Washington State Auditor: 'Medicaid Program Integrity – Examining Health Care Authority's Oversight of Efforts at State Agencies'

OLYMPIA, Washington, July 9 -- The office of the Washington State Auditor issued the following performance audit report (No. 1028710) on July 8, 2021, entitled "Medicaid Program Integrity - Examining Health Care Authority's Oversight of Efforts at State Agencies":

* * *

Here are excerpts:

Table of Contents

Executive Summary ... 3

Background ... 8

Audit Results ... 15

HCA executives recently created a Division of Program Integrity to highlight its work, but they can improve oversight through strategic planning and performance measurement ... 15

HCA has not provided federally required oversight of Medicaid program integrity efforts at sister state agencies ... 25

The Division of Program Integrity has expanded its program integrity efforts with MCOs, but it can do more to reduce fraud and other improper payments ... 31

Improvements to audit selection practices would help the Division prioritize resources for high-risk cases and meet federal requirements_ ... 37

State Auditor's Conclusions ... 44

Recommendations ... 45

Agency Response ... 48

Appendix A: Initiative 900 and Auditing Standards ... 54

Appendix B: Scope, Objectives and Methodology ... 57

Appendix C: Medicaid Program Integrity Activities ... 62

Appendix D: Requirements and Best Practices for Performance Measures ... 66

Appendix E: CMS Guidance and Other State Practices for Sister State Agency Oversight ... 67

Appendix F: State Usage of Selected Expert Recommendations ... 69

Bibliography ... 74

* * *

Executive Summary

Background (page 8)

About two million state residents are enrolled in Medicaid (a program providing health coverage to people with low incomes), representing more than one in four Washingtonians. Every year the cost of Washington's Medicaid program increases, accounting for approximately $14.6 billion in state and federal funding in fiscal year 2020. More than half went to five managed care organizations (MCOs), with one receiving $3.7 billion.

Program integrity efforts focus on paying the right dollar amount to the right provider for the right reason. Federal program integrity requirements include:

* Incorporating specific provisions into contracts with MCOs

* Verifying beneficiaries meet eligibility requirements

* Screening providers to see if they are on federal exclusion lists

* Investigating questionable practices and referring credible allegations of fraud to law enforcement

States must comply with these requirements as a necessary condition to receiving considerable amounts of federal funding. About $9.5 billion of the $14.6 billion spent on Medicaid in fiscal year 2020 came from the federal government. Also, states can choose to go beyond federal program integrity requirements.

Strengthening program integrity efforts helps ensure every Medicaid dollar stretches as far as possible for those insured through Medicaid. Also, as the single state Medicaid agency, the Health Care Authority (HCA) is responsible for overseeing all of Washington's Medicaid programs, including those administered by other agencies.

HCA executives recently created a Division of Program Integrity to highlight its work, but they can improve oversight through strategic planning and performance measurement (page 15)

As the state's Medicaid agency, HCA executives are responsible for oversight of program integrity efforts. In 2020, HCA executives consolidated many of the agency's program integrity efforts into a single division. Before this change, repeated restructuring led to ever-shifting responsibilities and accountability.

Most recently, HCA executives created a Division of Program Integrity (the Division) to increase the visibility of program integrity efforts within the agency. Although HCA executives have taken steps to consolidate program integrity efforts, this work would benefit from improved strategic planning at the agency and division level.

While HCA executives conduct some oversight of program integrity efforts, they can improve their monitoring through better use of performance measures. Current meetings and committees are insufficient to verify the agency is meeting all program integrity requirements. Developing and monitoring performance measures are important leadership oversight activities. HCA has some program integrity measures but lacks others recommended by experts and used by other states. In addition, HCA does not use available measures to monitor program integrity performance.

HCA has not provided federally required oversight of Medicaid program integrity efforts at sister state agencies (page 25)

As Washington's state Medicaid agency, HCA must oversee all program integrity efforts, including those at sister state agencies. Oversight is a safety net to ensure policies are implemented and funding is spent as intended, and can include reviewing reports, monitoring results and implementing corrective action plans when necessary. In Washington, two sister state agencies - the Department of Social and Health Services (DSHS) and the Department of Children, Youth, and Families (DCYF) - spent more than $4 billion total in Medicaid funding in fiscal year 2020. Federal regulations require HCA to oversee program integrity efforts at DSHS and DCYF. HCA executives formalized oversight responsibilities in agency policy and interagency agreements, and assigned this responsibility to the Division of Program Integrity.

However, the Division has not overseen program integrity efforts at sister state agencies. Nonetheless, the Centers for Medicare and Medicaid Services (CMS) expects sound fiscal stewardship of Medicaid funding, and other states provide useful examples of what this could look like. While the sister state agencies say they have processes in place to ensure Medicaid funding is spent properly, the Division has not overseen those program integrity efforts because:

* Division managers have not assigned oversight of sister state agencies to any of the units

* The Division lacks a Statewide Medicaid Fraud and Abuse Prevention Plan outlining roles and responsibilities across key partners

* Change, transition and the lack of a Statewide Medicaid Fraud and Abuse Prevention Plan left managers uncertain of their oversight responsibilities

The Division has expanded its program integrity efforts with MCOs, but it can do more to reduce fraud and other improper payments (page 31)

Managed care changed how Medicaid pays for services, requiring a different approach to program integrity efforts. The Division is establishing ways to hold MCOs accountable for their role in program integrity efforts. For example, HCA executives sanctioned the five MCOs a total of nearly $1 million, based on the Division's audit of the data used to set monthly payment rates. Also, the Division requires MCOs to regularly report on their program integrity efforts, and has been discussing them with the organizations on a quarterly basis. In addition, HCA recently updated the contract to allow additional financial penalties for failure to fulfill program integrity requirements.

However, the Division could improve its oversight of MCOs by directly auditing providers and recovering overpayments. In addition to auditing encounter data, the Division should also audit providers contracted with the MCOs. The Division started reviewing providers contracted with MCOs but never initiated formal audits due to uncertainty as to what to do with the results. Also, Division managers still want guidance on how to handle identified overpayments.

Improvements to audit selection practices would help the Division prioritize resources for high-risk cases and meet federal requirements (page 37)

The Division can improve the ways it generates and evaluates the incoming leads that become reviews, audits and investigations of Medicaid providers. Other states' integrity programs provide examples of how to implement expert recommendations. For example, Florida's integrity program reports that shifting to a risk-based approach for identifying suspicious activity resulted in a significant increase in referrals to law enforcement.

The Division does not use risk assessments or formally established risk factors to guide its audit plans. While Division staff look for outliers and trends, only two of four units rely on proactive data analytics to develop their workplans. The Division recently established a team to review and prioritize leads, but Division managers had different perspectives on whether the team consistently received necessary data.

As the Division does not determine the credibility of fraud allegations for MCOs and DSHS, it cannot take appropriate action for many situations that merit scrutiny. In addition, analyzing all leads from MCOs would help Division staff gain experience and monitor MCO engagement in program integrity. Furthermore, collaborating with a Unified Program Integrity Contractor would allow the Division to pursue fraudsters working across Medicaid and Medicare.

State Auditor's Conclusions (page 44)

Medicaid is our state's largest public assistance program. It provides health coverage to about two million Washingtonians through a state-federal partnership, at a cost of more than $14 billion in fiscal year 2020. Given the size and importance of Medicaid, it needs a robust program integrity function to help ensure money is spent appropriately. Ensuring program integrity for a program this large and complicated is an inherently difficult task. That task is made even more difficult when the responsibility spans several state agencies and managed care organizations (MCOs).

As the single state Medicaid agency, HCA is responsible for overseeing all program integrity efforts -- including the work of other agencies and the MCOs. That has not always happened, but to its credit, HCA has taken steps to improve its oversight. These efforts include reorganizing its own program integrity function and welcoming help from our Office in the form of this performance audit. Our audit has identified a number of opportunities for HCA to improve both its own program integrity efforts and its oversight of other entities' efforts. We would strongly encourage HCA to implement these recommendations.

Recommendations (page 45)

We recommend HCA executives improve overall oversight, strategic planning and performance measurement. We also recommend Division of Program Integrity managers improve strategic planning and performance measurement, oversight of program integrity at sister state agencies and MCOs, and the audit selection and assignment process.

Next steps

Our performance audits of state programs and services are reviewed by the Joint Legislative Audit and Review Committee (JLARC) and/or by other legislative committees whose members wish to consider findings and recommendations on specific topics. Representatives of the Office of the State Auditor will review this audit with JLARC's Initiative 900 Subcommittee in Olympia. The public will have the opportunity to comment at this hearing. Please check the JLARC website for the exact date, time and location (www.leg.wa.gov/JLARC). The Office conducts periodic follow-up evaluations to assess the status of recommendations and may conduct follow-up audits at its discretion. See Appendix A, which addresses the I-900 areas covered in the audit. Appendix B contains information about our methodology. See the Bibliography for a list of references and resources used to develop our understanding of Medicaid program integrity.

* * *

Background

Medicaid is a state and federal partnership that provides health coverage to people with low incomes

Medicaid is a jointly funded state and federal partnership that insures people with low incomes. While all states participate in Medicaid, states have discretion in how they structure their programs, including which services they will provide and eligibility categories, as long as they meet minimum federal requirements. Both states and the federal government pay for these services. The federal contribution varies based on many factors, including the service provided and state poverty levels.

In Washington, Medicaid is referred to as Apple Health, and it offers a wide array of services (see sidebar). These services are available to all low-income Washingtonians, with qualifying income levels varying based on age and conditions like pregnancy. Commonly eligible populations include children, the elderly and people with developmental disabilities. The Health Care Authority (HCA) has been Washington's single state Medicaid agency since 2011. This designation makes HCA responsible for meeting numerous federal requirements, including oversight of Medicaid programs administered by other state agencies.

Medicaid insures one in four Washingtonians, with costs rising during the last decade to more than $14 billion

Medicaid is Washington's largest public assistance program, in terms of both cost and people served. About 2 million state residents were enrolled in Medicaid as of December 2020, representing more than one in four Washingtonians. Beginning January 2014, as part of the Affordable Care Act, Washington expanded Medicaid eligibility to include low-income adults. Two years later, a total of almost 600,000 newly eligible adults had joined the program and overall costs had increased almost 50 percent (see Exhibit 1). After that, enrollment was steady until the economic effects of the COVID-19 pandemic resulted in nearly 200,000 additional residents joining the program. Although enrollment had been stable, over the last five years Medicaid's overall costs increased at an average rate of 4.8 percent, until the program accounted for about $14.6 billion in state and federal funding in state fiscal year 2020.

* * *

Chart: Exhibit 1 - Medicaid spending in Washington

[Link to chart at bottom of document]

* * *

Similar to many states, Washington has transitioned most clients to managed care

Washington has steadily transitioned most of its clients away from fee-for service, where the state Medicaid agency pays providers directly for each service rendered, to managed care, where private insurance companies provide specific services in exchange for monthly payments. Exhibit 2 shows the difference between these payment arrangements. Nationwide, state Medicaid agencies have tried to reduce costs and better manage how health services are used by contracting with managed care organizations (MCOs). These private health insurance companies provide specific services in exchange for monthly payments. The monthly payments are based in part on the actual cost of services the MCOs have paid for in previous years.

Prior to 1987, all Washingtonians covered by Medicaid received services through a fee-for-service program. Currently 85 percent of enrollees receive physical and behavioral health services through one of five MCOs. In fiscal year 2020, the state directed almost $8 billion in payments to the five organizations: one received $3.7 billion to serve approximately 750,000 clients.

* * *

Exhibit 2 - Comparing fee-for-service and managed care processes for paying Medicaid service providers

[Link to chart at bottom of document]

* * *

Because Medicaid is a large, high-risk program, federal regulations include numerous program integrity requirements

A large volume of claims and complex rules increase the risk of fraud and other improper payments

Medicaid has been on the Government Accountability Office's high risk list since 2003 due to a diverse and expanding population of clients and providers; large overall payment sums; complex billing and coding systems; and the challenges inherent in providing federal oversight to more than 50 independent programs in the states and territories.

While media reports occasionally describe organized crime rings defrauding Medicaid, most improper payments result from challenges with documentation and complex Medicaid requirements. In September 2020, federal and state law enforcement charged more than 300 defendants nationwide, including more than 100 licensed medical professionals, for their apparent involvement in a $4.5 billion fraud scheme that allegedly billed unnecessary care to clients on Medicare and Medicaid based on brief telehealth calls. These events draw media attention. However, the Centers for Medicare and Medicaid Services (CMS), which provides the federal regulatory framework for Medicaid program integrity, reported significant amounts of improper payments during 2019 were due to two primary reasons. First, insufficient documentation to verify client eligibility. Second, state Medicaid agencies did not comply with federal requirements for screening and enrolling providers. These issues produced a nationwide Medicaid improper payment rate of 14.9 percent. This means approximately one in seven Medicaid payments lacked sufficient documentation or displayed some sort of error.

To combat the risks, states must meet numerous federal program integrity requirements

Program integrity efforts focus on paying the right dollar amount to the right provider for the right reason. These efforts are intended to prevent and detect fraud and other improper payments, so that taxpayer dollars are available for delivering necessary care. Federal program integrity requirements include:

* Incorporating specific provisions into contracts with MCOs, to ensure these private insurance companies identify and address fraud and other improper payments

* Verifying clients meet eligibility requirements, to identify situations like families hiding assets so their elders qualify for financial assistance for long-term care

* Screening providers against federal exclusion lists, to ensure providers with known histories of defrauding government programs do not provide services for Medicaid

* Verifying clients received billed services, to identify providers billing for services that were never rendered

* Investigating questionable practices and referring credible allegations of fraud to law enforcement, to pursue criminal charges when appropriate

States can also choose to do more than the federal requirements - they have as much discretion in structuring their program integrity efforts as they do the rest of their Medicaid programs. A continuum of state program integrity activities - both optional and required - is listed in Appendix C.

Gaps in program integrity efforts have financial consequences for Washington

State programs that fail to comply with federal program integrity requirements risk paying back federal funding. This is a substantial sum: about $9.5 billion of the $14.6 billion Washington spent on Medicaid in fiscal year 2020 came from the federal government. Every year, the Office of the Washington State Auditor conducts the federally required Single Audit, to determine if state agencies are complying with specific federal requirements. Concerns are publicly reported as findings. These findings are often resolved within months, but sometimes persist for several years. Ten of Washington's 13 repeat Medicaid Single Audit findings are related to program integrity requirements. Some of these requirements are HCA's responsibility; others are the responsibility of the Department of Social and Health Services (DSHS). While many of these findings did not involve questioned costs, some did. For example, in August 2020 CMS requested a refund of $114 million for one such finding. (The state does not agree with this finding and is currently discussing it with CMS, so the final amount the state must repay may be reduced or eliminated.)

Program integrity efforts ensure available funding goes to needed services, and can help flatten the rising Medicaid cost curve. Potential return on investment depends on the amount of existing fraud and other improper payments, and states' methods for calculating return on investment will differ. Florida regularly publishes a comprehensive report of program integrity efforts. Florida reported that during fiscal year 2019, it recovered nearly $5 for every dollar it spent on program integrity recovery efforts, and nearly $45 for every dollar spent on program integrity prevention efforts.

In Washington, state agencies and managed care organizations play a role in program integrity efforts

Key participants in Washington's program integrity efforts include:

* The Health Care Authority (HCA), which has been the state's Medicaid agency and primary payer for health care services since 2011. As the state Medicaid agency, HCA must ensure Washington meets the numerous federal program integrity requirements associated with the federal Medicaid grant award. HCA has a newly established Division of Program Integrity (Division), which is responsible for many - but not all - of the state's Medicaid program integrity efforts.

* The Department of Social and Health Services (DSHS) primarily uses Medicaid funding to pay for long-term care for the elderly and people with disabilities. It has its own program integrity efforts for ensuring client and provider eligibility.

* The Department of Children, Youth, and Families (DCYF) primarily uses Medicaid funding on supports and services for children and young adults who have complex needs and experience significant behavioral health challenges.

* The five managed care organizations (MCOs) operating in Washington are private health insurance companies with large networks of contracted providers, which include doctors, counselors and specialists. The MCOs must establish their own program integrity efforts to identify and address fraud and other improper payments.

* The Medicaid Fraud Control Division in the Attorney General's Office handles the law enforcement side of program integrity.

This audit examined opportunities to improve Washington's Medicaid program integrity efforts

The cost of Washington's Medicaid program has risen during the last decade, and the program expands to meet rising needs that come during times of economic decline. Strengthening program integrity efforts helps ensure every Medicaid dollar stretches as far as possible to serve those insured through the program. HCA suggested a performance audit of its program integrity efforts could be beneficial, because the agency is making improvements in this area.

The audit answers the following questions:

1. Are there opportunities for HCA executive management to improve its oversight over program integrity?

2. How can the Division of Program Integrity improve its structure and processes to more effectively reduce fraud and other

improper payments?

The audit team identified leading practices for program integrity efforts and worked with HCA and experts to identify states considered nationwide leaders in Medicaid program integrity. We spoke to officials from integrity programs in seven states and reviewed comprehensive reports for an eighth state. We also interviewed leadership and management at HCA and sister state agencies. In addition, we reviewed federal regulations, state laws, the State Medicaid Plan, agreements between HCA and sister state agencies, policies and procedures at HCA and DSHS, contracts between HCA and the MCOs, organizational charts, performance measures, strategic plans, and other related documents. Then, we compared Washington's practices with other states' practices and expert recommendations to identify potential gaps and opportunities for improvement. For more information about our methodology, see Appendix B.

This report organizes our results into four broad areas:

* HCA executives' oversight responsibilities within their own agency

* Oversight of Medicaid program integrity efforts at sister state agencies

* The Division's program integrity efforts with MCOs and its oversight of the MCOs' efforts

* The Division's processes to generate and evaluate the leads that become audits, reviews and investigations of Medicaid providers

* * *

State Auditor's Conclusions

Medicaid is our state's largest public assistance program. It provides health coverage to about two million Washingtonians through a state-federal partnership, at a cost of more than $14 billion in fiscal year 2020. Given the size and importance of Medicaid, it needs a robust program integrity function to help ensure money is spent appropriately. Ensuring program integrity for a program this large and complicated is an inherently difficult task. That task is made even more difficult when the responsibility spans several state agencies and managed care organizations (MCOs).

As the single state Medicaid agency, the Health Care Authority (HCA) is responsible for overseeing all program integrity efforts - including the work of other agencies and the MCOs. That has not always happened, but to its credit, HCA has taken steps to improve its oversight. These efforts include reorganizing its own program integrity function and welcoming help from our Office in the form of this performance audit. Our audit has identified a number of opportunities for HCA to improve both its own program integrity efforts and its oversight of other entities' efforts. We would strongly encourage HCA to implement these recommendations.

* * *

Recommendations

For the Health Care Authority

To improve executive oversight of the agency's program integrity efforts, as described on pages 15-24, we recommend HCA executives:

1. Provide consistent oversight of program integrity, either through the existing committee structure (for example, by assigning a regular focus on program integrity) or by establishing an operations oversight committee focused on overseeing all program integrity requirements within HCA and at other state agencies.

2. In consultation with Division managers, determine key objectives for Medicaid program integrity and include them in the agency's overall strategic plan.

3. Ensure the most critical measures related to the Division's success are included in the agency's performance measurement processes. Periodically review and update these measures, as necessary.

4. Provide the newly formed Division sufficient organizational support and executive oversight to ensure the Division has an approved strategic plan with clear objectives, Division performance measures are appropriate to monitor progress, and corrective actions are initiated quickly when objectives may not be met.

We also recommend Division managers:

5. Develop a strategic plan for the new Division with stated strategic goals, agreed upon objectives, and a system to monitor progress and hold responsible parties accountable.

6. As part of developing a solid strategic plan, develop a management information and reporting strategy with performance measures and management reports. As Division managers develop this strategy, we recommend they consider the performance measures recommended by experts and used in other states.

To provide federally required oversight of Medicaid program integrity efforts at sister state agencies, as described on pages 25-30, we recommend Division managers:

7. Develop a Statewide Fraud and Abuse Prevention Plan. This plan should include:

* A clear outline of all of the state's program integrity activities, including regular assessments of which functions are most at risk, as well as the roles and responsibilities of key partners and stakeholders

* An updated cooperative agreement with DSHS that includes up-todate service-level agreements, a clear monitoring plan and a schedule for regular reviews and updates of the agreements

* An updated cooperative agreement and service-level agreements with DCYF, to include all federally required Medicaid program integrity activities, a clear monitoring plan and a schedule for regular reviews and updates of the agreements

* A communications strategy to ensure management at HCA, DSHS and DCYF are all aware of federal requirements and updated memorandums and agreements. HCA internal policy should be revised to include reference to these requirements and documents.

8. Develop procedures to provide consistent oversight of program integrity efforts at sister state agencies. In developing these procedures, consider other state practices as outlined in Appendix E.

9. Clarify the role of the Regulatory Compliance Unit in overseeing program integrity at sister state agencies, and determine which unit will be assigned this responsibility.

To expand program integrity efforts for MCOs, as described on pages 31-36, we recommend Division managers:

10. Consider other states' practices for auditing providers contracted with the MCOs as they develop guidance that sets out what the Division wants to examine in managed care and the approach they want to take to audit providers contracted with the MCOs.

11. Clarify the Clinical Review Unit's responsibilities regarding audits of providers contracted with the MCOs.

To improve audit selection practices to help the Division prioritize resources for high risk cases and meet federal requirements, as described on pages 37-43, we recommend Division managers:

12. Conduct a program integrity risk assessment to identify the areas and provider types the Division will prioritize for each internal unit's workplan. It could also establish formal risk factors the case management team will use to evaluate leads, and incorporate these risk factors in the Division's case management policy and procedures.

13. Improve the use of data analytics to identify leads. Ensure the new fraud and abuse detection system is able to analyze managed care organization leads and rank areas at greatest risk for improper payments.

14. Ensure the new team reviewing leads consistently receives needed data to determine which leads merit further investigation.

15. Hire and train staff dedicated to performing proactive data analytics. We also recommend HCA consider reclassifying these positions to attract and retain the expertise needed.

16. Establish a process to determine which referrals from MCOs and DSHS are credible allegations of fraud.

17. Develop a process to analyze the leads and other information in reports provided by MCOs.

18. Finalize the necessary arrangements to collaborate with the Unified Program Integrity Contractor and determine how to best use the contractor's services.

19. Establish a communications strategy to ensure staff are aware of new expectations as part of implementing the recommendations listed above.

* * *

View charts and full report at https://portal.sao.wa.gov/ReportSearch/Home/ViewReportFile?arn=1028710&isFinding=false&sp=false