Annually, the Office of Inspector General (OIG) prepares a summary of the most significant management and performance challenges facing the Department of Health and Human Services (HHS). OIG refers to this summary as the Top Management Challenges (TMC).
These challenges reflect continuing vulnerabilities that OIG has identified for HHS over recent years as well as new and emerging issues that HHS will face in the coming year. This summary fulfills OIG’s requirement under the Reports Consolidation Act of 2000, Public Law 106-531 to identify these management challenges, assess the Department’s progress in addressing each challenge, and submit this statement to the Department annually.
The TMC acknowledges how under the Affordable Care Act (ACA), HHS has new responsibilities with respect to promoting transparency in the health care industry. For example, OIG cited section 6002 of the ACA—the Physician Payment Sunshine Act—in which HHS will operate a “sunshine” database of information disclosed by applicable manufacturers and group purchasing organizations identifying financial relationships with physicians and teaching hospitals. The ACA also includes provisions that heighten transparency of hospital ownership, nursing facility ownership and management, drug sampling, and drug rebates, as well as provisions that foster more robust consumer information.
OIG maintained that HHS “must issue final regulations and develop effective and efficient operational and technology structures to implement and administer the ACA transparency provisions, including the database required by ACA section 6002.” OIG noted that “CMS continues to assess the requirements for” the Sunshine Act, and said that “CMS should use the additional time it has built into the process by changing the start date for required data collection by applicable manufacturers and group purchasing organizations to January 1, 2013, enabling it to address operational and implementation issues.”
Also of particular interest, OIG said it will continue to use its exclusion authority to protect the Department’s programs and beneficiaries, including considering cases in which excluding responsible corporate officers of sanctioned providers and suppliers is appropriate and monitoring the effect of such an exclusion on recidivism.
Fostering an Ethical and Transparent Environment
Conflicts of interest in the health care system and in Government have been the subject of scrutiny by Congress, the medical community, and the media. With a heightened focus on transparency in the Federal Government and the imperative to use resources efficiently and appropriately, the Department must ensure that employees, grantees, and contractors are free of conflicts of interest or other ethics concerns. However, OIG’s work indicates that the Department can do more to ensure that ethics vulnerabilities and transparency issues related to potential conflicts of interest in the health care arena are identified and addressed.
OIG has found that the Department provides limited oversight of conflicts of interest of FDA clinical investigators, NIH grantees, and Federal employees. For example, in a 2011 report, OIG found that 56 percent of the HHS employees’ conflict-of-interest waivers in our review were not documented as recommended in Government wide Federal ethics regulations, guidance, and the Secretary’s instructions. In another review, OIG found that only 70 of 156 responding NIH grantee institutions had written policies and procedures for addressing institutional conflicts of interest (these policies are not required by law).
HHS’ Office of General Counsel (OGC) has issued guidance concerning waivers to HHS component ethics officials as well as partially implemented a planned increase in both the number of waivers issued to Special Government Employees under 18 U.S.C. §208(b)(3) subject to preclearance by OGC and the scope of the review of such waivers.
To better address identified vulnerabilities related to FDA’s clinical investigators FDA now requires companies applying to market drugs, devices, and biologics to submit a complete list of clinical investigators and either certify the absence of a financial conflict of interest or disclose the nature of the financial arrangement to FDA for each clinical investigator. Additionally, FDA updated the Compliance Program Guidance Manual chapter on clinical investigator inspections to help ensure that clinical investigators submit required financial information to sponsors.
Similarly, NIH has taken actions to address conflict-of-interest vulnerabilities identified among NIH grantees. For instance, NIH published a final rule on August 25, 2011, revising 1995 regulations covering financial conflicts of interest for investigators. It addresses a number of issues related to promoting objectivity in research and addresses an OIG recommendation to require grantee institutions to provide details regarding the nature of financial conflicts of interest and the ways in which they are managed, reduced, or eliminated. Additionally, CMS is drafting a standardized, formal written policy to evaluate potential organizational conflicts of interest.
To encourage an environment of transparency and accountability among contractors, OIG has recommended that CMS:
(1) provide clearer guidance in the Request for Proposal to offerors and subcontractors regarding which business and contractual relationships should be identified as actual conflicts and which should be identified as possible conflicts;
(2) require offerors and subcontractors to distinguish those business and contractual relationships that they deem to be actual conflicts from those that they deem to be possible conflicts;
(3) state whether offerors and subcontractors need to report income amounts, periods of performance, and types of work performed for their contracts with CMS and income amounts generated from key personnel’s other employment;
(4) create a standardized format for reporting information in the Organizational Conflict of Interest Certificate and require its use by offerors and subcontractors; and
(5) develop a formal written policy outlining how conflict-of-interest information provided by offerors should be reviewed by CMS staff.
OIG also recommended that NIH develop regulations governing institutional conflicts of interest, but the final rule did not address our concerns. Instead, in the final rule, NIH states that “[w]e continue to believe that further careful consideration is necessary before PHS [Public Health Service] regulations could be formulated that would address the subject of institutional conflict of interest…” OIG continues to recommend that NIH issue regulations requiring institutions to have a written policy on institutional conflicts. This would provide consistency and clarity to institutions. The Department should ensure compliance with the Secretary’s guidance on conflict-of-interest waivers and their documentation.
Implementing ACA
Significant provisions remain to be implemented for the ACA, most notably the Affordable Insurance Exchanges (the Exchanges), which add a new dimension to the Department’s program landscape. While implementing the Exchanges, HHS must concurrently focus on sound administration of a wide range of new and modified program responsibilities covering reforms to private insurance, Medicare, Medicaid, the Children’s Health Insurance Program, public health service programs, and others. Notable reforms include those that seek to transform Medicare and Medicaid by changing from volume-driven to value-driven payment mechanisms and by focusing on achieving better health and lower costs through promoting coordinated rather than fragmented care.
As with any new initiative, HHS faces substantial challenges in ensuring efficient and effective implementation and administration of the ACA so that the programs achieve their objectives and operate free from fraud waste, and abuse. Developing effective oversight strategies to prevent, detect, and correct any problems that occur is critical. The large number of new and complex program responsibilities under the ACA makes achieving these twin goals challenging.
Responsibility for implementing ACA provisions, administering new and changed programs, and overseeing ACA funding rests with Operating Divisions (OpDiv) and Staff Divisions (StaffDiv) across HHS. Many programs, including the Exchanges, also require close coordination and sharing of sensitive data between the Department and other Federal and State agencies, necessitating effective management of intergovernmental relationships and infrastructure. In addition, the Department will be forging new relationships with private insurers, providers, employers and consumers, all of whom will need clear information about benefits and responsibilities under ACA programs.
HHD and its Government partners have issued and will continue to issue regulations and other guidance for ACA programs. Numerous informational resources are available to inform the public about ACA programs. The Department has taken steps to foster the integrity of new programs, as illustrated by the regulations for the Medicare Shared Savings Program (MSSP), which incorporate a number of specific safeguards intended to mitigate potential vulnerabilities. Although it is too early to assess the outcome of these particular regulations, the Centers for Medicare & Medicaid Services’ (CMS) efforts to integrate program integrity into the initial design of the MSSP is a promising approach that should be replicated in other programs.
OIG stated that HHS and its partners should be vigilant in identifying and addressing existing and emerging fraud, waste, and abuse risk areas across all ACA-related programs. This will require a comprehensive approach to program integrity that integrates effective front-end program gatekeeping, sound payment design, the promotion of provider compliance, vigilant monitoring of program operations and outcomes, and rapid remediation of detected problems. T he Department should continue to apply lessons learned about accountability, transparency, compliance, and risk management from its experience with the American Recovery and Reinvestment Act of 2009 (Recovery Act) and other programs.
Staff overseeing ACA grants and contracts should be trained on effective internal controls and best practices for preventing and detecting fraud, waste, and abuse. Data systems supporting ACA programs must be scrutinized for accuracy and completeness, as well as compliance with security and privacy rules. HHS should continue its efforts to provide stakeholders with clear guidance about ACA programs.
Identifying and Reducing Improper Payments
Improper payments cost Federal programs billions of dollars annually. An improper payment is any payment that should not have been made or that was made in an incorrect amount and includes overpayments and underpayments. For FY 2011, the Department reported improper payments totaling more than $64 billion in the Medicare and Medicaid programs.
The Office of Management and Budget (OMB) identified nine HHS programs as susceptible to significant improper payments: Medicare fee-for-service (FFS or Parts A and B), Medicare Advantage (Part C), the Medicare Prescription Drug Benefit (Part D), Medicaid, the Children’s Health Insurance Program (CHIP), Foster Care, Head Start, Temporary Assistance for Needy Families (TANF), and the Child Care and Development Fund.
Despite departmental efforts to reduce improper payments, OIG has found vulnerabilities in the Department’s ability to identify and eliminate improper payments. CMS relies largely on contractors to prevent and identify improper payments in Medicare and Medicaid. Challenge 6, Ensuring Efficiency and Effectiveness of Medicare and Medicaid Program Integrity Contractors, addresses specific issues associated with contractor oversight and effectiveness. OIG’s analyses of Medicare and Medicaid claims data have revealed improper billing patterns and payments for many services.
In addition, HHS did not fully comply with Executive Order 13520 in its fiscal year 2010 quarterly reports on high-dollar improper payments. HHS’ quarterly reports were incomplete and therefore cannot be used to adequately assess the level of risk of each of HHS’ programs or to determine the extent of existing oversight activities.
OIG found that HHS was in compliance with elements of OMB’s guidance for IPERA reporting for five of the nine programs deemed to be susceptible to significant improper payments: Medicare FFS, Medicare Part D, Medicaid, Foster Care, and Head Start. The Medicare Prescription Drug Benefit program reported an error rate for the first time in FY 2011.
The Department reported reductions in improper payment rates for five of the six programs for which it previously reported improper payment rates (i.e., Medicare FFS, Medicare Advantage, Medicaid, Head Start, and the Child Care and Development Fund). Although the Department reduced the improper payment rate for Medicare Advantage from 14.1 percent to 11 percent and for the Child Care and Development Fund from 13.3 percent to 11.2 percent, rates for both programs remain above 10%.
HHS has taken actions to address some improper payment vulnerabilities. CMS uses the Comprehensive Error Rate Testing (CERT) program as a way to measure the Medicare FFS error rate and as a guide in developing corrective actions to reduce improper payments. C MS analyzes the CERT improper payment data and uses the results to provide feedback to Medicare contractors to enhance their medical reviews, focus on high-risk areas, and reduce improper payments. Additionally, Medicare’s automated systems have edits in place to detect and reject payment for medical services that are physically impossible, such as a hysterectomy for a male beneficiary, and medically unlikely, such as services claimed for which the quantity billed exceeds acceptable clinical limits.
OIG is examining the extent to which Medicare contractors meet error rate reduction plan requirements and the extent to which implementation of these plans affects overall contractor evaluation. Error rate reduction plans describe the corrective actions that contractors plan to take to lower the CERT paid-claims error rate and provider-compliance error rate in their jurisdictions.
To prevent recurrence of improper payments, CMS has made policy and manual changes and has implemented local system edits and CMS Medicare Administrative Contractors have conducted local provider education. Moreover, the ACA expanded the Recovery Audit Contractors (RAC) program from Medicare FFS to identify improper payments in Medicaid and Medicare Parts C and D for recovery and corrective action. OIG work underway is evaluating the results of the RAC program in Medicare.
HHS is also examining techniques used by private sector entities to identify improper payments. In 2011, CMS implemented the Fraud Prevention System (FPS), which is an advanced predictive analytic technology used to conduct data analysis and predictive modeling, to identify improper payment claims as they enter the payment system, and to detect and generate alerts for suspicious billing behavior across provider types.
Additionally, CMS recently started a demonstration to require prior authorizations for certain power mobility devices in seven States with high populations of fraud and error-prone providers. CMS is also exploring ways to leverage existing compliance programs within the provider community to educate providers about payment vulnerabilities.
CMS developed the Payment Error Rate Measurement (PERM) program to review improper payments for Medicaid and CHIP FFS claims, managed care claims, and beneficiary eligibility. Though causes of improper Medicaid payments vary from State to State, PERM helps CMS identify trends and common errors across States. On the basis of PERM results, States are required to submit Corrective Action Plans (CAP) 90 days after they are notified by CMS of their error rates. Many States’ CAPs focus on provider education to reduce improper payment rates.
OIG recommended that HHS should use historical improper payment data to identify the root causes of improper payments. In addition, for Medicare FFS claims, CMS should continue to monitor its payment systems to identify additional edits and prepayment reviews that could identify suspicious claims and prevent improper payments.
HHS should also continue to identify best practices in the private sector that it can use to further prevent improper payments. It should also expand its provider education efforts around program requirements and improper payment vulnerabilities.
Implementation of planned program integrity initiatives, such as evaluating and monitoring risks, identifying and addressing cross-cutting issues, resolving reported grantee audit findings, and sharing best practices across HHS, will help the Department achieve its goal of integrating program integrity into all aspects of its operations and culture.
Preventing and Detecting Medicare and Medicaid Fraud
HHS faces multiple challenges in preventing and detecting these frauds, including:
- effectively using CMS’s provider enrollment and payment suspension authorities against those providers and suppliers that have exploited weaknesses to commit fraud rather than provide legitimate patient care;
- managing the Department’s expanding use of data analysis;
- collecting and maintaining complete and accurate data, particularly Medicaid data from diverse State programs and systems, to support CMS and OIG oversight and enforcement activities;
- monitoring Medicare and Medicaid benefits delivered by private plans for fraud; and
- excluding individuals and entities from Federal health care programs to protect the programs and beneficiaries.
Enrollment and Payment. In February 2011, CMS published a final rule implementing the ACA provisions concerning screening of providers and suppliers on the basis of fraud risk. CMS’s enhanced payment suspension regulations took effect in March 2011. In this rule and subsequent regulations, CMS established three levels of screening for providers (limited, moderate, and high) and designated categories of providers and suppliers to each level. In December 2011, CMS launched its Automated Provider Screening (APS) system, which is designed to identify ineligible providers or suppliers prior to their enrollment or revalidation. CMS completed the procurement of a national contractor to increase efficiency and standardization of provider site visits, and this contractor began performing these visits in January 2012. In addition, CMS plans to increase the frequency of unannounced out-of-cycle site visits.
Data Analysis and Data Quality. Enhanced data analysis made possible the impressive enforcement results of the nine Medicare Fraud Strike Forces, which are part of the Health Care Fraud Prevention and Enforcement Action Team (HEAT). The strike forces are interagency teams of prosecutors and special agents that focus enforcement resources on geographic areas at high risk for fraud. CMS has made claims data available more quickly and efficiently by providing law enforcement increased access to data, including real-time data. Through HEAT, these data are analyzed and inform the deployment of Strike Force teams.
CMS uses FPS to risk-score Medicare FFS claims prepayment and has awarded a contract to develop and test new predictive models for inclusion in the FPS. Additionally, CMS opened its Command Center, which provides a collaborative, multidisciplinary environment for investigators, data analysts, clinicians, and subject-matter experts to work on cases, drive innovation and improvement in predictive modeling, and monitor progress.
Monitoring Medicare and Medicaid Benefits Delivered by Private Plans. CMS has strengthened its oversight of Parts C and D program integrity by auditing Part D sponsors’ compliance plans; issuing guidance regarding Parts C and D sponsors’ program integrity training responsibilities, including identifying invalid prescriber identifiers; and hosting its first annual program integrity conference for Parts C and D sponsors. In 2010, CMS began implementing a broad set of Medicaid initiatives focused on assessing and improving States’ performance in meeting regulatory requirements and ensuring that managed care systems deliver accessible, available, and appropriate services to Medicaid beneficiaries.
Accountability. CMS’s imposition of payment suspensions is one example of the Department’s increased focus on using its administrative tools to ensure accountability. Each year, OIG excludes thousands of individuals and entities from participating in Federal health care programs for a variety of reasons set forth in law, ranging from health care fraud convictions to loss of medical license for professional incompetence. OIG issued guidance on its authority to pursue exclusion of responsible corporate officers of sanctioned providers and suppliers that may otherwise view civil penalties and fines as the cost of doing business. OIG and its law enforcement partners, including the Medicaid Fraud Control Units, also investigate suspected fraud and refer cases to the Department of Justice for criminal and civil adjudication.
CMS has additional opportunities to strengthen the enrollment system, including adopting a more flexible screening approach, tailoring screening measures to fraud risks, and classifying reenrolling durable medical equipment (DME) and home health providers as “high risk” when appropriate. CMS should also focus enrollment scrutiny on providers such as independent diagnostic testing facilities (IDTF) and comprehensive outpatient rehabilitation facilities (CORF), as OIG found that IDTFs and CORFs did not comply with basic Medicare requirements to maintain open and accessible physical locations as reported to and on file with CMS. In addition, CMS should consider instituting temporary enrollment moratoria for certain types of providers in geographic areas at significant risk for fraud, such as home health providers in Florida and Texas.
OIG also recommended that HHS continue to collect and maintain more robust data sets, particularly for State Medicaid programs, as well as further facilitate law enforcement’s access to data. OIG and HHS must also ensure that OIG has the capacity to handle the volume of new fraud referrals that can be expected from CMS’s expansion into predictive modeling and that CMS and OIG coordinate closely on such referrals. CMS should also strengthen fraud and abuse prevention efforts by issuing regulations for mandatory provider compliance plans under sections 6102 and 6401 of the ACA.
CMS must also continue to monitor Medicare Advantage and Part D plans’ implementation of integrity safeguards, provision of covered services to all eligible beneficiaries, and compliance with marketing rules. CMS will also need to oversee plans’ compliance with medical loss ratios and ensure that plans are not inflating their direct health care costs. As States increasingly use managed care to deliver Medicaid services, CMS should require that State contracts with managed care entities (MCEs) include a method to verify with beneficiaries whether services billed by providers were received, and CMS should update guidelines to reflect current concerns expressed by MCEs and States.
Protecting Consumers of Food, Drugs, and Medical Devices
OIG work has revealed weaknesses in FDA’s ability to adequately oversee the safety of drugs, biologics, medical devices, and food.
Ensuring Compliance With Marketing Requirements. OIG recognized that FDA faces ongoing challenges in adequately monitoring and preventing illegal off-label promotional activities.
Inadequate Procedures and Monitoring. OIG has found vulnerabilities in FDA’s oversight of regulatory decisions and monitoring of drugs and medical devices. For example, OIG found weaknesses in FDA’s management of internal scientific disagreements related to regulatory decisions for medical devices under agency review. Other concerns include weaknesses in ensuring the adequate monitoring of adverse-event reporting for medical devices and the accuracy of FDA’s National Drug Code Directory.
OIG is reviewing FDA’s progress in reclassifying high-risk devices cleared under the 510(k) process. OIG is also reviewing FDA’s monitoring of the Risk Evaluation and Mitigation Strategies (REMS) that sponsors are required to submit for drugs associated with known or potential risks that may outweigh a drug’s benefits.
OIG is working with law enforcement partners to investigate and prosecute drug and device manufacturers that engage in illegal activity. HHS and FDA will need to focus on implementing the new Food and Drug Administration Safety and Innovation Act (FDASIA), which was signed into law in July 2012.
Integrity and Security of Health Information Systems and Data
As health care providers modernize their medical recordkeeping and billing systems, the adoption of electronic health records (EHR) and other innovations offer opportunities for improved patient care and more efficient practice management. However, as growing quantities of personal medical information are stored in electronic format, protecting the privacy and security of these data and ensuring the integrity of EHRs is critical. In addition, ensuring the integrity, privacy, and security of sensitive data will be critical to the successful administration of the ACA Exchanges and related programs, including the premium tax credit program.
Data Security. A series of OIG audits revealed that some hospitals lack sufficient security features, potentially exposing patients’ electronic protected health information to unauthorized access. Vulnerabilities included unsecured wireless access, inadequate encryption, authentication failures, and other access control vulnerabilities. OIG also found security breaches in data stored by CMS’s contractors.
Over 5,000 Medicare physician identifiers and almost 300,000 Medicare beneficiary numbers are known to be compromised. Protecting beneficiaries’ and providers’ identifiers is critical because fraud perpetrators often use stolen beneficiary and/or physician identities to submit false claims.
Integrity of EHRs and EHR Investments. Between 2009 and 2021, the Federal Government will spend over $20 billion on the Medicare and Medicaid EHR incentive programs. HHS must ensure that recipients of Medicare and Medicaid EHR incentive payments truly qualify for payment and that policies effectively promote desirable technological practices and outcomes. OIG found shortcomings in Medicaid agencies’ ability to ensure the integrity of their EHR incentive programs and eligibility of providers receiving incentive payments. More than half of Medicare physicians currently use EHR systems. Beginning in 2015, the Department must implement Medicare payment reductions for physicians who cannot demonstrate meaningful use of certified EHR systems.
Finally, EHRs should facilitate more accurate billing and support better quality of care but, when misused, may promote fraudulent billing or inappropriate care. For example, cut-and-paste features and auto-fill templates can reduce paperwork burdens, but can also be misused to fabricate information, generating improper payments and corrupting patients’ records with inaccurate and potentially dangerous information. Similarly, well-designed decision support tools can help physicians select the best care for their patients, but inappropriately designed decision support tools can promote waste and inappropriate care.
HHS has promulgated various rules that address privacy and security of patient information, encourage health care providers to use EHRs, and ensure that record systems are interoperable and facilitate accurate and secure exchange of information between authorized users. HHS has provided guidance to help covered entities comply with privacy and security rules mandated by the Health Insurance Portability and Accountability Act of 1996 and pursued enforcement actions against entities that have failed to do so.
HHS has also addressed, in limited ways, privacy and security matters in its regulations governing Medicare and Medicaid EHR incentive payments. The Department has developed and shared with the States a pre- and post-payment audit toolkit to help States verify eligibility for incentive payments under the Medicaid EHR program.
The Department has implemented numerous recommendations to make its own electronic data more secure. The Department has educated physicians on protecting their provider identifiers and preventing unauthorized individuals from using the physicians’ credentials to order or bill for services. The Department established databases to track compromised beneficiary and provider identifiers and implemented a new remediation process to assist physicians whose identities were stolen and used to submit false bills to Medicare and Medicaid.
In addition, OIG has undertaken educational initiatives, including direct outreach by special agents and dissemination of an identity theft brochure, to help beneficiaries and providers protect themselves from medical identity theft.
OIG recommend that HHS heighten its focus on oversight and enforcement of privacy and security protections to ensure that health care providers and the Department’s own systems and contractors effectively safeguard individuals’ protected health and other sensitive personal information. This should entail continued compliance reviews to ensure adoption of adequate privacy and security standards. HHS should also increase protections for provider and beneficiary identifiers to prevent medical identity theft and better assist beneficiaries whose identifiers have been compromised.
The Department should also provide additional guidance on information technology security standards and best practices that the health care industry should adopt for EHRs. As providers increasingly claim financial incentives for adoption of electronic record and prescribing technologies, strict oversight, including prepayment verification and postpayment auditing, will be essential.