According to a new Government Accountability Office (GAO) report, state Medicaid programs are not properly screening beneficiaries and providers for fraudulent activity and ineligibility.  The GAO found that states were concurrently paying for beneficiaries, and paying for deceased or incarcerated beneficiaries.  Further, hundreds of providers received improper payments due to problems like suspended licenses or exclusion from federal healthcare programs.  Soon after the GAO report, CMS announced that states must, within one year, implement fingerprint-based criminal background checks (FCBC) for “high-risk” newly enrolling providers or those subject to revalidation.

Examining FY 2011 data from Arizona, Florida, Michigan, and New Jersey, the GAO found that approximately 8,600 beneficiaries had services paid for concurrently by two or more of those states in violation of federal regulations, totaling over $18.3 million.  Furthermore, around 200 deceased beneficiaries corresponded with $9.6 million in benefits after their date of death.  Lastly, approximately 3,600 incarcerated beneficiaries received $4.2 million in benefits, which the GAO labeled as indicating identity theft.  The GAO also found inconsistencies with Social Security numbers and mailing addresses, which likewise implicated millions of dollars in payments of Medicaid benefits.

Additionally, the GAO examined provider payments and found that approximately 90 providers, working with suspended or revoked licenses, received $2.8 million in Medicaid payments.  Another approximately $600,000 in payments were given to deceased providers, excluded providers, or providers with “virtual” (that is, a P.O. Box) mailing addresses.  The GAO also found a number of providers with foreign addresses, or addresses that did not appear in United States Postal Service records.

The report also highlighted steps CMS has already taken to enhance Medicaid enrollment verification and data screening.  Because some of these measures occurred subsequent to FY 2011, GAO noted that some of the problems addressed in its report may now be less of an issue.  Nonetheless, gaps remain, including concerns about data sharing among state Medicaid programs.

Just after the release of the GAO report, on June 1, 2015, CMS sent a letter to all state Medicaid directors directing implementation of FCBCs for “high-risk” provider enrollees.  Under regulations adopted in February 2011, States are required to establish categorical risk levels for types Medicaid providers who pose an increased financial risk of fraud, waste, or abuse, and States must screen initial Medicaid applications and re-enrollment and revalidation applications based on each provider’s categorical risk level.  FCBCs are required for all “high-risk” providers, including any individual with a 5 percent or greater direct or indirect ownership interest in the provider.  CMS’s letter advises that States have 60 days from the date of the letter to begin implementation of the FCBC requirement, and must complete implementation within 1 year. 

If a provider fails to submit to the FCBC, or is determined to have been convicted of a criminal offense related to the person’s involvement with a federal healthcare program within the last 10 years, the state must terminate or deny enrollment.  Although states have some flexibility in categorizing risk, they must at minimum apply Medicare designations of “high” risk.  All home health agencies and durable medical equipment suppliers are “high” risk, as are providers who have had payment suspended or billing privileges revoked within the last 10 years.

If a “high-risk” provider is enrolled in, and therefore presumably already screened by Medicare, state Medicaid agencies are not required to conduct additional FCBCs.  States may also rely on other state Medicaid agency FCBC screening if the provider is enrolled in that other state program and has met certain revalidation requirements.

The GAO report was released May 29, 2015, and is available here.  The CMS guidance was released June 1, 2015, and may be found here.