assigned audits: 45. State: Hawaii; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: State does not have an effective SURS; Assigned NMAP audits: 5; State rank in terms of assigned audits: 39. State: Indiana; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: Limited effectiveness of program integrity/SURS; Assigned NMAP audits: 9; State rank in terms of assigned audits: 32. State: Nebraska; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2009; Finding: State does not maintain an effective SURS operation; Assigned NMAP audits: 26; State rank in terms of assigned audits: 20. State: West Virginia; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2009; Finding: State has less than effective SURS operation; Assigned NMAP audits: 33; State rank in terms of assigned audits: 17. State: Arkansas; Federal fiscal year comprehensive review was conducted: Infrastructure vulnerability: 2010; Finding: State does not have statewide SURS program; Assigned NMAP audits: 110; State rank in terms of assigned audits: 4. Source: GAO analysis of CMS data. Note: Our analysis of NMAP audits considered both MSIS and collaborative audits. [End of table] As a part of its comprehensive reviews, the MIG identifies findings or vulnerabilities that continue to persist from the state's prior comprehensive review. Of the 51 comprehensive reviews we analyzed, the MIG found that one quarter of states had uncorrected repeat or partial repeat findings or vulnerabilities that had not been addressed since the prior reviews.[Footnote 41] Nonetheless, of the 10 states that received 62 percent of the 1,662 NMAP audits, 8 states had no uncorrected repeat findings or vulnerabilities. SPIA Data Are Not Validated, Are Inconsistently Reported, and Overlap with Other Efforts: On an annual basis, states self-report the data submitted to the SPIA, and MIG staff told us that they do not review all 220 state-reported data elements or validate the data for reliability. Yet, MIG staff told us that they do check the states' data submissions for reasonableness and follow up with states to confirm extreme responses. We have reported that the SPIA contained significant errors and were inconsistent with data reported in state comprehensive reviews covering the same year.[Footnote 42] Overall, the data are not reported in a consistent enough manner to allow for comparisons across states. For example, the instructions specify which collections a state may include in the category of recovered overpayments, but one state official told us the state's recoveries included collections that were supposed to be excluded. State reporting is further complicated because the collection instrument does not allow state officials to comment on or explain their responses. Thus, states unable to report data as requested also cannot explain why or how their data deviates from what was requested, resulting in inconsistent reporting and blank items. In addition, much of the information is collected through other reporting mechanisms as well. State officials have told us that the SPIA is burdensome because the website interface is difficult to use and asks again for information that they already provide as part of other reporting. For example, the SPIA includes program integrity expenditures and recoveries--two key metrics for accountability and oversight--that are also collected through the required quarterly reporting of state Medicaid expenditures to CMS and which are also subject to validation and audit.[Footnote 43] Several other items reported on the SPIA--Medicaid enrollees, managed care enrollment, participating providers, the state program integrity organizational structure, number of staff, use of contractors, SURS, and recoveries-- are also collected during the comprehensive reviews every 3 years and included in the published reports available on the MIG's website. MIG officials acknowledged that the SPIA duplicated other requests for information and told us they were examining ways to reduce the duplication. MIG officials told us that states use the SPIA as a reference tool to familiarize themselves with other states' program integrity activities, plan program integrity activities and training, and identify how the MIG can provide support to them. However, representatives from 10 out of 11 states we spoke with told us that they had not looked at other states' assessment data posted on the MIG's website. One state official explained that smaller states or those with newer program integrity activities may refer to the SPIA, but the larger states we contacted had not. In addition, representatives from 4 states commented that SPIA reporting is not consistent or comparable across states. Correcting inconsistencies in the SPIA data, however, would be of limited value. The 2-year time lag in the SPIA data undermines its usefulness in determining which states would benefit from technical assistance and developing measures to assess states' performance. Other sources, such as comprehensive reviews, provide more timely and useful information. Reporting on Program Integrity Results Is Inadequate: CMS's limited reporting on the ROI from the Medicaid Integrity Program is inadequate. State reporting of recoveries is similarly insufficient because we found that most states were not fully reporting recoveries according to specific program integrity activities and that almost half appeared to underreport aggregate annual recoveries. CMS's Limited ROI Reporting Is Inadequate: CMS's annual reports to Congress do not provide a clear picture of the ROI for NMAP audits because they combined the results of MSIS and test audits, which performed very differently. In its annual report covering fiscal year 2010, CMS reported that 947 MSIS and test audits were underway in 45 states and that its contractors had identified cumulative potential overpayments of about $10.7 million.[Footnote 44] Our analysis of CMS's data, which summarized these results by audit approach, found that over three-fourths of the overpayments--$8.4 million--were identified by the small number of test audits, in which states identified the audit targets and supplied their own data. Reporting combined overpayments for MSIS and test audits gave the impression that NMAP was more successful than was the case. Moreover, the annual report did not provide information on the number of audits that were discontinued because of no or low overpayments. Finally, the $42 million in expenditures for Medicaid integrity contractors reported in the fiscal year 2010 annual report combined the cost of both NMAP and education contractors, making it difficult to compute an ROI for NMAP. ROI reporting for the Medicaid Integrity Program as a whole has changed over time. * For fiscal year 2008, HHS's budget justification for CMS reported an ROI of 300 percent for the test audits covering a 3-month period--the amount of identified overpayments from the test audits as a percentage of the contractor expenses for that time period.[Footnote 45] * For fiscal year 2009, the ROI formula was broadened to capture MIG overpayment identification activities beyond the NMAP. As such, it included the identification and recovery of overpayment amounts through the MIG's identification of systematic errors in state payment systems and comprehensive state program integrity reviews as a percentage of its fiscal year 2009 funding for the Medicaid Integrity Program. HHS reported a 2009 ROI of 175 percent using this new formula.[Footnote 46] * Although an ROI has not been released for fiscal years 2010 or 2011, HHS has announced that it will calculate the ROI to better reflect the resources invested through the Medicaid Integrity Program and will discontinue reporting an ROI for the NMAP.[Footnote 47] In several reports to the Congress, CMS has indicated that it was developing a methodology for calculating an ROI based on its activities. The MIG has not published its ROI methodology, but did provide it to us for our review.[Footnote 48] The methodology incorporates identified overpayments from activities for which the MIG was directly responsible as well as benefits from activities where the MIG provided support and assistance (see table 2). Table 2: MIG's Strategy to Measure Return on Investment across Activities: Medicaid Integrity Group activity: National Medicaid Audit Program; Organization that identifies overpayment/cost avoidance: MIG and review and audit contractors; Measurement of overpayment/cost avoidance: Identified overpayments from NMAP Final Audit Reports; Amount included in federal Medicaid Integrity Program ROI: 100%. Medicaid Integrity Group activity: Comprehensive reviews; Organization that identifies overpayment/cost avoidance: MIG; Measurement of overpayment/cost avoidance: Identified overpayments such as payments to excluded providers; Amount included in federal Medicaid Integrity Program ROI: 100%. Medicaid Integrity Group activity: Medicaid Integrity Institute; Organization that identifies overpayment/cost avoidance: States; Measurement of overpayment/cost avoidance: Savings projected by state attendees; Amount included in federal Medicaid Integrity Program ROI: 100%. Medicaid Integrity Group activity: Support and assistance to states; Organization that identifies overpayment/cost avoidance: States; Measurement of overpayment/cost avoidance: Identified overpayments from audits in which MIG provided staff support, an effort known as "Boots on the Ground"; Amount included in federal Medicaid Integrity Program ROI: 20%. Medicaid Integrity Group activity: Support and assistance to stakeholders; Organization that identifies overpayment/cost avoidance: Department of Justice and other stakeholders; Measurement of overpayment/cost avoidance: Findings and awards from actions in which MIG provided technical support, such as fraud prosecutions; Amount included in federal Medicaid Integrity Program ROI: 20%. Medicaid Integrity Group activity: State Program Integrity Assessment; Organization that identifies overpayment/cost avoidance: States; Measurement of overpayment/cost avoidance: State identified overpayments; Amount included in federal Medicaid Integrity Program ROI: 16%[A]. Source: CMS. [A] The MIG apportions the amount of identified overpayments listed on the SPIA using the percentage of the MIG's annual budget compared to the total reported spending on state program integrity activities and the MIG budget. [End of table] The MIG's ROI strategy includes a variety of elements, some of which may be difficult to quantify, and others that may be less valid or duplicative of other ROI calculations. For example, although difficult to measure, the MIG is attempting to quantify cost savings realized from states' participation at the institute so that they can be incorporated into an overall calculation of the ROI for the MIG's activities. However, it also incorporates a percentage of the identified overpayments reported on the SPIA, which are self-reported and not validated. Given that the MIG's methodology already includes the benefit from comprehensive reviews and technical assistance to states, its rationale for claiming an additional percentage of states' own identified overpayments is questionable. Most States Are Not Fully Reporting Recoveries: Even though the reporting of aggregated program integrity recoveries has been a longstanding requirement, many states appear to be underreporting aggregate annual recoveries when compared with other data sources, such as their CMS comprehensive program integrity reviews or reports states prepare on the results of their program integrity activities. For example: * One state reported aggregate recoveries of $3 million for federal fiscal years 2009 and 2010--$0 and $3 million--but about $37 million for state fiscal years 2009 and 2010 in its comprehensive review. * Another state reported aggregate recoveries of about $195,000 over 3 years to CMS--$0, $130,000, and $65,000--but about $36 million in its annual report to the governor for 2 of these years. * A third state reported about $6,000 in aggregate recoveries for federal fiscal year 2009 but about $3 million for state fiscal year 2009 in its comprehensive review. Overall from federal fiscal years 2009 through 2011, 15 states reported no fraud, waste, and abuse recoveries in at least 1 fiscal year (see appendix II). These results appear questionable given that 5 of the 15 states were among the 20 states with the highest Medicaid expenditures in fiscal year 2010. Additionally, total reported recoveries for all states in fiscal year 2010 represented only about 0.28 percent of state Medicaid expenditures, significantly less than CMS's estimate that improper payments accounted for about 8 percent of state Medicaid expenditures in fiscal year 2011. In addition, although CMS implemented more detailed state reporting of recovered overpayments beginning in fiscal year 2010, we found that most states were not fully reporting recoveries by the specific type of activity that resulted in the recovery. In fiscal year 2011, the second year of detailed reporting of program integrity recoveries, 36 or more states reported no recoveries for specific state-based activities that generally produce program integrity recoveries, such as state data analysis, provider audits, or MFCU investigations (see figure 5). Figure 5: Number of States Reporting No Recoveries to CMS for State- Based Data Analysis, Provider Audits, and Medicaid Fraud Control Unit Investigations, Fiscal Years 2010 and 2011: [Refer to PDF for image: vertical bar graph] Data mining activities: 2010: 45 states; 2011: 44 states. Provider audits: 2010: 38 states; 2011: 36 states. Medicaid Fraud Control Unit Investigations: 2010: 43 states; 2011: 37 states. Source: GAO analysis of CMS data. [End of figure] The underreporting of program integrity recoveries occurs despite CMS's validation efforts. CMS's financial review protocols specify that quarterly desk reviews must be completed for every state in every quarter, and yearly on-site reviews must be completed for the 20 states with the greatest Medicaid expenditures in the preceding fiscal year. On-site review protocols explicitly instruct the reviewer to verify the reported aggregated amount of fraud, waste, and abuse recoveries, and CMS regional office staff may conduct on-site reviews in additional states as appropriate. CMS staff told us that its financial review protocols encompass hundreds of pages and that reporting of fraud, waste, and abuse recoveries is a small portion of the items they are responsible for validating. They commented that their limited reviews did not allow them to know whether or not fraud, waste, and abuse recoveries were listed elsewhere as a part of the state's quarterly expenditure reporting because states may report recoveries as an offset to other expenditures or may report them comingled with other credits that are not fraud, waste, or abuse- related.[Footnote 49] Further, CMS staff offered several explanations for the reporting gaps we identified, including the observation that it is not unusual for states to take several years to come into compliance with new reporting requirements. This delay may reflect the fact that states' accounting processes may differ from the new instructions and states may need to change their processes or data systems to accommodate the new reporting requirements. CMS officials also said that states may have reported their recoveries as an adjustment that decreased claims from prior quarters.[Footnote 50] While it is plausible that state accounting systems may differ from the recently implemented federal reporting requirements, states have had a long-standing requirement to report their recoveries of overpayments in the aggregate. Additionally, states report recovered overpayments as a part of their state comprehensive reviews, and some states include the results of their program integrity activities in their Medicaid annual reports. [Footnote 51] Conclusions: The MIG's activities to support and oversee state Medicaid program integrity efforts are relatively new and have had mixed success. The Medicaid Integrity Institute is widely acclaimed by state officials. However, the MIG has had to make significant changes to NMAP, the use of comprehensive reviews have shortcomings, and the SPIAs are unreliable. In addition, CMS and states' reporting on the results of their program integrity activities are not transparent and are incomplete. Specifically: * The MIG's decision to hire separate review and audit contractors was inefficient and contributed to overlap and duplication. For example, both types of contractors were engaged in data analysis and both had to be cognizant of state Medicaid policies, which increased the burden on states. * Although the MIG's comprehensive reviews yield considerable information about state structural and data-analysis vulnerabilities, there is no apparent connection between the reviews' findings and the selection of states for NMAP audits. Thus, states with serious program integrity vulnerabilities often had few NMAP audits. * Information that the MIG collects through the SPIAs is unreliable. Even if SPIAs were accurate, their value is unclear because similar and more timely information is collected through other sources, such as the comprehensive reviews. * Computing an ROI for the entire Medicaid Integrity Program that reflects the outcomes from all MIG expenditures is complex because it involves measuring both direct and indirect benefits. To date, CMS has provided a misleading picture of the ROI for NMAP audits and its unpublished methodology incorporates a percentage of identified overpayments reported on the SPIA, which is questionable. * A full accounting of state and NMAP-related recoveries is an important yardstick for measuring the effectiveness of efforts to reduce improper payments. The apparent gaps in state reporting of such recoveries, however, hamper federal efforts to quantify the results of state and federal activities and make it difficult to determine whether states are returning the federal share of recovered overpayments. * Given the magnitude of the estimated Medicaid improper payments, federal support and oversight of Medicaid program integrity is important, and it is essential that federal efforts are carried out efficiently without placing an undue burden on states. Recommendations for Executive Action: To strengthen the Medicaid Integrity Program, we are making five recommendations to the CMS Acting Administrator: * To eliminate duplication and more efficiently use audit resources, the CMS Acting Administrator should merge the functions of the federal review and audit contractors within a state or geographic region. * To ensure that the MIG's comprehensive reviews inform its management of NMAP, the CMS Acting Administrator should use the knowledge gained from the comprehensive reviews as a criterion for focusing NMAP resources towards states that have structural or data-analysis vulnerabilities. * To avoid unnecessary duplication overlap with other efforts, as well as the reporting of unverified and inaccurate data, the CMS Acting Administrator should discontinue the annual state program integrity assessments. * To ensure the most effective use of federal Medicaid program integrity funding, the CMS Acting Administrator should reevaluate the agency's methodology for calculating an ROI for the Medicaid Integrity Program, including reporting separately on the NMAP, and share its methodology with Congress and the states. * To ensure the appropriate tracking of the results of states' program integrity activities, the CMS Acting Administrator should increase the agency's efforts to hold states accountable for reliably reporting program integrity recoveries as a part of their quarterly expenditure reporting. Agency Comments and Our Evaluation: We provided a draft of this report to HHS for comment. In its written comments, HHS stated that CMS was currently revising its Comprehensive Medicaid Integrity Plan covering fiscal years 2013 through 2017 in order to address the duplication and inefficiencies that we had identified in the Medicaid Integrity Program. According to HHS, the plan will unveil significant changes to improve the efficiency of the agency's Medicaid integrity activities. In response to our five recommendations, HHS concurred with three recommendations and partially concurred with two others. Review and audit contractor functions. HHS said that it concurred with our recommendation to merge the functions of its review and audit contractors in order to eliminate duplication and use contractor resources more efficiently. The department stated that it was evaluating options for consolidating its contractors' work within current statutory and procurement requirements. Comprehensive reviews and recovery reporting. HHS also concurred with our recommendations to (1) use the comprehensive program integrity reviews to better inform NMAP, and (2) increase efforts to hold states accountable for reliably reporting program integrity recoveries as part of their quarterly expenditure reporting. With regard to the comprehensive reviews, HHS stated that CMS would work to improve the integration of the knowledge gained from the comprehensive reviews to help identify the states and program areas representing the greatest risks to the Medicaid program, which, in turn, would influence the agency's national audit strategy. In terms of holding states accountable, the department indicated that it would work through its regional offices to include state recovery reporting in the risk assessment used to select areas for financial management reviews, which validate state reported data. In addition, it will continue to provide the necessary training to states to help facilitate reliable recovery reporting. ROI methodology and reporting. HHS partially concurred with our recommendation to reevaluate the methodology used to calculate an ROI for the Medicaid Integrity Program, including reporting separately on NMAP, and to share its methodology with Congress and the states. HHS indicated that CMS annually reevaluates the methodology and has provided descriptions of the methodology in documents that are, or will soon be, available to the public, such as the fiscal year 2013 annual budget justification for CMS. We found that those descriptions were limited and that the budget justification was less detailed than the ROI methodology that CMS shared with us, which is summarized in table 2 of this report. HHS also noted that CMS's methodology will become public when our report is published. HHS said that CMS will be reviewing the scope of what should be included in the calculation of ROI for the Medicaid Integrity Program but it did not address our concern that taking an additional percentage of states' own identified overpayments was questionable. HHS did not concur that an ROI should be reported separately for NMAP because it believes that CMS's Medicaid program integrity investments interact with one another and NMAP ROI would be a misleading index of the work and impact of the Medicaid Integrity Program. We continue to believe that separately reporting an NMAP ROI is essential to hold CMS accountable for the effective operation of those audits, which constituted about half of CMS's annual expenditures on the Medicaid Integrity Program. SPIA. HHS partially concurred with our recommendation and said that it would suspend the annual state program integrity assessments while taking steps to address the limitations that we had identified. HHS stated that the triennial comprehensive state program integrity reviews alone may not provide adequate data to inform CMS oversight. Although the department acknowledged the reporting overlap between the SPIA and comprehensive reviews, it stated that CMS was now working to streamline the comprehensive review questionnaires to eliminate duplication. HHS also indicated that CMS's forthcoming Comprehensive Medicaid Integrity Plan would outline plans to enhance the SPIA by refining the data collection tool, reducing the reporting time lag, and providing for data validation and correction by CMS staff during the triennial comprehensive reviews. We believe that CMS's efforts to address overlap by eliminating duplicative information collected though the comprehensive reviews does not take into account the considerable resources that states devote to filling out the comprehensive review questionnaires, which CMS officials have the opportunity to discuss and verify during week-long site visits. In contrast, SPIA data are collected through a web-based survey, which is inconsistently completed and viewed as a burden by states. Although CMS believes the annual SPIA data are important to its program integrity mission and plans to reduce the current reporting time lag, it has not clearly articulated how it will or could use this information to inform its oversight. In addition, state recoveries and program integrity expenditures are reported to CMS on a quarterly basis, which would provide a more reliable financial accounting of states' program integrity activities. As a result, we continue to believe that the SPIA should be permanently, not just temporarily, discontinued. HHS's comments are reproduced in appendix III. HHS also provided technical comments, which we incorporated as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Acting Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff has any questions about this report, please contact me at (202) 512-7114 or at yocomc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Carolyn L. Yocom: Director, Health Care: [End of section] Appendix I: Number of National Medicaid Audit Program Audits: Table 3: Number of National Medicaid Audit Program Audits by State as of February 2012: State: Alabama; Medicaid Statistical Information System audits: 67; Collaborative audits: 0; Total: 67. State: Alaska; Medicaid Statistical Information System audits: 16; Collaborative audits: 0; Total: 16. State: Arkansas; Medicaid Statistical Information System audits: 104; Collaborative audits: 6; Total: 110. State: California; Medicaid Statistical Information System audits: 17; Collaborative audits: 21; Total: 38. State: Colorado; Medicaid Statistical Information System audits: 21; Collaborative audits: 0; Total: 21. State: Connecticut; Medicaid Statistical Information System audits: 20; Collaborative audits: 0; Total: 20. State: Delaware; Medicaid Statistical Information System audits: 35; Collaborative audits: 0; Total: 35. State: District of Columbia; Medicaid Statistical Information System audits: 19; Collaborative audits: 0; Total: 19. State: Florida; Medicaid Statistical Information System audits: 35; Collaborative audits: 0; Total: 35. State: Georgia; Medicaid Statistical Information System audits: 28; Collaborative audits: 10; Total: 38. State: Hawaii; Medicaid Statistical Information System audits: 5; Collaborative audits: 0; Total: 5. State: Idaho; Medicaid Statistical Information System audits: 12; Collaborative audits: 2; Total: 14. State: Indiana; Medicaid Statistical Information System audits: 9; Collaborative audits: 0; Total: 9. State: Iowa; Medicaid Statistical Information System audits: 15; Collaborative audits: 0; Total: 15. State: Kansas; Medicaid Statistical Information System audits: 70; Collaborative audits: 0; Total: 70. State: Kentucky; Medicaid Statistical Information System audits: 9; Collaborative audits: 0; Total: 9. State: Louisiana; Medicaid Statistical Information System audits: 195; Collaborative audits: 0; Total: 195. State: Maryland; Medicaid Statistical Information System audits: 17; Collaborative audits: 5; Total: 22. State: Massachusetts; Medicaid Statistical Information System audits: 75; Collaborative audits: 0; Total: 75. State: Minnesota; Medicaid Statistical Information System audits: 6; Collaborative audits: 0; Total: 6. State: Mississippi; Medicaid Statistical Information System audits: 8; Collaborative audits: 10; Total: 18. State: Missouri; Medicaid Statistical Information System audits: 1; Collaborative audits: 0; Total: 1. State: Montana; Medicaid Statistical Information System audits: 5; Collaborative audits: 0; Total: 5. State: Nebraska; Medicaid Statistical Information System audits: 26; Collaborative audits: 0; Total: 26. State: Nevada; Medicaid Statistical Information System audits: 23; Collaborative audits: 0; Total: 23. State: New Jersey; Medicaid Statistical Information System audits: 63; Collaborative audits: 5; Total: 68. State: New Mexico; Medicaid Statistical Information System audits: 26; Collaborative audits: 0; Total: 26. State: New York; Medicaid Statistical Information System audits: 93; Collaborative audits: 5; Total: 98. State: North Carolina; Medicaid Statistical Information System audits: 18; Collaborative audits: 0; Total: 18. State: North Dakota; Medicaid Statistical Information System audits: 1; Collaborative audits: 0; Total: 1. State: Ohio; Medicaid Statistical Information System audits: 34; Collaborative audits: 3; Total: 37. State: Oklahoma; Medicaid Statistical Information System audits: 1; Collaborative audits: 0; Total: 1. State: Oregon; Medicaid Statistical Information System audits: 2; Collaborative audits: 0; Total: 2. State: Pennsylvania; Medicaid Statistical Information System audits: 86; Collaborative audits: 0; Total: 86. State: South Carolina; Medicaid Statistical Information System audits: 28; Collaborative audits: 0; Total: 28. State: South Dakota; Medicaid Statistical Information System audits: 8; Collaborative audits: 0; Total: 8. State: Texas; Medicaid Statistical Information System audits: 124; Collaborative audits: 34; Total: 158. State: Utah; Medicaid Statistical Information System audits: 6; Collaborative audits: 0; Total: 6. State: Vermont; Medicaid Statistical Information System audits: 9; Collaborative audits: 0; Total: 9. State: Virginia; Medicaid Statistical Information System audits: 111; Collaborative audits: 0; Total: 111. State: Washington; Medicaid Statistical Information System audits: 16; Collaborative audits: 11; Total: 27. State: West Virginia; Medicaid Statistical Information System audits: 33; Collaborative audits: 0; Total: 33. State: Wisconsin; Medicaid Statistical Information System audits: 44; Collaborative audits: 0; Total: 44. State: Wyoming; Medicaid Statistical Information System audits: 9; Collaborative audits: 0; Total: 9. State: Grand total; Medicaid Statistical Information System audits: 1,550; Collaborative audits: 112; Total: 1,662. Source: GAO analysis of CMS data. [End of table] [End of section] Appendix II: Recoveries from State Medicaid Program Integrity Activities: Table 4: Fraud, Waste, and Abuse Recoveries from State Medicaid Program Integrity Activities, Fiscal Years 2009 through 2011: State: Alabama; Fiscal year: 2009: $7,575,771; 2010: $4,215,561; 2011: $9,274,724. State: Alaska; Fiscal year: 2009: 0; 2010: 0; 2011: 0. State: Arizona; Fiscal year: 2009: 22,891; 2010: 1,870,637; 2011: 632,018. State: Arkansas; Fiscal year: 2009: 1,569,617; 2010: 1,548,437; 2011: 1,918,939. State: California; Fiscal year: 2009: 11,280,386; 2010: 99,465,305; 2011: 104,327,782. State: Colorado; Fiscal year: 2009: 218,625; 2010: 180; 2011: 22,168. State: Connecticut; Fiscal year: 2009: 8,940,819; 2010: 8,787,546; 2011: 9,737,835. State: Delaware; Fiscal year: 2009: 12,679; 2010: 0; 2011: 0. State: District of Columbia; Fiscal year: 2009: 1,323,039; 2010: 13,469,478; 2011: 2,239,303. State: Florida; Fiscal year: 2009: 0; 2010: 129,789; 2011: 65,352. State: Georgia; Fiscal year: 2009: 22,384,808; 2010: 24,477,927; 2011: 5,808,151. State: Hawaii; Fiscal year: 2009: 90,979; 2010: 816; 2011: 0. State: Idaho; Fiscal year: 2009: 1,368,716; 2010: 810,147; 2011: 1,057,442. State: Illinois; Fiscal year: 2009: 0; 2010: 3,342,569; 2011: 13,548,145. State: Indiana; Fiscal year: 2009: 10,512,856; 2010: 5,265,908; 2011: 1,919,964. State: Iowa; Fiscal year: 2009: 64,947; 2010: 1,761,559; 2011: 2,931,565. State: Kansas; Fiscal year: 2009: 1,613; 2010: 9,909,765; 2011: 664,779. State: Kentucky; Fiscal year: 2009: 17,362,774; 2010: 7,601,953; 2011: 15,523,861. State: Louisiana; Fiscal year: 2009: 6,462,291; 2010: 4,423,355; 2011: 8,778,553. State: Maine; Fiscal year: 2009: 0; 2010: 0; 2011: 0. State: Maryland; Fiscal year: 2009: 455,647; 2010: 0; 2011: 572,079. State: Massachusetts; Fiscal year: 2009: 10,914,670; 2010: 10,527,899; 2011: 2,649,756. State: Michigan; Fiscal year: 2009: 1,248,709; 2010: 0; 2011: 368,362. State: Minnesota; Fiscal year: 2009: 7,574,378; 2010: 2,361,639; 2011: 1,068,457. State: Mississippi; Fiscal year: 2009: 4,790,498; 2010: 15,594,880; 2011: 2,100,269. State: Missouri; Fiscal year: 2009: 5,687,808; 2010: 6,361,228; 2011: 5,698,735. State: Montana; Fiscal year: 2009: 256,310; 2010: 673,212; 2011: 156,451. State: Nebraska; Fiscal year: 2009: 319,467; 2010: 435,881; 2011: 578,054. State: Nevada; Fiscal year: 2009: 494,682; 2010: 104,427; 2011: 310,901. State: New Hampshire; Fiscal year: 2009: 244,903; 2010: 350,048; 2011: 522,046. State: New Jersey; Fiscal year: 2009: 2,031,217; 2010: 1,202,775; 2011: 10,865,626. State: New Mexico; Fiscal year: 2009: 554,109; 2010: 698,303; 2011: 2,107,263. State: New York; Fiscal year: 2009: 500,247,430; 2010: 666,653,864; 2011: 640,475,184. State: North Carolina; Fiscal year: 2009: 12,547,969; 2010: 9,865,891; 2011: 13,602,193. State: North Dakota; Fiscal year: 2009: 500; 2010: 0; 2011: 0. State: Ohio; Fiscal year: 2009: 912,840; 2010: 857,611; 2011: 765,912. State: Oklahoma; Fiscal year: 2009: 5,114,226; 2010: 20,920,971; 2011: 8,118,075. State: Oregon; Fiscal year: 2009: 0; 2010: 0; 2011: 6,371. State: Pennsylvania; Fiscal year: 2009: 8,998,928; 2010: 19,024,320; 2011: 13,513,771. State: Rhode Island; Fiscal year: 2009: 0; 2010: 303,984; 2011: 38,891. State: South Carolina; Fiscal year: 2009: 26,795,683; 2010: 11,407,888; 2011: 16,910,564. State: South Dakota; Fiscal year: 2009: 6,423; 2010: 935,041; 2011: 0. State: Tennessee; Fiscal year: 2009: 19,545; 2010: 506; 2011: 157,502. State: Texas; Fiscal year: 2009: 40,083,547; 2010: 135,572,616; 2011: 60,914,245. State: Utah; Fiscal year: 2009: 4,269,364; 2010: 0; 2011: 27,521. State: Vermont; Fiscal year: 2009: 0; 2010: 0; 2011: 0. State: Virginia; Fiscal year: 2009: 3,242,994; 2010: 2,508,097; 2011: 5,638,203. State: Washington; Fiscal year: 2009: 0; 2010: 105,915; 2011: 503. State: West Virginia; Fiscal year: 2009: 1,716; 2010: 1,716; 2011: 1,205. State: Wisconsin; Fiscal year: 2009: 3,609,194; 2010: 1,452,573; 2011: 1,111,085. State: Wyoming; Fiscal year: 2009: 1,535,178; 2010: 768,078; 2011: 1,334,446. Source: CMS's Medicaid Budget & Expenditure System. [End of table] [End of section] Appendix III: Comments from the Department of Health and Human Services: Department of Health & Human Services: Office of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: November 1, 2012: Carolyn L. Yocom: Director, Health Care: U.S. Government Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Ms. Yocom: Attached are comments on the U.S. Government Accountability Office's (GAO) report entitled, "Medicaid Integrity Program: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency" (GAO 12-917). The Department appreciates the opportunity to review this report prior to publication. Sincerely, Signed by: Jim R. Esquea: Assistant Secretary for Legislation: Attachment: General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office's (GAO) Draft Report Entitled, "Medicaid Integrity Program: CMS Should Take Steps To Eliminate Duplication And Improve Efficiency" (GAO-12-917): The Department appreciates the opportunity to review and comment on this subject GAO draft report. The Medicaid Integrity Program encompasses a wide variety of CMS's activities to support states' efforts to prevent improper payments and fraud in their Medicaid programs. Section 1936(d) of the Social Security Act requires that a comprehensive plan for the Medicaid Integrity Program be established every 5 years. CMS is currently revising the Comprehensive Medicaid Integrity Plan (CMIP) for the upcoming fiscal years to unveil significant changes to improve the efficiency of Medicaid program integrity activities and to address many of the issues identified in this report. In addition to plans to eliminate duplication and improve efficiency, the CMIP will also address the anticipated expansion of the Medicaid program, increasing enrollment in Medicaid managed care, and the emerging roles of the new state Medicaid recovery audit contractors. To implement the Medicaid Integrity Program, CMS established the Medicaid Integrity Group (MIG) in 2006 to oversee a comprehensive effort to address fraud, waste, and abuse in the Medicaid program. MIG coordinates a nationwide effort to reduce Medicaid improper payments through oversight of federal contractors, and a multi-faceted program of support and assistance to state Medicaid program integrity operations. MIG audits Medicaid providers and develops education and training materials for Medicaid providers, managed care organizations, Medicaid beneficiaries, and state Medicaid agencies regarding program integrity. MIG supports the states' anti-fraud efforts by conducting comprehensive triennial program integrity reviews, publishing best practices and other guidance documents, conducting field enforcement projects with state Medicaid agencies in vulnerable service areas, and offering training courses for state Medicaid staff at the Medicaid Integrity Institute and other CMS-sponsored staff training at no cost. GAO Recommendation 1: To eliminate duplication and more efficiently use audit resources, the CMS Administrator should merge the functions of the federal review and audit contractors within a state or geographic region. HHS Response: HHS concurs and is evaluating options for consolidating the work of contractors within current statutory and procurement requirements. GAO Recommendation 2: To ensure that the MIG's comprehensive reviews inform its management of the National Medicaid Audit Program (NMAP), the CMS Administrator should use the knowledge gained from the comprehensive reviews as a criterion for focusing NMAP resources towards states that have structural or data analysis vulnerabilities. HHS Response: HHS concurs that the comprehensive program integrity reviews can better inform the national audit program. The knowledge gained from the reviews can be effectively integrated into other knowledge sources to help identify the states and program areas representing the greatest risks to the Medicaid program. CMS will work to improve the integration of the knowledge gained from the comprehensive reviews and other data sources into our national audit strategy in the future. GAO Recommendation 3: To avoid unnecessary duplication overlap with other efforts, as well as the reporting of unverified and inaccurate data, the CMS Administrator should discontinue the annual state program integrity assessments. HHS Response: HHS concurs in part with the recommendation and will suspend the annual State Program Integrity Assessment (SPIA) while taking steps to address the limitations of SPIA that GAO has identified. HHS believes that triennial assessment through the comprehensive state program integrity reviews alone may not provide adequate data to inform CMS oversight. However, HHS has recognized the reporting overlap between SPIA and comprehensive program integrity reviews and has begun to streamline the questionnaires employed in program integrity reviews to eliminate duplication. The next version of the CMIP will outline plans to enhance the SPIA survey by refining the response tool, reducing the lag time for reporting, and providing for data validation and correction by CMS staff during comprehensive state program integrity reviews. GAO Recommendation 4: To ensure the most effective use of federal Medicaid program integrity funding, the CMS Administrator should reevaluate the agency's methodology for calculating a Return on Investment (ROI) for the Medicaid Integrity Program including reporting separately on the NMAP, and share its methodology with Congress and the states. HHS Response: HHS concurs in part with the recommendation. CMS reevaluates the ROI methodology for the Medicaid Integrity Program annually to reflect program changes and newly developed performance metrics, and has provided descriptions of the methodology in documents that are, or will soon be, available to the public. CMS has described its ROI methodology for the Medicaid Integrity Program previously in the annual budget justification for CMS, and stated for fiscal year 2013 that we are considering new measures that better reflect the resources invested through the Medicaid Integrity Program. Vital aspects of MIG's work, such as cost avoidance, educational programs and broad compliance efforts, are not fully captured in an ROI calculation based solely on overpayments identified or recovered. However, our current strategy for ROI methodology has been shared with GAO and appears in Table 2 of the current report, which will become public record for reference by Congress and the states. HHS does not feel it is necessary to report ROI separately on the NMAP component of the Medicaid Integrity Program, because CMS's Medicaid program integrity investments interact with one another and reporting separately on the NMAP ROI would provide a misleading index of the work and impact of the Medicaid Integrity Program. Moving forward, we will be reviewing the scope of what should be included in the calculation for a rate of return on expenditures. GAO Recommendation 5: To ensure the appropriate tracking of the results of states' program integrity activities, the CMS Administrator should increase its efforts to hold states accountable for reliably reporting program integrity recoveries as a part of their quarterly expenditure reporting. HHS Response: HHS concurs and will work through its regional offices to include this area in the risk assessment used in the selection of the financial management reviews. Each year, CMS identifies financial management reviews to be conducted of state Medicaid and Children's Health Insurance Programs. These financial management reviews are designed to hold states financially accountable through the identification of unallowable expenditures and, potentially, disallowance. In addition, to facilitate reliable reporting, CMS will continue to provide the necessary training and information to states on the actual mechanics of reporting program integrity recoveries in the Medicaid Budget and Expenditure System. Prior to implementation, we provided training to state and regional office users in all 10 regions and performed a nationwide training of state and regional office users at the Medicaid Integrity Institute in October 2011. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Carolyn L. Yocom, (202) 512-7114 or yocomc@gao.gov: Staff Acknowledgments: In addition to the contact named above, key contributors to this report were: Water Ochinko, Assistant Director; Leslie V. Gordon; Drew Long; and Jasleen Modi. [End of section] Related GAO Products: National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States. [hyperlink, http://www.gao.gov/products/GAO-12-814T]. (Washington, D.C.: June 14, 2012). National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States. [hyperlink, http://www.gao.gov/products/GAO-12-627]. (Washington, D.C.: June 14, 2012). Program Integrity: Further Action Needed to Address Vulnerabilities in Medicaid and Medicare Programs. [hyperlink, http://www.gao.gov/products/GAO-12-803T]. (Washington, D.C.: June 7, 2012). Medicaid: Federal Oversight of Payments and Program Integrity Needs Improvement. [hyperlink, http://www.gao.gov/products/GAO-12-674T]. Washington, D.C.: April 25, 2012. Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States. [hyperlink, http://www.gao.gov/products/GAO-12-288T]. Washington, D.C.: December 7, 2011. Fraud Detection Systems: Additional Actions Needed to Support Program Integrity Efforts at Centers for Medicare and Medicaid Services. [hyperlink, http://www.gao.gov/products/GAO-11-822T]. Washington, D.C.: July 12, 2011. Fraud Detection Systems: Centers for Medicare and Medicaid Services Needs to Ensure More Widespread Use. [hyperlink, http://www.gao.gov/products/GAO-11-475]. Washington, D.C.: June 30, 2011. Improper Payments: Recent Efforts to Address Improper Payments and Remaining Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-575T]. Washington, D.C.: April 15, 2011. Status of Fiscal Year 2010 Federal Improper Payments Reporting. [hyperlink, http://www.gao.gov/products/GAO-11-443R. Washington, D.C.: March 25, 2011. Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-11-409T]. Washington, D.C.: March 9, 2011. Medicare: Program Remains at High Risk Because of Continuing Management Challenges. [hyperlink, http://www.gao.gov/products/GAO-11-430T]. Washington, D.C.: March 2, 2011. Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue. [hyperlink, http://www.gao.gov/products/GAO-11-318SP]. Washington, D.C.: March 1, 2011. High-Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-11-278]. Washington, D.C.: February 2011. Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight. [hyperlink, http://www.gao.gov/products/GAO-10-143]. Washington, D.C.: March 31, 2010. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. [hyperlink, http://www.gao.gov/products/GAO-09-1004T]. Washington, D.C.: September 30, 2009. Medicaid: Fraud and Abuse Related to Controlled Substances Identified in Selected States. [hyperlink, http://www.gao.gov/products/GAO-09-957]. Washington, D.C.: September 9, 2009. Improper Payments: Progress Made but Challenges Remain in Estimating and Reducing Improper Payments. [hyperlink, http://www.gao.gov/products/GAO-09-628T]. Washington, D.C.: April 22, 2009. Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax System. [hyperlink, http://www.gao.gov/products/GAO-08-239T]. Washington, D.C.: November 14, 2007. Medicaid: Thousands of Medicaid Providers Abuse the Federal Tax System. [hyperlink, http://www.gao.gov/products/GAO-08-17]. Washington, D.C.: November 14, 2007. Medicaid Financial Management: Steps Taken to Improve Federal Oversight but Other Actions Needed to Sustain Efforts. [hyperlink, http://www.gao.gov/products/GAO-06-705]. Washington, D.C.: June 22, 2006. Medicaid Integrity: Implementation of New Program Provides Opportunities for Federal Leadership to Combat Fraud, Waste, and Abuse. [hyperlink, http://www.gao.gov/products/GAO-06-578T]. Washington, D.C.: March 28, 2006. Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard Program Dollars Is Limited. [hyperlink, http://www.gao.gov/products/GAO-05-855T]. Washington, D.C.: June 28, 2005. Major Management Challenges and Program Risks: Department of Health and Human Services. [hyperlink, http://www.gao.gov/products/GAO-03-101]. Washington, D.C.: January 2003. [End of section] Footnotes: [1] Medicaid consists of 56 distinct programs, and, within broad federal parameters, states are responsible for the day-to-day operations of their Medicaid programs. The 56 Medicaid programs include one for each of the 50 states, the District of Columbia, Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, and the United States Virgin Islands. [2] An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. This definition includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except where authorized by law), and any payment that does not account for credit for applicable discounts. Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111-204, § 2(e), 124 Stat. 2224, 2227 (codified at 31 U.S.C. § 3321 note). [3] The federal government matches states' expenditures for most Medicaid services using a statutory formula based on each state's per capita income. In fiscal year 2011, the federal share of Medicaid spending was $275 billion, while the state share was $161 billion. [4] See GAO, Major Management Challenges and Program Risks: Department of Health and Human Services, [hyperlink, http://www.gao.gov/products/GAO-03-101] (Washington, D.C.: Jan. 2003). [5] See GAO, Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard Program Dollars Is Limited, [hyperlink, http://www.gao.gov/products/GAO-05-855T] (Washington, D.C.: June 28, 2005). [6] See GAO, Medicare and Medicaid Fraud, Waste, and Abuse: Effective Implementation of Recent Laws and Agency Actions Could Help Reduce Improper Payments, [hyperlink, http://www.gao.gov/products/GAO-11-409T] (Washington, D.C.: Mar. 9, 2011). [7] See Pub. L. No. 109-171, § 6034, 120 Stat. 4, 74-78 (2006) (codified at 42 U.S.C. § 1396u-6). [8] See GAO, National Medicaid Audit Program: CMS Should Improve Reporting and Focus on Audit Collaboration with States, [hyperlink, http://www.gao.gov/products/GAO-12-627] (Washington, D.C.: June 14, 2012). [9] The 11 states were Arizona, California, Connecticut, Florida, Kentucky, New York, Ohio, Pennsylvania, Texas, Washington, and Wisconsin. We selected these states because of their geographic diversity and because together they account for almost half of all Medicaid spending and beneficiaries. [10] We did not review technical assistance provided to states by the MIG or the activities of the MIG's education contractor, which works with providers on payment integrity and quality of care issues. [11] CHIP is the acronym for the State Children's Health Insurance Program, a federal-state program that provides health care coverage to children 18 years of age and younger living in low-income families whose incomes exceed the eligibility requirement for Medicaid. [12] Under the DRA provision, as amended, $5 million was appropriated for the Medicaid Integrity Program for fiscal year 2006, increasing to $50 million for each of the subsequent 2 fiscal years, and $75 million for fiscal years 2009 and 2010. For each fiscal year since 2010, the amount appropriated has been the previous year's appropriation adjusted for inflation. [13] The MIG's review contractors conduct data analysis intended to help identify potential audit targets using algorithms that target specific types of overpayments, such as duplicate claims for the same service, and specify a set of rules to analyze the data. The MIG maintains about 100 algorithms. [14] Audit contractors notify the providers and request documentation. Audit work involves reviewing provider records and interviewing providers and personnel. The audit contractors prepare draft audit reports and incorporate provider and state comments. The MIG reviews the audit contractors' submission and when it is considered complete sends a final audit report to the state to pursue and collect any overpayments. [15] The MIG began implementing collaborative audits in 2010 and, in February 2011, stopped assigning MSIS audits. As of June 2012, however, about 90 MSIS audits were still underway. [16] See [hyperlink, http://www.gao.gov/products/GAO-12-627]. [17] HHS-OIG, MSIS Data Usefulness for Detecting Fraud, Waste, and Abuse, OEI-04-07-00240 (August 2009); HHS-OIG, Top Management and Performance Challenges Facing the Department of Health and Human Services in Fiscal Year 2011 (November 2011). [18] See [hyperlink, http://www.gao.gov/products/GAO-12-627]. [19] As of February 2012, 123 of the 1,550 MSIS audits were on-going and 286 were in the draft audit report stage. [20] These data are as of February 2012. The MIG generally considers overpayments of $2,000 or less as too low to merit collection, but it has issued final audit reports for less than that amount. [21] Prior to the MIG, CMS conducted comprehensive reviews of state program integrity activities every 7 years. [22] [hyperlink, http://www.cms.gov/Medicare-Medicaid- Coordination/Fraud- Prevention/FraudAbuseforProfs/StateProgramIntegrityReviews.html]. [23] The SPIA online database contains more detailed information than is presented in the one-page summaries. SPIA results covering all states are also summarized in a three-page executive summary, and detailed data for each state are available for all SPIA years. [24] 42 U.S.C. §1396u-6(e)(5). [25] CMS's Financial Review Guide describes the protocol that its staff uses to validate the state-reported data. [26] MIG officials told us that they consulted CMS's Office of Acquisition and Grants Management before deciding to hire separate review and audit contractors. This office manages contracting activities and is responsible for developing acquisition policy and procedures. [27] The MIG required both type of contractors to execute Joint Operating Agreements with state Medicaid agencies. [28] As part of their data analyses, the review contractors submitted samples of their potential findings to the states, via the MIG, for review and validation. See [hyperlink, http://www.gao.gov/products/GAO-12-627]. [29] Since the implementation of NMAP, the MIG has changed audit contractors in two of the five geographic areas and thus new contractors had to become familiar with state Medicaid policies while the original audit contractors completed any remaining work. [30] HHS-OIG, Early Assessment of Audit Medicaid Integrity Contractors, OEI-05-1-00210 (March 2012). [31] According to MIG officials, in cases where MMIS data are not available at the outset, the review contractors run algorithms on MSIS data. The review contractors conducted data analysis on 34 percent of the 112 collaborative audits assigned to the MIG's audit contractors from January 2010 through December 2011. [32] Data reported is as of February 29, 2012. We only report the duration for 58 of the 59 MSIS audits that resulted in a final audit report because of the ambiguity of the duration of one audit. The duration of MSIS audits includes the several weeks that the MIG takes to review the draft findings and release the final audit report to states. [33] According to CMS, 13 of these ongoing 118 audits had low or no findings and 15 have resulted in draft audit reports as of June 2012. In addition, MIG officials told us that two audits in progress were consolidated into one draft audit report, which reduces the number of audits in progress by two rather than one. [34] The Patient Protection and Affordable Care Act requires state Medicaid programs to establish contracts with recovery audit contractors to identify and recoup overpayments, consistent with state law and similar to the contracts established for the Medicare program. Pub. L. No. 111-148, § 6411, 124 Stat. 119,773 (2010). [35] OEI-05-1-00210. [36] The MIG funds state officials' attendance at and travel to the institute. [37] MFCUs, which are generally located in state Attorney Generals' offices, are responsible for investigating and prosecuting Medicaid fraud. State program integrity offices refer cases to these units. [38] National Association of Medicaid Directors, Rethinking Medicaid Program Integrity: Eliminating Duplication and Investing in Effective, High-value Tools (March 2012) and Medicaid and CHIP Payment and Access Commission, Report to Congress on Medicaid and CHIP (March 2012). [39] The comprehensive reviews of 51 states were performed from 2008 through 2011 and were the most recently available as of May 2012. [40] SURS is intended to develop statistical profiles of services, providers, and beneficiaries in order to identify potential improper payments. For example, SURS may apply automatic postpayment screens to Medicaid claims in order to identify aberrant billing patterns. [41] According to MIG officials, partial repeat findings are cited when a state has (1) started, but not completed, steps to correct a vulnerability, or (2) not yet addressed a new statutory requirement. [42] See GAO, Medicaid Program Integrity: Expanded Federal Role Presents Challenges to and Opportunities for Assisting States, [hyperlink, http://www.gao.gov/products/GAO-12-288T] (Washington, D.C.: Dec. 7, 2011). [43] According to CMS, not all of the information that the SPIA collects on expenditures is available through quarterly reports. For example, unlike the quarterly reporting form, the SPIA asks for expenditure information by activity. Many states, however, do not report such information and the information provided is not validated. If CMS believed that such detailed program integrity expenditure data were valuable, it could revise states' quarterly reporting requirements. [44] Secretary of Health and Human Services, Annual Report to Congress on the Medicaid Integrity Program, Center for Program Integrity, Centers for Medicare & Medicaid Services, Fiscal Year 2010. (Washington, D.C.: June 2010). [45] Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2010 (Washington, D.C.: May 7, 2009). [46] Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2011 (Washington, D.C.: Feb. 1, 2010). [47] Department of Health and Human Services, Centers for Medicare & Medicaid Services Justification of Estimates for Appropriations Committees, Fiscal Year 2013 (Washington, D.C.: Feb. 13, 2012). [48] State program integrity units are required to report on their methodology for calculating ROI as a part of the comprehensive reviews and some describe their methodology in reports to their legislatures. [49] According to CMS officials, when such occurrences are identified, they notify the state to make a correction. [50] Again, CMS officials told us that they notify the state to make a correction when such issues are identified. [51] For examples of state annual reports see Florida Agency for Heathcare Administration and Medicaid Fraud Control Unit Department of Legal Affairs, The State's Efforts to Control Medicaid Fraud and Abuse, 2010-2011 (December 2011), accessed June 29, 2012. Available at [hyperlink, http://ahca.myflorida.com/Executive/Inspector_General/index.shtml] and Illinois Department of Healthcare and Family Services, Medical Assistance Program Annual Report Fiscal Years 2008, 2009 and 2010 (Apr. 1, 2011). [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E-mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]