Government Accountability Office (GAO) Report to Congress Calls For Increasing The Consistency of Requirements Upon Medicare Contractors Performing Post-Payment Review of Fee-For-Service Claims
On August 22, 2013, the United States Government Accountability Office (GAO) publicly released its report of July 23, 2013 to Congressional Requesters on “MEDICARE PROGRAM INTEGRITY: Increasing Consistency of Contractor Requirements May Improve Administrative Efficiency”. The GAO’s findings and recommendations for increasing the consistency of requirements upon the various Medicare fee-for-service contractors conducting post-payment review of claims are summarized below.
In response to bipartisan requests from the leadership of four different Senate and House Committees and three interested subcommittees raising questions about CMS’s use of the many different types of contractors to conduct post-payment claims reviews to identify improper payments in the Medicare fee for service (FFS) program, the United States Government Accountability Office (GAO) conducted a performance audit focused on CMS’s coordination and oversight of the different types of Medicare FFS contractors that perform post-payment claims reviews, whether such claims reviews are effective and efficient, and whether the agency is maintaining an appropriate balance between detecting improper payments efficiently and adding unnecessary administrative burden to providers. The GAO’s audit was conducted between October 2012 and July 2013, and the GAO’s findings, conclusions, and recommendations were released publicly on August 22, 2013, in the form of its report to the congressional requesters dated July 23, 2013, GAO-13-522, titled: MEDICARE PROGRAM INTEGRITY: Increasing Consistency of Contractor Requirements May Improve Administrative Efficiency.
The latest GAO Report follows a number of GAO studies and reports of recent years focused on the increased funding, use, and oversight of contractors by CMS to perform post-payment medical reviews (See, for example, GAO-10-143, “Medicare Recovery Audit Contracting: Weaknesses Remain in Addressing Vulnerabilities to Improper Payments, Although Improvements Made to Contractor Oversight” (March 31, 2010); GAO -11-592, “Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness,” (July 29, 2011); and GAO -13-104, “Medicare Fraud Prevention: CMS Has Implemented a Predictive Analytics System but Needs to Define Measures to Determine Its Effectiveness,” (October 15, 2012). The GAO continues to designate Medicare as a “high –risk program” (as it as for the past 23 years) “because of its size, complexity, and susceptibility to mismanagement and improper payments.” (See GAO-13-283, “High-Risk Series: An Update,” (February 2013). The GAO is the audit, evaluative, and investigative arm of Congress, and its mission focuses on the evaluation of federal programs and policies to provide analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.
The GAO’s recent study of Centers for Medicare & Medicaid Services (CMS) contractors found that over time, Congress has provided for CMS to use contractors to carry out many different functions in connection with the Medicare fee-for-service (FFS) program, which has resulted in the use of several different types of contractors to conduct claims reviews. The GAO’s report noted that the multiple types of Medicare contractors performing post-payment reviews were established by different legislative actions; are managed by different offices within CMS; and have different characteristics and serve different primary functions in the program, all of which affect their use and conduct of post-payment claims reviews. Currently, CMS uses: (1) Medicare Administrative Contractors (MAC), the contractors that process and pay claims, also conduct pre- and post-payment claims reviews and recoup overpayments or remediate underpayments; (2) Zone Program Integrity Contractors (ZPIC), which perform pre- and post-payment claims reviews as a part of investigating potential fraud; (3) Comprehensive Error Rate Testing (CERT) contractors, which estimate the Medicare FFS improper payment rate, in part by conducting post-payment claims reviews on a random sample of claims processed by the MACs; and (4) Recovery Auditors (RA) (also commonly known as Recovery Audit Contractors or RACs), which conduct data analysis and post-payment claims reviews to identify improper payments.
All four types of Medicare contractors performing post-payment reviews conduct complex reviews, in which the contractor examines medical records and other documentation sent by providers to determine if the claims meet Medicare coverage and payment requirements. Medical records and other documentation are reviewed to examine whether the claims that have been paid adhere to Medicare’s requirements (including medical necessity of services), and each contractor should apply the same Medicare coverage and payment requirements in their reviews. However, a number of differences were identified by the GAO, with regard to the requirements applicable to how each of such contractors conducts post-payment reviews.
I. A Brief History - Development of Current Medicare Contractor Roles
The GAO’s recent report of its study of those contractors performing post-payment review re-traces and summarizes the history of the Medicare FFS program’s use of contractors, and the major program administrative changes that have sprung from several legislative acts. In 1965, when Medicare was established, Congress provided for two types of contractors that could be used to administer the program. From then until 1996, responsibility for processing and paying Medicare claims, as well as for the program integrity tasks of developing potential cases and coordinating with law enforcement regarding any investigations of suspected Medicare fraud, resided with contractors called fiscal intermediaries and carriers. Although contractors have been used for Medicare since the beginning of the program, several statutory changes since the 1990’s increased CMS’s resources and authority to use new types of contractors—MACs, RAs, ZPICs, and CERT contractors—to conduct post-payment claims reviews in order to help detect and recoup overpayments or repay underpayments, and to investigate potential fraud.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the Medicare Integrity Program (MIP), which authorized CMS to contract separately for program safeguard contractors (PSC)—the precursor to the ZPICs—to conduct activities, such as identifying and investigating potential fraud, that had previously been conducted by fiscal intermediaries and carriers and provided funding for MIP.
In 2003, the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) required CMS to replace the fiscal intermediaries and carriers with the MACs. During the implementation of the MACs, CMS consolidated the number of contractors that process and pay Medicare FFS claims, enlarged their geographic jurisdictions compared to the previous contractors, and combined Part A and Part B claims processing within each jurisdiction. As part of the changes made while implementing MACs, CMS also transitioned fraud investigation from PSCs to ZPICs in all but one zone.
The Medicare Modernization Act (MMA) also directed CMS to establish a demonstration program to test the use of RAs on a contingency fee basis in the Medicare program. Subsequently, the Tax Relief and Health Care Act of 2006 required CMS to implement a permanent and national Medicare recovery audit contractor program to increase efforts to identify and recoup improper payments.
Although HHS had begun estimating the extent of improper payments in Medicare FFS claims in 1996, the Improper Payments Information Act of 2002 (IPIA) required executive-branch federal agencies to annually review all programs and activities to identify those that are susceptible to significant improper payments, estimate the annual amount of improper payments for those programs and activities, and report such estimates along with actions taken to reduce improper payments for programs with estimates that exceed $10 million. In fiscal year 2003, as part of its IPIA compliance efforts, CMS established the CERT program to measure improper payment rates for Medicare FFS claims, including one CERT contractor that is responsible for reviewing a random sample of claims nationwide, with their related medical records and other documentation to determine if they are proper.
II. What GAO Found
A. Differences In Contractor Oversight.
The GAO’s Report found that in administering the Medicare FFS program, CMS has established and divided the responsibility within CMS for overseeing the four types of contractors between different parts of its matrixed organization. Three different organizational components within CMS—the Center for Medicare (CM), the Office of Financial Management (OFM), and the Center for Program Integrity (CPI)—oversee the four different types of contractors. CM oversees the MACs, which conduct several program integrity activities, including post-payment claims review. CMS’s Provider Compliance Group within the OFM oversees the RAs and CERT contractors. The OFM Provider Compliance Group has the overall responsibility for the oversight of the claims review activity conducted by MACs, RAs, and CERT contractors and for measurement of the FFS improper payment rate. The CPI oversees the ZPICs and has direct responsibility for program activities involved in investigating potential fraud.
B. GAO Finds Differences By Contractor Type In CMS Requirements For Post-Payment Reviews.
To assess the extent of the differences in CMS’s requirements for contractors’ post-payment reviews and whether any differences could impede effective and efficient claims reviews, the GAO examined the most recent statements of work for each contractor type, the relevant chapters from the many CMS Medicare Manuals (current as of May 7, 2013), interviewed CMS officials responsible for management and oversight of the four contractor types and confirmed its analysis of the differences in requirements with agency staff. The GAO also interviewed multiple national trade associations representing a broad cross-section of the many types of Medicare FFS providers who have experienced post-payment claims reviews to obtain information on the effect that the differences in CMS contractor requirements have on providers. In addition, the GAO reviewed white papers sent by health care stakeholders in response to the Senate Committee on Finance’s May 2, 2012 letter requesting suggestions to improve efforts to address Medicare and Medicaid fraud, waste, and abuse. The GAO also interviewed CMS staff working on an internal work group charged with reducing provider burden to gain better understanding of any proposed changes to the requirements.
The GAO identified that CMS has different requirements for many aspects of the post-payment review process when compared across these four contractor types. There are differences in oversight of claims selection, time frames for providers to send in documentation, communications to providers about the reviews, reviewer staffing, and the processes to ensure the quality of claims reviews. For example, while the CERT contractor must give a provider 75 days to respond to a request for documentation before it can find the claim improper due to lack of documentation, the ZPIC is only required to give the provider 30 days.
CMS officials indicated to the GAO that a number of requirement differences across contractors generally developed due to the setting of requirements at different times by staff in different parts of the agency. The GAO noted in its report that some of these differences may impede the efficiency and effectiveness of claims reviews by increasing the administrative burden upon providers. CMS reports that it is moving to standardize the minimum number of days a contractor must give a provider to respond to an Additional Development Request (ADR) before the contractor has the authority to deny the claim.
1. Submission Requirements.
Different types of contractors are subject to different requirements regarding the formats in which they will accept providers’ documentation, whether by paper, fax, or electronic submission. While RAs and the CERT contractor are required to accept submission of files stored electronically on compact discs or digital video discs (DVD), the other contractors are not. CMS has developed a system called electronic submission of medical documentation (esMD) for providers to transmit medical documentation electronically, which began to be adopted by contractors in 2011. Though its use is discretionary, the GAO reported that most of the MACs, all of the RAs, the CERT contractor, and about one-third of ZPICs accept electronic submissions through esMD at the time of the GAO’s review of the available systems. One provider association indicated to the GAO that having all contractors accept electronic submissions, such as submissions of e-documents on compact discs and DVDs, could reduce the administrative burden on providers.
2. Additional Documentation Requests.
Differences in contractors’ requirements for sending ADRs and the timelines for providers’ responses to the contractors were also found and noted by the GAO in its report, including as noted above. In some cases, in addition to reviewing documentation from the provider whose claim is under review, the medical review contractor will also need to review documentation from a third party—such as the provider who referred the beneficiary for the service or item to the service provider whose claim is being reviewed. The MACs, ZPICs, and RAs have the discretion to send a separate ADR to a third-party provider for additional documentation to support the medical necessity of the service or supply. If the service provider cannot obtain the necessary third-party documentation or if the contractor decides that the documentation is insufficient to support the claim, the claim will be denied, but not the third-party’s claim. The CERT contractor is the only one that is required to directly contact the third party for an ADR if the provider being reviewed requests it and the claim exceeds $40.
3. Staffing Requirements-Medical Directors.
The GAO identified that CMS requirements for staffing vary depending on the type of contractor, from the minimum number of medical directors and their responsibilities to the claims reviewers’ qualifications. CMS requirements for the minimum number of medical directors that each contractor must have on staff include the following:(1) A/B MACs must have at least three full-time equivalent (FTE) medical directors on staff, (2) RAs are required to have one FTE medical director on staff, (3) ZPICs are required to have at least one part-time medical director, and (4) the CERT contractor is required to have two FTE medical directors.
The GAO noted further that the overall scope of medical director responsibilities also varies from one type of contractor to the next. For example, in addition to supporting post-payment claims review the MAC medical directors are also responsible for developing local coverage policies, provider outreach and education, oversight of prepayment review, and representing the contractor in appeals. By comparison, while the RA medical directors do not have some of the other responsibilities of the MAC medical directors (beyond post-payment review, as noted above), they have much larger geographic jurisdictions than the MACs. The variances by contractor type in the minimum number of required medical director staff and the scope of medical director responsibilities each contribute to cause differences respectively, by contractor type, in the number of contractor medical directors on staff and the degree of their availability and involvement in the post-payment review process.
4. Requirements for Other Staff Conducting Claims Reviews Also Differ Across Contractors.
Representatives from six different provider associations indicated to the GAO that on the basis of some of the claims review results, their members had questioned whether some reviewers were qualified to review claims, and several associations indicated that erroneous claims reviews have led to appeals that would not have been needed had the determination been correct. With regard to the qualifications CMS requires for contractor medical review staff, the GAO found that requirements differ across contractors. Specifically, CMS requires RAs to use registered nurses (RNs) or licensed therapists in making determinations of medical necessity, but the others may use licensed practical nurses (LPNs). CMS officials reportedly noted to the GAO that making claims reviewers’ staffing requirements more consistent could increase the cost of claims reviews—for example that requiring A/B MACs and ZPICs to hire RNs instead of LPNs to conduct claims reviews would likely increase the contract costs.
CMS also requires RAs and the CERT contractor to employ certified coders to determine compliance with Medicare coding requirements, but does not require MACs or ZPICs to do so. In addition, CMS has a requirement for ZPICs, that when Medicare policy for a given service is not clearly articulated, the ZPICs must involve a medical specialist trained and experienced in providing the type of service being reviewed. There is no similar requirement for the other contractors.
C. Requirements Upon RAs-Lessons Learned From the Recovery Audit Contractor Demonstration Project.
During the course of the RA demonstration program, providers reported several specific problems. From the providers’ perspective the RA’s contingency fee payment structure created an incentive for these contractors to be too aggressive in determining that claims were improper. Providers also faulted CMS for not penalizing RAs for inaccurate claim determinations, noting that contractor determinations resulted in thousands of provider appeals that were expensive and burdensome for providers. In addition, providers stated that during the demonstration project RAs did not have the necessary medical expertise to make their determinations, because they were not required to have a physician medical director on staff or coding experts conducting the claims reviews.
The GAO’s study found that due in part to CMS’s experience with the RA demonstration and issues raised by providers, CMS currently sets more limits through claims review requirements on RAs than on other contractors. CMS took a number of steps to address issues raised by providers about the RA demonstration program when it implemented the RA national program. As a result of lessons learned during the RA demonstration project and to establish tighter controls on RAs, CMS imposed certain post-payment review requirements unique to the RAs when it implemented the national program. For example, RAs are required to limit the number of ADRs made to a single provider during a given period, while the other contractors do not have such limits, and RAs must submit to CMS for review and approval descriptions of the billing issues that they propose to review, and the basis for assessing whether the claims for those services are proper prior to widespread use of such criteria by the RAs.
CMS also put in place more rigorous staffing requirements for RAs and eliminated contingency fee payments when RAs’ claims determinations are overturned on appeal. In addition, CMS took steps to improve oversight of the accuracy of RAs’ claims review determinations and the quality of RA service to providers in the national program. CMS added processes to review the accuracy of RA determinations and established performance metrics to monitor RA accuracy and service to providers.
Similarly, unlike the other contractors, RAs cannot make claim denials for lapses in documentation standards unrelated to reasonableness or medical necessity, such as denials based on illegible physician signatures or dates. Other requirements unique to the RAs include: (1) posting notice on their website of those billing issues (by provider type) targeted for post-payment review; (2) reimbursing certain providers for the expense entailed in providing requested medical records; (3) making claims reviewers’ credentials available upon provider request; (4) providing access to RA staff physicians for discussion of claim denials upon provider request; and (5) giving providers 40 days to request an opportunity to provide additional documentation to the contractor and to informally discuss any revision prior to having to file an appeal.
The GAO reported that representatives of three different provider associations indicated that if certain RA requirements were applied to the other contractors, this could reduce administrative burden and improve the efficiency of claims reviews. Representatives from one provider association indicated that it is valuable for providers to be able to discuss informally any revision to the contractor’s initial claims determination prior to providers filing an appeal. When such discussion results in providers being able to properly explain their billing, it can lessen the administrative burden by reducing the number of appeals filed. Three provider associations also indicated that having a limit on the number of medical records that could be requested in a given time period helps manage the burden of responding to the requests.
D. GAO’s Reported Conclusions.
The GAO concluded that differences in CMS’s post-payment claims review requirements for the four types of contractors may reduce the efficiency and effectiveness of claims reviews by complicating providers’ compliance with the requirements. Differences in requirements may have come about because the contractors’ requirements were developed at different times, the contractors’ activities have changed over time, or because different types of contractors and their associated requirements are managed by different parts of CMS.
While the GAO noted that some of the differences identified may be appropriate given the different functions and responsibilities of the contractors, providers and their representative trade associations generally indicated to the GAO that some of the above differences between contractors and their post-payment review processes have hindered their understanding of and compliance with the claims review process. The GAO observed that having inefficient processes that complicate compliance can reduce the effectiveness of claims reviews and that the current differences are inconsistent with executive-agency guidelines to streamline service delivery and with having a strong internal control environment. The GAO believes that greater consistency in the claims review requirements across contractors may improve the efficiency of post-payment reviews by strengthening the control environment, lessening providers’ confusion, and reducing administrative burdens.
III. GAO’s Recommendations for Executive Action
In order to improve the efficiency and effectiveness of Medicare program integrity efforts and simplify compliance for providers, the GAO Report recommended that: (1) the Administrator of CMS should examine all post-payment review requirements for contractors to determine those that could be made more consistent without negative effects on program integrity; (2) the Administrator of CMS should communicate publicly CMS's findings and its time frame for taking further action; and (3) the Administrator of CMS should reduce differences in post-payment review requirements where it can be done without impeding the efficiency of its efforts to reduce improper payments.
In its comments to the GAO Report, the Department of Health and Human Services (DHHS) concurred with each of the above GAO recommendations, agreed to take steps to reduce differences in post-payment review requirements where appropriate, and noted that CMS had begun examining and reviewing the post-payment requirements. The only specific category of requirements mentioned by DHHS as being under current review are those requirements related to Additional Development Requests (ADRs), which DHHS reported it believes should be standardized across contractors with regard to the minimum number of days a contractor must give a provider to respond to an ADR before the contractor has the authority to deny the claim.
It is expected that the GAO will continue to monitor and review those actions which are identified and implemented by CMS going forward in response to the GAO’s report and recommendations, and that such matters will be the subject of future reviews and reports by the GAO.