WHAT TO KNOW ABOUT RECENT FEDERAL ACTIONS INVOLVING STATE MEDICAID PROGRAM INTEGRITY
The following information was released by the
Authors:
Published:
Print Email Copy Link Add KFF on Google
CMS state-specific financial action and inquiries:
In early 2026, CMS used multiple procedures simultaneously to address potential fraud in
In
CMS has also sent letters seeking information about Medicaid program integrity, provider oversight, and fraud prevention to
50-state requests/reviews:
In
In
Federal request for information:
In
There are no reliable measures of fraud against Medicaid. Measuring fraud is difficult, in part, because it can only be determined with certainty after the fact and if it is identified (through recovery and enforcement actions). Recovery and enforcement data show that in 2025 the 53 state and territory Medicaid Fraud Control Units reported
The current use of payment deferrals, given the magnitude of federal funding at stake and the time it takes to resolve administrative disputes, creates uncertainty and could be destabilizing for state budgets. If states have inadequate funding to maintain existing Medicaid programs, they may face difficult decisions regarding how to limit Medicaid spending or divert spending from other state programs. Additionally, new program integrity requests come at a time when states are facing historic reductions in federal Medicaid funding and new administrative requirements, including implementing work requirements and more frequent eligibility renewals for Medicaid expansion adults. Against this backdrop, this brief describes recent HHS actions (state-specific and nationwide) related to Medicaid program integrity and outlines some open questions going forward.
How has CMS engaged with individual states on program integrity?
CMS focused its increased state-specific Medicaid oversight first on
As of
On
Previously, CMS requested documentation from
CMS has also deferred
Box 1. CMS deferred
On
Withdeferrals, CMS pauses payment for state Medicaid expenditures that have already occurred and requires the state to provide additional information demonstrating that expenditures are "allowable." If CMS ultimately disallows some or all of the federal matching payments that have been deferred, the state could request reconsideration from CMS or appeal with the Departmental Appeals Board. If an appeal is unsuccessful, the state could seek relief in
In addition to taking compliance action (MN) and issuing deferrals (CA, MN), CMS has sent letters seeking detailed information about Medicaid program integrity to four states (CA, FL, ME and NY) (Figure 2). In each letter, CMS posed a series of program integrity related questions (Table 1). States were asked to supply program integrity process and policy information as well as specific data. The inquiries could provide some insight into broader federal program integrity priorities, and/or could be part of a process that eventually leads to compliance action or payment deferrals. CMS laid out context for each inquiry including concerns stemming from recent fraud cases in the state and/or analyses of state claims showing growth in the use of certain "high-risk" services, although CMS publicly confirmed errors in analysis related to New York Medicaid data. The high-risk services cited by CMS are specific to each state, except for
As of
Provided detailed answers to CMS questions and additional context in response to the motivating factors described in the CMS letters.
Emphasized that the trends reported by CMS do not necessarily indicate fraud, waste, or abuse, but instead are the result of policy and payment choices (approved and often encouraged by CMS) to increase enrollees' access to and use of certain services (e.g., home care and behavioral health services).
Characterized existing program integrity infrastructure and program integrity processes as robust, with multi-layered safeguards, reporting current practices often go beyond minimum federal requirements.
What new provider revalidation actions have been initiated by CMS?
On
CMS requested that states confirm whether they will immediately revalidate "high-risk" Medicaid providers. CMS acknowledges that factors contributing to fraud are multi-faceted and require a comprehensive approach to address; however, CMS notes revalidating high-risk providers immediately may help deter criminal actors and allow federal/state governments to suspend or terminate them from the program. CMS notes classes of Medicaid providers with less rigorous enrollment and billing requirements (e.g., CMS cites providers without a National Provider Identifier (NPI) are most vulnerable to fraud. States have flexibility to designate which providers are "high-risk," though CMS expects the definition to include any provider without an NPI (Box 2).
CMS requested that states notify them of their intent to carry out immediate revalidation of high-risk providers within 10 days of receipt of the letter, along with a proposed timetable for revalidation. CMS noted that failure to immediately revalidate high-risk providers would be "considered as we [CMS] evaluate the likelihood of fraud in each state moving forward." Some states have publicly expressed their intent to conduct accelerated, off-cycle provider revalidation exercise, while others have emphasized compliance with CMS's request as part of a broader, coordinated fraud prevention effort.
Box 2. An NPI is a unique ID number that identifies the provider who referred, ordered, or delivered services billed on health care claims.
NPIs were introduced in 19965to improve efficiency and reduce errors in electronic health care claims. Federal law requires an NPI from all medical providers (e.g. physicians, dentists, or nurses) and organizations (e.g. hospitals, pharmacies, or physician practices) who participate in electronic health care claims. Non-medical providers may deliver certain Medicaid services, particularly home care services; these providers may not have an NPI due to federal rules describing who is required and permitted to obtain an NPI.
CMS also requested that states develop a broader strategy on provider revalidations. CMS requested states develop and submit a comprehensive two-year provider revalidation strategy within 30 days of receipt of the letter as well as the strategy's results upon completion. CMS notes the provider revalidation strategy should be tailored to the unique landscape of the state and prioritize a comprehensive review and revalidation of the state's enrolled Medicaid providers. CMS asks states to increase oversight of high-risk providers (including by adopting off-cycle or more frequent revalidation intervals than the minimum five-year requirement and potentially prioritize high-risk providers who have not been screened within the past 12 months for revalidation.) CMS notes that states should define the scope and priorities of their provider revalidation strategies, but asked that certain elements be included:
Methodology and timeline for conducting off-cycle revalidation, with a focus on high-risk providers (including those without an NPI)
Metrics to measure the revalidation strategy effectiveness
Approach for confirming provider information is accurate and up to date, on an ongoing basis (across fee-for-service and managed care delivery systems) approach to coordinating with relevant law enforcement partners
How has HHS-OIG heightened scrutiny of state Medicaid fraud control units (MFCUs)?
On
Federal requirements and performance standards serve as the basis for MFCU annual recertification by HHS-OIG (which oversees MFCUs). When a MFCU applies for annual recertification, the MFCU submits performance and budget data, including staffing, costs, case numbers and outcomes, and other information requested by HHS-OIG. HHS-OIG may conduct an onsite review of the MFCU. In the
What is the CRUSH Request for Information (RFI)?
On
Potential expansions or modifications to existing program integrity laws/rules
Enhanced provider enrollment and identity verification
State-level program integrity oversight, particularly of high-risk services
Responses to the
The Medicaid and
Comprehensively review existing federal requirements to reduce duplication and focus on requiring or supporting activities that deliver returns on investment
Enhance payment transparency and data sharing
Examine existing barriers to program integrity in managed care and promote successful state practices
What to watch in future program integrity-related developments?
Recent CMS action related to program integrity has been focused both on specific states as well as initiatives and requests that affect all states. Many open questions remain, including:
Whether future compliance actions or deferrals will impact states beyond
Whether state responses to CMS's provider revalidation exercise will become public, including comprehensive details on how provider classes are categorized as "high-risk,"
What are the implications of the focus on providers without NPIs (will more non-medical providers obtain NPIs, or will there be fewer providers for certain services?)
Whether the OIG letter to state Attorneys General will lead to an increase in indictments, convictions, and fraud recoveries by state MFCUs,
Whether CMS pursues rulemaking or sub-regulatory action following the
Whether CMS and HHS-OIG have capacity to carry out recently announced activities,
Whether
Whether increased oversight requires trade-offs with access to care or services.
The FY 2025 MFCU Statistical Chart notes that "Recoveries are defined as the amount of money that defendants are required to pay as a result of a settlement, judgment, or prefiling settlement in criminal and civil cases and may not reflect actual collections. Recoveries may involve cases that include participation by other Federal and State agencies." ↩'
On
States are permitted to delegate provider screening responsibilities to managed care organizations but must maintain oversight of screening activities. ↩'
Federal law requires that states assign 'limited,' 'moderate,' or 'high,' risk categories to providers. States assign risk categories to providers based on several guidelines, including the Medicare risk category for that provider type, provider-specific risk factors (e.g., receiving a prior Medicaid overpayment), and audit findings assessing the fraud, waste, or abuse risk of a specific provider type. While federal rules establish minimum risk levels, states can choose to use higher risk levels across a provider type and can change a provider's risk level based on new information (e.g., following credible allegations of fraud, waste, or abuse). ↩'
NPIs were introduced and mandated by the Health Insurance Portability and Accountability Act (HIPAA). ↩'
The federal government reimburses states for MFCU costs. States that have operated MFCUs for longer than 12 quarters receive reimbursement for 75% of allowable costs incurred operating a MFCU; states contribute the other 25% share. ↩'



WOMEN'S HEALTH INSURANCE COVERAGE
Rob Sand says audit shows PBMs may be overcharging Iowa taxpayers
Advisor News
- The overlooked retirement security risk that must be addressed
- What advisors should know about hedge funds in retirement planning
- Retirement control is top success measure for middle class, ACLI says
- Industry groups applaud House passage of Financial Exploitation Prevention Act
- Younger workers more likely to be eligible for a retirement plan after changing jobs
More Advisor NewsAnnuity News
- MassMutual Ranks No. 100 on the 2026 Fortune 500® List
- What’s fueling record annuity growth?
- Jackson Named InvestmentNews 2026 Annuities Provider of the Year
- State Farm’s agency overhaul: What distribution can learn
- IRI, ACLI express support for CLEAR Forms Act
More Annuity NewsHealth/Employee Benefits News
- HAFA praises bill to establish multifactor authentication for ACA enrollees
- Corvese, Famiglietti bill to protect patients’ insurance rights signed into law
- More Hoosiers go uninsured, resulting in higher emergency department usage
- WA CARES FUND BENEFITS OPEN, LAUNCHING NATION'S FIRST PUBLIC LONG-TERM CARE INSURANCE PROGRAM
- 16,000 new moms to benefit from expanded Medicaid coverage starting Wednesday
More Health/Employee Benefits NewsLife Insurance News
- PHL Variable liquidation pushed out to 2027, Connecticut regulators say
- ‘Recession-Proof’ Insurance Is Trending. Safety Net or Scam?
- Winged Keel Group Expands National Presence and PPLI Leadership, Welcomes SBSI, Inc. (dba NFP Insurance Solutions)
- MassMutual Ranks No. 100 on the 2026 Fortune 500® List
- 180-year Old New York Life Adds to Tokenized Funds
More Life Insurance News