U.S. Department of Health and Human Services Office of Inspector General Weaknesses Exist in Medicaid Managed Care Organizations’ Efforts To Identify and Address Fraud and Abuse OEI-02-15-00260 July 2018 Daniel R. Levinson Inspector General oig.hhs.gov Report in Brief U.S. Department of Health and Human Services July 2018 OEI-02-15-00260 Office of Inspector General Why OIG Did This Weaknesses Exist in Medicaid Managed Care Review Organizations’ Efforts To Identify and Managed care is the primary delivery system for Medicaid. Address Fraud and Abuse As of 2015, it covered 80 percent of all Medicaid What OIG Found enrollees. Although managed Managed care organizations (MCOs) play an increasingly important role in fighting fraud care has rapidly expanded, and abuse in Medicaid, yet weaknesses exist in their efforts to identify and address fraud program integrity issues have and abuse. Although the number of cases varied widely, some MCOs identified and not received the same referred few cases of suspected fraud or abuse to the State in 2015, and not all MCOs used attention in managed care as proactive data analysis—a critical tool for fraud identification. they have in Medicaid fee-for- In addition, MCOs took actions against providers suspected of fraud or abuse but did not service. The Office of typically inform the State, including when MCOs terminated provider contracts for reasons Inspector General (OIG) and associated with fraud or abuse. Finally, MCOs did not always identify and recover others have ongoing concerns overpayments, including those associated with fraud or abuse; overpayments are factored about program integrity in into future MCO payments from the State. These weaknesses may limit States’ ability to Medicaid managed care. effectively address fraud and abuse in their Medicaid programs. How OIG Did This Key Takeaway Review At the same time, selected States employ a We based this study on data number of strategies to address MCOs’ CMS and States have opportunities from three sources: (1) a survey weaknesses and improve their efforts. These to improve MCOs’ efforts to protect requesting 2015 data from the include providing education and training and Medicaid and to ensure taxpayer MCO with the largest facilitating information sharing among MCOs. dollars are spent appropriately. expenditures in each of the 38 States also reported using encounter data to States that provides Medicaid conduct their own proactive data analysis, but services through managed these data have limitations. care, (2) structured interviews with officials from five selected What OIG Recommends and How the Agency Responded MCOs, and (3) structured We recommend that the Centers for Medicare & Medicaid Services (CMS) work with States interviews with officials from the to (1) improve MCO identification and referral of cases of suspected fraud or abuse, same five States as the selected (2) increase MCO reporting to the State of corrective actions taken against providers MCOs. suspected of fraud or abuse, (3) clarify the information MCOs are required to report regarding providers that are terminated or otherwise leave the MCO network, (4) identify and share best practices about payment-retention policies and incentives to increase recoveries, (5) improve coordination between MCOs and other State program integrity entities, (6) standardize reporting of referrals across all MCOs in the State, (7) ensure that MCOs provide complete, accurate, and timely encounter data, and (8) monitor encounter data and impose penalties on States for submitting inaccurate or incomplete encounter data. CMS concurred with all but one of our recommendations; it did not concur with our recommendation to work with States to standardize the reporting of referrals in the State. Full report can be found atof Health & Human Services U.S. Department oig.hhs.gov/oei/reports/oei-02-15-00260.asp Office of Inspector General TABLE OF CONTENTS BACKGROUND 1 Methodology 6 FINDINGS Although the numbers of cases varied widely, some MCOs identified and referred few cases of 8 suspected fraud or abuse MCOs took actions against providers suspected of fraud or abuse but did not typically 11 inform the State MCOs did not always identify and recover overpayments 14 Selected States employ a number of strategies to improve MCOs’ efforts 17 CONCLUSION AND RECOMMENDATIONS Improve MCO identification and referral of cases of suspected fraud or abuse 21 Increase MCO reporting of corrective actions taken against providers suspected of fraud or 21 abuse to the State Clarify the information MCOs are required to report regarding providers that are 22 terminated or otherwise leave the MCO network Identify and share best practices about payment retention policies and incentives to increase 22 recoveries Improve coordination between MCOs and other State program integrity entities 22 Standardize reporting of referrals across all MCOs in the State 23 Ensure that MCOs provide complete, accurate, and timely encounter data 23 Monitor encounter data and impose penalties on States for submitting inaccurate or 23 incomplete encounter data AGENCY COMMENTS AND OIG RESPONSE 25 APPENDICES A: Total number and median number of cases identified and referred by MCOs. 26 B: Detailed Methodology 28 C: Agency Comments 30 ACKNOWLEDGMENTS 34 BACKGROUND Objectives To assess Medicaid Managed Care Organizations’ (MCOs’) and States’ program integrity efforts by reviewing: 1. the extent to which MCOs identify and refer cases of suspected fraud or abuse; 2. the extent to which MCOs address cases of suspected fraud or abuse and inform the State; 3. the extent to which MCOs identify and recover overpayments, including those associated with fraud or abuse; and 4. selected States’ strategies to strengthen MCOs’ efforts to identify and address cases of suspected fraud or abuse. Fraud, waste, and abuse in Medicaid cost States billions of dollars every year, diverting funds that could otherwise be used for legitimate health care services.1 Not only do fraudulent and abusive practices increase the cost of Medicaid without adding value—they increase risk and potential harm to patients who are exposed to unnecessary procedures. Managed care is the primary delivery system for Medicaid, serving more than 80 percent of all Medicaid enrollees.2 Payments to MCOs amounted to more than $236 billion of the $554 billion in total Medicaid expenditures in ___________________________________________________________ 1National Council of State Legislatures. Accessed at http://www.ncsl.org/research/health/ medicaid-fraud-and-abuse.aspx on August 10, 2017. 2 This represents beneficiaries enrolled in any Medicaid managed care program, including comprehensive MCOs, limited-benefit MCOs, and Primary Care Case Management (PCCM). See Centers for Medicare & Medicaid Services, Medicaid Managed Care Enrollment and Program Characteristics, 2015. Accessed at https://www.medicaid.gov/medicaid/managed- care/ downloads/enrollment/2015-medicaid-managed-care-enrollment-report.pdf on May 23, 2018. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 1 OEI-02-15-00260 2016.3 During that year, 43 percent of total Medicaid spending was paid to MCOs, up from just 28 percent in 2013.4 The Office of Inspector General (OIG) and others have had ongoing concerns about program integrity efforts in Medicaid managed care. In December 2011, OIG found that States and MCOs were concerned about the prevalence of fraud and abuse in managed care.5 Additionally, OIG identified concerns about the lack of fraud or abuse referrals being provided by MCOs, and that MCOs often lacked the incentive to detect and refer potential fraud.6 The Government Accountability Office and the Medicaid and CHIP Payment and Access Commission (MACPAC) have also noted that program integrity initiatives in managed care still lag behind those in fee-for-service.7 Prior OIG work has primarily focused on States’ efforts in Medicaid and the need to improve Medicaid data, including data submitted by MCOs.8 This review builds on prior work by focusing on MCOs’ efforts to identify and address cases of suspected fraud or abuse. It also provides information about strategies that States employ to strengthen MCOs’ program integrity efforts. ___________________________________________________________ 3This represents Medicaid payments to MCOs providing comprehensive services to Medicaid enrollees. See Kaiser Family Foundation, Medicaid Managed Care Tracker, “Total Medicaid MCO Spending, 2016.” Accessed at https://www.kff.org/other/state-indicator/total- medicaid-mco-spending/? Current Timeframe=0&sortModel=%7B%22 colId%22:%22Location%22,%22 sort%22:%22asc%22%7Dr/ on January 2, 2018. 4 Kaiser Family Foundation, “Data Note: Medicaid Managed Care Growth and Implications of the Medicaid Expansion,” April 24, 2017. Accessed at https://www.kff.org/medicaid/issue- brief/data-note-medicaid-managed-care-growth-and-implications-of-the-medicaid- expansion/ on January 2, 2018. 5OIG, Medicaid Managed Care: Fraud and Abuse Concerns Remain Despite Safeguards (OEI- 01-09-00550), December 2011. 6OIG, Medicaid Fraud Control Units Fiscal Year 2014 Annual Report (OEI-06-15-00010), April 2015. See also OIG, Medicaid Fraud Control Units Fiscal Year 2013 Annual Report (OEI-06-13- 00340), March 2014. 7 Government Accountability Office, Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures, Report to the Committee on Finance, U.S. Senate, June 2014 (GAO-14-341). Accessed at http://www.gao.gov/assets/670/663306.pdf on October 24, 2017. See also MACPAC, Report to Congress on Medicaid and CHIP, June 2017. Accessed at https://www.macpac.gov /wp- content/uploads/2017/06/June-2017-Report-to-Congress-on-Medicaid-and-CHIP.pdf on October 10, 2017. 8OIG, Not All States Reported Medicaid Managed Care Encounter Data as Required (OEI-07- 13-00120), July 2015. See also OIG, Status Update: T-MSIS Data Not Yet Available for Overseeing Medicaid (OEI-05-15-00050), June 2017. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 2 OEI-02-15-00260 Program Integrity in Medicaid Managed Care The Centers for Medicare & Medicaid Services (CMS), State Medicaid agencies, and MCOs are responsible for program integrity in Medicaid. However, the nature of the State’s efforts changes when Medicaid services are provided through managed care.9 Under a traditional fee-for-service model, the State is responsible for identifying potential fraud and abuse in addition to processing and paying claims and monitoring improper claims.10 Under a managed care model, the State contracts with MCOs to conduct many of these activities.11 MCOs have the primary responsibility for processing, paying, and monitoring the claims of providers in the MCOs’ networks. Identifying and Addressing Cases of Suspected Fraud or Abuse As a condition of receiving payment under the Medicaid managed care program, MCOs are required to identify, investigate, and address potential fraud and abuse.12 Although establishing a Special Investigative Unit (SIU) is not specifically required by Federal law or regulation, MCOs typically establish such a unit to combat provider fraud and abuse. Specifically, an SIU identifies and refers cases, takes corrective actions, and identifies and recovers overpayments.13 In addition, MCOs are required to submit encounter data to the State.14 Encounter data typically come from claims that providers submit to the MCO for the services they provided; analysis of encounter data can be used to detect fraud and abuse. The process MCOs typically employ is described below. Identify Suspected Fraud or Abuse. Once suspected fraud or abuse is identified, the MCO opens a case. The MCO typically conducts an investigation, often reviewing claims, requesting medical records, or initiating audits of suspected providers. If no additional action is warranted, the MCO may close the case. ___________________________________________________________ 9 The following summary of MCO program integrity responsibilities is based on Federal law and regulations applicable during our review period—calendar year 2015. For more information about changes to Federal regulations in 2016, see page 4. 10 42 CFR part 455. 11 42 CFR § 438, subpart J (2015). 1242 CFR § 438.602 (2015). As part of these conditions of payment, MCOs also have to undertake certain activities to combat fraud and abuse, such as developing a training plan for staff. For additional information, see 42 CFR § 438.608 (2015). 1342 CFR § 438.608 (2015). Although an SIU is not specifically required, many functions of an SIU are addressed in regulation. Generally, MCOs were required to have compliance plans that included elements such as effective training and education for the compliance officer and MCO employees, as well as procedures for internal monitoring and auditing. 14 42 CFR § 438.242 (2015). Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 3 OEI-02-15-00260 Refer Cases to State. If the MCO uncovers evidence of suspected fraud or abuse, it typically refers the case to the State. When the MCO refers a case, it submits the case to the State Medicaid agency, the Medicaid Fraud Control Unit (MFCU), or both.15 The State Medicaid agency can, along with other actions, terminate providers from the entire State Medicaid program, whereas, MFCUs have the responsibility to investigate and prosecute cases of Medicaid fraud in the State. Take Actions Against Providers. In addition to making referrals, the MCO may take other actions against providers suspected of fraud or abuse. For example, the MCO may conduct prepayment and postpayment reviews of provider claims to ensure that all claims are appropriately submitted and paid. In addition, the MCO may conduct provider education as well as initiate corrective action plans. Further, the MCO may terminate the contracts of providers suspected of fraud or abuse, or it may remove the provider from the network by not renewing the provider’s contract. Identify and Recover Overpayments. The MCO is also responsible for identifying and recovering overpayments associated with fraud or abuse and overpayments not associated with fraud or abuse, such as simple billing errors.16 States have different arrangements with MCOs about the retention of both types of payments. The recovered payments may be retained by the MCO, returned to the State, or shared between the two. Accurate identification and reporting of recoveries is essential; this information is factored into future payments to the MCO and may lower these payments.17 Submit Encounter Data. Finally, the MCO is responsible for providing encounter data to the State. Accurate encounter data are key to program integrity efforts and to the oversight of Medicaid. States may use encounter data to conduct proactive data analysis as part of their own efforts to identify and address fraud and abuse. ___________________________________________________________ 15Social Security Act § 1903(q). Generally, MFCUs investigate and prosecute Medicaid provider fraud and instances of patient abuse and neglect in select settings. MFCUs must employ an interdisciplinary staff that consists of at least an investigator, an auditor, and an attorney. 16Examples of overpayments that are not associated with fraud or abuse include simple billing errors, coding mistakes, or erroneous fee schedule reimbursement that is not the result of fraudulent intent, recklessness, or other conduct that could result in a potential violation of Federal criminal, civil, or administrative law for which civil monetary penalties are authorized. 1742 CFR §§ 438.6(b) and (c) (2015). Note that future rate setting calculations are based on historical data about the amount and type of services used. If fraudulent payments are included in this historical data, and not adjusted at a later date, the rate setting calculations will not be based on accurate data and payments may not be reduced appropriately. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 4 OEI-02-15-00260 Medicaid Managed Care Final Rule CMS issued a final rule (hereinafter “the final rule”) in May 2016 that codified the processes described above.18 The final rule’s objectives include improving fraud detection by both MCOs and States.19 Notably, the final rule requires MCOs to promptly refer any suspected fraud, waste, or abuse to the State.20 Additionally, MCOs must notify the State about changes in a provider’s circumstances that may affect the provider’s eligibility to participate in managed care.21 Further, all MCOs are required to promptly report all overpayments identified or recovered, and to specify overpayments resulting from potential fraud.22 The final rule also requires States to specify their retention policies for all recoveries in the MCO contracts.23 The rule also strengthens encounter data requirements. It standardizes the level of detail and format of the data.24 It also allows CMS to penalize States for noncompliance with encounter data requirements, in that CMS can defer or disallow a portion of the Medicaid funding provided to the State.25 The program integrity provisions in the final rule went into effect for managed care contracts with rating periods beginning on or after July 1, 2017.26 However, in June 2017 CMS announced its intention to use its discretion to focus on working with States unable to implement the requirements as scheduled rather than take immediate enforcement ___________________________________________________________ 1881 Fed. Reg. 27498 (May 6, 2016). Accessed at https://www.federalregister.gov/documents /2016 /05/06/2016-09581/p.3199 on November 7, 2017. 19 Generally, most of the program integrity regulations of the final rule are found at 42 CFR § 438.608. 20 42 CFR § 438.608(a)(7). The language in the regulatory text refers to “potential” cases of fraud or abuse; in this report we use the term “suspected.” 21 Ibid. at § 438.608(a)(4). 22 Ibid. at § 438.608(a)(2). 23 Ibid. at § 438.608(d)(1). The final rule also requires all MCO network providers to enroll with the State and to comply with all Federal provider disclosure, screening, and enrollment requirements. See also 42 CFR § 438.608(b). The 21st Century Cures Act moved the compliance date to January, 2018. See 21st Century Cures Act, P.L. No. 114-255 § 5005 (Dec. 13, 2016). 24 Ibid. at § 438.818. 25 Ibid. at § 438.818(c). Note that CMS indicated that although the issue was outside the scope of the Final Rule, “the retraction of [a] capitation [payment] to a [MCO] as a result of a deferral and/or disallowance of Federal Financial Participation [related to encounter data] . . . should be addressed by the State in its managed care plan contracts.” See 81 Fed. Reg. 27498, 27743. 26 Ibid. at 27499. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 5 OEI-02-15-00260 actions.27 To target its efforts, CMS asked States to identify those regulations that they are unable to implement by the required compliance date. CMS added that this use of enforcement discretion would be applied based on State-specific facts and circumstances and focused on States’ specific needs. Methodology This review focuses on MCOs that provide full-risk managed care for a comprehensive set of Medicaid services.28 We based this study on data from three sources: (1) a survey requesting 2015 data from the MCO with the largest expenditures in each of the 38 States that provides Medicaid services through managed care, (2) structured interviews with officials from five selected MCOs, and (3) structured interviews with officials from the same five States as the selected MCOs. We analyzed the data collected from the MCOs to determine the number of cases of suspected fraud or abuse they identified and referred and the overpayments they identified and recovered.29 These MCOs varied in size, ranging from $90 million to more than $6 billion in expenditures in 2015. The number of enrollees ranged from 18,000 to more than 1.6 million in 2015. See Appendix B for a detailed description of the methodology. Limitations The data are self-reported by the MCOs; we did not verify these data. In some instances, we reviewed the relevant regulatory requirements or requirements in the State contracts; however, we did not independently review all parts of the State contracts or regulations associated with MCO ___________________________________________________________ 27 CMCS Informational Bulletin. Accessed at https://www.medicaid.gov/federal-policy- guidance/downloads/cib063017.pdf, on October 11, 2017. CMS is unable to permit this flexibility for all provisions of the final rule, such as those with fiscal implications for the Medicaid program. Further excluded from State discretion is the requirement to report specific data about provider terminations to HHS within 30 days of a termination. See 21st Century Cures Act, P.L. No. 114-255 § 5005 (Dec. 13, 2016). 28We excluded partial-risk managed care models, such as primary care case management programs, prepaid inpatient health plans, and prepaid ambulatory health plans, as these programs do not provide a full range of services under managed care. In addition, we excluded comprehensive Programs of All-Inclusive Care for the Elderly, as these programs provide services to both Medicaid and Medicare enrollees. Finally, we included Health Insuring Organizations, which are county-level MCOs in California. 29We analyzed these data by the size of the MCO—measured in terms of Medicaid expenditures and number of Medicaid enrollees—and found that MCO size did not fully explain the number of cases identified or referred or the amount of payments identified or recovered. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 6 OEI-02-15-00260 responses. In addition, some differences in the MCOs’ responses could be due, in part, to how the MCOs define various terms. Further, the results about MCOs and States cannot be generalized to all MCOs or all States. Standards This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 7 OEI-02-15-00260 FINDINGS Although the MCOs are responsible for identifying and referring cases of suspected fraud or abuse. It is essential that all MCOs identify and refer cases of suspected numbers of cases fraud or abuse to the State to ensure that ranged widely, some Medicaid dollars are spent appropriately MCOs play a key role MCOs identified and and that the integrity of the program is referred few cases protected. MCOs are on the front line of of suspected fraud Seven MCOs identified few cases of ensuring the integrity of Medicaid payments. or abuse suspected fraud or abuse The 38 MCOs ranged widely in the number of cases they identified; the median number of cases identified by the 38 MCOs was 106 in 2015. Seven MCOs identified fewer than 30 cases of suspected fraud or abuse.30 Three of these MCOs identified about one case per month, and another two of these MCOs did not identify a single case during the year. These seven MCOs received a total of $4.4 billion in Medicaid funds. See Appendix A for the number of cases identified by each MCO. In contrast, three MCOs identified more than 800 cases each. Although these three MCOs were generally larger in terms of Medicaid expenditures and number of Medicaid enrollees, the size of the MCOs did not fully explain the number of cases identified by each MCO. Further, the larger number of cases identified by some MCOs shows that MCOs can be more active in looking for and working cases of fraud or abuse to potentially pursue additional actions. Thirteen MCOs referred very few cases of suspected fraud or abuse to the State One-third of MCOs referred fewer than 10 cases of suspected fraud or abuse to the State in 2015.31 Two of these MCOs did not refer a single case of suspected fraud or abuse—the same two that did not identify a single case during 2015. 32 In total, these 13 MCOs received more than $9.3 billion in Medicaid funds. In contrast, 4 MCOs each referred more than 100 cases to the State. It is important for MCOs to refer cases so the State can take ___________________________________________________________ 30As previously mentioned, after opening a case, MCOs may determine that the case does not warrant any additional action and subsequently close the case. 31When making a referral to the State, the MCO can refer the case to the State Medicaid agency, the MFCU, or both. 32Of the other 11 MCOs that referred fewer than 10 cases to the State, 4 were also MCOs that identified fewer than 30 cases. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 8 OEI-02-15-00260 appropriate action and protect the Medicaid program from fraud or abuse.33 See Appendix A for the number of cases referred by each MCO. The variation in the number of cases that Benefits of MCOs referring cases of MCOs referred is partly suspected fraud or abuse to the State explained by the number  Referrals allow the State Medicaid of cases that MCOs agency to terminate fraudulent identified. It is also partly providers. explained by what States expect MCOs to refer to  Referrals allow the MFCU to the State. 34 For example, investigate fraudulent providers. some States expected  Referrals allow the State Medicaid MCOs to refer only cases agency to share information about of confirmed fraud or suspicious providers or practices with abuse that they identified other MCOs. after conducting a full investigation, whereas, other States required MCOs to refer all cases they identified. Not all MCOs used proactive data analysis to identify cases of fraud or abuse Proactive data analysis uses data to Proactive data analysis identify patterns that may indicate “helps lead us to where potential fraud, waste, or abuse.35 Ten to look for potential MCOs did not commonly use proactive data analysis; these MCOs each identified fraud, waste, and abuse.” — MCO official 10 or fewer cases through such analysis.36 MCO officials noted that proactive data analysis is an effective approach to look for outliers—such as providers billing for an excessive number of services per enrollee. In one example, the MCO followed up on an outlier that ultimately led to the discovery of a fraud scheme between several physicians and a home health provider that cost the State Medicaid program $3.2 million. MCOs reported identifying other cases of suspected fraud or abuse from State information and from enrollee complaints, as well as other sources ___________________________________________________________ 33 MCOs may also refer cases to other law enforcement agencies. 34The final rule requires all MCOs to refer cases of suspected fraud, waste, and abuse to the State. See 42 CFR § 438.608 (a)(7). 35Proactive data analysis differs from edits placed on claims that preadjudicate the claims prior to payment. 36These MCOs included the two MCOs that did not identify a single case and three MCOs that identified fewer than 30 cases. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 9 OEI-02-15-00260 such as audits and provider complaints. While all of these sources are important, it is essential for MCOs to conduct proactive analysis to detect providers engaging in suspicious behaviors or billing patterns and to promptly identify and address suspected fraud and abuse. MCOs with smaller SIUs generally referred fewer cases of fraud or abuse One factor that affects the number of cases referred is the size of the MCOs’ SIU.37 MCOs with relatively small SIUs—defined as the number of staff dedicated to program integrity activities for the specific plan in that State— were less likely to refer cases of fraud or abuse compared to MCOs with larger SIUs.38 Specifically, MCOs with fewer than 5 SIU employees dedicated to the plan referred a median of 14 cases. In contrast, the MCOs with 5 or more SIU employees dedicated to the plan identified a median of 60 cases. See Exhibit 1. Exhibit 1: MCOs with small SIUs referred fewer cases of fraud or abuse. 5 or more SIU staff 60 Fewer than 5 SIU staff 14 0 15 30 45 60 Median number of cases referred. Source: OIG analysis of MCO data, 2017. ___________________________________________________________ 37 During 2015, Federal regulations did not specifically require MCOs to establish SIUs. The final rule does not specifically require MCOs to establish SIUs, but it does require State MCO contracts to include provisions for MCOs to establish a compliance program that has “procedures and a system with dedicated staff for routine internal monitoring and auditing of compliance risk.” 42 CFR § 438.608(a)(1)(vii). 38The size of the SIU is based on the number of full-time equivalent employees dedicated to identifying or addressing fraud or abuse for that plan in the State Medicaid program. Three MCOs reported that they did not have an SIU in 2015 and are not included in the analysis. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 10 OEI-02-15-00260 MCO officials highlighted several advantages of having larger SIUs to identify and address fraud or abuse. For example, larger SIUs allowed the MCO to hire staff with a wide range of backgrounds and skills, enabling the MCOs to analyze data and investigate cases more comprehensively.39 SIUs also help to optimize limited resources and improve efficiency, in part by coordinating efforts to identify program integrity issues and share information across the organization. An MCO official added that SIUs are a good investment, noting that benefits extend to members, taxpayers, and business partners. Additionally, selected State officials noted that requiring MCOs to hire certain SIU staff improved the number and quality of referrals. For example, some State officials reported requiring a certain ratio of SIU staff to enrollees, whereas, other State officials required staff with specific expertise, such as investigators. They further noted that requiring MCOs—which can be national and operate in multiple States—to have at least one or more staff members physically located in their State was beneficial. As one State official explained, the field presence of local investigators improved the quality of the referrals and improved communication and coordination with the State. MCOs took actions MCOs may pursue various actions once they suspect a provider of fraud or abuse. These actions can range from provider education to implementing a against providers corrective action plan; under certain circumstances, MCOs can terminate a suspected of fraud provider’s contracts. or abuse but did not The 38 MCOs initiated 2,668 corrective actions against providers suspected typically inform the of fraud or abuse in 2015.40 They most commonly conducted prepayment State or postpayment reviews of the provider’s billing, which represented more than two-thirds (68 percent) of all corrective actions. MCOs also took other corrective actions, such as conducting education to correct the provider’s billing practices (28 percent), suspending payments to providers (4 percent), and initiating corrective action plans to providers (1 percent).41 Although they were not necessarily required to do so, many MCOs did not always inform the State of these actions.42 Sixty-four percent of MCOs that ___________________________________________________________ 39Examples of staff employed by the SIUs include Accredited Healthcare Fraud Investigators, Registered Nurses, Certified Professional Coders, and Certified Pharmacy Technicians. 40 Note that a MCO can take multiple actions against a single provider. Note that these are payment suspensions initiated by MCOs. States can also initiate their 41 own payment suspensions. 42 States may require MCOs to report actions taken against providers suspected of fraud or abuse as part of their contracts with MCOs. The final rule does not specifically require MCOs to report such actions. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 11 OEI-02-15-00260 educated providers (18 of the 28) did not inform the State about all of these actions. See Exhibit 2. Further, 48 percent of MCOs that conducted prepayment or postpayment reviews of suspected providers (15 of the 31) did not report all of these actions to the State. When States are unaware of actions taken against providers suspected by the MCO of fraud or abuse, they are unable to effectively monitor these providers across the States’ Medicaid programs. This means suspected providers can potentially defraud other MCOs within the State or the fee-for-service component of the Medicaid program. Exhibit 2: MCOs took corrective actions but did not always report these actions to the State. Prepayment/Postpayment Review Provider Education Suspension of Payment Corrective Action Plan 0 5 10 15 20 25 30 35 MCOs reported all actions MCOs did not report all actions Source: OIG analysis of MCO data, 2017. MCOs sometimes terminated the contracts of providers suspected of fraud or abuse but did not always notify the State In addition to corrective actions, the MCO can terminate the contract of suspected providers and remove them from its network. In total, 23 MCOs terminated 5 percent (252 of 4,724) of providers that were suspected of fraud or abuse. Although they were not necessarily required to do so, these MCOs did not always notify the State about these terminations.43 It is ___________________________________________________________ 43 During 2015, Federal regulations did not require MCOs to report terminations. States may require MCOs to report this information as part of their contracts with MCOs. In addition, the final rule requires the MCO to notify the State about changes in a provider’s circumstances, including termination of a provider agreement (42 CFR § 438.608(a)(4)); however, the final rule does not further specify what type of information MCOs need to report. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 12 OEI-02-15-00260 important for MCOs to notify the State about terminations and other reasons that providers leave the network. This allows States to monitor these providers and perhaps take other actions—such as terminations at the State level so that they do not defraud other parts of the Medicaid program. In addition, if the State takes steps to terminate such providers from its Medicaid program, it has broader implications to protect other Medicaid programs, Children’s Health Insurance Program (CHIP), and Medicare.44 Specifically, 18 MCOs terminated the contracts of a total of 179 providers “for cause.”45 Three of these MCOs reported they did not typically notify the State when terminating providers for cause.46 It is important for MCOs to pursue for-cause terminations and notify the State of terminated providers, and identify terminations resulting from suspected fraud or abuse so the State may take additional actions. See Exhibit 3. Exhibit 3: MCOs sometimes terminated suspected providers but did not always notify the State. For Cause Termination Not For Cause Termination 0 5 10 15 20 MCOs Terminated providers and notified the State Terminated providers and did not notify the State Source: OIG analysis of MCO data, 2017. ___________________________________________________________ 44 When a provider is terminated for cause by Medicare or any State’s Medicaid program or CHIP program, and the termination is included in the Department of Health and Human Services termination database, other State Medicaid programs must terminate the providers. Social Security Act § 1902(a)(39); 42 CFR 455.416(c). Beginning July 1, 2018, States are required to report specific data about provider terminations to HHS within 30 days of a termination. 21st Century Cures Act, P.L. No. 114-255 § 5005 (Dec. 13, 2016). 45During 2015, there were no Federal laws or regulations regarding an MCO’s termination of a provider and no definition of “for cause” terminations for MCOs. However, for the purposes of this study, we assessed “for cause” MCO terminations consistent with the definition of “termination” in 42 CFR § 455.101 that applied to State Medicaid programs. 46MCOs in this study pursued for-cause terminations for reasons of fraud, integrity, or quality; they also pursued terminations for other noncause reasons. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 13 OEI-02-15-00260 Twelve MCOs terminated a total of 73 provider contracts “not for cause” in 2015. MCOs may opt to terminate the provider contract not for cause if they want to remove the suspected provider from the network in a timely manner to protect their network. It allows the MCO, as one official noted, to “just agree to part ways, so that we would not have to work with [the provider] anymore.” Two of these 12 MCOs did not typically notify the State when terminating providers’ contracts not for cause.47 In making the decision to terminate a provider, MCOs consider a number of factors. For example, MCO officials noted that terminations expose the MCO to potential litigation filed by terminated providers, which can be time consuming. Other State and MCO officials noted potential adverse effects on members, including network disruptions and access issues. In addition, 4 MCOs did not renew the contracts of a total of 30 providers suspected of fraud or abuse. Further, 7 MCOs reported that a total of 99 of the suspected providers opted not to renew their contracts and thus left the respective MCOs’ network. As one MCO official noted, this can occur when the provider becomes aware that the MCO is monitoring their behavior, or when the MCO takes some kind of corrective action against the provider. If MCOs are not terminating the contracts of providers for cause and allowing them simply to leave the network, they are able to join other MCO networks in the State or be a fee-for-service provider, potentially defrauding other parts of the Medicaid program. MCOs have responsibilities for ensuring the integrity of Medicaid. They are MCOs did not responsible for identifying and recovering overpayments that are associated always identify and with fraud or abuse and overpayments not associated with fraud or abuse, recover such as billing errors. MCOs reported identifying and recovering a range of overpayments overpayments; however, some MCOs reported identifying and recovering few overpayments. It is essential for MCOs to identify and recover overpayments as this information is factored into future payments to the MCO.48 Overpayments associated with fraud or abuse. MCOs did not always identify overpayments associated with fraud or abuse. In total, the 38 MCOs identified $57.8 million in 2015; the median amount identified was $402,000 per MCO. However, four of these MCOs identified no such payments. ___________________________________________________________ 47 In total, 9 of the 38 MCOs did not typically notify the State. The State factors the amount of the overpayments recovered into the rates received by the 48 MCO in subsequent years. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 14 OEI-02-15-00260 Moreover, MCOs did not always recover overpayments associated with fraud or abuse from providers. Overall, MCOs recovered overpayments equal to 22 percent of the amount they identified. However, this amount varied greatly. Seven of these MCOs recovered overpayments equal to 2 percent or less of the amount they identified, whereas, six MCOs recovered the same amount they identified in 2015. See Exhibit 4. Exhibit 4: MCOs did not always identify and recover overpayments. (dollars in millions) Overpayments associated with $57.8 $12.5 fraud or abuse Overpayments not associated $831.4 $561.4 with fraud or abuse $900 $0 $900 identified recovered Source: OIG analysis of MCO data, 2017. MCO and State officials noted several factors that limited MCOs’ ability to recover overpayments associated with fraud or abuse. They explained that if a case is accepted by the State, the MCO is prohibited from collecting the payments or instructed to wait until after the case is resolved.49 One MCO official reported that this has been a “sore spot,” preventing the MCO from recovering a greater amount of these payments. Overpayments not associated with fraud or abuse. In contrast, MCOs were more likely to identify and recover overpayments, such as erroneous billing, not related to fraud. In total, the 38 MCOs identified $831.4 million in overpayments in 2015; the median amount identified was $7.1 million per MCO.50 Six of these MCOs did not identify any overpayments. On average, the MCOs recovered overpayments equal to two-thirds of the amount they ___________________________________________________________ 49This may also be true if the case is accepted by Federal or State law enforcement authorities. 50MCOs may have defined overpayments differently, which could explain some of the variance. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 15 OEI-02-15-00260 identified. Eight MCOs recovered the same amount of overpayments they identified in 2015. Reporting of recoveries. One factor that may lead to greater identification of overpayments associated with fraud or abuse and overpayments not associated with fraud or abuse is reporting of recoveries.51 MCOs that reported these payments to the State generally identified more overpayments than MCOs that did not have these requirements. Notably, the 22 MCOs that reported overpayments not associated with fraud or abuse to the State identified a median of $19.8 million in these types of overpayments. Conversely, the 10 MCOs in States that did not have these requirements identified a median of $4.1 million in overpayments. State officials explained that requiring MCOs to report their recoveries to the State incentivizes MCOs to open more cases and recover more money; one State official noted it also provides a baseline for the State to measure MCOs’ performance. MCOs and State officials reported that additional incentives may encourage MCOs to identify and recover overpayments associated with fraud or abuse MCOs and States offered several options to increase the identification and recovery of overpayments associated with fraud or abuse.52 A number of MCO and State officials noted that additional ways to further incentivize MCOs would be beneficial. Notably, for some MCOs, their State applies a “finders keepers” policy that allows whichever entity that identified the case —the MCO or the State—to share in the State recoveries.53 State officials noted that this strategy can introduce positive competition among the MCOs as well as with the State to identify and recover these overpayments. However, the State did not always clearly communicate its policies to MCOs. Further, policies differ by State and, in many instances, the State largely determines who retains the recoveries on a case-by-case basis. As one MCO official explained, if the State does not communicate “a firm stance ___________________________________________________________ 51 Statesmay require MCOs to report this information as part of their contracts with MCOs. The final rule, 42 CFR § 438.608(a)(2), requires prompt reporting of all overpayments, specifying those resulting from potential fraud. CMS has not further defined these requirements. 52During 2015, Federal regulations did not specifically require MCO contracts to include provisions related to identifying and reporting overpayments. The final rule requires MCOs to promptly identify and report overpayments and also requires States to include overpayment retention policies in their MCO contracts. 42 CFR §§ 438.608(a)(2) and 438.608(d). “Finders keepers” policies do not typically apply to recoveries from cases pursued by the 53 MFCU. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 16 OEI-02-15-00260 [on which entity is] able to get some of the money back, there is no incentive for the MCO.” MCO and State officials also noted the lack of incentives for MCOs to proactively invest resources to effectively prevent overpayments related to fraud or abuse and implement cost avoidance measures. For example, one MCO official explained that MCOs do not have incentives to conduct proactive data analysis or take actions to put providers on prepayment review to prevent “bad dollars from going out the door.” Several MCO and State officials noted the need to figure out how to measure these cost- avoidance efforts and then to explore ways that incentivize MCOs to continue to pursue and expand these activities. Selected States The five selected States we reviewed engage in a number of activities that enhance MCOs’ efforts to identify and address fraud or abuse.54 employ a number of Specifically, these States facilitate cooperation and information sharing strategies to among MCOs, provide ongoing training and education, require additional improve MCOs’ information from MCOs, and use encounter data to conduct their own efforts proactive data analysis (although these data have limitations). As one State official noted, a strong State role in identifying and addressing provider fraud in the Medicaid program is an asset to State activities that enhance MCO efforts MCOs and  Facilitating cooperation and information complements their sharing among MCOs efforts.  Providing education and training to States facilitate strengthen MCOs’ efforts cooperation and  Requiring additional MCO information to information sharing improve fraud identification among MCOs MCO and State  Using MCO encounter data to identify officials noted the fraud or abuse importance of States in fostering a collaborative relationship and promoting information sharing among the different MCOs operating in that State. In particular, they emphasized the value of the State in facilitating regular, structured meetings with the MCOs to discuss specific cases as well as broader fraud and abuse trends to improve identification efforts. As one MCO official reported, “information is very useful for us. . . . We run it through analytics to determine if we are impacted, and it has led to other cases for us.” ___________________________________________________________ 54 This section is primarily based on information from the structured interviews with officials from the 5 States and the 5 MCOs; it also includes some information from the survey of 38 MCOs. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 17 OEI-02-15-00260 States also play an important role in communicating and collaborating with MCOs to strengthen their investigation of cases. According to one MCO official, “the collaboration is very much a bonus.” State officials also supported the investment in relationships with MCOs to ensure information is effectively moving back and forth, noting a significant increase in volume and improvement in quality of information because of these efforts. As one State official explained, “When you collaborate and work together, you will get better results—MCOs cannot do it alone or in a vacuum.” States provide education and training to strengthen MCOs’ efforts State officials reported that providing ongoing education and training to MCOs has been a successful strategy for improving identification and referral of fraud and abuse. For example, the training not only Healthcare Fraud Prevention brings together SIU staff and Partnership other specialists—including case managers, care Several MCOs supported the Healthcare coordinators, and credentialing Fraud Prevention Partnership, which staff—from the respective includes private and public partners MCOs to share information but dedicated to detecting and preventing also develops a common fraud by exchanging data and sharing understanding of what makes a successful antifraud practices across good referral. One State official public and private sectors. explained: “We have worked really hard to target education of the MCOs and their SIUs as a best practice.” State officials also highlighted the value of including the MFCU and other law enforcement agencies in the training. According to one State official, these agencies often explain the actions taken by the State after a case is referred and the process for recovering overpayments associated with fraud or abuse identified by the MCOs. State-sponsored education and training has been so effective in many States that MCOs have requested more frequent training and training on additional topics. States sometimes require MCOs to standardize information to improve fraud identification Officials from selected States noted the value of standardizing templates for MCOs to use to refer cases of suspected fraud or abuse and to provide regular updates to the State. Collecting consistent data and developing a common language to define terms enable States to aggregate MCO data and compare data across plans. As one State official explained, MCOs had been referring cases using individualized forms and long narratives, which made it difficult to identify actions or focus the investigation. After the State trained MCOs to use a standardized referral form with illustrative examples, the quality and consistency of referrals improved. Another State reported Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 18 OEI-02-15-00260 similar success with standardized reporting forms. States use MCO encounter data to identify fraud or abuse, but these data have limitations States use encounter data to conduct their own analysis to identify fraud or abuse in Medicaid. Encounter data are submitted by the MCOs to the State. Encounter data typically include detailed information regarding the services provided to Medicaid enrollees and are essential for fraud detection. State and MCO officials Need for Better Encounter Data To highlighted the importance of Improve State Proactive Data States using encounter data to Analysis conduct proactive data analysis and help safeguard Medicaid. One State recently implemented a According to one State official, promising home health initiative “encounter data is the key to combining data from both fee-for- everything.” In particular, this service and MCO plans to identify State official noted that the State high-risk providers and conduct joint is better positioned to use on-site audits. Although this was a encounter data to see the successful partnership, the State behaviors and trends of needed to go back to the MCOs providers across all MCOs in the repeatedly to request data so that it State, compared to MCOs that could proactively identify providers to can only look at the encounter target for review. data for their individual plans. As this State official further explained, the State generates a lot of leads and flags from its predictive analytic program, which it then provides to its MCOs to determine whether each MCO has problems with these providers. Although the quality of the encounter data has improved in recent years, State officials reported concerns about the accuracy, completeness, and level of detail of the encounter data. Further, State officials reported challenges with aligning data from different MCOs, such as inconsistencies in definitions or level of granularity. For example, one State official noted that the State needed to request additional data from the MCOs using a standardized template, including uniform service codes and variables. He noted that the State would appreciate having more robust encounter data, adding that it would be ideal if encounter data were as close to fee-for- service claims data as possible. Some States have sought to incentivize MCOs to improve encounter data by establishing financial penalties for encounter data that are not accurate, complete, or timely. For example, one State official reported withholding a proportion of the amount that States pay MCOs for incomplete encounter data. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 19 OEI-02-15-00260 CONCLUSION AND RECOMMENDATIONS Fraud, waste, and abuse in Medicaid cost States billions of dollars every year. As managed care in Medicaid has grown, MCOs play an increasingly important role in combatting fraud and abuse, as they can scrutinize the activities of providers in their networks. Along with States, MCOs are essential to safeguarding the Medicaid program and taxpayer dollars. Yet weaknesses exist in MCOs’ efforts to identify and address fraud and abuse in Medicaid. These weaknesses center around two themes: (1) some MCOs identified and referred few cases of suspected fraud or abuse, and (2) some MCOs identified and recovered few overpayments, including those associated with fraud or abuse. The second indicates limited MCO and State communication. MCOs took actions against providers suspected of fraud or abuse, but they did not typically inform the State about those actions, including when MCOs terminated the provider contracts for reasons associated with fraud or abuse. The weaknesses suggest that MCOs need additional incentives to identify and refer cases and identify and recover overpayments. The five States we reviewed employ a number of strategies to address these weaknesses and strengthen the incentives. These strategies include providing education and training as well as facilitating information sharing among MCOs. They also include exploring financial incentives, such as a “finders keepers” policies, to increase the identification, reporting, and recovery of overpayments. As it moves forward with the implementation of the final rule, CMS should take the information in this report into account. The Medicaid managed care final rule is a step forward in strengthening Medicaid program integrity in managed care. The report shows that requiring MCOs to report fraud, waste, and abuse to the State and report the overpayments they identify and recover are important provisions in the final rule for strengthening program integrity in Medicaid. The report reveals that States must commit to taking needed steps to improve program integrity. It also shows that CMS and States have opportunities to work together to make improvements in MCOs’ efforts to identify and address fraud and abuse. These improvements will further protect the integrity of Medicaid and help ensure taxpayer dollars are spent appropriately. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 20 OEI-02-15-00260 To that end, we recommend that CMS work with States to: Improve MCO identification and referral of cases of suspected fraud or abuse CMS should provide technical assistance to States and share best practices with them to improve MCOs’ efforts to identify and refer cases of suspected fraud or abuse. To improve the identification of suspected fraud or abuse, CMS should focus on assisting States with developing MCOs’ capacity to conduct proactive data analysis. Further, CMS should provide information about innovative ways to incentivize MCOs to conduct such analysis more regularly and more effectively. CMS should also work with States to increase the States’ own use of proactive data analysis to support MCOs’ efforts. Specifically, CMS should provide technical assistance to bolster States’ efforts to conduct proactive data analysis to identify cases of fraud or abuse. On the basis of this analysis, the State could then provide tips and trends to MCOs throughout the State. To improve referrals of suspected fraud or abuse, CMS should provide technical assistance to States about how to improve MCOs’ referrals. It should share information with States about ways to hold MCOs accountable and incentivize MCOs to provide a greater number of quality referrals. For example, CMS could provide information about developing benchmarks for quality referrals and share best practices and contract provisions that have been used by States to incentivize MCOs, including financial bonuses for meeting benchmarks, or penalties for failing to do so. Additionally, CMS should identify and share best practices with States about increasing MCO program integrity staff, whether in an SIU or otherwise, that are dedicated to the State to improve MCOs’ identification and referral of fraud and abuse cases. This should include sharing contract provisions designed to improve program integrity performance as well as strategies such as requiring MCOs to have a certain number of staff per enrollee and staff with specific expertise or who are physically located in the State. Increase MCO reporting of corrective actions taken against providers suspected of fraud or abuse to the State CMS should work with States to increase MCO reporting of actions that MCOs take against providers suspected of fraud or abuse. These actions include conducting prepayment and postpayment reviews and initiating corrective action. MCOs are not required to report these actions to the State as part of the final rule. CMS should identify and share best practices—including contract provisions—with States to increase MCOs’ reporting of these actions. This information would provide comprehensive and actionable information to the State. It would alert the State that suspected fraud or abuse was serious enough to warrant corrective action Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 21 OEI-02-15-00260 by the MCO; it also allows the State to share this information with other MCOs in the State to see if any larger patterns raise concerns. Clarify the information MCOs are required to report regarding providers that are terminated or otherwise leave the MCO network CMS should work with States to clarify the information that MCOs should report to the State when a provider’s circumstances change. The final rule requires MCOs to notify the State about a change in a provider’s circumstances that may affect the provider’s eligibility to participate in managed care, including termination of the provider agreement. However, the rule does not specify what information MCOs need to report. CMS should clarify the information that MCOs are required to report regarding providers that are terminated for cause. In addition, CMS should encourage States to collect additional information about providers suspected of fraud or abuse. Specifically, CMS should share best practices and model contract language to encourage States to require MCOs to notify the State when a provider suspected of fraud or abuse (1) is terminated not for cause, (2) is removed from the network because of nonrenewal of the provider contract by the MCO, or (3) voluntarily leaves the network. This information will bolster the State’s program integrity efforts and help better protect the Medicaid program. Knowing the action that MCOs take is important for States to consider when taking their own actions. This information allows States to better monitor these providers and perhaps take other actions so that these providers do not defraud other parts of the Medicaid program. Identify and share best practices about payment retention policies and incentives to increase recoveries The new rule requires MCOs to promptly report all overpayments identified or recovered. This reporting will help to hold MCOs more accountable and is one policy that has shown to increase recoveries. However, additional policies or incentives may be needed to further increase recoveries. To that end, CMS should identify States that have such policies and incentives in place, including finders keepers or other arrangements. CMS should share this information with States to help them clarify the circumstances in which the State or the MCO retains the recoveries. States can also use this information to create stronger incentives for MCOs to increase recoveries. Improve coordination between MCOs and other State program integrity entities CMS should provide assistance to States to help facilitate improvement of communication and coordination between MCOs and State-level program integrity entities. These entities include Medicaid Program Integrity Units, Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 22 OEI-02-15-00260 MFCUs, State Offices of Inspector General, State auditors, and others. As part of its efforts, CMS should identify and share best practices with States. Examples of these best practices could include holding regular meetings with all MCOs and the State program integrity entities and sharing tips of providers suspected of fraud or abuse. Best practices could also include using regular meetings to inform MCOs of emerging fraud trends, to educate MCOs about processes and regulations, and to train MCOs about fraud identification and quality referrals. Standardize reporting of referrals across all MCOs in the State CMS should work with States to standardize referrals across MCOs in the State. For instance, CMS could identify and provide examples of model forms with standardized fields, clear definitions, and examples to States. Consistent, standardized reporting of referrals would benefit States by improving the accuracy and completeness of the data. This enables the State to more effectively aggregate and analyze the referrals across all MCO plans. Ensure that MCOs provide complete, accurate, and timely encounter data CMS should work with States to improve submission of complete, accurate, and timely encounter data by MCOs. The final rule strengthens encounter data requirements and standardizes the types of data and the level of detail required. CMS should work with States to ensure that MCOs provide data that are accurate, complete, and timely and meet these requirements. To accomplish this goal, CMS should share best practices and contract provisions with States that help ensure MCOs are providing data that meet these standards. CMS should also work with States to provide information about including penalties for incomplete or inaccurate encounter data in their MCO contracts. Monitor encounter data and impose penalties on States for submitting inaccurate or incomplete encounter data CMS should continue to monitor encounter data submitted by States and use its authority to impose penalties on States for submitting inaccurate or incomplete encounter data, when appropriate. Specifically, OIG continues to support a recommendation made in a prior report that CMS monitor encounter data submitted by States.55 In addition, CMS should monitor encounter data to ensure that all of the new data provisions in the final rule are being met. These provisions standardize the level of detail and format of the data and allow CMS to penalize States for noncompliance when these provisions are not being met. CMS should also use the authority provided ___________________________________________________________ 55 OIG, Not All States Reported Medicaid Managed Care Encounter Data as Required (OEI-07-13-00120), July 2015. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 23 OEI-02-15-00260 in the final rule to impose appropriate penalties. Such actions would result in improved data quality and would better enable States to leverage their unique ability to analyze aggregated MCO data across the State to identify fraud or abuse patterns that may not be apparent to a single MCO. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 24 OEI-02-15-00260 AGENCY COMMENTS AND OIG RESPONSE CMS concurred with all but one of our recommendations. CMS concurred with our first recommendation and noted that it will work with States to provide technical assistance and education to identify and share best practices to assist States in improving MCO identification and referral of cases of suspected fraud or abuse. CMS concurred with our second and third recommendations related to MCO reporting. CMS stated that it will work with States to discuss increasing the scope of reporting that results in actionable information to increase MCO reporting of corrective actions taken against providers suspected of fraud or abuse to the State, in line with CMS’s authority under the final rule. CMS also stated that it will clarify the information MCOs are required to report regarding providers that are terminated or had a change in circumstance that may affect their ability to participate in the Medicaid program, in line with CMS’s authority under the final rule. OIG supports reporting information about actions taken against providers and reasons for providers’ change in circumstance in addition to the information required in the final rule. This information will improve States’ ability to address fraud and abuse in Medicaid. In addition, CMS concurred with our fourth recommendation, noting that it will work with States to share best practices about payment retention policies and incentives to obtain recoveries. It concurred with our fifth recommendation, stating that it will work with States to improve coordination between MCOs and other State program integrity entities through regularly scheduled outreach and training courses. CMS did not concur with our sixth recommendation to work with States to standardize reporting of referrals across all MCOs in the State. CMS noted that State flexibility is an important feature of the Medicaid program and that States have the flexibility to decide whether standardization would be beneficial to their managed care environment. While OIG agrees that State flexibility is an important feature of the Medicaid program, OIG continues to support working with States to develop a standardized template for MCOs, which can reduce provider burden and improve the quality and consistency of referrals. Finally, CMS concurred with our final two recommendations to improve managed care reporting of encounter data. CMS stated that it will provide guidance and technical assistance that States can use to collect more complete, accurate, and timely encounter data. CMS also stated it will continue to monitor encounter data that States submit and that, to the extent necessary, it will use its authority to impose appropriate penalties on States submitting inaccurate or incomplete encounter data. For the full text of CMS’s comments, see Appendix C. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 25 OEI-02-15-00260 APPENDIX A: Total number and median number of cases identified and referred by MCOs Seven MCOs identified fewer than 30 cases of suspected fraud or abuse in 2015.1 Median=106 cases 0 250 500 750 1,000 1,250 Two MCOs identified 0 cases of suspected fraud or abuse in 2015. 1 Source: OIG analysis of MCO data, 2017. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 26 OEI-02-15-00260 MCOs referred fewer than 10 cases of suspected fraud or abuse in 2015.2 Median=19 cases 0 100 200 300 2 Two MCOs identified and referred 0 cases of suspected fraud or abuse in 2015 Source: OIG analysis of MCO data, 2017. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 27 OEI-02-15-00260 APPENDIX B: Detailed Methodology Survey of MCOs To identify the MCOs to survey, we first contacted all 50 States and Washington, D.C., to request information about MCOs that offered comprehensive full-risk plans in 2014 and in 2015. In total, we identified 38 States with such MCOs. From each of these States, we selected the MCO with the largest Medicaid expenditures to survey for this study.56 We then surveyed and collected data from each of these 38 MCOs. We conducted this survey in March and April 2016. We received a response from all 38 MCOs. We asked about the number of cases of suspected fraud or abuse that each MCO identified and referred to the State in 2015. We also asked about the actions the MCO took to address suspected of fraud or abuse, including terminating providers’ contracts. In addition, our questions focused on the amount of overpayments, including those associated with fraud or abuse that the MCO identified and recovered in 2015. We analyzed these data by the size of the MCO—measured in terms of Medicaid expenditures and number of Medicaid enrollees—and found that MCO size did not fully explain the number of cases identified or referred or the amount of payments identified or recovered.57 Structured Interviews With Officials From Selected MCOs We conducted structured telephone interviews with officials from five MCOs in five States. We selected MCOs that represented a wide range of practices related to identifying and addressing fraud or abuse. We asked the MCO officials about their strategies to identify and address suspected fraud or abuse and to identify and recover overpayments, including those associated with fraud or abuse. We also asked them about any challenges they faced in identifying and addressing suspected fraud and abuse. We conducted these interviews in May 2017. ___________________________________________________________ 56We based this on 2014 expenditures data reported by States for each MCO. In several instances, MCOs from different States were affiliated with a national corporation. 57 Expenditures for the 38 MCOs ranged from more than $90 million to more than $6 billion in 2015; the median expenditure was $1.06 billion. The sum of all expenditures for the 38 MCOs was $62.2 billion. The number of enrollees in the 38 MCOs ranged from more than 18,000 to more than 1.6 million in 2015; the median enrollment was approximately 231,000. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 28 OEI-02-15-00260 Structured Interviews With Officials From Selected States We conducted structured interviews with officials from the State Medicaid agencies in the same five States as the selected MCOs.58 These interviews focused on their States’ strategies to strengthen MCOs’ efforts to identify and address fraud and abuse. We also asked them specifically about the extent to which they use encounter data to identify fraud and abuse. Finally, we asked about any challenges they faced in identifying and addressing suspected fraud and abuse. We conducted these interviews in June 2017. ___________________________________________________________ 58 These officials included representatives from the State Medicaid agency, its program integrity unit or Office of the Medicaid Inspector General, and the Survey and Utilization Review Subsystem. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 29 OEI-02-15-00260 APPENDIX C: Agency Comments Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 30 OEI-02-15-00260 Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 31 OEI-02-15-00260 Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 32 OEI-02-15-00260 Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 33 OEI-02-15-00260 ACKNOWLEDGMENTS Vincent Greiber served as the team leader for this study. Others in the Office of Evaluation and Inspections who conducted the study include Marissa Baron, Jillian Husman, Michael Novello, and Lauren Peterson. Office of Evaluation and Inspections staff who provided support include Clarence Arnold and Kevin Manley. This report was prepared under the direction of Jodi Nudelman, Regional Inspector General for Evaluation and Inspections in the New York regional office, and Nancy Harrison and Meridith Seife, Deputy Regional Inspectors General. To obtain additional information concerning this report or to obtain copies, contact the Office of Public Affairs at Public.Affairs@oig.hhs.gov. Weaknesses Exist in MCOs’ Efforts To Identify and Address Fraud and Abuse 34 OEI-02-15-00260 ABOUT THE OFFICE OF INSPECTOR GENERAL The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components: Office of Audit The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit Services work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS. Office of Evaluation The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable and Inspections information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations. Office of The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, Investigations operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties. Office of Counsel to The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and the Inspector operations and providing all legal support for OIG’s internal operations. General OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.