Medicaid Anti-Fraud Efforts CriticizedGAO Suggests Ways to Better Prevent Fraudulent Payments
Among the steps that the Centers for Medicare and Medicaid Services can take, the GAO says, is providing states with more guidance in using certain data-related tools and services offered by the federal government to update their files so they can better detect fraudulent payment claims involving IDs of deceased beneficiaries and healthcare providers.
Both GAO reports are based on the same study. But one features summarized findings that were part of written testimony given to a Congressional subcommittee by the reports' author, Seto Bagdoyan, GAO director of forensic audits and investigative service. That testimony was part of a June 2 hearing on Medicaid fraud by the House Energy and Commerce Committee's Oversight and Investigations subcommittee.
The reports notes that Medicaid is a significant expenditure for the federal government and the states, with total federal outlays of $310 billion in fiscal 2014. CMS reported an estimated $17.5 billion in potentially improper payments for the Medicaid program for that year.
GAO says the agency's recent study of four states - Arizona, Florida, Michigan, and New Jersey - found thousands of Medicaid beneficiaries and hundreds of providers involved in potential improper or fraudulent payments during fiscal 2011, the most recent year for which data was available. These states had about 9.2 million Medicaid beneficiaries and accounted for 13 percent of all fiscal 2011 Medicaid payments.
Among the fraud GAO found in these four states:
- About 8,600 Medicaid beneficiaries had improper payments made on their behalf concurrently to healthcare providers in two or more of the states, totaling at least $18.3 million;
- The identities of about 200 deceased beneficiaries were used to fraudulently receive about $9.6 million in Medicaid benefits;
- About 50 healthcare providers received Medicaid payments even though they were excluded from federal healthcare programs, including Medicaid, for a variety of reasons, such as patient abuse or neglect, fraud, theft, bribery or tax evasion.
GAO says that since 2011, CMS has implemented a number of "regulatory steps to make the Medicaid enrollment process more rigorous and data-driven; however, gaps in beneficiary-eligibility verification guidance and data sharing continue to exist."
In explaining the various gaps, GAO notes that in October 2013, CMS required states to use electronic data maintained by the federal government in its Data Services Hub to verify beneficiary eligibility. The hub was rolled out by the Department of Health and Human Services as part of the Affordable Care Act. The hub, which is also connected to the HealthCare.gov health insurance exchange, routes and verifies application information in various external data sources, such as the Social Security Administration and the Department of Homeland Security.
GAO notes that according to CMS, the hub can verify key application information, including state residency, incarceration status and immigration status. "However, additional guidance from CMS to states might further enhance program-integrity efforts beyond using the hub. Specifically, CMS regulations do not require states to periodically review Medicaid beneficiary files for deceased individuals more frequently than annually, nor specify whether states should consider using the more-comprehensive Social Security Administration Death Master File in conjunction with state-reported death data when doing so. As a result, states may not be able to detect individuals that have moved to and died in other states, or prevent the payment of potentially fraudulent benefits to individuals using these identities."
Without using information from these tools, "states can generally only detect deaths within the state's borders and not prevent or detect benefit payments made for individuals who had their deaths recorded in other states' vital records," the GAO says.
To help prevent Medicaid fraud involving ineligible healthcare providers, CMS in 2011 issued regulations to strengthen Medicaid healthcare provider-enrollment screening, GAO notes. "For example, CMS now requires states to screen providers and suppliers to ensure they have active licenses in the state where they provide Medicaid services. CMS's regulations also allow states to use Medicare's enrollment database - the Provider Enrollment, Chain and Ownership System (PECOS) - to screen Medicaid providers so that duplication of effort is reduced."
In April 2012, CMS gave each state manual access to certain information in PECOS. "However, none of the four states GAO interviewed used PECOS to screen all Medicaid providers because of the manual process," GAO notes. "In October 2013, CMS began providing interested states access to a monthly file containing basic enrollment information that could be used for automated screening, but CMS has not provided full access to all PECOS information, such as ownership information, that states report are needed to effectively and efficiently process Medicaid provider applications."
GAO concludes that while CMS has taken steps since 2011 to strengthen Medicaid beneficiary and provider enrollment-screening controls, more improvements are needed to bolster those efforts.
"As part of this ongoing endeavor, increasing information and data sharing efforts between the federal government and state Medicaid programs could help enhance efforts to identify improper payments and potentially fraudulent activities," the reports' author Bagdoyan notes in his written testimony.
In its response to the GAO report, HHS says it concurs with the agency's recommendations to provide more guidance to the states on using federal tools, such as the Data Services Hub and PECOS, to help identify deceased individuals and screen healthcare providers. HHS says it will provide more technical assistance and education to the states as needed.
Bagdoyan tells Information Security Media Group that because the GAO study was based on 2011 data from those four states - and CMS implemented its data hub services and PECOS efforts after that - it's possible those states have seen improvements in their anti-fraud efforts that are not reflected by the GAO study. "It sometimes takes a while for the impact of efforts to play out," he says.
In any case, CMS "still needs to provide more clarification to states on using the [federal] toolbox to narrow opportunities for fraudulent activities," he says.
Healthcare entities can also help the anti-fraud efforts by taking steps to prevent data breaches, including those involving inappropriate access by insiders, he says. "If data is housed in IT systems, then taking measures to protect that data ... is important. Prevention is the best medicine."