Medicare Recovery Audit Contracting:

Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight

GAO-10-143: Published: Mar 31, 2010. Publicly Released: Mar 31, 2010.

Additional Materials:


Kathleen M. King
(202) 512-3000


Office of Public Affairs
(202) 512-4800

The Centers for Medicare & Medicaid Services (CMS) conducted a mandated 3-year project from March 2005 through March 2008 to demonstrate the use of recovery audit contractors (RAC) in identifying Medicare improper payments and recouping overpayments. CMS implemented a mandated national RAC program, which began in March 2009. GAO was asked to examine specific issues that arose during the demonstration project and CMS's efforts to address them in the national RAC program. This report examines the extent to which CMS (1) developed a process and took corrective actions to address vulnerabilities identified by the RACs that led to improper payments, (2) resolved coordination issues between the RACs and the Medicare claims administration contractors, and (3) established methods to oversee RAC claim review accuracy and provider service during the national program. GAO reviewed CMS documents and interviewed officials from CMS and contractors and provider groups affected by the demonstration project.

CMS did not establish an adequate process in the 3-year demonstration project or in planning for the national program to address RAC-identified vulnerabilities that led to improper payments, such as paying duplicate claims for the same service. CMS stated that one purpose of the demonstration project was to obtain information to help prevent improper payments. However, CMS has not yet implemented corrective actions for 60 percent of the most significant RAC-identified vulnerabilities that led to improper payments, a situation that left 35 of 58 unaddressed. These were vulnerabilities for which RACs identified over $1 million in improper payments for medical services or $500,000 for durable medical equipment. CMS developed a spreadsheet, which listed the most significant improper payment vulnerabilities that were identified by the RACs during the demonstration project. However, the agency did not develop a plan to take corrective action or implement sufficient monitoring, oversight, and control activities to ensure these significant vulnerabilities were addressed. Thus, CMS did not address significant vulnerabilities representing $231 million in overpayments identified by the RACs during the demonstration project. For the RAC national program, CMS developed a process to compile identified vulnerabilities and recommend actions to prevent improper payments. However, this corrective action process lacks certain essential procedures and staff with the authority to ensure that these vulnerabilities are resolved promptly and adequately to prevent further improper payments. Based on lessons learned during the demonstration project, CMS took multiple steps in the national program to resolve coordination issues between the RACs and Medicare claims administration contractors. During the demonstration project, CMS learned that having regular communication with the claims administration contractors on improper payment vulnerabilities that the RACs were identifying was important. CMS also learned that the data warehouse used to store claims information for the RACs needed more capacity and utility, that manual claims adjustment by claims administration contractors to recoup improper payments was burdensome, and that sharing paper copies of medical records between RACs and claims administration contractors when claims denials were appealed was difficult to manage. As a result, CMS took steps to resolve these coordination issues in the national program, such as enhancing the existing data warehouse and automating the claims-adjustment process. CMS took steps to improve oversight of the accuracy of RACs' claims reviews and the quality of their service to providers for the national program. CMS added processes to review the accuracy of RAC determinations, including independent reviews by another CMS contractor. CMS also established requirements to address provider concerns about service, such as having the RACs establish Web sites that will allow providers to track the status of a claim being reviewed. In addition, CMS established performance metrics that the agency will use to monitor RAC accuracy and service to providers.

Recommendations for Executive Action

  1. Status: Open

    Comments: CMS concurred with this recommendation. The agency has developed written policies and procedures for its corrective action process, but the the written document does not require the agency to establish timeframes for completing action on particular vulnerabilities or for followup if action is referred to other units. The written procedures also do not indicate how monitoring of corrective actions taken will be accomplished. However, CMS has taken taken other useful steps regarding vulnerabilities to improper payments, such as introducing new edits into the payment system to deny certain claims as improper. CMS also provided information in July 2011 on steps it had taken to inform providers about vulnerabilities that led to improper payments. In addition, CMS indicated that it regularly required the Medicare Administrative Contractors (MACs) to consider and evaluate vulnerabilities identified by the Recovery Auditors and the MACs must now submit a quarterly report on the status of their evaluations and corrective actions taken with regard to specific vulnerabilities.

    Recommendation: To help reduce future improper payments, the Administrator of CMS should develop and implement a process that includes policies and procedures to ensure that the agency promptly: (1) evaluates findings of RAC audits, (2) decides on the appropriate response and a time frame for taking action based on established criteria, and (3) acts to correct the vulnerabilities identified.

    Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services

  2. Status: Closed - Implemented

    Comments: CMS concurred with this recommendation and stated that the Administrator of CMS is the official responsible for assuring that vulnerabilities that cut across all agency components are addressed.

    Recommendation: The Administrator of CMS should designate key personnel with appropriate authority to be responsible for ensuring that corrective actions are implemented and that the actions taken were effective.

    Agency Affected: Department of Health and Human Services: Centers for Medicare and Medicaid Services


Explore the full database of GAO's Open Recommendations »

Jun 30, 2015

Jun 24, 2015

Jun 17, 2015

May 29, 2015

May 15, 2015

Apr 30, 2015

Mar 27, 2015

Mar 16, 2015

Feb 27, 2015

Looking for more? Browse all our products here