GAO Offers Steps to Enhance Medicaid, Medicare Fraud Strategy

CMS should offer fraud awareness training for employees and conduct a fraud risk assessment to improve its Medicaid and Medicare fraud strategy, GAO advised.

By Jacqueline LaPointe

CMS demonstrates a commitment to preventing and combating Medicaid and Medicare fraud, but the federal agency’s anti-fraud efforts only partially align with the Government Accountability Office’s (GAO) Framework for Managing Fraud Risks in Federal Programs, a new report showed.

Specifically, CMS does not follow the framework because the agency lacks employee anti-fraud training, a fraud risk assessment for Medicare and Medicaid, and a risk-based anti-fraud strategy, the investigation uncovered.

“By not employing the actions identified in the Fraud Risk Framework and incorporating them in its approach to managing fraud risks, CMS is missing a significant opportunity to better ensure employee vigilance against fraud, and to organize and focus its many antifraud and program-integrity activities and related resources into a comprehensive strategy,” GAO wrote.

Incorporating the missing framework pieces would ensure that CMS is focusing on the most significant fraud risks in Medicare, Medicaid, CHIP, and the health insurance exchanges, as well as helping protect the government’s increasing investments in the four programs, the federal watchdog added.

GAO developed the Framework for Managing Fraud Risks in Federal Programs in 2015. The framework details key components and best practices for federal agency managers to use when creating anti-healthcare fraud programs and strategies.

The framework provides leading practices for the following four components:

• Commit: commit to preventing and combating fraud by developing an organizational culture and structure that allows for fraud risk management

• Assess: plan frequent fraud risk assessments and evaluate risks to determine fraud risk profile

• Design and implement: create and implement a strategy with specific control activities to mitigate assessed fraud risks and partner to help ensure implementation

• Evaluate and adapt: assess outcomes using a risk-based approach and modify activities to improve fraud risk management

The GAO investigation uncovered that CMS exhibited a commitment to combating fraud by aligning its organizational structure with the first component of the GAO’s Fraud Risk Framework. The federal agency developed the Center for Program Integrity (CPI), an organization dedicated to addressing Medicare and Medicaid fraud, waste, and abuse. The center also prevents and recoups improper payments.

The center aims to address Medicaid and Medicare fraud by educating stakeholders, such as providers, beneficiaries, and health plans. CMS also offers anti-fraud educational materials to providers via the National Training Program and Medicare Learning Network.

However, the Fraud Risk Framework calls on federal managers to require similar anti-fraud and fraud awareness training for their workforce. CMS did not offer its employees such training, the investigation showed.

CMS requires fraud awareness training for contracting officer representatives who are responsible for overseeing regional Medicare and Medicaid contractors that investigate potential fraud cases and perform audits.

The federal agency told GAO that 638 contracting officer representatives underwent the training, meaning just 10 percent of the CMS workforce received fraud and abuse prevention training in 2016 and 2017.

CMS policies also do not require new hires to receive fraud awareness education, and the federal agency does not conduct regular training for existing employees.

“While fraud-awareness training for contracting officer representatives is an important step in helping to promote fraud risk management, fraud-awareness training specific to CMS programs would be beneficial for all employees,” GAO wrote. “Such training would not only be consistent with what CMS offers to or requires of its stakeholders and some of its employees, but would also help to keep the agency’s entire workforce continuously aware of fraud risks and examples of known fraud schemes, such as those identified in successful OIG investigations.”

Fraud awareness training for employees would also keep staff informed as they design and implement CMS programs. Since Medicare and Medicaid are large programs, they are particularly vulnerable to fraud, waste, and abuse.

Staff should understand fraud prevention and risks while developing programs to reduce fraud risk from the start. For example, understanding fraud prevention may prevent CMS officials from unknowingly including incentives for waste and abuse in payment policies.

CMS should also take steps to fully implement the Fraud Risk Framework’s assess component. The federal agency lacks a fraud risk assessment for both Medicaid and Medicare, GAO reported.

Under the framework, federal managers should conduct regular fraud risk assessments and evaluate the risks to create a fraud risk profile.

The anti-fraud efforts by CMS partially align with the assess component. The federal agency implemented several control activities to target areas that are at higher risk for fraud, such as certain provider types and specific regions.

For example, CMS enforced temporary moratoriums on enrollments for Medicare Part B non-emergency ambulance suppliers and Medicare home health agencies in 2016. Medicare contractors enforced the moratoriums in six states.

While the control efforts align partially with the framework’s assess component, GAO pointed out that CMS failed to conduct a fraud risk assessment for the entire Medicare and Medicaid programs. The control activities primarily centered on Medicare fee-for-service programs and, to a lesser extent, Medicaid programs.

CMS explained the lack of Medicare and Medicaid fraud risk assessments by stating that “within CPI’s broader approach of preventing and eliminating improper payments, its focus has been on addressing specific vulnerabilities among provider groups that have shown themselves particularly prone to fraud, waste, and abuse.”

However, GAO explained that CMS will face challenges with creating and implementing control activities that respond to the full portfolio of fraud risks with Medicare and Medicaid.

Additionally, GAO found that CMS has failed to develop a risk-based anti-fraud strategy for Medicare and Medicaid, which does not align with the design and implement component of the Fraud Risk Framework.

According to the framework, federal officials should establish and document an anti-fraud strategy that includes the program’s method for addressing prioritized fraud risks found through the fraud risk assessment. This strategy is called a risk-based anti-fraud approach.

While CMS successfully implemented control activities to detect Medicare and Medicaid fraud risks, particularly in the fee-for-service program, the federal agency has not established a risk-based strategy to “guide its design and implementation of new anti-fraud activities and to better align and coordinate its existing activities to ensure it is targeting and mitigating the most-significant fraud risks.”

Specifically, GAO reported the following risk-based anti-fraud strategy deficiencies:

• CPI does not have a documented strategy even though several official documents describe efforts to reduce healthcare fraud

• Despite established relationships and communication channels for all stakeholders, stakeholders communicated without a common understanding of the federal agency’s strategic approach to addressing fraud

• Competing priorities limit the incentives CMS can offer to stakeholders, such as Medicaid programs, to implement an anti-fraud strategy because some stakeholders are hesitant to share information with the federal agency due to audit concerns or competition for CMS business

“Without developing and documenting an anti-fraud strategy based on a fraud risk assessment, as called for in the design and implement component of the Fraud Risk Framework, CMS cannot ensure that it has a coordinated approach to address the range of fraud risks and to appropriately target and allocate resources for the most-significant risks,” GAO stated.

Given the large size and complexity of Medicare and Medicaid, a risk-based anti-fraud strategy is also needed to “ensure that a number of existing control activities and numerous stakeholder relationships and incentives are being aligned to produce desired results.”

HHS agreed with the findings of the GAO investigation. The federal department plans to develop and implement fraud-awareness training for CMS employees, conduct a Medicare and Medicaid fraud risk assessment after the marketplace assessment concludes, and establish and document a risk-based anti-fraud strategy after completing the fraud risk assessment.