GAO-13-279SP: Health: 6. Medicaid Program Integrity

Health > 6. Medicaid Program Integrity

The Centers for Medicare & Medicaid Services needs to take steps to eliminate duplication and increase efficiency in two Medicaid Integrity Program activities—provider audits and the collection of state program integrity data.

Why This Area Is Important

GAO has had longstanding concerns about Medicaid’s program integrity, and included Medicaid on its list of high-risk programs because of concerns about the sufficiency of federal and state oversight.[1] The Centers for Medicare & Medicaid Services (CMS) estimated that in fiscal year 2012 $19.2 billion (7.1 percent) of Medicaid’s federal expenditures involved improper payments—including payments made for treatments or services that were not covered by program rules, that were not medically necessary, or that were billed for but never provided.[2] Federal Medicaid expenditures in fiscal year 2011 were $275 billion. Medicaid is the joint federal-state health care financing program for certain low-income individuals and is one of the largest social programs in federal and state budgets. The size and diversity of Medicaid make it particularly vulnerable to improper payments. The Deficit Reduction Act of 2005 created the Medicaid Integrity Program (integrity program) to provide federal support for and oversight of state Medicaid program integrity activities with an annual appropriation of approximately $75 million.[3] The following year, CMS established the Medicaid Integrity Group (integrity group) to implement this program.

[1]See GAO, Major Management Challenges and Program Risks: Department of Health and Human Services, GAO-03-101 (Washington, D.C.: January 2003).

[2]CMS is an agency within the Department of Health and Human Services.

[3]Pub. L. No. 109-171, § 6034, 120 Stat. 4, 74-78 (2006) (codified at 42 U.S.C. § 1396u-6). For each fiscal year since 2010, the amount appropriated has been the previous year’s appropriation adjusted for inflation According to HHS, the fiscal year 2013 appropriation is expected to be approximately $80 million.

What GAO Found

In November 2012, GAO reported that it had identified duplication in two of the integrity group’s six integrity program activities—the National Medicaid Audit Program, which consists of audits of state Medicaid claims data to identify overpayments, and state program integrity assessments, one of several tools through which CMS collects data on state program integrity activities.

National Medicaid Audit Program. The integrity group hired separate contractors for each state—one contractor to review states’ paid claims data in order to identify potential aberrant claims or billing anomalies and another to audit such aberrant claims.[1] This division of labor was inefficient and led to duplication in two key areas—understanding states’ Medicaid policies and data analysis. The Deficit Reduction Act of 2005 required CMS to hire contractors to review and audit provider claims. According to integrity group officials, they initially believed that the act required the use of separate contractors but, in hindsight, concluded that these activities could have been performed by the same contractor.[2]

The integrity group’s decision to use separate contractors to review and audit provider claims meant that both entities had to master the details of numerous state Medicaid policies related to eligibility, benefits, and claims processing to appropriately assess whether payments were improper. For example, the two contractors responsible for reviewing provider claims to identify potential audit targets had to learn and correctly apply the policies of 22 and 28 states, respectively. Similarly, the three contractors hired to audit provider claims were required to master the policies of 8 to 24 states. Officials from one state commented that becoming fully knowledgeable about all the state policies affecting program integrity audits could take 2 to 3 years. According to several state officials, the lack of an in-depth knowledge of state policy contributed to unproductive provider audits. For example, according to one state official, the integrity group and its contractors had mistakenly identified overpayments for federally qualified health centers because they assumed that centers should receive reduced payments for an established patient on subsequent visits. The contractors were not aware that these types of centers are paid on an encounter basis, which uses the same payment rate for the first and follow-up visits.

Moreover, the use of separate contractors to review and audit provider claims increased inefficiencies in data analysis, which also led to duplication of effort. The review contractors’ primary function was to use algorithms to analyze extracts of states’ Medicaid claims data to identify any potential improper payments.[3] Audit contractors also analyzed the same data extracts to learn more about providers they were auditing and the services for which the providers billed. As a result, the audit contractors duplicated certain data analyses that had already been performed by the review contractors, such as verifying the completeness and accuracy of the data extracts. For example, one audit contractor reported that the presence of large numbers of duplicate claims in the data resulted in a significant commitment of the contractor’s analytical and data management resources for 66 provider audits that were subsequently discontinued because of the poor quality of the data.

The inefficiencies of having separate contractors both review and audit provider claims were exacerbated by the integrity group’s communication policies. All communication, whether between review and audit contractors or between contractors and states, went through a multistep process that was controlled by the integrity group. As a result, the audit contractors could not easily communicate with the review contractors to verify specific details of the review contractors’ data analyses. Two audit contractors’ lessons learned reports recommended closer collaboration between audit and review contractors during the claims analysis process and the selection of audit targets to prevent duplicative data analysis. In addition, the inability to communicate freely with states inhibited the contractors from fully leveraging states’ knowledge of their own Medicaid policies. The Department of Health and Human Services Office of the Inspector General reported a similar finding that the integrity group’s communication policy contributed to a duplication of contractor functions.[4]

The integrity group has initiated changes to the National Medicaid Audit Program that may reduce, but will not eliminate, duplication. The integrity group has shifted to a more collaborative approach to National Medicaid Audit Program audits in which states can identify the audit targets. However, integrity group officials told GAO that in some cases the review contractors will continue to analyze extracts of states’ Medicaid claims data to identify potential audit targets for audit contractors to pursue. According to integrity group officials, the review contractors conducted data analysis on 34 percent of the collaborative audits assigned to audit contractors from January 2010 through December 2011.[5] Thus, review and audit contractors continue to be involved in the shift to a more collaborative audit approach, resulting in continued duplication of effort. In fiscal year 2011, integrity group expenditures for its review and audit contractors totaled about $33.7 million, about half of which covered the cost of the review contractors’ activities. Merging the functions of the review and audit contractors has the potential to significantly reduce overall expenditures on National Medicaid Audit Program contractors.

State Program Integrity Assessments.GAO also identified duplication in the information that the integrity group collects annually on state program integrity activities through its state program integrity assessments. For example, the number of Medicaid enrollees, managed care enrollment, the number of participating providers, the state program integrity organizational structure, the number of staff, use of contractors, and the number of state audits of claims are also collected during the triennial comprehensive reviews and are included in the published reports available on the integrity group’s website.[6] The state program integrity assessments also include state program integrity expenditures and recoveries—two key metrics for accountability and oversight—that are collected through required quarterly state reporting of Medicaid expenditures to CMS, which are subject to validation and audit. GAO found that the annual state program integrity assessments contained significant errors and were inconsistent with data in reports that covered the same year. Moreover, program integrity officials in several states also told GAO that state program integrity assessment reporting is not consistent or comparable across states. Correcting inconsistencies in the state program integrity assessment data would be of limited value. The 2-year time lag in the state program integrity assessment data (e.g., fiscal year 2009 assessments contain data for state fiscal year 2007) undermines its usefulness in determining which states would benefit from technical assistance or developing measures to assess states’ performance. Other sources, such as triennial comprehensive reviews, provide more timely and useful information.

[1]As of July 2012, the integrity group had two review contractors and three separate audit contractors. One review and one audit contractor are assigned to each of five geographic areas.

[2]Integrity group officials told GAO that they consulted CMS’s Office of Acquisition and Grants Management before deciding to hire different contractors to review and audit provider claims. This office manages contracting activities and develops acquisition policy and procedures.

[3]An algorithm is a specific set or logical rules or criteria used to analyze data.

[4]HHS-OIG, Early Assessment of Audit Medicaid Integrity Contractors, OEI-05-1-00210 (March 2012).

[5]Integrity group officials also told GAO that it planned to retain its existing two review contractors, but reduce their workload and realign their geographic areas of responsibility.

[6]The integrity group performs comprehensive state program integrity reviews of each state’s Medicaid program every 3 years. These reviews assess each state’s Medicaid program integrity procedures and processes. Topics covered include program integrity organization and staffing; post-payment review and fraud identification; investigation, and referral. The objective of the reviews is to assess the effectiveness of states’ program integrity activities and compliance with federal program integrity laws.

Actions Needed

In November 2012, to improve the efficiency and effectiveness of the Medicaid Integrity Program, GAO recommended that CMS take the following two actions:

  • merge the functions of the federal review and audit contractors within a state or geographic region to eliminate duplication and more effectively use audit resources, which has the potential to significantly reduce National Medicaid Audit Program expenditures; and
  • discontinue the annual state program integrity assessments to avoid duplication and the reporting of inaccurate data.

How GAO Conducted Its Work

The information contained in this analysis is based on findings from the reports listed in the related GAO products section. For some of these reports, GAO analyzed the integrity group data on audit assignments as of February 29, 2012, and its contractors’ lessons learned reports. GAO discussed the National Medicaid Audit Program with integrity group officials, representatives of its contractors responsible for conducting provider claims reviews and audits, and program integrity officials in 11 states. GAO selected these states to ensure geographic diversity and because they account for almost half of all Medicaid spending and beneficiaries. GAO also compared and contrasted the information collected through the integrity group’s comprehensive reviews and state assessments. Table 5 in appendix IV lists the programs GAO identified that might have similar or overlapping objectives, provide similar services, or be fragmented across government missions. Overlap and fragmentation might not necessarily lead to actual duplication, and some degree of overlap and duplication may be justified.

Agency Comments & GAO Contact

In commenting on the November 2012 report on which this analysis is based, the Department of Health and Human Services agreed with GAO’s recommendation to merge the functions of the federal review and audit contractors, indicating that it was evaluating options for consolidating the work of its contractors within current statutory and procurement requirements. The department partially concurred with GAO’s recommendation to discontinue the state program integrity assessments but noted that its triennial comprehensive program integrity reviews alone might not provide adequate data to inform CMS oversight. It said, however, that it would suspend the assessments while taking steps to address the limitations GAO identified. For example, to address the reporting overlap between the assessments and comprehensive state program integrity reviews, it said CMS was now working to streamline the comprehensive review questionnaires to eliminate duplication. The department’s comments did not articulate how it used the data collected through the assessments to inform its oversight or why the comprehensive review data are insufficient. As a result, GAO continues to believe that the assessments should be discontinued.

GAO provided a draft of this report section to the Department of Health and Human Services for review and comment. The Department of Health and Human Services provided technical comments, which were incorporated as appropriate.

For additional information about this area, contact Carolyn L. Yocom at (202) 512-7114 or

Related Products