GAO: CMS Must Improve Medicare, Medicaid Anti-Fraud Efforts

The Department of Health and Human Services has taken important steps to fight Medicare and Medicaid fraud, but it can further strengthen its efforts in several ways, according to a new government watchdog agency report.
See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’
全球安全专家依然供不应求,每年都有这类新闻,都是同样的结果,靠专家认证和培训赚钱的,当然会称专家供不应求,不过,年年这样搞,没什么创新,让人疲劳。
The Government Accountability Office estimates that in fiscal 2016, improper Medicare and Medicaid payments totaled about $95 billion.
The GAO review of HHS’ Centers for Medicare and Medicaid Services’ anti-fraud efforts notes that CMS needs to more fully align those efforts with GAO’s Framework for Managing Fraud Risks in Federal Programs. That framework outlines best practices for four phases: commit; assess; design and implement; and evaluate and adapt.
Sizing Up CMS’ Efforts
“CMS has shown commitment to combating fraud in part by establishing a dedicated entity – the Center for Program Integrity – to lead anti-fraud efforts. Furthermore, CMS is offering and requiring anti-fraud training for stakeholder groups, such as providers, beneficiaries, and health insurance plans,” GAO writes.
But, the GAO notes: “CMS does not require fraud-awareness training on a regular basis for employees, a practice that the framework identifies as a way agencies can help create a culture of integrity and compliance.”
Regarding the assess, design and implement components, CMS has taken steps to identify fraud risks, such as by designating specific provider types as high risk and developing associated control activities, the watchdog agency writes.
“However, CMS has not conducted a fraud risk assessment for Medicare or Medicaid, and has not designed and implemented a risk-based anti-fraud strategy. A fraud risk assessment allows managers to fully consider fraud risks to their programs, analyze their likelihood and impact, and prioritize risks.”
Managers can then design and implement a strategy with specific control activities to mitigate these fraud risks, as well as an appropriate evaluation approach consistent with the evaluate and adapt component, GAO writes. “By developing a fraud risk assessment and using that assessment to create an anti-fraud strategy and evaluation approach, CMS could better ensure that it is addressing the full portfolio of risks and strategically targeting the most significant fraud risks facing Medicare and Medicaid.”
Major Fraud Risks
网络安全微视频——密码安全意识
CMS programs provide healthcare coverage for 145 million individuals, with annual outlays of about $1.1 trillion, GAO says. Medicare and Medicaid provides coverage for 129 million individuals, “but the size – in terms of number of beneficiaries and amount of expenditures – as well as complexity of these programs make them inherently susceptible to fraud and improper payments.”
The report notes: “CMS currently manages these risks across its programs as part of a broader approach to identifying and controlling for multiple sources of improper payments and by developing relationships with an extensive network of stakeholders. In Medicare and Medicaid specifically, we note that CMS has taken many important steps toward implementing a strategic approach for managing fraud. However, the agency could benefit by more fully aligning its efforts with the four components of the Fraud Risk Framework.”
Data Analytics
GAO also notes that as part of CMS’s anti-fraud efforts, the agency has implemented data analytics as called for under [the] Small Business Act of 2010, which required it to implement predictive-analytics technologies.

In 2011, CMS implemented a data-analytic system, called the Fraud Prevention System, that screens all Medicare fee-for-service claims to identify healthcare providers with suspect billing patterns for further investigation, GAO writes. Medicare contractors have used the data analytics system to identify and prioritize leads for investigations of potential fraud by high-risk Medicare fee-for-service providers, GAO says.
“Contractors told us that [the Fraud Prevention System] allows them to quickly identify and triage leads. CMS’s guidance requires contractors to prioritize investigations with the greatest program impact or urgency and identify required criteria for prioritizing investigations, such as patient abuse or harm, multistate fraud, and high dollar amount of potential overpayments.”
GAO Recommendations
GAO recommends CMS ramp up its anti-fraud efforts by implementing three key recommendations:
Provide fraud-awareness training relevant to risks facing CMS programs and require new hires to undergo such training and all employees to undergo training on a recurring basis;
Conduct fraud risk assessments for Medicare and Medicaid, including fraud risk profiles and plans for regularly updating the assessments and profiles;
Create, document, implement and communicate an anti-fraud strategy that is aligned with and responsive to regularly assessed fraud risks. This strategy should include an approach for monitoring and evaluation.
GAO notes that HHS agreed to the three recommendations and described how it plans to address the issues spelled out in the report.
For instance, regarding GAO’s recommendation to conduct fraud risk assessments for Medicare and Medicaid, HHS stated that it’s conducting a fraud risk assessment on the Affordable Care Act federally facilitated marketplaces and, when this assessment is completed, will apply the lessons learned in assessing this program to fraud risk assessments of Medicare and Medicaid.
Complex Issues
Fighting healthcare fraud clearly is a complex issue that requires a multifaceted approach.
“Medicaid reimbursements are notoriously low. Crooks use this as motivation to ‘game’ the system,” says Kerry McConnell, partner and principal consultant at tw-Security, who has previously worked in Medicaid claims processing. “Crooks get greedy and then they get flagged, caught. More training to identify fraud can’t hurt, but technical tools are more effective.”
Some security experts say private health insurers also might benefit from implementing some of the anti-fraud practices recommended by the GAO, although not all of those might prove effective.
For instance, fraud awareness training is “very important, but not something an organization can or should rely on,” says Mac McMillan, CEO of security consultancy CynergisTek. “Environmental awareness is not something users are particularly skilled at. And even when they do see something that doesn’t fit the profile, they often fail to report it, because they don’t want to get someone in trouble or be perceived as a busy body. It’s just not reliable.
For private sector healthcare organizations, “conducting risk assessments for fraud is only going to tell you perhaps where you are most at risk, but it’s not going to directly reduce fraud,” McMillan contends. “The new user and entity behavior analytics tools for behavioral analysis are uniquely suited to identify and alert on fraud activities and abnormal behavior by users. Organizations need to implement these advance analytics and alert tools. Compliance- based monitors are not going to help stem this problem.”
Value of Data Analytics Oversold?
But not everyone is sold on the benefits of data analytics and other technology in battling healthcare fraud.
“Anti-fraud technology has been – for at least two decades – some kind of unicorn,” claims privacy attorney Kirk Nahra of law firm Wiley Rein. “We all want to believe in it, and it seems beautiful, but it really hasn’t made too much of a difference. That doesn’t in any way mean that we shouldn’t keep trying to find better ways to use technology in these efforts, but it is just really hard.”
When it comes to healthcare provider organizations that can potentially become unwitting participants or victims of fraud committed by a rogue employee, training, technology and other such efforts only go so far, Nahra says.
“Most healthcare fraud is perpetrated through higher-level decisions, which can range from confusion about the rules, to aggressive billing to true [intentional] fraud,” he says. “It is very hard to draw these lines in some situations, particularly in advance of processing the claims. Patterns are particularly important, which is why ‘after the fact’ technology has been more effective in identifying [billing] fraud than ‘pre-pay’ [claims analysis] technology.”
通过白色恐怖来恫吓员工,员工的工作激情会受到打击,协同合作的氛围、员工及部门之间的信任关系也会受到重创,提升员工的信息安全意识才是正道。

猜您喜欢

信息安全意识教育案例之商业黑客参与搜索引擎专利大战
信息数据管理不善将业务推向风险边缘
网络安全法学习课堂
美国参议院通过国土安全部部长提名
YOGANANDA SHED-REVIEWS
信息安全培训检验