The Centers for Medicare & Medicaid Services (CMS) conducted a mandated 3-year project from March 2005 through March 2008 to demonstrate the use of recovery audit contractors (RAC) in identifying Medicare improper payments and recouping overpayments. CMS implemented a mandated national RAC program, which began in March 2009. GAO was asked to examine specific issues that arose during the demonstration project and CMS's efforts to address them in the national RAC program. This report examines the extent to which CMS (1) developed a process and took corrective actions to address vulnerabilities identified by the RACs that led to improper payments, (2) resolved coordination issues between the RACs and the Medicare claims administration contractors, and (3) established methods to oversee RAC claim review accuracy and provider service during the national program. GAO reviewed CMS documents and interviewed officials from CMS and contractors and provider groups affected by the demonstration project.

CMS did not establish an adequate process in the 3-year demonstration project or in planning for the national program to address RAC-identified vulnerabilities that led to improper payments, such as paying duplicate claims for the same service. CMS stated that one purpose of the demonstration project was to obtain information to help prevent improper payments. However, CMS has not yet implemented corrective actions for 60 percent of the most significant RAC-identified vulnerabilities that led to improper payments, a situation that left 35 of 58 unaddressed. These were vulnerabilities for which RACs identified over $1 million in improper payments for medical services or $500,000 for durable medical equipment. CMS developed a spreadsheet, which listed the most significant improper payment vulnerabilities that were identified by the RACs during the demonstration project. However, the agency did not develop a plan to take corrective action or implement sufficient monitoring, oversight, and control activities to ensure these significant vulnerabilities were addressed. Thus, CMS did not address significant vulnerabilities representing $231 million in overpayments identified by the RACs during the demonstration project. For the RAC national program, CMS developed a process to compile identified vulnerabilities and recommend actions to prevent improper payments. However, this corrective action process lacks certain essential procedures and staff with the authority to ensure that these vulnerabilities are resolved promptly and adequately to prevent further improper payments. Based on lessons learned during the demonstration project, CMS took multiple steps in the national program to resolve coordination issues between the RACs and Medicare claims administration contractors. During the demonstration project, CMS learned that having regular communication with the claims administration contractors on improper payment vulnerabilities that the RACs were identifying was important. CMS also learned that the data warehouse used to store claims information for the RACs needed more capacity and utility, that manual claims adjustment by claims administration contractors to recoup improper payments was burdensome, and that sharing paper copies of medical records between RACs and claims administration contractors when claims denials were appealed was difficult to manage. As a result, CMS took steps to resolve these coordination issues in the national program, such as enhancing the existing data warehouse and automating the claims-adjustment process. CMS took steps to improve oversight of the accuracy of RACs' claims reviews and the quality of their service to providers for the national program. CMS added processes to review the accuracy of RAC determinations, including independent reviews by another CMS contractor. CMS also established requirements to address provider concerns about service, such as having the RACs establish Web sites that will allow providers to track the status of a claim being reviewed. In addition, CMS established performance metrics that the agency will use to monitor RAC accuracy and service to providers.

Status Legend:

Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

• In Process
• Open
• Closed - implemented
• Closed - not implemented

Recommendations for Executive Action

Recommendation: To help reduce future improper payments, the Administrator of CMS should develop and implement a process that includes policies and procedures to ensure that the agency promptly: (1) evaluates findings of RAC audits, (2) decides on the appropriate response and a time frame for taking action based on established criteria, and (3) acts to correct the vulnerabilities identified.

Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

Status: Open

Comments: CMS concurred with this recommendation, but does not yet have written policies and procedures for a fully developed corrective action process that includes monitoring of actions taken. However, the agency has taken steps to begin to implement such a process. In July 2011, CMS indicated that its staff have been working diligently to close the remaining vulnerabilities identified by the Recovery Auditors in the demonstration program. CMS also indicated that it had established a corrective action process for issues identified in the National Recovery Audit Program. The agency has developed a written procedures document for the process. However, the written procedures document does not clearly outline the procedures to follow in the corrective action process or how monitoring of corrective actions taken will be accomplished. Nevertheless, CMS has taken action on certain vulnerabilities to improper payments, such as introducing edits into the payment system to deny certain claims as improper. CMS also provided information in July 2011 on steps it had taken to inform providers about vulnerabilities that led to improper payments. CMS also indicated that it required the Medicare Administrative Contractors (MACs) to consider and evaluate vulnerabilities identified by the Recovery Auditors. In addition, the MACs must now submit a quarterly report on the status of their evaluations and corrective actions taken.

Recommendation: The Administrator of CMS should designate key personnel with appropriate authority to be responsible for ensuring that corrective actions are implemented and that the actions taken were effective.

Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

Status: Closed - Implemented

Comments: CMS concurred with this recommendation and stated that the Administrator of CMS is the official responsible for assuring that vulnerabilities that cut across all agency components are addressed.