Why GAO did this study. CMS, an agency within the Department of Health and Human Services (HHS), provides health coverage for over 145 million Americans through its four principal programs, with annual outlays of about $1.1 trillion. GAO has designated the two largest programs, Medicare and Medicaid, as high risk partly due to their vulnerability to fraud, waste, and abuse. In fiscal year 2016, improper payment estimates for these programs totaled about $95 billion. GAO's Fraud Risk Framework and the subsequent enactment of the Fraud Reduction and Data Analytics Act of 2015 have called attention to the importance of federal agencies' antifraud efforts. This report examines (1) CMS's approach for managing fraud risks across its four principal programs, and (2) how CMS's efforts managing fraud risks in Medicare and Medicaid align with the Fraud Risk Framework. GAO reviewed laws and regulations and HHS and CMS documents, such as program-integrity manuals. It also interviewed CMS officials and a sample of CMS stakeholders, including state officials and contractors. GAO selected states based on fraud risk and other factors, such as geographic diversity. GAO selected contractors based on a mix of companies and geographic areas served.

What GAO Found. The approach that the Centers for Medicare & Medicaid Services (CMS) has taken for managing fraud risks across its four principal programs--Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the health-insurance marketplaces--is incorporated into its broader program-integrity approach. According to CMS officials, this broader program-integrity approach can help the agency develop control activities to address multiple sources of improper payments, including fraud. As the figure below shows, CMS views fraud as part of a spectrum of actions that may result in improper payments.
CMS's efforts managing fraud risks in Medicare and Medicaid partially align with GAO's 2015 A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). This framework describes leading practices in four components: commit, assess, design and implement, and evaluate and adapt. CMS has shown commitment to combating fraud in part by establishing a dedicated entity--the Center for Program Integrity--to lead antifraud efforts. Furthermore, CMS is offering and requiring antifraud training for stakeholder groups such as providers, beneficiaries, and health-insurance plans. However, CMS does not require fraud-awareness training on a regular basis for employees, a practice that the framework identifies as a way agencies can help create a culture of integrity and compliance. Regarding the assess and design and implement components, CMS has taken steps to identify fraud risks, such as by designating specific provider types as high risk and developing associated control activities. However, it has not conducted a fraud risk assessment for Medicare or Medicaid, and has not designed and implemented a risk-based antifraud strategy. A fraud risk assessment allows managers to fully consider fraud risks to their programs, analyze their likelihood and impact, and prioritize risks. Managers can then design and implement a strategy with specific control activities to mitigate these fraud risks, as well as an appropriate evaluation approach consistent with the evaluate and adapt component. By developing a fraud risk assessment and using that assessment to create an antifraud strategy and evaluation approach, CMS could better ensure that it is addressing the full portfolio of risks and strategically targeting the most-significant fraud risks facing Medicare and Medicaid.
The National Library of Medicine believes this item to be in the public domain.