The General Accounting Office issued a report Thursday criticizing the Centers for Medicare and Medicaid Services, saying that the agency has not addressed system vulnerabilities that have allowed $231 million in improper payments.
The agency operated a congressionally-mandated demonstration project for three years through March 2008 to see if recovery audit contractors (RACs) could identify Medicare improper payments and recoup overpayments.
According to the GAO, the demonstration project discovered that RACs identified $231 million in overpayments, some of which involved paying duplicate claims for the same service. The finding may be seen as an indication that the RAC process has only scratched the surface.
"However, the agency did not develop a plan to take corrective action or implement sufficient monitoring, oversight, and control activities to ensure these significant vulnerabilities were addressed," the GAO said. "Thus, CMS did not address significant vulnerabilities representing $231 million in overpayments identified by the RACs."
Five years after the start of the demonstration project, the agency said, "CMS has not yet implemented corrective actions for 60% of the most significant RAC-identified vulnerabilities that led to improper payments, a situation that left 35 of 58 unaddressed. These were vulnerabilities for which RACs identified over $1 million in improper payments for medical services or $500,000 for durable medical equipment."
The report added, "CMS did not begin to evaluate the most significant vulnerabilities that resulted in improper payments until almost two years after the program began.
"Agency officials told us they did not anticipate that the RACs would identify such a high volume of improper payments and did not have systems in place to collect data at the beginning of the demonstration project."
Carrying the findings from the demonstration project to the national program, the GAO report said, CMS developed a process to compile vulnerabilities and recommend preventive actions.
"However, this corrective action process lacks certain essential procedures and staff with the authority to ensure that these vulnerabilities are resolved promptly and adequately to prevent further improper payments."
The GAO said CMS did learn some lessons from the demonstration project. The agency "learned that having regular communication with claims administration contractors on improper payment vulnerabilities that the RACs were identifying was important," learned the data warehouse needed more room, and took positive steps to remedy other administrative problems, such as automating the claims adjustment process.
The GAO recommended that the CMS administrator develop and implement policies and procedures to ensure that the agency promptly evaluates RAC audit findings and decides on an appropriate response and timeframe for taking action to correct identified vulnerabilities.
It also recommended that the agency give key personnel authority to ensure that corrective actions are implemented when RACs identify claim payment vulnerabilities.