This is the accessible text file for GAO report number GAO-14-111 entitled 'Medicare Program Integrity: Contractors Reported Generating Savings, but CMS Could Improve Its Oversight' which was released on November 25, 2013. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: October 2013: Medicare Program Integrity: Contractors Reported Generating Savings, but CMS Could Improve Its Oversight: GAO-14-111: GAO Highlights: Highlights of GAO-14-111, a report to congressional requesters. Why GAO Did This Study: GAO has designated Medicare as a high-risk program, in part because its size and complexity make it particularly vulnerable to fraud. To help detect and prevent potential Medicare fraud, CMS-—the agency within the Department of Health and Human Services (HHS) that administers the Medicare program—-contracts with ZPICs. These contractors are to identify potential fraud, investigate it thoroughly and in a timely manner, and take swift action, such as working to revoke suspect providers’ Medicare billing privileges and referring potentially fraudulent providers to law enforcement. GAO examined (1) ZPIC contract costs and how ZPICs use those funds, (2) the results of ZPICs’ work, and (3) the results of CMS’s evaluations of ZPICs’ performance and aspects of CMS’s evaluation practices. To do this, GAO examined ZPIC funding, contracts, and related documents; data on ZPICs’ workloads, investigations, and results; and CMS evaluations of ZPICs as well as federal standards for performance measurement. GAO also interviewed CMS and ZPIC officials. What GAO Found: The Centers for Medicare and Medicaid Services (CMS) paid its Zone Program Integrity Contractors (ZPIC) about $108 million in 2012. ZPICs reported spending most of this funding on fraud case development, primarily for investigative staff, who in 2012 reported conducting about 3,600 beneficiary interviews, almost 780 onsite inspections, and reviews of more than 200,000 Medicare claims. ZPICs reported that their actions resulted in more than $250 million in savings to Medicare in calendar year 2012 from actions such as stopping payment on suspect claims. ZPICs also reported taking other actions to protect Medicare funds, including having more than 130 of their investigations accepted by law enforcement for potential prosecution, and working to stop more than 160 providers from receiving additional Medicare payments in 2012. However, CMS lacks information on the timeliness of ZPICs’ actions—such as the time it takes between identifying a suspect provider and taking actions to stop that provider from receiving potentially fraudulent Medicare payments—and would benefit from knowing if ZPICs could save more money by acting more quickly. Table: Cost-saving Zone Program Integrity Contractor Actions, 2012: Action: Medicare claims reviewed and denied prior to payment[A]: Number: 176,079 Associated savings: $99,916,894. Action: Auto-denial edits recommended[B]: Number: 7,264 (37,736 in effect) Associated savings: $95,635,829. Action: Overpayment determinations referred[C]: Number: 515 Associated savings: $56,403,080. Total reported savings from these actions: Associated savings: $251,955,803. Source: GAO analysis of CMS Analysis, Reporting, and Tracking System data. [A] Provider-specific prepayment edits are used to identify claims for medical review and, based on those reviews, claims may be denied before they are paid. [B] Auto-denial edits automatically deny payment for noncovered, incorrectly coded, or inappropriately billed services without further review, and can prevent payment for all services submitted by suspicious providers or certain types of services for beneficiaries identified as part of a fraud scheme. [C] ZPICs refer Medicare claims to the contractors that process them to recover Medicare payments received by a provider in excess of amounts due and payable. [End of table] ZPICs generally received good ratings in annual reviews, with five of six eligible for incentive awards. CMS follows some best practices for ZPICs’ oversight, but the agency does not clearly link ZPIC performance to agency program integrity goals. The majority of the measures CMS uses to evaluate ZPICs relate to the quality of their work because, according to CMS officials, quality is the most important element. However, evaluation of such measures, while a best practice, does not connect ZPIC work to agency performance measures. For example, CMS aims to increase the percentage of actions taken against certain high risk Medicare providers—work central to ZPICs—but does not explicitly link ZPICs’ work to the agency’s progress toward that goal, another best practice that would allow the agency to better assess the ZPICs’ support of CMS’s fraud prevention efforts. What GAO Recommends: GAO recommends that CMS collect and evaluate information on the timeliness of ZPICs’ investigative and administrative actions, and develop ZPIC performance measures that explicitly link ZPICs’ work to Medicare program integrity performance measures and goals. GAO requested comments from HHS on the draft report, but none were provided. View [hyperlink, http://www.gao.gov/products/GAO-14-111]. For more information, contact Kathleen King at (202) 512-7114 or kingk@gao.gov. [End of section] Contents: Letter: Background: CMS Paid About $108 Million to ZPICs during Calendar Year 2012, Primarily for Fee-for-Service Work, which ZPICs Mostly Spent on Fraud Case Development: ZPICs Reported More than $250 Million in Savings and Other Actions, Primarily from Reactive Sources, but CMS Lacks Information on Whether More Could Be Saved: CMS Generally Gave ZPICs Good Reviews, but Does Not Link ZPIC Performance to Agency Program Integrity Measures: Conclusions: Recommendations: Agency Comments: Appendix I: Scope and Methodology: Appendix II: ZPIC Activities and Results, 2012: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Zone Program Integrity Contractor (ZPIC) Performance Timeline: Table 2: Administrative Actions that May Result from Zone Program Integrity Contractor (ZPIC) Investigations: Table 3: Select Zone Program Integrity Contractor (ZPIC) Actions and Associated Savings, Calendar Year 2012: Table 4: Zone Program Integrity Contractor (ZPIC) Award Fee Elements for Quality of Service: Table 5: Selected Zone Program Integrity Contractor (ZPIC) Activities and Results by Medicare Fee-for-Service Provider Type, Calendar Year 2012: Figures: Figure 1: Zone Program Integrity Contractor (ZPIC) Geographic Areas: Figure 2: Total Award Amounts for the Six Operating Zone Program Integrity Contractors (ZPIC), by Area of Work: Figure 3: Breakdown of Fee-for-Service Zone Program Integrity Contractor (ZPIC) Spending, 2012: Figure 4: Source of Zone Program Integrity Contractor (ZPIC) Investigations, 2012: Abbreviations: ARTS: Analysis, Reporting, and Tracking System: CMS: Centers for Medicare & Medicaid Services: COR: Contracting Officer's Representative: CPARS: Contractor Performance Assessment Report System: CPI: Center for Program Integrity: DME: durable medical equipment: DOJ: Department of Justice: FAR: Federal Acquisition Regulation: FID: Fraud Investigation Database: FPS: Fraud Prevention System: GPRA: Government Performance and Results Act: HHS: Department of Health and Human Services: HIPAA: Health Insurance Portability and Accountability Act of 1996: MAC: Medicare Administrative Contractor: Medi-Medi: Medicare-Medicaid Data Match Program: MIP: Medicare Integrity Program: OAGM: Office of Acquisition and Grants Management: OIG: Office of Inspector General: PSC: Program Safeguard Contractor: ZPIC: Zone Program Integrity Contractor: [End of section] GAO: United States Government Accountability Office: 441 G St. N.W. Washington, DC 20548: October 25, 2013: The Honorable Thomas R. Carper: Chairman: The Honorable Tom Coburn, M.D. Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Claire McCaskill: Chairman: Subcommittee on Financial and Contracting Oversight: Committee on Homeland Security and Governmental Affairs: United States Senate: For more than 20 years, GAO has designated Medicare as a high-risk program Footnote 1] due to its size and complexity, as well as its susceptibility to fraud.[Footnote 2] There are no reliable estimates of the extent of fraud in the Medicare program, but recent convictions for multimillion dollar schemes defrauding the program make clear that it continues to be vulnerable to fraud. To help detect and prevent fraud in the Medicare program, the Centers for Medicare & Medicaid Services (CMS)--the agency within the Department of Health and Human Services (HHS) that administers the Medicare program--contracts with Zone Program Integrity Contractors (ZPIC) in seven specific geographic zones covering the nation.[Footnote 3] These contractors are responsible for identifying potential fraud, investigating it thoroughly and in a timely manner, and taking swift action--such as working to revoke suspect providers' Medicare billing privileges or referring such providers to law enforcement. CMS awarded the first ZPIC contracts in 2008, and ZPICs now operate in six of the seven zones; however, weaknesses have been identified in CMS's oversight of ZPICs. Based on a review of the first two ZPICs in operation, HHS's Office of Inspector General (OIG) reported that CMS lacked complete and timely information on ZPICs' activities and results,[Footnote 4] which raised concerns about what is known about ZPICs and their effect on Medicare fraud. You asked us to examine the activities and oversight of ZPICs. This report examines (1) ZPIC contract costs and how ZPICs use those funds, (2) the results of ZPICs' work, and (3) the results of CMS's evaluations of ZPICs' performance and aspects of CMS's evaluation practices. To determine ZPIC contract costs and how ZPICs use those funds, we analyzed ZPICs' financial data from CMS's Analysis, Reporting, and Tracking System (ARTS), an online system ZPICs use to submit invoices and report workload statistics and that CMS uses to track and analyze ZPIC workload, performance, and production; and interviewed ZPIC officials on how they use their funds. To examine the six ZPICs' results, we analyzed calendar year 2012 data from CMS ARTS and the Fraud Investigation Database (FID).[Footnote 5] These included data on the source of investigations and the actions taken against suspect providers. We interviewed officials from the operational ZPICs and CMS, as well as HHS OIG. We reviewed CMS guidance to ZPICs on how they should prioritize and conduct investigations. To examine the results of CMS's evaluations of ZPICs' performance and aspects of CMS's evaluation practices, we reviewed ZPICs' contracts and associated documents that set out performance requirements, the most recently available ZPIC ratings from the Contractor Performance Assessment Reporting System (CPARS),[Footnote 6] and data from CMS on ZPICs' most recent performance evaluations and incentive award results. We reviewed internal CMS guidance on how to evaluate ZPIC performance and interviewed CMS and ZPIC officials about that evaluation process. We also reviewed federal standards and best practices for measuring performance. A more detailed discussion of our scope and methodology is included in appendix I. We conducted this performance audit from October 2012 to September 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: To address Medicare's vulnerability to fraud, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the Medicare Integrity Program (MIP).[Footnote 7] In particular, HIPAA required the Secretary of HHS to enter into contracts to promote the integrity of the Medicare program. In exercising its authority to identify and combat improper payments,[Footnote 8] CMS created 18 Program Safeguard Contractors (PSC) to identify and investigate potential fraud in specific parts of Medicare, such as Part A, in particular states or regions.[Footnote 9] In 2008, as part of the implementation of broader agency contracting reform, CMS began replacing PSCs with ZPICs, reducing the total number of contractors and giving additional responsibilities to ZPICs to investigate potential fraud across the Medicare fee-for-service program. In September 2008, CMS awarded the first two ZPIC contracts for Zones 4 and 7. As of September 2013, all but one of the ZPICs-- Zone 6--was in operation. PSCs continue to operate in Zone 6 because of protest-related delays with respect to the Zone 6 ZPIC contract. The term of each ZPIC contract is generally for a 1-year base period followed by 4 option years, enabling CMS to extend each contract through 5 years of performance.[Footnote 10] (See table 1 for contract performance timelines and figure 1 for a map of the seven ZPIC zones.) Table 1: Zone Program Integrity Contractor (ZPIC) Performance Timeline: Zone: 1; Contract awarded: September 2010; Contract fully operational: December 2010; Contract end date: January 2016. Zone: 2; Contract awarded: September 2009; Contract fully operational: February 2011; Contract end date: October 2014. Zone: 3; Contract awarded: April 2011[A]; Contract fully operational: April 2012; Contract end date: January 2017. Zone: 4; Contract awarded: September 2008; Contract fully operational: February 2009; Contract end date: October 2013. Zone: 5; Contract awarded: February 2009; Contract fully operational: December 2009; Contract end date: December 2014. Zone: 6; Contract awarded: [B]; Contract fully operational: [B]; Contract end date: [B]. Zone: 7; Contract awarded: November 2008; Contract fully operational: February 2009; Contract end date: October 2013. Source: GAO analysis of CMS information. [A] The Zone 3 contract was awarded in April 2011, but CMS subsequently modified the contract performance periods to account for protest-related delays. [B] Program Safeguard Contractors continue to operate in Zone 6 because of protest-related delays with respect to the Zone 6 ZPIC contract. [End of table] Figure 1: Zone Program Integrity Contractor (ZPIC) Geographic Areas: [Refer to PDF for image: illustrated U.S. map] Zone 1: California; Hawaii; Nevada. Zone 2: Alaska; Arizona; Idaho; Iowa; Kansas; Missouri; Montana; Nebraska; North Dakota; Oregon; South Dakota; Utah; Washington; Wyoming. Zone 3: Illinois; Indiana; Kentucky; Michigan; Minnesota; Ohio; Wisconsin. Zone 4: Colorado; New Mexico; Oklahoma; Texas. Zone 5: Alabama; Arkansas; Georgia; Louisiana; Mississippi; North Carolina; South Carolina; Tennessee; Virginia; West Virginia; Zone 6: Connecticut; Delaware; District of Columbia; Maine; Maryland; Massachusetts; New Hampshire; New Jersey; New York; Pennsylvania; Rhode Island; Vermont. Zone 7: Florida; Puerto Rico. Source: GAO analysis of CMS information; Map Resources (map). Note: Program Safeguard Contractors continue to operate in Zone 6 because of protest-related delays with respect to the Zone 6 ZPIC contract. [End of figure] In 2010, CMS established the Center for Program Integrity (CPI), which oversees the agency's program integrity efforts, including ZPICs. CPI's stated mission is to ensure that correct payments are made to legitimate providers for covered, appropriate, and reasonable services for eligible beneficiaries. CPI has undertaken an effort to try to move beyond the "pay and chase" approach--which focused on the recovery of funds lost due to payments of fraudulent claims--to focusing on fraud prevention. To enhance these efforts, the Small Business Jobs Act of 2010 appropriated funds for and required CMS to implement predictive analytics technologies, which are automated systems and tools that can help identify patterns of potentially fraudulent claims before they are paid.[Footnote 11] In turn, CMS developed the Fraud Prevention System (FPS), an electronic system in which Medicare claims data are compared against models of potentially fraudulent behavior to identify and prioritize for investigation providers with aberrant billing patterns.[Footnote 12] As part of implementing FPS, CPI modified ZPICs' work. They are to continue to investigate and quickly initiate actions to protect Medicare, but are also charged with investigating certain referrals from FPS.[Footnote 13] Investigating and Acting on Potential Fraud: To detect and investigate potential fraud within each zone, ZPICs develop leads, investigate them, and initiate appropriate actions against suspect providers, suppliers, and others. ZPICs do this with teams of investigators, data analysts, and medical reviewers. Investigators perform a range of actions to examine potential fraud, including conducting provider audits, making site visits to suspect providers' offices, and interviewing Medicare beneficiaries. Data analysts, including statisticians, examine Medicare claims and other data to support investigations and search for potential fraud and new schemes. Medical reviewers, primarily nurses, provide clinical knowledge to support the work of investigators and data analysts. ZPICs identify potential targets for fraud investigations using three categories of sources: 1. Reactive sources. Reactive sources are notifications of potential fraud submitted to ZPICs, which may result in a ZPIC conducting an investigation. A number of entities refer potential fraud to ZPICs for investigation. These entities include Medicare Administrative Contractors (MAC), which examine their contacts with beneficiaries for indications of potential fraud and may forward the contacts to ZPICs for additional scrutiny.[Footnote 14] In addition, HHS OIG operates a fraud hotline and may refer calls from it to the MACs for initial screening and then to the ZPICs for further investigation. Other sources include investigations ZPICs receive directly from CMS. 2. Proactive sources. ZPICs are required to maintain at least 3 years of Medicare claims data for analysts to examine for potential fraud using a variety of analytic tools and methods. For example, analysts examining these data may identify providers that, compared with their peers, have aberrant billing patterns, which can indicate potentially fraudulent behavior. If analysts identify such patterns, those findings may result in a ZPIC investigation. 3. FPS. FPS identifies providers for ZPICs to investigate, with the goal of identifying aberrant billing patterns early so that ZPICs can investigate suspect providers before they generate large amounts of potentially fraudulent claims. ZPICs prioritize their investigations according to CMS guidance, which states that ZPICs should give priority to investigations with the greatest program impact and/or urgency. CMS's Program Integrity Manual defines such investigations as those involving patient abuse or harm, multistate fraud, high dollar amounts of potential overpayments, likely increase in the amount of fraud or enlarged pattern of fraud, and complaints made by Medicare supplemental insurers.[Footnote 15] In addition, with the implementation of FPS in July 2011, CMS directed the ZPICs to investigate certain high-risk leads from that system. As part of their investigations, ZPICs initiate administrative actions against Medicare providers or suppliers, coordinating with CMS and MACs to carry out those actions, which may result in Medicare savings. (See table 2 for the administrative actions ZPICs may initiate as part of their investigations.) For example, ZPICs may initiate payment suspensions that allow CMS to stop payment on suspect claims and prevent the payment of future claims until an investigation is resolved.[Footnote 16] In addition, a ZPIC may recommend to CMS that the agency revoke a provider's Medicare billing privileges and will coordinate with a MAC to implement that action following CMS approval. In addition to administrative actions, ZPICs may forward vulnerabilities[Footnote 17] identified during an investigation to CMS for consideration as possible local or national prepayment edits. [Footnote 18] Table 2: Administrative Actions that May Result from Zone Program Integrity Contractor (ZPIC) Investigations: Action: Implementation of provider-specific prepayment review edits[A]; Definition: ZPICs request provider-specific prepayment edits to identify claims for medical review prior to payment. Action: Implementation of auto-denial edits[A]; Definition: ZPICs request prepayment edits to automatically deny payment for noncovered, incorrectly coded, or inappropriately billed services without further review.[B] Action: Payment suspension; Definition: ZPICs request whole or partial suspension of a provider's Medicare payments. Action: Overpayment determination; Definition: ZPICs request recovery of Medicare payments received by a provider in excess of amounts due and payable. Action: Revocation, deactivation, or both; Definition: ZPICs request revocation of a provider's Medicare billing privileges; deactivation of a provider's National Provider Identifier, stopping other billing privileges; or a combination of both.[C] Source: GAO analysis of agency information. [A] In cases of suspected fraud, ZPICs may recommend the implementation of prepayment edits that apply to specific providers and automatically deny claims or flag claims for prepayment review. In these cases, prepayment edits are considered by CMS to be administrative actions. [B] These edits analyze claims' attributes and automatically prevent Medicare from paying claims based on suspicious attributes. For example, some edits prevent payment for all services submitted by suspicious providers. Other edits prevent payment for certain types of services for beneficiaries identified as part of a fraud scheme for specific services. [C] Given ZPICs' role in identifying and investigating potential fraud, for this report we consider deactivations initiated by ZPICs to be administrative actions; however, according to CMS officials, the agency may deactivate providers' National Provider Identifiers for a number of reasons, some of which may not be a result of an investigation into potential fraud, such as when a provider or supplier is no longer submitting claims to Medicare or did not report certain changes to their enrollment application or respond to a revalidation request. A provider or supplier whose enrollment has been deactivated may have billing privileges restored by resubmitting an enrollment application with updated information to CMS. [End of table] In addition to administrative actions, if a ZPIC investigation uncovers suspected instances of fraud, the ZPIC must refer the investigation to HHS OIG for further examination and, if HHS OIG declines to investigate, the ZPIC may refer the issue to the FBI or any other interested law enforcement entity, such as a U.S. Attorney's Office. A ZPIC investigation that is referred to and accepted by law enforcement for further exploration and potential prosecution is then called a case. As long as law enforcement entities have not closed a case, it is considered open by both law enforcement and ZPICs. CMS also requires ZPICs to support HHS OIG, the Department of Justice (DOJ), and other law enforcement entities with their Medicare fraud investigations. This support can be for these entities' own, independently initiated cases, or for those that ZPICs initiated and then referred to law enforcement. ZPICs provide support on ZPIC- initiated and non-ZPIC-initiated cases by responding to law enforcement requests for information. These requests may be for data analysis; provider enrollment records, which ZPICs obtain from MACs; medical review; or other investigative support. ZPIC Contracts by Area of Work and Award Amount: ZPIC contracts cover three areas of work: 1. Fee-for-service program integrity work. ZPICs are to identify and investigate potential fraud in Medicare fee-for-service. The contracts for this work outline four categories of investigations: Part A, Part B, durable medical equipment (DME), and home health and hospice. Although DME providers and home health and hospice suppliers provide services covered under Medicare Parts A and B, the ZPIC contracts identify them separately and ZPICs track their fee-for-service program integrity work based on these four categories.[Footnote 19] 2. Medicare-Medicaid Data Match Program (Medi-Medi). Medi-Medi is a joint effort between CMS and states to identify providers with aberrant Medicare and Medicaid[Footnote 20] billing patterns through analyses of claims for individuals with both Medicare and Medicaid coverage. States participate voluntarily and ZPIC Medi-Medi work and funding is dependent on the number of states, if any, actively participating in each zone.[Footnote 21] 3. Special projects. CMS may also fund ZPICs for special zone-or fraud- specific projects. Special projects can vary in duration and can be as short as several months or run for multiple years. The total award amount for the six operating ZPIC contracts through all option years is more than $600 million. Of that amount, $411 million is for fee-for-service program integrity work, $169 million is for Medi-Medi, and $62 million is for special zone-and fraud-specific projects over the life of the contracts. (See figure 2.) The contract award amounts for the six operating ZPIC contracts (inclusive of option years) range from $67 million to $182 million, which reflects variations between the zones in terms of their size, exposure to fraud risk, and receipt of special projects. For example, Zone 7 covers a geographically small area comprising one state and one territory, but is an area CMS considers to be at high risk for fraud. In comparison, Zone 2 is a geographically large but predominantly rural area comprising 14 states and including areas that may be at a lower risk of fraud.[Footnote 22] In addition, although not all ZPICs currently receive funding for a special project, all six operating ZPICs have at some time received such funding. For example, one ZPIC was awarded almost $50 million for an ongoing state-specific fraud hotline and another received almost $3 million for a completed project specifically examining potential fraud among home health providers. Figure 2: Total Award Amounts for the Six Operating Zone Program Integrity Contractors (ZPIC), by Area of Work: [Refer to PDF for image: pie-chart] Medicare fee-for-service: $411 million; Medi-Medi: $169 million; Special projects: $62 million. Source: GAO analysis of CMS Analysis, Reporting and Tracking System data. Notes: Excludes Zone 6. Program Safeguard Contractors continue to operate in this zone because of protest-related delays with respect to the Zone 6 ZPIC contract. CMS awarded the first ZPIC contract in September 2008 and the most recent in April 2011. If operating ZPICs are extended for their full contract terms, this round of contracts will end between October 2013 and January 2017. [End of figure] Medicare fee-for-service consists of Medicare Part A, which covers inpatient hospital care, skilled nursing facility care, some home health care services, and hospice care; and Medicare Part B, which covers physician and outpatient hospital services, diagnostic tests, mental health services, outpatient physical and occupational therapy, ambulance services, prosthetics, orthotics, and supplies. Medi-Medi is a program that matches data from Medicare and Medicaid-- Medicaid is a joint federal-state health care program for certain low- income individuals--to identify patterns of fraud that examine data from both programs that only one program may not find. Special projects are zone-or fraud-specific projects that vary in length and can be as short as a few months or can run indefinitely. CMS Oversight and Performance Evaluations of ZPICs: CMS primarily oversees ZPICs through the coordinated efforts of CPI and the Office of Acquisition and Grants Management (OAGM). The ZPIC Contracting Officer in OAGM is responsible for ensuring effective contracting, and the Contracting Officer's Representatives (COR) are in CPI. Each ZPIC is assigned a different COR, who helps oversee ZPIC contractor compliance through ongoing reviews. Among other things, the CORs use CMS ARTS to review their ZPICs' monthly invoices and aggregate workload, such as the total number of new investigations, administrative actions, and dollar amounts recouped in a month. Each ZPIC contract includes award fee provisions, which give contractors the opportunity to earn all or some of the award fee allowed under their contracts, depending on their level of performance. CMS evaluates each ZPIC's performance annually and determines how much of its award fees it will receive. CMS first evaluates whether a ZPIC is eligible for an award fee.[Footnote 23] For these reviews, CMS instructs its CORs on how to assess specific areas of their ZPICs' performance by interviewing ZPIC and other staff; reviewing a sample of open and closed investigations and cases, as well as other documents; reviewing data in CMS ARTS, FID, and other systems; and making observations during ZPIC site visits. If in this review CMS finds that a ZPIC meets certain performance thresholds, [Footnote 24] the CORs move to the second step: using their annual review findings to recommend the amount of award fees a ZPIC should receive. The ZPICs' contracts specify through Award Fee Plans the criteria against which CMS will measure ZPICs' performance to earn their fees. These criteria fall into two overarching areas: (1) quality of service measures that apply to all ZPICs, worth 60 percent of the award fee, and (2) ZPIC-specific plans drafted in the prior year by each ZPIC and approved by CMS on how the ZPIC will improve its administrative actions--Award Fee Administrative Action Plans--worth 40 percent. ZPICs can receive all or part of their proposed award fees based on how well they perform in each of the elements within the two areas. CMS Paid About $108 Million to ZPICs during Calendar Year 2012, Primarily for Fee-for-Service Work, which ZPICs Mostly Spent on Fraud Case Development: CMS paid the six operating ZPICs about $108 million in calendar year 2012, including about $1.3 million in award fees for each ZPIC's most recent contract year evaluation. CMS's payments were primarily to reimburse contractors for fee-for-service work, comprising $77 million of the $108 million paid. ZPICs reported spending most of their fee-for-service funding in 2012 on fraud case development, primarily for investigative staff. (See figure 3 for the breakdown of ZPIC fee-for-service spending.) According to CMS officials, fraud case development costs are those related to identifying and investigating potential Medicare fraud. These costs include those associated with developing proactive sources, and addressing potential fraud identified by FPS. Personnel accounts for most of these costs, with ZPICs reporting that half their fraud case development staff are investigators and the other half are split between medical reviewers and data analysts. ZPIC officials told us that identifying and investigating potential Medicare fraud can be labor intensive, which is why the largest direct cost was for personnel. In 2012, ZPICs reported that their investigations included 3,600 beneficiary interviews, 777 onsite inspections, prepayment reviews of 190,000 suspended claims and postpayment reviews of 32,000 paid claims. Additionally, ZPICs added more than 1,100 providers to prepayment review and almost 300 providers to postpayment review. Figure 3: Breakdown of Fee-for-Service Zone Program Integrity Contractor (ZPIC) Spending, 2012: [Refer to PDF for image: pie-chart] Fraud case development: $46 million; IT systems support: $12 million; ZPIC administration: $10 million; Quality assurance/improvement[A]: $5 million; Law enforcement requests for information: $4 million. Source: GAO analysis of CMS Analysis, Reporting and Tracking System data. Note: The spending categories in the figure are general spending categories CMS sets for ZPICs. [A] Quality assurance/improvement costs are those related to ZPICs' activities that ensure that their work is being performed consistently and accurately. [End of figure] ZPICs Reported More than $250 Million in Savings and Other Actions, Primarily from Reactive Sources, but CMS Lacks Information on Whether More Could Be Saved: In calendar year 2012, ZPICs reported more than $250 million in savings to Medicare by stopping payment on suspect claims and recouping money from overpayments. However, it is unclear if ZPICs could save more money by taking swifter actions since CMS lacks information on the speed of those actions. ZPICs took these actions based primarily on reactive sources, such as tips and complaints. ZPICs Reported More than $250 Million in Savings through Administrative Actions, but CMS Lacks Information to Track the Timeliness of These Actions: Side bar: Example of investigations resulting in a revocation: One ZPIC described that investigations involving "false fronts"-- meaning there is no provider at the designated address--allow the ZPIC to quickly initiate revocations of those providers' billing privileges. [End of side bar] ZPICs reported initiating administrative actions that led to more than $250 million in savings or money recovered to Medicare in calendar year 2012 (see table 3). These savings represent nearly $100 million in claims flagged for review and then denied before payment; almost $100 million in auto-denial edits for suspect providers, suppliers, and beneficiaries; and almost $60 million recouped by MACs at the request of ZPICs. In addition, ZPICs placed more than $14 million in suspense accounts while the claims for that money were reviewed. [Footnote 25] ZPICs also reported taking actions that could result in savings that may not be easily quantifiable. For example, in 2012 ZPICs reported implementing more than 160 revocations and deactivations. Although these actions represent no direct savings, [Footnote 26] CMS has reported that revocations are the most effective fraud prevention tool because they prevent providers from submitting additional potentially fraudulent claims. (See appendix II for more information on ZPICs' actions, including by provider type.) Table 3: Select Zone Program Integrity Contractor (ZPIC) Actions and Associated Savings, Calendar Year 2012: Action: Claims denied prior to payment[A]; Number: 176,079; Savings associated with action: $99,916,894. Action: Auto-denial edits recommended[B]; Number: 7,264 (37,736 in effect); Savings associated with action: $95,635,829. Action: Overpayment determinations referred for collection[C]; Number: 515; Savings associated with action: $56,403,080 collected ($231,551,875 referred)[D]. Action: Total reported savings from these administrative actions; Savings associated with action: $251,955,803. Action: Providers under payment suspension[E]; Number: 403; Savings associated with action: $14,082,755 ($5,351,135 released). Action: Revocations and deactivations[F]; Action: Claims denied prior to payment[A]: Auto-denial edits recommended[B]: Overpayment determinations referred for collection[C]: Total reported savings from these administrative actions: Providers under payment suspension[E]: 164 (102 revocations/62 deactivations); Savings associated with action: [Empty]. Source: GAO analysis of CMS Analysis, Reporting, and Tracking System data. Notes: Table shows the total of selected actions and savings reported by all operating ZPICs in 2012. Because Zone 3 was fully operational in April 2012, the totals reflect that zone's work from April 2012 through December 2012. All amounts reflect the Medicare allowed rate for claims, but do not take into account beneficiary copayments, other insurance, or other costs. [A] Provider-specific prepayment edits are used to identify claims for medical review and, based on those reviews, claims may be denied before they are paid. [B] These edits analyze claims' attributes and automatically prevent Medicare from paying claims based on suspicious attributes. In addition, some edits prevent payment for all services submitted by suspicious providers or for certain types of services for beneficiaries identified as part of a fraud scheme for specific services. [C] Actions are taken to recover Medicare payments received by a provider in excess of amounts due and payable. [D] These amounts reflect all ZPIC overpayment determinations, whether resulting from a ZPIC investigation or a law enforcement case. [E] Medicare payments to a provider are suspended, in whole or in part. We did not include the dollar amount for suspensions in the estimate of total savings from administrative actions because these dollars have not been collected and returned to Medicare. [F] A provider's Medicare billing privileges are revoked and/or a provider's National Provider Identifier is deactivated, stopping other billing privileges. [End of table] Side bar: Example of an investigation resulting in a law enforcement referral: One ZPIC recently identified chiropractors opening pain management clinics and billing Medicare for diabetic neuropathy treatments, such as physical therapy and pneumatic devices. However, on inspection, these providers were using nonclinical massage chairs, such as those often found in nail salons. The ZPIC identified 17 such clinics, all operated by the same provider, which were successfully referred to law enforcement for further investigation and possible prosecution. [End of side bar] ZPICs coordinate with law enforcement entities on ZPIC-initiated and other investigations, resulting in additional savings to Medicare and other results. In 2012, ZPICs reported that law enforcement entities accepted more than 130 new cases from them, with HHS OIG as the primary entity accepting the cases, followed by the FBI.[Footnote 27] In addition, ZPICs reported completing almost 1,800 requests for information for cases initiated by law enforcement and almost 700 for cases that had been initiated by ZPICs, primarily for data analysis. ZPICs also reported that, as a result of their cases being accepted and prosecuted by law enforcement, convicted providers were ordered to pay almost $80 million[Footnote 28] in court-determined fines, settlements, and/or restitutions.[Footnote 29] Cases can also result in prison sentences and other actions,[Footnote 30] though CMS does not consistently track those outcomes. ZPICs are to track information on the results of their cases in FID, but the system contains few outcomes. CMS officials said that they are aware of this issue and have taken steps to both improve ZPICs' use of FID and integrate the system with CMS ARTS and other systems to improve the data in FID. As of August 2013, CMS officials reported that the agency was testing the integration of the systems and expected the integration to be completed by late 2013. According to CMS, ZPICs are to take immediate action to protect Medicare funds, but CMS may be missing opportunities for additional savings to Medicare because the agency lacks information on the timeliness of certain ZPIC actions. ZPIC officials reported taking actions and preventing potentially fraudulent payments before they were made, in line with CMS fraud strategies, and CMS ARTS data show ZPICs implementing some aspects of these strategies. For example, ZPIC officials reported focusing on prepayment reviews of claims-- preventing potentially fraudulent payments--and 2012 CMS ARTS data showed that, of the providers whom ZPICs reviewed in 2012, almost five times as many had their claims reviewed on a prepayment basis rather than a postpayment basis. However, CMS does not track information on the swiftness of these actions, such as the length of time between a ZPIC's receipt of a complaint about a suspect provider and the ZPIC's visit to that provider, or between identifying a potentially fraudulent provider and initiating an administrative action. Federal internal control standards state that agencies' management should have information on performance relative to established objectives so that actual performance can be continually compared against goals and differences can be analyzed.[Footnote 31] Because CMS does not have information on ZPICs' timeliness for these types of activities, the agency cannot benchmark any changes in timeliness or measure the effectiveness of its strategies, such as whether ZPICs are limiting unnecessary losses to Medicare from suspect providers continuing to receive potentially fraudulent Medicare payments while awaiting investigative or administrative actions. ZPICs Identified Potential Fraud Primarily through Reactive Sources: Side bar: Example of proactive data analysis: Analysis of one rural state's Medicare data identified a minor billing anomaly that ultimately led to a fraud scheme involving a provider directing beneficiaries to use a colander-like hat to self-administer electro-shock therapy. [End of side bar] Reactive sources--primarily complaints--were the major source of new ZPIC investigations in 2012, accounting for almost 90 percent of the almost 5,000 new investigations that year. (See figure 4 for the sources of ZPIC investigations.) In 2012, ZPICs received almost 5,000 complaints, 45 percent of which were from MACs and over 50 percent from other sources, primarily the HHS OIG hotline, as reported by ZPIC officials. Proactive projects and FPS each accounted for less than 10 percent of investigations. Examples of proactive projects include analyzing data to identify spikes--large, rapid increases--in providers' billing patterns; aberrant providers, such as those with unusual billing patterns; and schemes related to stolen beneficiary identities. ZPIC officials reported that their proactive data analysis projects are valuable because they find zone-specific fraud or new fraud schemes that reactive sources or FPS may not identify. For example, one ZPIC that covers multiple frontier states conducted a proactive project related to critical access hospitals, 40 percent of which are in that ZPIC's geographic zone.[Footnote 32] ZPIC officials reported that as a result of this project, they identified overpayments to several hospitals that had opened new psychiatric units, as well as opportunities for education to improve patient care. (See appendix II for more information on the sources of ZPIC investigations.) Figure 4: Source of Zone Program Integrity Contractor (ZPIC) Investigations, 2012: [Refer to PDF for image: 2 pie-charts] All sources: Proactive sources[A]: 7%; Reactive sources[B]: 88%; Fraud Prevention System (FPS)[C]: 5%. Reactive sources: MAC: 45%; Medical Review: 1%; CMS: 2%; Other ZPIC contracts: 2%; Other: 51%. Source: GAO analysis of CMS Analysis, Reporting and Tracking System data. [A] Proactive sources are those identified by ZPIC data analysis. ZPICs are to maintain at least 3 years of Medicare claims data for analysts to examine for potential fraud using a variety of analytic tools and methods. If analysts identify patterns in the claims data indicating potential fraud, those findings may result in a ZPIC investigation. [B] Reactive sources are notifications of potential fraud submitted to ZPICs. A number of entities refer potential fraud to ZPICs for investigation. These entities include Medicare Administrative Contractors' Complaint Units, which examine their contacts with beneficiaries for indications of potential fraud and may forward the contacts to ZPICs for additional scrutiny. ZPICs also receive notifications of potential fraud directly from CMS and from other ZPICs, such as those involved with special projects. [C] The Fraud Prevention System (FPS) is an electronic system in which Medicare claims data are compared against models of potentially fraudulent behavior to identify and prioritize for ZPIC investigation certain providers with aberrant billing patterns. [End of figure] Although ZPIC officials previously reported issues with the quality of leads from FPS, as well as a decline in the number of proactive projects as a result of increased work to address FPS leads, officials have since reported improvements in FPS and their ability to address leads from the system.[Footnote 33] For example, officials from one ZPIC reported that the leads from FPS have improved and that the zone developed a new process for investigating those leads, thereby improving results. CPI officials reported that they will continue to direct ZPICs to investigate leads from proactive and reactive sources, as well as FPS, noting that the most successful ZPICs are those that can effectively address leads from all three categories. CMS Generally Gave ZPICs Good Reviews, but Does Not Link ZPIC Performance to Agency Program Integrity Measures: Based on CMS's annual reviews, five of the six operating ZPICs were eligible for some portion of their contracts' available award fees, and ZPICs received almost 70 percent of all fees for their most recent periods of performance.[Footnote 34] The five ZPICs' ratings for the elements considered in the annual reviews--elements that measure aspects of quality of service, cost control, business relations, and timeliness of certain activities--ranged from satisfactory to exceptional, meeting the award fee eligibility requirement of at least a satisfactory rating in all four of these elements. CMS awarded the five eligible ZPICs about two-thirds of the available award fees--$1.3 million out of $1.9 million--in the ZPICs' most recent contract years based on ZPIC performance both on quality-of-service measures in the annual reviews and achievement of their Award Fee Administrative Action Plan goals. CMS officials reported that they assigned the majority of available award fee amounts--60 percent--to the quality-of- service measures in the annual evaluations because quality is the most important element of ZPICs' work. CMS apportions the 60 percent of award fee amounts for quality of service across multiple assessment criteria. Table 4 lists the quality-of-service measures for which ZPICs could earn award fees. Among the highest-value elements are how well ZPICs prioritize and document investigations, conduct medical reviews, and analyze data. ZPICs' Award Fee Administrative Action Plan goals varied by ZPIC, and included goals such as developing a project to identify and prevent phantom provider schemes and improving the timeliness of initiating and implementing payment suspensions. CMS officials said that this portion of the award fee is intended to encourage ZPICs to develop more innovative ways to take administrative actions. Table 4: Zone Program Integrity Contractor (ZPIC) Award Fee Elements for Quality of Service: Performance categories: Investigations; Assessment of criteria: Prioritization of investigations; Percentage of score: 12%. Assessment of criteria: Investigation files; Percentage of score: 12%. Performance categories: Cases; Assessment of criteria: Law enforcement referrals; Percentage of score: 10%. Assessment of criteria: Administrative actions; Percentage of score: 12%. Performance categories: Fraud Investigation Database (FID); Assessment of criteria: Inputting data into FID; Percentage of score: 6%. Performance categories: Medical review; Assessment of criteria: Medical review; Percentage of score: 12%. Performance categories: Security; Assessment of criteria: Handling and physical security of sensitive material; Percentage of score: 6%. Assessment of criteria: ZPIC facility security; Percentage of score: 6%. Performance categories: Claims data; Assessment of criteria: Claims data and IT; Percentage of score: 6%. Performance categories: Data analysis; Assessment of criteria: Data analysis; Percentage of score: 12%. Performance categories: Deliverables; Assessment of criteria: Contractually required deliverables; Percentage of score: 6%. Performance categories: Total; Percentage of score: 100%. Source: GAO analysis of CMS information. Note: Quality-of-service award fee elements account for 60 percent of ZPICs' proposed award fees. The other 40 percent is based on ZPICs' performance reaching their annual Award Fee Administrative Action Plan goals. [End of table] CMS follows some best practices for its oversight of ZPICs, but does not clearly link ZPIC performance to agency performance measures and goals. The award fee evaluations allow CMS to assess key elements of ZPICs' work, which follows federal best practices. Federal standards state that performance measures may address the type or level of program activities conducted (process), the direct products and services delivered by a program (outputs), or the results of those products and services (outcomes).[Footnote 35] CMS's measures evaluate ZPICs' processes and outputs, but not their outcomes. Moreover, these performance measures do not connect ZPIC work to agency performance measures that are linked to its goals, which is another best practice. One way that agencies examine the effectiveness of their programs is by measuring performance as required by the Government Performance and Results Act of 1993 (GPRA), as amended by the GPRA Modernization Act of 2010.[Footnote 36] One of CMS's GPRA goals is to fight fraud and work to eliminate improper payments.[Footnote 37] Within that goal are two Medicare fee-for-service performance measures for determining progress toward that goal, and CMS officials reported that ZPICs are the primary actors for one of the measures: increasing the percentage of providers who are identified as high risk against whom CMS takes administrative actions.[Footnote 38] CMS's fiscal year 2014 target for this performance measure is to increase the percentage of administrative actions taken for these high-risk providers from 27 percent to 36 percent. Federal standards state that entities should link performance measurements to goals and objectives, and previous GAO work found that leading organizations try to link the goals and performance measures for each organizational level to successive levels and ultimately to the organization's strategic goals.[Footnote 39] However, according to CMS officials, none of the ZPICs' performance measures link to the agency's measures of increasing the percentage of administrative actions taken against high-risk providers, or to the other Medicare fee-for-service program integrity performance measure of reducing improper payments. Some ZPICs had goals in their Award Fee Administrative Action Plans related to the agency's performance measures--for example, one ZPIC set a goal of increasing the value of its referrals of overpayments, which could reduce improper payments--but these were zone-specific and do not allow CMS to evaluate the overall impact of ZPICs on agency measures and, ultimately, goals. CMS officials told us in April 2013 that they are revising the ZPIC Award Fee Plans, but based on a draft of the revisions and discussions with CMS officials, the revised plans will continue to lack measures related to outcomes and will not tie performance to agency program integrity measures or goals. While creating outcome measures for ZPICs may be challenging, CMS could develop measures that better link ZPICs' work to agency performance measures and goals. GAO has previously reported several factors that make assessing the outcomes of health care fraud prevention work--such as that conducted by ZPICs--difficult.[Footnote 40] These include the difficulties of establishing a health care fraud baseline to determine whether the amount of fraud has changed over time, quantifying the effect of the work on deterring fraud, and establishing a causal link between the work and changes in health care fraud. In addition, CMS officials as well as other stakeholders cautioned against setting targets, such as the number of law enforcement referrals or revocations, as performance measures or goals since that could create incentives for ZPICs to refer more cases to law enforcement or revoke more providers' billing privileges than investigations may merit, potentially jeopardizing the quality of ZPICs' work.[Footnote 41] Although developing outcome measures can be difficult and setting targets can be problematic, CMS could explicitly link ZPICs' work to the agency's progress toward meeting its performance measures and goals. Specifically, CMS officials reported that they are using FPS to identify and track high-risk providers for the performance measure of increasing the number of administrative actions taken against those providers. Although ZPICs are the primary users of FPS and have primary responsibility for initiating administrative actions, CMS does not link ZPICs' use of FPS to that measure, hindering the agency's ability to effectively oversee its progress toward meeting its goal of fighting fraud and working to eliminate improper payments.[Footnote 42] Conclusions: Given the vulnerability of the Medicare program to fraud and the lack of reliable estimates of the extent of fraud in the program, determining how well CMS is carrying out its fraud prevention strategy is a vital, if challenging, task. ZPICs, which are central to that strategy, reported that their efforts have yielded positive results, such as savings greater than their contract costs and multiple other actions that helped protect Medicare from potentially fraudulent providers, such as referring suspect providers to law enforcement. Yet little is known about how expeditiously ZPICs take action to save Medicare funds--an important consideration given that the longer a fraud scheme operates, the greater the potential financial losses. As a result, CMS would benefit from enhancing its collection and evaluation of information on the timeliness of ZPICs' actions, including information on whether new tools or strategies have increased the speed with which ZPICs investigate potentially fraudulent providers or initiate administrative actions. In addition, as CMS attempts to achieve its agencywide program integrity goal of fighting fraud and eliminating improper payments in the Medicare program, it would benefit from knowing how ZPICs are contributing to efforts to achieve this goal. By linking the evaluation of ZPICs' work to the agency's program integrity performance measures--in particular the performance measure focused on administrative actions, which are a significant portion of ZPICs' work--CMS would have greater assurance that its ZPIC activities are appropriately supporting CMS fraud prevention efforts. Recommendations: To help ensure that CMS's fraud prevention activities are effective and that CMS is comprehensively assessing ZPIC performance, the Administrator of CMS should take the following two actions: * Collect and evaluate information on the timeliness of ZPICs' investigative and administrative actions, such as how soon investigations are initiated after ZPICs identify potential fraud and how swiftly ZPICs initiate administrative actions after identifying potentially fraudulent providers. * Develop ZPIC performance measures that explicitly link their work to the agency's Medicare fee-for-service program integrity performance measures and targets for its GPRA goal of fighting fraud and working to eliminate improper payments. Agency Comments: We requested comments from HHS, but none were provided. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretary of Health and Human Services, the Acting Administrator of CMS, appropriate congressional committees, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-7114 or at kingk@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III. Signed by: Kathleen King: Director, Health Care: [End of section] Appendix I: Scope and Methodology: To determine Zone Program Integrity Contractors' (ZPIC) contract costs and how ZPICs use those funds, we examined data from CMS's Analysis, Reporting, and Tracking System (ARTS), an online system ZPICs use to submit invoices and report workload statistics and which CMS uses to track and analyze ZPIC workload, performance, and production. Specifically, we examined aggregated ZPIC invoices and workload statistics that specified how ZPICs allocate their funds, and interviewed ZPIC officials to confirm these data. We also reviewed the task orders outlining the scope of each zone's work and obtained data from CMS on ZPIC contract amounts. To describe the results of ZPIC Medicare fee-for-service investigations, we examined data from CMS ARTS and the Fraud Investigation Database (FID), a secure system that contains details related to Medicare fraud and abuse investigations. We analyzed calendar year 2012 data for the six operating ZPICs on the sources of their investigations, the numbers of administrative actions taken, and dollar values of relevant actions. We reviewed CMS guidance on how ZPICs should prioritize their work and how to conduct investigations. We interviewed officials from the CMS Center for Program Integrity about how they review and track ZPIC administrative actions and their process of approval for actions, such as revocations. We interviewed officials from all six ZPICs to learn about their internal guidance on prioritizing and conducting their work, how they determine when to take administrative actions, and how they decide to refer a case to law enforcement. To examine the results of CMS's evaluation of ZPICs' performance and aspects of CMS's evaluation practices, we reviewed the following: each ZPIC's most recent Contractor Performance Assessment Report; each ZPIC's most recently completed Award Fee Administrative Action Plan, which describes the ZPIC's plans to improve administrative actions and how it will earn its award fee; and data from CMS on the percentage and amount of each zone's award fee. We reviewed internal CMS guidance on how to evaluate ZPICs' performance, as well as federal standards and best practices for measuring performance. We also interviewed CMS contracting and other officials to learn about the review process and how such guidance is applied, and to discuss changes to ZPIC evaluations and performance measures. We also interviewed ZPIC officials to learn more about how ZPICs determine their Award Fee Administrative Action Plan goals and how they evaluate themselves on these goals and other work. We assessed the reliability of the data we obtained from CMS ARTS and FID through interviews with agency officials and users, system demonstrations, and, in the case of CMS ARTS, direct use of the system. We shared with CMS and the relevant ZPIC any errors we identified through reviews of the data and comparisons with other sources to obtain corrected information. We found the data sufficiently reliable for the purposes of this review. We conducted this performance audit from October 2012 to September 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: ZPIC Activities and Results, 2012: The following table shows selected ZPIC activities and results reported by ZPICs in CMS ARTS. Durable medical equipment (DME) is covered under Medicare Part B, and home health and hospice under are covered under Part A, but ZPICs report data in CMS ARTS as monthly aggregates by Part A, Part B, DME, and home health and hospice. CMS ARTS data do not allow us to identify particular provider types, such as whether a Part B provider was a family physician or podiatrist. Table 5: Selected Zone Program Integrity Contractor (ZPIC) Activities and Results by Medicare Fee-for-Service Provider Type, Calendar Year 2012: Investigations: Data element: Number of investigations closed; Part A[A]: 660; Part B[B]: 1,741; Durable medical equipment: 1,901; Home health and hospice: 557; Total: 4,859. Data element: Number of new investigations from reactive sources[C]; Medical review; Part A[A]: 5; Part B[B]: 26; Durable medical equipment: 7; Home health and hospice: 21; Total: 59. MAC complaint unit[D]; Part B[B]: 660: 5: 248; Part B[B]: 972; Durable medical equipment: 669; Home health and hospice: 298; Total: 2,187. CMS field offices; Part A[A]: 14; Part B[B]: 30; Durable medical equipment: 12; Home health and hospice: 22; Total: 78. Other ZPIC contracts; Part A[A]: 59; Part B[B]: 19; Durable medical equipment: 10; Home health and hospice: 2; Total: 90. Other; Part A[A]: 284; Part B[B]: 801; Durable medical equipment: 1,010; Home health and hospice: 380; Total: 2,475. Data element: Number of new investigations from proactive sources[E]; Part A[A]: 65; Part B[B]: 100; Durable medical equipment: 166; Home health and hospice: 53; Total: 384. Data element: Number of new investigations from FPS[F]; Part A[A]: [Empty]; Part B[B]: [Empty]; Durable medical equipment: [Empty]; Home health and hospice: [Empty]; Total: 257. Data element: Number of new proactive projects; Part A[A]: 26; Part B[B]: 83; Durable medical equipment: 67; Home health and hospice: 10; Total: 186. Cases[G]: Data element: Number of cases accepted by law enforcement; Part A[A]: 21; Part B[B]: 72; Durable medical equipment: 29; Home health and hospice: 17; Total: 139. Data element: Number of potential cases declined by law enforcement; For reasons within the control of the ZPIC[H]; Part A[A]: 0; Part B[B]: 0; Durable medical equipment: 0; Home health and hospice: 0; Total: 0. For reasons outside the control of the ZPIC; Part A[A]: 6; Part B[B]: 17; Durable medical equipment: 6; Home health and hospice: 4; Total: 33. Data element: Total dollars of court-determined fines, settlements, and/or restitutions; Part A[A]: $8,652,710; Part B[B]: $28,938,678; Durable medical equipment: $7,666,681; Home health and hospice: $33,768,044; Total: $79,026,113. Data element: Number of cases closed; Part A[A]: 53; Part B[B]: 152; Durable medical equipment: 64; Home health and hospice: 22; Total: 291. Administrative actions[I]: Data element: Dollar amount referred for overpayment collection; Part A[A]: $34,095,059; Part B[B]: $40,724,933; Durable medical equipment: $68,620,097; Home health and hospice: $88,111,786; Total: $231,551,875. Data element: Amounts recovered on overpayments[J]; Part A[A]: $7,200,445; Part B[B]: $22,473,168; Durable medical equipment: $13,470,567; Home health and hospice: $13,258,900; Total: $56,403,080. Data element: Number of providers added to prepayment medical review[K]; Part A[A]: 52; Part B[B]: 492; Durable medical equipment: 493; Home health and hospice: 104; Total: 1,141. Data element: Dollar amount of prepayment claims denied; Part A[A]: $24,194,983; Part B[B]: $35,223,594; Durable medical equipment: $33,183,318; Home health and hospice: $7,314,999; Total: $99,916,894. Data element: Number of providers added to postpayment medical review[L]; Part A[A]: 43; Part B[B]: 98; Durable medical equipment: 74; Home health and hospice: 38; Total: 253. Data element: Number of new auto-deny edits recommended for implementation[M]; Part A[A]: 229; Part B[B]: 2,985; Durable medical equipment: 3,916; Home health and hospice: 134; Total: 7,264. Data element: Dollar amount of ZPIC-recommended auto-denials; Part A[A]: $336,161; Part B[B]: $33,713,756; Durable medical equipment: $53,578,849; Home health and hospice: $8,007,063; Total: $95,635,829. Data element: Number of revocations requested[N]; Part A[A]: 8; Part B[B]: 175; Durable medical equipment: 33; Home health and hospice: 10; Total: 226. Data element: Number of revocations implemented; Part A[A]: 5; Part B[B]: 77; Durable medical equipment: 16; Home health and hospice: 4; Total: 102. Data element: Number of deactivations requested[O]; Part A[A]: 3; Part B[B]: 69; Durable medical equipment: 4; Home health and hospice: 3; Total: 79. Data element: Number of deactivations implemented; Part A[A]: 2; Part B[B]: 60; Durable medical equipment: 0; Home health and hospice: 0; Total: 62. Workload: Data element: Number of beneficiary interviews; Part A[A]: 82; Part B[B]: 1,468; Durable medical equipment: 653; Home health and hospice: 1,455; Total: 3,658. Data element: Number of onsites performed; Part A[A]: 84; Part B[B]: 441; Durable medical equipment: 126; Home health and hospice: 126; Total: 777. Data element: Number of claims reviewed prior to payment; Part A[A]: 5,497; Part B[B]: 110,831; Durable medical equipment: 65,462; Home health and hospice: 8,334; Total: 190,124. Data element: Number of claims reviewed after payment; Part A[A]: 5,831; Part B[B]: 9,067; Durable medical equipment: 5,414; Home health and hospice: 12,390; Total: 32,702. Requests for information[P]: Data element: Number of requests received from law enforcement for ZPIC-initiated cases; Part A[A]: 127; Part B[B]: 362; Durable medical equipment: 149; Home health and hospice: 81; Total: 683. Data element: Number of requests received from law enforcement for non- ZPIC initiated cases; Part A[A]: 339; Part B[B]: 935; Durable medical equipment: 221; Home health and hospice: 267; Total: 1,762. Source: GAO analysis of CMS Analysis, Reporting, and Tracking System data. Notes: Medicare fee-for-service consists of Medicare Part A, which covers inpatient hospital care, skilled nursing facility care, some home health care services, and hospice care; and Medicare Part B, which covers physician and outpatient hospital services, diagnostic tests, mental health services, outpatient physical and occupational therapy, ambulance services, prosthetics, orthotics, and supplies. In addition to fee-for-service, there is also Medicare Part C, Medicare Advantage, under which beneficiaries receive benefits through private health plans, and Part D, the outpatient prescription drug benefit. [A] Medicare Part A providers are those providing inpatient hospital care, skilled nursing facility care, some home health care services, and hospice care. [B] Medicare Part B providers are those providing physician and outpatient hospital services, diagnostic tests, mental health services, outpatient physical and occupational therapy, ambulance services, prosthetics, orthotics, and supplies. [C] Reactive sources are notifications of potential fraud submitted to ZPICs. [D] Medicare Administrative Contractors (MAC) process and pay Medicare fee-for-service claims and take various other actions to implement and enforce Medicare coverage rules. MAC Complaint Units examine their contacts with beneficiaries for indications of potential fraud and may forward the contacts to ZPICs for additional scrutiny. [E] Proactive sources are those identified by ZPICS that originate from such sources as data analysis, the Internet, and news media. ZPICs are to maintain at least 3 years of Medicare claims data for analysts to examine for potential fraud using a variety of analytic tools and methods. If analysts identify patterns in the claims data indicating potential fraud, those findings may result in a ZPIC investigation. [F] The Fraud Prevention System (FPS) is an electronic system in which Medicare claims data are compared against models of potentially fraudulent behavior to identify and prioritize for ZPIC investigation certain providers with aberrant billing patterns. Although ZPICs report other sources of investigations by the provider type targeted-- Part A, Part B, durable medical equipment, and home health and hospice--ZPICs only report the total number of investigations resulting from FPS. [G] A ZPIC investigation that is accepted by law enforcement for further exploration and potential prosecution is then referred to as a case. [H] Reasons within the control of the ZPIC are primarily related to the quality of the referral. [I] ZPICs initiate administrative and other actions against Medicare providers or suppliers, coordinating with CMS and MACs to carry out those actions. [J] This amount reflects all amounts recovered, whether resulting from a ZPIC investigation or a law enforcement case. Some overpayment amounts are offset--applied to future payments--rather than collected. [K] ZPICs request provider-specific prepayment edits to identify claims for medical review prior to payment and, on the basis of those reviews, claims may be denied before they are paid. [L] ZPICs request provider records for medical review after the claims have been paid and, based on those reviews, claims may be referred to MACs to recover Medicare payments received by a provider in excess of amounts due and payable. [M] ZPICs request prepayment edits to automatically deny payment for non-covered, incorrectly coded, or inappropriately billed services without further review. These edits analyze claims' attributes and automatically prevent Medicare from paying claims based on suspicious attributes. For example, some edits prevent payment for all services submitted by suspicious providers. Other edits prevent payment for certain types of services for beneficiaries identified as part of a fraud scheme for specific services. [N] ZPICs request revocation of a provider's Medicare billing privileges. [O] ZPICs request deactivation of a provider's National Provider Identifier, stopping other billing privileges. Given ZPICs' role in identifying and investigating potential fraud, we consider deactivations initiated by ZPICs to be administrative actions; however, according to CMS officials, the agency may deactivate providers' National Provider Identifiers for a number of reasons, some of which may not be as a result of an investigation into potential fraud, such as when a provider or supplier is no longer submitting claims to Medicare or did not report certain changes to their enrollment application or respond to a revalidation request. A provider or supplier whose enrollment has been deactivated may have their billing privileges restored by resubmitting an enrollment application with updated information to CMS. [P] ZPICs report requests for information from the Department of Health and Human Services' Office of Inspector General and the Department of Justice. [End of table] [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Kathleen M. King, (202) 512-7114 or kingk@gao.gov: Staff Acknowledgments: In addition to the contact named above, Karen Doran, Assistant Director; Matthew Gever; Elizabeth Morrison; Eden Savino; Kristin Van Wychen; and Jennifer Whitworth made key contributions to this report. [End of section] Footnotes: [1] Medicare is the federal program that helps pay for health care services for individuals age 65 years and older, certain individuals with disabilities, and those with end-stage renal disease. In 1990, we began to report on government operations that we identified as "high risk" for serious weaknesses in areas that involve substantial resources and provide critical services to the public. See GAO, High- Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: Feb. 2011). [2] In fiscal year 2012, Medicare covered more than 50 million individuals at a cost of $545 billion. Fraud involves an intentional act or representation to deceive with the knowledge that the action or representation could result in gain. For example, fraud may involve Medicare providers or suppliers submitting valid-looking claims for services that are not provided. [3] These seven zones cover the entire United States, Puerto Rico, American Samoa, Guam, and the Northern Mariana Islands. [4] HHS OIG, Zone Program Integrity Contractors' Data Issues Hinder Effective Oversight, OEI-03-09-00520 (Washington, D.C.: November 2011). [5] FID contains data related to Medicare fraud and abuse investigations, cases, and payment suspensions by ZPICs. See GAO, Medicare Fraud Prevention: CMS Has Implemented a Predictive Analytics System, but Needs to Define Measures to Determine Its Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-13-104] (Washington, D.C.: Oct. 15, 2012). [6] The CPARS is a web-based application used by the federal government to record certain contractor performance evaluations. [7] Pub. L. No. 104-191, § 202, 110 Stat. 1936, 1996-98 (codified at 42 U.S.C. § 1395ddd). Before 1996, Medicare program integrity activities were subsumed under Medicare's general administrative budget and performed, along with general claims processing functions, by insurance companies under contract with CMS. For more on MIP, see Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-592] (Washington, D.C.: July 29, 2011). [8] An improper payment is any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. [9] Medicare fee-for-service consists of Medicare Part A, which covers inpatient hospital care, skilled nursing facility care, some home health care services, and hospice care; and Medicare Part B, which covers physician and outpatient hospital services, diagnostic tests, mental health services, outpatient physical and occupational therapy, ambulance services, prosthetics, orthotics, and supplies. In addition to fee-for-service, there is also Medicare Part C, Medicare Advantage, under which beneficiaries receive benefits through private health plans, and Part D, the outpatient prescription drug benefit. [10] CMS may renew these contracts beyond the 5 years of performance without competition, if certain conditions are met. 42 U.S.C. § 1395ddd(d); 42 C.F.R. § 421.308. [11] Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599-2604 (2010). [12] For more information on FPS, see [hyperlink, http://www.gao.gov/products/GAO-13-104]. [13] Referrals from FPS are called Alert Summary Records. [14] MACs process and pay Medicare fee-for-service claims and take various other actions to implement and enforce Medicare coverage rules. [15] Medicare supplemental insurers are private companies that offer insurance policies, also known as Medigap, that can help pay for health care costs not covered by Medicare fee-for-service, such as co- insurance for doctor office visits. [16] This money will either be returned to Medicare if the review of the claims determines they should not be paid, or released to the provider if the review determines the claims were legitimate. Although CMS had the authority to impose payment suspensions prior to the Patient Protection and Affordable Care Act, the law specifically authorized the Secretary of HHS to suspend payments to providers pending the investigation of credible allegations of fraud. In implementing this authority, CMS is required to consult with HHS OIG in determining whether a credible allegation of fraud exists. Pub. L. No. 111-148, § 6402(h), 124 Stat. 119, 760 (codified at 42 U.S.C. § 1395y(o)). [17] Vulnerabilities are billing practices or patterns that are or may be associated with significant amounts of improper payments. For more on vulnerabilities, see GAO, Medicare Program Integrity: Greater Prepayment Control Efforts Could Increase Savings and Better Ensure Proper Payment, [hyperlink, http://www.gao.gov/products/GAO-13-102] (Washington, D.C.: Nov. 13, 2012). [18] Edits are instructions that MACs program into claims processing systems to identify and potentially deny claims that do not meet Medicare coverage or payment criteria. For this report, we do not consider such systemwide prepayment edits to be administrative actions since they are not specific to a particular investigation or provider. For more on prepayment edits, see [hyperlink, http://www.gao.gov/products/GAO-13-102]. [19] CMS has identified newly enrolling DME suppliers and home health agencies as at higher risk for fraud than other types of providers. [20] Medicaid is a joint federal-state health care program for certain low-income individuals. [21] In 2012, 19 states were actively participating in Medi-Medi. These were Alabama, Arizona, Arkansas, California, Colorado, Florida, Georgia, Iowa, Mississippi, Missouri, Nebraska, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Texas, and Utah. In April 2013, CMS also received a letter of intent to participate from Michigan. [22] The number of beneficiaries in any one zone ranges from more than 7 million to more than 19 million, and the number of providers in any one zone ranges from 130,000 to 460,000. [23] CMS tracks the results of these reviews in CPARS, a web-based application used by the federal government to record certain contractor evaluations. ZPIC CPARS evaluations consist of six elements: (1) quality of service, (2) schedule (meeting deadlines for responding to certain requests and submitting certain materials), (3) cost control, (4) business relations, (5) management of key personnel, and (6) utilization of small business. CPARS scores are based on a five-point scale: (1) unsatisfactory, (2) marginal, (3) satisfactory, (4) very good, and (5) exceptional. [24] A ZPIC is eligible to earn award fees if it receives scores of satisfactory or higher in four of the six CPARS elements: (1) quality of service, (2) schedule, (3) cost control, and (4) business relations. [25] In 2012, ZPICs released about $5 million to providers based on claims reviews. [26] The CMS FPS First Year Implementation Report estimated that revocations based on FPS investigations saved the Medicare program over $7 million. CMS based this on a "conservative" projection of those providers' existing billing patterns or behaviors; however, the HHS OIG evaluation of this report could not confirm the findings. See HHS OIG, The Department of Health and Human Services Has Implemented Predictive Analytics Technologies but Can Improve Its Reporting on Related Savings and Return on Investment, A-17-12-53000 (Washington, D.C.: September 2012). [27] In 2012, law enforcement declined to accept as cases 33 investigations referred by ZPICs due to lack of resources. No investigations were reportedly declined for any other reason, such as the quality of the ZPIC referral. [28] This is the amount reported to ZPICs by HHS OIG or DOJ for what convicted providers were ordered to pay in 2012. Providers may have been referred to law enforcement prior to 2012 and actual amounts collected may be less due to appeals and collection issues, such as suspect providers that close their businesses or declare bankruptcy. [29] We previously reported that in fiscal year 2011, the federal government won or negotiated approximately $2.4 billion in judgments and settlements related to health care fraud, including Medicare fraud. See GAO, Health Care Fraud: Types of Providers Involved in Medicare, Medicaid, and the Children's Health Insurance Program Cases, [hyperlink, http://www.gao.gov/products/GAO-12-820] (Washington, D.C.: Sept. 7, 2012). [30] Depending on the nature of the misconduct, HHS OIG may be authorized or required to exclude individuals and entities from federally funded health care programs. See 42 U.S.C. §§ 1320a-7, 1320c- 5. HHS OIG maintains the List of Excluded Individuals and Entities. See [hyperlink, http://oig.hhs.gov/exclusions/] (accessed July 18, 2013). In 2012, ZPICs did not refer any providers to HHS OIG for exclusion. [31] See GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1] (Washington, D.C.: Nov. 1, 1999). [32] Critical access hospitals are small rural hospitals that receive payment for their reasonable costs of providing inpatient and outpatient services to Medicare beneficiaries, rather than being paid fixed amounts under Medicare's prospective payment systems. See GAO Medicare: Modest Eligibility Expansion for Critical Access Hospital Program Should Be Considered, [hyperlink, http://www.gao.gov/products/GAO-03-948] (Washington, D.C.: Sept. 19, 2003). [33] [hyperlink, http://www.gao.gov/products/GAO-13-104]. [34] CMS evaluates ZPICs at the end of each of their contract years, so each ZPIC is reviewed on a different schedule. These results are from the most recent available evaluations for periods of performance ending from March 2010 through April 2012. [35] Performance measurement is the ongoing monitoring and reporting of program accomplishments, particularly progress toward pre- established goals, and focuses on whether a program has achieved its objectives, expressed as measurable performance standards. See GAO, Performance Measurement and Evaluation: Definitions and Relationships (Supersedes [hyperlink, http://www.gao.gov/products/GAO-05-739SP]), [hyperlink, http://www.gao.gov/products/GAO-11-646SP] (Washington, D.C.: May 2, 2011), GPRA, and GAO, Managing for Results: Critical Actions for Measuring Performance, [hyperlink, http://www.gao.gov/products/GAO/T-GGD/AIMD-95-187] (Jun. 20, 1995). [36] GPRA is designed to improve the effectiveness of federal programs by establishing a system to set goals for program performance and to measure results. Pub. L. No. 103-62, 107 Stat. 285 (1993), as amended by Pub. L. No. 111-352, 124 Stat. 3866 (2011). [37] This goal also includes fighting fraud and working to eliminate improper payments in other HHS programs not administered by CMS, such as foster care. See HHS, FY 2014 HHS Online Performance Appendix, [hyperlink, http://www.cms.gov/About-CMS/Agency- Information/PerformanceBudget/index.html?redirect=/performancebudget/] (accessed July 8, 2014). [38] The other Medicare fee-for-service performance measure for this goal is to reduce the percentage of improper payments--which include potentially fraudulent payments--made under the Medicare fee-for- service program. CMS's current estimate of the percentage of improper payments is 8.5, and the agency's performance measure is to reduce that to 8.0 in fiscal year 2014. In total, CMS has seven performance measures within the goal of fighting fraud and working to eliminate improper payments, four of which relate to Medicare. See the HHS FY 2014 HHS Online Performance Appendix. [39] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] and GAO, Executive Guide: Effectively Implementing the Government Performance and Results Act, [hyperlink, http://www.gao.gov/products/GAO/GGD-96-118] (Washington, D.C.: June 1, 1996). [40] GAO, Health Care Fraud and Abuse Control Program: Indicators Provide Information on Program Accomplishments, but Assessing Program Effectiveness Is Difficult, [hyperlink, http://www.gao.gov/products/GAO-13-746] (Washington, D.C.: Sept. 30, 2013). [41] See CMS agency comments in HHS OIG, Medicare's Program Safeguard Contractors: Performance Evaluation Reports, OEI-03-04-00050 (Washington, D.C.: March 2006). [42] In November 2011, HHS OIG recommended that CMS utilize and report ZPIC workload statistics from ARTS in ZPIC evaluations. See OEI-03-09- 00520. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E-mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]