Chairman Jenkins, Ranking Member Lewis, and Members of the Subcommittee:

I am pleased to appear before you today to discuss ways to better manage Medicare fraud risks that we identified in a recent report. n1 Although there are no reliable estimates of fraud in Medicare, in fiscal year 2017 improper payments for Medicare were estimated at about $52 billion. n2

A recent example illustrates the scope and scale of fraud risks. The Department of Health and Human Services (HHS) Office of Inspector General's (OIG) latest Semiannual Report to Congress highlighted the recent activities of the Medicare Fraud Strike Force (Strike Force). n3 During the period from October 1, 2017, through March 31, 2018, Strike Force efforts resulted in the filing of charges against 77 individuals or entities, 107 criminal actions, and more than $100.3 million in investigative receivables. In one example, a Strike Force investigation led to the conviction of two owners of a medical billing company, who were both found guilty of conspiracy and health-care fraud, for fraudulently billing Medicare for services that were never provided. They also conspired to circumvent Medicare's fraud investigation of one of the owners by creating sham companies. The owners were sentenced to 10 years in prison, and 15 years in prison, respectively, and ordered to pay nearly $9.2 million in restitution.

Overall, HHS OIG and the Department of Justice report annually on monetary and other results of their efforts against health-care fraud and abuse: in fiscal year 2017, about $1.4 billion was returned to Medicare Trust Funds as a result of recoveries, fines, and asset forfeitures. n4

Medicare, which is administered within HHS by its Centers for Medicare & Medicaid Services (CMS), has been on our high-risk list since 1990 n5 because of the size and complexity of the program, and its susceptibility to fraud, waste, and abuse. Medicare covered over 58 million people in 2017 and it has wide-ranging current and long-term effects beyond beneficiaries, the health-care sector, and the overall U.S. economy. The following statistics illustrate the program's impact.

* According to the Congressional Budget Office (CBO), in 2017 Medicare outlays totaled $702 billion. Under current law, the outlays are projected to rise to $1.5 trillion in 2028, growing at about 7 percent a year; that is, faster than the economy, as the population ages and health-care costs rise. n6

* In 2017, these expenditures accounted for 3.7 percent of gross domestic product (GDP) and 17.6 percent of federal outlays. CBO estimates that, in 2028, under current law, Medicare will account for 5.1 percent of GDP and 21.9 percent of federal outlays.

* Over 1 million health-care providers, contractors, and suppliers from across the health sector--including private health plans, physicians, hospitals, skilled-nursing facilities, durable medical equipment suppliers, ambulance providers, and many others--receive payments from Medicare.

Given the size and impact of Medicare on the health-care sector and U.S. economy overall, we recently reported on CMS's fraud risk management efforts relative to GAO's 2015 A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). n7 The Fraud Risk Framework describes key components and leading practices for agencies to proactively and strategically manage fraud risks. Our objectives in the December 2017 report were to determine: (1) CMS's approach for managing fraud risks across its four principal programs (including Medicare) and (2) how CMS's efforts for managing fraud risks in Medicare and Medicaid align with the Fraud Risk Framework.

Drawing from the December 2017 report, my testimony today discusses the extent to which CMS's management of fraud risks in Medicare aligned with the Fraud Risk Framework and the actions needed to better manage fraud risks.

We performed our work on CMS antifraud efforts in Medicare and Medicaid for the December 2017 report under the authority of the Comptroller General to assist Congress with its oversight. The report provides further detail on our scope and methodology. Because this statement focuses on Medicare, we have omitted references to Medicaid in some instances when discussing organizational structure and agency-wide efforts.

We conducted the work in the December 2017 report in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

Medicare is one of four principal health-insurance programs administered by CMS; it provides health insurance for persons aged 65 and over, certain individuals with disabilities, and individuals with end-stage renal disease. n8 See table 1 for information about Medicare's component programs.

Table 1: Summary of Medicare Parts

Medicare program Program description

Medicare Fee-for-Service (FFS) (Parts A and B) Providers submit claims for reimbursement after services have been rendered. Medicare pays providers for each service delivered (e.g., office visit, test, or procedure).

Part A--hospital insurance

Part B--outpatient care

Medicare Advantage (Part C) Alternative to Parts A and B that allows beneficiaries to receive Medicare benefits through a private health plana

Medicare Prescription Drug (Part D) Voluntary, outpatient prescription-drug coverage through stand-alone drug plans or Medicare Advantage drug plans

Source: GAO. | GAO-18-660T

aHealth-insurance plans are paid a predetermined, fixed periodic amount per enrollee. The payment is risk-adjusted based on enrollee diagnoses, but that does not vary based on number or cost of health-care services an enrollee uses.

Medicare is the largest CMS program, at $702 billion in fiscal year 2017. As discussed earlier, according to CBO, Medicare outlays are projected to rise to $1.5 trillion in 2028 (see fig. 1).

Fraud Vulnerabilities and Improper Payments in Medicare

Fraud involves obtaining something of value through willful misrepresentation. There are no reliable estimates of the extent of fraud in the Medicare program, or in the health-care industry as a whole. By its very nature, fraud is difficult to detect, as those involved are engaged in intentional deception. Further, potential fraud cases must be identified, investigated, prosecuted, and adjudicated--resulting in a conviction--before fraud can be established.

As I mentioned earlier, we designated Medicare as a high-risk program in 1990 because its size, scope, and complexity make it vulnerable to fraud, waste, and abuse. Similarly, the Office of Management and Budget (OMB) designated all parts of Medicare a "high priority" program because they each report $750 million or more in improper payments in a given year. n9 We also highlighted challenges associated with duplicative payments in Medicare in our annual report on duplication and opportunities for cost savings in federal programs. n10

Improper payments are a significant risk to the Medicare program and may include payments made as a result of fraud. However, I would note that improper payments are not a proxy for the amount of fraud or extent of fraud risk in a particular program as improper payment measurement does not specifically identify or estimate such payments due to fraud. Improper payments are those that are either made in an incorrect amount (overpayments and underpayments) or those that should not have been made at all.

CMS's Fraud Risk Management Approach

Our December 2017 report found that CMS manages its fraud risks as part of a broader program-integrity approach working with a broad array of stakeholders. CMS's program-integrity approach includes efforts to address waste, abuse, and improper payments as well as fraud across its four principal programs. In Medicare, CMS collaborates with contractors, health-insurance plans, and law-enforcement and other agencies to carry out its program-integrity responsibilities. According to CMS officials, this broader program-integrity approach can help the agency develop control activities to address multiple sources of improper payments, including fraud.

Fraud Risk Management Standards and Guidance

According to federal standards and guidance, executive-branch agency managers are responsible for managing fraud risks and implementing practices for combating those risks. Federal internal control standards call for agency management officials to assess the internal and external risks their entities face as they seek to achieve their objectives. The standards state that as part of this overall assessment, management should consider the potential for fraud when identifying, analyzing, and responding to risks. n11 Risk management is a formal and disciplined practice for addressing risk and reducing it to an acceptable level. n12

In July 2015, GAO issued the Fraud Risk Framework, which provides a comprehensive set of key components and leading practices that serve as a guide for agency managers to use when developing efforts to combat fraud in a strategic, risk-based way. n13 The Fraud Risk Framework describes leading practices in four components: commit, assess, design and implement, and evaluate and adapt, as depicted in figure 2.

The Fraud Reduction and Data Analytics Act of 2015, enacted in June 2016, requires OMB to establish guidelines for federal agencies to create controls to identify and assess fraud risks and design and implement antifraud control activities. The act further requires OMB to incorporate the leading practices from the Fraud Risk Framework in the guidelines. In July 2016, OMB published guidance about enterprise risk management and internal controls in federal executive departments and agencies. n14 Among other things, this guidance affirms that managers should adhere to the leading practices identified in the Fraud Risk Framework. Further, the act requires federal agencies to submit to Congress a progress report each year for 3 consecutive years on the implementation of the controls established under OMB guidelines, among other things. n15

CMS's Efforts Managing Fraud Risks in Medicare Were Partially Aligned with the Fraud Risk Framework

CMS's antifraud efforts partially aligned with the Fraud Risk Framework. Consistent with the framework, CMS has demonstrated commitment to combating fraud by creating a dedicated entity to lead antifraud efforts. It has also taken steps to establish a culture conducive to fraud risk management, although it could expand its antifraud training to include all employees. CMS has taken some steps to identify fraud risks in Medicare; however, it has not conducted a fraud risk assessment or developed a risk-based antifraud strategy for Medicare as defined in the Fraud Risk Framework. CMS has established monitoring and evaluation mechanisms for its program-integrity control activities that, if aligned with a risk-based antifraud strategy, could enhance the effectiveness of fraud risk management in Medicare.

CMS's Organizational Structure Includes a Dedicated Entity for Program-Integrity and Antifraud Efforts

The commit component of the Fraud Risk Framework calls for an agency to commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management. This component includes establishing a dedicated entity to lead fraud risk management activities. n16

Within CMS, the Center for Program Integrity (CPI) serves as the dedicated entity for fraud, waste, and abuse issues in Medicare, which is consistent with the Fraud Risk Framework. CPI was established in 2010, in response to a November 2009 Executive Order on reducing improper payments and eliminating waste in federal programs. n17 This formalized role, according to CMS officials, elevated the status of program-integrity efforts, which previously were carried out by other parts of CMS.

As an executive-level Center--on the same level with five other executive-level Centers at CMS, such as the Center for Medicare--CPI has a direct reporting line to executive-level management at CMS. The Fraud Risk Framework identifies a direct reporting line to senior-level managers within the agency as a leading practice. According to CMS officials, this elevated organizational status offers CPI heightened visibility across CMS, attention by CMS executive leadership, and involvement in executive-level conversations.

CMS Has Taken Steps to Create a Culture Conducive to Fraud Risk Management but Could Enhance Antifraud Training for Employees

The commit component of the Fraud Risk Framework also includes creating an organizational culture to combat fraud at all levels of the agency. Consistent with the Fraud Risk Framework, CMS has promoted an antifraud culture by, for example, coordinating with internal and external stakeholders.

Consistent with leading practices in the Fraud Risk Framework to involve all levels of the agency in setting an antifraud tone, CPI has worked collaboratively with other CMS Centers. In addition to engaging executive-level officials of other CMS Centers through the Program Integrity Board, CPI has worked collaboratively with other Centers within CMS to incorporate antifraud features into new program design or policy development and established regular communication at the staff level. For example:

* Center for Medicare and Medicaid Innovation (CMMI). When developing the Medicare Diabetes Prevention Program, CMMI officials told us they worked with CPI's Provider Enrollment and Oversight Group and Governance Management Group to develop risk-based screening procedures for entities that would enroll in Medicare to provide diabetes-prevention services, among other activities. The program was expanded nationally in 2016, and CMS determined that an entity may enroll in Medicare as a program supplier if it satisfies enrollment requirements, including that the supplier must pass existing high categorical risk-level screening requirements. n18

* Center for Medicare (CM). In addition to building safeguards into programs and developing policies, CM officials told us that there are several standing meetings, on monthly, biweekly, and weekly bases, between groups within CM and CPI that discuss issues related to provider enrollment, FFS operations, and contractor management. A senior CM official also told us that there are ad hoc meetings taking place between CM and CPI: "We interact multiple times daily at different levels of the organization. Working closely is just a regular part of our business."

CMS has also demonstrated its commitment to addressing fraud, waste, and abuse to its stakeholders. Representatives of CMS's extensive stakeholder network whom we interviewed--contractors and officials from public and private entities--generally recognized the agency's commitment to combating fraud. In our interviews with stakeholders, officials observed CMS's increased commitment over time to address fraud, waste, and abuse and cited examples of specific CMS actions. CMS contractors told us that CMS's commitment to combating fraud is incorporated into contractual requirements, such as requiring (1) data analysis for potential fraud leads and (2) fraud-awareness training for providers. Officials from entities that are members of the Healthcare Fraud Prevention Partnership (HFPP), specifically, a health-insurance plan and the National Health Care Anti-Fraud Association, added that CMS's effort to establish the HFPP and its ongoing collaboration and information sharing reflect CMS's commitment to combat fraud in Medicare. n19

The Fraud Risk Framework identifies training as one way of demonstrating an agency's commitment to combating fraud. Training and education intended to increase fraud awareness among stakeholders, managers, and employees serve as a preventive measure to help create a culture of integrity and compliance within the agency. The Fraud Risk Framework discusses requiring all employees to attend training upon hiring and on an ongoing basis thereafter.

To increase awareness of fraud risks in Medicare, CMS offers and requires training for stakeholder groups such as providers, beneficiaries, and health-insurance plans. Specifically, through its National Training Program and Medicare Learning Network, CMS makes available training materials on combating Medicare fraud, waste, and abuse. n20 These materials help to identify and report fraud, waste, and abuse in CMS programs and are geared toward providers, beneficiaries, as well as trainers and other stakeholders. Separately, CMS requires health-insurance plans working with CMS to provide annual fraud, waste, and abuse training to their employees. n21

However, CMS does not offer or require similar fraud-awareness training for the majority of its workforce. For a relatively small portion of its overall workforce--specifically, contracting officer representatives who are responsible for certain aspects of the acquisition function--CMS requires completion of fraud and abuse prevention training every 2 years. According to CMS, 638 of its contracting officer representatives (or about 10 percent of its overall workforce) completed such training in 2016 and 2017. Although CMS offers fraud-awareness training to others, the agency does not require fraud-awareness training for new hires or on a regular basis for all employees because the agency has focused on providing process-based internal controls training for its employees.

While fraud-awareness training for contracting officer representatives is an important step in helping to promote fraud risk management, fraud-awareness training specific to CMS programs would be beneficial for all employees. Such training would not only be consistent with what CMS offers to or requires of its stakeholders and some of its employees, but would also help to keep the agency's entire workforce continuously aware of fraud risks and examples of known fraud schemes, such as those identified in successful HHS OIG investigations. Such training would also keep employees informed as they administer CMS programs or develop agency policies and procedures. Considering the vulnerability of Medicare and Medicaid programs to fraud, waste, and abuse, without regular required training CMS cannot be assured that its workforce of over 6,000 employees is continuously aware of risks facing its programs.

In our December 2017 report, we recommended that the Administrator of CMS provide fraud-awareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis. In its March 2018 letter to GAO, HHS stated that CMS is in the process of developing Fraud, Waste, and Abuse Training for all new employees, to be presented at CMS New Employee Orientations. Additionally, CMS is also developing training to be completed by current CMS employees on an annual basis. As of July 2018, this recommendation remains open.

CMS Has Taken Steps to Identify Fraud Risks but Has Not Conducted a Fraud Risk Assessment for Medicare

The assess component of the Fraud Risk Framework calls for federal managers to plan regular fraud risk assessments and to assess risks to determine a fraud risk profile. n22 Identifying fraud risks is one of the steps included in the Fraud Risk Framework for assessing risks to determine a fraud risk profile.

In our December 2017 report, we discussed several examples of steps CMS has taken to identify fraud risks as well as control activities that target areas the agency has designated as higher risk within Medicare, including specific provider types and specific geographic locations. These examples include

* data analytics to assist investigations in Medicare FFS, including Medicare's Fraud Prevention System (FPS ), n23

* prior authorization for Medicare FFS services or supplies, n24

* revised provider screening and enrollment processes for Medicare FFS, n25 and

* temporary provider enrollment moratoriums for certain providers and geographic areas for Medicare FFS.

CMS officials told us that CPI initially focused on developing control activities for Medicare FFS and consider these activities to be the most mature of all CPI efforts to address fraud risks.

CMS Has Not Conducted a Fraud Risk Assessment for Medicare

The assess component of the Fraud Risk Framework calls for federal managers to plan regular fraud risk assessments and assess risks to determine a fraud risk profile. Furthermore, federal internal control standards call for agency management to assess the internal and external risks their entities face as they seek to achieve their objectives. The standards state that, as part of this overall assessment, management should consider the potential for fraud when identifying, analyzing, and responding to risks. n26

The Fraud Risk Framework states that, in planning the fraud risk assessment, effective managers tailor the fraud risk assessment to the program by, among other things, identifying appropriate tools, methods, and sources for gathering information about fraud risks and involving relevant stakeholders in the assessment process. Fraud risk assessments that align with the Fraud Risk Framework involve (1) identifying inherent fraud risks affecting the program, (2) assessing the likelihood and impact of those fraud risks, (3) determining fraud risk tolerance, (4) examining the suitability of existing fraud controls and prioritizing residual fraud risks, and (5) documenting the results (see fig. 3).

Although CMS had identified some fraud risks posed by providers in Medicare FFS, the agency had not conducted a fraud risk assessment for the Medicare program as a whole. Such a risk assessment would provide the detailed information and insights needed to create a fraud risk profile, which, in turn, is the basis for creating an antifraud strategy.

According to CMS officials, CMS had not conducted a fraud risk assessment for Medicare because, within CPI's broader approach of preventing and eliminating improper payments, its focus has been on addressing specific vulnerabilities among provider groups that have shown themselves particularly prone to fraud, waste, and abuse. With this approach, however, it is unlikely that CMS will be able to design and implement the most-appropriate control activities to respond to the full portfolio of fraud risks.

A fraud risk assessment consists of discrete activities that build upon each other. Specifically:

* Identifying inherent fraud risks affecting the program. As discussed earlier, CMS took steps to identify fraud risks. However, CMS has not used a process to identify inherent fraud risks from the universe of potential vulnerabilities facing Medicare, including threats from various sources. According to CPI officials, most of the agency's fraud control activities are focused on fraud risks posed by providers. The Fraud Risk Framework discusses fully considering inherent fraud risks from internal and external sources in light of fraud risk factors such as incentives, opportunities, and rationalization to commit fraud. For example, according to CMS officials, the inherent design of the Medicare Part C program may pose fraud risks that are challenging to detect. n27 A fraud risk assessment would help CMS identify all sources of fraudulent behaviors, beyond threats posed by providers, such as those posed by health-insurance plans, contractors, or employees.

* Assessing the likelihood and impact of fraud risks and determining fraud risk tolerance. CMS has taken steps to prioritize fraud risks in some areas, but it had not assessed the likelihood or impact of fraud risks or determined fraud risk tolerance across all parts of Medicare. Assessing the likelihood and impact of inherent fraud risks would involve consideration of the impact of fraud risks on program finances, reputation, and compliance. Without assessing the likelihood and impact of risks in Medicare or internally determining which fraud risks may fall under the tolerance threshold, CMS cannot be certain that it is aware of the most-significant fraud risks facing this program and what risks it is willing to tolerate based on the program's size and complexity.

* Examining the suitability of existing fraud controls and prioritizing residual fraud risks. CMS had not assessed existing control activities or prioritized residual fraud risks. According to the Fraud Risk Framework, managers may consider the extent to which existing control activities--whether focused on prevention, detection, or response--mitigate the likelihood and impact of inherent risks and whether the remaining risks exceed managers' tolerance. This analysis would help CMS to prioritize residual risks and to determine mitigation approaches. For example, CMS had not established preventive fraud control activities in Medicare Part C. Using a fraud risk assessment for Medicare Part C and closely examining existing fraud control activities and residual risks, CMS could be better positioned to address fraud risks facing this growing program and develop preventive control activities. n28 Furthermore, without assessing existing fraud control activities and prioritizing residual fraud risks, CMS cannot be assured that its current control activities are addressing the most-significant risks. Such analysis would also help CMS determine whether additional, preferably preventive, fraud controls are needed to mitigate residual risks, make adjustments to existing control activities, and potentially scale back or remove control activities that are addressing tolerable fraud risks.

* Documenting the risk-assessment results in a fraud risk profile. CMS had not developed a fraud risk profile that documents key findings and conclusions of the fraud risk assessment. According to the Fraud Risk Framework, the risk profile can also help agencies decide how to allocate resources to respond to residual fraud risks. Given the large size and complexity of Medicare, a documented fraud risk profile could support CMS's resource-allocation decisions as well as facilitate the transfer of knowledge and continuity across CMS staff and changing administrations.

Senior CPI officials told us that the agency plans to start a fraud risk assessment for Medicare after it completes a separate fraud risk assessment of the federally facilitated marketplace. This fraud risk assessment for the federally facilitated marketplace eligibility and enrollment process is being conducted in response to a recommendation we made in February 2016. n29 In April 2017, CPI officials told us that this fraud risk assessment was largely completed, although in September 2017 CPI officials told us that the assessment was undergoing agency review. CPI officials told us that they have informed CM officials that there will be future fraud risk assessments for Medicare; however, they could not provide estimated timelines or plans for conducting such assessments, such as the order or programmatic scope of the assessments.

Once completed, CMS could use the federally facilitated marketplace fraud risk assessment and apply any lessons learned when planning for and designing fraud risk assessments for Medicare. According to the Fraud Risk Framework, factors such as size, resources, maturity of the agency or program, and experience in managing risks can influence how the entity plans the fraud risk assessment. Additionally, effective managers tailor the fraud risk assessment to the program when planning for it. The large scale and complexity of Medicare as well as time and resources involved in conducting a fraud risk assessment underscore the importance of a well-planned and tailored approach to identifying the assessment's programmatic scope. Planning and tailoring may involve decisions to conduct a fraud risk assessment for Medicare as a whole or divided into several subassessments to reflect their various component parts (e.g., Medicare Part C).

CMS's existing fraud risk identification efforts as well as communication channels with stakeholders could serve as a foundation for developing a fraud risk assessment for Medicare. The leading practices identified in the Fraud Risk Framework discuss the importance of identifying appropriate tools, methods, and sources for gathering information about fraud risks and involving relevant stakeholders in the assessment process. CMS's fraud risk identification efforts discussed earlier could provide key information about fraud risks and their likelihood and impact. Furthermore, existing relationships and communication channels across CMS and its extensive network of stakeholders could support building a comprehensive understanding of known and potential fraud risks for the purposes of a fraud risk assessment. For example, the fraud vulnerabilities identified through data analysis and information sharing with health-insurance plans, law-enforcement organizations, and contractors could inform a fraud risk assessment. CPI's Command Center missions--facilitated collaboration sessions that bring together experts from various disciplines to improve the processes for fraud prevention in Medicare n30--could bring together experts to identify potential or emerging fraud vulnerabilities or to brainstorm approaches to mitigate residual fraud risks.

As CMS makes plans to move forward with a fraud risk assessment for Medicare, it will be important to consider the frequency with which the fraud risk assessment would need to be updated. While, according to the Fraud Risk Framework, the time intervals between updates can vary based on the programmatic and operating environment, assessing fraud risks on an ongoing basis is important to ensure that control activities are continuously addressing fraud risks. The constantly evolving fraud schemes, the size of the programs in terms of beneficiaries and expenditures, as well as continual changes in Medicare--such as development of innovative payment models and increasing managed-care enrollment--call for constant vigilance and regular updates to the fraud risk assessment.

In our December 2017 report we recommended that the Administrator of CMS conduct fraud risk assessments for Medicare and Medicaid to include respective fraud risk profiles and plans for regularly updating the assessments and profiles. In its March 2018 letter to GAO, HHS stated that it is currently evaluating its options with regards to implementing this recommendation. As of July 2018, the recommendation remains open.

CMS Needs to Develop a Risk-Based Antifraud Strategy for Medicare, Which Would Include Plans for Monitoring and Evaluation

The design and implement component of the Fraud Risk Framework calls for federal managers to design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.

According to the Fraud Risk Framework, effective managers develop and document an antifraud strategy that describes the program's approach for addressing the prioritized fraud risks identified during the fraud risk assessment, also referred to as a risk-based antifraud strategy. A risk-based antifraud strategy describes existing fraud control activities as well as any new fraud control activities a program may adopt to address residual fraud risks. In developing a strategy and antifraud control activities, effective managers focus on fraud prevention over detection, develop a plan for responding to identified instances of fraud, establish collaborative relationships with stakeholders, and create incentives to help effectively implement the strategy. Additionally, as part of a documented strategy, management identifies roles and responsibilities of those involved in fraud risk management activities; describes control activities as well as plans for monitoring and evaluation; creates timelines; and communicates the antifraud strategy to employees and stakeholders, among other things.

As discussed earlier, CMS had some control activities in place to identify fraud risk in Medicare, particularly in the FFS program. n31 However, CMS had not developed and documented a risk-based antifraud strategy to guide its design and implementation of new antifraud activities and to better align and coordinate its existing activities to ensure it is targeting and mitigating the most-significant fraud risks.

Antifraud strategy. CMS officials told us that CPI does not have a documented risk-based antifraud strategy. Although CMS has developed several documents that describe efforts to address fraud, n32 the agency had not developed a risk-based antifraud strategy for Medicare because, as discussed earlier, it had not conducted a fraud risk assessment that would serve as a foundation for such strategy.

In 2016, CPI identified five strategic objectives for program integrity, which include antifraud elements and an emphasis on prevention. n33 However, according to CMS officials, these objectives were identified from discussions with CMS leadership and various stakeholders and not through a fraud risk assessment process to identify inherent fraud risks from the universe of potential vulnerabilities, as described earlier and called for in the leading practices. These strategic objectives were presented at an antifraud conference in 2016, n34 but were not announced publicly until the release of the Annual Report to Congress on the Medicare and Medicaid Integrity Programs for Fiscal Year 2015 in June 2017.

Stakeholder relationships and communication. CMS has established relationships and communicated with stakeholders, but, without an antifraud strategy, stakeholders we spoke with lacked a common understanding of CMS's strategic approach. Prior work on practices that can help federal agencies collaborate effectively calls for a strategy that is shared with stakeholders to promote trust and understanding. n35 Once an antifraud strategy is developed, the Fraud Risk Framework calls for managers to collaborate to ensure effective implementation. Although some CMS stakeholders were able to describe various CMS program-integrity priorities and activities, such as home health being a fraud risk priority, the stakeholders could not communicate, articulate, or cite a common CMS strategic approach to address fraud risks in its programs.

Incentives. The Fraud Risk Framework discusses creating incentives to help ensure effective implementation of the antifraud strategy once it is developed. Currently, some incentives within stakeholder relationships may complicate CMS's antifraud efforts. Among contractors, CMS encourages information sharing through conferences and workshops; however, competition for CMS business among contractors can be a disincentive to information sharing. CMS officials acknowledged this concern and said that they expect contractors to share information related to fraud schemes, outcomes of investigations, and tips for addressing fraud, but not proprietary information such as algorithms to risk-score providers.

Without developing and documenting an antifraud strategy based on a fraud risk assessment, as called for in the design and implement component of the Fraud Risk Framework, CMS cannot ensure that it has a coordinated approach to address the range of fraud risks and to appropriately target and allocate resources for the most-significant risks. Considering fraud risks to which Medicare is most vulnerable, in light of the malicious intent of those who aim to exploit the programs, would help CMS to examine its current control activities and potentially design new ones with recognition of fraudulent behavior it aims to prevent. This focus on fraud is distinct from a broader view of program integrity and improper payments by considering the intentions and incentives of those who aim to deceive rather than well-intentioned providers who make mistakes. Also, continued growth of the program, such as growth of Medicare Part C, calls for consideration of preventive fraud control activities across the entire network of entities involved.

Furthermore, considering the large size and complexity of Medicare and the extensive stakeholder network involved in managing fraud in the program, a strategic approach to managing fraud risks within the programs is essential to ensure that a number of existing control activities and numerous stakeholder relationships and incentives are being aligned to produce desired results. Once developed, an antifraud strategy that is clearly articulated to various CMS stakeholders would help CMS to address fraud risks in a more coordinated and deliberate fashion. Thinking strategically about existing control activities, resources, tools, and information systems could help CMS to leverage resources while continuing to integrate Medicare program-integrity efforts along functional lines. A strategic approach grounded in a comprehensive assessment of fraud risks could also help CMS to identify future enhancements for existing control activities, such as new preventive capabilities for its Fraud Prevention System (FPS) or additional fraud factors in provider enrollment and revalidation, such as provider risk-scoring, to stay in step with evolving fraud risks.

CMS Has Established Monitoring and Evaluation Mechanisms That Could Inform a Risk-Based Antifraud Strategy for Medicare

The evaluate and adapt component of the Fraud Risk Framework calls for federal managers to evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management. Furthermore, according to federal internal control standards, managers should establish and operate monitoring activities to monitor the internal control system and evaluate the results, which may be compared against an established baseline. n36 Ongoing monitoring and periodic evaluations provide assurances to managers that they are effectively preventing, detecting, and responding to potential fraud.

CMS has established monitoring and evaluation mechanisms for its program-integrity activities that it could incorporate into an antifraud strategy.

As described in the Fraud Risk Framework, agencies can gather information on the short-term or intermediate outcomes of some antifraud initiatives, which may be more readily measured. For example, CMS has developed some performance measures to provide a basis for monitoring its progress towards meeting the program-integrity goals set in the HHS Strategic Plan and Annual Performance Plan. Specifically, CMS measures whether it is meeting its goal of "increasing the percentage of Medicare FFS providers and suppliers identified as high risk that receive an administrative action." n37 CMS does not set specific antifraud goals for other parts of Medicare; other CMS performance measures relate to measuring or reducing improper payments in the various parts of Medicare.

CMS uses return-on-investment and savings estimates to measure the effectiveness of its Medicare program-integrity activities and FPS. n38 For example, CMS uses return-on-investment to measure the effectiveness of FPS n39 and, in response to a recommendation we made in 2012, CMS developed outcome-based performance targets and milestones for FPS. n40 CMS has also conducted individual evaluations of its program-integrity activities, such as an interim evaluation of the prior-authorization demonstration for power mobility devices that began in 2012 and is currently implemented in 19 states.

Commensurate with greater maturity of control activities in Medicare FFS compared to other parts of Medicare and Medicaid, monitoring and evaluation activities for Medicare Parts C and D and Medicaid are more limited. For example, CMS calculates savings for its program-integrity activities in Medicare Parts C and D, but not a full return-on-investment. CMS officials told us that calculating costs for specific activities is challenging because of overlapping activities among contractors. CMS officials said they continue to refine methods and develop new savings estimates for additional program-integrity activities.

According to the Fraud Risk Framework, effective managers develop a strategy and evaluate outcomes using a risk-based approach. In developing an effective strategy and antifraud activities, managers consider the benefits and costs of control activities. Ongoing monitoring and periodic evaluations provide reasonable assurance to managers that they are effectively preventing, detecting, and responding to potential fraud. Monitoring and evaluation activities can also support managers' decisions about allocating resources, and help them to demonstrate their continued commitment to effectively managing fraud risks.

As CMS takes steps to develop an antifraud strategy, it could include plans for refining and building on existing methods such as return-on-investment or savings measures, and setting appropriate targets to evaluate the effectiveness of all of CMS's antifraud efforts. Such a strategy would help CMS to efficiently allocate program-integrity resources and to ensure that the agency is effectively preventing, detecting, and responding to potential fraud. For example, while doing so would involve challenges, CMS's strategy could detail plans to advance efforts to measure a potential fraud rate through baseline and periodic measures. Fraud-rate measurement efforts could also inform risk assessment activities, identify currently unknown fraud risks, align resources to priority risks, and develop effective outcome metrics for antifraud controls. Such a strategy would also help CMS ensure that it has effective performance measures in place to assess its antifraud efforts beyond those related to providers in Medicare FFS, and establish appropriate targets to measure the agency's progress in addressing fraud risks.

In our December 2017 report we recommended that the Administrator of CMS should, using the results of the fraud risk assessments for Medicare, create, document, implement, and communicate an antifraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation. In its March 2018 letter to GAO, HHS stated that it is currently evaluating its options with regards to implementing this recommendation. As of July 2018, the recommendation remains open.

Chairman Jenkins and Ranking Member Lewis, this concludes my prepared statement. I look forward to the subcommittee's questions.

n1 GAO, Medicare and Medicaid: CMS Needs to Fully Align Its Antifraud Efforts with the Fraud Risk Framework, GAO-18-88 (Washington, D.C.: Dec. 5, 2017).

n2 An improper payment is defined as any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts. See 31 U.S.C. [Sec.] 3321 note. OMB guidance also instructs agencies to report as improper payments any payment for which insufficient or no documentation was found.

n3 Medicare Fraud Strike Force, a joint Department of Justice (DOJ) and HHS OIG program, consists of investigators and prosecutors who use data-analysis and traditional law-enforcement techniques to identify, investigate, and prosecute potentially fraudulent billing patterns in geographic areas with high rates of health-care fraud.

n4 Department of Health and Human Services and Department of Justice, Health Care Fraud and Abuse Control Program: Annual Report for Fiscal Year 2017.

n5 GAO, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others, GAO-17-317 (Washington, D.C.: Feb. 15, 2017).

n6 Congressional Budget Office, The Budget and Economic Outlook: 2018 to 2028 (April 2018).

n7 GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP (Washington, D.C.: July 2015).

n8 Other CMS programs are Medicaid, the Children's Health Insurance Program (CHIP), and the health-insurance marketplaces.

n9 Starting in fiscal year 2018, the threshold for high-priority program determinations is $2 billion in improper payments regardless of the improper payment rate.

n10 GAO, 2017 Annual Report: Additional Opportunities to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits, GAO-17-491SP (Washington, D.C.: April 2017).

n11 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September 2014).

n12 MITRE, Government-wide Payment Integrity: New approaches and Solutions Needed (McLean, Va.: February 2016).

n13 See GAO-15-593SP.

n14 Office of Management and Budget, Management's Responsibility for Enterprise Risk Management and Internal Control, Circular No. A-123 (Washington, D.C.: July 15, 2016).

n15 Pub. L. No. 114-186, [Sec.] 3, 130 Stat. 546 (2016).

n16 See GAO-15-593SP.

n17 Reducing Improper Payments, Exec. Order No. 13520, 74 Fed. Reg. 226 (Nov. 20, 2009).

n18 82 Fed. Reg. 52,976 (Nov. 15, 2017) (codified at 42 C.F.R. Parts 405, 410, 414, 424, and 425). For additional information about CMS provider-enrollment activities for Medicare, see GAO, Medicare: Initial Results of Revised Process to Screen Providers and Suppliers, and Need for Objectives and Performance Measures, GAO-17-42 (Washington, D.C.: Nov. 15, 2016).

n19 In 2012, CMS created the HFPP to share information with public and private stakeholders and to conduct studies related to health-care fraud, waste, and abuse. According to CMS, as of October 2017, the HFPP included 89 public and private partners, including Medicare- and Medicaid-related federal and state agencies, law-enforcement agencies, private health-insurance plans, and antifraud and other health-care organizations.

n20 The CMS National Training Program provides support for partners and stakeholders, not-for-profit professionals and volunteers who work with seniors and people with disabilities, and others who help people make informed health-care decisions. The program offers an online training library with materials to conduct outreach and education sessions. The Medicare Learning Network provides free educational materials for health-care professionals on CMS programs, policies, and initiatives.

n21 For example, 42 C.F.R. [Sec.] 422.503(b)(4)(vi)(C).

n22 According to the Fraud Risk Framework, a fraud risk profile documents the findings from a fraud risk assessment. We discuss this concept later in the report.

n23 The FPS is a data-analytic system that analyzes Medicare fee-for-service claims to identify health-care providers with suspect billing patterns for further investigation and to prevent improper payments. See GAO, Medicare: CMS Fraud Prevention System Uses Claims Analysis to Address Fraud, GAO-17-710 (Washington, D.C.: Aug. 30, 2017).

n24 Prior authorization is a payment approach that generally requires health-care providers and suppliers to first demonstrate compliance with coverage and payment rules before certain items or services are provided to patients, rather than after the items or services have been provided. See GAO, Medicare: CMS Should Take Actions to Continue Prior Authorization Efforts to Reduce Spending, GAO-18-341 (Washington, D.C.: Apr. 20, 2018).

n25 GAO-17-42.

n26 GAO-14-704G.

n27 In Medicare Part C, health-insurance plans may pose a fraud risk, as shown by a recent legal settlement. See the Freedom Health case at Department of Justice, Medicare Advantage Organization and Former Chief Operating Officer to Pay $32.5 Million to Settle False Claims Act Allegations, May 30, 2017, accessed May 31, 2017, https://www.justice.gov/opa/pr/medicare-advantage-organization-and-former-chief-operating-officer-pay-325-million-settle.

n28 We have reported about concerns with improper payments in Part C. For example, we examined CMS's audits of Medicare Advantage organizations--which help CMS recover improper payments in cases where beneficiary diagnoses are unsupported by medical records--and recommended that CMS improve the timeliness of, and processes for, selecting contracts to include in its audits. We have also recommended that CMS develop specific plans for incorporating a recovery auditor into the agency's Part C audit program. Both recommendations remain open. See GAO, Medicare Advantage Program Integrity: CMS's Efforts to Ensure Proper Payments and Identify and Recover Improper Payments, GAO-17-761T (July 19, 2017).

n29 GAO, Patient Protection and Affordable Care Act: CMS Should Act to Strengthen Enrollment Controls and Manage Fraud Risk, GAO-16-29 (Washington, D.C.: Feb. 23, 2016).

n30 According to CMS, the Command Center opened in July 2012 and provides an opportunity for Medicare and Medicaid policy experts, law-enforcement officials from the HHS OIG and the Federal Bureau of Investigation, clinicians, and CMS fraud investigators to collaborate before, during, and after the development of fraud leads in real time. In fiscal year 2015, CMS conducted 41 Command Center missions.

n31 The individual CMS fraud control activities and other antifraud efforts described in the December 2017 report serve as examples of CMS activities; we did not evaluate the effectiveness of these efforts.

n32 Centers for Medicare & Medicaid Services, New Strategic Direction and Key Antifraud Activities (Nov. 3, 2011); Comprehensive Medicaid Integrity Plan: Fiscal Years 2014-2018; Annual Report to Congress on the Medicare and Medicaid Integrity Programs for Fiscal Year 2015; Annual Report to Congress on the Medicare and Medicaid Integrity Programs for Fiscal Years 2013 and 2014; CMS Medicare and Medicaid Program Integrity Strategy (Mar. 3, 2013).

n33 The five strategic objectives are: (1) address the full spectrum of fraud, waste, and abuse; (2) proactively manage provider screening and enrollment; (3) continue to build states' capacity to protect Medicaid; (4) extend work in Medicare Parts C and D, Medicaid managed care, and the Marketplace; and (5) provide greater transparency into program-integrity issues.

n34 National Health Care Anti-Fraud Association conference in Atlanta, Georgia, November 15-18, 2016.

n35 GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003).

n36 See GAO-14-704G.

n37 This performance metric refers to providers identified by FPS whose behavior is aberrant and potentially fraudulent. CMS can take a variety of administrative actions against those providers, from payment suspensions to revoking providers' billing privileges. CMS has met this goal from 2013 to 2015; the 2016 data were pending at the time of the writing of the December 2017 report.

n38 We previously found flaws with CMS's return-on-investment calculation and made two recommendations regarding the methodology. CMS has implemented both of the recommendations. See GAO, Medicare Integrity Program: CMS Used Increased Funding for New Activities but Could Improve Measurement of Program Effectiveness, GAO-11-592 (Washington, D.C.: July 29, 2011).

n39 HHS OIG has reviewed CMS's methodology and calculations and certified the use of adjusted savings, which in 2014 yielded the FPS return-on-investment of approximately 3 to 1.

n40 GAO, Medicare Fraud Prevention: CMS Has Implemented a Predictive Analytics System, but Needs to Define Measures to Determine Its Effectiveness, GAO-13-104 (Washington, D.C.: Oct. 15, 2012).

Read this original document at: https://waysandmeans.house.gov/wp-content/uploads/2018/07/20180717OS-Witness-Testimony-GAO.pdf

ST. LOUIS — Andrew C. Hubbard schemed with a cousin to give his mother laced drugs and cause an overdose so he could collect a $150,000 life insurance policy, prosecutors said in federal court Thursday.

The plan to lace crack cocaine with heroin or fentanyl didn't kill her, so the cousin shot the woman instead and dumped her body in a St. Louis alley, Hubbard admitted in U.S. District Court as he pleaded guilty.

Hubbard, 40, pleaded to murder-for-hire and conspiracy to commit murder-for-hire in connection with the death of his mother, Andreaia Worthem.

Worthem, 53, was shot in the chest, arm and face. Her body was found in the north alley in the 4400 block of Kennerly Avenue on the morning of July 7, 2023.

Others facing the same charges in connection with her death are the cousin, Eric Washington, 47, of Jennings; Justin R. Lee, 40, of Northwoods; and Hubbard's girlfriend, Kim Mosley, 33. Their cases are pending.

Assistant U.S. Attorney Matthew A. Martin unveiled new details about the case as he read in court from a 14-page document.

Hubbard took out a life-insurance policy on his mother in 2019 and was the sole beneficiary.

His plan was to have Lee and Washington supply his mother with a "bad pack," crack cocaine laced with enough fentanyl to kill her, Martin said. Hubbard knew that his cousin had recently experienced a near-fatal overdose after ingesting drugs Lee had supplied.

In exchange, Washington would get $10,000, and Mosley would get $50,000, the prosecutor said.

Washington used Lee's phone to tell Hubbard, "It's done." Later, Hubbard asked if the "bad pack" caused a quick overdose. Washington admitted it didn't work, so he instead shot her, Martin said.

Mosley gave Washington $200 in exchange for the victim's cellphone, which was then destroyed, according to the plea agreement. Hubbard also gave Washington $450 cash and cocaine and marijuana, Martin said.

According to the plea agreement, Washington, impatient because he hadn't been paid the full $10,000, called Primerica, the insurance company, to ask when the policy would be paid.

Washington told the insurer that he had "done some work" for Hubbard and the insurance money would help cover what he is owed, the court document said.

When Hubbard found out Washington had made that call, he confronted his cousin and told him that it would lead the police to them.

The plea agreement didn't say whether Hubbard ever received the insurance money.

Hubbard, jailed in Illinois, lived in the 12200 block of Corrida Court in Maryland Heights.

U.S. District Judge Henry E. Autrey scheduled Hubbard's sentencing for Sept. 23.

Each charge is punishable by life in prison and a fine of up to $250,000. Federal prosecutors already announced they would not seek the death penalty.

------------

© 2026 the St. Louis Post-Dispatch. Visit www.stltoday.com. Distributed by Tribune Content Agency, LLC.