Skip to main content

Medicaid: Additional Actions Needed to Help Improve Provider and Beneficiary Fraud Controls

GAO-15-313 Published: May 14, 2015. Publicly Released: May 29, 2015.
Jump To:
Skip to Highlights


What GAO Found

GAO found thousands of Medicaid beneficiaries and hundreds of providers involved in potential improper or fraudulent payments during fiscal year 2011—the most-recent year for which reliable data were available in four selected states: Arizona, Florida, Michigan, and New Jersey. These states had about 9.2 million beneficiaries and accounted for 13 percent of all fiscal year 2011 Medicaid payments. Specifically:

About 8,600 beneficiaries had payments made on their behalf concurrently by two or more of GAO's selected states totaling at least $18.3 million.

The identities of about 200 deceased beneficiaries received about $9.6 million in Medicaid benefits subsequent to the beneficiary's death.

About 50 providers were excluded from federal health-care programs, including Medicaid, for a variety of reasons that include patient abuse or neglect, fraud, theft, bribery, or tax evasion.

Since 2011, the Centers for Medicare & Medicaid Services (CMS) has taken regulatory steps to make the Medicaid enrollment process more rigorous and data-driven; however, gaps in beneficiary-eligibility verification guidance and data sharing continue to exist. These gaps include the following:

In October 2013, CMS required states to use electronic data maintained by the federal government in its Data Services Hub (hub) to verify beneficiary eligibility. According to CMS, the hub can verify key application information, including state residency, incarceration status, and immigration status. However, additional guidance from CMS to states might further enhance program-integrity efforts beyond using the hub. Specifically, CMS regulations do not require states to periodically review Medicaid beneficiary files for deceased individuals more frequently than annually, nor specify whether states should consider using the more-comprehensive Social Security Administration Death Master File in conjunction with state-reported death data when doing so. As a result, states may not be able to detect individuals that have moved to and died in other states, or prevent the payment of potentially fraudulent benefits to individuals using these identities.

In 2011, CMS issued regulations to strengthen Medicaid provider-enrollment screening. For example, CMS now requires states to screen providers and suppliers to ensure they have active licenses in the state where they provide Medicaid services. CMS's regulations also allow states to use Medicare's enrollment database—the Provider Enrollment, Chain and Ownership System (PECOS)—to screen Medicaid providers so that duplication of effort is reduced. In April 2012, CMS gave each state manual access to certain information in PECOS. However, none of the four states GAO interviewed used PECOS to screen all Medicaid providers because of the manual process. In October 2013, CMS began providing interested states access to a monthly file containing basic enrollment information that could be used for automated screening, but CMS has not provided full access to all PECOS information, such as ownership information, that states report are needed to effectively and efficiently process Medicaid provider applications.

Why GAO Did This Study

Medicaid is a significant expenditure for the federal government and the states, with total federal outlays of $310 billion in fiscal year 2014. CMS reported an estimated $17.5 billion in potentially improper payments for the Medicaid program in 2014.

GAO was asked to review beneficiary and provider enrollment-integrity efforts at selected states. This report (1) identifies and analyzes indicators of improper or potentially fraudulent payments in fiscal year 2011, and (2) examines the extent to which federal and state oversight policies, controls, and processes are in place to prevent and detect fraud and abuse in determining eligibility.

GAO analyzed Medicaid claims paid in fiscal year 2011, the most-recent reliable data available, for four states: Arizona, Florida, Michigan, and New Jersey. These states were chosen because they were among those with the highest Medicaid enrollment; the results are not generalizable to all states. GAO performed data matching with various databases to identify indicators of potential fraud, reviewed CMS and state Medicaid program-integrity policies, and interviewed CMS and state officials performing oversight functions.


GAO recommends that CMS issue guidance for screening deceased beneficiaries and supply more-complete data for screening Medicaid providers. The agency concurred with both of the recommendations and stated it would provide state-specific guidance to address them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services To further improve efforts to limit improper payments, including fraud, in the Medicaid program, the Acting Administrator of CMS should issue guidance to states to better identify beneficiaries who are deceased.
Closed – Implemented
CMS has taken several steps to address this recommendation. In its May 2016 Eligibility Technical Advisory Group meeting, CMS informed states that they can use the federal Data Services Hub to access SSA's full Death Master File (DMF) to better identify deceased beneficiaries. Moreover, in their written responses to GAO in July 2016, CMS officials said that they will provide state-specific technical assistance as needed and require states to include policies related to identification of deceased beneficiaries in their Verification Plans. By taking these actions, CMS has taken important steps in identifying and preventing benefits and payments to those individuals who are ineligible to participate in Medicaid.
Centers for Medicare & Medicaid Services To further improve efforts to limit improper payments, including fraud, in the Medicaid program, the Acting Administrator of CMS should provide guidance to states on the availability of automated information through Medicare's enrollment database--the Provider Enrollment, Chain and Ownership System (PECOS)--and full access to all pertinent PECOS information, such as ownership information, to help screen Medicaid providers more efficiently and effectively.
Closed – Implemented
CMS has taken several steps to provide guidance on the availability of automated information in and full access to all pertinent information in PECOS. CMS discussed the availability of the State Data Compare service and upcoming trainings during its monthly calls with states. In addition, CMS issued a system toolkit guide in July 2017 for sharing provider data among CMS and State programs, which includes information on how to retrieve CMS data from multiple data sources and how to access these systems. Further, CMS stated that it developed a State Medicaid page in PECOS that provided full access to all pertinent PECOS information to assist states with Medicaid enrollment screenings. CMS stated that it conducted training on the State Medicaid page on January 12, 2017 and offers training on a quarterly basis. By taking these actions, states have increased awareness of and access to pertinent PECOS information that can be used to prevent fraud, waste, and abuse in state Medicaid programs.

Full Report

Office of Public Affairs


BeneficiariesData collectionData integrityElectronic data interchangeEligibility determinationsErroneous paymentsFederal and state relationsFraudLicensesMedicaidProgram managementQuestionable paymentsDeceased personsInformation sharingPolicies and procedures