Medicare Program Integrity: Activities to Protect Medicare from Payment Errors, Fraud, and Abuse
Prepared for Members and Committees of Congress
In FY2008, Medicare is expected to cover an estimated 44.6 million beneficiaries at a total cost of
$456 billion. With an average annual growth rate of 7.0%, the Congressional Budget Office
(CBO) projects Medicare costs to double over the next 10 years. Because of a number of factors,
such as an aging population, overall increases in medical costs, and the new Part D prescription
drug benefit, spending on Medicare services is expected to grow more than spending in the U.S.
economy. As expenditures continue to rise in the nation’s largest health insurance program, efforts
to preserve the integrity of the program receive increased attention from policy makers.
Program integrity is considered a component of the effective and efficient administration of
government programs, which are entrusted with ensuring that taxpayer dollars are spent wisely.
Efforts to ensure Medicare program integrity encompass a wide range of activities and require
coordination among multiple private and public entities. In general, initiatives designed to fight
fraud, waste, and abuse are considered program integrity activities. This includes processes
directed at reducing payment errors to Medicare providers, as well as activities to prevent, detect,
investigate, and ultimately prosecute health care fraud and abuse.
Because of the size and scope of the Medicare program, multiple government entities are
involved in protecting Medicare’s integrity. As the agency responsible for administering the
Medicare program, the Centers for Medicare and Medicaid Services (CMS) oversees a network of
private contractors that conduct various program integrity activities. The six main types of
activities are conducting audits, reviewing claims for medical necessity, identifying and
investigating potentially fraudulent behavior, ensuring that Medicare pays only for services for
which it has primary responsibility, educating providers on Medicare billing procedures, and
managing a Medicare-Medicaid data match program to identify fraud that may affect both federal
health insurance programs. Contractors refer suspected cases of fraud to the Department of Health
and Human Services (DHHS) Office of the Inspector General (OIG) and the Department of
Justice (DOJ) for further investigation and prosecution.
Medicare program integrity activities are funded in statute, largely through the Medicare Integrity
Program (MIP) and the Health Care Fraud and Abuse Control Program (HCFAC), which provide
CMS and other federal agencies with dedicated funds to prevent fraud, waste, and abuse in
This report provides an overview of Medicare’s program integrity efforts. A definition of program
integrity is presented, as well as descriptions of the types of activities, organizations, and agencies
involved in protecting Medicare’s integrity on a day-to-day basis. The report continues with a
history of federal funding for Medicare’s anti-fraud activities and a discussion of findings from
recent studies on program integrity efforts. The report concludes with a brief description of
current issues. This report will be updated to reflect legislative changes.
Introduc tion ..................................................................................................................................... 1
Background on Medicare................................................................................................................2
Program Integrity Defined...............................................................................................................3
Types of Program Integrity Activities.............................................................................................4
Cost Report Auditing..........................................................................................................5
Medicare Secondary Payer (MSP)......................................................................................6
Medicare-Medicaid Data Match Program...........................................................................7
Types of Program Integrity Contractors..........................................................................................7
Claims Administration Contractors.....................................................................................7
Program Safeguard Contractors (PSCs)..............................................................................8
Recovery Audit Contractors (RACs)..................................................................................8
Coordination of Benefits (COB) Contractor.......................................................................8
Medicare Managed Care Program Integrity Contractors (MMC-PICs).............................8
Medicare Drug Integrity Contractors (MEDICs)................................................................9
Quality Improvement Organizations (QIOs)......................................................................9
Medicare Program Integrity Partners..............................................................................................9
History of Funding for Medicare Program Integrity Activities......................................................11
Current Funding for Medicare Program Integrity Activities.........................................................13
Assessment of Program Integrity Efforts......................................................................................14
Improper Payment Rates...................................................................................................14
HCFAC Annual Reports...................................................................................................16
GAO HCFAC Reports......................................................................................................17
OMB Program Assessment Rating Tool (PART)..............................................................18
Other GAO Reports..........................................................................................................18
Current Program Integrity Issues...................................................................................................19
Durable Medical Equipment.............................................................................................19
Recovery Audit Contractor Program................................................................................20
Program Safeguard Contractors........................................................................................21
Program Integrity Activities for Part D.............................................................................22
Table 1. HCFAC and MIP Appropriations for Selected Fiscal Years............................................13
Table 2. Medicare National Paid Claim Error Rates and Gross Improper Payments for
Every Two Years Between 1996 and 2008.................................................................................15
Table 3. HCFAC Summary of Results and Accomplishments for Years 1998-2005.....................17
Author Contact Information..........................................................................................................24
According to the 2007 Medicare Trustees report, Medicare expenditures were $408 billion in 1
FY2006 for 43.2 million beneficiaries. In FY2008, Medicare is expected to cover an estimated 23
44.6 million beneficiaries at a total cost of $456.3 billion. The Congressional Budget Office
(CBO) projects these expenditures to double over the next 10 years. The majority of Medicare
spending, approximately 75%, is for benefits provided by Parts A and B, the fee-for-service
portion of the program. As one of the fastest growing sectors of the federal budget, challenges
exist in maintaining and ensuring the integrity of the nation’s largest health insurance program.
Ensuring program integrity is typically discussed in connection with program administration and
financial management issues. Its chief purpose is the effective and efficient use of taxpayer
dollars. In general, initiatives designed to fight fraud, waste, and abuse are considered program
integrity activities. This includes processes directed at reducing payment errors, as well as
activities to prevent, detect, investigate, and ultimately prosecute health care fraud and abuse.
More specifically, program integrity ensures that correct payments are paid to legitimate
providers for appropriate and reasonable services for eligible beneficiaries.
Because of the size and scope of the Medicare program, multiple government entities are
involved in preserving Medicare’s integrity. As the agency responsible for administering the
Medicare program, the Centers for Medicare and Medicaid Services (CMS) oversees a network of
private contractors that conduct a variety of program integrity activities as part of its Medicare
Integrity Program (MIP). Examples of such activities include auditing providers, reviewing
claims for medical necessity, and identifying and investigating alleged fraud. Contractors will
develop and refer suspected cases of fraud to the Department of Health and Human Services
(DHHS) Office of the Inspector General (OIG) and the Department of Justice (DOJ) for further
investigation and prosecution.
Medicare program integrity activities are funded in statute, largely through the Medicare Integrity
Program (MIP) and the Health Care Fraud and Abuse Control Program (HCFAC), which provide
CMS and federal law enforcement agencies with dedicated funds to safeguard federal monies and
prevent fraud, waste, and abuse in Medicare. The MIP and HCFAC programs were both
established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-4
This report provides an overview of Medicare’s program integrity efforts. The report begins with
a definition of program integrity, followed by detailed information on typical program integrity
activities, a description of Medicare contractors and their role in ensuring Medicare integrity, and
a discussion of other government agencies involved in protecting Medicare from fraud, waste,
and abuse. A history of funding for Medicare’s program integrity and anti-fraud activities is
1 Centers for Medicare and Medicaid Services (CMS) Office of the Actuary, 2007 Medicare Board of Trustees Report,
April 23, 2007, at http://www.cms.hhs.gov/ReportsTrustFunds/downloads/tr2007.pdf.
2 Department of Health and Human Services, Budget in Brief, 2008, at http://www.hhs.gov/budget/08budget/
3 Congressional Budget Office (CBO), Medicare March 2007 Fact Sheet, at http://www.cbo.gov/ftpdocs/78xx/
4 Section 1893 of the Social Security Act (SSA) governs the Medicare Integrity Program (MIP), and Section 1128C of
the Social Security Act governs the Health Care Fraud and Abuse Control (HCFAC) program.
presented, as well a discussion of findings from recent studies on program integrity activities. The
report concludes with a brief description of current issues. Although this report addresses program
integrity activities undertaken to combat fraud in Medicare’s private Part C and D programs, it is
largely focused on Medicare’s approaches to ensure integrity in its fee-for-service program (Parts
A and B), which constitute the largest share of Medicare spending.
Medicare is the nation’s health insurance program for persons aged 65 and older and certain
disabled persons. Of the program’s 43.2 million enrollees, approximately 85% are aged and the 5
remaining 15% are disabled. In 2006, spending on Medicare services accounted for an estimated 6
58% of total federal health expenditures and 20% of all national health expenditures. The
majority of Medicare spending, nearly 75%, is for benefits provided by Parts A and B, the fee-for-
service portion of the program otherwise known as “original” or “traditional” Medicare. The
remaining 25% is spent on private health care plans that deliver Medicare services to
beneficiaries under Part C, the Medicare Advantage (MA) program, and Part D, the new
prescription drug benefit.
Medicare consists of four distinct parts: Parts A, B, C, and D. Medicare Part A (Hospital
Insurance) covers inpatient hospital services, skilled nursing facility services, home health, and
hospice services. Medicare Part B (Supplementary Medical Insurance) covers a variety of other
medical services, such as physician services, outpatient hospital care, laboratory services, and
durable medical equipment. Beneficiaries also have the option to enroll in a private Medicare Part
C or MA plan to receive all required Part A and B benefits, and a private Medicare Part D or
Prescription Drug Plan (PDP) for prescription drug benefits. Most beneficiaries who opt to enroll
in a private plan choose a MA-PD (Medicare Advantage Prescription Drug) plan for combined
Part C and D coverage. Approximately 80% of beneficiaries receive services through the fee-for-
service portion of the program (original Medicare), and 20% of Medicare beneficiaries receive
services through a private Part C MA plan.
Medicare pays for services in Parts A and B, or traditional Medicare, differently than it does for
services under Parts C and D. Under the traditional fee-for-service program, Medicare pays
providers directly for each specified unit of service delivered to a beneficiary. The unit of service
may be a single procedure, visit, or test, or a group of services, such as a hospital stay. In contrast,
for Parts C and D, Medicare pays private health plans to deliver Medicare services to
beneficiaries. In addition, unlike Part A and B Medicare providers, private plans participating in
Medicare are paid on a capitated basis as opposed to a fee-for-service basis. Under capitation,
private plans receive a fixed monthly payment per enrollee regardless of the amount of services
provided. Payment is made in advance for a pre-determined set of benefits; either Part A and B
benefits administered by a Part C plan or prescription drug benefits administered by a Part D PDP
5 The disabled population includes persons under age 65 who receive cash disability benefits from Social Security or
the Railroad Retirement systems for at least 24 months and persons under age 65 with end stage renal disease (ESRD).
6 Centers for Medicare and Medicaid Services, National Health Expenditure Projections 2006-2016, at
Each method of payment produces conflicting financial incentives for health plans and providers.
These conflicting incentives result in different forms of fraud and abuse unique to each payment
system. Under fee-for-service, providers may have an incentive to over-utilize health care
services or provide more care to beneficiaries in order to maximize reimbursement. The more
services providers deliver, the more money they receive. The opposite is true in capitated
payment systems. Under capitation, where the payment is a fixed monthly amount per enrollee,
providers may have an incentive to limit health services or provide less health care to
beneficiaries. A provider’s reimbursement amount does not vary with the number of services
Medicare is administered by the Centers for Medicare and Medicaid Services (CMS) within the
Department of Health and Human Services (DHHS). CMS contracts with more than 40 private
entities to oversee day-to-day operations and conduct program integrity activities for Medicare
Parts A, B, C, and D. Each year, Medicare contractors process nearly 1 billion claims from over 1
million providers enrolled in the Medicare program. In addition to processing and paying claims,
contractors perform certain program integrity functions. Contractor activities are overseen by two
departments within CMS: the Program Integrity Group and the Center for Beneficiary Choices.
The Program Integrity Group is responsible for oversight related to Parts A and B. The Center for
Beneficiary Choices is responsible for oversight activities related to Part C—the MA program.
Both departments share oversight responsibility for Part D.
Program integrity is often discussed in connection with financial management and oversight
issues. It is considered an essential component of the efficient and effective administration of
government programs and integral to accomplishing a program’s social goals. In Medicare, one of
these social goals is to ensure access to high-quality care for all beneficiaries. To meet this
objective, Medicare implements activities designed to ensure that correct payments are made to
legitimate providers for appropriate and reasonable services for eligible beneficiaries. On a
practical level, program integrity activities are those directed at protecting the program from
payment errors, fraud, and abuse.
Broadly defined, Medicare program integrity functions encompass two types of activities
designed to safeguard program payments: (1) activities directed at reducing payment errors or
improper payments and (2) activities directed at protecting the Medicare program from fraud,
waste, and abuse. The first set of activities emphasizes prevention and relies largely on automated
processes to detect improper or potentially fraudulent claims before they are paid. The second set
of activities emphasizes the identification and detection of health care fraud through the analysis
of claims after they have been paid. An effective program integrity strategy incorporates elements
from both approaches.
To protect the Medicare Trust Fund from improper payments, CMS contracts with private
organizations that review claims to determine whether the services provided are medically
reasonable and necessary. Although program integrity activities directed at reducing improper
payments will identify some instances of fraud, they are not specifically designed to do so. In
Medicare, improper payments are largely the result of mistakes or inadvertent billing errors on
the part of Medicare providers submitting claims or Medicare contractors processing claims.
Improper payments pose a significant financial risk to the Medicare program.7 In November
$10.8 billion in expenditures.
To protect the Medicare Trust Fund from fraud and abuse, CMS contracts with private
organizations to conduct program integrity activities directed at identifying and detecting actual
fraud. CMS typically classifies these activities as benefit integrity activities. Examples of benefit
integrity methods may include performing ongoing data analysis of claims to identify aberrant
billing patterns, developing fraud investigations, and referring suspected cases of fraud to law
enforcement personnel for prosecution. Although law enforcement personnel may point to a
deterrent effect associated with these types of activities, their focus is not on preventing fraud.
Their focus is on tracking down offenders and recovering improper payments after fraud has been
Although there is a certain level of overlap, program integrity approaches to address fraud and
abuse in Medicare’s fee-for-service program are generally different than those used to address
fraud in Medicare’s Part C and D private plans. These differences stem largely from differences in
Medicare’s payment structure. In fee-for-service, where providers have an incentive to provide
more services, examples of fraud may include billing for services not rendered, billing multiple
insurers for the same service, or accepting bribes or kickbacks for referring patients. In capitated
payment systems, where providers have an incentive to provide fewer services, types of
fraudulent activities may include employing misleading marketing tactics in an effort to
discourage utilization, “cherry picking” or selectively enrolling healthy enrollees, or failing to
provide medically necessary care. Historically, the government’s anti-fraud methods have focused
on combating fraud in the fee-for-service sector. However, with enrollment in private Medicare
plans on the rise, program integrity approaches to fight fraud in capitated payment systems are
becoming more important.
Ensuring Medicare program integrity is a coordinated effort involving CMS, Medicare
contractors, law enforcement agencies, providers, and beneficiaries. By analyzing billing data,
monitoring improper payments, and investigating potential fraud, Medicare contractors play a
significant role in the detection and prevention of health care fraud and abuse. When these
activities reveal suspected fraudulent activity, contractors develop and refer cases to the
Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) for
further investigation and administrative sanctions. If the OIG suspects federal criminal law has
been violated, fraud cases are then referred to the Department of Justice (DOJ) for prosecution.
To protect the Medicare program from improper payments, as well as fraud, waste, and abuse,
CMS conducts six main types of program integrity activities: cost report auditing, medical
review, benefit integrity, Medicare secondary payer, provider education, and operating a
Medicare-Medicaid Data Match Program. These six functions are stipulated in law and are
7 Since 1990, GAO has designated Medicare a high-risk program because of its vulnerability to improper payments.
8 See CMS annual improper payment rate report for November 2007: https://www.cms.hhs.gov/apps/er_report/
largely performed as part of CMS’s MIP program.9 CMS contracts with private organizations,
otherwise known as Medicare contractors, to conduct these activities, the bulk of which are
performed for Part A and B Medicare providers. Specific information on the types of private
organizations that perform these functions are described in the next section.
Part A Medicare providers such as hospitals, nursing homes, home health agencies, and other 10
institutional providers are required to submit cost reports to CMS annually. Cost reports contain
information on the provider’s allocation of costs across services. CMS contractors analyze these
cost reports by conducting desk reviews. The objective of the desk review is to assess whether the
reported costs are adequate and accurate, and to determine whether a more comprehensive, on-
site audit is necessary. If the desk review reveals problems with the cost report, contractors will
conduct field audits at the provider’s place of business. Field audits are designed to ensure
compliance with Medicare regulations and reimbursement policies and to obtain reasonable
assurance that the cost report was prepared in accordance with Medicare laws, regulations, and
instructions. The cost report auditing activity also includes audits of Medicare Part C or private 11
MA plan cost reports. Part B Medicare providers (physicians, outpatient hospital, durable
medical equipment providers, and others) are not required to submit cost reports to CMS.
Medical review activities are designed to identify and prevent payment errors and mistakes in
billing. More specifically, medical review activities ensure that a payment is appropriate for the
service that is provided and meets professionally recognized standards of care. As part of this
process, Medicare contractors review claims, largely through the use of automated computer
edits, to verify that the services are (1) covered by Medicare, (2) provided by legitimate 12
providers, (3) delivered to eligible beneficiaries, and (4) reasonable and medically necessary.
9 The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) created Section 1893 of the Social
Security Act, which established the Medicare Integrity Program or MIP. As part of MIP, the legislation outlines the
activities that are to be conducted in carrying out the program. Section 1893 also includes an additional activity. This
activity is developing a list of items of durable medical equipment in accordance with section 1834(a)(15) that are
subject to prior authorization. This item is not addressed in this report because CMS does not use MIP funds to support
10 Generally, Part A Medicare providers are paid under a prospective payment system (PPS). With PPS, providers are
paid pre-determined payment amounts based on specified units of service, such as hospital stays. When performing cost
report audits, CMS reviews the few items that could affect a provider’s payment under PPS, such as bad debt, organ
procurement costs, payments for indirect and direct medical education, and the number of low-income patients
hospitals serve. Recent studies conducted by GAO and MEDPAC have questioned the degree to which CMS’s current
audit process assesses the accuracy of Medicare costs for providers paid under PPS. See GAO-06-813, Medicare
Integrity Program: Agency Approach for Allocating Funds Should be Revised, September 2006, at
http://www.gao.gov/new.items/d06813.pdf, and MEDPAC, Report to the Congress: Sources of Financial Data on
Medicare Providers, June 2004, at http://www.medpac.gov/publications/congressional_reports/
11 Although the law requires that CMS annually audit the financial records of at least one-third of Part C MA plans, a
recent GAO report released in July 2007 found that CMS did not document its process for ensuring that it met this
requirement for years 2001-2005. See GAO-07-945, Medicare Advantage: Required Audits of Limited Value, July
2007, at http://www.gao.gov/new.items/d07945.pdf.
12 Computerized edits also check for errors such as incomplete or duplicate claims, claims where diagnosis codes do
not match procedure codes, and unallowable code combinations.
Medical review methods also include issuing Local Coverage Determinations (LCDs) for
providers, which outline which items and services will be eligible for payment under the 13
Medicare statute. LCDs are used to develop and update computer edits on an ongoing basis.
When an edit reveals a billing error or problem with a claim, Medicare contractors may conduct a
manual pre-payment or post-payment claims review, request additional medical documentation 14
from the provider, or contact beneficiaries to verify that the services were actually provided.
Benefit integrity involves the identification and investigation of potential fraud cases and referrals
to law enforcement. CMS contractors hired to perform benefit integrity work may conduct
national and regional data analysis to identify aberrant patterns of billing, request medical
documentation from providers to verify services delivered, investigate beneficiary complaints
related to fraud, educate providers about fraud detection and prevention, and review and process
applications from certain Medicare providers. When fraud is suspected, contractors refer cases to
the OIG or law enforcement for further investigation, prosecution, or both. Benefit integrity
activities may also include recoupment of overpayments and suspension of future payments when
fraud is suspected.
MSP activities ensure that Medicare pays only for those services where it has primary
responsibility for payment. Under MSP rules, Medicare is prohibited from making payments for
any item or service when payment has been made or can reasonably expect to be made by certain
third-party payers. Statutorily, Medicare is the secondary payer to employer-based insurance
plans, auto liability insurance, and workers compensation insurance. CMS maintains a
comprehensive database of all Medicare beneficiaries health insurance information and uses the
database to conduct investigations related to MSP.
To help prevent errors and keep providers abreast of any changes in Medicare billing and coding
procedures, contractors are required to conduct regular outreach and educational activities.
Examples of educational activities include seminars, workshops, articles and fact sheets, and
other website publications. Provider education activities also include developing resources for
providers to help them avoid and detect fraud, waste, and abuse. When billing problems or
improper payments are identified, CMS contractors are required to work with Medicare providers
directly to correct mistakes.
13 A Local Coverage Determination (LCD), as established by Section 522 of the Benefits Improvement and Protection
Act of 2000 (BIPA, P.L. 106-554), is a decision by a fiscal intermediary or carrier whether to cover a particular service
on an intermediary-wide or carrier-wide basis in accordance with Section 1862(a)(1)(A) of the Social Security Act (i.e.,
a determination as to whether the service is reasonable and necessary).
14 Manual pre-payment and post-payment claims reviews are initiated only after billing problems have been identified
with a provider. Under pre-payment review, contractors will conduct a manual medical review on a percentage of
claims before payment is made. When conducting postpayment review, contractors examine a statistically valid sample
of paid claims from a provider.
15 For more information on Medicare Secondary Payer, see CRS Report RL33587, Medicare Secondary Payer:
Coordination of Benefits, by Hinda Chaikind.
Referred to as the Medi-Medi program, this activity is designed to identify fraudulent or improper
billing practices that affect both Medicare and Medicaid programs. By matching data across both
programs, CMS investigates atypical billing patterns that may not be evident when analyzing the
data from each program separately. When problems are identified, CMS works with the states to
initiate payment recovery actions. CMS currently has Medi-Medi projects in 10 states and plans
to expand the program nationwide.
To conduct the six program integrity activities described in the previous section, CMS contracts
with a mix of different private organizations, called Medicare contractors. The types of program
integrity activities undertaken by the different contractors vary depending on their Statement of
Work (SOW). Some process and pay Medicare claims in addition to performing select program
integrity functions (Claims Administration Contractors). Program Safeguard Contractors (PSCs),
Recovery Audit Contractors (RACs), and the Coordination of Benefits (COB) contractor
specialize solely in program integrity and fraud prevention activities for Part A and B Medicare
providers. Medicare Managed Care Program Integrity Contractors (MMC-PICs) and Medicare
Drug Integrity Contractors (MEDICs) handle a wide variety of anti-fraud activities for Part C MA
plans and Part D PDPs. Finally, Quality Improvement Organizations (QIOs) are responsible for
safeguarding payments to inpatient hospitals. A brief description of each of these contractors and
their scope of work are described below. This list is not exhaustive.
Claims administration contractors include Fiscal Intermediaries (FIs), Carriers, and Medicare 16
Administrative Contractors (MACs). FIs process claims for Part A providers (hospital, home
health, and skilled nursing facilities), and Carriers process claims for Part B providers (physician, 17
laboratory, and durable medical equipment [DME] providers). MACs process claims for both
Part A and B providers. In addition to processing and paying claims, these contractors perform
certain program integrity tasks related to medical review, which includes reviewing claims to
ensure that Medicare pays for services that are reasonable and medically necessary. They also
perform other program integrity-related tasks, such as conducting provider audits, educating
providers on appropriate billing practices, and screening beneficiary complaints related to alleged
16 Section 911 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA, P.L. 108-173)
mandated that the Secretary implement Medicare fee-for-service (FFS) contracting reform. Effective October 1, 2005,
the Secretary has the authority to replace the current claims administration contractors (FIs and Carriers) with
performance-based Medicare Administrative Contractors, otherwise known as MACs, by 2011. MACs will process and
pay claims for both Part A and B Medicare providers. Contracting reform is expected to generate savings to the
government by promoting greater efficiency in processing Medicare claims.
17 DME includes items such as hospital beds, wheelchairs, respirators, walkers, and artificial limbs specifically for
home use. According to CMS FY2008 Budget Justification, there are currently 23 FIs, 17 Carriers, 1 A/B MAC, and 3
DME MACs in operation.
PSCs specialize in benefit integrity functions, which focus on detecting and investigating
potential fraud and abuse in Parts A and B. By performing ongoing data analysis to identify
potentially fraudulent billing patterns and investigating leads from a variety of sources (law
enforcement agencies, CMS, beneficiaries, and Medicare supplemental insurers), PSCs identify
suspected cases of fraud and make appropriate referrals to the OIG for consideration of civil or
criminal prosecution. PSCs will also arrange Medicare training for law enforcement officials at
the Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) when requested. PSCs
conducting benefit integrity work have the authority to suspend and deny payments and initiate
payment recoupment. Some PSCs also perform medical review functions. Separate PSCs detect 18
alleged Medicare fraud among durable medical equipment providers (DME PSCs).
RACs are responsible for reducing the rate of Medicare improper payments in Parts A and B by
identifying under- and overpayments made to providers, recovering overpayments, and working
with providers to prevent future improper payments. Section 306 of the Medicare Prescription
Drug, Improvement, and Modernization Act of 2003 (P.L. 108-173) authorized the Secretary to
contract with RACs as a three-year demonstration project. The RAC initiative was made
permanent with the Tax Relief and Health Care Act of 2006 (P.L. 109-432). There are currently
six RACs operating in three states: New York, California, and Florida. CMS expects to expand
the program nationwide by 2010. Additional information on RACs is included in the current
The main purpose of the COB contractor is to identify payments that are the responsibility of
another or secondary payer. Statutorily, Medicare is the secondary payer to employer-based
insurance plans, auto liability insurance, and workers compensation insurance. By using data
match programs, the Medicare COB is responsible for the collection, management, and reporting
of other health insurance coverage for Medicare beneficiaries. In January of 2001, the COB
contractor assumed responsibility for researching and conducting all MSP claim investigations.
There is one COB contractor that handles all program integrity functions related to MSP.
CMS currently maintains eight MMC-PIC contracts, which are responsible for identifying and
detecting fraud, waste, and abuse in Medicare Part C MA plans. Among the services performed
by MMC-PICs are evaluating the marketing operations of Part C plans, auditing plan financial
and medical records, evaluating enrollment and encounter data from Part C plans, and completing
all retroactive payment adjustments and retroactive enrollments or disenrollments submitted by
18 Currently, CMS has 18 active benefit integrity PSC task orders—15 for Medicare Parts A and B and 3 for DME.
As part of its Part D oversight program, CMS awarded four MEDIC contracts in FY2006. One
MEDIC was operational in FY2006, and the remaining three MEDICs began operations in
FY2007. MEDICs have responsibility for monitoring program integrity and potential fraud issues
that may arise with the new prescription drug benefit. The areas of oversight the MEDICs are
involved with include reviewing bids from prescription drug plans for participation in the
program, conducting audits of Part D participating organizations, investigating fraud complaints
from beneficiaries, and making referrals to law enforcement as necessary.
QIOs are responsible for providing technical assistance to Medicare providers on quality
improvement, conducting medical review activities, and investigating beneficiary complaints
related to inappropriate or medically unnecessary care. Although QIOs provide technical
assistance to all types of Medicare providers (physicians, hospitals, nursing homes, and home
health agencies), the majority of their medical review activities relate to care provided in inpatient
hospitals. As part of their medical review function, QIOs take measures to reduce the hospital
improper payment rate, ensure compliance with Medicare billing codes and procedures, and
assess whether the care provided to beneficiaries meets professionally recognized standards.
When a QIO determines, either through its medical review activities or beneficiary complaints,
that the care provided does not meet Medicare standards, it will work with the provider to rectify 19
deficiencies or refer the case to law enforcement for sanctions.
CMS contracts separately for program integrity activities related to suppliers of DME. These
include the National Supplier Clearinghouse (NSC), Data Analysis and Coding (DAC)
Contractor, and Durable Medical Equipment Program Safeguard Contractors (DME PSCs). The
NSC is responsible for enrolling DME suppliers in the Medicare program, conducting site visits
to DME facility locations, and issuing Medicare billing numbers to suppliers. The DAC performs
ongoing data analysis on supplier billing patterns, and the DME PSCs are responsible for
detecting and investigating alleged fraud among DME suppliers.
CMS shares responsibility for ensuring Medicare program integrity with three federal agencies:
the Department of Health and Human Services (DHHS) Office of the Inspector General (OIG),
19 Recent studies and news articles on the activities of QIOs have raised concerns related to the QIOs’ ability to
effectively monitor the quality of care provided to Medicare beneficiaries. For example, an OIG report released in May
2007 reported that between 2003 and 2006, the QIOs assigned more than 80% of confirmed quality concerns to two of
the least serious quality classifications. (See OEI-01-06-00170: Quality Concerns Identified Through QIO Medical
Record Review, May 2007, at http://oig.hhs.gov/oei/reports/oei-01-06-00170.pdf). In February 2006, the Institute of
Medicine (IOM) recommended in a congressionally mandated report that CMS consider removing medical review
functions from the QIOs responsibilities, mainly because the number of sanctions issued to providers for quality
violations has declined over time. (See IOM Report Medicare’s Quality Improvement Organization Program:
Maximizing Potential, March 2006, at http://www.nap.edu/catalog.php?record_id=11604).
the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI). The OIG is an
independent unit within DHHS that has the primary responsibility for detecting health care fraud
and abuse in all federal health care programs. Most of its work, however, relates to the Medicare
and Medicaid programs. The agency conducts audits of health care programs, providers, and
agencies, and it performs criminal and civil investigations related to specific instances of health
care fraud or abuse. CMS contractors, upon detecting potential fraud, will develop and refer cases
to the OIG for further investigation and possible administrative sanctions.
The OIG has the authority to impose civil monetary penalties20 and program exclusions21 on
Medicare providers that have been convicted of certain fraudulent activities. The OIG does not
have the authority to prosecute offenders for violations of federal criminal law. In these instances,
the OIG would refer the case to the DOJ for prosecution. During FY2005, the OIG excluded 22
Medicare contractors, beneficiaries, the DOJ, and private citizens.
Annually, OIG releases a work plan, which is available publicly, outlining its priorities for the
upcoming fiscal year. These areas represent vulnerabilities in the Medicare program. For FY2007,
vulnerabilities include oversight of DME suppliers, accuracy of payments to home health 24
agencies, quality of care in nursing homes, and potential fraud in Medicare Part D.
The FBI is the lead investigative agency in the fight against health care fraud. Unlike the OIG,
which has the authority to investigate fraud only in federal programs, the FBI has jurisdiction
over both federal and private sector health care fraud. Typically, the agency investigates complex
fraud schemes involving large-scale medical providers, such as hospitals and corporations. The
FBI does not have the authority to impose sanctions. Currently, the FBI is participating in a
workgroup with CMS, DOJ, the OIG and others dedicated to investigating fraud in the Medicare
Part D program. In FY2006, FBI-led investigations resulted in 535 criminal health care fraud 25
20 Section 1128A of the Social Security Act authorizes the Secretary to impose penalties and assessments on persons
for engaging in certain activities. For example, a person who knowingly submits a false claim to a federal health care
program is subject to a penalty of up to $10,000 for each item or service fraudulently claimed, an assessment of up to
three times the amount fraudulently claimed, and possible exclusion.
21 Section 1128 of the Social Security Act authorizes the Secretary to exclude individuals and entities from
participation in federal health care programs. Exclusions are authorized for convictions of criminal offenses related to
the delivery of health care, including (1) Medicare or Medicaid fraud, (2) patient abuse or neglect, (3) felonies for other
health care fraud, and (4) felonies for the illegal manufacture, distribution, prescription, or dispensing of controlled
substances. The Secretary has discretionary authority to exclude individuals on other grounds, such as health care fraud
offenses involving misdemeanors, license suspension or revocation, provision of unnecessary or substandard services,
submission of false or fraudulent claims, and engaging in unlawful kickback arrangements.
22 Health Care Fraud and Abuse Control (HCFAC) Annual Report for FY2005, at http://oig.hhs.gov/publications/docs/
23 Under the Federal False Claims Act, 31 U.S.C. §§ 3729-3733, private citizens and relators may file suit on behalf of
the U.S. government. Relators are private persons with direct knowledge of health care fraud who file complaints on
behalf of the federal government. They are entitled to a percentage of any fraud recoveries.
24 See http://oig.hhs.gov/publications/docs/workplan/2007/Work%20Plan%202007.pdf.
25 Taken from testimony of Alexander Acosta, United States Attorney for the Southern District of Florida, Miami, at
House Committee on Ways and Means Health and Oversight Subcommittee Hearing on Medicare Program Integrity,
March 8, 2007, at http://waysandmeans.house.gov/hearings.asp?formmode=view&id=5581.
CMS contractors, the OIG, and the FBI all refer potential health care fraud cases to the DOJ for
prosecution. Within the DOJ, the Civil and Criminal Divisions handle health care fraud. One of
the enforcement tools for prosecuting health care fraud is the False Claims Act (FCA), which 26
prohibits knowingly submitting false or fraudulent claims to the U.S. government. Lawsuits
may be brought by private plaintiffs, known as relators or whistleblowers, under the FCA. There
are also 93 U.S. Attorneys Offices nationwide, which prosecute civil and criminal health care
fraud. During FY2006, prosecutors for the DOJ and U.S. Attorneys Offices opened 836 new 27
criminal and 698 new civil health care fraud investigations.
Finally, Medicare beneficiaries are a source for detecting fraud. Beneficiaries who suspect fraud
can call the OIG’s National Fraud Hotline at 1-800-HHS-TIPS. To educate beneficiaries on how
to detect and report fraud and abuse, the Administration on Aging oversees Senior Medicare
Patrol Projects, which recruit retired professionals in all 50 states to conduct one-on-one and
group training sessions for Medicare beneficiaries. The OIG collects annual performance data on
these projects and in its most recent report (April 2007) reported that in 2006, Medicare patrol
projects received 11,830 fraud complaints from beneficiaries; of this amount, 4,123 were referred 28
for further investigation. Contractors investigating anomalies in billing patterns may also
contact beneficiaries to verify that the services claimed were actually received by the beneficiary.
Medicare program integrity and anti-fraud activities are funded through the Medicare Integrity
Program (MIP) and Health Care Fraud and Abuse Control (HCFAC) program. The MIP and
HCFAC programs were both established by the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), which sought to increase and stabilize federal funding for health care anti-
fraud activities. Specifically, HCFAC funds are directed to the enforcement and prosecution of all
health care fraud, whereas MIP funding supports the Medicare program integrity activities
undertaken by CMS contractors.
HIPAA authorized the creation of the HCFAC program, which was to be jointly administered by
the Secretary of HHS and the Attorney General. To fund the program, HIPAA established within
the Hospital Insurance (HI) Trust Fund an expenditure account called the HCFAC account. All
amounts equal to monies collected from health care investigations and enforcement efforts are to 29
be deposited into the HI Trust fund.
26 Under the Federal False Claims Act, 31 U.S.C. §§ 3729-3733, a person or entity is liable for up to treble damages
and a penalty between $5,500 and $11,000 for each false claim it knowingly submits or causes to be submitted to a
27 Taken from testimony of Alexander Acosta, United States Attorney for the Southern District of Florida, Miami, at
House Committee on Ways and Means Health and Oversight Subcommittee Hearing on Medicare Program Integrity,
March 8, 2007, at http://waysandmeans.house.gov/hearings.asp?formmode=view&id=5581.
28 See OEI-02-07-00360: Performance Data for the Senior Medicare Patrol Projects, April 2007, at
29 As specified in Section 1817(k)(C) of the Social Security Act (SSA), amounts equal to the following are to be
deposited into the Federal Hospital Insurance Trust Fund from the U.S. Treasury: (1) amounts equaling unconditional
gifts and bequests; (2) criminal fines recovered in cases involving a federal health care offense as defined in Title 18
U.S.C. § 982(a)(6)(B); (3) civil monetary penalties and assessments imposed in health care cases, including amounts
Within the HCFAC account, HIPAA authorized funding for health care anti-fraud activities
undertaken by HHS, DOJ, OIG, and the FBI for years 1997-2003. All HIPAA appropriations were 30
capped at the FY2003 level and remained at the FY2003 level through FY2006. HIPAA
established that up to $104 million could be appropriated for health care anti-fraud and abuse
activities undertaken by the HHS, DOJ, and OIG in FY1997. For FY2003-FY2006, this amount
would increase to $240.6 million. Within these amounts, HIPAA earmarked specific funding
amounts for activities undertaken by the OIG. The annual OIG appropriation increased from $70
million in FY1997 to a maximum of $160 million for fiscal years 2003 through 2006. HIPAA
authorized a separate funding stream for the FBI. The annual FBI appropriation increased from
$47 million in FY1997 to $114 million for fiscal years 2003 through 2006.
The largest share of the HCFAC appropriation was dedicated to the MIP program, which
increased from $440 million in FY1997 to $720 million for fiscal years 2003 through 2005. Prior
to HIPAA and the establishment of the MIP program, funding for Medicare program integrity
activities was taken from Medicare’s program management budget, which was subject to the
annual appropriations process. This sometimes led to fluctuations in funding, as monies originally
intended to support program integrity functions were redirected to fund ongoing Medicare
operations, such as day-to-day claims processing functions. With the passage of this legislation,
HHS was ensured a stable funding source that it could commit to Medicare anti-fraud activities.
Prior to HIPAA, Medicare program integrity approaches relied heavily on “pay and chase”
methods, which entailed paying claims and then chasing after providers to recover inappropriate
payments. Long-term financial support was intended to assist CMS in developing more
innovative and preventive strategies to combat fraud and abuse, such as reviewing claims prior to
payment as opposed to after payment.
During years 1997 through 2005, total funding for program integrity and health care fraud and
abuse activities almost doubled, increasing from approximately $0.6 billion in FY1997 to $1.1
billion by FY2005. The Deficit Reduction Act (DRA) of 2005 raised funding for the MIP
program by $112 million for FY2006 to implement program integrity and oversight activities for
the Medicare prescription drug benefit. This increased the annual MIP allocation from $720
million in FY2005 to $832 million for FY2006 only. Twelve million of this additional
appropriation in FY2006 was earmarked for the Medi-Medi data matching program. The DRA 31
provided increasing amounts for the Medi-Medi program through year 2010. Table 1 shows the
allocation of HCFAC and MIP appropriation amounts for selected years between 1997 and 2007.
recovered under titles XI, XVIII, and XIX, of the SSA and Chapter 38 of Title 31 of the U.S.C.; (4) amounts resulting
from the forfeiture of property by reason of a federal health care offense; and (5) penalties and damages obtained under
the False Claims Act, 31 U.S.C. §§ 3729-3933.
30 The one exception to this is the Deficit Reduction Act’s increase for the MIP program, from $720 million to $832
million, for year 2006 only.
31 The DRA appropriated $12M for the Medi-Medi program in FY2006, $24M in FY2007, $36M in FY2008, $48M in
FY2009, and $60M in FY2010 and each year thereafter.
Table 1. HCFAC and MIP Appropriations for Selected Fiscal Years
(dollars in thousands)
1997 2001 2003 2005 2006a 2007 (CR Level)b
HHS $11,800 $8,428 $31,143 $31,143 $31,143 $32,296
DOJ $22,200 $43,469 $49,415 $49,415 $49,415 $51,243
OIG $70,000 $130,000 $160,000 $160,000 $160,000 $165,920
FBI $47,000 $88,000 $114,000 $114,000 $114,000 $118,218
TOTAL $151,000 $269,897 $354,558 $354,558 $354,558 $367,677
MIP $440,000 $680,000 $720,000 $720,000 $820,000 $720,000
Medi-Medi $12,000 $24,000
TOTAL $591,000 $949,897 $1,074,558 $1,074,558 $1,186,558 $1,111,677
Source: Data extracted from 1997, 2001, 2003, and 2005 HCFAC Annual Reports and CMS Justification of
Estimates for Appropriations Committees FY2008.
a. HIPAA capped appropriations for HCFAC and MIP at the FY2003 level. Congress, with the passage of the
DRA in 2005, increased the amount for MIP for FY2006 only.
b. The 2007 CR Level includes the percentage increase in the consumer price index as mandated by the Tax
Relief and Health Care Act (TRHCA) of 1996 for HCFAC.
In addition to HCFAC and MIP mandatory funds, each year Congress appropriates funds to
support CMS contractor operations as part of its annual program management request (not shown 32
in Table). A portion of these funds are directed to the claims administration contractors to
conduct program integrity functions. According to the final rule on the MIP program published on
August 24, 2007, approximately one-third of the total contractor budget was dedicated to program
integrity activities in FY2004. The funding level for contractor activities that same year was $1.7
billion. In FY2007, funding for contractor operations had increased to $2.1 billion, an increase of 33
approximately $420 million from FY2004.
In December 2006, Congress passed the Tax Relief and Health Care Act of 2006 (P.L. 109-432),
which extended the mandatory annual appropriation for HCFAC to 2010. For fiscal years 2007
through 2010, the mandatory annual appropriation would be the limit for the preceding year plus
the percentage increase in the consumer price index for urban consumers. For each fiscal year
32 Funding for program integrity activities conducted by Medicare QIOs comes from a separate QIO budget. QIOs are
funded via a three-year mandatory apportionment from the Medicare Trust Funds rather than an annual discretionary
appropriation. The three-year budget for the QIO program, which runs from August 2005-August 2008, is
approximately $1.25 billion.
33 CRS analysis of CMS financial data for years 2004 and 2007: http://www.cms.hhs.gov/CapMarketUpdates/
beyond 2010, the mandatory annual appropriation would be capped at the FY2010 level. Funding
for MIP, however, was not addressed with this legislation and will remain capped at the FY2003
level of $720 million plus the additional DRA appropriation for the Medicare-Medicaid data
For FY2008, the President’s budget included a request of $183 million in discretionary funds to
augment the $1.1 billion in mandatory funding for the health care fraud and abuse control
program. The HCFAC account has not been funded using discretionary funds in prior years. Of
this $183 million, $138 million would have been allocated to MIP for oversight activities related
to the prescription drug program. The House and Senate proposed $383 million in discretionary
funds for the these activities. The amended version of the Consolidated Appropriations Act of
2008 (H.R. 2764), signed by the President on December 26, 2007, did not include funding for the
health care fraud and abuse control program.
There are a limited number of performance statistics and reports available to help policy makers
evaluate the success of Medicare’s program integrity efforts. Studies to date have generally
examined the performance of the HCFAC and MIP programs separately. When the HIPAA
legislation was passed in 1996, Congress mandated that DOJ and HHS report annually the results
and accomplishments of its HCFAC efforts to the public. The legislation also required that the
Government Accountability Office (GAO) biennially assess the appropriateness and adequacy of
HCFAC expenditures for fraud control efforts. However, Congress did not require that HHS,
DOJ, or GAO evaluate the MIP program as part of these assessments. As a result, there is less
empirical data available on MIP performance than on the results of the HCFAC program. To date,
the most comprehensive evaluation on MIP program integrity efforts was a study released by
GAO in September of 2006, which identified weaknesses in the methods CMS uses to allocate
funds across five MIP program integrity activities (cost report auditing, medical review, benefit
integrity, medicare secondary payer, and provider education). This section summarizes findings
from reviews and studies conducted on the HCFAC and MIP programs during the past decade.
When assessing the performance of the MIP program, CMS relies on statistics measuring the
percentage of improper payments the Medicare program makes to providers each year. CMS
produces midyear and annual improper payment reports, which can be accessed publicly on the 34
agency website. To measure improper payments in fee-for-service Medicare, CMS calculates a
national paid claims error rate, contractor-specific improper payment rates, and provider-specific
improper payment rates. The national paid claims error rate consists of the Comprehensive Error
Rate Testing Program (CERT), which calculates error rates for all Medicare contractors that
process and pay Part A and B claims, and the Hospital Payment Monitoring Program (HPMP),
which calculates an error rate for Medicare’s QIOs, which are responsible for ensuring
34 The Improper Payments Information Act of 2002 requires federal agencies to estimate and report their annual rate of
improper payments. To access CMS annual improper payment rate reports, visit https://www.cms.hhs.gov/apps/
appropriate payments to inpatient hospitals. Improper payment rates have not yet been created for 35
Medicare Parts C and D.
CMS uses the contractor-specific error rates to evaluate the performance of its MIP contractors:
FIs, Carriers, and QIOs. To keep their improper payment rates low, contractors are expected to
continually educate the provider community on Medicare coverage and coding policies. CMS
uses the provider-specific error rates to determine where they should target their provider
Despite its value as a tool for estimating payment accuracy and administrative efficiency in
claims processing, the improper payment rate does not measure fraud and abuse in the Medicare
program. It is mainly a measure of administrative errors. According to CMS’s most recent
improper payment rate report, the main types of payment errors are incorrect coding by providers,
claims for medically unnecessary services, and claims submitted with insufficient or no
documentation. In its November 2007 report, CMS reported a national claims error rate of 3.9%,
which amounted to approximately $10.8 billion in improper payments. This is down from 4.4%
in 2006, 5.2% in 2005, and 10.1% in 2004.
At the time the HIPAA legislation was passed in 1996, the OIG calculated a Medicare improper
payment rate of 14.2%, or approximately $23.2 billion in improper payments. CMS has set a goal
to reduce the error rate to 3.8% by the end of FY2008. Table 2 lists the national paid claims error
rates and the total in gross improper payments for every two years between 1996 and 2008. In
April 2006, the GAO reported that the significant reduction in Medicare’s national paid claims
error rate between years 2004 and 2005 was largely due to CMS’s efforts to educate providers
about the importance of submitting requested documentation to justify payments. When providers
do not respond to requests for additional documentation, CMS automatically counts the payments
as erroneous. According to GAO, despite the success and importance of these educational efforts,
they do not reflect an improvement in payment safeguards or internal controls implemented by 36
Table 2. Medicare National Paid Claim Error Rates and Gross Improper Payments
for Every Two Years Between 1996 and 2008
(dollars in billions)
Year National Paid Claims Error Rate (as a % of FFS expenditures) Gross Improper Paymentsa
1996 14.2% $23.2
1998 8.4% $14.9
2000 9.4% $16.4
2002 8.0% $17.1
2004b 10.1% $21.7
35 According to testimony prepared by Tim Hill of the Office of Financial Management at CMS, CMS is in the process
of developing payment error rates for Part C and Part D. Medicare Part C currently represents approximately 15% of
Medicare’s total outlays. Excerpt taken from hearing on Medicare Program Integrity for the Health and Oversight
Subcommittee, House Ways and Means Committee, March 8, 2007, at http://waysandmeans.house.gov/
36 See GAO-06-581T: Challenges Continue in Meeting Requirements of the Improper Payments Information Act, April
2006, at http://www.gao.gov/new.items/d06581t.pdf.
Year National Paid Claims Error Rate (as a % of FFS expenditures) Gross Improper Paymentsa
2006 4.4% $10.8
2008 3.8% (est.) —
Source: CMS and OIG Improper Payment Rate Reports for years 1996-2007.
a. CMS arrives at a gross improper payment amount by adding underpayments to overpayments.
b. From 1996-2002, the OIG calculated an error rate based on approximately 6,000 claims. Beginning in 2003,
CMS took over the calculation of the error rate from OIG and expanded the sample of claims reviewed
from 6,000 to approximately 128,000.
HIPAA requires that every year DHHS and the DOJ release a joint annual report to Congress on
HCFAC results and accomplishments. Typically, these reports are released late summer or early
fall and contain the amounts deposited into the HI Trust Fund for health care fraud enforcement
and the justifications for these expenditures. Numbers and examples of enforcement actions,
program accomplishments, and total recoveries in health care fraud cases are also described.
The most recent annual HCFAC report indicates that the federal government won or negotiated
approximately $1.5 billion in judgements and settlements related to health care fraud in FY2005 37
and returned $1.6 billion to the HI Trust Fund as a result of these efforts. This is compared with
$.6 billion in judgements and settlements and $1.5 billion returned to the trust fund in FY2004.
Although the dollar value in fraud recoveries fluctuates from year to year, the amount of money
transferred to the HI Trust Fund as a result of health care fraud enforcement efforts has been
steadily increasing since 1998. Furthermore, the number of new civil and criminal investigations
has accelerated, particularly in recent years. There is debate as to whether the increase in
enforcement actions is actually the result of more fraud and abuse in Medicare. Some experts
contend that the increase is the result of having more resources to fight and detect health care
fraud, as opposed to an actual increase in the amount of fraud. Others indicate that the definition
of what constitutes health care fraud has expanded over the years, making it appear as though 38
fraud has escalated when the actual level has remained relatively steady.
Table 3 provides a summary of HCFAC fraud recoveries, transfers to the HI Trust Fund, and
enforcement actions for years 1998 through 2005. Table 3 also highlights payment amounts
awarded to relators or whistleblowers. Relators are private persons with direct knowledge of
health care fraud who file complaints on behalf of the federal government under the False Claims
Act. Relators are entitled to a share of the recoveries in successful cases. As the table
demonstrates, these individuals are a significant referral source for health care fraud. In 1998, the
federal government paid relators $4.3 million in settlements. By 2002, this amount had increased
to $101.2 million. In 2005, relators payments had risen to $136.8 million.
37 Health Care Fraud and Abuse Control (HCFAC) Annual Report for FY2005, at http://oig.hhs.gov/publications/docs/
hcfac/hcfacreport2005.pdf. The difference between the amount collected in fraud recoveries and the amount transferred
to the HI Trust Fund in any given year can be attributed to the fact that fraud litigation is a lengthy process that can
sometimes take several years. As a result, some of the judgements, settlements, and administrative actions that occurred
in one year may not result in monies being transferred to the trust fund until one or more years later.
38 Health Care Fraud and Abuse: Practical Perspectives, Chapter 4, 2004.
Table 3. HCFAC Summary of Results and Accomplishments for Years 1998-2005
1998 1999 2000 2001 2002 2003 2004 2005
Fraud Recoveriesa $0.5B $0.5B $1.2B $1.7B $1.8B $1.8B $0.6B $1.5B
Transfers to the Trust
Fund $0.3B $0.4B $0.6B $1.0B $1.4B $0.7B $1.5B $1.6B
New Criminal Health Care
Fraud Investigations 322 371 457 445 361 870 1,002 935
New Civil Health Care
Fraud Investigations 107 91 233 188 221 231 868 778
FBI Health Care Fraud
Investigations 2,700 3,027 2,980 2,870 2,418 2,262 2,468 2,547
Program Exclusions 3,021 2,976 3,350 3,746 3,448 3,275 3,293 3,804
Relators Payments $4.3M $44.4M $90.0M $83.3M $101.2M $269.6M $82.9M $136.8M
Source: HCFAC Reports from FY1998-2005.
a. The amount the federal government won or negotiated in judgements, settlements, and administrative
impositions in health care fraud cases.
Congress did not require that HHS and DOJ include expenditures or results for the MIP program
in these reports. Therefore, these reports are only an indication of HCFAC’s successes and
challenges in the area of health care fraud enforcement and prosecution and not fraud prevention,
which is a key objective of the MIP program. In addition, these reports do not separate out
funding and expenditures for specific enforcement actions related to Medicare, Medicaid, or other 39
health care programs.
HIPAA also required that GAO submit a report to Congress every two years on HCFAC
appropriations and deposits. Starting in June 1998, GAO released four reports using data from the
HCFAC annual reports for years 1997 through 2003. The most recent and final report, released in
April 2005, reviewed HCFAC activities for years 2002 and 2003. Similar to the HCFAC annual
reports, these studies do not include MIP in their analysis. In all four reports, GAO noted that
while HCFAC deposit amounts reported to the HI Trust Fund were consistent with the HIPAA
legislation, HHS included a measure of cost savings resulting from health care fraud enforcement 40
efforts that could not entirely be attributed to the HCFAC program. In addition, because fraud
investigation and litigation take several years, savings may not be realized until future years. The
Office of Management and Budget (OMB) echoed a similar finding in its Program Assessment
39 The HIPAA legislation does not require that HHS or DOJ separately track Medicare and non-Medicare expenditures.
DOJ officials commented in a 2002 GAO Report on the HCFAC program that it is not practical to separate non-
Medicare and Medicare expenditures because of the nature of health care fraud (GAO-02-731: Medicare, Health Care
Fraud and Abuse Control Program for Fiscal Years 2000 and 2001, June 2002). Health care fraud cases typically cross
several health care programs, making it difficult to attribute expenses and recoveries to separate programs.
40 The OIG defines cost savings as funds put to better use as a result of implemented legislative or other program
Rating Tool (PART) evaluation of the HCFAC program in 2004 (see description below). Despite
this weakness, GAO consistently found HHS’s and DOJ’s accounting of HCFAC deposits and
expenditures to be fiscally appropriate and accurate.
In 2002, OMB evaluated the HCFAC and MIP programs separately using the PART, a 25-
question survey addressing federal agency management and performance. The agency noted
conflicting assessments for both programs. HCFAC received a “results not demonstrated” rating
and criticized the OIG for not having sufficient performance measures to assess the program’s
progress in reducing fraud, waste, and abuse. Specifically, OMB noted that savings is not a good
indicator of performance because it is too difficult to ascertain how much of the reported savings
is the direct result of HCFAC activities conducted during the previous year. In the 2005 HCFAC
annual report, the OIG estimates that health care fraud activities in 2005 (investigations, audits,
and evaluations) resulted in savings of approximately $30.0 billion, of which $22.9 billion could
be accrued to the Medicare program.
At the same time OMB gave HCFAC a “results not demonstrated” rating, the agency gave MIP
an “effective” rating—the highest rating a program can receive. OMB attributes this largely to the
OIG’s and CMS’s measurement and reduction of the annual Medicare improper payment rate.
CMS often cites the improper payment rate as a measure of its performance in protecting
Medicare from fraud, waste, and abuse. In the PART report, OMB notes that at the time MIP was
created in 1996, OIG estimated the improper payment rate at 14.2%. By 2006, the rate had
dropped to 4.4%.
Subsequent GAO reports released over the last few years have raised questions about how
HCFAC and MIP funding are being used. An April 2005 report on HCFAC funding for the FBI
found that the agency could not adequately demonstrate that its share of HCFAC expenditures for
FY2000-FY2003 were used for health care investigations. The study showed that funds
previously devoted to fighting health care fraud at the FBI had been shifted to counterterrorism 42
In a report released in September 2006, the GAO identified weaknesses in CMS’s approach for
allocating MIP funds across the various program integrity activities (cost report auditing, medical 43
review, benefit integrity, Medicare secondary payer, and provider education). GAO noted that
CMS bases its MIP allocation decisions on historical funding levels, as opposed to examining the
relative effectiveness of one activity to another in ensuring Medicare program integrity. For
example, despite receiving the largest share of MIP funds in FY2005, CMS has not yet developed
a reliable quantitative measure to assess the impact of cost report audits of Part A providers on
41 See Office of Management and Budget Program Assessment Rating Tool website at http://www.whitehouse.gov/
omb/part/ for PART assessments of the Medicare Integrity Program and the Health Care Fraud and Abuse Control
42 GAO-05-388, Federal Bureau of Investigation: Accountability over the HIPAA Funding of Health Care
Investigations is Inadequate, April 2005, at http://www.gao.gov/new.items/d05388.pdf.
43 GAO-06-813, Medicare Integrity Program, Agency Approach for Allocating Funds Should be Revised, September
2006, at http://www.gao.gov/new.items/d06813.pdf.
preventing fraud, waste, and abuse. GAO recommended that CMS develop additional methods
for allocating MIP funds that take into account the effectiveness of MIP activities, as well as
contractor performance, particularly in light of new vulnerabilities related to the prescription drug
Between April 2006 and March 2007, Medicare paid $9.9 billion to DME suppliers. Of this 44
amount, improper payments were estimated at $1.0 billion, or approximately 10.2%. Although
many improper payments are the result of honest billing mistakes by providers, others result from
fraud and abuse. DME fraud tends to be higher in South Florida and Los Angeles, where both the
number of Medicare beneficiaries and the number of DME suppliers are high. According to CMS,
the primary types of DME fraud committed in these areas include billing for services not 45
rendered and billing for services that are not medically necessary for the beneficiary.
Before a DME supplier can bill Medicare, it must meet certain standards. CMS contracts with the
National Supplier Clearinghouse (NSC) to enroll and screen potential suppliers before they can
participate in the program. Once a supplier is found to be compliant with these standards, it can 46
receive a Medicare supplier number and bill Medicare for services rendered. The NSC is
required to conduct site visits to DME physical locations upon initial enrollment and three years
later to ensure ongoing compliance.
In March 2007, the OIG released two reports indicating that compliance with DME enrollment
standards was lacking. One investigation found that 45% of Medicare participating DME
companies in South Florida failed to comply with at least one of five Medicare enrollment 47
standards in CY05. The second investigation, which involved site-visits to 169 DME suppliers
in 10 states (excluding Florida), found 10 suppliers without an actual physical facility at their
address. These 10 suppliers subsequently billed Medicare almost $393,000 in the two months 48
following the OIG’s visit.
Criticism surrounding the adequacy and enforcement of enrollment standards for DME suppliers
is not new. In 2001, the OIG recommended that CMS conduct random, unannounced site visits to
DME suppliers to help reduce the potential for fraudulent billing. A few years later, a 2005 GAO
report declared the standards inadequate and reported that many DME suppliers were able to
resume participation in Medicare after being suspended for enrollment violations. The GAO
44 “Improper Medicare FFS Payments Report,” Centers for Medicare and Medicaid Services, November 2007.
45 HHS Press Release, “Medicare Provider Enrollment Demonstration Involving Suppliers of Durable Medical
Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) in High-Risk Areas,” July 2, 2007.
46 See 42 CFR 424.57(c) for a description of the 21 standards. Some of the standards include being complaint with
federal and state licensure requirements, maintaining a physical facility, maintaining a primary business telephone, and
being accessible (open and staffed) during business hours.
47 See OEI-03-07-00150: South Florida Suppliers’ Compliance with Medicare Standards: Results from Unannounced
Visits, March 2007, at http://oig.hhs.gov/oei/reports/oei-03-07-00150.pdf.
48 See OEI-04-05-00380: Medical Equipment Suppliers: Compliance with Medicare Enrollment Requirements, March
2007, at http://oig.hhs.gov/oei/reports/oei-04-05-00380.pdf.
echoed the OIG’s 2001 recommendation to conduct random site visits to DME supplier locations 49
outside of the initial enrollment and re-enrollment periods.
On July 2, 2007, CMS announced a demonstration project requiring all DME suppliers in Los
Angeles and Miami to reapply to participate in the Medicare program. As part of the demo,
approximately 7,500 DME suppliers will be contacted by mail and requested to complete another
Medicare enrollment application. Those that fail to submit the new application within 30 days
will automatically lose Medicare billing privileges. The agency also plans to conduct random,
unannounced site visits to supplier locations in these areas.
In addition to meeting enrollment standards, CMS will also be requiring DME suppliers to meet 50
new quality standards and become accredited by a CMS-approved Accreditation Organization.
For FY2008 and beyond, the NSC will be prohibited from issuing a Medicare billing number to
any supplier that is not accredited under the new rule.
Due to a growing concern that Medicare needed extra protection against improper payments,
Congress in Section 306 of the Medicare Modernization Act of 2003 (P.L. 108-173) authorized
the Secretary to contract with Recovery Audit Contractors (RACs) to identify over- and
underpayments in Medicare Parts A and B. The program started in March 2005 as a
demonstration project in three states (California, Florida, and New York). The Tax Relief and
Healthcare Act of 2006 (P.L. 109-432) made the RAC initiative permanent and mandated the
expansion of RAC contractors to all 50 states by 2010.
In November 2006, CMS released a status document on RAC performance for FY2006 which
found that the contractors had identified $303.5 million in improper payments in the three
demonstration states. Of this $303.5 million, $68.6 million had been collected in overpayments
from providers and $2.9 million had been identified as underpayments. The remaining $232.0
million is currently in the collection process. The majority of the overpayments were to inpatient 51
hospitals and skilled nursing facilities.
The RAC program is controversial because of how RAC contractors are paid. RACs are paid on a
contingency basis, which means that each RAC receives a percentage of what they collect in
overpayments from providers. In contrast, other CMS program integrity contractors are paid a
fixed annual amount based on their costs. This alternative payment mechanism for RACs has
certain provider groups concerned. For instance, providers claim that paying contractors on a
contingency basis creates incentives to aggressively audit and deny claims to receive higher 52
payments from CMS. Providers that wish to dispute a denied claim must file an appeal and are
49 See GAO-05-656: More Effective Screening and Stronger Enrollment Standards Needed for Medical Equipment
Suppliers, September 2005, at http://www.gao.gov/new.items/d05656.pdf.
50 Section 302(a)(1) of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (PL ) requires
Medicare to develop and implement quality standards for DME suppliers.
51 CMS RAC Status Document FY2006, November 2006, at http://www.cms.hhs.gov/RAC/Downloads/
52 In May 2007, 36 California House Members wrote to CMS reporting that Inpatient Rehabilitation Facilities (IRFs)
were experiencing high claim denial rates from the CA RAC: http://www.house.gov/list/speech/ca23_capps/morenews/
obligated to pay the claim until a determination on the appeal is made. If the provider wins an
appeal at the first level, any associated contingency payments paid to the RAC must be returned
to CMS. However, if the provider wins an appeal at the second or higher level, the RAC retains
the contingency payment. In FY2006, providers in the three RAC demonstration states filed 2,596 53
appeals challenging RAC overpayment determinations.
In response to these concerns, CMS ceased RAC activity of Inpatient Rehabilitation Facilities
(IRFs) in California and made some changes to the permanent RAC program set to begin at the 54
end of March 2008. Under the permanent program, if a RAC determination is overturned at any
level of appeal, the RACs will be required to refund all contingency fees to CMS. In addition, the
agency has placed nationwide limits on the number of medical records a RAC can request from a
provider and is requiring that all RACs hire a medical director to oversee the review process.
By 2010, CMS plans to have four RACs in place. Each RAC will be responsible for identifying
overpayment and underpayments in approximately one-fourth of the country. In 2007, the RAC
demonstration was expanded to three additional states: South Carolina, Massachusetts, and 55
In addition to creating the HCFAC and MIP programs, the 1996 HIPAA legislation gave CMS the
authority to contract with specialized private organizations to conduct certain program integrity
activities. Program Safeguard Contractors (PSCs), which are responsible for reducing fraud and
abuse in the Medicare program, are one of these types of organizations. Among the tasks that
PSCs undertake are conducting fraud investigations, referring suspected cases to law
enforcement, and performing data analysis to identify trends and billing patterns that might
indicate fraudulent billing (otherwise referred to as benefit integrity work). CMS assesses the
performance of PSCs on an annual basis by examining monthly statistics related to contractor 56
Since CMS awarded the first 12 contracts to PSCs in 1999, questions have been raised related to
their effectiveness and CMS’s oversight of PSC performance. Prior to creating PSCs, fraud and
abuse detection work was the responsibility of the Part A and B claims administration
contractors—FIs and carriers. Transferring these responsibilities to specialized entities was seen
as a strategy to improve Medicare’s program integrity capabilities. In 2001, two years after the
PSCs became operational, the GAO reported that CMS lacked clear and quantifiable measures to
53 CMS RAC Status Document FY2006, November 2006, at http://www.cms.hhs.gov/RAC/Downloads/
54 After conducting an independent review of a sample of IRF claims previously reviewed by the California RAC, CMS
found that Medicare contractors were not applying coverage and payment policies consistently for IRF services. In
response, CMS ceased RAC review of IRF claims in California. RAC reviews of these facilities will resume at the start
of the permanent RAC program in March 2008. Letter from CMS Administrator Kerry N. Weems to Representative
Lois Capps. December 7, 2007. Available at http://www.aha.org/aha/letter/2007/071207-let-cms-capps.pdf.
55 CMS Website, Physician Regulatory Issues Team (PRIT), Active PRIT Issues, accessed on August 10, 2007, at
56 At present, CMS has 18 PSC task orders; 15 are for deterring fraud in Medicare Parts A and B, and 3 are for
deterring fraud in DME. Specifically, CMS assesses the timeliness of PSC performance, the degree to which quality
cases are developed for referral to the OIG, and the PSCs responsiveness to law enforcement agencies.
adequately assess PSC performance and recommended the agency develop specific criteria to 57
better evaluate the contractors’ effectiveness at detecting and preventing fraud and abuse.
On July 20, 2007, the OIG released a report on the performance of PSCs. The OIG found
significant variation in the number of new investigations and case referrals initiated by the 58
contractors. Neither the size of the PSC’s budget nor its oversight responsibility were correlated
with the number of new investigations or referrals to law enforcement. Also, PSCs are expected
to engage in pro-active data analysis to identify suspected patterns of fraud. However, only a
small percentage of new investigations resulted from this type of data-analysis.
An earlier OIG analysis of PSC evaluation reports from years 1999 through 2004 indicated that
the type of information collected by CMS in these reports was lacking. Many of the evaluation
reports contained limited quantitative and qualitative data related to PSCs activities and
achievements, and the majority of the reports were incomplete. According to CMS, quantifying
PSC results could create perverse incentives for the PSCs by rewarding them for the volume of 59
cases they refer to law enforcement.
In FY2007, CMS awarded $119M to support 18 PSC task orders.
On January 1, 2006, Medicare began covering prescription drugs as part of the new Part D
benefit. Coverage is provided through private plans offered by MA-PDs or stand-alone PDPs. For
FY2008, outlays for Part D benefits are expected to total $52.2 billion. According to CBO, this 60
amount is expected to triple to $141 billion by FY2017. CMS, the OIG, and the GAO have
stated that the new benefit is at risk for significant fraud and abuse. Potential areas of
vulnerability related to the Part D benefit are extensive and include eligibility and enrollment; the
bidding process; beneficiary, plan, and retail pharmacy fraud; incentives to reduce cost sharing;
formulary development; and many others.
To protect the integrity of Part D funds, CMS announced in October 2005 a plan to award
contracts to eight Medicare Drug Integrity Contractors (MEDICs). MEDICs responsibilities to
protect the Trust Fund from abuses may include reviewing bids from prescription drug plans for
participation in the program, performing audits of Part C MA-PD and Part D PDP plans,
investigating fraud complaints from beneficiaries, conducting data analysis to identify potentially
fraudulent billing patterns, and providing support to law enforcement agencies with fraud
57 See GAO-01-616: Medicare, Opportunities and Challenges in Contracting for Program Safeguards, May 2001, at
58 In 2005, PSCs produced between 5 and 479 new Part A investigations and 18 and 3,707 new Part B investigations.
Excerpt taken from OIG Report: Medicare’s Program Safeguard Contractors: Activities to Detect and Deter Fraud and
Abuse, July 2007, at http://oig.hhs.gov/oei/reports/oei-03-06-00010.pdf.
59 See OEI-03-04-00050: Medicare Program Safeguard Contractors: Performance Evaluation Reports, March 2006, at
60 Congressional Budget Office (CBO), Medicare 2007 Fact Sheet, at http://www.cbo.gov/ftpdocs/78xx/doc7861/
Concerns have been raised related to CMS oversight of the MEDICs and the Part D benefit in
general. In April 2006, the Senate Finance Committee wrote a letter to CMS inquiring why CMS
had issued only one task order to a MEDIC organization after identifying numerous Part D fraud
vulnerabilities. In FY2006, the DRA provided $100 million in funds to address fraud associated
with the prescription drug program, a portion of which was to be allocated to the MEDICs. CMS
then awarded an additional four MEDIC contracts later that year. In addition, an OIG report
released in October 2007 found that by the end of FY2006, CMS had not yet commenced
financial audits of Part D plans and data analysis of billing trends to identify potential fraud—two
other key responsibilities of the MEDICs. Instead, CMS relied largely on beneficiary complaints
to detect abusive practices in FY2006. CMS expects to begin financial audits of Part D plans in 61
In a September 2006 report, GAO noted that CMS does not have an adequate method for
allocating program integrity funding to areas with the greatest risk, including risk associated with 62
the Part D benefit. In light of an October 2007 announcement by CMS that the agency plans to
recover $4 billion in payments made to plans in 2006, this is worth noting. As part of the bidding
process, Part D plans must prospectively estimate how much it is going to cost to provide
prescription drug coverage to an average Medicare beneficiary. At the end of the year, CMS
compares actual costs with predicted costs as part of a payment reconciliation process. Because of
lower-than-expected drug costs for 2006, the predicted costs were $4 billion more than plans’
actual costs. Plans are required to return these extra payments to CMS. As Part D plans gain more
experience with the program, CMS predicts the difference between plans’ expected and actual
costs to decrease in future years.
As the Medicare program continues to grow in size and complexity, developing innovative
strategies to ensure the integrity of program will become increasingly important. Program
integrity activities encompass a broad set of strategies and processes designed to meet numerous
objectives, including preventing improper payments, identifying and detecting fraud,
investigating individuals suspected of committing Medicare fraud, and prosecuting offenders. To
carry out the six main types of program integrity activities for the Medicare Integrity Program
(MIP), the Center for Medicare and Medicaid Services (CMS) contracts with a diverse mix of
private organizations tasked with a variety of different oversight responsibilities. The
effectiveness of these efforts depends on close collaboration and coordination between these
organizations and federal enforcement agencies.
The implementation of the Health Care Fraud and Abuse (HCFAC) and MIP programs in 1996
provided CMS and Medicare enforcement agencies with a dedicated funding source to fight fraud
and abuse in health care programs. From 1997 through 2005, resources available to fight fraud
increased from $0.6 billion to $1.1 billion, and the number of new civil and criminal fraud
enforcement actions more than doubled. Furthermore, the amount of money transferred to the
Hospital Insurance (HI) Trust Fund as a result of health care fraud enforcement activities has been
61 See OEI-06-06-00280: CMS’s Implementation of Safeguards During Fiscal Year 2006 to Prevent and Detect Fraud
and Abuse in Medicare Prescription Drug Plans, October 2007, at http://oig.hhs.gov/oei/reports/oei-06-06-00280.pdf.
62 See GAO-06-813: Medicare Integrity Program, Agency Approach for Allocating Funds Should be Revised,
September 2006, at http://www.gao.gov/new.items/d06813.pdf.
steadily increasing. These statistics, however, do not apply to MIP activities, which receive the
largest share of HCFAC funding. Recent Government Accountability Office (GAO) reports have
raised questions about how MIP funding is being used and have recommended CMS develop
more quantitative measures to assess the impact of MIP program integrity activities in the future.
Outcomes and results from program integrity activities are difficult to assess for a number of
reasons. While perpetrators of fraud and abuse cost the Medicare program large amounts of
money annually, there are no reliable estimates on the size of the problem. The National Health
Care Anti-Fraud Association estimates that health care fraud accounts for at least 3% of total 63
health care expenditures annually, but measuring the amount of true fraud is difficult. This
makes it challenging for policy makers to determine the extent of resources needed to effectively
combat the problem.
The implementation of the prescription drug benefit presents a new challenge for CMS and its
partners. In addition to increasing expenditures, contracting with private prescription drug plans
to deliver services to beneficiaries adds a new layer of complexity in administration. Since the
start of the prescription drug benefit on January 1, 2006, policy makers have expressed concerns
related to CMS oversight of the Part D MEDICs, which are responsible for ensuring Medicare
integrity in the Part D benefit. As payments to Part D plans continue to rise over the next several
years, it will be important to monitor the program integrity activities undertaken to safeguard
payments to Part D plans and providers.
Protecting the Medicare program from improper payment, fraud, and abuse is a complex and
challenging undertaking. With fraud perpetrators continually devising more sophisticated
schemes to defraud the system, administrators need to invest in a broad mix of preventive and
investigative techniques to uncover fraud and abuse. While the permanent authorization of
HCFAC and MIP funds have enhanced Medicare’s program integrity efforts, improvements in
oversight are needed to continue to ensure Medicare beneficiaries access to high quality and
Analyst in Health Care Financing
63 See “The Problem of Health Care Fraud,” the National Health Care Anti-Fraud Association, at
h t t p :/ / www. n h caa. o r g/ eweb /
DynamicPage.aspx?webcode=anti_fraud_resource_centr&wpscode=TheProblemOfHCFraud, accessed on October 23,