Recommendations Tracker

We recommend that the National Institutes of Health provide additional training and implement oversight controls to ensure that contractor performance assessments are completed and uploaded to the Contractor Performance Assessment Reporting System timely.

We recommend that the Office of Children's Services continue to identify ways to address the challenges related to meeting the requirements for conducting monthly caseworker visits and home inspections, including consulting with ACF.

We recommend that Saint Louis University ensure that it always manages NIH awards in accordance with Federal and award requirements by strengthening procedures for reconciliation of payroll costs to approved salaries and wages and to payroll reports, and strengthening controls to ensure the timely completion and certification of employee time and effort reports after completion of each 6-month reporting period.

We recommend that Saint Louis University strengthen its controls, to include policies and procedures, to ensure that it properly monitors its subaward subrecipients, to include: evaluating its current risk assessment policies and procedures and implementing procedures to improve monitoring of subrecipients classified as high or medium risk and developing and implementing notification and followup procedures to be executed in cases of subrecipient subaward or contract cancellation.

We recommend that Keystone identify, for the high-risk diagnoses included in the report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government.

We recommend that Keystone ensure that it collects, for audits of risk adjustment data, medical records that comply with CMS requirements.

We recommend that the Centers for Medicare & Medicaid Services notify appropriate practitioners (i.e., those for whom CMS determines this audit constitutes credible information of potential overpayments) so that they can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation.

We recommend that the Centers for Medicare & Medicaid Services take the necessary steps, including seeking legislative authority, if necessary, to revise its regulations to ensure that Medicare pays the facility rate for physician services furnished while enrollees are Part A SNF or hospital inpatients irrespective of where the services are actually furnished or otherwise ensure that Medicare does not pay twice for any of the practice expenses incurred for physician services furnished while enrollees were Part A SNF or hospital inpatients, which could have resulted in the Medicare program paying up to $22,142,489 less and enrollees paying up to $5,609,125 less in cost-sharing during our 2-year audit period.

We recommend that the Centers for Medicare & Medicaid Services provide additional education to practitioners on the appropriate use of place-of-service codes while an enrollee is a Part A inpatient.

We recommend that the Florida Department of Children and Families, instruct PATH providers to review consumers' case files to determine if consumers are eligible and disenroll ineligible consumers from the PATH program.

We recommend that the Maryland Department of Health assess the effectiveness of all required NIST SP 800-53 controls according to the organization's defined frequency.

We recommend that the Maryland Department of Health perform periodic phishing exercises and enhance employee and contractor cybersecurity awareness training based on the results of the phishing exercises, if needed.

We recommend that the Vermont Department of Health, Division of Substance Use Programs require subrecipients to provide and retain supporting documentation for invoices submitted for reimbursement under Federal grants as recommended in Bulletin No. 5.

We recommend that the Vermont Department of Health, Division of Substance Use Programs provide training to State employees responsible for conducting pre-award risk assessments of potential subrecipients of Federal grant funds.

We recommend that the Centers for Medicare & Medicaid Services update security controls to align with the most current NIST SP 800-53 requirements.

We recommend that the Office of Refugee Resettlement strengthen oversight of transfers between care provider facilities by requiring that all transfer documentation be maintained in the UC Portal and by developing procedures for tracking and reviewing that documentation.

We recommend that the Office of Refugee Resettlement assess needs to expand the Office of Refugee Resettlement's network capacity to serve the needs of children with mental health and behavioral issues.

We recommend that HHS continue to work with OMB and other stakeholders to develop and implement an approach to reporting on TANF IPs going forward. This process will aid in identifying root causes of TANF IPs and allow HHS to report CAPs in the AFR.

We recommend that HHS continue to work with OMB and other stakeholders to develop and implement an approach to reporting on COVID-19 UIP in FY 2023.

We recommend that HHS focus on the root causes of the IP percentage and evaluate critical and feasible action steps to assist states with their compliance efforts for these requirements. This would include working with the states to bring their respective systems into full compliance with the requirements to decrease the IP rate percentage below 10 percent. HHS should work with the states to follow up on repeat root causes of errors and enhance the CAPs for implementation. In addition, as HHS reviews only 17 states each year for the Medicaid and CHIP IP rate, HHS should continue to follow up with states during the interim period to verify that corrective actions identified after the Payment Error Rate Measurement (PERM) review are being implemented. HHS should also consider sharing corrective action best practices across states to help address these issues.

While HHS continues to make improvements in certain areas of the Medicare FFS program that have reduced IP, the impact of IP stemming from the two drivers mentioned above outweighed this progress in FY 2022. We recommend that HHS continue to focus on the root causes of the IP percentage, especially the new drivers related to SNF and Hospice, and evaluate and document critical and feasible action steps to meet the Medicare FFS reduction target.

We recommend that the Health Resources and Services Administration work with the 13 health centers identified in our report that may not have properly allocated COVID-19 supplemental grant funding costs to determine what portion of the $15,056,835 is allocable to their COVID-19 supplemental grant funding and require the health centers to refund the improperly allocated funds to the Federal Government.

CMS should inform providers about buprenorphine use and the low risk of diversion to encourage providers to treat more Part D enrollees who have opioid use disorder.

CMS should follow up on the prescribers with concerning patterns identified in this report.

We recommend that the Massachusetts Department of Health and Human Services assess the effectiveness of all required NIST SP 800-53 controls according to the organization's defined frequency.

To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to advance the SCRM program to implement defined standards across HHS.

To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS confirm that the OpDivs contingency plan testing is being performed within the timeframe required by HHS policy.

We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that Information Security Continuous Monitoring (ISCM) policies and procedures are consistently implemented in accordance with NIST standards for all systems.

We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete its discovery of all information systems and maintain an up- to-date inventory of systems, software, and licenses.

We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDiv's SCRM policies and procedures are being consistently implemented across the organization and ensure their execution.

We recommend that the HHS OCIO work with the OpDivs to ensure that OpDivs define and implement policy for data exfiltration, enhanced network defenses, e-mail authentication, and DNS infrastructure tampering mitigation. Further, ensure the OpDiv enforces implementation of data encryption in transit and at rest in accordance with HHS policy, NIST standards, and OMB guidance.

We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement its policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy.

We recommend that the HHS OCIO work with the OpDivs to ensure that secure configuration settings are being maintained as defined by existing policy.

We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution.

We recommend that the HHS OCIO work with the OpDivs to implement oversight procedures sufficient to ensure that all personnel complete role-based training in a timely manner.

We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that all OpDivs review pre-defined privileged users' activities periodically and document the review and any follow-up activities for all systems.

We recommend that the HHS OCIO work with the OpDivs to ensure that data encryption methods to protect data determined to be PII or sensitive are implemented across the organization for all systems.

We recommend that the Office of Refugee Resettlement clarify and reissue guidance for background checks at EISs so that it is clear which checks are required, who is responsible for conducting the checks, and which checks must be conducted prior to hire.

We recommend that the Office of Refugee Resettlement ensure that future awards and subawards for services that involve contact with children (e.g., transportation) include detailed information on background check requirements and specify that background checks must be conducted prior to hire.

We recommend that the Office of Refugee Resettlement re-evaluate the use of public records checks in lieu of, or prior to receiving the results of, FBI fingerprint and CA/N checks, and require a DOJ sex offender registry check in addition to a public records check if ORR determines there is a need to use public records checks.

We recommend that the Centers for Medicare & Medicaid Services work with the MACs to based upon the results of this audit, notify appropriate providers (i.e., those for whom CMS determines this audit constitutes credible information of potential overpayments) so that the providers can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation.

Now that CMS has reinstituted most program integrity measures, we also recommend that CMS take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Implement system edits for psychotherapy services, including services provided via telehealth, to prevent payments for services that were billed incorrectly.

Now that CMS has reinstituted most program integrity measures, we also recommend that CMS work with the MACs to take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Review MAC jurisdictions' LCD requirements for psychotherapy services to identify which provisions effectively promote program integrity, and consider additional steps that CMS could undertake to ensure appropriate coverage and payment for psychotherapy services across all jurisdictions.

We recommend that the Centers for Medicare & Medicaid Services establish an interagency process to integrate VHA enrollment, claims, and payment data into the CMS IDR to identify potential fraud, waste, and abuse under the Medicare program.

We recommend that the Centers for Medicare & Medicaid Services issue guidance to providers on not billing Medicare for a medical service that was authorized by VHA.