This is the accessible text file for GAO report number GAO-11-822T 
entitled 'Fraud Detection Systems: Additional Actions Needed to 
Support Program Integrity Efforts at Centers for Medicare and Medicaid 
Services' which was released on July 12, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: GAO: 


Before the Subcommittee on Federal Financial Management, Government 
Information, Federal Service, and International Security, Committee on 
Homeland Security and Government Affairs, U.S. Senate: 

For Release on Delivery: 
Expected at 2:30 p.m. EDT:
Tuesday, July 12, 2011: 

Fraud Detection Systems: 

Additional Actions Needed to Support Program Integrity Efforts at 
Centers for Medicare and Medicaid Services: 

Statement of Joel C. Willemssen: 
Managing Director, Information Technology: 


Mr. Chairman and Members of the Subcommittee: 

I am pleased to participate in today's hearing on the Centers for 
Medicare and Medicaid Services' (CMS) efforts to protect the integrity 
of the Medicare and Medicaid programs, particularly through the use of 
information technology to help improve the detection of fraud, waste, 
and abuse in these programs. As you are aware, CMS is responsible for 
administering the Medicare and Medicaid programs[Footnote 1] and 
leading efforts to reduce improper payments of claims for medical 
treatment, services, and equipment. Improper payments are overpayments 
or underpayments that should not have been made or were made in an 
incorrect amount; they may be due to errors, such as the inadvertent 
submission of duplicate claims for the same service, or misconduct, 
such as fraud or abuse. The Department of Health and Human Services 
reported about $70 billion in improper payments in the Medicare and 
Medicaid programs in fiscal year 2010. 

Operating within the Department of Health and Human Services, CMS 
conducts reviews to prevent improper payments before claims are paid 
and to detect claims that were paid in error. These activities are 
predominantly carried out by contractors who, along with CMS 
personnel, use various information technology solutions to consolidate 
and analyze data to help identify the improper payment of claims. For 
example, these program integrity analysts may use software tools to 
access data about claims and then use those data to identify patterns 
of unusual activities by matching services with patients' diagnoses. 

In 2006, CMS initiated activities to centralize and make more 
accessible the data needed to conduct these analyses and to improve 
the analytical tools available to its own and contractor analysts. At 
the Subcommittee's request, we have been reviewing two of these 
initiatives--the Integrated Data Repository (IDR), which is intended 
to provide a single source of data related to Medicare and Medicaid 
claims, and the One Program Integrity (One PI) system, a Web-based 
portal[Footnote 2] and suite of analytical software tools used to 
extract data from IDR and enable complex analyses of these data. 
According to CMS officials responsible for developing and implementing 
IDR and One PI, the agency had spent approximately $161 million on 
these initiatives by the end of fiscal year 2010. 

My testimony, in conjunction with a report that we are releasing 
today,[Footnote 3] summarizes the results of our study--which 
specifically assessed the extent to which IDR and One PI have been 
developed and implemented and CMS's progress toward achieving its 
goals and objectives for using these systems to detect fraud, waste, 
and abuse. All work on which this testimony is based was conducted at 
CMS's headquarters in Baltimore, Maryland, between June 2010 and July 
2011, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 


Like financial institutions, credit card companies, telecommunications 
firms, and other private sector companies that take steps to protect 
customers' accounts, CMS uses information technology to help detect 
cases of improper claims and payments. For more than a decade, the 
agency and its contractors have used automated software tools to 
analyze data from various sources to detect patterns of unusual 
activities or financial transactions that indicate payments could have 
been made for fraudulent charges or improper payments. For example, to 
identify unusual billing patterns and support investigations and 
prosecutions of cases, analysts and investigators access information 
about key actions taken to process claims as they are filed and the 
specific details about claims already paid. This would include 
information on claims as they are billed, adjusted, and paid or 
denied; check numbers on payments of claims; and other specific 
information that could help establish provider intent. 

CMS uses many different means to store and manipulate data and, since 
the establishment of the agency's program integrity initiatives in the 
1990s, has built multiple, disparate databases and analytical software 
tools to meet the individual and unique needs of various programs 
within the agency. In addition, data on Medicaid claims are stored by 
the states in multiple systems and databases, and are not readily 
available to CMS. According to agency program documentation, these 
geographically distributed, regional approaches to data storage result 
in duplicate data and limit the agency's ability to conduct analyses 
of data on a nationwide basis. As a result, CMS has been working for 
most of the past decade to consolidate its databases and analytical 

CMS's Initiative to Develop a Centralized Source of Medicare and 
Medicaid Data: 

In 2006, CMS officials expanded the scope of a 3-year-old data 
modernization strategy to not only modernize data storage technology, 
but also to integrate Medicare and Medicaid data into a centralized 
repository so that CMS and its partners could access the data from a 
single source. They called the expanded program IDR. 

According to program officials, the agency's vision was for IDR to 
become the single repository for CMS's data and enable data analysis 
within and across programs. Specifically, this repository was to 
establish the infrastructure for storing data related to Medicaid and 
Medicare Parts A, B, and D claims processing,[Footnote 4] as well as a 
variety of other agency functions, such as program management, 
research, analytics, and business intelligence. 

CMS envisioned an incremental approach to incorporating data into IDR. 
Specifically, it intended to incorporate data related to paid claims 
for all Medicare Part D data by the end of fiscal year 2006, and for 
Medicare Parts A and B data by the end of fiscal year 2007. The agency 
also planned to begin to incrementally add all Medicaid data for the 
50 states in fiscal year 2009 and to complete this effort by the end 
of fiscal year 2012. 

Initial program plans and schedules also included the incorporation of 
additional data from legacy CMS claims-processing systems that store 
and process data related to the entry, correction, and adjustment of 
claims as they are being processed, along with detailed financial data 
related to paid claims. According to program officials, these data, 
called "shared systems" data, are needed to support the agency's plans 
to incorporate tools to conduct predictive analysis of claims as they 
are being processed, helping to prevent improper payments. Shared 
systems data, such as check numbers and amounts related to claims that 
have been paid, are also needed by law enforcement agencies to help 
with fraud investigations. CMS initially planned to have all the 
shared systems data included in IDR by July 2008. 

CMS's Initiative to Develop and Implement Analytical Tools for 
Detecting Fraud, Waste, and Abuse: 

Also in 2006, CMS initiated the One PI program with the intention of 
developing and implementing a portal and software tools that would 
enable access to and analysis of claims, provider, and beneficiary 
data from a centralized source. The agency's goal for One PI was to 
support the needs of a broad program integrity user community, 
including agency program integrity personnel and contractors who 
analyze Medicare claims data, along with state agencies that monitor 
Medicaid claims. To achieve its goal, agency officials planned to 
implement a tool set that would provide a single source of information 
to enable consistent, reliable, and timely analyses and improve the 
agency's ability to detect fraud, waste, and abuse. These tools were 
to be used to gather data from IDR about beneficiaries, providers, and 
procedures and, combined with other data, find billing aberrancies or 
outliers. For example, an analyst could use software tools to identify 
potentially fraudulent trends in ambulance services by gathering the 
data about claims for ambulance services and medical treatments, and 
then use other software to determine associations between the two 
types of services. If the analyst found claims for ambulance travel 
costs but no corresponding claims for medical treatment, it might 
indicate that further investigation could prove that the billings for 
those services were fraudulent. 

According to agency program planning documentation, the One PI system 
was also to be developed incrementally to provide access to IDR data, 
analytical tools, and portal functionality. CMS planned to implement 
the One PI portal and two analytical tools for use by program 
integrity analysts on a widespread basis by the end of fiscal year 
2009. The agency engaged contractors to develop the system. 

IDR and One PI Are in Use, but Lack Data and Functionality Essential 
to CMS's Program Integrity Efforts: 

IDR has been in use by CMS and contractor program integrity analysts 
since September 2006 and currently incorporates data related to claims 
for reimbursement of services under Medicare Parts A, B, and D. 
According to program officials, the integration of these data into IDR 
established a centralized source of data previously accessed from 
multiple disparate system files. 

However, although the agency has been incorporating data from various 
sources since 2006, IDR does not yet include all the data that were 
planned to be incorporated by the end of 2010 and that are needed to 
support enhanced program integrity initiatives. Specifically, although 
initial program integrity requirements included the incorporation of 
the shared systems data by July 2008, these data have not yet been 
added to IDR. As such, analysts are not able to access certain data 
from IDR that would help them identify and prevent payment of 
fraudulent claims. According to IDR program officials, the shared 
systems data were not incorporated as planned because funding for the 
development of the software and acquisition of the hardware needed to 
meet this requirement was not approved until the summer of 2010. Since 
then, IDR program officials have developed project plans and 
identified user requirements, and told us that they plan to 
incorporate shared systems data by November 2011. 

In addition, IDR does not yet include the Medicaid data that are 
critical to analysts' ability to detect fraud, waste, and abuse in 
this program. While program officials initially planned to incorporate 
20 states' Medicaid data into IDR by the end of fiscal year 2010, the 
agency had not incorporated any of these data into the repository as 
of May 25, 2011. Program officials told us that the original plans and 
schedules for obtaining Medicaid data did not account for the lack of 
funding for states to provide Medicaid data to CMS, or the variations 
in the types and formats of data stored in disparate state Medicaid 
systems. Consequently, the officials were not able to collect the data 
from the states as easily as they expected and did not complete this 
activity as originally planned. 

In December 2009, CMS initiated another agencywide program intended 
to, among other things, identify ways to collect Medicaid data from 
the many disparate state systems and incorporate the data into a 
single data store. As envisioned by CMS, this program, the Medicaid 
and Children's Health Insurance Program Business Information and 
Solutions (MACBIS) program, is to include activities in addition to 
providing expedited access to current data from state Medicaid 
programs. According to agency planning documentation, as a result of 
efforts to be initiated under the MACBIS program, CMS expects to 
incorporate Medicaid data for all 50 states into IDR by the end of 
fiscal year 2014. This enterprisewide initiative is expected to cost 
about $400 million through fiscal year 2016. 

However, program officials have not defined plans and reliable 
schedules for incorporating the additional data into IDR that are 
needed to support the agency's program integrity goals. Yet, doing so 
is essential to ensuring that CMS does not repeat mistakes of the past 
that stand to jeopardize the overall success of its current efforts. 
In this regard, more than a decade ago, we reported on the agency's 
efforts to replace multiple claims processing systems with a single, 
unified system.[Footnote 5] Among other things, that system was 
intended to provide an integrated database to help the agency in 
identifying fraud and abuse. However, as the system was being 
developed, we reported repeatedly that the agency was not applying 
effective investment management practices to its planning and 
management of the project. Further, we reported that the agency had no 
assurance that the project would be cost-effective, delivered within 
estimated timeframes, or even improve the processing of Medicare 
claims. Lacking these vital project management elements, CMS 
subsequently halted that troubled initiative without delivering the 
intended system--after investing more than $80 million over 3-and-a- 
half years. 

Until the agency defines plans and reliable schedules for 
incorporating the additional data into IDR, it cannot ensure that 
current development, implementation, and deployment efforts will 
provide the data and technical capabilities needed to enhance CMS's 
efforts to detect potential cases of fraud, waste, and abuse. 

Beyond the IDR initiative, CMS program integrity officials have not 
yet taken appropriate actions to ensure the use of One PI on a 
widespread basis for program integrity purposes. According to program 
officials, the system was deployed in September 2009 as originally 
planned and consisted of a portal that provided Web-based access to 
software tools used by CMS and contractor analysts to retrieve and 
analyze data stored in IDR. As currently implemented, the system 
provides access to two analytical tools. One tool is a commercial off-
the-shelf decision support tool that is used to perform data analysis 
to, for example, detect patterns of activities that may identify or 
confirm suspected cases of fraud, waste, or abuse. The second tool 
provides users with extended capabilities to perform more complex 
analyses of data. For example, it allows the user to customize and 
create ad hoc queries of claims data across the different parts of the 
Medicare program. 

However, while program officials deployed the One PI portal and two 
analytical tools, the system is not being used as widely as planned 
because CMS and contractor analysts have not received the necessary 
training for its use. In this regard, program planning documentation 
from August 2009 indicated that One PI program officials had planned 
for 639 analysts to be trained and using the system by the end of 
fiscal year 2010; however, CMS confirmed that by the end of October 
2010, only 42 of those intended users had been trained to use One PI, 
with 41 actively using the portal and tools. These users represent 
fewer than 7 percent of the users originally intended for the program. 

Program officials responsible for implementing the system acknowledged 
that their initial training plans and efforts had been insufficient 
and that they had consequently initiated activities and redirected 
resources to redesign the One PI training plan in April 2010; they 
began to implement the new training program in July of that year. As 
of May 25, 2011, One PI officials told us that 62 additional analysts 
had signed up to be trained in 2011 and that the number of training 
classes for One PI had been increased from two to four per month. 
Agency officials, in commenting on our report, stated that since 
January 2011, 58 new users had been trained; however, they did not 
identify an increase in the number of actual users of the system. 

Nonetheless, while these activities indicate some progress toward 
increasing the number of One PI users, the number of users expected to 
be trained and to begin using the system represents a small fraction 
of the population of 639 intended users. Moreover, as of late May 
2011, One PI program officials had not yet made detailed plans and 
developed schedules for completing training of all the intended users. 
Agency officials concurred with our conclusion that CMS needs to take 
more aggressive steps to ensure that its broad community of analysts 
is trained. Until it does so, the use of One PI may remain limited to 
a much smaller group of users than the agency intended, and CMS will 
continue to face obstacles in its efforts to deploy One PI for 
widespread use throughout its community of program integrity analysts. 

CMS Is Not Yet Positioned to Identify Financial Benefits or to Fully 
Meet Program Integrity Goals and Objectives through the Use of IDR and 
One PI: 

Because IDR and One PI are not being used as planned, CMS officials 
are not yet in a position to determine the extent to which the systems 
are providing financial benefits or supporting the agency's 
initiatives to meet program integrity goals and objectives. As we have 
reported, agencies should forecast expected benefits and then measure 
actual financial benefits accrued through the implementation of 
information technology programs.[Footnote 6] Further, the Office of 
Management and Budget (OMB) requires agencies to report progress 
against performance measures and targets for meeting them that reflect 
the goals and objectives of the programs.[Footnote 7] To do this, 
performance measures should be outcome-based and developed with 
stakeholder input, and program performance must be monitored, 
measured, and compared to expected results so that agency officials 
are able to determine the extent to which goals and objectives are 
being met. In addition, industry experts describe the need for 
performance measures to be developed with stakeholders' input early in 
a project's planning process to provide a central management and 
planning tool and to monitor the performance of the project against 
plans and stakeholders' needs. 

While CMS has shown some progress toward meeting the programs' goals 
of providing a centralized data repository and enhanced analytical 
capabilities for detecting improper payments due to fraud, waste, and 
abuse, the current implementation of IDR and One PI does not position 
the agency to identify, measure, and track financial benefits realized 
from reductions in improper payments as a result of the implementation 
of either system. For example, program officials stated that they had 
developed estimates of financial benefits expected to be realized 
through the use of IDR. The most recent projection of total financial 
benefits was reported to be $187 million, based on estimates of the 
amount of improper payments the agency expected to recover as a result 
of analyzing data provided by IDR. With estimated life-cycle program 
costs of $90 million through fiscal year 2018, the resulting net 
benefit expected from implementing IDR was projected to be $97 
million. However, as of March 2011, program officials had not 
identified actual financial benefits of implementing IDR. 

Further, program officials' projection of financial benefits expected 
as a result of implementing One PI was most recently reported to be 
approximately $21 billion. This estimate was increased from initial 
expectations based on assumptions that accelerated plans to integrate 
Medicare and Medicaid data into IDR would enable One PI users to 
identify increasing numbers of improper payments sooner than 
previously estimated, thus allowing the agency to recover more funds 
that have been lost due to payment errors. 

However, the current implementation of One PI has not yet produced 
outcomes that position the agency to identify or measure financial 
benefits. CMS officials stated at the end of fiscal year 2010--more 
than a year after deploying One PI--that it was too early to determine 
whether the program has provided any financial benefits. They 
explained that, since the program had not met its goal for widespread 
use of One PI, there were not enough data available to quantify 
financial benefits attributable to the use of the system. These 
officials said that as the user community is expanded, they expect to 
be able to begin to identify and measure financial and other benefits 
of using the system. 

In addition, program officials have not developed and tracked outcome- 
based performance measures to help ensure that efforts to implement 
One PI and IDR meet the agency's goals and objectives for improving 
the results of its program integrity initiatives. For example, outcome-
based measures for the programs would indicate improvements to the 
agency's ability to recover funds lost because of improper payments of 
fraudulent claims. However, while program officials defined and 
reported to OMB performance targets for IDR related to some of the 
program's goals, they do not reflect the goal of the program to 
provide a single source of Medicare and Medicaid data that supports 
enhanced program integrity efforts. Additionally, CMS officials have 
not developed quantifiable measures for meeting the One PI program's 
goals. For example, performance measures and targets for One PI 
include increases in the detection of improper payments for Medicare 
Parts A and B claims. However, the limited use of the system has not 
generated enough data to quantify the amount of funds recovered from 
improper payments. 

Because it lacks meaningful outcome-based performance measures and 
sufficient data for tracking progress toward meeting performance 
targets, CMS does not have the information needed to ensure that the 
systems are useful to the extent that benefits realized from their 
implementation help the agency meet program integrity goals. Further, 
until CMS is better positioned to identify and measure financial 
benefits and establishes outcome-based performance measures to help 
gauge progress toward meeting program integrity goals, it cannot be 
assured that the systems will contribute to improvements in CMS's 
ability to detect fraud, waste, and abuse in the Medicare and Medicaid 
programs, and prevent or recover billions of dollars lost to improper 
payments of claims. 

Given the critical need for CMS to improve the management of and 
reduce improper payments within the Medicare and Medicaid programs, 
our report being released today recommends a number of actions that we 
consider vital to helping CMS achieve more widespread use of IDR and 
One PI for program integrity purposes. Specifically, we are 
recommending that the Administrator of CMS: 

* finalize plans and develop schedules for incorporating additional 
data into IDR that identify all resources and activities needed to 
complete tasks and that consider risks and obstacles to the IDR 

* implement and manage plans for incorporating data in IDR to meet 
schedule milestones; 

* establish plans and reliable schedules for training all program 
integrity analysts intended to use One PI; 

* establish and communicate deadlines for program integrity 
contractors to complete training and use One PI in their work; 

* conduct training in accordance with plans and established deadlines 
to ensure schedules are met and program integrity contractors are 
trained and able to meet requirements for using One PI; 

* define any measurable financial benefits expected from the 
implementation of IDR and One PI; and: 

* with stakeholder input, establish measurable, outcome-based 
performance measures for IDR and One PI that gauge progress toward 
meeting program goals. 

In commenting on a draft of our report, CMS agreed with these 
recommendations and indicated that it plans to take steps to address 
the challenges and problems that we identified during our study. 

In summary, CMS's success toward meeting its goals to enhance program 
integrity will depend upon the agency's incorporation of all needed 
data into IDR as well as the effective use of the systems by the 
agency's broad community of program integrity analysts. In addition, a 
vital step will be the identification of measurable financial benefits 
and performance goals expected to be attained through improvements in 
the agency's ability to prevent and detect fraudulent, wasteful, and 
abusive claims and resulting improper payments. In taking these steps, 
the agency will better position itself to determine whether these 
systems are useful for enhancing CMS's ability to identify fraud, 
waste, and abuse and, consequently, reduce the loss of funds resulting 
from improper payments of Medicare and Medicaid claims. 

Mr. Chairman, this concludes my prepared statement. I would be pleased 
to answer any questions you or other Members of the Subcommittee may 

GAO Contacts and Staff Acknowledgments: 

If you have questions concerning this statement, please contact Joel 
C. Willemssen, Managing Director, Information Technology Team, at 
(202) 512-6253 or; or Valerie C. Melvin, Director, 
Information Management and Human Capital Issues, at (202) 512-6304 or Other individuals who made key contributions include 
Teresa F. Tucker (Assistant Director), Sheila K. Avruch (Assistant 
Director), April W. Brantley, Clayton Brisson, Neil J. Doherty, Amanda 
C. Gill, Nancy Glover, Kendrick M. Johnson, Lee A. McCracken, Terry L. 
Richardson, Karen A. Richey, and Stacey L. Steele. 

[End of section] 


[1] Medicaid is a joint federal-state program for certain low-income 

[2] The One PI portal is a Web-based user interface that enables a 
single login through centralized, role-based access to the system. 

[3] GAO, Fraud Detection Systems: Centers for Medicare and Medicaid 
Services Needs to Ensure More Widespread Use, [hyperlink,] (Washington, D.C.: June 30, 

[4] Medicare Part A provides payment for inpatient hospital, skilled 
nursing facility, some home health, and hospice services, while Part B 
pays for hospital outpatient, physician, some home health, durable 
medical equipment, and preventive services. Further, all Medicare 
beneficiaries may purchase coverage for outpatient prescription drugs 
under Medicare Part D. 

[5] GAO, Medicare Automated Systems: Weaknesses in Managing 
Information Technology Hinder Fight Against Fraud and Abuse, 
(Washington, D.C.: September 29, 1997). At the time of this report, 
CMS was known as the Health Care Financing Administration. 

[6] GAO, Secure Border Initiative: DHS Needs to Reconsider Its 
Proposed Investment in Key Technology Program, [hyperlink,] (Washington, D.C.: May 5, 
2010) and DOD Business Systems Modernization: Planned Investment in 
Navy Program to Create Cashless Shipboard Environment Needs to be 
Justified and Better Managed, [hyperlink,] (Washington, D.C.,: Sept. 8, 

[7] OMB, Guide to the Performance Assessment Rating Tool. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO's commitment to good government is 
reflected in its core values of accountability, integrity, and 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink,]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink,] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO’s Web 
site, [hyperlink,]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 

To Report Fraud, Waste, and Abuse in Federal Programs: 


Web site: [hyperlink,]: E-
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, (202) 512-4400: 
U.S. Government Accountability Office: 441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, (202) 512-4800: 
U.S. Government Accountability Office: 441 G Street NW, Room 7149: 
Washington, D.C. 20548: