Veterans Community Care Program: VA Should Strengthen Its Ability to Identify Ineligible Health Care Providers [Reissued with revisions on Mar. 11, 2022.]
The VA allows eligible veterans to receive care from community providers when they face challenges accessing care at VA medical facilities. The VA is still responsible for ensuring that these community providers are qualified and competent.
However, the VA may have mistakenly allowed some ineligible community providers to participate in this program. For instance, we found 1,600 potentially ineligible providers in VA's system—including some who had revoked or suspended medical licenses.
We recommended that the VA improve its controls and standard operating procedures to exclude all ineligible providers from its community care program.
Revised March 11, 2022 to include page four of VA’s response to GAO’s recommendations.
What GAO Found
GAO found vulnerabilities in the controls used by the Department of Veterans Affairs' (VA) Veterans Health Administration (VHA) and its contractors to identify health care providers who are not eligible to participate in the Veterans Community Care Program (VCCP), resulting in the inclusion of potentially ineligible providers.
Examples of Requirements of and Restrictions on Veterans Community Care Program Provider Eligibility
Of over 800,000 providers assessed, GAO identified approximately 1,600 VCCP providers who were deceased, were ineligible to work with the federal government, or had revoked or suspended medical licenses. VHA and its contractors had controls in place to identify such providers. However, the existing controls missed some providers who could have been identified with enhanced controls and more consistent implementation of standard operating procedures. For example, GAO found the following:
- One provider had an expired nursing license in April 2016 and was arrested for assault in October 2018. This provider was excluded from working in federally funded health care programs. The provider was convicted of patient abuse and neglect in July 2019. The provider entered the VCCP in November 2019. VHA officials stated that this provider was uploaded into the system in error.
- One provider was eligible for referrals in the VHA system, but his medical license had been revoked in 2019. Licensing documents stated that the provider posed a clear and immediate danger to public health and safety.
GAO also identified weaknesses in oversight of provider address data. Some VCCP providers used commercial mail receiving addresses as their only service address. Such addresses have been disguised as business addresses in the past by individuals intending to commit fraud. VHA has not assessed the fraud risk that invalid address data pose to the program.
These vulnerabilities potentially put veterans at risk of receiving care from unqualified providers. Additionally, VHA is at risk of fraudulent activity, as some of the providers GAO identified had previous convictions of health-care fraud. VA has an opportunity to address these limitations as it continues to refine the controls, policies, and procedures for this 2-year old program.
Why GAO Did This Study
The VHA allows eligible veterans to receive care from community providers through VA's VCCP when veterans face challenges accessing care at VA medical facilities. VHA is responsible for ensuring VCCP providers are qualified and competent to provide safe care to veterans based on the eligibility requirements and restrictions.
GAO was asked to examine the extent to which vulnerabilities in VCCP provider eligibility controls contributed to potentially ineligible providers participating in the program.
GAO reviewed VHA and contractor standard operating procedures, policies, and guidance. GAO also interviewed knowledgeable officials. To identify potentially ineligible providers, GAO compared data from VHA's Office of Community Care to data sources related to actions that may exclude providers from participating in the VCCP.
Reissued with revisions on Mar. 11, 2022.
Revised March 11, 2022 to include page four of VA’s response to GAO’s recommendations.Recommendations
GAO is making ten recommendations to VA, including that VA enhance existing controls, consistently implement controls as described in standard operating procedures, and assess the fraud risk of invalid provider address data. VA generally agreed with GAO's ten recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that Community Care Network contractors perform automated monthly checks for all VCCP providers against the HHS OIG LEIE using SSN, date of birth, and other unique identifiers. (Recommendation 1) |
On May 13, 2022, VA provided a response as part of its 180-day update. VA suggested that modifying its current contract with Third Party Administrators (TPA) would be cost-prohibitive. A modification is necessary because the existing contract does not require TPAs to use SSNs and DOBs. Further, VA stated that providers may decline to participate in the program if they were required to share SSNs and DOBs with TPAs. GAO responded the same day, acknowledging that the existing contract could be difficult to modify but that subsequent contracts could be written to require TPAs to use SSNs and DOBs. GAO further pointed out that TPAs already collect SSNs and DOBs and that VA should provide evidence to support claims that providers would decline to participate in the program if asked to provide SSNs and DOBs. In January 2023, VA provided evidence that its TPAs do not collect SSNs and DOBs for all providers and that those participating in practices that have an overarching TIN affiliated with the practice would not have a reason to provider individual SSNs and DOBs. GAO followed up to suggest that VA could use the SSNs and DOBs that are collected to verify eligibility and VA requested a follow up meeting to discuss.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care identifies and implements a process to inform schedulers of specific HHS OIG LEIE waiver specifications. (Recommendation 2) |
In January 2023, VA provided evidence that the agency developed and implemented a process by which providers with List of Excluded Individuals/Entities waivers were appropriately marked as eligible for participation in the Veterans Community Care Program only in the states specified by the waiver.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care revises its Provider Exclusion Standard Operating Procedures to require automated matching of providers in PPMS to the SAM Exclusions file using both TIN and NPI as identifiers. (Recommendation 3) |
On May 13, 2022, VA provided a response as part of its 180-day update, stating that there were drawbacks to using a Taxpayer Identification Number (TIN) for screening participants and that a new process, implemented in September 2021, verified participants on a daily basis. The same day, GAO replied that our report stated that VA already used TIN for this check and that we recommended that they also use National Provider Identifier (NPI) in addition to TIN when screening participants. In January 2023, VA reported that the agency switched to using NPI to screen providers and stopped using TINs. In February 2023, GAO requested documentation of the change in policy.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care consults with the Administrator of the GSA to correct technical issues to ensure VHA can routinely monitor PPMS providers on the SAM Exclusions file. (Recommendation 4) |
On May 13, 2022, VA provided a response as part of its 180-day update. VA stated that it corrected technical issues that prevented the agency from completing automated validations with the SAM website. GAO replied the same day requesting documentation that showed that the check worked as planned. In January 2023, VA provided evidence that the automated validation took place on a consistent basis. In February 2023, GAO requested documentation explaining what was determined to have caused the problem and how the problem was resolved.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care conducts automated matching of PPMS to LEIE, SAM, and NPPES in accordance with the monthly timeline outlined in its Provider Exclusion Standard Operating Procedures. (Recommendation 5) |
On May 13, 2022, VA provided a response as part of its 180-day update. VA provided evidence that its standard operating procedures (SOP) called for monthly verifications with these databases. On June 2, 2022, GAO acknowledged that the SOP called for monthly checks and stated that our report found that the monthly checks were not reliably completed that consistently. GAO asked for evidence that the monthly checks have been consistently completed on a monthly basis. In January 2023, VA provided documentation intended to demonstrate the frequency with which these checks were completed. In February 2023, GAO asked for clarity as to whether the documentation logged the dates and times at which tests were run or rather the dates and times at which the databases used were updated.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care identifies inherent fraud risks related to VCCP provider address controls. (Recommendation 6) |
In January 2023, VA provided a fraud risk assessment that identified inherent fraud risks related to VCCP provider address controls.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care assesses the likelihood and impact of inherent fraud risks related to VCCP provider address controls. (Recommendation 7) |
In January 2023, VA provided a fraud risk assessment that determined the likelihood of fraud related to providers using PO boxes for service addresses.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that VHA Office of Community Care determines the fraud risk tolerance related to VCCP provider address controls. (Recommendation 8) |
In January 2023, VA provided a fraud risk assessment that determined the fraud risk tolerance related to VCCP provider address controls.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care examines the suitability of existing fraud controls related to VCCP provider address controls. (Recommendation 9) |
In January 2023, VA provided a fraud risk assessment that examined the suitability of existing fraud controls related to VCCP provider address controls.
|
| Department of Veterans Affairs | The Under Secretary for Health should ensure that the VHA Office of Community Care documents the fraud risk profile related to VCCP provider address controls. (Recommendation 10) |
In January 2023, VA provided a fraud risk assessment that documented its fraud risk profile related to VCCP provider address controls.
|