Recommendations Tracker

We recommend that the Centers for Medicare & Medicaid revise its regulations to provide sufficient guidance to ensure that providers meet coverage requirements for outpatient cardiac and pulmonary rehabilitation services.

We recommend that the New York State Department of Health refund $9,325,338 to the Federal Government.

We recommend that the New York State Department of Health ensure that improvements made to its processes for determining whether an individual applying for Medicaid has already been assigned a Medicaid ID number are effective by verifying that system queries are adequate to identify all individuals with existing Medicaid ID numbers and local district and Marketplace staff are following guidance on identifying individuals with Medicaid ID numbers and using all available resources to identify and prevent the issuance of more than one Medicaid ID number to the same individual.

We recommend that the Centers for Medicare & Medicaid Services direct the Medicare contractors to develop oversight mechanisms to identify at-risk providers (e.g., by reviewing claims for providers that routinely billed direct LDL tests in addition to lipid panels for the same beneficiary on the same date of service and appended to those claim lines an NCCI associated modifier) and prevent improper payments to these providers, which could have saved up to $20,351,424 for our audit period.

We recommend that Suncoast Hospice refund to the Federal Government the portion of the estimated $47,363,971 for hospice services that did not comply with Medicare requirements and that are within the 4-year claims reopening period.

We recommend that Suncoast Hospice strengthen its policies and procedures to ensure that hospice services comply with Medicare requirements.

We recommend that the Minnesota Department of Human Services develop new procedures or enhance current ones to identify beneficiaries with concurrent eligibility in another State, which could have saved the State agency an estimated $1,100,008 ($665,440 Federal share) in capitation payments for the month of August 2018.

We recommend that SAMHSA mitigate its Governance risk by formally documenting its full organizational structure.

We recommend that Louisiana work with community-based providers on processes to identify and report all critical incidents.

We recommend that Louisiana ensure that beneficiaries and their families are properly educated and understand that all hospital emergency room visits are critical incidents and should be reported.

We recommend that Louisiana correctly track whether direct service providers forward hardcopy critical incident reports to the support coordinator within 24 hours of discovery.

We recommend that Virtua Our Lady of Lourdes Hospital refund to the Medicare contractor the portion of the $4,765,305 in estimated overpayments for the audit period for claims that it incorrectly billed that are within the 4-year reopening period.

We recommend that Virtua Our Lady of Lourdes Hospital strengthen controls to ensure that all IRF beneficiaries meet Medicare criteria for acute inpatient rehabilitation and all required documentation is included in the medical records; all inpatient beneficiaries meet Medicare requirements for inpatient hospital services; procedure, diagnosis, and HCPCS codes are supported in the medical records and staff are properly trained; and the use of bypass modifiers is supported in the medical records.

CMS should take additional steps to validate the information reported in MDS assessments.

We recommend that Visiting Nurse Association of Maryland based on the results of this audit, exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any returned overpayments as having been made in accordance with this recommendation.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to require that OT justification memos be signed, dated, and written or developed with involvement from appropriate parties, including OT Agreements Officers.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to require that justifications for the continued use of OT authority be documented throughout the life of OT agreements with reconsideration required at a defined frequency.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to specify requirements for determining and documenting the allowability of costs charged to OT awards.

We recommend that Humana, Inc. refund to the Federal Government the $197,720,651 of net overpayments.

We recommend that the Colorado Department of Human Services conduct all required criminal background checks for the 107 individuals in our sample who did not have the required checks at the time of our audit (if still employed).

We recommend that the Colorado Department of Human Services ensure that all required background checks are completed and retain these records until the background check expires.

We recommend that the Georgia Department of Community Health remind nursing facilities of Federal and State requirements for reporting incidents of potential abuse or neglect.

We recommended that the State agency ensure that it documents actions it takes when nursing facilities fail to report incidents and fail to report incidents on time.

We recommend that Palmetto Government Benefits Administrator, LLC decrease its Excess Plan Medicare segment pension assets by $9,196 and recognize $737,271 as the Excess Plan Palmetto Medicare segment pension assets as of January 1, 2017.

We recommend that Palmetto Government Benefits Administrator, LLC decrease its Excess Plan Medicare segment pension assets by $9,196 and recognize $737,271 as the Excess Plan Palmetto Medicare segment pension assets as of January 1, 2017.

We recommend that Noridian Healthcare Solutions LLC work with CMS to ensure that its final settlement of contract costs reflects a decrease in Medicare restoration costs of $160,315 for CYs 2015 and 2016.

We recommend that HHS: Communicate to all stakeholders the roles and shared responsibilities that must be implemented to meet the requirements for an "effective" level of security in the context of the maturity model, including whether such requirements are to be implemented through centralized, federated, or hybrid controls. This should also include the responsibilities of the OCIO, the OpDivs, and third-party stakeholders (including contractors).

Develop oversight process and procedures to ensure comprehensive policies and procedures for managing the configurations of information systems are developed and tailored to the OpDivs environment.

Update the ISCM strategy to include a roadmap for complete deployment across all HHS OpDivs, and key performance indicators and benchmarks to facilitate the implementation of CDM toolsets across all OpDivs.

Conduct an assessment of privileged IT staff to identify users with significant cybersecurity responsibilities and ensure they complete specialized role-based training.

We recommend that the HHS OCIO work with the OpDivs to develop a formal risk management strategy to establish, communicate, and implement its risk management controls, including for supply chain risk management. Additionally, within the Risk Management Strategy, the OpDiv should document procedures to ensure that all system owners have implemented processes and methodologies for categorizing risk, developing a risk profile, assessing risk, risk acceptance/tolerance levels, responding to risk, and monitoring risk.

We recommend that the HHS OCIO work with the OpDivs to establish oversight procedures for contractor owned systems to ensure change control activities and record retention procedures are being implemented appropriately across all systems.

We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs conduct periodic review and adjustment of privileged user accounts and permissions as required by OpDiv policy is being implemented consistently across all systems within the established time period. Additionally, the OpDiv should ensure that privileged user account activities are logged and periodically reviewed.

Implement oversight of contractor system procedures to ensure that periodic user access reviews are performed and that privileged user account activities are logged and periodically reviewed. In addition, management should implement a review process for the monitoring activities by the Computer Security Incident Response Center (CSIRC) and DCIO Ops over government-owned systems with the OpDiv portfolio.

We recommend that the HHS OCIO work with its OpDivs to improve the incident evaluation process for determining whether an incident is major in accordance with the full OMB definition contained in the OMB FISMA guidance. This process should include a documented adjudication process that assesses the perceived or actual impact of the American people's public confidence in US Government systems, their civil liberties, or their public health and safety from the knowledge of the incident as noted in the OMB guidance.

CMS should encourage MAOs to perform program integrity oversight using ordering NPIs.

We recommend that Sunrise Hospital & Medical Center refund to the Medicare contractor $23,606,895 ($23,615,809 less $8,914 that the Hospital has already repaid) in net estimated overpayments for the audit period for claims that it incorrectly billed that are within the 4-year reopening period.

We recommend that Sunrise Hospital & Medical Center strengthen controls to ensure that: (1) all IRF beneficiaries meet Medicare criteria for acute inpatient rehabilitation and all required documentation is included in the medical records, (2) all inpatient beneficiaries meet Medicare requirements for inpatient hospital services, (3) outlier payments are calculated correctly by billing the correct units of service and charges on the claim and staff are properly trained, (4) the use of bypass modifiers is supported in the medical records and staff are properly trained, and (5) HCPCS codes are supported in the medical records and staff are properly trained.