Patient Protection and Affordable Care Act:
CMS Should Act to Strengthen Enrollment Controls and Manage Fraud Risk
GAO-16-506T: Published: Mar 17, 2016. Publicly Released: Mar 17, 2016.
What GAO Found
The Patient Protection and Affordable Care Act (PPACA) requires applicant information be verified to determine eligibility for enrollment or income-based subsidies. To implement this verification process, the Centers for Medicare & Medicaid Services (CMS) created an electronic system called the “data services hub” (data hub), which, among other things, provides a single link to federal sources, such as the Internal Revenue Service and the Social Security Administration, to verify consumer application information. Although the data hub plays a key role in the eligibility and enrollment process, CMS does not, according to agency officials, track or analyze aggregate outcomes of data hub queries—either the extent to which a responding agency delivers information responsive to a request, or whether an agency reports that information was not available. In not doing so, CMS foregoes information that could suggest potential program issues or potential vulnerabilities to fraud, as well as information that might be useful for enhancing program management. In addition, PPACA also establishes a process to resolve “inconsistencies”—instances where individual applicant information does not match information from marketplace data sources. GAO found CMS did not have an effective process for resolving inconsistencies for individual applicants for the federal Health Insurance Marketplace (Marketplace). For example, according to GAO analysis of CMS data, about 431,000 applications from the 2014 enrollment period, with about $1.7 billion in associated subsidies for 2014, still had unresolved inconsistencies as of April 2015—several months after close of the coverage year. In addition, CMS did not resolve Social Security number inconsistencies for about 35,000 applications (with about $154 million in associated subsidies) or incarceration inconsistencies for about 22,000 applications (with about $68 million in associated subsidies). With unresolved inconsistencies, CMS is at risk of granting eligibility to, and making subsidy payments on behalf of, individuals who are ineligible to enroll in qualified health plans. In addition, according to the Internal Revenue Service, accurate Social Security numbers are vital for income tax compliance and reconciliation of advance premium tax credits that can lower enrollee costs.
During undercover testing, the federal Marketplace approved subsidized coverage under the act for 11 of 12 fictitious GAO phone or online applicants for 2014. The GAO applicants obtained a total of about $30,000 in annual advance premium tax credits, plus eligibility for lower costs at time of service. The fictitious enrollees maintained subsidized coverage throughout 2014, even though GAO sent fictitious documents, or no documents, to resolve application inconsistencies. While the subsidies, including those granted to GAO's fictitious applicants, are paid to health-care insurers, and not directly to enrolled consumers, they nevertheless represent a benefit to consumers and a cost to the government. GAO found CMS relies upon a contractor charged with document processing to report possible instances of fraud, even though CMS does not require the contractor to have any fraud detection capabilities. CMS has not performed a comprehensive fraud risk assessment—a recommended best practice—of the PPACA enrollment and eligibility process. Until such an assessment is done, CMS is unlikely to know whether existing control activities are suitably designed and implemented to reduce inherent fraud risk to an acceptable level.
Why GAO Did This Study
This testimony summarizes the information contained in GAO's February 2016 report, entitled Patient Protection and Affordable Care Act: CMS Should Act to Strengthen Enrollment Controls and Manage Fraud Risk, GAO-16-29.
For more information, contact Seto J. Bagdoyan at (202) 512-6722 or firstname.lastname@example.org.