For other versions of this document, see http://wikileaks.org/wiki/CRS-RL34217

Prepared for Members and Committees of Congress

In FY2008, Medicare is expected to cover an estimated 44.6 million beneficiaries at a total cost of $456 billion. With an average annual growth rate of 7.0%, the Congressional Budget Office (CBO) projects Medicare costs to double over the next 10 years. Because of a number of factors, such as an aging population, overall increases in medical costs, and the new Part D prescription drug benefit, spending on Medicare services is expected to grow more than spending in the U.S. economy. As expenditures continue to rise in the nation's largest health insurance program, efforts to preserve the integrity of the program receive increased attention from policy makers.

Program integrity is considered a component of the effective and efficient administration of government programs, which are entrusted with ensuring that taxpayer dollars are spent wisely. Efforts to ensure Medicare program integrity encompass a wide range of activities and require coordination among multiple private and public entities. In general, initiatives designed to fight fraud, waste, and abuse are considered program integrity activities. This includes processes directed at reducing payment errors to Medicare providers, as well as activities to prevent, detect, investigate, and ultimately prosecute health care fraud and abuse.

Because of the size and scope of the Medicare program, multiple government entities are involved in protecting Medicare's integrity. As the agency responsible for administering the Medicare program, the Centers for Medicare and Medicaid Services (CMS) oversees a network of private contractors that conduct various program integrity activities.
The six main types of activities are conducting audits, reviewing claims for medical necessity, identifying and investigating potentially fraudulent behavior, ensuring that Medicare pays only for services for which it has primary responsibility, educating providers on Medicare billing procedures, and managing a Medicare-Medicaid data match program to identify fraud that may affect both federal health insurance programs. Contractors refer suspected cases of fraud to the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) and the Department of Justice (DOJ) for further investigation and prosecution. Medicare program integrity activities are funded in statute, largely through the Medicare Integrity Program (MIP) and the Health Care Fraud and Abuse Control Program (HCFAC), which provide CMS and other federal agencies with dedicated funds to prevent fraud, waste, and abuse in Medicare.

This report provides an overview of Medicare's program integrity efforts. A definition of program integrity is presented, as well as descriptions of the types of activities, organizations, and agencies involved in protecting Medicare's integrity on a day-to-day basis. The report continues with a history of federal funding for Medicare's anti-fraud activities and a discussion of findings from recent studies on program integrity efforts. The report concludes with a brief description of current issues. This report will be updated to reflect legislative changes.

Contents

Introduction
Background on Medicare
Program Integrity Defined
Types of Program Integrity Activities
  Cost Report Auditing
  Medical Review
  Benefit Integrity
  Medicare Secondary Payer (MSP)
  Provider Education
  Medicare-Medicaid Data Match Program
Types of Program Integrity Contractors
  Claims Administration Contractors
  Program Safeguard Contractors (PSCs)
  Recovery Audit Contractors (RACs)
  Coordination of Benefits (COB) Contractor
  Medicare Managed Care Program Integrity Contractors (MMC-PICs)
  Medicare Drug Integrity Contractors (MEDICs)
  Quality Improvement Organizations (QIOs)
  Other Contractors
Medicare Program Integrity Partners
History of Funding for Medicare Program Integrity Activities
Current Funding for Medicare Program Integrity Activities
Assessment of Program Integrity Efforts
  Improper Payment Rates
  HCFAC Annual Reports
  GAO HCFAC Reports
  OMB Program Assessment Rating Tool (PART)
  Other GAO Reports
Current Program Integrity Issues
  Durable Medical Equipment
  Recovery Audit Contractor Program
  Program Safeguard Contractors
  Program Integrity Activities for Part D
Concluding Observations

Table 1. HCFAC and MIP Appropriations for Selected Fiscal Years
Table 2. Medicare National Paid Claim Error Rates and Gross Improper Payments for Every Two Years Between 1996 and 2008
Table 3. HCFAC Summary of Results and Accomplishments for Years 1998-2005

Author Contact Information

Introduction

According to the 2007 Medicare Trustees report, Medicare expenditures were $408 billion in FY2006 for 43.2 million beneficiaries.[1] In FY2008, Medicare is expected to cover an estimated 44.6 million beneficiaries[2] at a total cost of $456.3 billion.[3] The Congressional Budget Office (CBO) projects these expenditures to double over the next 10 years. The majority of Medicare spending, approximately 75%, is for benefits provided by Parts A and B, the fee-for-service portion of the program. As one of the fastest growing sectors of the federal budget, challenges exist in maintaining and ensuring the integrity of the nation's largest health insurance program.

Ensuring program integrity is typically discussed in connection with program administration and financial management issues. Its chief purpose is the effective and efficient use of taxpayer dollars. In general, initiatives designed to fight fraud, waste, and abuse are considered program integrity activities. This includes processes directed at reducing payment errors, as well as activities to prevent, detect, investigate, and ultimately prosecute health care fraud and abuse. More specifically, program integrity ensures that correct payments are paid to legitimate providers for appropriate and reasonable services for eligible beneficiaries.

Because of the size and scope of the Medicare program, multiple government entities are involved in preserving Medicare's integrity.
As the agency responsible for administering the Medicare program, the Centers for Medicare and Medicaid Services (CMS) oversees a network of private contractors that conduct a variety of program integrity activities as part of its Medicare Integrity Program (MIP). Examples of such activities include auditing providers, reviewing claims for medical necessity, and identifying and investigating alleged fraud. Contractors will develop and refer suspected cases of fraud to the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) and the Department of Justice (DOJ) for further investigation and prosecution.

Medicare program integrity activities are funded in statute, largely through the Medicare Integrity Program (MIP) and the Health Care Fraud and Abuse Control Program (HCFAC), which provide CMS and federal law enforcement agencies with dedicated funds to safeguard federal monies and prevent fraud, waste, and abuse in Medicare. The MIP and HCFAC programs were both established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) for the purpose of increasing and stabilizing federal funding for anti-fraud activities.[4]

This report provides an overview of Medicare's program integrity efforts. The report begins with a definition of program integrity, followed by detailed information on typical program integrity activities, a description of Medicare contractors and their role in ensuring Medicare integrity, and a discussion of other government agencies involved in protecting Medicare from fraud, waste, and abuse. A history of funding for Medicare's program integrity and anti-fraud activities is presented, as well as a discussion of findings from recent studies on program integrity activities. The report concludes with a brief description of current issues. Although this report addresses program integrity activities undertaken to combat fraud in Medicare's private Part C and D programs, it is largely focused on Medicare's approaches to ensure integrity in its fee-for-service program (Parts A and B), which constitute the largest share of Medicare spending.

[1] Centers for Medicare and Medicaid Services (CMS) Office of the Actuary, 2007 Medicare Board of Trustees Report, April 23, 2007, at http://www.cms.hhs.gov/ReportsTrustFunds/downloads/tr2007.pdf.
[2] Department of Health and Human Services, Budget in Brief, 2008, at http://www.hhs.gov/budget/08budget/2008BudgetInBrief.pdf.
[3] Congressional Budget Office (CBO), Medicare March 2007 Fact Sheet, at http://www.cbo.gov/ftpdocs/78xx/doc7861/m_m_schip.pdf.
[4] Section 1893 of the Social Security Act (SSA) governs the Medicare Integrity Program (MIP), and Section 1128C of the Social Security Act governs the Health Care Fraud and Abuse Control (HCFAC) program.

Background on Medicare

Medicare is the nation's health insurance program for persons aged 65 and older and certain disabled persons. Of the program's 43.2 million enrollees, approximately 85% are aged and the remaining 15% are disabled.[5] In 2006, spending on Medicare services accounted for an estimated 58% of total federal health expenditures and 20% of all national health expenditures.[6] The majority of Medicare spending, nearly 75%, is for benefits provided by Parts A and B, the fee-for-service portion of the program otherwise known as "original" or "traditional" Medicare. The remaining 25% is spent on private health care plans that deliver Medicare services to beneficiaries under Part C, the Medicare Advantage (MA) program, and Part D, the new prescription drug benefit.

Medicare consists of four distinct parts: Parts A, B, C, and D. Medicare Part A (Hospital Insurance) covers inpatient hospital services, skilled nursing facility services, home health, and hospice services.
Medicare Part B (Supplementary Medical Insurance) covers a variety of other medical services, such as physician services, outpatient hospital care, laboratory services, and durable medical equipment. Beneficiaries also have the option to enroll in a private Medicare Part C or MA plan to receive all required Part A and B benefits, and a private Medicare Part D or Prescription Drug Plan (PDP) for prescription drug benefits. Most beneficiaries who opt to enroll in a private plan choose an MA-PD (Medicare Advantage Prescription Drug) plan for combined Part C and D coverage. Approximately 80% of beneficiaries receive services through the fee-for-service portion of the program (original Medicare), and 20% of Medicare beneficiaries receive services through a private Part C MA plan.

Medicare pays for services in Parts A and B, or traditional Medicare, differently than it does for services under Parts C and D. Under the traditional fee-for-service program, Medicare pays providers directly for each specified unit of service delivered to a beneficiary. The unit of service may be a single procedure, visit, or test, or a group of services, such as a hospital stay. In contrast, for Parts C and D, Medicare pays private health plans to deliver Medicare services to beneficiaries. In addition, unlike Part A and B Medicare providers, private plans participating in Medicare are paid on a capitated basis as opposed to a fee-for-service basis. Under capitation, private plans receive a fixed monthly payment per enrollee regardless of the amount of services provided. Payment is made in advance for a pre-determined set of benefits: either Part A and B benefits administered by a Part C plan or prescription drug benefits administered by a Part D PDP plan.

[5] The disabled population includes persons under age 65 who receive cash disability benefits from Social Security or the Railroad Retirement systems for at least 24 months and persons under age 65 with end stage renal disease (ESRD).
[6] Centers for Medicare and Medicaid Services, National Health Expenditure Projections 2006-2016, at http://www.cms.hhs.gov/NationalHealthExpendData/downloads/proj2006.pdf.

Each method of payment produces conflicting financial incentives for health plans and providers. These conflicting incentives result in different forms of fraud and abuse unique to each payment system. Under fee-for-service, providers may have an incentive to over-utilize health care services or provide more care to beneficiaries in order to maximize reimbursement. The more services providers deliver, the more money they receive. The opposite is true in capitated payment systems. Under capitation, where the payment is a fixed monthly amount per enrollee, providers may have an incentive to limit health services or provide less health care to beneficiaries. A provider's reimbursement amount does not vary with the number of services delivered.

Medicare is administered by the Centers for Medicare and Medicaid Services (CMS) within the Department of Health and Human Services (DHHS). CMS contracts with more than 40 private entities to oversee day-to-day operations and conduct program integrity activities for Medicare Parts A, B, C, and D. Each year, Medicare contractors process nearly 1 billion claims from over 1 million providers enrolled in the Medicare program. In addition to processing and paying claims, contractors perform certain program integrity functions. Contractor activities are overseen by two departments within CMS: the Program Integrity Group and the Center for Beneficiary Choices. The Program Integrity Group is responsible for oversight related to Parts A and B. The Center for Beneficiary Choices is responsible for oversight activities related to Part C--the MA program. Both departments share oversight responsibility for Part D.

Program Integrity Defined

Program integrity is often discussed in connection with financial management and oversight issues.
It is considered an essential component of the efficient and effective administration of government programs and integral to accomplishing a program's social goals. In Medicare, one of these social goals is to ensure access to high-quality care for all beneficiaries. To meet this objective, Medicare implements activities designed to ensure that correct payments are made to legitimate providers for appropriate and reasonable services for eligible beneficiaries. On a practical level, program integrity activities are those directed at protecting the program from payment errors, fraud, and abuse.

Broadly defined, Medicare program integrity functions encompass two types of activities designed to safeguard program payments: (1) activities directed at reducing payment errors or improper payments and (2) activities directed at protecting the Medicare program from fraud, waste, and abuse. The first set of activities emphasizes prevention and relies largely on automated processes to detect improper or potentially fraudulent claims before they are paid. The second set of activities emphasizes the identification and detection of health care fraud through the analysis of claims after they have been paid. An effective program integrity strategy incorporates elements from both approaches.

To protect the Medicare Trust Fund from improper payments, CMS contracts with private organizations that review claims to determine whether the services provided are medically reasonable and necessary. Although program integrity activities directed at reducing improper payments will identify some instances of fraud, they are not specifically designed to do so. In Medicare, improper payments are largely the result of mistakes or inadvertent billing errors on the part of Medicare providers submitting claims or Medicare contractors processing claims.
Improper payments pose a significant financial risk to the Medicare program.[7] In November 2007, CMS reported a national paid claims error rate of 3.9%, which amounted to approximately $10.8 billion in expenditures.[8]

To protect the Medicare Trust Fund from fraud and abuse, CMS contracts with private organizations to conduct program integrity activities directed at identifying and detecting actual fraud. CMS typically classifies these activities as benefit integrity activities. Examples of benefit integrity methods may include performing ongoing data analysis of claims to identify aberrant billing patterns, developing fraud investigations, and referring suspected cases of fraud to law enforcement personnel for prosecution. Although law enforcement personnel may point to a deterrent effect associated with these types of activities, their focus is not on preventing fraud. Their focus is on tracking down offenders and recovering improper payments after fraud has been committed.

Although there is a certain level of overlap, program integrity approaches to address fraud and abuse in Medicare's fee-for-service program are generally different than those used to address fraud in Medicare's Part C and D private plans. These differences stem largely from differences in Medicare's payment structure. In fee-for-service, where providers have an incentive to provide more services, examples of fraud may include billing for services not rendered, billing multiple insurers for the same service, or accepting bribes or kickbacks for referring patients. In capitated payment systems, where providers have an incentive to provide fewer services, types of fraudulent activities may include employing misleading marketing tactics in an effort to discourage utilization, "cherry picking" or selectively enrolling healthy enrollees, or failing to provide medically necessary care. Historically, the government's anti-fraud methods have focused on combating fraud in the fee-for-service sector.
However, with enrollment in private Medicare plans on the rise, program integrity approaches to fight fraud in capitated payment systems are becoming more important.

Ensuring Medicare program integrity is a coordinated effort involving CMS, Medicare contractors, law enforcement agencies, providers, and beneficiaries. By analyzing billing data, monitoring improper payments, and investigating potential fraud, Medicare contractors play a significant role in the detection and prevention of health care fraud and abuse. When these activities reveal suspected fraudulent activity, contractors develop and refer cases to the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) for further investigation and administrative sanctions. If the OIG suspects federal criminal law has been violated, fraud cases are then referred to the Department of Justice (DOJ) for prosecution.

Types of Program Integrity Activities

To protect the Medicare program from improper payments, as well as fraud, waste, and abuse, CMS conducts six main types of program integrity activities: cost report auditing, medical review, benefit integrity, Medicare secondary payer, provider education, and operating a Medicare-Medicaid Data Match Program. These six functions are stipulated in law and are largely performed as part of CMS's MIP program.[9] CMS contracts with private organizations, otherwise known as Medicare contractors, to conduct these activities, the bulk of which are performed for Part A and B Medicare providers. Specific information on the types of private organizations that perform these functions is described in the next section.

[7] Since 1990, GAO has designated Medicare a high-risk program because of its vulnerability to improper payments.
[8] See CMS annual improper payment rate report for November 2007: https://www.cms.hhs.gov/apps/er_report/index.asp.
Cost Report Auditing

Part A Medicare providers such as hospitals, nursing homes, home health agencies, and other institutional providers are required to submit cost reports to CMS annually.[10] Cost reports contain information on the provider's allocation of costs across services. CMS contractors analyze these cost reports by conducting desk reviews. The objective of the desk review is to assess whether the reported costs are adequate and accurate, and to determine whether a more comprehensive, on-site audit is necessary. If the desk review reveals problems with the cost report, contractors will conduct field audits at the provider's place of business. Field audits are designed to ensure compliance with Medicare regulations and reimbursement policies and to obtain reasonable assurance that the cost report was prepared in accordance with Medicare laws, regulations, and instructions. The cost report auditing activity also includes audits of Medicare Part C or private MA plan cost reports.[11] Part B Medicare providers (physicians, outpatient hospital, durable medical equipment providers, and others) are not required to submit cost reports to CMS.

Medical Review

Medical review activities are designed to identify and prevent payment errors and mistakes in billing. More specifically, medical review activities ensure that a payment is appropriate for the service that is provided and meets professionally recognized standards of care. As part of this process, Medicare contractors review claims, largely through the use of automated computer edits, to verify that the services are (1) covered by Medicare, (2) provided by legitimate providers, (3) delivered to eligible beneficiaries, and (4) reasonable and medically necessary.[12]

[9] The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) created Section 1893 of the Social Security Act, which established the Medicare Integrity Program or MIP. As part of MIP, the legislation outlines the activities that are to be conducted in carrying out the program. Section 1893 also includes an additional activity. This activity is developing a list of items of durable medical equipment in accordance with section 1834(a)(15) that are subject to prior authorization. This item is not addressed in this report because CMS does not use MIP funds to support this activity.
[10] Generally, Part A Medicare providers are paid under a prospective payment system (PPS). With PPS, providers are paid pre-determined payment amounts based on specified units of service, such as hospital stays. When performing cost report audits, CMS reviews the few items that could affect a provider's payment under PPS, such as bad debt, organ procurement costs, payments for indirect and direct medical education, and the number of low-income patients hospitals serve. Recent studies conducted by GAO and MEDPAC have questioned the degree to which CMS's current audit process assesses the accuracy of Medicare costs for providers paid under PPS. See GAO-06-813, Medicare Integrity Program: Agency Approach for Allocating Funds Should be Revised, September 2006, at http://www.gao.gov/new.items/d06813.pdf, and MEDPAC, Report to the Congress: Sources of Financial Data on Medicare Providers, June 2004, at http://www.medpac.gov/publications/congressional_reports/june04_990_DataNeeds.pdf.
[11] Although the law requires that CMS annually audit the financial records of at least one-third of Part C MA plans, a recent GAO report released in July 2007 found that CMS did not document its process for ensuring that it met this requirement for years 2001-2005. See GAO-07-945, Medicare Advantage: Required Audits of Limited Value, July 2007, at http://www.gao.gov/new.items/d07945.pdf.
[12] Computerized edits also check for errors such as incomplete or duplicate claims, claims where diagnosis codes do not match procedure codes, and unallowable code combinations.
Medical review methods also include issuing Local Coverage Determinations (LCDs) for providers, which outline which items and services will be eligible for payment under the Medicare statute.[13] LCDs are used to develop and update computer edits on an ongoing basis. When an edit reveals a billing error or problem with a claim, Medicare contractors may conduct a manual pre-payment or post-payment claims review, request additional medical documentation from the provider, or contact beneficiaries to verify that the services were actually provided.[14]

Benefit Integrity

Benefit integrity involves the identification and investigation of potential fraud cases and referrals to law enforcement. CMS contractors hired to perform benefit integrity work may conduct national and regional data analysis to identify aberrant patterns of billing, request medical documentation from providers to verify services delivered, investigate beneficiary complaints related to fraud, educate providers about fraud detection and prevention, and review and process applications from certain Medicare providers. When fraud is suspected, contractors refer cases to the OIG or law enforcement for further investigation, prosecution, or both. Benefit integrity activities may also include recoupment of overpayments and suspension of future payments when fraud is suspected.

Medicare Secondary Payer (MSP)

MSP activities ensure that Medicare pays only for those services where it has primary responsibility for payment. Under MSP rules, Medicare is prohibited from making payments for any item or service when payment has been made or can reasonably be expected to be made by certain third-party payers. Statutorily, Medicare is the secondary payer to employer-based insurance plans, auto liability insurance, and workers compensation insurance. CMS maintains a comprehensive database of all Medicare beneficiaries' health insurance information and uses the database to conduct investigations related to MSP.
Provider Education

To help prevent errors and keep providers abreast of any changes in Medicare billing and coding procedures, contractors are required to conduct regular outreach and educational activities. Examples of educational activities include seminars, workshops, articles and fact sheets, and other website publications. Provider education activities also include developing resources for providers to help them avoid and detect fraud, waste, and abuse. When billing problems or improper payments are identified, CMS contractors are required to work with Medicare providers directly to correct mistakes.

[13] A Local Coverage Determination (LCD), as established by Section 522 of the Benefits Improvement and Protection Act of 2000 (BIPA, P.L. 106-554), is a decision by a fiscal intermediary or carrier whether to cover a particular service on an intermediary-wide or carrier-wide basis in accordance with Section 1862(a)(1)(A) of the Social Security Act (i.e., a determination as to whether the service is reasonable and necessary).
[14] Manual pre-payment and post-payment claims reviews are initiated only after billing problems have been identified with a provider. Under pre-payment review, contractors will conduct a manual medical review on a percentage of claims before payment is made. When conducting postpayment review, contractors examine a statistically valid sample of paid claims from a provider.
[15] For more information on Medicare Secondary Payer, see CRS Report RL33587, Medicare Secondary Payer: Coordination of Benefits, by Hinda Chaikind.

Medicare-Medicaid Data Match Program

Referred to as the Medi-Medi program, this activity is designed to identify fraudulent or improper billing practices that affect both Medicare and Medicaid programs. By matching data across both programs, CMS investigates atypical billing patterns that may not be evident when analyzing the data from each program separately. When problems are identified, CMS works with the states to initiate payment recovery actions.
CMS currently has Medi-Medi projects in 10 states and plans to expand the program nationwide.

Types of Program Integrity Contractors

To conduct the six program integrity activities described in the previous section, CMS contracts with a mix of different private organizations, called Medicare contractors. The types of program integrity activities undertaken by the different contractors vary depending on their Statement of Work (SOW). Some process and pay Medicare claims in addition to performing select program integrity functions (Claims Administration Contractors). Program Safeguard Contractors (PSCs), Recovery Audit Contractors (RACs), and the Coordination of Benefits (COB) contractor specialize solely in program integrity and fraud prevention activities for Part A and B Medicare providers. Medicare Managed Care Program Integrity Contractors (MMC-PICs) and Medicare Drug Integrity Contractors (MEDICs) handle a wide variety of anti-fraud activities for Part C MA plans and Part D PDPs. Finally, Quality Improvement Organizations (QIOs) are responsible for safeguarding payments to inpatient hospitals. A brief description of each of these contractors and their scope of work is provided below. This list is not exhaustive.

Claims Administration Contractors

Claims administration contractors include Fiscal Intermediaries (FIs), Carriers, and Medicare Administrative Contractors (MACs).[16] FIs process claims for Part A providers (hospital, home health, and skilled nursing facilities), and Carriers process claims for Part B providers (physician, laboratory, and durable medical equipment [DME] providers).[17] MACs process claims for both Part A and B providers. In addition to processing and paying claims, these contractors perform certain program integrity tasks related to medical review, which includes reviewing claims to ensure that Medicare pays for services that are reasonable and medically necessary.
They also perform other program integrity-related tasks, such as conducting provider audits, educating providers on appropriate billing practices, and screening beneficiary complaints related to alleged fraud. 16 Section 911 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA, P.L. 108-173) mandated that the Secretary implement Medicare fee-for-service (FFS) contracting reform. Effective October 1, 2005, the Secretary has the authority to replace the current claims administration contractors (FIs and Carriers) with performance-based Medicare Administrative Contractors, otherwise known as MACs, by 2011. MACs will process and pay claims for both Part A and B Medicare providers. Contracting reform is expected to generate savings to the government by promoting greater efficiency in processing Medicare claims. 17 DME includes items such as hospital beds, wheelchairs, respirators, walkers, and artificial limbs specifically for home use. According to CMS FY2008 Budget Justification, there are currently 23 FIs, 17 Carriers, 1 A/B MAC, and 3 DME MACs in operation. ¢ PSCs specialize in benefit integrity functions, which focus on detecting and investigating potential fraud and abuse in Parts A and B. By performing ongoing data analysis to identify potentially fraudulent billing patterns and investigating leads from a variety of sources (law enforcement agencies, CMS, beneficiaries, and Medicare supplemental insurers), PSCs identify suspected cases of fraud and make appropriate referrals to the OIG for consideration of civil or criminal prosecution. PSCs will also arrange Medicare training for law enforcement officials at the Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) when requested. PSCs conducting benefit integrity work have the authority to suspend and deny payments and initiate payment recoupment. Some PSCs also perform medical review functions. 
Separate PSCs detect alleged Medicare fraud among durable medical equipment providers (DME PSCs).18 ¢ RACs are responsible for reducing the rate of Medicare improper payments in Parts A and B by identifying under- and overpayments made to providers, recovering overpayments, and working with providers to prevent future improper payments. Section 306 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (P.L. 108-173) authorized the Secretary to contract with RACs as a three-year demonstration project. The RAC initiative was made permanent with the Tax Relief and Health Care Act of 2006 (P.L. 109-432). There are currently six RACs operating in three states: New York, California, and Florida. CMS expects to expand the program nationwide by 2010. Additional information on RACs is included in the current issues section. The main purpose of the COB contractor is to identify payments that are the responsibility of another or secondary payer. Statutorily, Medicare is the secondary payer to employer-based insurance plans, auto liability insurance, and workers compensation insurance. By using data match programs, the Medicare COB is responsible for the collection, management, and reporting of other health insurance coverage for Medicare beneficiaries. In January of 2001, the COB contractor assumed responsibility for researching and conducting all MSP claim investigations. There is one COB contractor that handles all program integrity functions related to MSP. ¢ CMS currently maintains eight MMC-PIC contracts, which are responsible for identifying and detecting fraud, waste, and abuse in Medicare Part C MA plans. Among the services performed by MMC-PICs are evaluating the marketing operations of Part C plans, auditing plan financial and medical records, evaluating enrollment and encounter data from Part C plans, and completing all retroactive payment adjustments and retroactive enrollments or disenrollments submitted by MA organizations. 
18 Currently, CMS has 18 active benefit integrity PSC task orders--15 for Medicare Parts A and B and 3 for DME.

As part of its Part D oversight program, CMS awarded four MEDIC contracts in FY2006. One MEDIC was operational in FY2006, and the remaining three MEDICs began operations in FY2007. MEDICs have responsibility for monitoring program integrity and potential fraud issues that may arise with the new prescription drug benefit. The areas of oversight the MEDICs are involved with include reviewing bids from prescription drug plans for participation in the program, conducting audits of Part D participating organizations, investigating fraud complaints from beneficiaries, and making referrals to law enforcement as necessary.

QIOs are responsible for providing technical assistance to Medicare providers on quality improvement, conducting medical review activities, and investigating beneficiary complaints related to inappropriate or medically unnecessary care. Although QIOs provide technical assistance to all types of Medicare providers (physicians, hospitals, nursing homes, and home health agencies), the majority of their medical review activities relate to care provided in inpatient hospitals. As part of their medical review function, QIOs take measures to reduce the hospital improper payment rate, ensure compliance with Medicare billing codes and procedures, and assess whether the care provided to beneficiaries meets professionally recognized standards. When a QIO determines, either through its medical review activities or beneficiary complaints, that the care provided does not meet Medicare standards, it will work with the provider to rectify deficiencies or refer the case to law enforcement for sanctions.19

CMS contracts separately for program integrity activities related to suppliers of DME.
These include the National Supplier Clearinghouse (NSC), Data Analysis and Coding (DAC) Contractor, and Durable Medical Equipment Program Safeguard Contractors (DME PSCs). The NSC is responsible for enrolling DME suppliers in the Medicare program, conducting site visits to DME facility locations, and issuing Medicare billing numbers to suppliers. The DAC performs ongoing data analysis on supplier billing patterns, and the DME PSCs are responsible for detecting and investigating alleged fraud among DME suppliers.

19 Recent studies and news articles on the activities of QIOs have raised concerns related to the QIOs' ability to effectively monitor the quality of care provided to Medicare beneficiaries. For example, an OIG report released in May 2007 reported that between 2003 and 2006, the QIOs assigned more than 80% of confirmed quality concerns to two of the least serious quality classifications. (See OEI-01-06-00170: Quality Concerns Identified Through QIO Medical Record Review, May 2007, at http://oig.hhs.gov/oei/reports/oei-01-06-00170.pdf). In February 2006, the Institute of Medicine (IOM) recommended in a congressionally mandated report that CMS consider removing medical review functions from the QIOs' responsibilities, mainly because the number of sanctions issued to providers for quality violations has declined over time. (See IOM Report Medicare's Quality Improvement Organization Program: Maximizing Potential, March 2006, at http://www.nap.edu/catalog.php?record_id=11604).

CMS shares responsibility for ensuring Medicare program integrity with three federal agencies: the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG), the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI). The OIG is an independent unit within DHHS that has the primary responsibility for detecting health care fraud and abuse in all federal health care programs.
Most of its work, however, relates to the Medicare and Medicaid programs. The agency conducts audits of health care programs, providers, and agencies, and it performs criminal and civil investigations related to specific instances of health care fraud or abuse. CMS contractors, upon detecting potential fraud, will develop and refer cases to the OIG for further investigation and possible administrative sanctions. The OIG has the authority to impose civil monetary penalties20 and program exclusions21 on Medicare providers that have been convicted of certain fraudulent activities. The OIG does not have the authority to prosecute offenders for violations of federal criminal law. In these instances, the OIG would refer the case to the DOJ for prosecution. During FY2005, the OIG excluded 3,804 individuals for health care fraud.22 The OIG receives referrals for potential fraud cases from Medicare contractors, beneficiaries, the DOJ, and private citizens.23 Annually, OIG releases a work plan, which is available publicly, outlining its priorities for the upcoming fiscal year. These areas represent vulnerabilities in the Medicare program. For FY2007, vulnerabilities include oversight of DME suppliers, accuracy of payments to home health agencies, quality of care in nursing homes, and potential fraud in Medicare Part D.24 The FBI is the lead investigative agency in the fight against health care fraud. Unlike the OIG, which has the authority to investigate fraud only in federal programs, the FBI has jurisdiction over both federal and private sector health care fraud. Typically, the agency investigates complex fraud schemes involving large-scale medical providers, such as hospitals and corporations. The FBI does not have the authority to impose sanctions. Currently, the FBI is participating in a workgroup with CMS, DOJ, the OIG and others dedicated to investigating fraud in the Medicare Part D program. 
In FY2006, FBI-led investigations resulted in 535 criminal health care fraud convictions.25 20 Section 1128A of the Social Security Act authorizes the Secretary to impose penalties and assessments on persons for engaging in certain activities. For example, a person who knowingly submits a false claim to a federal health care program is subject to a penalty of up to $10,000 for each item or service fraudulently claimed, an assessment of up to three times the amount fraudulently claimed, and possible exclusion. 21 Section 1128 of the Social Security Act authorizes the Secretary to exclude individuals and entities from participation in federal health care programs. Exclusions are authorized for convictions of criminal offenses related to the delivery of health care, including (1) Medicare or Medicaid fraud, (2) patient abuse or neglect, (3) felonies for other health care fraud, and (4) felonies for the illegal manufacture, distribution, prescription, or dispensing of controlled substances. The Secretary has discretionary authority to exclude individuals on other grounds, such as health care fraud offenses involving misdemeanors, license suspension or revocation, provision of unnecessary or substandard services, submission of false or fraudulent claims, and engaging in unlawful kickback arrangements. 22 Health Care Fraud and Abuse Control (HCFAC) Annual Report for FY2005, at http://oig.hhs.gov/publications/docs/ hcfac/hcfacreport2005.pdf. 23 Under the Federal False Claims Act, 31 U.S.C. §§ 3729-3733, private citizens and relators may file suit on behalf of the U.S. government. Relators are private persons with direct knowledge of health care fraud who file complaints on behalf of the federal government. They are entitled to a percentage of any fraud recoveries. 24 See http://oig.hhs.gov/publications/docs/workplan/2007/Work%20Plan%202007.pdf. 
25 Taken from testimony of Alexander Acosta, United States Attorney for the Southern District of Florida, Miami, at House Committee on Ways and Means Health and Oversight Subcommittee Hearing on Medicare Program Integrity, March 8, 2007, at http://waysandmeans.house.gov/hearings.asp?formmode=view&id=5581. ¢ CMS contractors, the OIG, and the FBI all refer potential health care fraud cases to the DOJ for prosecution. Within the DOJ, the Civil and Criminal Divisions handle health care fraud. One of the enforcement tools for prosecuting health care fraud is the False Claims Act (FCA), which prohibits knowingly submitting false or fraudulent claims to the U.S. government.26 Lawsuits may be brought by private plaintiffs, known as relators or whistleblowers, under the FCA. There are also 93 U.S. Attorneys Offices nationwide, which prosecute civil and criminal health care fraud. During FY2006, prosecutors for the DOJ and U.S. Attorneys Offices opened 836 new criminal and 698 new civil health care fraud investigations.27 Finally, Medicare beneficiaries are a source for detecting fraud. Beneficiaries who suspect fraud can call the OIG's National Fraud Hotline at 1-800-HHS-TIPS. To educate beneficiaries on how to detect and report fraud and abuse, the Administration on Aging oversees Senior Medicare Patrol Projects, which recruit retired professionals in all 50 states to conduct one-on-one and group training sessions for Medicare beneficiaries. The OIG collects annual performance data on these projects and in its most recent report (April 2007) reported that in 2006, Medicare patrol projects received 11,830 fraud complaints from beneficiaries; of this amount, 4,123 were referred for further investigation.28 Contractors investigating anomalies in billing patterns may also contact beneficiaries to verify that the services claimed were actually received by the beneficiary. 
Medicare program integrity and anti-fraud activities are funded through the Medicare Integrity Program (MIP) and Health Care Fraud and Abuse Control (HCFAC) program. The MIP and HCFAC programs were both established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sought to increase and stabilize federal funding for health care anti-fraud activities. Specifically, HCFAC funds are directed to the enforcement and prosecution of all health care fraud, whereas MIP funding supports the Medicare program integrity activities undertaken by CMS contractors. HIPAA authorized the creation of the HCFAC program, which was to be jointly administered by the Secretary of HHS and the Attorney General. To fund the program, HIPAA established within the Hospital Insurance (HI) Trust Fund an expenditure account called the HCFAC account. All amounts equal to monies collected from health care investigations and enforcement efforts are to be deposited into the HI Trust Fund.29

26 Under the Federal False Claims Act, 31 U.S.C. §§ 3729-3733, a person or entity is liable for up to treble damages and a penalty between $5,500 and $11,000 for each false claim it knowingly submits or causes to be submitted to a federal program.

27 Taken from testimony of Alexander Acosta, United States Attorney for the Southern District of Florida, Miami, at House Committee on Ways and Means Health and Oversight Subcommittee Hearing on Medicare Program Integrity, March 8, 2007, at http://waysandmeans.house.gov/hearings.asp?formmode=view&id=5581.

28 See OEI-02-07-00360: Performance Data for the Senior Medicare Patrol Projects, April 2007, at http://www.oig.hhs.gov/oei/reports/oei-02-07-00360.pdf

29 As specified in Section 1817(k)(C) of the Social Security Act (SSA), amounts equal to the following are to be deposited into the Federal Hospital Insurance Trust Fund from the U.S.
Treasury: (1) amounts equaling unconditional gifts and bequests; (2) criminal fines recovered in cases involving a federal health care offense as defined in Title 18 U.S.C. § 982(a)(6)(B); (3) civil monetary penalties and assessments imposed in health care cases, including amounts (continued...) ¢ Within the HCFAC account, HIPAA authorized funding for health care anti-fraud activities undertaken by HHS, DOJ, OIG, and the FBI for years 1997-2003. All HIPAA appropriations were capped at the FY2003 level and remained at the FY2003 level through FY2006.30 HIPAA established that up to $104 million could be appropriated for health care anti-fraud and abuse activities undertaken by the HHS, DOJ, and OIG in FY1997. For FY2003-FY2006, this amount would increase to $240.6 million. Within these amounts, HIPAA earmarked specific funding amounts for activities undertaken by the OIG. The annual OIG appropriation increased from $70 million in FY1997 to a maximum of $160 million for fiscal years 2003 through 2006. HIPAA authorized a separate funding stream for the FBI. The annual FBI appropriation increased from $47 million in FY1997 to $114 million for fiscal years 2003 through 2006. The largest share of the HCFAC appropriation was dedicated to the MIP program, which increased from $440 million in FY1997 to $720 million for fiscal years 2003 through 2005. Prior to HIPAA and the establishment of the MIP program, funding for Medicare program integrity activities was taken from Medicare's program management budget, which was subject to the annual appropriations process. This sometimes led to fluctuations in funding, as monies originally intended to support program integrity functions were redirected to fund ongoing Medicare operations, such as day-to-day claims processing functions. With the passage of this legislation, HHS was ensured a stable funding source that it could commit to Medicare anti-fraud activities. 
Prior to HIPAA, Medicare program integrity approaches relied heavily on "pay and chase" methods, which entailed paying claims and then chasing after providers to recover inappropriate payments. Long-term financial support was intended to assist CMS in developing more innovative and preventive strategies to combat fraud and abuse, such as reviewing claims prior to payment as opposed to after payment. During years 1997 through 2005, total funding for program integrity and health care fraud and abuse activities almost doubled, increasing from approximately $0.6 billion in FY1997 to $1.1 billion by FY2005. The Deficit Reduction Act (DRA) of 2005 raised funding for the MIP program by $112 million for FY2006 to implement program integrity and oversight activities for the Medicare prescription drug benefit. This increased the annual MIP allocation from $720 million in FY2005 to $832 million for FY2006 only. Twelve million of this additional appropriation in FY2006 was earmarked for the Medi-Medi data matching program. The DRA provided increasing amounts for the Medi-Medi program through year 2010.31 Table 1 shows the allocation of HCFAC and MIP appropriation amounts for selected years between 1997 and 2007. (...continued) recovered under titles XI, XVIII, and XIX, of the SSA and Chapter 38 of Title 31 of the U.S.C.; (4) amounts resulting from the forfeiture of property by reason of a federal health care offense; and (5) penalties and damages obtained under the False Claims Act, 31 U.S.C. §§ 3729-3933. 30 The one exception to this is the Deficit Reduction Act's increase for the MIP program, from $720 million to $832 million, for year 2006 only. 31 The DRA appropriated $12M for the Medi-Medi program in FY2006, $24M in FY2007, $36M in FY2008, $48M in FY2009, and $60M in FY2010 and each year thereafter. 
Table 1. HCFAC and MIP Appropriations for Selected Fiscal Years
(dollars in thousands)

| | 1997 | 2001 | 2003 | 2005 | 2006 (a) | 2007 (CR Level) (b) |
|---|---|---|---|---|---|---|
| HCFAC | | | | | | |
| HHS | $11,800 | $8,428 | $31,143 | $31,143 | $31,143 | $32,296 |
| DOJ | $22,200 | $43,469 | $49,415 | $49,415 | $49,415 | $51,243 |
| OIG | $70,000 | $130,000 | $160,000 | $160,000 | $160,000 | $165,920 |
| FBI | $47,000 | $88,000 | $114,000 | $114,000 | $114,000 | $118,218 |
| TOTAL | $151,000 | $269,897 | $354,558 | $354,558 | $354,558 | $367,677 |
| MIP | $440,000 | $680,000 | $720,000 | $720,000 | $820,000 | $720,000 |
| Medi-Medi | | | | | $12,000 | $24,000 |
| TOTAL | $591,000 | $949,897 | $1,074,558 | $1,074,558 | $1,186,558 | $1,111,677 |

Source: Data extracted from 1997, 2001, 2003, and 2005 HCFAC Annual Reports and CMS Justification of Estimates for Appropriations Committees FY2008.
a. HIPAA capped appropriations for HCFAC and MIP at the FY2003 level. Congress, with the passage of the DRA in 2005, increased the amount for MIP for FY2006 only.
b. The 2007 CR Level includes the percentage increase in the consumer price index as mandated by the Tax Relief and Health Care Act (TRHCA) of 1996 for HCFAC.

In addition to HCFAC and MIP mandatory funds, each year Congress appropriates funds to support CMS contractor operations as part of its annual program management request (not shown in Table).32 A portion of these funds are directed to the claims administration contractors to conduct program integrity functions. According to the final rule on the MIP program published on August 24, 2007, approximately one-third of the total contractor budget was dedicated to program integrity activities in FY2004. The funding level for contractor activities that same year was $1.7 billion. In FY2007, funding for contractor operations had increased to $2.1 billion, an increase of approximately $420 million from FY2004.33

In December 2006, Congress passed the Tax Relief and Health Care Act of 2006 (P.L. 109-432), which extended the mandatory annual appropriation for HCFAC to 2010.
For fiscal years 2007 through 2010, the mandatory annual appropriation would be the limit for the preceding year plus the percentage increase in the consumer price index for urban consumers. For each fiscal year beyond 2010, the mandatory annual appropriation would be capped at the FY2010 level. Funding for MIP, however, was not addressed with this legislation and will remain capped at the FY2003 level of $720 million plus the additional DRA appropriation for the Medicare-Medicaid data matching program. For FY2008, the President's budget included a request of $183 million in discretionary funds to augment the $1.1 billion in mandatory funding for the health care fraud and abuse control program. The HCFAC account has not been funded using discretionary funds in prior years. Of this $183 million, $138 million would have been allocated to MIP for oversight activities related to the prescription drug program. The House and Senate proposed $383 million in discretionary funds for these activities. The amended version of the Consolidated Appropriations Act of 2008 (H.R. 2764), signed by the President on December 26, 2007, did not include funding for the health care fraud and abuse control program.

32 Funding for program integrity activities conducted by Medicare QIOs comes from a separate QIO budget. QIOs are funded via a three-year mandatory apportionment from the Medicare Trust Funds rather than an annual discretionary appropriation. The three-year budget for the QIO program, which runs from August 2005-August 2008, is approximately $1.25 billion.

33 CRS analysis of CMS financial data for years 2004 and 2007: http://www.cms.hhs.gov/CapMarketUpdates/Downloads/2007WalletCard.pdf.

There are a limited number of performance statistics and reports available to help policy makers evaluate the success of Medicare's program integrity efforts. Studies to date have generally examined the performance of the HCFAC and MIP programs separately.
When the HIPAA legislation was passed in 1996, Congress mandated that DOJ and HHS report annually the results and accomplishments of its HCFAC efforts to the public. The legislation also required that the Government Accountability Office (GAO) biennially assess the appropriateness and adequacy of HCFAC expenditures for fraud control efforts. However, Congress did not require that HHS, DOJ, or GAO evaluate the MIP program as part of these assessments. As a result, there is less empirical data available on MIP performance than on the results of the HCFAC program. To date, the most comprehensive evaluation on MIP program integrity efforts was a study released by GAO in September of 2006, which identified weaknesses in the methods CMS uses to allocate funds across five MIP program integrity activities (cost report auditing, medical review, benefit integrity, medicare secondary payer, and provider education). This section summarizes findings from reviews and studies conducted on the HCFAC and MIP programs during the past decade. ¢ When assessing the performance of the MIP program, CMS relies on statistics measuring the percentage of improper payments the Medicare program makes to providers each year. CMS produces midyear and annual improper payment reports, which can be accessed publicly on the agency website.34 To measure improper payments in fee-for-service Medicare, CMS calculates a national paid claims error rate, contractor-specific improper payment rates, and provider-specific improper payment rates. 
The national paid claims error rate consists of the Comprehensive Error Rate Testing Program (CERT), which calculates error rates for all Medicare contractors that process and pay Part A and B claims, and the Hospital Payment Monitoring Program (HPMP), which calculates an error rate for Medicare's QIOs, which are responsible for ensuring appropriate payments to inpatient hospitals. Improper payment rates have not yet been created for Medicare Parts C and D.35

34 The Improper Payments Information Act of 2002 requires federal agencies to estimate and report their annual rate of improper payments. To access CMS annual improper payment rate reports, visit https://www.cms.hhs.gov/apps/er_report/index.asp.

CMS uses the contractor-specific error rates to evaluate the performance of its MIP contractors: FIs, Carriers, and QIOs. To keep their improper payment rates low, contractors are expected to continually educate the provider community on Medicare coverage and coding policies. CMS uses the provider-specific error rates to determine where it should target its provider education efforts. Despite its value as a tool for estimating payment accuracy and administrative efficiency in claims processing, the improper payment rate does not measure fraud and abuse in the Medicare program. It is mainly a measure of administrative errors. According to CMS's most recent improper payment rate report, the main types of payment errors are incorrect coding by providers, claims for medically unnecessary services, and claims submitted with insufficient or no documentation. In its November 2007 report, CMS reported a national claims error rate of 3.9%, which amounted to approximately $10.8 billion in improper payments. This is down from 4.4% in 2006, 5.2% in 2005, and 10.1% in 2004. At the time the HIPAA legislation was passed in 1996, the OIG calculated a Medicare improper payment rate of 14.2%, or approximately $23.2 billion in improper payments.
CMS has set a goal to reduce the error rate to 3.8% by the end of FY2008. Table 2 lists the national paid claims error rates and the total in gross improper payments for every two years between 1996 and 2008. In April 2006, the GAO reported that the significant reduction in Medicare's national paid claims error rate between years 2004 and 2005 was largely due to CMS's efforts to educate providers about the importance of submitting requested documentation to justify payments. When providers do not respond to requests for additional documentation, CMS automatically counts the payments as erroneous. According to GAO, despite the success and importance of these educational efforts, they do not reflect an improvement in payment safeguards or internal controls implemented by CMS.36

Table 2. Medicare National Paid Claim Error Rates and Gross Improper Payments for Every Two Years Between 1996 and 2008
(dollars in billions)

| Year | National Paid Claims Error Rate (as a % of FFS expenditures) | Gross Improper Payments (a) |
|---|---|---|
| 1996 | 14.2% | $23.2 |
| 1998 | 8.4% | $14.9 |
| 2000 | 9.4% | $16.4 |
| 2002 | 8.0% | $17.1 |
| 2004 (b) | 10.1% | $21.7 |
| 2006 | 4.4% | $10.8 |
| 2008 (est.) | 3.8% | -- |

Source: CMS and OIG Improper Payment Rate Reports for years 1996-2007.
a. CMS arrives at a gross improper payment amount by adding underpayments to overpayments.
b. From 1996-2002, the OIG calculated an error rate based on approximately 6,000 claims. Beginning in 2003, CMS took over the calculation of the error rate from OIG and expanded the sample of claims reviewed from 6,000 to approximately 128,000.

35 According to testimony prepared by Tim Hill of the Office of Financial Management at CMS, CMS is in the process of developing payment error rates for Part C and Part D. Medicare Part C currently represents approximately 15% of Medicare's total outlays. Excerpt taken from hearing on Medicare Program Integrity for the Health and Oversight Subcommittee, House Ways and Means Committee, March 8, 2007, at http://waysandmeans.house.gov/hearings.asp?formmode=view&id=5580.

36 See GAO-06-581T: Challenges Continue in Meeting Requirements of the Improper Payments Information Act, April 2006, at http://www.gao.gov/new.items/d06581t.pdf.

HIPAA requires that every year DHHS and the DOJ release a joint annual report to Congress on HCFAC results and accomplishments. Typically, these reports are released late summer or early fall and contain the amounts deposited into the HI Trust Fund for health care fraud enforcement and the justifications for these expenditures. Numbers and examples of enforcement actions, program accomplishments, and total recoveries in health care fraud cases are also described. The most recent annual HCFAC report indicates that the federal government won or negotiated approximately $1.5 billion in judgements and settlements related to health care fraud in FY2005 and returned $1.6 billion to the HI Trust Fund as a result of these efforts.37 This is compared with $.6 billion in judgements and settlements and $1.5 billion returned to the trust fund in FY2004. Although the dollar value in fraud recoveries fluctuates from year to year, the amount of money transferred to the HI Trust Fund as a result of health care fraud enforcement efforts has been steadily increasing since 1998. Furthermore, the number of new civil and criminal investigations has accelerated, particularly in recent years. There is debate as to whether the increase in enforcement actions is actually the result of more fraud and abuse in Medicare.
Some experts contend that the increase is the result of having more resources to fight and detect health care fraud, as opposed to an actual increase in the amount of fraud. Others indicate that the definition of what constitutes health care fraud has expanded over the years, making it appear as though fraud has escalated when the actual level has remained relatively steady.38 Table 3 provides a summary of HCFAC fraud recoveries, transfers to the HI Trust Fund, and enforcement actions for years 1998 through 2005. Table 3 also highlights payment amounts awarded to relators or whistleblowers. Relators are private persons with direct knowledge of health care fraud who file complaints on behalf of the federal government under the False Claims Act. Relators are entitled to a share of the recoveries in successful cases. As the table demonstrates, these individuals are a significant referral source for health care fraud. In 1998, the federal government paid relators $4.3 million in settlements. By 2002, this amount had increased to $101.2 million. In 2005, relators payments had risen to $136.8 million. 37 Health Care Fraud and Abuse Control (HCFAC) Annual Report for FY2005, at http://oig.hhs.gov/publications/docs/ hcfac/hcfacreport2005.pdf. The difference between the amount collected in fraud recoveries and the amount transferred to the HI Trust Fund in any given year can be attributed to the fact that fraud litigation is a lengthy process that can sometimes take several years. As a result, some of the judgements, settlements, and administrative actions that occurred in one year may not result in monies being transferred to the trust fund until one or more years later. 38 Health Care Fraud and Abuse: Practical Perspectives, Chapter 4, 2004. 
Table 3. HCFAC Summary of Results and Accomplishments for Years 1998-2005

| | 1998 | 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 |
|---|---|---|---|---|---|---|---|---|
| Monetary Results | | | | | | | | |
| Fraud Recoveries (a) | $0.5B | $0.5B | $1.2B | $1.7B | $1.8B | $1.8B | $0.6B | $1.5B |
| Transfers to the Trust Fund | $0.3B | $0.4B | $0.6B | $1.0B | $1.4B | $0.7B | $1.5B | $1.6B |
| Enforcement Actions | | | | | | | | |
| New Criminal Health Care Fraud Investigations | 322 | 371 | 457 | 445 | 361 | 870 | 1,002 | 935 |
| New Civil Health Care Fraud Investigations | 107 | 91 | 233 | 188 | 221 | 231 | 868 | 778 |
| FBI Health Care Fraud Investigations | 2,700 | 3,027 | 2,980 | 2,870 | 2,418 | 2,262 | 2,468 | 2,547 |
| Program Exclusions | 3,021 | 2,976 | 3,350 | 3,746 | 3,448 | 3,275 | 3,293 | 3,804 |
| Relators Payments | $4.3M | $44.4M | $90.0M | $83.3M | $101.2M | $269.6M | $82.9M | $136.8M |

Source: HCFAC Reports from FY1998-2005.
a. The amount the federal government won or negotiated in judgements, settlements, and administrative impositions in health care fraud cases.

Congress did not require that HHS and DOJ include expenditures or results for the MIP program in these reports. Therefore, these reports are only an indication of HCFAC's successes and challenges in the area of health care fraud enforcement and prosecution and not fraud prevention, which is a key objective of the MIP program. In addition, these reports do not separate out funding and expenditures for specific enforcement actions related to Medicare, Medicaid, or other health care programs.39

HIPAA also required that GAO submit a report to Congress every two years on HCFAC appropriations and deposits. Starting in June 1998, GAO released four reports using data from the HCFAC annual reports for years 1997 through 2003. The most recent and final report, released in April 2005, reviewed HCFAC activities for years 2002 and 2003. Similar to the HCFAC annual reports, these studies do not include MIP in their analysis.
In all four reports, GAO noted that while HCFAC deposit amounts reported to the HI Trust Fund were consistent with the HIPAA legislation, HHS included a measure of cost savings resulting from health care fraud enforcement efforts that could not entirely be attributed to the HCFAC program.40 In addition, because fraud investigation and litigation take several years, savings may not be realized until future years. The Office of Management and Budget (OMB) echoed a similar finding in its Program Assessment Rating Tool (PART) evaluation of the HCFAC program in 2004 (see description below). Despite this weakness, GAO consistently found HHS's and DOJ's accounting of HCFAC deposits and expenditures to be fiscally appropriate and accurate.

39 The HIPAA legislation does not require that HHS or DOJ separately track Medicare and non-Medicare expenditures. DOJ officials commented in a 2002 GAO Report on the HCFAC program that it is not practical to separate non-Medicare and Medicare expenditures because of the nature of health care fraud (GAO-02-731: Medicare, Health Care Fraud and Abuse Control Program for Fiscal Years 2000 and 2001, June 2002). Health care fraud cases typically cross several health care programs, making it difficult to attribute expenses and recoveries to separate programs.

40 The OIG defines cost savings as funds put to better use as a result of implemented legislative or other program initiatives.

In 2002, OMB evaluated the HCFAC and MIP programs separately using the PART, a 25-question survey addressing federal agency management and performance. The agency noted conflicting assessments for both programs. HCFAC received a "results not demonstrated" rating, and OMB criticized the OIG for not having sufficient performance measures to assess the program's progress in reducing fraud, waste, and abuse.
Specifically, OMB noted that savings is not a good indicator of performance because it is too difficult to ascertain how much of the reported savings is the direct result of HCFAC activities conducted during the previous year. In the 2005 HCFAC annual report, the OIG estimates that health care fraud activities in 2005 (investigations, audits, and evaluations) resulted in savings of approximately $30.0 billion, of which $22.9 billion could be accrued to the Medicare program.

At the same time OMB gave HCFAC a "results not demonstrated" rating, the agency gave MIP an "effective" rating--the highest rating a program can receive. OMB attributes this largely to the OIG's and CMS's measurement and reduction of the annual Medicare improper payment rate. CMS often cites the improper payment rate as a measure of its performance in protecting Medicare from fraud, waste, and abuse. In the PART report, OMB notes that at the time MIP was created in 1996, OIG estimated the improper payment rate at 14.2%. By 2006, the rate had dropped to 4.4%.

Subsequent GAO reports released over the last few years have raised questions about how HCFAC and MIP funding are being used. An April 2005 report on HCFAC funding for the FBI found that the agency could not adequately demonstrate that its share of HCFAC expenditures for FY2000-FY2003 was used for health care investigations. The study showed that funds previously devoted to fighting health care fraud at the FBI had been shifted to counterterrorism activities.42 In a report released in September 2006, the GAO identified weaknesses in CMS's approach for allocating MIP funds across the various program integrity activities (cost report auditing, medical review, benefit integrity, Medicare secondary payer, and provider education).43 GAO noted that CMS bases its MIP allocation decisions on historical funding levels, as opposed to examining the relative effectiveness of one activity to another in ensuring Medicare program integrity.
For example, despite receiving the largest share of MIP funds in FY2005, CMS has not yet developed a reliable quantitative measure to assess the impact of cost report audits of Part A providers on preventing fraud, waste, and abuse. GAO recommended that CMS develop additional methods for allocating MIP funds that take into account the effectiveness of MIP activities, as well as contractor performance, particularly in light of new vulnerabilities related to the prescription drug benefit.

41 See Office of Management and Budget Program Assessment Rating Tool website at http://www.whitehouse.gov/omb/part/ for PART assessments of the Medicare Integrity Program and the Health Care Fraud and Abuse Control Program.

42 GAO-05-388, Federal Bureau of Investigation: Accountability over the HIPAA Funding of Health Care Investigations is Inadequate, April 2005, at http://www.gao.gov/new.items/d05388.pdf.

43 GAO-06-813, Medicare Integrity Program, Agency Approach for Allocating Funds Should be Revised, September 2006, at http://www.gao.gov/new.items/d06813.pdf.

Between April 2006 and March 2007, Medicare paid $9.9 billion to DME suppliers. Of this amount, improper payments were estimated at $1.0 billion, or approximately 10.2%.44 Although many improper payments are the result of honest billing mistakes by providers, others result from fraud and abuse. DME fraud tends to be higher in South Florida and Los Angeles, where both the number of Medicare beneficiaries and the number of DME suppliers are high. According to CMS, the primary types of DME fraud committed in these areas include billing for services not rendered and billing for services that are not medically necessary for the beneficiary.45

Before a DME supplier can bill Medicare, it must meet certain standards. CMS contracts with the National Supplier Clearinghouse (NSC) to enroll and screen potential suppliers before they can participate in the program.
Once a supplier is found to be compliant with these standards, it can receive a Medicare supplier number and bill Medicare for services rendered.46 The NSC is required to conduct site visits to DME physical locations upon initial enrollment and three years later to ensure ongoing compliance.

In March 2007, the OIG released two reports indicating that compliance with DME enrollment standards was lacking. One investigation found that 45% of Medicare participating DME companies in South Florida failed to comply with at least one of five Medicare enrollment standards in CY05.47 The second investigation, which involved site visits to 169 DME suppliers in 10 states (excluding Florida), found 10 suppliers without an actual physical facility at their address. These 10 suppliers subsequently billed Medicare almost $393,000 in the two months following the OIG's visit.48

Criticism surrounding the adequacy and enforcement of enrollment standards for DME suppliers is not new. In 2001, the OIG recommended that CMS conduct random, unannounced site visits to DME suppliers to help reduce the potential for fraudulent billing. A few years later, a 2005 GAO report declared the standards inadequate and reported that many DME suppliers were able to resume participation in Medicare after being suspended for enrollment violations. The GAO echoed the OIG's 2001 recommendation to conduct random site visits to DME supplier locations outside of the initial enrollment and re-enrollment periods.49

44 "Improper Medicare FFS Payments Report," Centers for Medicare and Medicaid Services, November 2007.

45 HHS Press Release, "Medicare Provider Enrollment Demonstration Involving Suppliers of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) in High-Risk Areas," July 2, 2007.

46 See 42 CFR 424.57(c) for a description of the 21 standards. Some of the standards include being compliant with federal and state licensure requirements, maintaining a physical facility, maintaining a primary business telephone, and being accessible (open and staffed) during business hours.

47 See OEI-03-07-00150: South Florida Suppliers' Compliance with Medicare Standards: Results from Unannounced Visits, March 2007, at http://oig.hhs.gov/oei/reports/oei-03-07-00150.pdf.

48 See OEI-04-05-00380: Medical Equipment Suppliers: Compliance with Medicare Enrollment Requirements, March 2007, at http://oig.hhs.gov/oei/reports/oei-04-05-00380.pdf.

On July 2, 2007, CMS announced a demonstration project requiring all DME suppliers in Los Angeles and Miami to reapply to participate in the Medicare program. As part of the demonstration, approximately 7,500 DME suppliers will be contacted by mail and requested to complete another Medicare enrollment application. Those that fail to submit the new application within 30 days will automatically lose Medicare billing privileges. The agency also plans to conduct random, unannounced site visits to supplier locations in these areas. In addition to meeting enrollment standards, DME suppliers will also be required by CMS to meet new quality standards and become accredited by a CMS-approved Accreditation Organization.50 For FY2008 and beyond, the NSC will be prohibited from issuing a Medicare billing number to any supplier that is not accredited under the new rule.

Due to a growing concern that Medicare needed extra protection against improper payments, Congress in Section 306 of the Medicare Modernization Act of 2003 (P.L. 108-173) authorized the Secretary to contract with Recovery Audit Contractors (RACs) to identify over- and underpayments in Medicare Parts A and B. The program started in March 2005 as a demonstration project in three states (California, Florida, and New York). The Tax Relief and Healthcare Act of 2006 (P.L. 109-432) made the RAC initiative permanent and mandated the expansion of RAC contractors to all 50 states by 2010.
In November 2006, CMS released a status document on RAC performance for FY2006 which found that the contractors had identified $303.5 million in improper payments in the three demonstration states. Of this $303.5 million, $68.6 million had been collected in overpayments from providers and $2.9 million had been identified as underpayments. The remaining $232.0 million is currently in the collection process. The majority of the overpayments were to inpatient hospitals and skilled nursing facilities.51

The RAC program is controversial because of how RAC contractors are paid. RACs are paid on a contingency basis, which means that each RAC receives a percentage of what it collects in overpayments from providers. In contrast, other CMS program integrity contractors are paid a fixed annual amount based on their costs. This alternative payment mechanism for RACs has certain provider groups concerned. For instance, providers claim that paying contractors on a contingency basis creates incentives to aggressively audit and deny claims to receive higher payments from CMS.52 Providers that wish to dispute a denied claim must file an appeal and are obligated to pay the claim until a determination on the appeal is made.

49 See GAO-05-656: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment Suppliers, September 2005, at http://www.gao.gov/new.items/d05656.pdf.

50 Section 302(a)(1) of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (PL ) requires Medicare to develop and implement quality standards for DME suppliers.

51 CMS RAC Status Document FY2006, November 2006, at http://www.cms.hhs.gov/RAC/Downloads/RACStatusDocument--FY2006.pdf

52 In May 2007, 36 California House Members wrote to CMS reporting that Inpatient Rehabilitation Facilities (IRFs) were experiencing high claim denial rates from the CA RAC: http://www.house.gov/list/speech/ca23_capps/morenews/pr_070605medicareaudits.shtml.
If the provider wins an appeal at the first level, any associated contingency payments paid to the RAC must be returned to CMS. However, if the provider wins an appeal at the second or higher level, the RAC retains the contingency payment. In FY2006, providers in the three RAC demonstration states filed 2,596 appeals challenging RAC overpayment determinations.53

In response to these concerns, CMS ceased RAC activity of Inpatient Rehabilitation Facilities (IRFs) in California and made some changes to the permanent RAC program set to begin at the end of March 2008.54 Under the permanent program, if a RAC determination is overturned at any level of appeal, the RACs will be required to refund all contingency fees to CMS. In addition, the agency has placed nationwide limits on the number of medical records a RAC can request from a provider and is requiring that all RACs hire a medical director to oversee the review process. By 2010, CMS plans to have four RACs in place. Each RAC will be responsible for identifying overpayments and underpayments in approximately one-fourth of the country. In 2007, the RAC demonstration was expanded to three additional states: South Carolina, Massachusetts, and Arizona.55

In addition to creating the HCFAC and MIP programs, the 1996 HIPAA legislation gave CMS the authority to contract with specialized private organizations to conduct certain program integrity activities. Program Safeguard Contractors (PSCs), which are responsible for reducing fraud and abuse in the Medicare program, are one of these types of organizations. Among the tasks that PSCs undertake are conducting fraud investigations, referring suspected cases to law enforcement, and performing data analysis to identify trends and billing patterns that might indicate fraudulent billing (otherwise referred to as benefit integrity work).
CMS assesses the performance of PSCs on an annual basis by examining monthly statistics related to contractor workload.56

Since CMS awarded the first 12 contracts to PSCs in 1999, questions have been raised related to their effectiveness and CMS's oversight of PSC performance. Prior to creating PSCs, fraud and abuse detection work was the responsibility of the Part A and B claims administration contractors--FIs and carriers. Transferring these responsibilities to specialized entities was seen as a strategy to improve Medicare's program integrity capabilities. In 2001, two years after the PSCs became operational, the GAO reported that CMS lacked clear and quantifiable measures to adequately assess PSC performance and recommended the agency develop specific criteria to better evaluate the contractors' effectiveness at detecting and preventing fraud and abuse.57

53 CMS RAC Status Document FY2006, November 2006, at http://www.cms.hhs.gov/RAC/Downloads/RACStatusDocument--FY2006.pdf

54 After conducting an independent review of a sample of IRF claims previously reviewed by the California RAC, CMS found that Medicare contractors were not applying coverage and payment policies consistently for IRF services. In response, CMS ceased RAC review of IRF claims in California. RAC reviews of these facilities will resume at the start of the permanent RAC program in March 2008. Letter from CMS Administrator Kerry N. Weems to Representative Lois Capps. December 7, 2007. Available at http://www.aha.org/aha/letter/2007/071207-let-cms-capps.pdf.

55 CMS Website, Physician Regulatory Issues Team (PRIT), Active PRIT Issues, accessed on August 10, 2007, at http://www.cms.hhs.gov/PRIT/PRITIA/itemdetail.asp?filterType=none&filterByDID=0&sortByDID=1&sortOrder=descending&itemID=CMS061926&intNumPerPage=10.

56 At present, CMS has 18 PSC task orders; 15 are for deterring fraud in Medicare Parts A and B, and 3 are for deterring fraud in DME. Specifically, CMS assesses the timeliness of PSC performance, the degree to which quality cases are developed for referral to the OIG, and the PSCs' responsiveness to law enforcement agencies.

On July 20, 2007, the OIG released a report on the performance of PSCs. The OIG found significant variation in the number of new investigations and case referrals initiated by the contractors.58 Neither the size of the PSC's budget nor its oversight responsibility was correlated with the number of new investigations or referrals to law enforcement. Also, PSCs are expected to engage in proactive data analysis to identify suspected patterns of fraud. However, only a small percentage of new investigations resulted from this type of data analysis.

An earlier OIG analysis of PSC evaluation reports from years 1999 through 2004 indicated that the type of information collected by CMS in these reports was lacking. Many of the evaluation reports contained limited quantitative and qualitative data related to PSCs' activities and achievements, and the majority of the reports were incomplete. According to CMS, quantifying PSC results could create perverse incentives for the PSCs by rewarding them for the volume of cases they refer to law enforcement.59 In FY2007, CMS awarded $119M to support 18 PSC task orders.

On January 1, 2006, Medicare began covering prescription drugs as part of the new Part D benefit. Coverage is provided through private plans offered by MA-PDs or stand-alone PDPs. For FY2008, outlays for Part D benefits are expected to total $52.2 billion. According to CBO, this amount is expected to triple to $141 billion by FY2017.60 CMS, the OIG, and the GAO have stated that the new benefit is at risk for significant fraud and abuse.
Potential areas of vulnerability related to the Part D benefit are extensive and include eligibility and enrollment; the bidding process; beneficiary, plan, and retail pharmacy fraud; incentives to reduce cost sharing; formulary development; and many others.

To protect the integrity of Part D funds, CMS announced in October 2005 a plan to award contracts to eight Medicare Drug Integrity Contractors (MEDICs). MEDICs' responsibilities to protect the Trust Fund from abuses may include reviewing bids from prescription drug plans for participation in the program, performing audits of Part C MA-PD and Part D PDP plans, investigating fraud complaints from beneficiaries, conducting data analysis to identify potentially fraudulent billing patterns, and providing support to law enforcement agencies with fraud investigations.

57 See GAO-01-616: Medicare, Opportunities and Challenges in Contracting for Program Safeguards, May 2001, at http://www.gao.gov/new.items/d01616.pdf.

58 In 2005, PSCs produced between 5 and 479 new Part A investigations and 18 and 3,707 new Part B investigations. Excerpt taken from OIG Report: Medicare's Program Safeguard Contractors: Activities to Detect and Deter Fraud and Abuse, July 2007, at http://oig.hhs.gov/oei/reports/oei-03-06-00010.pdf.

59 See OEI-03-04-00050: Medicare Program Safeguard Contractors: Performance Evaluation Reports, March 2006, at http://oig.hhs.gov/oei/reports/oei-03-04-00050.pdf.

60 Congressional Budget Office (CBO), Medicare 2007 Fact Sheet, at http://www.cbo.gov/ftpdocs/78xx/doc7861/m_m_schip.pdf.

Concerns have been raised related to CMS oversight of the MEDICs and the Part D benefit in general. In April 2006, the Senate Finance Committee wrote a letter to CMS inquiring why CMS had issued only one task order to a MEDIC organization after identifying numerous Part D fraud vulnerabilities.
In FY2006, the DRA provided $100 million in funds to address fraud associated with the prescription drug program, a portion of which was to be allocated to the MEDICs. CMS then awarded an additional four MEDIC contracts later that year. In addition, an OIG report released in October 2007 found that by the end of FY2006, CMS had not yet commenced financial audits of Part D plans and data analysis of billing trends to identify potential fraud--two other key responsibilities of the MEDICs. Instead, CMS relied largely on beneficiary complaints to detect abusive practices in FY2006. CMS expects to begin financial audits of Part D plans in January 2008.61

In a September 2006 report, GAO noted that CMS does not have an adequate method for allocating program integrity funding to areas with the greatest risk, including risk associated with the Part D benefit.62 In light of an October 2007 announcement by CMS that the agency plans to recover $4 billion in payments made to plans in 2006, this is worth noting. As part of the bidding process, Part D plans must prospectively estimate how much it is going to cost to provide prescription drug coverage to an average Medicare beneficiary. At the end of the year, CMS compares actual costs with predicted costs as part of a payment reconciliation process. Because of lower-than-expected drug costs for 2006, the predicted costs were $4 billion more than plans' actual costs. Plans are required to return these extra payments to CMS. As Part D plans gain more experience with the program, CMS predicts the difference between plans' expected and actual costs to decrease in future years.

As the Medicare program continues to grow in size and complexity, developing innovative strategies to ensure the integrity of the program will become increasingly important.
Program integrity activities encompass a broad set of strategies and processes designed to meet numerous objectives, including preventing improper payments, identifying and detecting fraud, investigating individuals suspected of committing Medicare fraud, and prosecuting offenders. To carry out the six main types of program integrity activities for the Medicare Integrity Program (MIP), the Centers for Medicare and Medicaid Services (CMS) contracts with a diverse mix of private organizations tasked with a variety of different oversight responsibilities. The effectiveness of these efforts depends on close collaboration and coordination between these organizations and federal enforcement agencies.

The implementation of the Health Care Fraud and Abuse Control (HCFAC) and MIP programs in 1996 provided CMS and Medicare enforcement agencies with a dedicated funding source to fight fraud and abuse in health care programs. From 1997 through 2005, resources available to fight fraud increased from $0.6 billion to $1.1 billion, and the number of new civil and criminal fraud enforcement actions more than doubled. Furthermore, the amount of money transferred to the Hospital Insurance (HI) Trust Fund as a result of health care fraud enforcement activities has been steadily increasing. These statistics, however, do not apply to MIP activities, which receive the largest share of HCFAC funding.

61 See OEI-06-06-00280: CMS's Implementation of Safeguards During Fiscal Year 2006 to Prevent and Detect Fraud and Abuse in Medicare Prescription Drug Plans, October 2007, at http://oig.hhs.gov/oei/reports/oei-06-06-00280.pdf.

62 See GAO-06-813: Medicare Integrity Program, Agency Approach for Allocating Funds Should be Revised, September 2006, at http://www.gao.gov/new.items/d06813.pdf.
Recent Government Accountability Office (GAO) reports have raised questions about how MIP funding is being used and have recommended CMS develop more quantitative measures to assess the impact of MIP program integrity activities in the future. Outcomes and results from program integrity activities are difficult to assess for a number of reasons. While perpetrators of fraud and abuse cost the Medicare program large amounts of money annually, there are no reliable estimates on the size of the problem. The National Health Care Anti-Fraud Association estimates that health care fraud accounts for at least 3% of total health care expenditures annually, but measuring the amount of true fraud is difficult.63 This makes it challenging for policy makers to determine the extent of resources needed to effectively combat the problem. The implementation of the prescription drug benefit presents a new challenge for CMS and its partners. In addition to increasing expenditures, contracting with private prescription drug plans to deliver services to beneficiaries adds a new layer of complexity in administration. Since the start of the prescription drug benefit on January 1, 2006, policy makers have expressed concerns related to CMS oversight of the Part D MEDICs, which are responsible for ensuring Medicare integrity in the Part D benefit. As payments to Part D plans continue to rise over the next several years, it will be important to monitor the program integrity activities undertaken to safeguard payments to Part D plans and providers. Protecting the Medicare program from improper payment, fraud, and abuse is a complex and challenging undertaking. With fraud perpetrators continually devising more sophisticated schemes to defraud the system, administrators need to invest in a broad mix of preventive and investigative techniques to uncover fraud and abuse. 
While the permanent authorization of HCFAC and MIP funds has enhanced Medicare's program integrity efforts, improvements in oversight are needed to continue to ensure Medicare beneficiaries' access to high quality and appropriate care.

Holly Stockdale
Analyst in Health Care Financing
hstockdale@crs.loc.gov, 7-9553

63 See "The Problem of Health Care Fraud," the National Health Care Anti-Fraud Association, at http://www.nhcaa.org/eweb/DynamicPage.aspx?webcode=anti_fraud_resource_centr&wpscode=TheProblemOfHCFraud, accessed on October 23, 2007.