Skip to main content

Medicaid: CMS Should Take Steps to Mitigate Program Risks in Managed Care

GAO-18-291 Published: May 07, 2018. Publicly Released: Jun 06, 2018.
Jump To:

Fast Facts

Medicaid paid $171 billion—about half its total 2017 federal expenditures—to managed care organizations. The Centers for Medicare & Medicaid Services estimated that about 0.3% of that amount were improper payments.

For the entire Medicaid program, CMS estimated about 10% of payments were improper, which led us to question the managed care rate.

We examined state and federal reviews of managed care and the estimating method. We found that the estimation does not fully account for key risks such as overpayments and unallowable costs.

We recommended that CMS take steps to mitigate such risks.

 

Photo showing a person signing a form in front of a medical provider in a white coat

Photo showing a person signing a form in front of a medical provider in a white coat

Skip to Highlights

Highlights

What GAO Found

The Centers for Medicare & Medicaid Services' (CMS) estimate of improper payments for Medicaid managed care has limitations that are not mitigated by the agency's and states' current oversight efforts. One component of the Payment Error Rate Measurement (PERM) measures the accuracy of capitated payments, which are periodic payments that state Medicaid agencies make to managed care organizations (MCO) to provide services to enrollees and to cover other allowable costs, such as administrative expenses. However, the managed care component of the PERM neither includes a medical review of services delivered to enrollees, nor reviews of MCO records or data. Further, GAO's review of the 27 federal and state audits and investigations identified key program risks.

Ten of the 27 federal and state audits and investigations identified about $68 million in overpayments and unallowable MCO costs that were not accounted for by PERM estimates; another of these investigations resulted in a $137.5 million settlement.

These audits and investigations were conducted over more than 5 years and involved a small fraction of the more than 270 MCOs operating nationwide as of September 2017.

To the extent that overpayments and unallowable costs are unidentified and not removed from the cost data used to set capitation rates, they may allow inflated MCO payments and minimize the appearance of program risks in Medicaid managed care.

CMS and states have taken steps to improve oversight of Medicaid managed care through updated regulations, focused reviews of states' managed care programs, and federal program integrity contractors' audits of managed care services.

However, some of these efforts went into effect only recently, and others are unlikely to address the risks in managed care across all states.

Furthermore, these efforts do not ensure the identification and reporting of overpayments to providers and unallowable costs by MCOs.

Federal internal control standards call for agency management to identify and respond to risks. Without addressing key risks, such as the extent of overpayments and unallowable costs, CMS cannot be certain that its estimated improper payment rate for managed care (0.3 percent compared with 12.9 percent in Medicaid fee-for-service) accurately reflects program risks.

Why GAO Did This Study

The improper payment rate is a sentinel measure of program integrity risks for the Medicaid program. CMS and the states oversee Medicaid, whose size, structure, and diversity make it vulnerable to improper payments. CMS estimates the Medicaid improper payment rate annually through its PERM, which includes an estimate for Medicaid managed care, in which states contract with MCOs to provide services to Medicaid enrollees.

GAO was asked to study the PERM methodology for managed care. In this report, GAO examined the extent to which the PERM accounts for program integrity risks in Medicaid managed care, including CMS's and states' oversight. GAO identified program integrity risks reported in 27 federal and state audits and investigations issued between January 2012 and September 2017; reviewed federal regulations and guidance on the PERM and CMS's Focused Program Integrity Reviews; and contacted program integrity officials in the 16 states with a majority of 2016 Medicaid spending for managed care, as well as CMS officials and program integrity experts.

Recommendations

The Administrator of CMS should consider and take steps to mitigate the program risks that are not measured in the PERM, such as overpayments and unallowable costs; such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care. HHS concurred with this recommendation. HHS also provided technical comments, which were incorporated as appropriate.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services
Priority Rec.
The Administrator of CMS should consider and take steps to mitigate the program risks that are not measured in the PERM, such as overpayments and unallowable costs; such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care. (Recommendation 1)
Closed – Implemented
CMS concurred with this recommendation and has taken steps to focus additional audit resources on managed care. As of December 2022, the agency continues to develop an enhanced program integrity strategy, but since our report, CMS published additional guidance for states and audit contractors, and significantly increased its investment of audit resources on managed care. This contributed to a significant increase-over tenfold-in the number of managed care investigations opened by audit contractors from 16 in FYs 2016-2018 to 893 in FY 2019-2021.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Allowable costsCompliance oversightImproper paymentsManaged health careMedicaidMedicaid programOverpaymentsPayment errorsProgram integrityCriminal investigations