Purpose

To determine the implementation status of the 11 recommendations made in our initial audit report, Medicaid Managed Care Organization Fraud and Abuse Detection (Report 2014-S-51).

Background

Medicaid managed care organizations (MCOs) are responsible for ensuring they do not make payments to ineligible health care providers who have been excluded or terminated from the Medicaid program. In addition, MCOs are required to have effective compliance programs, including full-time Special Investigation Units (SIUs) dedicated solely to the prevention, detection, and investigation of fraud and abuse. State oversight of MCOs must ensure that only eligible health care providers participate in Medicaid.

We issued our initial audit report on July 15, 2016. The audit objective was to determine if United HealthCare (UHC) and Amerigroup made payments to ineligible health care providers and whether these MCOs established and implemented adequate SIUs to detect, prevent, and follow up on instances of fraud and abuse. Our audit covered the period January 1, 2011 through December 31, 2014.

We determined that UHC and Amerigroup made improper and questionable payments totaling more than $6.6 million to providers who were excluded from the Medicaid program. Furthermore, recoveries of improper payments by UHC's and Amerigroup's SIUs were very limited. We also found that New York’s Medicaid program had no specific requirements or criteria for SIU staffing levels, and there was a considerable risk that UHC and Amerigroup did not adequately staff their SIUs. With minimal staffing, the MCOs had limited ability to identify and recover fraudulent and improper payments, which increased the risk that Medicaid paid for improper claims. Lastly, we found the SIU staff at both MCOs received inadequate annual training.  

We made 11 recommendations to the Department of Health (Department) to: ensure the improper MCO payments made to ineligible providers were recovered; strengthen steps to oversee and monitor MCOs to ensure that only eligible providers are reimbursed; and take steps to establish appropriate criteria for SIU staffing levels, adequate training requirements for the SIU staff, and a process for ensuring consistency and accuracy in reporting SIU activities and recoveries.

Key Finding

Department officials have made some progress in correcting the problems we identified in the initial audit report. However, significant actions are still needed. With the Department’s implementation of the 21st Century Cures Act, all MCO network providers are now required to enroll as Medicaid providers and obtain a Medicaid ID. MCOs can access this enrollment information to help ensure only eligible (non-excluded) providers are included in their networks. However, a significant amount of the MCO payments to ineligible providers that we identified in the initial audit have not been recovered, and the Department has not developed a process to verify that all recoveries are reported to the Department to ensure that managed care premium payments are properly calculated. Of the initial report’s 11 audit recommendations, 2 were implemented, 4 were partially implemented, and 5 were not implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up report to provide information on any actions that are planned to address the unresolved issues discussed in this report.

Other Related Audit/Report of Interest

Department of Health: Medicaid Managed Care Organization Fraud and Abuse Detection (2014-S-51)