This is the accessible text file for GAO report number GAO-11-409T 
entitled 'Medicare and Medicaid Fraud, Waste, and Abuse: Effective 
Implementation of Recent Laws and Agency Actions Could Help Reduce 
Improper Payments' which was released on March 9, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Subcommittee on Federal Financial Management, Government 
Information, Federal Services, and International Security, Committee 
on Homeland Security and Governmental Affairs, U.S. Senate: 

For Release on Delivery: 
Expected at 2:30 p.m. EST: 
Wednesday, March 9, 2011: 

Medicare and Medicaid Fraud, Waste, and Abuse: 

Effective Implementation of Recent Laws and Agency Actions Could Help 
Reduce Improper Payments: 

Statement of Kathleen M. King: 
Director, Health Care: 

Kay L. Daly:
Director, Financial Management and Assurance: 

GAO-11-409T: 

GAO Highlights: 

Highlights of GAO-11-409T, a testimony before the Subcommittee on 
Federal Financial Management, Government Information, Federal 
Services, and International Security, Committee on Homeland Security 
and Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

GAO has designated Medicare and Medicaid as high-risk programs because 
they are particularly vulnerable to fraud, waste, abuse, and improper 
payments (payments that should not have been made or were made in an 
incorrect amount). Medicare is considered high-risk in part because of 
its complexity and susceptibility to improper payments, and Medicaid 
because of concerns about the adequacy of its fiscal oversight to 
prevent inappropriate spending. 

In fiscal year 2010, the Centers for Medicare & Medicaid Services 
(CMS)—-the agency that administers Medicare and Medicaid—-estimated 
that these programs made a total of over $70 billion in improper 
payments. 

This statement focuses on how implementing prior GAO recommendations 
and recent laws, as well as other agency actions, could help CMS carry 
out five key strategies GAO identified in previous reports to help 
reduce fraud, waste, and abuse and improper payments in Medicare and 
Medicaid. It is based on 16 GAO products issued from April 2004 
through June 2010 using a variety of methodologies, such as analyses 
of Medicare or Medicaid claims, review of relevant policies and 
procedures, and interviews with officials. In February 2011, GAO also 
received updated information from CMS on agency actions. 

What GAO Found: 

The amount of improper payments creates urgency for CMS to effectively 
implement prior GAO recommendations, provisions in recently enacted 
laws, and recent guidance related to five key strategies to help 
reduce fraud, waste, abuse, and improper payments in Medicare and 
Medicaid. 

1. Strengthening provider enrollment standards and procedures. 
Strengthening the standards and procedures for provider enrollment can 
help reduce the risk of enrolling entities intent on defrauding the 
program. The Patient Protection and Affordable Care Act as amended 
(PPACA) strengthens aspects of provider enrollment in Medicare and 
Medicaid. CMS is implementing these provisions, which include 
designating providers by levels of risk and providing more stringent 
review of high-risk providers. 

2. Improving prepayment review of claims. Prepayment reviews of claims 
help ensure that Medicare pays correctly the first time. CMS is 
implementing a PPACA provision requiring states to add automated 
prepayment controls in their Medicaid programs. In addition, CMS is 
seeking contractors to apply predictive modeling analysis to claims as 
a way to develop new prepayment controls to add to Medicare; however, 
CMS has not implemented certain GAO recommendations related to 
prepayment review. 

3. Focusing postpayment claims review on most vulnerable areas. 
Postpayment reviews are critical to identifying payment errors and 
recouping overpayments. CMS is instituting recovery audit contractor 
(RAC) programs in Medicare and Medicaid to increase postpayment 
review. However, CMS contractors generally choose their focus for 
claims review, and GAO continues to contend that CMS should make it a 
priority to focus claims administration contractors’ postpayment 
review on the most vulnerable areas. 

4. Improving oversight of contractors. CMS’s oversight of contractors’ 
activities to address fraud, waste, and abuse is critical. CMS has 
taken action to address GAO recommendations to improve oversight of 
prescription drug plan sponsors’ fraud and abuse programs and to 
comply with other contractor oversight provisions in PPACA. 

5. Developing a robust process for addressing identified 
vulnerabilities. Having mechanisms in place to resolve vulnerabilities 
that lead to improper payment is critical, but CMS has not developed a 
robust corrective action process for vulnerabilities identified by 
Medicare RACs, and has not fully implemented GAO recommendations to 
improve it. Further, CMS’s guidance to states on Medicaid RAC programs 
did not include steps to address vulnerabilities through a corrective 
action process. 

Effective implementation of these recommendations, provisions of law, 
and guidance will be a key factor in helping to reduce future improper 
payments. 

View [hyperlink, http://www.gao.gov/products/GAO-11-409T] or key 
components. For more information, contact Kathleen M. King at (202) 
512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-9095 or 
dalykl@gao.gov. 

[End of section] 

Mr. Chairman, Ranking Member, and Members of the Subcommittee: 

I am pleased to be here today to discuss provisions in recent laws and 
agency actions that may help reduce fraud, waste, and abuse[Footnote 
1] in the Medicare and Medicaid programs.[Footnote 2] Fraud, waste, 
and abuse and improper payments put programs at risk. An improper 
payment is any payment that should not have been made or that was made 
in an incorrect amount (including overpayments and underpayments) 
under statutory, contractual, administrative, or other legally 
applicable requirements.[Footnote 3] 

We have designated both Medicare and Medicaid as high-risk programs. 
[Footnote 4] Medicare, a federally financed program, was designated as 
high risk because its complexity and susceptibility to improper 
payments, added to its size, have made it vulnerable to serious 
management challenges. The Centers for Medicare & Medicaid Services 
(CMS)--the agency in the Department of Health and Human Services (HHS) 
that administers Medicare and oversees Medicaid--has estimated 
improper payments for Medicare of almost $48 billion for fiscal year 
2010.[Footnote 5] This estimate does not include improper payments in 
Part D, the Medicare prescription drug benefit, for which the agency 
has not yet estimated a total amount. Medicaid, a federal-state 
program, was designated as high risk in part due to concerns about the 
adequacy of fiscal oversight, which is necessary to prevent 
inappropriate spending. Medicaid also has significant improper 
payments. HHS estimated that the federal share of improper payments in 
the Medicaid program in fiscal year 2010 was $22.5 billion.[Footnote 
6] Since 2004, we have issued 16 products containing strategies we 
have identified for reducing fraud, waste, abuse, and improper 
payments in Medicare and Medicaid. My statement today updates our 
previous work in light of certain provisions affecting Medicare and 
Medicaid in PPACA;[Footnote 7] the Small Business Jobs Act of 2010; 
[Footnote 8] and pertinent agency actions. 

Over the years, the Congress has worked to address fraud, waste, and 
abuse, and improper payments in the Medicare and Medicaid programs. 
Beginning in 1997, the Congress provided funds specifically for 
activities to address fraud, waste, and abuse in federal health care 
programs. In addition, Congress created the Medicare Integrity Program 
to conduct activities designed to reduce fraud, waste, abuse, and 
improper payments in Medicare. The Deficit Reduction Act of 2005 
created the Medicaid Integrity Program and included specific 
appropriations to reduce fraud, waste, and abuse in Medicaid. In 2010, 
PPACA provided further funding for such efforts and set new 
requirements specific to Medicare and Medicaid that are designed to 
address fraud, waste, and abuse. In the same year, the Improper 
Payments Elimination and Recovery Act of 2010 (IPERA) amended the 
Improper Payments Information Act of 2002 and established additional 
governmentwide requirements related to accountability, recovery 
auditing, compliance and noncompliance determinations, and reporting. 
[Footnote 9] However, owing to the size and scope of Medicare and 
Medicaid, reducing improper payments and addressing fraud, waste, and 
abuse in these programs are continuing challenges for CMS--despite 
progress made by the agency that we have recognized since the programs 
were first designated as high risk. 

CMS contractors play an important role in preventing improper payments 
in Medicare. Within Medicare Parts A and B--also known as Medicare fee-
for-service (FFS)[Footnote 10]--CMS contractors process and pay 
approximately 4.5 million claims per work day, enroll providers, 
respond to beneficiary questions, and investigate potential Medicare 
fraud. In addition, in Medicare Advantage (Part C) and the Medicare 
prescription drug benefit (Part D),[Footnote 11] CMS contracts with 
private health plans and drug plan sponsors that administer Medicare 
benefits and in that capacity are responsible for helping to ensure 
Medicare program integrity. 

With more than 50 distinct state-based programs that are partially 
federally financed, Medicaid creates complex challenges for CMS and 
states. CMS is responsible for overseeing the program at the federal 
level, while the states administer their respective programs' 
operations. Within broad federal requirements, each state operates its 
Medicaid program in accordance with a state plan. Differences in 
program design can lead to differences in state programs' 
vulnerabilities to improper payments and state approaches to 
protecting the program. States play a critical role in implementing 
strategies to reduce improper payments and address fraud, waste, and 
abuse. However, CMS also has a critical role in ensuring that adequate 
controls are in place and states' actions to help reduce improper 
payments are effective. Like Medicare, the state Medicaid programs 
also rely on contractors to help manage payments or services, but they 
vary in their use of contractors. 

My testimony today focuses on how implementing recent laws and our 
prior recommendations, as well as other agency actions, could help CMS 
carry out five key strategies we identified in previous reports to 
help reduce fraud, waste, and abuse and improper payments in Medicare 
[Footnote 12] and Medicaid.[Footnote 13] This statement discusses past 
agency actions, actions in progress, and actions that are still needed 
to implement certain recommendations that we continue to consider 
important. The five key strategies, and recommendations designed to 
facilitate them, are taken from the 16 products mentioned above. 
Twelve of these products, which we issued from April 2004 through June 
2010, focused on fraud, waste, abuse, and improper payments in 
Medicare. Because Medicaid faces a similar challenge to reduce its 
improper payments, these Medicare strategies can also be helpful when 
tailored to Medicaid. The other 4 products, which we issued since July 
2004, focused on reducing fraud, waste, abuse, and improper payments 
in Medicaid.[Footnote 14] 

The products on which this statement is based were developed by using 
a variety of methodologies, including analyses of Medicare and 
Medicaid claims, review of relevant policies and procedures, 
interviews with agency officials and other stakeholders, and site 
visits.[Footnote 15] We also received updated information from CMS in 
February 2011 on its actions related to the laws, regulations, 
guidance, and open recommendations that we discuss in this statement. 
Our work was performed in accordance with generally accepted 
government auditing standards. Those standards require that we plan 
and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

Implementation of Our Prior Recommendations and Recent Laws, as Well 
as Other Agency Actions, Could Help CMS Reduce Medicare and Medicaid 
Fraud, Waste, and Abuse: 

The implementation of specific recommendations made in our prior 
reports[Footnote 16] and provisions in PPACA and the Small Business 
Jobs Act of 2010, as well as other agency actions, could help in 
reducing fraud, waste, and abuse in Medicare and Medicaid. In reports 
we have issued from 2004 through 2010, we have identified five key 
strategies as important to reducing Medicare and Medicaid fraud, 
waste, and abuse, and ultimately improper payments:[Footnote 17] 

* strengthening provider enrollment standards and procedures, 

* improving prepayment review of claims, 

* focusing postpayment claims review on the most vulnerable areas and 
adding new recovery audit contractors, 

* improving oversight of contractors, and: 

* developing a robust process for addressing identified 
vulnerabilities.[Footnote 18] 

PPACA has a number of provisions that could also aid CMS in its 
efforts to minimize improper payments, and CMS has issued final rules 
implementing some of these provisions. Furthermore, the Small Business 
Jobs Act of 2010 and the Presidential Memorandum, "Enhancing Payment 
Accuracy through a Do Not Pay List," focus on preventing, reducing, 
and recovering improper payments, which could also help CMS in 
reducing improper payments in Medicare and Medicaid. 

Strengthening Provider Enrollment Procedures for Medicare and Medicaid 
Could Reduce the Risk of Enrolling Providers Intent on Defrauding or 
Abusing the Program: 

Our work on Medicare indicates that strengthening the standards and 
procedures for provider enrollment could help reduce the risk of 
enrolling providers intent on defrauding or abusing the program. 
[Footnote 19] CMS has previously identified two types of providers 
whose services and items are especially vulnerable to improper 
payments--home health agencies (HHA) and suppliers of durable medical 
equipment, prosthetics, orthotics, and supplies (DMEPOS). In our 2009 
report on HHAs, we found problems with the enrollment procedures--for 
example, CMS's contractors were not requiring HHAs to re-submit 
enrollment information (including information about key officials, 
operating capital, and practice location) for re-verification every 5 
years as required by CMS.[Footnote 20] In a 2005 report on DMEPOS 
suppliers, we found that CMS had not taken sufficient steps to prevent 
entities intent on defrauding Medicare from enrolling, and we reported 
that more effective screening and stronger enrollment standards were 
needed to ensure that new suppliers were legitimate businesses. 
[Footnote 21] Partly in response to our recommendation to improve the 
provider enrollment process, CMS took steps to implement new supplier 
quality standards as part of an accreditation rule issued in August 
2006 and proposed new supplier enrollment standards in January 2008. 
Suppliers were required to meet these new accreditation standards in 
2009; however, the new supplier enrollment standards were not 
finalized until August 2010. Prior to the implementation of the new 
supplier enrollment standards, we exposed persisting weaknesses when 
we created two fictitious DMEPOS suppliers, which were subsequently 
enrolled by CMS's contractor and given permission to begin billing 
Medicare.[Footnote 22] As an enrollment requirement, suppliers must, 
upon request, show that they have contracts for obtaining inventory if 
the suppliers do not produce their own inventory. Review would have 
shown that the contracts provided by our fictitious companies had been 
fabricated. 

For Medicaid, states have adopted requirements to check providers' 
backgrounds before enrollment or during re-enrollment; however, these 
enrollment procedures have not been sufficient to protect Medicaid. 
For example, in September 2009, we reported that in five states 
Medicaid paid over $2 million in controlled substance prescriptions 
during fiscal years 2006 and 2007 that were written or filled by 65 
medical practitioners and pharmacies that were barred, excluded, or 
both from federal health care programs, including Medicaid, for such 
offenses as illegally selling controlled substances.[Footnote 23] As a 
result, we recommended that CMS consider issuing guidance to state 
Medicaid programs to provide assurance that their program requirements 
and systems prevent the processing of claims from providers and 
pharmacies that were barred from federal contracts or excluded from 
Medicare and Medicaid. We also recommended that CMS periodically 
identify deaths of Medicaid providers and prevent the approval of 
claims associated with providers who had died. 

Implementation of PPACA provisions related to provider enrollment 
could protect Medicare and Medicaid from making improper payments and 
address some of our previous concerns and recommendations. PPACA 
requires the Secretary, in consultation with the HHS Office of 
Inspector General (OIG), to establish procedures for screening 
providers enrolling in Medicare and Medicaid,[Footnote 24] including 
assessing the risk levels of fraud, waste, and abuse by categories of 
providers. At a minimum, PPACA requires all providers to be subject to 
licensure checks, which may include checks across state lines. 
Depending on the risks presented by the type of provider, CMS may 
require additional screening procedures, such as criminal history 
checks.[Footnote 25] Further, PPACA provides for enhanced oversight 
for specific periods for new providers and of initial claims of DMEPOS 
suppliers. In addition, PPACA directs HHS to promulgate a regulation 
requiring providers to include their National Provider Identifier on 
all Medicare and Medicaid enrollment applications and claims for 
payment. 

On February 2, 2011, CMS and the HHS OIG published a final rule to 
implement these new screening procedures.[Footnote 26] The rule is 
designed to institute a consistent set of enrollment procedures for 
Medicare and Medicaid, but not to abridge CMS's established screening 
authority or diminish the screening that providers currently undergo. 
Therefore, if states have additional Medicaid screening procedures, 
they will be able to maintain them.[Footnote 27] 

For Medicare, CMS designated three levels of risk--high, moderate, and 
limited--with different screening procedures for providers at each 
level. Based in part on our work and that of the HHS OIG and its own 
experience, CMS designated newly enrolling HHAs and DMEPOS suppliers 
as high risk and designated other providers at the lower levels. 
[Footnote 28] Providers in all risk levels are to be screened to 
verify that they meet specific requirements established by Medicare. 
This includes checking providers' licenses, including checks across 
state lines; and checking certain databases, to verify items such as 
Social Security numbers, on a pre-and post-enrollment basis to ensure 
that they continue to meet enrollment criteria.[Footnote 29] Moderate-
and high-risk providers are also subject to unannounced site visits. 
All individuals who own a 5 percent or greater interest in high-risk 
providers are subject to fingerprinting and criminal background 
checks.[Footnote 30] CMS's implementation of fingerprinting and 
criminal history checks would address our 2009 recommendation for CMS 
to assess the feasibility of verifying the criminal history of all key 
HHA officials named on the provider enrollment applications. 

In its discussion of the February 2, 2011 final rule, CMS indicated 
that the agency intended to review the criteria for its screening 
levels on a consistent and ongoing basis and would publish changes if 
the agency decided to update the assignment of screening levels for 
Medicare providers. This may become necessary, because fraud is not 
confined to newly enrolling HHAs and DMEPOS. As more scrutiny is given 
to these two types of providers, the types of providers that CMS is 
classifying as moderate risk, such as physical therapy practices, may 
begin to attract more individuals who are intent on defrauding 
Medicare or Medicaid. In their 2010 annual report on the Health Care 
Fraud and Abuse Control Program, DOJ and HHS reported convictions or 
other legal actions, such as exclusions or civil monetary penalties, 
against several types of Medicare providers other than DMEPOS 
suppliers and HHAs, such as medical clinics and physical therapy 
practices.[Footnote 31] CMS has also established triggers for 
adjustments to an individual provider's risk level. For example, if an 
individual limited-or moderate-risk provider has been excluded from 
Medicare by the HHS OIG, that individual provider would move to the 
high-risk level. 

For Medicaid, one requirement in CMS's February 2011 rule is that 
state Medicaid agencies are to establish categorical levels of risk 
for their providers. For the moderate-and high-risk providers, a state 
Medicaid agency must conduct site visits, and for high-risk providers, 
it must conduct fingerprinting and criminal background checks. 

In addition to enhancing screening procedures, PPACA includes two 
provisions that strengthen other aspects of provider enrollment for 
Medicare and Medicaid. CMS implemented these provisions in its 
February 2011 final rule. First, PPACA allows CMS to declare a 
moratorium on enrollment of new Medicare and Medicaid providers when 
the agency determines such a moratorium to be necessary to prevent or 
combat fraud, waste, and abuse. State Medicaid agencies may also 
authorize such a moratorium. Second, PPACA also requires state 
Medicaid programs to terminate providers that have been terminated 
from Medicare or other state Medicaid programs. 

PPACA also imposes new requirements on Medicare and Medicaid 
providers, including a requirement for establishing compliance 
programs that adhere to standards established by the Secretary in 
consultation with the OIG.[Footnote 32] CMS sought public comment on 
establishing such compliance programs in a proposed rule on September 
23, 2010.[Footnote 33] The agency indicated in explaining its February 
2011 final rule that it intended to conduct further rulemaking on 
compliance program requirements and would advance specific proposals 
in the future. In addition, PPACA imposes specific requirements for 
providers to disclose any current or previous affiliation with a 
provider that has uncollected debt; has been or is subject to a 
payment suspension under a federal health care program; has been 
excluded from participation under Medicare, Medicaid, or CHIP; or has 
had its billing privileges denied or revoked. The law allows CMS to 
deny enrollment to any such provider whose previous affiliations pose 
an undue risk. In February 2011, CMS told us that it was drafting a 
proposed rule to implement this authority. Further, providers that 
order home health services must have a face-to-face encounter with the 
beneficiary before the services can be ordered. CMS issued a final 
rule regarding this requirement in November 2010.[Footnote 34] 
Finally, providers that order DMEPOS or home health services for 
beneficiaries will have to be enrolled in Medicare or Medicaid and 
maintain documentation on the services or items ordered, and the 
claims for these services and items must contain their National 
Provider Identifier number. 

Before PPACA, CMS had taken other steps over the past 3 years 
regarding the legitimacy of providers, and PPACA has provisions that 
are consistent with some of these steps. First, the agency implemented 
a statutory requirement for DMEPOS suppliers to post a surety bond to 
help Medicare recoup erroneous payments that result from fraudulent or 
abusive billing practices.[Footnote 35] PPACA extended CMS's authority 
to impose surety bonds consistent with billing volume to all Medicare 
providers.[Footnote 36] Second, as directed by law, CMS required that 
all DMEPOS suppliers be accredited by a CMS-approved accrediting 
organization to ensure that they meet minimum standards. In June 2010, 
CMS told us that approximately 9,000 DMEPOS suppliers were dis-
enrolled as result of these surety bond and accreditation 
requirements. Third, CMS began to implement a Medicare competitive 
bidding program for durable medical equipment and supplies with prices 
that took effect in January 2011 from the first round of bidding. This 
program could also help reduce fraud, waste, and abuse because it 
requires CMS to select DMEPOS suppliers based in part on new scrutiny 
of their financial documents and other application materials, among 
other things. The program took effect initially in nine metropolitan 
areas. PPACA built upon some of these efforts. It required CMS to 
speed up implementation of the competitive bidding program, expanding 
the number of areas to be included in the second round of bidding from 
70 to 91 by the end of 2011. 

Improving Prepayment Review of Claims Could Prevent Improper Payments 
from Being Made: 

Our work on Medicare has shown that prepayment reviews of claims are 
essential to help ensure that Medicare pays correctly the first time. 
Conducting these reviews is challenging due to the volume of claims. 
Overall, less than 1 percent of Medicare's claims are subject to a 
medical record review by trained contractor personnel. Therefore, 
having robust automated payment controls--called edits--in place that 
can deny inappropriate claims or flag them for further review is 
critical. However, we have found weaknesses in these prepayment 
controls. For example, in 2007, we found that contractors responsible 
for reviewing DMEPOS claims did not have automated prepayment controls 
in place to identify questionable claims, such as those associated 
with atypically rapid increases in billing or for items unlikely to be 
prescribed in the normal course of medical care.[Footnote 37] Lack of 
such prepayment controls has resulted in losses to Medicare.[Footnote 
38] As a result, we recommended in 2007 that CMS require its 
contractors to develop thresholds for unexplained increases in billing 
and use them to develop automated prepayment controls. Although CMS 
has not implemented that recommendation specifically, it has added 
edits to flag claims for services unlikely to be provided in the 
normal course of medical care. Additional prepayment controls, such as 
those based on thresholds for unexplained increases in billing, could 
further enhance CMS's ability to identify improper claims before they 
are paid. 

PPACA requires state Medicaid agencies to add some specific prepayment 
edits. Beginning with claims submitted on October 1, 2010, PPACA 
requires states to incorporate into their Medicaid Management 
Information System compatible National Correct Coding Initiative 
(NCCI) methodologies in order to promote correct coding and to control 
improper coding leading to inappropriate payment.[Footnote 39] These 
methodologies are in use in the Medicare program for edits related to 
certain practitioner services, ambulatory surgical center services, 
outpatient hospital services, and supplier claims for durable medical 
equipment. For example, NCCI edits can detect claims with duplicate 
services delivered to the same beneficiary on the same date of 
service, such as more than one excision of a gallbladder for the same 
beneficiary. CMS provided guidance on how to implement this 
requirement through a state Medicaid directors' letter issued on 
September 1, 2010. 

The Small Business Jobs Act of 2010 also has a provision regarding 
claims review to prevent improper payments. It requires CMS to use 
predictive modeling and other analytic techniques--known as predictive 
analytic technologies--both to identify and to prevent improper 
payments under the Medicare FFS program.[Footnote 40] The law requires 
these predictive analytic technologies to be used to analyze and 
identify Medicare provider networks, billing patterns, and beneficiary 
utilization patterns and detect those that represent a high risk of 
fraudulent activity. Through such analysis, unusual or suspicious 
patterns or abnormalities could be identified that could be used to 
prioritize additional review of suspicious transactions before payment 
is made. CMS published a solicitation in December 2010 for these 
technologies and a case management system to track findings. The law 
requires that the solicitation require contractors that are selected 
to begin using these technologies on July 1, 2011, in the 10 states 
identified by CMS as having the highest risk of waste, fraud, or abuse 
in Medicare FFS payments. After the initial year, based on the results 
of the predictive analytic technologies, their use will be expanded to 
other states. Based on the results after year 3, the technologies are 
to be expanded to Medicaid. In September 2010, CMS indicated that it 
was conducting pilots to test the ability of the technologies to 
identify potential fraud in paid claims. Agency officials told us that 
the experience from the pilot projects helped them develop the 
solicitation. CMS reported that it planned to incorporate the 
technologies for prepayment review after testing them through 
postpayment review to ensure that the new technologies work as 
intended and do not disrupt claims from legitimate providers or 
diminish access to care for legitimate beneficiaries. 

In addition, a June 2010 Presidential Memorandum directed agencies to 
check certain databases--known as the "Do Not Pay List"--before making 
payments, to ensure that payments did not go to individuals who were 
dead or excluded from receiving federal payments or to entities that 
had been excluded from receiving federal payments. CMS officials 
stated that, in response to the Presidential Memorandum, the agency 
reviewed the databases that it and its Medicare contractors were using 
to determine payment eligibility for providers and took action to 
ensure that the agency's method of ensuring payment eligibility was 
consistent with the intent of the "Do Not Pay List". Specifically, CMS 
told us that it is currently reviewing the following databases: (1) 
the Social Security Administration's (SSA) Death Master File, (2) HHS 
OIG's Exclusions Database, (3) the Federal Payment Levy Program 
(FPLP), (4) the Treasury Offset Program, and (5) General Services 
Administration's Excluded Parties List System (EPLS).[Footnote 41] CMS 
reported that it uses information from these databases to update its 
provider enrollment system. Specifically, provider enrollment 
information is checked monthly against the Medicare Exclusion 
Database, which contains information from the HHS OIG's Exclusions 
Database, the GSA's EPLS, and the SSA's Death Master File to update 
providers' enrollment status. Agency officials told us that CMS's 
contractors integrate updated provider enrollment information into 
CMS's payment system. Specifically, changes in CMS's provider 
enrollment system are downloaded nightly to the CMS contractors that 
pay claims.[Footnote 42] Claims are then run through prepayment edits 
to check that providers are active and eligible for payment. With 
regard to Medicaid, CMS officials said that the state programs use 
some of these data sets, such as SSA's Death Master File, but that the 
states' abilities to complete checks consistent with the Presidential 
Memorandum would depend on whether they could obtain access to other 
databases, such as the FPLP, which has information on federal tax 
debt. The CMS officials added that they have encouraged states to 
review the databases available to them prior to making payments. 

Focusing Postpayment Claims Review on the Most Vulnerable Areas and 
Adding New Recovery Audit Contractors Could Increase Identification of 
Improper Payments: 

We have found that postpayment reviews are critical to identifying 
payment errors to recoup overpayments in Medicare and that there are 
steps that could strengthen postpayment review. These steps involve 
focusing postpayment claims review on the most vulnerable areas and 
increasing the amount of postpayment review by using recovery audit 
contractors (RAC) for the Medicare and Medicaid programs. 

CMS's claims administration contractors conduct limited postpayment 
reviews; therefore, it is important that they target their postpayment 
review resources on providers with a demonstrated high risk of 
improper payments.[Footnote 43] For example, in 2009 we recommended 
that postpayment reviews be conducted on claims submitted by HHAs with 
high rates of improper billing identified through prepayment review. 
[Footnote 44] To date, CMS has not implemented this recommendation; 
however, in February 2011 CMS told us that its contractors are 
developing medical review strategies that may include postpayment 
reviews on HHAs. We continue to believe that focusing postpayment 
claims review on the most vulnerable areas should be a priority. 

Cross-checking claims for home health services with the physicians who 
prescribed them can be a further safeguard against fraud, waste, and 
abuse, but, as we reported in 2009, this is not routinely done. 
[Footnote 45] For example, a physician must certify that a beneficiary 
needs home health services before services can be provided, but CMS 
does not routinely provide physicians with information that would 
enable a physician to determine whether an HHA was billing for 
services that the physician had not authorized or services that the 
physician would not consider necessary for the beneficiary's care. We 
recommended that CMS require that physicians receive a statement of 
services beneficiaries received based on the physicians' 
certification, but to date, the agency has not taken action. Taking 
such action also could be beneficial for other services and items 
susceptible to fraud and abuse that are not billed directly by 
physicians, such as DMEPOS. In February 2011, CMS indicated that it 
did not plan to implement this recommendation because agency officials 
thought that it would involve extensive resources to do so. 

Prior to PPACA, CMS had efforts focusing on postpayment review of 
claims, most recently its new national RAC program, which began in 
March 2009, after completion of a 3-year demonstration program in 
2008.[Footnote 46] The national program is designed to help the agency 
supplement the postpayment reviews conducted by contractors other than 
RACs. The RACs review Part A and B claims after payment, but because 
RACs are paid a contingent fee based on the dollar value of the 
improper payments identified, they have focused on claims from 
inpatient hospital stays, which are generally more costly services. We 
pointed out to CMS in our previous work that other contractors' 
postpayment review activities could be more valuable if CMS directed 
these contractors to focus on items and services where RACs are not 
expected to focus their reviews, and where improper payments are known 
to be high, such as home health services claims.[Footnote 47] 

PPACA expands Medicare's RAC program to Parts C and D. CMS published a 
request for comments on the development of Parts C and D RACs in 
December 2010. CMS awarded a Part D RAC task order for a 1-year base 
period that began January 2011 and 4 option years. 

PPACA also requires state Medicaid programs to establish contracts, 
consistent with state law and similar to the contracts established for 
the Medicare RAC program, with one or more RACs. These state RACs are 
to identify underpayments and identify and recoup overpayments made 
for services provided by state Medicaid programs. In November 2010, 
CMS issued a proposed rule and guidance to states on establishing a 
Medicaid Recovery Audit Contractor program. CMS's proposed rule 
covered issues such as contingency fees and establishing a process for 
provider appeals of RAC determinations. States can ask CMS for an 
exception to the Medicaid RAC requirements. CMS officials told us that 
as of February 2011, 55 state Medicaid agencies have submitted their 
plans for addressing the Medicaid RAC PPACA provision, and 14 states 
have asked for exceptions in part or in whole. CMS plans to make 
public its decisions on any exceptions granted. 

Improving Oversight of Contractors Could Help Ensure That Safeguard 
Activities Are Conducted: 

Overseeing the activities of contractors that provide services to 
Medicare beneficiaries is critical to addressing fraud, waste, and 
abuse and preventing improper payments. Over the years, we found areas 
where CMS's oversight had been insufficient to ensure that required 
program control activities were conducted and working well. For 
example, all Part D drug plan sponsors are required to have programs 
to detect, correct, and prevent fraud, waste, and abuse--also referred 
to as fraud and abuse programs. CMS is responsible for ensuring that 
sponsors are in compliance with this requirement; however, in 2008 we 
found that CMS's oversight of these programs had been limited. 
[Footnote 48] We recommended that CMS conduct timely audits of 
sponsors' fraud and abuse programs. CMS agreed with this 
recommendation, and in March 2010 we reported that CMS had completed 
desk audits of selected sponsors' programs and was beginning to 
implement an expanded oversight strategy, including on-site audits to 
assess the effectiveness of these programs more thoroughly.[Footnote 
49] In November 2010, CMS officials reported that the agency had 
conducted on-site audits of 33 of the 290 sponsors in 2010, which 
covered 62 percent of the enrolled beneficiaries in 2010. As a result 
of the on-site audits, CMS had taken formal enforcement actions 
against several sponsors. In addition, CMS published a final rule in 
April 2010 to increase its oversight efforts and ensure that sponsors 
have effective programs in place.[Footnote 50] 

PPACA included new requirements for CMS to evaluate contractors 
receiving Medicare Integrity Program and Medicaid Integrity Program 
funding every 3 years. In addition, PPACA requires these contractors 
to provide performance statistics to HHS and OIG upon request. These 
statistics may include the number and amount of overpayments 
recovered, the number of fraud referrals, and the return on investment 
of such activities. In February 2011, CMS officials told us that they 
are taking action to implement these requirements for Medicare and 
Medicaid. For Medicare, CMS reported that it is currently tracking 
performance statistics and is adding to and refining these statistics. 
CMS is also currently developing the specific performance statistics 
for its Part D integrity contractors and expects to finalize these 
statistics this year. For Medicaid, CMS also reported that it is 
requiring states to track performance statistics and anticipates 
finalizing the specific performance statistics to be tracked by March 
2011. 

Developing a Robust Process for Addressing Identified Vulnerabilities 
Could Help Reduce Improper Payments: 

Having mechanisms in place to resolve vulnerabilities that lead to 
improper payment is critical to effective program management, but our 
work has shown that CMS has not developed a robust process to 
specifically address identified vulnerabilities that lead to improper 
payments in Medicare. We have reported that an agency should have 
policies and procedures to ensure that (1) the findings of all audits 
and reviews are promptly evaluated, (2) decisions are made about the 
appropriate response to these findings, and (3) actions are taken to 
correct or resolve the issues promptly.[Footnote 51] We have also 
stressed the importance of holding individuals accountable for 
achieving agency objectives. 

As we reported in March 2010, CMS did not establish an adequate 
process during its recovery audit contracting demonstration or in 
planning for the national program to ensure prompt resolution of 
identified improper payment vulnerabilities in Medicare.[Footnote 52] 
During the demonstration, CMS did not assign responsibility to agency 
officials or contractors for taking corrective action. According to 
CMS officials, the agency took corrective action only for 
vulnerabilities with national implications, and let the contractors 
that processed and paid claims decide whether to take action for 
vulnerabilities that might occur only in certain geographic areas. 
Additionally, during the demonstration CMS did not specify in a plan 
what type of corrective action was required or establish a time frame 
for corrective action. The documented lack of assigned 
responsibilities impeded CMS's efforts to promptly resolve the 
vulnerabilities identified during the demonstration. 

For the national Medicare RAC program, although CMS established a 
corrective action team to compile, review, and categorize identified 
vulnerabilities and discuss corrective action recommendations, the 
corrective action process is still incomplete. CMS appointed the 
Director of the Office of Financial Management to be responsible for 
the day-to-day operations of the program, and the CMS Administrator to 
be responsible for vulnerabilities that span agency components. 
However, the corrective action process still does not include any 
steps to either assess the effectiveness of the corrective actions 
taken or adjust them as necessary based on the results of the 
assessments. Further, the agency has not developed time frames for 
implementing corrective actions. 

Because of these weaknesses, we recommended that CMS develop and 
implement a corrective action process that includes policies and 
procedures to ensure that the agency promptly (1) evaluates findings 
of RAC audits, (2) decides on the appropriate response and a time 
frame for taking action based on established criteria, and (3) acts to 
correct the vulnerabilities identified.[Footnote 53] CMS concurred 
with this recommendation. Agency officials said they intended to 
review vulnerabilities on a case-by-case basis and were considering 
assigning them to risk categories to help prioritize their actions. 
However, to date, this recommendation has not been implemented. In 
February 2011, CMS reported that the agency is still working to 
address the vulnerabilities identified during the demonstration 
program. Specific to corrective actions, CMS told us that it now 
requires its contractors to consider and evaluate vulnerabilities 
identified by various entities, including the RACs. 

For the Medicaid RAC program, CMS's proposed rule for state Medicaid 
programs does not include any steps to collect information on 
vulnerabilities to improper payment and develop a corrective action 
process to address them. Lessons learned from the Medicare RAC program 
indicate that collecting information on vulnerabilities and having an 
adequate corrective action process are important to address 
vulnerabilities. In turn, this suggests that having Medicaid RACs 
report to state Medicaid agencies and CMS on the vulnerabilities they 
identify and having a corrective action process to address those 
vulnerabilities would be important to reduce Medicaid improper 
payments. State Medicaid agencies are required to have a corrective 
action process as part of their activities to reduce their Medicaid 
error rates. Information from the Medicaid RAC program could be 
incorporated into these processes. Although its guidance was silent on 
this issue, in February 2011, CMS told us that state Medicaid programs 
will be responsible for addressing RAC-identified vulnerabilities and 
that it will monitor and assist states in implementing corrective 
actions. 

Concluding Observations: 

The amount of improper payments in the Medicare and Medicaid programs 
creates urgency for CMS to act decisively to reduce them. Identifying 
the nature, extent, and underlying causes of improper payments is an 
essential prerequisite to reducing them, as is implementing our prior 
recommendation to develop an adequate corrective action process to 
address vulnerabilities. CMS could also take other actions to help 
better address the issue of fraud, waste, abuse, and improper payments 
in the Medicare and Medicaid programs. For Medicare, these include (1) 
developing thresholds for unexplained increases in billing and using 
them to develop automated prepayment controls, (2) conducting 
postpayment reviews on claims submitted by HHAs with high rates of 
improper billing identified through prepayment review, (3) cross- 
checking claims for home health services with the physicians who 
prescribed them, and (4) focusing claims administration contractors' 
postpayment reviews on items and services where RACs are not expected 
to focus their reviews, and where improper payments are known to be 
high. For Medicaid, other actions include ensuring that states develop 
adequate corrective action processes to address vulnerabilities to 
improper Medicaid payments to providers and issuing guidance to states 
to better prevent payment of improper claims for controlled substances. 

As it implements PPACA provisions concerning Medicare and Medicaid, 
CMS has an opportunity to address fraud, waste, abuse, and improper 
payments in the two programs. CMS has made progress in rulemaking and 
issuing guidance to implement this law, the Small Business Jobs Act, 
and the "Do Not Pay List" memorandum. CMS's implementation efforts are 
in process, so it is too early to gauge their effects. As these 
requirements become part of Medicare and Medicaid operations, 
additional evaluation and oversight will help determine whether they 
are implemented as intended and have the desired effect on better 
ensuring proper payment. As the implementation process proceeds, we 
are continuing to monitor these issues. Notably, we are beginning new 
work to assess CMS's efforts to strengthen the standards and 
procedures for Medicare provider enrollment to reduce the risk of 
enrolling providers that are intent on defrauding or abusing the 
program. We also plan to examine the effectiveness of different types 
of prepayment edits in Medicare and of CMS's oversight of its 
contractors in implementing those edits to help ensure that Medicare 
pays claims correctly the first time. The level of importance placed 
on effectively implementing our recommendations and the requirements 
established by recent laws and guidance will be a key factor in 
reducing improper payments in the Medicare and Medicaid programs and 
ensuring that federal funds are used efficiently and for their 
intended purposes. 

Mr. Chairman, this concludes my prepared statement. I would be happy 
to answer any questions you or other members of the subcommittee may 
have. 

Contacts and Acknowledgments: 

For further information about this statement, please contact Kathleen 
M. King at (202) 512-7114 or kingk@gao.gov or Kay L. Daly at (202) 512-
9095 or DalyKL@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this statement. Sheila K. Avruch and Sabrina Springfield, 
Assistant Directors; Jennel Harvey; Jawaria Gilani; Shannon Legeer; 
Chelsea Lounsbury; Roseanne Price; Lisa Rogers; and Jennifer Whitworth 
were key contributors to this statement. 

[End of section] 

Appendix I: Abbreviations: 

CHIP: Children's Health Insurance Plan: 

CMS: Centers for Medicare & Medicaid Services: 

DMEPOS: durable medical equipment, prosthetics, orthotics, and 
supplies: 

EPLS: General Services Administration's Excluded Parties List System: 

FFS: Medicare fee-for-service: 

FPLP: Federal Payment Levy Program: 

HCERA: Health Care and Education Reconciliation Act of 2010: 

HHA: home health agencies: 

HHS: Department of Health and Human Services: 

NCCI: National Correct Coding Initiative: 

OIG: Office of the Inspector General: 

PPACA: Patient Protection and Affordable Care Act: 

RAC: Recovery Audit Contractor: 

SSA: Social Security Administration: 

[End of section] 

Appendix II: Open Recommendations: 

Durable Medical Equipment, Prosthetics, Orthotics, and Supplies 
(DMEPOS): 

GAO report title and number: Medicare: Improvements Needed to Address 
Improper Payments for Medical Equipment and Supplies, GAO-07-59; 
GAO recommendation: 1. The Administrator of CMS should require the 
Program Safeguard Contractors to develop thresholds for unexplained 
increases in billing--and use them to develop automated prepayment 
controls as one component of their manual medical review strategies; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has not implemented our recommendation specifically, but has added 
edits to flag claims for services that were unlikely to be provided in 
the normal course of medical care. CMS told us they are in the process 
of awarding contracts to implement advanced fraud detection and some 
contract awardees may have the ability to include increases in billing 
as part of those fraud detection efforts. 

Home Health Agencies (HHA): 

GAO report title and number: Medicare: Improvements Needed to Address 
Improper Payments in Home Health, GAO-09-185; 
GAO recommendation: 2. To strengthen the controls on improper payments 
in the Medicare home health benefit, the Administrator of CMS should 
assess the feasibility of verifying the criminal history of all key 
officials named on an HHA enrollment application; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
The Patient Protection and Affordable Care Act requires CMS to 
establish additional screening procedures for providers enrolling in 
Medicare and Medicaid. CMS has published a final rule that subjects 
high-risk providers in Medicare to fingerprinting and criminal 
background checks. Implementation of these efforts would address our 
recommendation. 

GAO report title and number: Medicare: Improvements Needed to Address 
Improper Payments in Home Health, GAO-09-185; 
GAO recommendation: 3. To strengthen the controls on improper payments 
in the Medicare home health benefit, the Administrator of CMS should 
give physicians whose identification number was used to certify or 
recertify a plan of care a statement of services the HHA provided to 
that beneficiary based on the physician's certification; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has no plans to implement this recommendation. The agency 
indicated that doing so would require extensive resources and funding. 

GAO report title and number: Medicare: Improvements Needed to Address 
Improper Payments in Home Health, GAO-09-185; 
GAO recommendation: 4. To strengthen the controls on improper payments 
in the Medicare home health benefit, the Administrator of CMS should 
direct CMS contractors to conduct postpayment medical reviews on 
claims submitted by HHAs with high rates of improper billing 
identified through prepayment review; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has not implemented this recommendation, but CMS reported that its 
contractors are developing medical review strategies that may include 
postpayment reviews on HHA claims. We believe there is an opportunity 
to further strengthen controls on improper payments if CMS were to 
direct its contractors to specifically conduct postpayment medical 
reviews on claims submitted with high rates of billing identified 
through prepayment review. 

GAO report title and number: Medicare: Improvements Needed to Address 
Improper Payments in Home Health, GAO-09-185; 
GAO recommendation: 5. To strengthen the controls on improper payments 
in the Medicare home health benefit, the Administrator of CMS should 
amend current regulations to expand the types of improper billing 
practices that are grounds for revocation of billing privileges. 
Grounds for revocation could include a pattern of submitting claims 
that are falsified, for persons who do not meet Medicare's coverage 
criteria, or are for services that are not medically necessary; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has not implemented this recommendation. 

Controlled Substances: 

GAO report title and number: Medicaid: Fraud and Abuse Related to 
Controlled Substances Identified in Selected States, GAO-09-957; 
GAO recommendation: 6. To establish an effective fraud prevention 
system for the Medicaid program, the Administrator of CMS should 
evaluate our findings and consider issuing guidance to the state 
programs to provide assurance that claims processing systems prevent 
the processing of claims from providers and pharmacies debarred from 
federal contracts (i.e., on the Excluded Parties List System (EPLS)), 
excluded from the Medicare and Medicaid programs (i.e., on the List of 
Excluded Individuals/Entities (LEIE)), or both; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS told us it has taken various steps to implement this 
recommendation. It issued guidance to state Medicaid directors 
regarding the frequency with which states should check for excluded 
parties and directing them to provide guidance to enrolled providers 
and managed care organizations regarding checking for excluded 
employers, contractors, agents, etc. CMS also conducts triennial 
comprehensive program integrity reviews of states, in which they 
examine a sample of providers to determine if they contained excluded 
individuals. 

GAO report title and number: Medicaid: Fraud and Abuse Related to 
Controlled Substances Identified in Selected States, GAO-09-957; 
GAO recommendation: 7. To establish an effective fraud prevention 
system for the Medicaid program, the Administrator of CMS should 
evaluate our findings and consider issuing guidance to the state 
programs to provide assurance that Drug Utilization Review and 
restricted recipient program requirements adequately identify and 
prevent doctor shopping and other abuses of controlled substances; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has taken some steps to address this recommendation. Beginning in 
fiscal year 2011, as part of the triennial comprehensive program 
integrity reviews, CMS staff reviewed states' recipient restriction 
programs. CMS also made efforts to educate providers, beneficiaries, 
and others on related payment integrity and quality assurance issues. 

GAO report title and number: Medicaid: Fraud and Abuse Related to 
Controlled Substances Identified in Selected States, GAO-09-957; 
GAO recommendation: 8. To establish an effective fraud prevention 
system for the Medicaid program, the Administrator of CMS should 
evaluate our findings and consider issuing guidance to the state 
programs to provide assurance that effective claims processing systems 
are in place to periodically identify both duplicate enrollments and 
deaths of Medicaid beneficiaries and to prevent the approval of claims 
when appropriate; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has begun to take steps to address aspects of this recommendation. 
The agency is in the process of working with states to validate their 
processes to prevent the approval of claims for deceased Medicaid 
beneficiaries. 

GAO report title and number: Medicaid: Fraud and Abuse Related to 
Controlled Substances Identified in Selected States, GAO-09-957; 
GAO recommendation: 9. To establish an effective fraud prevention 
system for the Medicaid program, the Administrator of CMS should 
evaluate our findings and consider issuing guidance to the state 
programs to provide assurance that effective claims processing systems 
are in place to periodically identify deaths of Medicaid providers and 
prevent the approval of claims when appropriate; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
CMS has taken some steps to improve how deceased provider information 
is incorporated into claims processing in the Medicaid program. 
Specifically, CMS told us that it is currently implementing steps to 
access Medicare's provider enrollment system, which is updated monthly 
to reflect excluded and deceased providers, in order to inform 
Medicaid's provider data. 

Recovery Audit Contracting: 

GAO report title and number: Medicare Recovery Audit Contracting: 
Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, 
Although Improvements Made to Contractor Oversight, GAO-10-143; 
GAO recommendation: 10. To help reduce future improper payments, the 
Administrator of CMS should develop and implement a process that 
includes policies and procedures to ensure that the agency promptly: 
(1) evaluates findings of recovery audit contractors (RAC) audits, (2) 
decides on the appropriate response and a time frame for taking action 
based on established criteria, and (3) acts to correct the 
vulnerabilities identified; 
Centers for Medicare & Medicaid Services (CMS) implementation status: 
Although CMS has not implemented our recommendation specifically, it 
has taken some steps to address vulnerabilities identified by the RAC 
demonstration program. For example, CMS has developed provider-
specific reports related to the demonstration program and established 
a team to facilitate the corrective action process. In addition, CMS 
told us that it now requires its contractors to consider and evaluate 
vulnerabilities identified by various entities, including the RACs. 

Source: GAO and GAO analysis of CMS information. 

[End of table] 

[End of section] 

Related GAO Products: 

Medicare Fraud, Waste, and Abuse: Challenges and Strategies for 
Preventing Improper Payments. [hyperlink, 
http://www.gao.gov/products/GAO-10-844T]. Washington, D.C.: June 15, 
2010. 

Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing 
Vulnerabilities to Improper Payments, Although Improvements Made to 
Contractor Oversight. [hyperlink, 
http://www.gao.gov/products/GAO-10-143]. Washington, D.C.: March 31, 
2010. 

Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and Abuse 
Programs Has Been Limited, but CMS Plans Oversight Expansion. 
[hyperlink, http://www.gao.gov/products/GAO-10-481T]. Washington, 
D.C.: March 3, 2010. 

Medicare: CMS Working to Address Problems from Round 1 of the Durable 
Medical Equipment Competitive Bidding Program. [hyperlink, 
http://www.gao.gov/products/GAO-10-27]. Washington, D.C.: November 6, 
2009. 

Medicaid: Fraud and Abuse Related to Controlled Substances Identified 
in Selected States. [hyperlink, 
http://www.gao.gov/products/GAO-09-957]. Washington, D.C.: September 
9, 2009. 

Improper Payments: Progress Made but Challenges Remain in Estimating 
and Reducing Improper Payments. [hyperlink, 
http://www.gao.gov/products/GAO-09-628T]. Washington, D.C.: April 22, 
2009. 

Medicare: Improvements Needed to Address Improper Payments in Home 
Health. [hyperlink, http://www.gao.gov/products/GAO-09-185]. 
Washington, D.C.: February 27, 2009. 

Medicare Part D: Some Plan Sponsors Have Not Completely Implemented 
Fraud and Abuse Programs, and CMS Oversight Has Been Limited. 
[hyperlink, http://www.gao.gov/products/GAO-08-760]. Washington, D.C.: 
July 21, 2008. 

Medicare: Covert Testing Exposes Weaknesses in the Durable Medical 
Equipment Supplier Screening Process. [hyperlink, 
http://www.gao.gov/products/GAO-08-955]. Washington, D.C.: July 3, 
2008. 

Medicare: Competitive Bidding for Medical Equipment and Supplies Could 
Reduce Program Payments, but Adequate Oversight Is Critical. 
[hyperlink, http://www.gao.gov/products/GAO-08-767T]. Washington, 
D.C.: May 6, 2008. 

Improper Payments: Status of Agencies' Efforts to Address Improper 
Payment and Recovery Auditing Requirements. [hyperlink, 
http://www.gao.gov/products/GAO-08-438T]. Washington, D.C.: January 
31, 2008. 

Improper Payments: Federal Executive Branch Agencies' Fiscal Year 2007 
Improper Payment Estimate Reporting. [hyperlink, 
http://www.gao.gov/products/GAO-08-377R]. Washington, D.C.: January 
23, 2008. 

Medicare: Improvements Needed to Address Improper Payments for Medical 
Equipment and Supplies. [hyperlink, 
http://www.gao.gov/products/GAO-07-59]. Washington, D.C.: January 31, 
2007. 

Medicaid Financial Management: Steps Taken to Improve Federal 
Oversight but Other Actions Needed to Sustain Efforts. [hyperlink, 
http://www.gao.gov/products/GAO-06-705]. Washington, D.C.: June 22, 
2006. 

Medicare: More Effective Screening and Stronger Enrollment Standards 
Needed for Medical Equipment Suppliers. [hyperlink, 
http://www.gao.gov/products/GAO-05-656]. Washington, D.C.: September 
22, 2005. 

Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard 
Program Dollars Is Limited. [hyperlink, 
http://www.gao.gov/products/GAO-05-855T]. Washington, D.C.: June 28, 
2005. 

Medicare: CMS's Program Safeguards Did Not Deter Growth in Spending 
for Power Wheelchairs. [hyperlink, 
http://www.gao.gov/products/GAO-05-43]. Washington, D.C.: November 17, 
2004. 

Medicaid Program Integrity: State and Federal Efforts to Prevent and 
Detect Improper Payments. [hyperlink, 
http://www.gao.gov/products/GAO-04-707]. Washington, D.C.: July 16, 
2004. 

Medicare: CMS Did Not Control Rising Power Wheelchair Spending. 
[hyperlink, http://www.gao.gov/products/GAO-04-716T]. Washington, 
D.C.: April 28, 2004. 

[End of section] 

Footnotes: 

[1] Fraud represents intentional acts of deception with knowledge that 
the action or representation could result in an inappropriate gain. 
Waste includes inaccurate payments for services, such as unintentional 
duplicate payments. Abuse represents actions inconsistent with 
acceptable business or medical practices. 

[2] Medicare is the federally financed health insurance program for 
persons age 65 or over, certain individuals with disabilities, and 
individuals with end-stage renal disease. Medicaid is the federal-
state program that covers acute health care, long-term care, and other 
services for low-income people and consists of more than 50 distinct 
state-based programs. In fiscal year 2009, Medicaid covered about 65 
million people. The federal government matches states' expenditures 
for most Medicaid services using a statutory formula based on each 
state's per capita income. 

[3] This definition includes any payment to an ineligible recipient, 
any payment for an ineligible good or service, any duplicate payment, 
any payment for a good or service not received (except where 
authorized by law), and any payment that does not account for credit 
for applicable discounts. Pub. L. No. 111-204, § 2(e), 124 Stat. 2224, 
2227 (2010) (codified at 31 U.S.C. § 3321 note). 

[4] In 1990, we began to report on government operations that we 
identified as "high risk" for serious weaknesses in areas that involve 
substantial resources and provide critical services to the public. See 
GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 
2011). [hyperlink, 
http://www.gao.gov/highrisk/risks/insurance/medicare_program.php]. 

[5] HHS, "Improper Payment Reduction Outlook FY 2009 through 2013," in 
Fiscal Year 2010 Agency Financial Report (Washington, D.C.: Nov. 15, 
2010). The Secretary of HHS has delegated administration of the 
Medicare program to the Administrator of CMS. See Appendix I for 
abbreviations used in this statement. 

[6] In its Fiscal Year 2010 Agency Financial Report, HHS calculated 
and reported the 3-year (2008, 2009, and 2010) weighted average 
national payment error rate for Medicaid of 9.4 percent. See 
Department of Health and Human Services FY 2010 Agency Financial 
Report (Washington, D.C.: Nov. 15, 2010). 

[7] Pub. L. No. 111-148, 124 Stat. 119 (2010), as amended by the 
Health Care and Education Reconciliation Act of 2010 (HCERA), Pub. L. 
No. 111-152, 124 Stat. 1029, which we refer to collectively as PPACA. 
The program integrity provisions discussed in this statement are 
generally located in sections 6401 through 6411 and 10603 and 10605 of 
PPACA as well as section 1304 of HCERA. For our previous work, see a 
list of related products at the end of this statement. 

[8] Pub. L. No. 111-240, § 4241, 124 Stat. 2504, 2599. 

[9] Implementing guidance has not been issued, and therefore it is too 
early to assess the implementation of these requirements. 

[10] Medicare Parts A and B are known as original Medicare or Medicare 
FFS. Medicare Part A covers hospital and other inpatient stays. 
Medicare Part B is optional, and covers hospital outpatient, 
physician, and other services. 

[11] Medicare beneficiaries have the option of obtaining coverage for 
Part A and B services from private health plans that participate in 
Medicare Advantage--Medicare's managed care program--also known as 
Part C. All Medicare beneficiaries may purchase coverage for 
outpatient prescription drugs under Part D. 

[12] These strategies were identified in our June 2010 testimony as 
critical to helping prevent fraud, waste, and abuse in Medicare. See 
GAO, Medicare Fraud, Waste, and Abuse: Challenges and Strategies for 
Preventing Improper Payments, [hyperlink, 
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15, 
2010). 

[13] This statement deals with the challenge of reducing improper 
payments to providers and plans, but Medicaid has additional areas of 
concern, such as supplemental payments to providers that can lead to 
inappropriate federal payments to states. For a discussion of these 
areas, see GAO, High Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 
2011). 

[14] A list of both sets of products appears at the end of this 
statement. 

[15] For more detailed information on the methodologies used in our 
work, please consult the products listed at the end of this statement. 

[16] For a list of recommendations that we made that CMS has not 
implemented, see appendix II. 

[17] See GAO, Medicare Fraud, Waste, and Abuse: Challenges and 
Strategies for Preventing Improper Payments, [hyperlink, 
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15, 
2010). While the June 2010 statement specifically focused on the 
Medicare program, the strategies it presented are also applicable to 
the Medicaid program. 

[18] Vulnerabilities are service-specific errors that result in 
improper overpayments and underpayments. An example of a vulnerability 
that leads to improper payments is providers billing for more than one 
blood transfusion in a hospital outpatient setting for a Medicare 
beneficiary in a day, which Medicare policy does not allow. 

[19] Enrolling as a provider in Medicare and Medicaid allows a 
provider to provide services to beneficiaries and bill for those 
services. 

[20] See GAO, Medicare: Improvements Needed to Address Improper 
Payments in Home Health, [hyperlink, 
http://www.gao.gov/products/GAO-09-185] (Washington, D.C.: Feb. 27, 
2009). CMS's contractors began to revalidate HHA enrollment during the 
course of our work on that engagement. 

[21] See GAO, Medicare: More Effective Screening and Stronger 
Enrollment Standards Needed for Medical Equipment Suppliers, 
[hyperlink, http://www.gao.gov/products/GAO-05-656] (Washington, D.C.: 
Sept. 22, 2005). 

[22] See GAO, Medicare: Covert Testing Exposes Weaknesses in the 
Durable Medical Equipment Supplier Screening Process, [hyperlink, 
http://www.gao.gov/products/GAO-08-955] (Washington, D.C.: July 3, 
2008). 

[23] See GAO, Medicaid: Fraud and Abuse Related to Controlled 
Substances Identified in Selected States, [hyperlink, 
http://www.gao.gov/products/GAO-09-957] (Washington, D.C.: Sept. 9, 
2009). The five states whose claims we reviewed for this report were 
California, Illinois, New York, North Carolina, and Texas. 

[24] This law also applies to certain provisions related to Medicaid 
or to the state Children's Health Insurance Program (CHIP), which is 
the joint federal-state program that provides health coverage to 
children whose families have incomes that are low, but not low enough 
to qualify for Medicaid. This statement does not address how PPACA 
will affect CHIP. 

[25] The enhanced screening procedures that PPACA provided for will 
apply to new providers beginning 1 year after the date of enactment 
and to currently enrolled providers 2 years after that date. 

[26] Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers, 76 Fed. Reg. 5862 (Feb. 2, 2011). 

[27] In discussing the final rule, CMS noted that Medicare already 
employs a number of the screening practices described in PPACA to 
determine if a provider is in compliance with federal and state 
requirements to enroll or to maintain enrollment in the Medicare 
program. 

[28] CMS considered issues such as past levels of improper payments 
and occurrences of fraud among different provider types to determine 
risk levels. The moderate level comprises re-enrolling HHAs and re-
enrolling DMEPOS suppliers; ambulance suppliers; community mental 
health centers; comprehensive outpatient rehabilitation facilities; 
hospice organizations; independent diagnostic testing facilities; 
independent clinical laboratories; and physical therapists, including 
physical therapy groups and portable X-ray suppliers. Other providers, 
such as physicians and ambulatory surgical centers, are in the limited 
risk level. 

[29] The database checks may include verification of the following: 
Social Security number; National Provider Identifier; National 
Practitioner Databank licensure; whether the provider has been 
excluded from federal health care programs by the OIG; taxpayer 
identification number; and death of an individual practitioner, owner, 
authorized official, delegated official, or supervising physician. 

[30] In February 2011, CMS told us that the agency had requested 
additional comments on how best to implement the fingerprinting and 
criminal history record check requirements and might adopt some of the 
comments in implementing this provision. CMS will not implement 
fingerprinting and criminal history record checks until after 
subregulatory guidance is published that explains how the agency plans 
to ensure that privacy rights are respected and that addresses other 
operational concerns. 

[31] The Department of Health and Human Services and the Department of 
Justice Health Care Fraud and Abuse Control Program Annual Report for 
Fiscal Year 2010 (Washington, D.C.: January 2011). 

[32] In general, a compliance program is the internal set of policies, 
processes, and procedures that a provider organization implements to 
help it act ethically and lawfully. In this context, compliance plans 
help provider organizations prevent and detect violations of Medicare 
laws and regulations. 

[33] Medicare, Medicaid, and Children's Health Insurance Programs; 
Additional Screening Requirements, Application Fees, Temporary 
Enrollment Moratoria, Payment Suspensions and Compliance Plans for 
Providers and Suppliers. 75 Fed. Reg. 58204 (Sept. 23, 2010). 

[34] Medicare Program; Home Health Prospective Payment System Rate 
Update for Calendar Year 2011; Changes in Certification Requirements 
for Home Health Agencies and Hospices. 75 Fed. Reg. 70,372 (Nov. 17, 
2010). 

[35] Social Security Act §1834(a)(16)(B). As of October 2009, DMEPOS 
suppliers were required to obtain and submit a surety bond in the 
amount of at least $50,000. A DMEPOS surety bond is a bond issued by 
an entity guaranteeing that a DMEPOS supplier will fulfill its 
obligation to Medicare. If the obligation is not met, Medicare will 
recover its losses via the surety bond. Medicare Program; Surety Bond 
Requirement for Suppliers of Durable Medical Equipment, Prosthetics, 
Orthotics, and Supplies (DMEPOS), 74 Fed. Reg. 166 (Jan. 2, 2009). 

[36] Before PPACA, the Social Security Act also required CMS to impose 
surety bonds on HHAs and permitted the imposition of surety bonds on 
certain other Medicare providers. PPACA requires any surety bond 
imposed to be commensurate with the provider's billing volume. CMS 
officials stated that the agency is drafting a rule to implement this 
authority, in which the agency will propose imposing surety bonds on 
additional providers. 

[37] See GAO, Medicare: Improvements Needed to Address Improper 
Payments for Medical Equipment and Suppliers, [hyperlink, 
http://www.gao.gov/products/GAO-07-59] (Washington, D.C.: Jan. 31, 
2007). 

[38] For example, we found that from the first quarter of 2003 through 
the first quarter of 2005, due to an absence of such prepayment 
controls, 225 suppliers increased their billing to Medicare both by at 
least 500,000 and by at least 50 percent from at least one 3-month 
period to the next. In November 2004, the U.S. government won a 
default civil judgment against 16 of these suppliers for filing false 
claims against Medicare for services not rendered--after they were 
paid almost $40 million from January 2003 through September 2004. 

[39] NCCI, a CMS program that consists of coding policies and edits, 
was initiated for Medicare in 1996 to help ensure correct payment for 
Medicare Part B for physician, laboratory, and radiology services 
claims. Under NCCI, CMS's contractors screen Medicare Part B claims 
with automated prepayment edits designed to detect anomalies that 
indicate a claim has incorrect information. 

[40] The law requires these predictive analytic technologies to be 
integrated into the Medicare FFS claims flow and prevent the payment 
of claims identified as potentially fraudulent, wasteful, or abusive 
until the claims can be verified as valid. 

[41] See [hyperlink, http://www.ntis.gov/products/ssa-dmf.aspx] [SSA 
death master]; [hyperlink, http://oig.hhs.gov/fraud/exclusions.asp];  
[HHS OIG Exclusions] [hyperlink, 
http://www.irs.gov/individuals/article/0,,id=100551,00.html] [FPLP]; 
and [hyperlink, http://fms.treas.gov/debt/top.html]. 

[42] These contractors include Medicare Administrative Contractors 
(MAC) and any fiscal intermediaries or carriers still administering 
claims. These MACs, carriers, and fiscal intermediaries are 
responsible for ensuring that they only pay claims to eligible 
providers. 

[43] We reported in 2009 that two contractors paying home health 
services claims conducted postpayment reviews on fewer than 700 of the 
8.7 million claims they paid in fiscal year 2007. See [hyperlink, 
http://www.gao.gov/products/GAO-09-185].

[44] See [hyperlink, http://www.gao.gov/products/GAO-09-185]. 

[45] See [hyperlink, http://www.gao.gov/products/GAO-09-185]. 

[46] The Medicare Prescription Drug, Improvement and Modernization Act 
of 2003 directed CMS to conduct a project to demonstrate how effective 
the use of RACs would be in identifying underpayments and 
overpayments, and in recouping overpayments in Medicare. Pub. L. No. 
108-173, § 306, 117 Stat. 2066, 2256. Subsequently, in December 2006 
the Tax Relief and Health Care Act of 2006 required CMS to implement a 
national RAC program by January 1, 2010. Pub. L. No. 109-342, div. B, 
title III, § 302, 120 Stat. 2924, 2991 (codified at 42 U.S.C. § 
1395ddd(h)). 

[47] See GAO, Medicare Fraud, Waste and Abuse: Challenges and 
Strategies for Preventing Improper Payments, [hyperlink, 
http://www.gao.gov/products/GAO-10-844T] (Washington, D.C.: June 15, 
2010). 

[48] GAO, Medicare Part D: Some Plan Sponsors Have Not Completely 
Implemented Fraud and Abuse Programs, and CMS Oversight Has Been 
Limited, [hyperlink, http://www.gao.gov/products/GAO-08-760] 
(Washington, D.C.: July 21, 2008). 

[49] See Medicare Part D: CMS Oversight of Part D Sponsors' Fraud and 
Abuse Programs Has Been Limited, but CMS Plans Oversight Expansion. 
[hyperlink, http://www.gao.gov/products/GAO-10-481T] (Washington, 
D.C.: March 3, 2010). A desk audit includes reviews of requested 
documents only, in contrast to site visits, which include other tasks, 
such as interviews with sponsor officials. 

[50] Policy and Technical Changes to the Medicare Advantage and the 
Medicare Prescription Drug Benefit Programs, 75 Fed. Reg. 19,678 (Apr. 
15, 2010). 

[51] These are all aspects of internal control, which is the component 
of an organization's management that provides reasonable assurance 
that the organization achieves effective and efficient operations, 
reliable financial reporting, and compliance with applicable laws and 
regulations. Internal control standards provide a framework for 
identifying and addressing major performance challenges and areas at 
greatest risk for mismanagement. GAO, Internal Control Standards: 
Internal Control Management and Evaluation Tool [hyperlink, 
http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August 
2001). 

[52] GAO, Medicare Recovery Audit Contracting: Weaknesses Remain in 
Addressing Vulnerabilities to Improper Payments, Although Improvements 
Made to Contractor Oversight, [hyperlink, 
http://www.gao.gov/products/GAO-10-143] (Washington, D.C.: March 31, 
2010). 

[53] [hyperlink, http://www.gao.gov/products/GAO-10-143]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: