TRENDING:

Fraud Management & Cybercrime

Medicaid Anti-Fraud Efforts Criticized

GAO Suggests Ways to Better Prevent Fraudulent Payments Marianne Kolbasuk McGee (HealthInfoSec) • June 3, 2015    
Medicaid Anti-Fraud Efforts Criticized

Federal and state agencies should take more steps to prevent Medicaid fraud, according to two new reports from the Government Accountability Office.

See Also: Live Webinar | Human Detection & Response: Exploring Three Security Awareness Realities

Among the steps that the Centers for Medicare and Medicaid Services can take, the GAO says, is providing states with more guidance in using certain data-related tools and services offered by the federal government to update their files so they can better detect fraudulent payment claims involving IDs of deceased beneficiaries and healthcare providers.

Both GAO reports are based on the same study. But one features summarized findings that were part of written testimony given to a Congressional subcommittee by the reports' author, Seto Bagdoyan, GAO director of forensic audits and investigative service. That testimony was part of a June 2 hearing on Medicaid fraud by the House Energy and Commerce Committee's Oversight and Investigations subcommittee.

The reports notes that Medicaid is a significant expenditure for the federal government and the states, with total federal outlays of $310 billion in fiscal 2014. CMS reported an estimated $17.5 billion in potentially improper payments for the Medicaid program for that year.

Four-State Sample

GAO says the agency's recent study of four states - Arizona, Florida, Michigan, and New Jersey - found thousands of Medicaid beneficiaries and hundreds of providers involved in potential improper or fraudulent payments during fiscal 2011, the most recent year for which data was available. These states had about 9.2 million Medicaid beneficiaries and accounted for 13 percent of all fiscal 2011 Medicaid payments.

Among the fraud GAO found in these four states:

  • About 8,600 Medicaid beneficiaries had improper payments made on their behalf concurrently to healthcare providers in two or more of the states, totaling at least $18.3 million;
  • The identities of about 200 deceased beneficiaries were used to fraudulently receive about $9.6 million in Medicaid benefits;
  • About 50 healthcare providers received Medicaid payments even though they were excluded from federal healthcare programs, including Medicaid, for a variety of reasons, such as patient abuse or neglect, fraud, theft, bribery or tax evasion.

Filling Gaps

GAO says that since 2011, CMS has implemented a number of "regulatory steps to make the Medicaid enrollment process more rigorous and data-driven; however, gaps in beneficiary-eligibility verification guidance and data sharing continue to exist."

In explaining the various gaps, GAO notes that in October 2013, CMS required states to use electronic data maintained by the federal government in its Data Services Hub to verify beneficiary eligibility. The hub was rolled out by the Department of Health and Human Services as part of the Affordable Care Act. The hub, which is also connected to the HealthCare.gov health insurance exchange, routes and verifies application information in various external data sources, such as the Social Security Administration and the Department of Homeland Security.

GAO notes that according to CMS, the hub can verify key application information, including state residency, incarceration status and immigration status. "However, additional guidance from CMS to states might further enhance program-integrity efforts beyond using the hub. Specifically, CMS regulations do not require states to periodically review Medicaid beneficiary files for deceased individuals more frequently than annually, nor specify whether states should consider using the more-comprehensive Social Security Administration Death Master File in conjunction with state-reported death data when doing so. As a result, states may not be able to detect individuals that have moved to and died in other states, or prevent the payment of potentially fraudulent benefits to individuals using these identities."

Without using information from these tools, "states can generally only detect deaths within the state's borders and not prevent or detect benefit payments made for individuals who had their deaths recorded in other states' vital records," the GAO says.

To help prevent Medicaid fraud involving ineligible healthcare providers, CMS in 2011 issued regulations to strengthen Medicaid healthcare provider-enrollment screening, GAO notes. "For example, CMS now requires states to screen providers and suppliers to ensure they have active licenses in the state where they provide Medicaid services. CMS's regulations also allow states to use Medicare's enrollment database - the Provider Enrollment, Chain and Ownership System (PECOS) - to screen Medicaid providers so that duplication of effort is reduced."

In April 2012, CMS gave each state manual access to certain information in PECOS. "However, none of the four states GAO interviewed used PECOS to screen all Medicaid providers because of the manual process," GAO notes. "In October 2013, CMS began providing interested states access to a monthly file containing basic enrollment information that could be used for automated screening, but CMS has not provided full access to all PECOS information, such as ownership information, that states report are needed to effectively and efficiently process Medicaid provider applications."

GAO Recommendations

GAO concludes that while CMS has taken steps since 2011 to strengthen Medicaid beneficiary and provider enrollment-screening controls, more improvements are needed to bolster those efforts.

"As part of this ongoing endeavor, increasing information and data sharing efforts between the federal government and state Medicaid programs could help enhance efforts to identify improper payments and potentially fraudulent activities," the reports' author Bagdoyan notes in his written testimony.

In its response to the GAO report, HHS says it concurs with the agency's recommendations to provide more guidance to the states on using federal tools, such as the Data Services Hub and PECOS, to help identify deceased individuals and screen healthcare providers. HHS says it will provide more technical assistance and education to the states as needed.

Other Suggestions

Bagdoyan tells Information Security Media Group that because the GAO study was based on 2011 data from those four states - and CMS implemented its data hub services and PECOS efforts after that - it's possible those states have seen improvements in their anti-fraud efforts that are not reflected by the GAO study. "It sometimes takes a while for the impact of efforts to play out," he says.

In any case, CMS "still needs to provide more clarification to states on using the [federal] toolbox to narrow opportunities for fraudulent activities," he says.

Healthcare entities can also help the anti-fraud efforts by taking steps to prevent data breaches, including those involving inappropriate access by insiders, he says. "If data is housed in IT systems, then taking measures to protect that data ... is important. Prevention is the best medicine."

Previous
President Obama Signs USA Freedom Act
Next
How Do We Catch Cybercrime Kingpins?

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.