This is the accessible text file for GAO report number GAO-14-341 entitled 'Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures' which was released on June 18, 2014. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Committee on Finance, U.S. Senate: May 2014: Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures: GAO-14-341: GAO Highlights: Highlights of GAO-14-341, a report to the Committee on Finance, U.S. Senate. Why GAO Did This Study: In fiscal year 2013, the Medicaid program covered about 71.7 million individuals at a cost of $431.1 billion, of which CMS estimated that $14.4 billion (5.8 percent) were improper payments.
Multiple state and federal entities are involved in program integrity efforts, such as payment review, auditing, and investigating fraud. GAO was asked to examine how these entities ensure comprehensive Medicaid program integrity. This report examines state and federal roles and responsibilities to identify potential (1) gaps in efforts to ensure Medicaid program integrity coverage; and (2) fragmentation, overlap, or duplication of program integrity efforts, and efforts to coordinate activities. GAO examined relevant federal laws and regulations, CMS guidance, and state program integrity reviews. GAO also interviewed officials from CMS and HHS's Office of Inspector General, as well as PI unit and MFCU officials from seven states.

What GAO Found:

GAO identified a gap in state and federal efforts to ensure Medicaid managed care program integrity. Federal laws require the states and the Centers for Medicare & Medicaid Services (CMS) to ensure the integrity of the Medicaid program, including payments under Medicaid managed care, which are growing at a faster rate than payments under fee-for-service (FFS). However, five state program integrity (PI) units and four Medicaid Fraud Control Units (MFCU) from the seven states included in GAO's review said they primarily focus their efforts on Medicaid FFS claims and have not begun to closely examine program integrity in Medicaid managed care. In addition, federal entities have taken few steps to address Medicaid managed care program integrity.

* CMS, the federal agency within the Department of Health and Human Services (HHS) that oversees Medicaid, has largely delegated managed care program integrity oversight activities to the states, but has not updated its program integrity guidance since 2000.

* Additionally, CMS does not require states to audit managed care payments, and state officials GAO interviewed said they require additional CMS support, such as additional guidance and the option to obtain audit assistance from existing Medicaid integrity contractors, in overseeing Medicaid managed care program integrity.

The involvement of multiple entities in conducting post-payment reviews, audits, and investigations has resulted in fragmented program integrity efforts; yet the effects of fragmentation are unclear. As GAO has found in past work, coordinating activities can alleviate many problems created by fragmentation, thus allowing entities to avoid unnecessary duplication and overlap. Most of the program integrity officials from the seven states GAO included in this review said that coordination efforts helped them manage overlap and avoid unnecessary duplication; however, some officials said that coordination presented additional challenges for time and staff resources. Given that combined federal and state efforts have recovered only a small portion of the estimated improper payments, continued monitoring of federal and state program integrity efforts in Medicaid will be an important means of assessing whether the current structure is effective.

Because of the gap GAO identified between state and federal program integrity efforts in managed care, neither state nor federal entities are well positioned to identify improper payments made to managed care organizations (MCOs), nor are they able to ensure that MCOs are taking appropriate actions to identify, prevent, or discourage improper payments.
Improving federal and state efforts to strengthen Medicaid managed care program integrity takes on greater urgency as states that choose to expand their Medicaid programs under the Patient Protection and Affordable Care Act are likely to do so with managed care arrangements, and will receive a 100 percent federal match for newly eligible individuals from 2014 through 2016. Unless CMS takes a larger role in holding states accountable, and provides guidance and support to states to ensure adequate program integrity efforts in Medicaid managed care, the gap between state and federal efforts to monitor managed care program integrity will leave a growing portion of federal Medicaid dollars vulnerable to improper payments.

What GAO Recommends:

GAO recommends that CMS increase its oversight of program integrity efforts by requiring states to audit payments to and by MCOs; updating its guidance on Medicaid managed care program integrity; and providing states additional support for managed care oversight, such as audit assistance from existing contractors. In its comments, HHS asked for clarification on the first recommendation and concurred with the other two. In response, GAO clarified its first recommendation--that CMS take the added step of requiring states to audit the appropriateness of payments to and by MCOs to better ensure Medicaid program integrity.

View [hyperlink, http://www.gao.gov/products/GAO-14-341]. For more information, contact Carolyn L. Yocom at (202) 512-7114 or yocomc@gao.gov.
[End of section]

Contents:

Letter:
Background:
Managed Care Presents a Gap in Medicaid Program Integrity Efforts:
Fragmentation Exists and Coordination Efforts Raise Benefits and Challenges:
Conclusions:
Recommendations for Executive Action:
Agency Comments:

Appendix I: Comments from the Department of Health and Human Services:

Appendix II: GAO Contact and Staff Acknowledgments:

Figure:

Figure 1: Federal and Non-Federal Entities with Primary Oversight Responsibilities for Medicaid Program Integrity:

Abbreviations:

CHIP: Children's Health Insurance Program:
CMS: Centers for Medicare & Medicaid Services:
DOJ: Department of Justice:
DRA: Deficit Reduction Act of 2005:
FFS: fee-for-service:
HHS: Department of Health and Human Services:
HHS-OIG: Department of Health and Human Services' Office of Inspector General:
MACPAC: Medicaid and CHIP Payment and Access Commission:
MCO: managed care organization:
MEQC: Medicaid Eligibility Quality Control:
MFCU: Medicaid Fraud Control Unit:
MIC: Medicaid integrity contractor:
MIG: Medicaid Integrity Group:
OFM: Centers for Medicare & Medicaid Services' Office of Financial Management:
PERM: Payment Error Rate Measurement:
PI: program integrity:
PPACA: Patient Protection and Affordable Care Act:
RAC: recovery audit contractor:
SSA: Social Security Act:
SURS: Surveillance and Utilization Review Subsystem:

[End of section]

United States Government Accountability Office:
GAO:
441 G St. N.W.
Washington, DC 20548:

May 19, 2014:

The Honorable Ron Wyden:
Chairman:
The Honorable Orrin G. Hatch:
Ranking Member:
Committee on Finance:
United States Senate:

In fiscal year 2013, the Medicaid program provided health care coverage to about 71.7 million individuals at a cost of approximately $431.1 billion.[Footnote 1] The federal and state governments fund Medicaid, which finances the delivery of health care services to beneficiaries through fee-for-service (FFS) payments to participating providers and capitated payments to managed care organizations (MCO).[Footnote 2] Most Medicaid beneficiaries are in managed care, and although expenditures for managed care are less than FFS expenditures, managed care expenditures are growing at a faster rate. Medicaid consists of 51 state-based programs and, within broad federal parameters, states are largely responsible for the day-to-day operations, including the program integrity activities, of their Medicaid programs.[Footnote 3]

The size and diversity of the Medicaid program make it particularly vulnerable to improper payments--including payments made for treatments or services that were not covered by program rules, that were not medically necessary, or that were billed for but never provided.[Footnote 4] The Centers for Medicare & Medicaid Services (CMS), the federal agency within the Department of Health and Human Services (HHS) that oversees Medicaid, estimated that $14.4 billion (5.8 percent) of federal Medicaid expenditures for fiscal year 2013 were improper payments. Several state and federal entities are involved in Medicaid program integrity, including state Medicaid agencies and law enforcement divisions, the Medicaid Integrity Group within CMS, and HHS's Office of the Inspector General (HHS-OIG).
The existence of multiple entities engaged in Medicaid program integrity activities allows for broader coverage but could also create the potential for fragmentation, overlap, and duplication of program integrity efforts.[Footnote 5] These efforts are of particular importance because of the significant growth expected in Medicaid due to implementation of the Patient Protection and Affordable Care Act (PPACA).[Footnote 6] Although having multiple entities involved in program integrity allows for specialization, resource sharing, and breadth of knowledge, we have found in past work that an effective program integrity strategy in Medicaid requires coordination among state and federal agencies to ensure broad program coverage while minimizing inefficient duplication of effort.[Footnote 7] In previous work we found that CMS has had limited success assisting states to recover improper payments, in part, due to duplication of effort within its activities.[Footnote 8]

You asked us to examine whether potential fragmentation, overlap, and duplication exist among the activities of the entities charged with ensuring Medicaid program integrity. This report examines state and federal roles and responsibilities to identify potential (1) gaps in efforts to ensure comprehensive Medicaid program integrity coverage; and (2) fragmentation, overlap, or duplication of program integrity efforts, and examine efforts to coordinate activities.

To identify potential gaps in state and federal efforts to ensure comprehensive program integrity coverage, we identified core program integrity activities related to improper payment prevention, detection, and recovery; and interviewed officials from HHS-OIG, the Medicaid Integrity Group, and selected state program integrity (PI) units and Medicaid Fraud Control Units (MFCU) about their roles and responsibilities in conducting these activities for both fee-for-service and Medicaid managed care payments.
We selected seven states to provide a range of geographic distribution, size of their Medicaid program, implementation status of their recovery audit contractor (RAC) program, participation in the Medicare-Medicaid Data Match Program, and experience working with federal Medicaid integrity contractors (MIC) on audits. The states selected for interviews were California, Florida, Maryland, New Jersey, New York, Ohio, and Texas. The information we obtained from our selected states cannot be generalized to other states. We also reviewed relevant federal laws, including the Social Security Act (SSA), the Deficit Reduction Act of 2005 (DRA), PPACA, as well as federal regulations, CMS reviews of state program integrity activities, and guidance in those areas.

To identify potential fragmentation, overlap, or duplication of program integrity efforts, and examine efforts to coordinate activities, we interviewed officials from HHS-OIG, the Medicaid Integrity Group, and state PI units and MFCUs about their roles, responsibilities, and coordination activities. We also reviewed a variety of documents to identify areas of fragmentation, overlap, and duplication including relevant federal regulations, state Medicaid fraud, waste, and abuse plans, and memorandums of understanding (MOU) among the entities.[Footnote 9]

We conducted this performance audit from June 2013 through May 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Federal laws authorize both state and federal entities to protect the Medicaid program from fraud, waste, and abuse.
Specifically, various provisions of federal law give CMS the authority to oversee Medicaid program integrity and to set requirements with which state Medicaid programs must comply.[Footnote 10] As a result, program integrity efforts consist of state and federal activities to detect and deter improper payments--including fraud, waste, and abuse--that range from provider enrollment to post-payment claims review and investigation.

* Provider enrollment: States screen providers who seek to participate in Medicaid to verify their eligibility. As part of the enrollment process, states must collect certain information from providers, including MCOs, about their ownership interests and criminal background, search exclusion and debarment lists, and take action to exclude those providers who appear on those lists.[Footnote 11] In some states, MCOs are primarily responsible for enrolling participating providers.

* Pre-payment review: States conduct prepayment review of claims to ensure appropriateness. Typically, states use payment edits programmed into their claims processing systems to compare claims data in order to approve or deny claims, or flag them for further review. They may also analyze claims data against models of fraudulent behavior to identify potentially fraudulent providers for further investigation.

* Post-payment claims review: States and Medicaid contractors analyze paid claims, related provider records, and supporting documentation to ensure appropriate utilization, and to identify potential improper payments. These routine reviews may rely on the use of algorithms and data mining to identify potentially improper payments, which are subjected to additional review, including audits.[Footnote 12]

* Auditing: Payments to providers are audited to determine compliance with Medicaid billing rules.

* Investigation: When enrollment, prepayment review, post-payment review, or audits uncover potentially fraudulent claims, states must refer those claims or providers to law enforcement entities for investigation and possible prosecution.

* Recovery: Once a state has identified and documented improper payments through audit activity, the state generally has one year from the date of a final audit report to recover the overpayment from the provider before reporting the return of the federal share, which can reach up to 100 percent for certain newly enrolled populations under PPACA, to CMS.[Footnote 13] Federal law requires the state to return the federal share of the overpayment regardless of whether the state was able to recover it, unless the provider has been determined to be bankrupt or out of business.[Footnote 14]

State and Federal Program Integrity Entities:

A variety of entities are engaged in Medicaid program integrity activities. States have primary responsibility for reducing, identifying, and recovering improper payments. Federal entities typically provide oversight, as well as program and law enforcement support. Figure 1 illustrates the various entities, both federal and non-federal, that are involved in Medicaid program integrity.[Footnote 15]

Figure 1: Federal and Non-Federal Entities with Primary Oversight Responsibilities for Medicaid Program Integrity:

[Refer to PDF for image: illustration]

Federal Entities:

Department of Justice (DOJ)[A];
Department of Health and Human Services (HHS)[F]:
* Administration on Aging (AoA)[E][B];
* Centers for Medicare and Medicaid Services (CMS)[F]:
- Office of Financial Management (OFM)[C][E];
- Center for Program Integrity (CPI)[F]:
-- Medicaid Integrity Group (MIG)[F]; Medicaid Integrity Contractors (MIC)[E];
-- Zone Program Integrity Contractors (ZPIC)[E];
* Office of the Inspector General (OIG)[F].

Non-Federal Entities:

Medicaid Managed Care Organizations (MCO)[E]:
* Special Investigation Units (SIU)[E].
State Medicaid Agency/Single State Agency (SSA)[D][E]:
* Program Integrity Unit (PIU)[F]:
- Recovery Audit Contractors (RAC)[E];
- Surveillance and Utilization Review Subsystem (SURS)[E].
State Auditors Offices/Comptroller's Office[E];
State Attorney General's Office[E];
Local District Attorneys[E];
Medicaid Fraud Control Unit (MFCU)[F].

Source: GAO.

[A] The Department of Justice (DOJ) works with the Department of Health and Human Services' (HHS) Office of Inspector General (HHS-OIG) and state law enforcement entities to investigate and prosecute health care fraud. Various divisions within DOJ are involved in Medicaid program integrity, including the U.S. Attorneys' Offices, Civil Division, Civil Rights Division, Criminal Division, and the Federal Bureau of Investigation. We focused our review on federal entities that conduct a wide range of Medicaid program integrity activities. We did not examine DOJ's role, which is limited to investigation and prosecution of health care fraud cases.

[B] Administration on Aging, part of HHS's Administration for Community Living, leads the Senior Medicare Patrols program, which provides education to seniors to help them identify fraud, waste, and abuse in Medicare and Medicaid. Senior Medicare Patrols projects also work to resolve beneficiary complaints of potential fraud. We did not include the HHS/Administration for Community Living's Administration on Aging because they have limited Medicaid program integrity oversight responsibilities.

[C] CMS's Office of Financial Management (OFM) oversees the Medicaid Eligibility Quality Control (MEQC) and Payment Error Rate Measurement (PERM) assessments. MEQC is designed to improve the quality of state eligibility determinations, and requires states to provide an annual estimate of improper payments in Medicaid based on eligibility reviews of states' recipients. MEQC is overseen by OFM and carried out by the states. PERM measures improper payments in Medicaid and the Children's Health Insurance Program (CHIP), and is made up of three components: fee-for-service, managed care, and eligibility reviews. OFM also oversees PERM, and contractors complete the managed care and fee-for-service components; states conduct eligibility reviews and report the results to CMS. We did not include OFM in our study because it has limited Medicaid program integrity oversight responsibilities. We also did not include the MEQC or PERM programs in our study. Each of these was examined in the June 2013 Medicaid and CHIP Payment and Access Commission (MACPAC) report to Congress (see the June 2013 MACPAC report [hyperlink, http://www.macpac.gov/reports]).

[D] Other state agencies may also play a role in Medicaid program integrity including such activities as monitoring providers' quality of care and prosecuting Medicaid fraud cases.

[E] Not interviewed for this study.

[F] Interviewed for this study.

[End of figure]

States and CMS both have roles in ensuring Medicaid program integrity.[Footnote 16] States are generally responsible for the day-to-day program operations and are afforded wide latitude in how they structure and administer their programs. They typically have two designated entities specifically tasked with ensuring Medicaid program integrity: PI units and MFCUs.[Footnote 17] PI units are often located within the state's Medicaid agency and are tasked with identifying and recovering improper payments. MFCUs are typically housed in the state's attorney general's office and are tasked with investigating Medicaid fraud and other health care law violations.[Footnote 18] States are also required to operate a Surveillance and Utilization Review Subsystem (SURS) in conjunction with their claims processing databases.[Footnote 19] States are to refer instances of suspected overpayments to PI units for corrective action and potential fraud cases to the state's MFCU.
In addition, states are now required to contract with recovery audit contractors (RAC) to identify under- and over-payments as part of their program integrity activities.[Footnote 20]

CMS oversees state Medicaid programs by providing states with guidance related to statutory and regulatory requirements, as well as technical assistance on specific program integrity activities such as data-mining. The DRA increased the federal government's role by establishing the Medicaid Integrity Program to support and oversee state program integrity efforts.[Footnote 21] To carry out these responsibilities, CMS established the Medicaid Integrity Group, which conducts comprehensive reviews of state Medicaid program integrity activities to assess these activities and the state's compliance with federal program integrity laws. In addition, the Medicaid Integrity Group works with MICs who review and audit Medicaid claims. The Medicaid Integrity Group also provides training to state program integrity staff through its Medicaid Integrity Institute. CMS also collects information from states on their recoveries of overpayments; however, we recently reported that most states were not fully reporting recoveries and recommended that CMS should increase efforts to hold states accountable for reliably reporting program integrity recoveries to ensure that states are returning the federal share of recovered overpayments.[Footnote 22]

HHS-OIG oversees Medicaid program integrity through its audits, investigations, and program evaluations. It is also responsible for enforcing certain civil and administrative health care fraud laws.[Footnote 23] In addition, the HHS-OIG oversees the MFCUs, assessing their compliance with statutes, regulations, and HHS-OIG policy. HHS-OIG is also responsible for assessing MFCU performance and recommends program improvements where appropriate.
Medicaid Managed Care:

States have traditionally provided Medicaid benefits using a fee-for-service system, where health care providers are paid for each service. However, according to CMS, in the past 15 years, states have more frequently implemented a managed care delivery system for Medicaid benefits. In a managed care delivery system, beneficiaries obtain some portion of their Medicaid services from an organization under contract with the state, and payments to MCOs are typically made on a predetermined, per person per month basis. In contrast, under the traditional fee-for-service delivery system, health care providers are paid for each unit of service delivered. Two-thirds of Medicaid beneficiaries now receive some of their services from MCOs, and many states are expanding their use of managed care to additional geographic areas and Medicaid populations. Nationally, approximately 27 percent, or $74.7 billion, of federal Medicaid expenditures in fiscal year 2011 were attributable to Medicaid managed care which, according to HHS, included the 57 percent of Medicaid beneficiaries who were enrolled in Medicaid MCOs as of July 1, 2011.

States oversee MCOs that provide care to Medicaid beneficiaries through contracts and reporting requirements, which may include identifying improper payments to providers within their plans. In addition, CMS has developed requirements for states and MCOs to protect against fraud and abuse in Medicaid managed care. Among other things, CMS requires MCOs to implement compliance plans, train MCO employees, and monitor payments.[Footnote 24]

Managed Care Presents a Gap in Medicaid Program Integrity Efforts:

Most state and federal program integrity officials we interviewed told us that they did not closely examine Medicaid managed care payments, but instead primarily focused their program integrity efforts on FFS claims. Moreover, federal entities have taken few steps to address Medicaid managed care program integrity.
States Have Focused on FFS Claims and Have Not Closely Examined Medicaid Managed Care Program Integrity:

State PI unit officials from five of the seven states in our study and MFCU officials from four of the study states told us they primarily focus their program integrity efforts on Medicaid FFS claims. These officials said they have not begun to closely examine program integrity in Medicaid managed care, which is a growing portion of overall Medicaid expenditures.[Footnote 25] State PI units and MFCUs are responsible for ensuring Medicaid program integrity, part of which includes monitoring managed care program integrity. Each of the seven states included in our review had more than 60 percent of beneficiaries enrolled in managed care as of July 1, 2011, and expenditures attributable to managed care in the seven states varied, ranging from 18 to 38 percent of their total Medicaid spending in fiscal year 2011.

PI unit officials from the seven states described differing levels of complexity in conducting Medicaid managed care program integrity activities, as shown in the examples that follow.

* At the most sophisticated level, PI unit officials from two of the seven states we spoke with told us they examined payments to MCO plans and providers to identify improper payments, conducted meetings with MCOs to discuss provider audits and investigations, and used data analytics to identify aberrant patterns among MCO providers. They also conducted independent audits of payments to MCO plans.

* PI unit officials in the remaining five states told us that they were still in the early stages of shifting the focus of program integrity efforts to Medicaid managed care, and thus reported more limited actions.

- PI unit officials from three of these five states told us they examined Medicaid managed care providers for improper payments and fraud by reviewing MCO reporting on improper payments.

- PI unit officials from the remaining two states told us they did not examine MCO encounter data, and one of these states told us they do not perform audits of MCO providers or actively search for fraudulent activities.

MCOs have responsibility for identifying improper payments to providers within their plans; however, state officials suggested that MCOs might not have an incentive to identify and recover improper payments. Officials from two of the seven state PI units we spoke with told us that they believed MCOs were not consistently reporting improper payments to the state to avoid appearing vulnerable to fraud and abuse. Further, officials from three PI units described a potential conflict of interest because when MCOs report improper payment recoveries, future capitation rates could be reduced because of any improper payments identified.[Footnote 26] For example, officials from four PI units said their states account for improper payment recoveries and explained that it negatively impacts the MCO plans' rates for the following year.

State officials we spoke with told us that one reason they have not focused on managed care program integrity is that MCO plan and provider audits and investigations are more complex than those in the FFS model. Similarly, almost all of the state MFCU officials we spoke with told us that extra effort was required to obtain detailed managed care claims data. While most states have access to managed care encounter data, states must rely on MCO plans to provide actual dollar amounts of claims, which are needed to audit and investigate providers and determine the amounts of overpayments. Obtaining the data from each MCO could require significant time and effort, which may hamper audits and investigations, particularly in states with several MCO plans.
For example, according to CMS, as of July 1, 2011, four of the seven states included in our review had 20 or more MCOs operating in their state.[Footnote 27]

State officials also told us that in order to be effective, PI unit and MFCU staff needed specialized training and federal support in the form of updated regulations, guidance, and technical assistance. For example, state program integrity staff from two states attending the 2013 National Association of Medicaid Program Integrity conference suggested that one way that CMS could enhance its assistance to states would be to redirect its Medicaid integrity contractors to focus their audit activities on managed care payments. Such an arrangement could help identify possible patterns or vulnerabilities across states and assist states as they work to acquire the necessary expertise in managed care program integrity.

Without closer examination of Medicaid managed care payments, state PI units and MFCUs have limited ability to identify improper payments made to MCOs. They are also unable to ensure that MCOs are taking appropriate actions to identify, prevent, or discourage improper payments to providers. PPACA is expected to significantly expand the Medicaid program, with many of the new beneficiaries being enrolled in managed care and covered almost entirely by federal funds in 2014 through 2016. Considering managed care's growing share of federal Medicaid expenditures, Medicaid managed care is an area where program integrity activities are of growing importance to ensure the protection of federal dollars.

Federal Entities Have Taken Few Steps to Address Medicaid Managed Care Program Integrity:

Similar to states, federal entities--CMS and HHS-OIG--have taken few steps to address Medicaid managed care program integrity. For example, CMS officials told us that states have primary responsibility for direct oversight of MCOs' compliance with program integrity requirements.
CMS provides on-going support and guidance to states regarding their managed care programs, including review and approval of states' managed care waivers and contracts, as well as assessment and guidance regarding program integrity in Medicaid managed care. For example, CMS's comprehensive reviews examine state compliance with federal regulations governing managed care contracts, such as ensuring that MCOs disclose certain ownership and control information. However, according to CMS officials, the comprehensive reviews do not require or check to ensure that states are conducting more in-depth managed care program integrity activities, such as audits of managed care claims. In 2000, CMS issued Medicaid managed care program integrity guidance to states; as of Nov. 18, 2013, however, this guidance was not available on the CMS website, and six of the seven state PI unit officials we spoke with did not mention it when asked about the guidance they relied on in conducting program integrity activities.[Footnote 28] CMS officials said they were updating this guidance, but did not have a timeline for its completion.

According to CMS officials, states have requested additional support in ensuring managed care program integrity, and CMS has taken some actions to provide additional assistance. CMS officials said that states, including those with significant managed care experience, are still trying to understand their roles and responsibilities in overseeing managed care program integrity. In 2013, CMS offered two training sessions on Medicaid managed care program integrity through its Medicaid Integrity Institute. CMS officials told us that the sessions were well attended by PI unit staff and other Medicaid program staff. We reviewed the presentation materials, which provided extensive information regarding Medicaid managed care program integrity practices and strategies.
Presentation materials are accessible to PI staff who did not attend the training if they register as users through the Medicaid Integrity Institute website. States and CMS ensure Medicaid program integrity by preventing, detecting, and recovering improper payments. Specifically, various provisions of the SSA authorize CMS to develop requirements for the proper and efficient operation of the Medicaid program, including reporting requirements and methods for prepayment and post-payment review.[Footnote 29] In addition, the SSA requires CMS to audit Medicaid claims, including cost reports and payments to MCOs and requires MCO contracts to contain provisions giving HHS and states audit and access authority over MCOs and their subcontractors. [Footnote 30] This contractual requirement also appears in CMS's regulations, although CMS does not require states to conduct such audits.[Footnote 31] Moreover, PPACA required state Medicaid programs to establish contracts consistent with state law and similar to the contracts established for the Medicare RAC program, and required CMS to coordinate this expansion with the states and to promulgate implementing regulations.[Footnote 32] CMS subsequently issued guidance to the states and a regulation implementing the Medicaid RAC program; however, this regulation allowed states to exclude Medicaid managed care claims from review by Medicaid RACs.[Footnote 33] In comments accompanying the final rule, issued in 2011, CMS indicated that it might require Medicaid RACs to review managed care claims during future rule-making, once a permanent Medicare managed care RAC program was fully operational or a viable state Medicaid model had been identified.[Footnote 34] During a February 2014 interview with CMS officials, the officials reiterated that they were open to revisiting the issue of whether the Medicaid RAC program should cover MCO claims, but the officials did not provide any specific details regarding how or when this might be 
accomplished. The need for CMS leadership on program integrity efforts in managed care is particularly important, given that some states' expansions of their Medicaid programs under PPACA may be accomplished through managed care arrangements. Until CMS takes steps to ensure the integrity of Medicaid managed care, state and federal Medicaid dollars remain vulnerable to fraud, waste, and abuse. The HHS-OIG has noted the emergence of MCO fraud among recent Medicaid fraud trends, citing the increase in the agency's workload on MCO fraud cases. During the 2013 National Association of Medicaid Program Integrity conference, the agency presented on the challenges associated with identifying different types of plan-based fraud schemes, some of which result in inflated payments to MCOs. While CMS does audit states' payments to MCOs to verify that the state is paying the capitated rates specified in the MCO's contract, CMS does not require states to audit the appropriateness of these payments, to ensure, for example, that these payments do not include improper payments by plans. In addition to plan-level fraud, the agency has noted the need for more emphasis on analyzing potential provider fraud in Medicaid managed care. On June 1, 2012, HHS-OIG issued updated performance standards directing MFCUs to take steps to ensure that state Medicaid agencies, MCOs, and other agencies refer suspected provider fraud cases to the MFCU. Additionally, the updated performance standards direct MFCUs to ensure their caseload mix reflects the proportion of Medicaid beneficiaries enrolled in managed care. As of March 10, 2014, HHS-OIG had published three MFCU evaluations that used the new performance standards.[Footnote 35] In one MFCU evaluation, HHS-OIG found that 55 percent of the state's Medicaid beneficiaries were enrolled in MCOs, but the state's MFCU only opened one case involving an MCO during the two year review period. 
The other two state MFCU evaluations did not mention managed care, although the states' MFCUs did not open or close any managed care provider cases during the review period. According to CMS officials, as of July 1, 2011, the two states had almost 78 percent and nearly 60 percent of their Medicaid beneficiaries enrolled in MCOs.

Fragmentation Exists and Coordination Efforts Raise Benefits and Challenges:

The involvement of multiple state and federal entities in similar activities--post-payment reviews, audits, and investigations--has resulted in fragmented program integrity activities. Typically, as we have found in past work, coordinating activities can alleviate many of the problems created by fragmentation, allowing entities to avoid unnecessary duplication and overlap.[Footnote 36] State program integrity officials we interviewed told us that coordination efforts helped them avoid unnecessary duplication, but presented additional challenges.

Post-payment review activities are primarily led by states' PI units, which can include their SURS and RACs. Other state entities, such as state auditors' offices and other divisions in the state Medicaid agency may also participate in post-payment review activities. PI units coordinate these activities by (1) delegating specific data-mining targets to specific entities to avoid overlap, or (2) coordinating data-mining activities to ensure that the different entities are not duplicating each other's efforts to identify improper payments. For example, in four of the five states that had signed contracts with RACs, PI unit officials told us they require that before starting a data-mining project, the RAC must submit its plan to the PI unit for approval.[Footnote 37] Then, the PI unit checks the plan against other data-mining activities to ensure that the RAC will not be duplicating the activities of other entities.
Additionally, officials from one of these PI units told us they participate in a monthly meeting with the SURS, RAC, ZPIC, state auditor's office, and MFCU to discuss current data mining projects, and to decide who is best able to handle specific cases.

Although multiple state entities conduct post-payment review activities, their activities are not necessarily duplicative. State PI unit officials told us that the purposes of these reviews vary. For example, some PI unit officials told us other divisions within the state Medicaid agencies will use data mining to examine quality of care or clinical oversight issues. SURS post-payment reviews can include ensuring compliance with Medicaid payment policies.

The involvement of multiple federal and state entities in audits leads to fragmentation. PI units, RACs, MICs, HHS-OIG--and in some states, the state auditor's office--perform audits. PI unit officials told us they take the lead in coordinating these audit activities to minimize overlap and duplication, as well as expand the types of providers and health care areas subject to review.

* For example, five of the states we selected for this study had signed contracts with RACs, and PI unit officials from these states told us they direct the RACs to focus audits on specific areas to avoid duplicating other efforts.[Footnote 38] For example, PI unit officials in one state noted that the RAC asked and was granted permission to examine home health claims, which was an area where the PI unit had been unable to focus.

* In some cases, PI units also coordinated with MICs on collaborative audits. For these audits, PI units typically identified audit targets using state claims data, and the MIC performed the audit. Officials from one state told us that collaborative audits with the MIC in their state had reviewed over $200 million in claims, from which the state expects some recoveries.
With regard to fraud, fragmentation exists, in part, because multiple law enforcement entities may be responsible for the investigation of fraudulent claims. For example, fraud schemes may cross state lines thereby necessitating the involvement of multiple law enforcement entities.[Footnote 39] MFCUs have the primary responsibility for fraud investigations and coordinate with other state and federal law enforcement entities, including the HHS-OIG, U.S. Attorney's Offices, the Federal Bureau of Investigation, and state attorneys general. MFCUs coordinate with these entities to prevent duplicative investigations and to share knowledge on potential fraud schemes. MFCU officials from all of the states included in our review said they have regular meetings with federal entities to discuss cases, and officials from three MFCUs said they work cases with federal entities. HHS-OIG officials also said they work jointly with MFCUs and other entities to prevent a scenario where both entities would be conducting separate but duplicative investigations. To prevent duplication between fraud investigations and improper payment audits, all PI unit and MFCU officials we spoke with said they meet regularly to discuss current investigations and audits to ensure they are not pursuing the same target. All the MFCUs and PI units from the states that we reviewed had a memorandum of understanding, which describes the entities' relationship, consistent with federal regulation. Additionally, all of these entities said they seldom or never worked on cases involving the same provider at the same time. MFCU officials said that coordination helps with investigations because a PI unit pursuing a separate payment recovery action against a suspect provider could interfere with a criminal investigation. Coordination among PI units and MFCUs also allows the entities to share limited resources as the need arises. 
For example, MFCUs typically do not have clinical staff on hand, but can rely on the clinical expertise of PI units' and state Medicaid agencies' staff. MFCU officials from four states told us that coordination among entities helped improve their cases by better leveraging resources.

* Officials from one MFCU said their coordination meetings allow the entities to decide who is best suited to handle specific cases.

* Officials from two MFCUs said that working with other entities allows the MFCU to give assistance to or receive assistance from these other entities on investigations and executing warrants.

* Officials from another MFCU told us that other entities can take on cases that the MFCU would not have the authority to prosecute on their own.

However, our previous work has shown that measuring the results of health care fraud investigations is difficult due to several factors.[Footnote 40] These factors include the difficulties of establishing a health care fraud baseline to determine whether the amount of fraud has changed over time, quantifying the effect of investigation and prosecution on deterring fraud, and establishing a causal link between the work and changes in health care fraud.

Overall, PI unit officials generally described coordination efforts among program integrity offices positively.

* Officials from six of the seven PI units generally described their coordination efforts as requiring minimal resources and in some cases suggested that coordination improved program integrity functions, allowing the state to recover additional overpayments. For example, coordination among PI units and other entities--such as RACs or MFCUs--can allow entities to share limited resources and expertise.

* Officials from five MFCUs said their states' PI units will provide education to MFCU staff on various aspects of, and changes to, the Medicaid program.
* Officials from one PI unit said that MIC staff provided clinical expertise that was not available within the PI unit.

However, some of the officials with whom we spoke said that coordination efforts have sometimes proven to be problematic. For example, officials from three PI units described challenges with some types of collaborations.

* Officials from one PI unit told us they have to expend resources to address inappropriate audit findings from other entities. For example, in some cases, the MIC had pursued audit findings that the PI unit was not able to successfully support in court. These officials also told us that due to the number of entities involved, the audit coordination process was somewhat convoluted and caused delays in the audit process.

* Officials from a second PI unit said collaborative audits, which were initially put into place by the Medicaid Integrity Group to enhance collaboration between states and MICs, were not useful. The officials noted that years of working with the MIC on one project have generated less than $1,000 in findings in their state.

* Officials from a third PI unit told us that they spent time directing RAC activities in order to steer the RAC away from unproductive audits. The PI unit officials said the RACs sometimes pursue audits that result in findings that are difficult to prove and can harm relations with providers.

Additionally, officials from three PI units--including two of the above--said they would prefer to handle the work of RACs or MICs on their own or otherwise consolidate this work, if resources were available.

PI units and MFCU officials told us that their organizations coordinate their activities with multiple entities to avoid unnecessary duplication; however, the results of these coordinated efforts have been mixed.
Despite the combined efforts of various program integrity entities, our previous work has found that some states appear to be recovering only a small portion of estimated improper payments.[Footnote 41]

Conclusions:

GAO identified a gap between state and federal efforts to ensure Medicaid managed care program integrity. Federal laws require the states and CMS to ensure the integrity of the Medicaid program, including payments under Medicaid managed care. However, most of the state PI units and MFCUs included in our review were not closely examining the activities of MCOs, citing a lack of sufficient guidance and support. For example, CMS does not require states to audit the appropriateness of payments to MCOs to ensure payments have not been improperly inflated, nor does CMS require states to include review of payments to MCO providers as part of their Medicaid RAC programs. However, CMS has largely delegated managed care program integrity activities to the states. Without adequate federal support and guidance on ways to prevent or identify improper payments in a managed care setting, states are neither well-positioned to identify improper payments made to MCOs, nor are they able to ensure that MCOs are taking appropriate actions to identify, prevent, or discourage improper payments. Such efforts take on greater urgency as states that choose to expand their Medicaid programs under PPACA are likely to do so with managed care arrangements, receiving a 100 percent federal match for newly eligible individuals from 2014 through 2016. Unless CMS takes a larger role in holding states accountable, and provides guidance and support to states to ensure adequate program integrity efforts in Medicaid managed care, the gap between state and federal efforts to monitor managed care program integrity leaves a growing portion of federal Medicaid dollars vulnerable to improper payments.

Program integrity activities are fragmented across multiple state and federal entities.
If not carefully coordinated, these fragmented activities could result in additional overlap and unnecessary duplication. State PI units and MFCUs we reviewed coordinate with one another and federal entities to avoid duplication, but their coordination efforts present both benefits and challenges. As implemented across the states, newer program integrity efforts--such as RACs and MICs--may improve states' efforts to identify and recover improper payments; however, they will also increase the need for coordination to ensure maximum program coverage and minimum duplication and overlap of program integrity activities. Given that combined federal and state efforts have recovered only a small portion of the estimated improper payments, it will be important to continue to monitor federal and state program integrity efforts in Medicaid as a means of assessing whether the current structure is effective.

Recommendations for Executive Action:

In order to improve the efficiency and effectiveness of Medicaid program integrity efforts, we recommend that the Administrator of CMS take the following three actions:

1. hold states accountable for Medicaid managed care program integrity by requiring states to conduct audits of payments to and by managed care organizations;

2. update CMS's Medicaid managed care guidance on program integrity practices and effective handling of MCO recoveries; and

3. provide the states with additional support in overseeing Medicaid managed care program integrity, such as the option to obtain audit assistance from existing Medicaid integrity contractors.

Agency Comments:

We provided a draft of this report to HHS for comment. In its written comments, HHS stated that the Department concurred with two of our recommendations, and stated that our first recommendation--to hold states accountable for Medicaid managed care program integrity by requiring states to conduct audits of payments to and by managed care organizations--was unclear.
In response to this recommendation, HHS listed current CMS activities that the Department believes address the first recommendation. These activities include the audits under the PERM program, the adoption of regulations requiring MCOs to have fraud and abuse compliance plans and to provide in their contracts for HHS and state audit and access authority. While the activities described by HHS support states in ensuring other aspects of Medicaid program integrity, they do not require states to conduct audits to ensure the appropriateness of payments to MCOs or payments by MCOs and therefore do not achieve the goal of our recommendation. Taking this additional step, particularly in combination with additional guidance and audit assistance, would help ensure that payments to MCO plans are appropriate and that providers within MCOs are also consistently reviewed, thus helping ensure the integrity of the Medicaid program. HHS agreed with our recommendation to update CMS's Medicaid managed care guidance on program integrity practices and effective handling of MCO recoveries. HHS stated that CMS is consulting with federal and state partners regarding strategies to improve Medicaid program integrity, and plans to address changes in future rulemaking or other guidance. Additionally, HHS agreed that states could benefit from additional Medicaid managed care guidance, particularly regarding improper payment recoveries, and that CMS would consider issuing guidance to states regarding the handling of overpayment recoveries. HHS also agreed with our recommendation that CMS provide states with additional support in overseeing Medicaid managed care program integrity, such as the option to obtain audit assistance from existing Medicaid integrity contractors. HHS stated that CMS currently offers assistance to states, including guidance in the use of tools for managed care program integrity. 
HHS also said that in 2014 CMS will conduct special in-depth reviews focused on managed care program integrity activities in selected states that are expanding the use of managed care. Additionally, HHS stated that CMS is working with two states with considerable managed care experience to develop a model for managed care audits for all states. HHS's comments are reproduced in appendix I. HHS also provided technical comments, which we incorporated as appropriate. We also provided an extract of this report to the state PI units and MFCUs that we selected for interviews. We incorporated their technical comments as appropriate.

As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov].

If you or your staff have any questions about this report, please contact me at (202) 512-7114 or at yocomc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in Appendix II.

Sincerely yours,

Signed by:

Carolyn L. Yocom:
Director, Health Care:

[End of section]

Appendix I: Comments from the Department of Health and Human Services:

Department of Health & Human Services:
Office of The Secretary:
Assistant Secretary for Legislation:
Washington, DC 20201:

April 28, 2014:

Carolyn Yocum:
Director, Health Care:
U.S. Government Accountability Office:
441 G Street NW:
Washington, DC 20548:

Dear Ms. Yocum:

Attached are comments on the U.S.
Government Accountability Office's (GAO) report entitled, "Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures" (GAO-14-341). The Department appreciates the opportunity to review this report prior to publication.

Sincerely,

Signed by:

Jim R. Esquea:
Assistant Secretary for Legislation:

Attachment:

General Comments Of The Department Of Health And Human Services (HHS) On The Government Accountability Office (GAO) Draft Report: "Medicaid Program Integrity: Increased Oversight Needed To Ensure Integrity Of Growing Managed Care Expenditures" (GAO-14-341):

The Department appreciates the opportunity to review and comment on this draft report. Within HHS, the Center for Medicare & Medicaid Services (CMS) has placed significant importance on protecting and improving the fiscal and program integrity of the Medicaid program, whether delivered through fee for service or managed care arrangements. As GAO notes, more Medicaid beneficiaries are being served through managed care arrangements, and more Medicaid dollars are accounted for in those arrangements.

In this review, GAO concluded that there was a gap in Medicaid program integrity efforts relating to managed care oversight and made three recommendations. In some cases, it appears GAO is concerned about payments made by plans to providers and the approaches and resources used to examine those transactions; and in other cases, it appears that GAO is concerned about state payments to the plans themselves. We ask that GAO clarify this distinction in its analysis and recommendations.

CMS's general approach to strengthening and improving program integrity in managed care arrangements is based on several important principles. First, managed care contracts (including rates) set the terms by which plans meet core requirements for operations and performance.
As a consequence, CMS approves all managed care contracts executed by states with their plans and provides guidance (regulatory and sub-regulatory) concerning minimum requirements. States have the option to build on these requirements in their contracting process. Second, plans are at risk for their financial performance. States pay managed care plans a capitated fee based on actuarially certified and CMS approved rates. An at-risk payment means that if the actual costs incurred by the plans are greater than the amounts reimbursed through the capitated payment, the plan takes the financial loss. Thus, plans are incentivized to take overutilization, error, inefficiency, and waste out of the system. Further, savings resulting from better management of payments, coordination of care, or promotion of health outcomes are retained by the plan as its financial reward for performance. Finally, to encourage innovation and flexibility to meet market demands, plans can pay providers through a variety of arrangements and at varying rates, to meet their contract obligations for beneficiary access to care and benefits. Increasingly, CMS hopes to see plans pay providers using value-based arrangements rather than traditional fee for service schedules. GAO correctly reports that states have primary responsibility for direct oversight of their managed care contractors' program integrity compliance as required in 42 CFR §438.66. However, CMS plays a vital role in overseeing Medicaid program integrity in managed care as well. CMS oversees states (e.g., by approving plan contracts and rates submitted by states), establishes regulations (setting minimum requirements for state obligations and plan performance), approves federal match and expenditures, and provides technical assistance and support to states and plans to improve and promote efficiencies and best practices. 
With respect to the specific oversight and technical assistance on state and plan program integrity, the GAO report indicated that CMS has not updated its managed care program integrity guidance since 2000. This is incomplete. This statement refers to one particular document that was sent to states in August 2000 and that still serves as a valuable reference for states to use in their program integrity oversight of managed care entities. As recently as October 2013, CMS provided states with updated guidance on managed care program integrity that addresses new issues and regulations.

Under the Medicaid Integrity Program established by the Deficit Reduction Act of 2005, CMS has used a variety of strategies and activities to ensure managed care program integrity. For example, CMS has:

* Periodically assessed and provided feedback on the effectiveness of each state's program integrity oversight in managed care;

* Identified and disseminated best practices in managed care program integrity;

* Offered a robust training program through the Medicaid Integrity Institute for state program integrity officials, including courses on managed care program integrity issues since 2010; and,

* Extended its educational reach beyond the Institute. For example, CMS has provided training and published educational materials for states to use in educating providers and managed care plan staff in the prevention, detection, and reporting of Medicaid improper payments.

CMS's comprehensive state program integrity reviews assess how states are conducting managed care program integrity activities, including if states and managed care organizations (MCO) review and audit claims for services by providers in managed care networks. CMS's comprehensive reviews have identified findings and vulnerabilities related to managed care program integrity.
Examples of managed care program integrity topics addressed include: state analyses of managed care encounter data, MCO investigations of suspected provider fraud or abuse and reports to state officials, MCOs' program integrity compliance plans, required disclosures by MCOs, state checks of MCO-affiliated parties for exclusions and debarments, program integrity training of MCO staff by state program integrity officials, and MCO credentialing, enrollment, and provider screening practices.

CMS's comprehensive reviews include interviews with MCO staff to assess their program integrity activities and one-on-one meetings with Medicaid staff to discuss managed care oversight and monitoring. CMS also reviews the managed care contracts and other documents to validate the state's program integrity practices. CMS then makes recommendations to the states about how to strengthen their program integrity controls, and if needed, requires the state to submit a corrective action plan for each area of non-compliance. Thus, while states have primary responsibility for direct oversight of their managed care contractors' program integrity compliance, CMS is also providing oversight of managed care program integrity.

Our responses to the GAO recommendations follow.

GAO Recommendation:

CMS should hold states accountable for Medicaid managed care program integrity by requiring states to conduct audits of payments to and by managed care organizations.

HHS Response:

GAO's recommendation is unclear. With respect to payments "to" managed care organizations, those payments are made by states and are subject to audit through the Payment Error Rate Measurement (PERM) program. States have very high accuracy rates for these payments (less than half a percent error rate in the last PERM cycle).
With respect to "payments by" managed care organizations, this suggests that states should audit plan compliance with the plan's established policies and methodologies for paying providers for services under their agreements. Pursuant to federal regulations at 42 CFR §438.6(g), CMS has provided state Medicaid agencies with the required authority to audit managed care entities or their subcontractors. Managed care contracts are designed to transfer risk and responsibility for service delivery to MCOs. CMS provides technical assistance to states that identifies an array of strategies and tools to prevent improper payments in managed care, including: credentialing, enrollment, and provider screening practices, checks of MCO-affiliated parties for exclusions and debarments, sound fiscal oversight of rate-setting, external quality reviews of managed care service delivery, payment audits, monitoring of MCO compliance plans, and training of MCO staff in program integrity issues. CMS will continue to provide support and technical assistance to states to strengthen their oversight of service delivery and rate-setting in managed care contracts and to audit payments to and by MCOs when appropriate. CMS currently uses contractors to improve tools and provide technical assistance to states regarding managed care implementation, including oversight and program integrity efforts. Recently acquired additional resources will further support rate-setting and contract oversight as well as result in the provision of enhanced technical assistance and guidance to states. CMS currently does hold states accountable for effective program integrity oversight of their MCOs, including the regulatory requirement that MCOs have a compliance plan designed to safeguard against fraud and abuse. CMS monitors state proposals for managed care delivery systems, as well as MCO contracts, to ensure that this regulatory requirement is met. 
Through the enhanced efforts described above, CMS is providing enhanced oversight of state program integrity efforts, particularly in the area of financial program integrity.

GAO Recommendation:

CMS should update its Medicaid managed care guidance on program integrity practices and effective handling of MCO recoveries.

HHS Response:

HHS concurs with the recommendation to update guidance on managed care program integrity practices. CMS has been in consultation with federal partners and state partners regarding strategies to improve program integrity in the program. CMS will address these proposed changes in future rulemaking or other guidance. CMS will also continue to refresh our offerings at the Medicaid Integrity Institute. We agree that states could benefit from additional guidance, particularly in the more complicated area regarding recoveries from individual providers which were paid by the MCO out of a risk-based, prepaid capitation payment from the state. CMS will review this recommendation and will consider issuing guidance to states to advise them that their contracts with MCOs should specify how any recoveries of overpayments made to or by MCOs will be handled.

GAO Recommendation:

CMS should provide the states with additional support in overseeing Medicaid managed care program integrity, such as the option to obtain audit assistance from existing Medicaid integrity contractors.

HHS Response:

HHS concurs with the recommendation. CMS will continue to work with states to provide additional support and assistance to strengthen states' program integrity oversight of their Medicaid managed care programs. While GAO correctly notes in its draft report that states have the primary responsibility for reducing, identifying, and recovering improper payments, CMS provides significant support and assistance to states on Medicaid managed care program integrity.
CMS provides assistance in program integrity reviews, publications of best practices, courses at the Medicaid Integrity Institute, educational materials, and guidance in the use of tools for managed care program integrity. In addition, CMS will conduct special in-depth reviews in 2014, focused on managed care program integrity activities, in selected states that are expanding the use of managed care. Because audits of managed care services can be more complex than audits in the fee-for-service model, we agree that states can benefit from more direct support. States may obtain assistance from the federal Medicaid integrity contractors for audits of managed care services. Collaboration between CMS and states has been an important element of the federal audit program since its inception in 2007; since February 2011, all audits assigned to Medicaid integrity contractors have been developed in partnership with states as collaborative audits. In addition, CMS and its contractors are working with two states with considerable experience in managed care to perform audits of services provided under managed care contracts. These states were not included in GAO's interview sample. These audits will provide valuable lessons for the development of a model for managed care audit activity in all states. We appreciate GAO's efforts to examine state and federal roles and responsibilities to ensure comprehensive Medicaid program integrity coverage. We look forward to working with GAO on this and other issues in the future. [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Carolyn L. Yocom, (202) 512-7114 or yocomc@gao.gov: Staff Acknowledgments: In addition to the contact named above, key contributors to this report were: Tom Conahan, Assistant Director; Matthew Gever, Drew Long, Jasleen Modi, Dawn Nelson, and Jennifer Whitworth. 
[End of section]

Footnotes:

[1] The federal government matches states' expenditures for most Medicaid services using a statutory formula based on each state's per capita income. In fiscal year 2013, the federal share of Medicaid spending was $247.7 billion, while the state share was $183.4 billion. See Medicaid and CHIP Payment and Access Commission, MACStats: Medicaid and CHIP Program Statistics March 2014 (Washington, D.C.: March 2014).

[2] According to HHS, as of July 1, 2011, 57 percent of Medicaid beneficiaries were enrolled in managed care organizations. However, managed care constitutes a small portion--less than 27 percent--of Medicaid expenditures.

[3] While the U.S. Territories and Commonwealths also receive federal funds for Medicaid, this report focuses on the 50 states and the District of Columbia, which we refer to as 51 states.

[4] See GAO, High-Risk Series: an Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: Feb. 14, 2012). We use the term improper payments to refer to payments made by Medicaid programs to MCOs and providers, as well as improper payments made by MCOs to providers.

[5] Fragmentation occurs when multiple agencies are involved in a program and opportunities exist to improve service delivery. Overlap occurs when multiple agencies have similar goals and engage in similar activities to achieve them or target similar beneficiaries. Duplication occurs when two or more agencies are engaged in the same activities to provide the same services to the same beneficiaries.

[6] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L. No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA. In addition to changes that were designed to further strengthen program integrity, PPACA included other changes that will substantially expand the size and reach of the Medicaid program to include, by some federal estimates, an additional 16 million people.

[7] See GAO, Medicaid Program Integrity: CMS Should Take Steps to Eliminate Duplication and Improve Efficiency, [hyperlink, http://www.gao.gov/products/GAO-13-50] (Washington, D.C.: Nov. 13, 2012).

[8] See [hyperlink, http://www.gao.gov/products/GAO-13-50].

[9] Federal regulations require MFCUs to enter into agreements with state Medicaid agencies. 42 C.F.R. § 1007.9.

[10] See, e.g., 42 U.S.C. §§ 1396a(a)(69), 1396u-6.

[11] These databases include the List of Excluded Individuals and Entities, a nationwide list compiled by HHS-OIG, as well as state lists.

[12] Data mining involves analysis of large sets of paid claims data to identify aberrant billing or utilization patterns, or anomalies that may indicate improper payments.

[13] States will receive an increased federal match for newly eligible individuals at 100 percent for 2014 through 2016, 95 percent in 2017, 94 percent in 2018, 93 percent in 2019, and 90 percent in 2020 and beyond. 42 U.S.C. § 1396d(y).

[14] 42 U.S.C. § 1396b(d)(2)(D); 42 C.F.R. § 433.312(b).

[15] For the purposes of this report, we focused on those entities directly involved in program integrity activities--that is, those for whom program integrity activities are a primary mission.

[16] See, e.g., 42 U.S.C. §§ 1396a(a)(69), 1396u-6.

[17] States are primarily responsible for ensuring program integrity. Federal law requires states to (1) designate a single state Medicaid agency to administer or supervise the administration of its Medicaid program, and (2) establish and operate a MFCU unless the state can demonstrate that the operation of a MFCU would not be cost-effective because minimal fraud exists and that beneficiaries will be protected without a MFCU. 42 U.S.C. § 1396a(a)(5), (a)(61).

[18] MFCUs are also tasked with investigating patient abuse.

[19] 42 C.F.R. § 456.3. The SURS staff use claims data to develop statistical profiles on services, providers, and beneficiaries to identify potential improper payments. For example, they may apply automatic post-payment screens to Medicaid claims to identify aberrant billing patterns.

[20] 42 U.S.C. § 1396a(a)(42)(B).

[21] Pub. L. No. 109-171, § 6034, 120 Stat. 4, 74 (2006) (codified at 42 U.S.C. § 1396u-6).

[22] See [hyperlink, http://www.gao.gov/products/GAO-13-50].

[23] See GAO, Medicare: Implementation of Financial Incentive Programs under Federal Fraud and Abuse Laws, [hyperlink, http://www.gao.gov/products/GAO-12-355] (Washington, D.C.: March 30, 2012).

[24] 42 C.F.R. § 438.608.

[25] Reviews of FFS providers may reveal improper payments in managed care. For example, one provider may deliver Medicaid services under both managed care and FFS arrangements; the provider's FFS claims are subject to PI unit reviews that may reveal errors or fraudulent practices in the provider's managed care claims.

[26] States' processes for developing MCO plan rates may vary in a number of ways, including the type of data they use as the basis for setting rates. For example, some states allow MCO plans to keep improper payment recoveries, and calculate rates using data that incorporates reductions based on improper payment recoveries.

[27] Centers for Medicare & Medicaid Services, Medicaid Managed Care Enrollment Report, Summary Statistics as of July 1, 2011 (Baltimore, MD: November 2012). In addition to MCOs, states may contract with other types of capitated plans to provide Medicaid services.

[28] One state PI unit did not respond to this question; however, during an earlier interview officials from this PI unit did not mention the CMS Medicaid managed care guidance.

[29] 42 U.S.C. §1396a(a)(6), (a)(37)(B).

[30] 42 U.S.C. §§ 1396b(m)(2)(A)(iv), 1396u-6(b)(2).

[31] See 42 C.F.R. § 436(g).

[32] Pub. L. No. 111-148, § 6411(a), 124 Stat. 119, 773 (2010).

[33] 42 C.F.R. § 455.506.

[34] Medicaid Program; Recovery Audit Contractors; Final Rules, 76 Fed. Reg. 57808, 57836 (Sep. 16, 2011).

[35] Two of these MFCU evaluations--one of which was a state included in our study--used the new performance standards for 4 months of the 3-year review period, while one other MFCU applied them only to the report recommendations.

[36] See GAO, 2013 Annual Report: Actions Needed to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits, [hyperlink, http://www.gao.gov/products/GAO-13-279SP] (Washington D.C., April 9, 2013).

[37] Federal regulation requires states to coordinate the efforts of Medicaid RACs with other auditing entities. 42 C.F.R. § 455.506(c).

[38] CMS required states to implement the Medicaid RACs by Jan. 1, 2012.

[39] Additionally, fraudulent claims can be identified from a variety of sources, including enrollment, prepayment review, post-payment review, or audits. Once fraudulent claims are identified or suspected, state program integrity entities must then refer those claims or providers to law enforcement entities for investigation and possible prosecution.

[40] GAO, Health Care Fraud and Abuse Control Program: Indicators Provide Information on Program Accomplishments, but Assessing Program Effectiveness Is Difficult, [hyperlink, http://www.gao.gov/products/GAO-13-746] (Washington, D.C.: Sept. 30, 2013).

[41] Three of the states we selected for this study reported to CMS less than $1 million in recoveries in each fiscal year between 2009 and 2011, with two of these states reporting zero recoveries in one year. The remaining four states' single-year recoveries ranged from $1.2 million to over $600 million. GAO found that states were under-reporting recoveries to CMS as compared to other data sources. See [hyperlink, http://www.gao.gov/products/GAO-13-50].
[End of section]

[End of document]