Medicaid and PeachCare managed care: lack of coordinated integrity efforts increases risk of improper payments

Performance Audit Report No. 18-05

July 2020

Georgia Department of Audits and Accounts
Performance Audit Division
Greg S. Griffin, State Auditor Leslie McGuire, Director

Why we did this review
The Georgia Department of Community Health (DCH) serves as the single state agency for the administration of the Medicaid and PeachCare for Kids (PeachCare) programs. Medicaid and PeachCare members are insured either directly from DCH or through one of four managed care organizations (CMOs) contracted by DCH to provide services. In fiscal year 2019, nearly 75% (1.5 million) of Medicaid and PeachCare members were insured through one of the four CMOs. Premium payments to these CMOs comprise approximately 41% ($4.4 billion) of $10.6 billion Medicaid and PeachCare expenditures.
This report examines program integrity activities associated with Medicaid and PeachCare managed care. These activities occur within DCH's Medical Assistance Plans Division and are critical in detecting and recovering improper payments.

Medicaid & PeachCare Managed Care
Lack of coordinated integrity efforts
increases risk of improper payments
What we found Efforts to detect, prevent, and address fraud and abuse within the Georgia Medicaid and PeachCare programs occur in siloed functional areas within DCH and its four CMOs, causing those efforts to be fragmented and uncoordinated. As a result, we estimate that approximately $41.1 million in Medicaid and PeachCare payments were not subject to adequate oversight and claims review between calendar years 2013 and 2019. Additionally, the lack of adequate oversight can result in overpayments and lead to the state paying higher capitation rates to CMOs. The capitation rate is the monthly rate paid by the state to the CMOs for each enrollee.

About Program Integrity
The federal Centers for Medicare & Medicaid Services (CMS) requires states to have an integrity program dedicated to preventing, detecting, and reviewing suspected fraud and abuse cases.
DCH's managed care contracts require CMOs to identify, investigate, and address potential fraud and abuse. By monitoring CMO program integrity efforts, DCH can limit the amount of improper payments.

270 Washington Street, SW, Suite 1-156

Atlanta, Georgia 30334

Phone: (404)656-2180

www.audits.ga.gov

Providers often participate in DCH's Fee-For-Service program and in multiple CMO networks. As such, to sufficiently detect patterns of potential fraud and abuse, all Medicaid and PeachCare payments and related information should be methodically analyzed by DCH, regardless of payer (the four CMOs or DCH). Once questionable claims patterns have been identified, program integrity activities should be coordinated among all payers.
DCH does not adequately coordinate program integrity efforts across the various Medicaid/PeachCare payers. Consequently, these payers inconsistently apply program integrity actions such as prepayment reviews, post-payment reviews/investigations, and terminations.
DCH has not analyzed the CMOs' activity reports to identify trends or baseline data that could help DCH develop program integrity standards or goals. After reviewing these reports, we found that activity levels and outcomes varied among CMOs; however, without defined performance goals, we cannot determine whether CMOs' efforts have been sufficient or effective. In addition, we identified significant discrepancies and missing information in the program integrity activity reports the CMOs are required to submit to DCH. Because DCH does not review the quality of these reports, the deficiencies we observed had not been identified or addressed by DCH management.
O.C.G.A. 33-20A-62 limits the time CMOs may recover overpayments using administrative actions such as claims audits to 18 to 24 months from the date of service, while the Fee-For-Service program has three years. Any recovery after this "look back" period must be accomplished through civil or criminal prosecution of Medicaid fraud based on the Georgia False Medicaid Claims Act or the Georgia Medical Assistance Act. Because provider overpayments do not always warrant civil or criminal prosecution, Georgia's "look back" time limitation for managed care plans can indirectly reduce the recovery of Medicaid overpayments when the referral and investigative process exceeds these limits. For example, 20 cases referred to the Medicaid Fraud Control Unit during calendar years 2017 and 2018 were closed without civil or criminal prosecution after the "look back" time limitation had expired, leaving $1.4 million in potential overpayments unrecoverable.
What we recommend To limit improper Medicaid payments, DCH should utilize an enterprise perspective that encompasses all organizational units including Fee-For-Service and the CMOs. To facilitate an enterprise approach, DCH should consider changing its organizational structure to consolidate overall responsibility for program integrity efforts from across all organizational units to a single party, such as the Program Integrity Director. This report also contains many recommendations for how DCH and CMOs can improve program integrity efforts. The General Assembly should consider exempting CMOs Medicaid operations from O.C.G.A. 33-20A-62 to allow CMOs more time to conduct post-payment audits and recover associated overpayments. These improvements should help reduce Medicaid overpayments and reduce the state's managed care premium costs.
A detailed listing of recommendations can be found in Appendix A.
Agency Response: DCH generally agreed with and are taking actions to address our recommendations. Specific responses are included at the end of each relevant finding.

Medicaid Managed Care Program Integrity

i

Table of Contents

Purpose of the Audit

1

Background

1

Fee-For-Service

1

Managed Care

2

Program Integrity

3

Financial Information

6

Findings and Recommendations

8

Finding 1: Program integrity efforts are fragmented and uncoordinated among various

DCH units and its CMOs, which increases the risk of undetected and

unrecovered improper payments.

8

Finding 2: DCH does not analyze payment trends for providers across all Medicaid

payers once questionable claims patterns indicative of fraud or abuse are

identified.

8

Finding 3: DCH does not notify CMOs of providers DCH has identified as a potential

risk for submission of questionable claims.

11

Finding 4: DCH does not ensure that all payers analyze claims data for providers

placed on prepayment reviews by one payer to determine if the other payers

should take similar actions.

12

Finding 5: DCH does not ensure that Fee-For-Service and CMOs review claims data

for providers investigated by other payers to determine if they should also

investigate.

15

Finding 6: DCH does not ensure CMOs consistently report the termination of provider

contracts due to concerns of program abuse or non-compliance.

19

Finding 7: DCH has not defined acceptable levels of CMO program integrity activity

or developed objectives for determining whether CMOs' activities are

effective in identifying and preventing improper payments.

20

Finding 8: DCH does not ensure that information reported by CMOs regarding the

number and status of CMO program integrity investigations is accurate or

complete.

24

Finding 9: DCH does not ensure that it receives or communicates accurate and timely

information regarding CMO fraud referrals or the status of CMO fraud

investigations resulting in inadequate oversight of these cases.

26

Finding 10: DCH does not monitor CMO cases to ensure that actions, including fraud referrals, are made within the statutory time limits for administrative

Medicaid Managed Care Program Integrity

ii

recovery of improper provider payments, resulting in the forfeiture of

approximately $1.4 million in estimated recoverable funds.

30

Finding 11: DCH does not ensure that CMOs monitor their subcontractors'

performance in preventing, detecting, and recovering improper Medicaid

payments.

34

Appendix A: Table of Recommendations

37

Appendix B: Objectives, Scope, and Methodology

40

Appendix C: Current DCH Organization Chart

43

Medicaid Managed Care Program Integrity

1

Purpose of the Audit
This report examines program integrity activities associated with Medicaid and PeachCare managed care within the Medical Assistance Plans Division of the Georgia Department of Community Health (DCH). Specifically, the audit examines the extent to which
1. DCH has included adequate program integrity provisions in its contract with managed care organizations (CMOs) and ensures CMOs comply with these requirements;
2. DCH utilizes Medicaid managed care encounter data to detect potential acts of fraud, abuse, or overpayments in the Medicaid managed care program and refers identified cases to the CMOs for action;
3. DCH coordinates activities and actions of all payment providers; 4. DCH ensures CMOs adequately monitor their subcontractors' performance
in completing program integrity responsibilities; and 5. the Medicaid Fraud Control Unit referral process maximizes the
identification and recovery of managed care provider overpayments.
A description of the objectives, scope, and methodology used in this review is included in Appendix B. A draft of the report was provided to DCH and the Medicaid Fraud Control Unit for review, and pertinent responses were incorporated into the report.
Background
The Georgia Department of Community Health (DCH) serves as the single state agency for the administration of the Medicaid and PeachCare for Kids (PeachCare) programs, which are described below. During fiscal year 2019, DCH expended approximately $10.6 billion to provide access to health care and related services for more than 2.1 million individuals through the Medicaid and PeachCare programs.
Medicaid is a joint federal and state program that provides free health coverage to low-income families and children, pregnant women, the elderly, and people with disabilities. DCH administers Medicaid under Title XIX of the Social Security Act.
PeachCare is Georgia's Children's Health Insurance Program, which provides low-cost health coverage to uninsured children in families that earn too much income to qualify for Medicaid. To qualify for PeachCare, family income must be less than or equal to 235% of the federal poverty level.
Medicaid and PeachCare members are insured either directly from DCH through the Fee-For-Service program or through one of four managed care organizations-- referred to by DCH as Care Management Organizations (CMOs)--contracted by DCH to provide services. Throughout the report DCH's Fee-For-Service program and the CMOs are collectively referred to as payers because they pay for provided services.
Fee-For-Service Under the Fee-For-Service program, DCH pays providers directly for each covered service received by a Medicaid beneficiary. DCH also enrolls providers to participate in the Medicaid program and ensures beneficiaries statewide have access to care. DCH is responsible for setting provider payment rates, which are required by federal law (Section 1902 (a)(30)(A) of the Social Security Act) to be consistent with efficiency,

Medicaid Managed Care Program Integrity

2

economy, and quality of care and sufficient to provide access equivalent to the general non-Medicaid population. The Georgia Medicaid population served by the Fee-ForService program includes persons who are:
aging, blind, and/or disabled, in long-term care facilities, or in nursing homes.
Managed Care Effective June 1, 2006, the state of Georgia implemented Georgia Families, a statewide managed care program through which health care services are delivered to certain members of Medicaid and PeachCare. Under managed care, Georgia pays a monthly fee to a CMO for each enrolled beneficiary. The CMO manages and finances the beneficiaries' health care, develops provider networks, and monitors the providers' compliance with Medicaid laws, rules, and regulations.
All PeachCare members and the following Medicaid populations are served through Georgia Families:
Parent/Caretaker with Children Medicaid (formerly known as Low Income Medicaid)
Transitional Medicaid Pregnant Women with Children Under 19 Newborns Women Eligible Due to Breast and Cervical Cancer Children, Youth and Young Adults in Foster Care, Adoption Assistance and
Juvenile Justice System
DCH contracts with the following four CMOs to manage health care benefits and pay providers for services to Georgia Families members:
Amerigroup CareSource Peach State Health Plan WellCare
Georgia Families members may enroll in the CMO of their choice. The CMOs are responsible and accept full financial risk for providing and authorizing covered services. CMOs contract with and pay doctors, hospitals, and other care providers to establish a network that provides health care services for plan participants. DCH contracts with an independent actuarial firm to determine per-member monthly premium rates, referred to as capitation payments, that the state pays each CMO. Capitation rates are based on CMO-reported data and costs.

Medicaid Managed Care Program Integrity

3

As shown in Exhibit 1, approximately 1.5 million members were enrolled in one of the four CMOs during fiscal year 2019, with WellCare serving the largest number of members.

Exhibit 1
Approximately 1.5 million Members in the Georgia Families Program Enrolled in a CMO1, Fiscal Years 2016-2019

Note:
1. Fiscal Year 2018 was the first year of CareSource's contract to provide services for the Georgia Families program.
Sources: DCH enrollment reports

Fraud is an intentional deception or misrepresentation made by a person with the knowledge that the deception could result in some unauthorized benefit to himself or some other person.
Abuse means provider practices that are inconsistent with sound fiscal, business, or medical practices and result in an unnecessary cost to Medicaid.

Program Integrity
The federal Centers for Medicare & Medicaid Services (CMS) requires states to have an integrity program dedicated to preventing, detecting, and reviewing suspected fraud and abuse cases. As a condition for receiving payment under the Georgia Families program, Georgia's managed care contracts require CMOs to identify, investigate, and address potential fraud and abuse. Improper payments are often the result of provider fraud and abuse, which can be detected through program integrity activities. By monitoring CMO program integrity efforts, DCH can limit the amount of improper payments that are included in capitation rate calculations.
The capitation rate is the monthly rate paid by the state to the CMOs for each Georgia Families enrollee. DCH's actuary calculates the monthly capitation rates based on many factors including the amounts paid to providers. As shown in Exhibit 2, undetected, unrecovered, or unreported overpayments made by CMOs lead to increased capitation rates the state pays to CMOs.

Medicaid Managed Care Program Integrity

4

Exhibit 2
CMO Overpayments Can Result in Higher State Costs Through Increased Capitation Rates

Sources: DCH documentation
The federal Centers for Medicare & Medicaid Services (CMS) requires Georgia to have an integrity program dedicated to preventing, detecting, and reviewing suspected fraud and abuse cases. Responsibility for program integrity between the two programs is described below.
For the Fee-For-Service program, DCH is responsible for identifying potential fraud and abuse in addition to processing and paying claims and monitoring improper claims.
For Georgia Families, DCH's contracts with CMOs require CMOs to conduct program integrity activities. CMOs have the primary responsibility for processing, paying, and monitoring the claims of providers in the CMO networks.
CMO Program Integrity Oversight As shown in Exhibit 3, three DCH units (the Contract Compliance Unit, the Program Integrity Unit, and the Data Integrity and Analysis Unit) monitor CMO program integrity activities.
The Contract Compliance Unit in the Medical Assistance Plans Division provides oversight for the CMO contracts, which outline CMO program integrity activity and reporting responsibilities. Division staff review and approve the CMOs' Program Integrity Compliance Plans. Division staff also collect quarterly reports required by the contract, such as Quarterly Fraud Reports. Quarterly Fraud Reports include details of provider reviews/investigations, listings of provider terminations, and totals for amounts recovered as a result of program integrity actions.

Medicaid Managed Care Program Integrity

5

The Program Integrity Unit within the Office of Inspector General (OIG) is responsible for approving CMO requests to open investigations and obtaining and reviewing periodic CMO program integrity activity reports1. The unit also conducts quarterly meetings with all CMOs and the Medicaid Fraud Control Unit (described below) to share program integrity case information.
The Data Integrity and Analysis Unit periodically analyzes Medicaid claims (including Fee-For-Service claims and CMO encounter data) to identify providers that are outliers in terms of billing more than their peers. These analyses are referred to as Surveillance Utilization Reviews.
Exhibit 3
Oversight of CMO Program Integrity Activities Occurs in Three Separate DCH Units
DCH Commissioner

Deputy Commissioner, Chief Medical Assistance Plans
(Medicaid, Peachcare for Kids)
Assistant Chief Managed Care

Deputy Commissioner
Inspector General Office of Inspector General

Contract Compliance Unit (8 positions)

Program Integrity Unit (18 positions)

Data Integrity and Analysis Unit (15 positions)

Note: Prior to completion of the audit, DCH implemented a structural reorganization which, in part, addresses issues concerning the lack of coordination and accountability for CMO program integrity actions and activity levels. The current DCH organization chart is presented in Appendix C.
Sources: DCH documents and DOAA interviews with DCH staff members

Managed Care Program Integrity Actions DCH and CMOs take a variety of actions to prevent, detect, and recover improper provider payments for managed care services.
Actions taken to prevent improper payments include: Payment System Edits: CMOs' automated payment systems should include edits designed to detect obvious errors and prevent payment. Examples of obvious errors include claims with dates of service before birth or after death, hysterectomies performed on men, or multiple extractions for the same tooth.

1 These reports include Quarterly Meeting Reports which are provided separately from the Quarterly Fraud Reports submitted to the Medicaid Assistance Plans Division.

Medicaid Managed Care Program Integrity

6

Medicaid Fraud Control Unit: Part of the Georgia Department of Law and authorized to investigate and prosecute suspected cases of Medicaid fraud.

Prepayment Reviews: Some providers may be identified as being at higher risk for submitting questionable payments. Prior to paying claims from these providers, the Fee-For-Service program or CMO requests and reviews medical records to ensure that claimed services were medically necessary and met all Medicaid requirements.
Actions taken to detect and recover improper payments include: Data Analytics: DCH and CMOs analyze claims data for questionable trends or billing patterns indicative of fraud or abuse. For example, DCH's Data Integrity and Analytics Unit analyzes claims data to identify providers who bill for more services per client than their peers.

Investigations: DCH and CMOs may investigate providers identified as risks for submitting questionable claims through data analytics or other means such as informants. These investigations may include reviewing medical records and other documentation to determine whether providers are
compliant with Medicaid law and regulations. If investigations result in credible allegations of fraud, the providers are referred for criminal investigation to the state's Medicaid Fraud Control Unit. If fraud is not apparent, CMOs may pursue the recovery of identified overpayments and other sanctions such as termination from their provider network.

Financial Information
Georgia Families is funded by a combination of state, federal, and other funds. As shown in Exhibit 4, fiscal year 2019 expenditures for the program were approximately $4.7 billion. The largest components are federal funds (approximately $3.4 billion-- 71% of total) and state general funds (approximately $943.5 million--20% of total). Total funding has grown 4.6% from fiscal years 2017-2019; however, state general funds have slightly declined.

Exhibit 4
Funding for Georgia Families Has Grown 4.6% from $4.5 Billion to $4.7 Billion, Fiscal Years 2017-2019

State General Funds Tobacco Federal Other Total

2017 $943,583,672
$93,892,175 $3,198,849,561
$266,278,273 $4,502,603,682

2018 $910,194,105 $105,910,484 $3,334,342,853 $317,260,780 $4,667,708,221

Source: State Accounting Office Budgetary Compliance Reports

2019 $943,480,247 $121,060,626 $3,354,745,875 $290,667,529 $4,709,954,276

Georgia Families expenditures are largely associated with capitation payments made to the CMOs for Medicaid enrollees. CMOs pay a wide variety of capitation rates based on factors such as Medicaid or PeachCare enrollment, geographic location, and the member's age and gender. As shown in Exhibit 5, Georgia Medicaid capitation payments to the CMOs has increased by 9.0% between fiscal years 2016 and 2019 from approximately $3.99 billion to $4.35 billion. Payments are distributed among all four CMOs, with WellCare receiving the largest portion (33%) of payments. During fiscal

Medicaid Managed Care Program Integrity

7

year 2019, its second year of participation, CareSource received $656.3 million (15%) of total capitation payments.
Exhibit 5
Total CMO Capitation Payments Have Increased by 9.0%, Fiscal Years 2016-2019

Source: DCH Financial Data

Medicaid Managed Care Program Integrity

8

Findings and Recommendations

Finding 1:

Program integrity efforts are fragmented and uncoordinated among various DCH units and its CMOs, which increases the risk of undetected and unrecovered improper payments.

Efforts to detect, prevent, and address fraud and abuse within the Georgia Medicaid and PeachCare programs occur in siloed functional areas within DCH and its CMOs, causing those efforts to be fragmented and uncoordinated. This fragmentation may have exposed approximately $41.1 million2 in Medicaid/PeachCare payments to inadequate oversight and claims review between calendar years 2013 and 2019.
Because DCH inadequately coordinates program integrity efforts across the various Medicaid payers (the four CMOs and the DCH Fee-For-Service program), these payers inconsistently apply program integrity actions such as prepayment reviews, post-payment reviews/investigations, and terminations. In addition, DCH does not analyze claims and payment trends for providers across all Medicaid payers, leaving the potential for questionable claims patterns indicative of fraud or abuse to remain undetected. The inconsistent and fragmented application of program integrity efforts is discussed in findings 2-6 on pages 8-18.

RECOMMENDATIONS
1. DCH should assess and address risk of questionable payments in the Medicaid program utilizing an enterprise perspective that encompasses all organizational units, including Fee-For-Service and the four CMOs.
2. DCH should assign responsibility for program integrity to a single party. This assignment would provide the discipline and structure necessary to coordinate and guide program integrity efforts.

Agency Response: DCH agreed with these recommendations. DCH has made organizational changes to resolve these issues. Specifically, DCH's Office of Inspector General "recently optimized its program integrity organizational structure to functionally align teams to conduct end to end processes." It has expanded data analytics capabilities which "allow the Program Integrity Unit to use an enterprise perspective to assess and address questionable payments in the Medicaid program across all payers." DCH also plans to assign the Program Integrity Unit as DCH's single party responsible for program integrity efforts. DCH anticipates that "coordinating program integrity efforts for all Medicaid payers will strengthen its ability to detect questionable patterns indicative of fraud or abuse."

Finding 2:

DCH does not analyze payment trends for providers across all Medicaid payers once questionable claims patterns indicative of fraud or abuse are identified.
DCH does not typically direct or coordinate analyses across the five Medicaid payers. Consequently, both DCH and the four CMOs may fail to detect potentially improper payments and patterns indicative of fraud or abuse.

2 Components of the $41.1 million Medicaid/PeachCare payments potentially subject to inadequate oversight and review are identified in bold in the following findings.

Medicaid Managed Care Program Integrity

9

Detective controls include comparing and relating different sets of data to one another to analyze
relationships.

Medicaid providers often participate with both the Fee-For-Service program and with multiple CMOs. As such, to sufficiently detect patterns of potential fraud and abuse, all Medicaid payments regardless of payer should be analyzed once questionable claims patterns have been identified. DCH has access to information from all Medicaid payers that include claims data and providers identified with questionable claims patterns. impose
DCH staff do not analyze or review payment trends for providers that have been identified as risks for questionable claims by one or more CMO. While CMOs report to DCH providers they have identified as having questionable claims practices and providers they have initiated enforcement actions, DCH does not analyze these providers' Medicaid claims to determine whether the Fee-For-Service program or any other CMOs have similar exposure for questionable claims patterns.
Exhibit 6 illustrates a pattern of claims indicative of fraud that is apparent when the totality of a provider's claims data is reviewed. In this example, the provider submits claims under three separate Medicaid identification numbers--one for each of the two partners and one for the practice. Billing patterns indicate the provider used these different Medicaid identification numbers to avoid payment controls.
Because DCH does not review the totality of a provider's claims data, it may fail to identify claims patterns indicative of fraud and abuse. In this example, CMO B opened investigations of each partner in 2014, resulting in the establishment of prepayment reviews in 2016. Within two years of the prepayment reviews, the provider appears to have substituted claims using the practice's Medicaid identification number as opposed to using both partners' identification numbers. We have referred this case to the Medicaid Fraud Control Unit for a fraud investigation.
By not analyzing claims data in a comprehensive manner, DCH may fail to implement corrective actions in the timeframe necessary to reduce improper Medicaid payments. As shown in Exhibit 6, DCH waited five years to analyze a provider's Medicaid claims after being informed by a CMO of improper claims practices. After CMO A investigated and terminated the provider's contract in 2014, the Fee-For-Service program and remaining two CMOs continued to pay the provider approximately $2.6 million in Medicaid payments.
The provider's improper claims practices were pervasive. After the first CMO notification of questionable claims practices, the remaining CMOs and the Fee-For-Service program also identified improper claims practices and initiated program integrity actions over the subsequent five years. If DCH had analyzed payment patterns across the three CMOs and Fee-For-Service program upon the first CMO's notification, the larger scope of the provider's problematic claims patterns could have been identified and addressed earlier.

Medicaid Managed Care Program Integrity

10

Exhibit 6
Claims Pattern Indicative of Fraud the Provider Used Different Medicaid IDs to Avoid Payment Controls Was Not Identified by DCH, Calendar Years 2013-2019

$600,000

$400,000

$200,000 Partner

2

Practice

$- Partner 1
. CMO CMO CMO FFS ABC

CMO A terminates provider contract with Partner 2
CMO B investigates Partners 1 and 2 and initiates prepayment
review

$600,000 $400,000

Practice

$200,000 Partner

2

$- Partner 1

. CMO CMO CMO FFS

ABC

$600,000

Practice

$400,000

$200,000 Partner

2

$- Partner 1

. CMO CMO CMO FFS

ABC

Fee-For-Service Program initiates prepayment review of Practice/ Payments decline
No CMO C payments to Partner 1

$600,000 $400,000 $200,000
$-

Practice
Partner 2
. CMO CMO CMO FFS ABC

2013 2014 2015 2016 2017 2018 2019

CMO A opens investigation of Partner 1

$600,000

$400,000

Practice

$200,000 Partner

2

$- Partner 1

. CMO CMO CMO FFS

ABC

CMO C opens investigation of Partner 1

$600,000 $400,000

Practice

$200,000 Partner

2

$- Partner 1

. CMO CMO CMO FFS

ABC

All CMO B payments shift from Partners 1 and 2 to the Practice

$600,000 $400,000 $200,000
$-

Practice Practice
Partner 2
. CMO CMO CMO FFS ABC

Fee-For-Service Payments continue to decline

Sources: CMO Quarterly Fraud Reports, DCH Quarterly Meeting Reports, and Medicaid Claims Data

Medicaid Managed Care Program Integrity

11

RECOMMENDATION 1. Once a pattern of questionable claims is identified, DCH should analyze payment trends for providers across all Medicaid payers to identify whether corrective actions should be taken.
Agency Response: DCH agrees with the recommendation. DCH anticipates that expanded data analytics capabilities will allow the Program Integrity Unit to use an enterprise perspective to assess and address questionable payments in the Medicaid program across all payers. DCH further stated that the Program Integrity Unit "will establish a protocol with the CMOs to communicate and share knowledge regarding questionable billing patterns" noting that "this will strengthen DCH's ability to detect potential improper payments, to identify patterns indicative of fraud and abuse, and to determine if corrective actions should be taken."

Finding 3:

DCH does not notify CMOs of providers DCH has identified as a potential risk for submission of questionable claims.
While DCH's Data Integrity and Analysis Unit reviews both managed care and FeeFor-Service claims to identify providers with questionable claims patterns, DCH only pursues Fee-For-Service providers. DCH neither pursues providers with questionable claims patterns related to managed care claims nor forwards this information to the respective CMOs.
Because DCH does not notify the CMOs of providers it identifies with questionable claims practices, CMOs may fail to apply necessary control activities to prevent further potential abuse of the Medicaid program. Only 18 of the 74 (24%) providers reviewed by the Data Integrity and Analysis Unit during calendar years 2016-2018 for questionable claims practices have been investigated by the CMOs. However, it is not apparent that these 18 investigations were influenced by DCH actions because the investigations occurred prior to or long after the Data Integrity and Analysis Unit's analysis.
As shown in Exhibit 7, the Data Integrity and Analysis Unit identified a Fee-ForService provider that demonstrated potentially fraudulent claims patterns. While this provider received over 90% of its Medicaid payments from the CMOs, DCH did not inform the CMOs of this finding. As a result, DCH failed to ensure that the CMOs applied preventive and detective controls in a timely manner on over $2.5 million in managed care payments. After DCH completed its analysis, within one year, two CMOs independently identified the questionable claims practices--one through data analytics and the other through an informant--and opened investigations.

Medicaid Managed Care Program Integrity

12

Exhibit 7
DCH Identified a Potentially Fraudulent Claims Pattern and Did Not Inform CMOs Even Though Over 90% of Payments Were from CMOs, Calendar Years 2017-2019

Sources: DCH Data Integrity and Analysis Unit reports, CMO Quarterly Fraud Reports, DCH Quarterly Meeting reports
RECOMMENDATION 1. DCH should inform CMOs of the providers it identifies with questionable claims practices to enable CMOs to implement timely detective and preventive controls.
Agency Response: DCH agrees with the recommendation. DCH intends for the Program Integrity Unit to establish a protocol with the CMOs to communicate questionable billing patterns noting that "this will strengthen DCH's ability to assist CMOs in implementing timely detective and preventive controls."

Finding 4:

DCH does not ensure that all payers analyze claims data for providers placed on prepayment reviews by one payer to determine if the other payers should take similar actions.
When a prepayment review is initiated for a specific provider by one CMO or by the Fee-For-Service program, it is typically not applied to the provider by the other payers. Prepayment reviews are designed to prevent improper Medicaid payments by reviewing a provider's medical documentation prior to payment of a claim. Fee-ForService payments to providers subject to prepayment review by the Fee-For-Service program typically decline following initiation of the prepayment review. Currently, DCH does not ensure that all payers analyze claims data for providers placed on prepayment reviews by one payer to determine if the other payers should take similar actions. Therefore, the Medicaid/PeachCare program has not taken full advantage of potential savings.

Medicaid Managed Care Program Integrity

13

As shown in Exhibit 8, CMOs applied prepayment reviews to only 12 of the 58 providers who were subjected to prepayment reviews by the Fee-For-Service program.3 Likewise, the Fee-For-Service program did not initiate prepayment reviews for all providers subjected to prepayment reviews by one or more CMO. For example, CMO C initiated prepayment reviews for 73 providers, only one of which was also subjected to a prepayment review by the Fee-For-Service program.

Exhibit 8
CMOs Rarely Apply Prepayment Reviews to the Same Providers as the Fee-For-Service Program1, Calendar Years 2014-2019

Prepayment Reviews Initiated by the Fee-For-Service Program

Providers Under Fee-For-Service Prepayment Review that also Participate with CMOs

Providers also Subjected to

6

CMO A Prepayment Review

Providers also Subjected to

CMO B Prepayment Review

6

Provider also Subjected to

CMO C Prepayment Review

1

70 58

Note:
1. The fourth CMO, was not included in this analysis because its contract was effective less than a year during the analysis time period.
Source: DCH documents
When CMOs or the Fee-For-Service program do apply a prepayment review to the same provider, the prepayment review is often of a different scale (i.e., some prepayment reviews are comprehensive while others only include specific procedure codes). For example, prepayment reviews reported by CMO A were limited to specific procedure codes, whereas only 11 of the 73 prepayment reviews initiated by CMO C and none of the prepayment reviews initiated by the Fee-For-Service program include such limitations.
Because prepayment reviews are applied inconsistently by the Fee-For-Service program and CMOs, the Medicaid program has not taken full advantage of the cost savings that could be realized by the control. As shown in Exhibit 9, prepayment reviews imposed by the Fee-For-Service program had an immediate impact on provider payments, with total payments declining by 86% from $36.8 million in the year prior to the prepayment review to $5.0 million in the year following the prepayment review. However, CMO payments to these providers increased 19% over this same time period from $13.5 million to $16.1 million.

3 Two CMOs applied a prepayment review to the same provider.

Medicaid Managed Care Program Integrity

14

Exhibit 9
Fee-For-Service Payments to Providers Subjected to Prepayment Reviews Declined 86% Within a Year of the Review but CMO Payments to these Providers Increased 19%, Fiscal Years 2014-2018

Sources: Medicaid claims data, DCH documents
Prepayment reviews are not consistently applied by the Fee-For-Service program and the four CMOs due to the decentralized program integrity function and lack of contract enforcement provisions, as described below.
The Fee-For-Service program and the CMOs conduct independent risk assessments to determine whether providers should be placed on prepayment review. These payers may decide to place a provider on prepayment review if they identify patterns of inappropriate claims, if the providers have a history of program abuse, or if claims data analyses indicate questionable claims practices. Each payer conducts the assessment in isolation and does not include data from other Medicaid payers.
Although CMOs are required to report to DCH providers they have placed on prepayment review and DCH shares this information with other CMOs, DCH does not require CMOs to determine if they have similar risk exposure and if application of prepayment reviews is warranted. According to DCH staff, the CMO contract does not include provisions that would enable DCH to require CMOs to take such action.
Contract provisions providing DCH with authority to direct CMO risk assessments would be beneficial to increase the number of and scope of CMO prepayment reviews. CMOs likely have not maximized the use of prepayment reviews because they can result in significant costs to the CMO and providers associated with medical documentation requests and reviews. In addition, the reviews delay provider payments.

Medicaid Managed Care Program Integrity

15

RECOMMENDATION
1. DCH should revise its CMO contract to allow DCH to direct CMOs to conduct improper billing risk assessments for providers who have been identified as risks by other payers and placed on prepayment reviews to determine if they should take similar action.
Agency Response: DCH agreed with this recommendation. Currently, "DCH and CMOs have different prepayment review policies and procedures." DCH's Program Integrity Unit will assess the policies and procedures for each entity "to determine which process best protects the integrity of the Medicaid program." Because "DCH is the only program integrity entity that has access to the data for all payers," its Program Integrity Unit "will develop a process that alerts all payers when a provider has been placed on prepayment review by another payer." DCH also plans to "revise the CMO contracts to allow DCH to direct CMOs to conduct improper billing risk assessments and cost avoidance measures where there is credible evidence of aberrant billing."

Finding 5:
Investigations: Occur after payment and include analysis of medical records and
other documentation to determine if providers
are compliant with Medicaid law and
regulations.

DCH does not ensure that Fee-For-Service and CMOs review claims data for providers investigated by other payers to determine if they should also investigate.
Providers are not subject to investigations uniformly across all Medicaid payers. Each Medicaid payer has identified providers whose claims patterns indicate fraud or abuse and opened investigations to determine whether providers are compliant with Medicaid law and regulations. After the payer initiates the investigation, payments to the provider may decline. However, because DCH does not require the Fee-ForService program and CMOs to review claims data for providers investigated by other payers to determine if they should also investigate, DCH has not taken full advantage of potential savings.
We found that when providers are investigated, they are typically subject to investigation by only one Medicaid payer. For example, only 119 of 578 (21%) providers under investigation as of the January 2019 reporting period were subject to investigation by more than one CMO. Although these providers typically participate with multiple Medicaid payers, only the provider's claims associated with the payer conducting the investigation are reviewed. This limited review may result in the under detection and consequent continuation of improper or fraudulent claims practices.
As with prepayment reviews, we found that investigations may result in the reduction of provider payments for the payer - the Fee-For-Service program or one of the CMOs - conducting the investigation but not for the remaining organizations. While it is possible that payments for other organizations did not decrease because they already had adequate payment controls in place, we did find cases where payments either increased for the other organizations or continued after the investigating organization terminated the provider's contract.
Exhibit 10 illustrates that inconsistent and uncoordinated investigation efforts can expose significant Medicaid payments to insufficient oversight and review. In this example, three CMOs conducted investigations of the provider at varying times from 2013 through 2018, resulting in significant reductions in payments.

Medicaid Managed Care Program Integrity

16

After the first investigation, conducted by CMO A, the provider's network contract was terminated in 2013. However, after this termination, three CMOs and the Fee-For-Service program continued to participate with and pay the provider $10.5 million.
In 2014, CMO B opened an investigation resulting in the 2016 termination of the provider's contract. However, after this second termination, the Fee-ForService program and remaining two CMOs continued to pay the provider $4.2 million.
In 2017, CMO C opened an investigation that found that 100% of the claims included in the investigation should not have been paid due to insufficient documentation.
The frequency of investigations and resulting reductions in payments to this provider indicate pervasive and persistent improper claims patterns. However, no investigations or actions have been reported by the Fee-For-Service program, which continued to pay the provider $5.7 million after the first CMO's contract termination.

Medicaid Managed Care Program Integrity

17

Exhibit 10
Inconsistent and Uncoordinated Investigation Efforts of a Provider Resulted in Disparate Oversight of Medicaid Payments and Potential Continuation of Improper Payments, Calendar Years 2013-2019

$1,500,000 $1,000,000
$500,000 $-

CMO CMO

A

B

CMO CMO Fee-For-

C

D Service

CMO B, CMO C and Fee-For-Service pay $1.9 million
CMO B opens investigation

$1,500,000 $1,000,000
$500,000 $-

CMO CMO CMO CMO Fee-For-

A

B

C

D Service

CMO B, CMO C and Fee-For-Service pay $2.2 million
CMO B terminates provider

$1,500,000 $1,000,000
$500,000 $-

CMO CMO CMO CMO Fee-For-

A

B

C

D Service

CMO C, CMO D and Fee-ForService pay $1.3 million

$1,500,000 $1,000,000
$500,000 $-

CMO CMO CMO CMO Fee-For-

A

B

C

D Service

2013 2014 2015
2016 2017 2018 2019

CMO A terminates provider after investigation

$1,500,000

$1,000,000

$500,000

$- CMO CMO CMO CMO Fee-For-

A

B

C

D Service

CMO B, CMO C and Fee-ForService pay $2.2 million
CMO B Payments Decline

$1,500,000

$1,000,000

$500,000

$-

CMO CMO CMO CMO Fee-For-

A

B

C

D Service

CMO B Payments End

CMO C, CMO D and Fee-ForService pay $1.5 million

CMO C opens investigation

$1,500,000 $1,000,000
$500,000 $-

CMO CMO CMO CMO Fee-For-

A

B

C

D Service

CMO C, CMO D and Fee-ForService pay $1.4 million

Sources: Medicaid Claims data, CMO Quarterly Fraud Reports, CMO Provider Termination Reports

Medicaid Managed Care Program Integrity

18

As described below, investigations are not consistently initiated by the Fee-ForService program and the four CMOs due to the decentralized program integrity function and lack of contract enforcement provisions.
The Fee-For-Service program and the CMOs conduct independent risk assessments to determine whether providers should be investigated. These payers may decide to investigate if they identify patterns of inappropriate claims, if the providers have a history of program abuse, or if claims data analyses indicate questionable claims practices. Each of these payers conduct the assessment in isolation and do not include data from other Medicaid payers.
Although CMOs are required to report to DCH providers they are investigating, and DCH shares this information with other CMOs, DCH does not require other payers to conduct a risk assessment on these providers. According to DCH staff, the CMO contract does not include provisions that would enable DCH to require CMOs to conduct this assessment.
While DCH informs each CMO of investigations the other three CMOs conduct, it does not inform CMOs of its own investigations. CMOs typically will not be informed of Fee-For-Service investigations unless the investigations have resulted in credible allegations of fraud and are referred to the Medicaid Fraud Control Unit for a criminal investigation. At this point, CMOs will be instructed to "stand down" from initiating or continuing investigations.
RECOMMENDATION 1. DCH should revise its CMO contract to require that CMOs assess the risk of improper billing practices for providers who have been investigated by other CMOs or the Fee-For-Service program to determine if they should open an investigation.
Agency Response: DCH partially agreed with this recommendation. "CMOs do not have access to all payer data to analyze enterprise billing trends or practices." DCH explained that the Program Integrity Unit currently hosts a quarterly CMO meeting where each payer discusses which providers are currently under investigation. The Medicaid Fraud Control Unit and DCH's CMO Contract Compliance Unit are active participants in this quarterly meeting. To address this finding, DCH stated that it plans to" revise the CMO contracts to allow DCH to direct CMOs to conduct improper billing risk assessments and cost avoidance measures where other payers have initiated an investigation."

Medicaid Managed Care Program Integrity

19

Finding 6:
"For Cause" Terminations: The state or CMOs initiate action to terminate a provider's Medicaid contract due to fraud, integrity, or quality issues. Federal law requires that states terminate participation of any provider who has been terminated "for cause" under Medicare or any other Medicaid State plan.
Providers terminated "for cause" are entitled
to appeal the action including a hearing
before an Administrative Law Judge. This process
may consume administrative and financial resources of the CMOs and/or
DCH.

DCH does not ensure CMOs consistently report the termination of provider contracts due to concerns of program abuse or non-compliance.
DCH has not developed policies and procedures to ensure provider terminations made as a result of concerns of program abuse or non-compliance are consistently reported. Federal law (Section 6501 of the Affordable Care Act) requires states to terminate the participation of any provider who has been terminated "for cause" under Medicare or any other state's Medicaid program. However, we found that DCH does not ensure that the CMOs payers within its own state Medicaid/PeachCare program report when they have terminated providers for program integrity-related reasons.
To protect the Medicaid program from improper payments, DCH may terminate a provider's participation in the Medicaid program if the provider has been identified as intentionally or negligently failing to comply with Medicaid policies and procedures. CMOs may also terminate or not renew contracts for providers they identify with similar patterns of non-compliance or program abuse.
We found that provider terminations associated with program integrity concerns enacted by one payer are often not enacted by other payers within the same time frame. For example, during fiscal year 2018, the number of providers CMOs terminated from their networks ranged from 23 to 89. Consequently, providers terminated by one payer may continue or increase their participation with other payers. Exhibit 10 on page 17 shows where both CMO A and CMO B investigated a provider and subsequently terminated their contract for issues that appear to meet the standards of a "for cause" termination. However, the provider continued to receive payments from the Fee-For-Service program and remaining two CMOs.
The following weaknesses in DCH's procedures contribute to the inconsistent application and reporting of provider terminations.
Underreporting of CMO Contract Terminations Related to Program Integrity Issues: The CMS review team found several cases where CMOs found credible allegations of fraud but terminated the provider contracts for business reasons rather than "for cause." We also found cases where CMOs conducted pre- and post-payment reviews and subsequently terminated the provider's contracts, but the official reasons for the terminations were vague. These business practices may protect the particular CMO from further improper payments, but they allow the provider to continue improper claims with other Georgia Medicaid payers.
Inadequate Information Sharing Among DCH Units: CMOs do provide provider termination reports to the Managed Care Unit; however, the Managed Care Unit does not review the reports to identify providers who have been terminated "for cause." In addition, according to the Program Integrity director, the Managed Care Unit does not provide these reports to DCH's Program Integrity Division. Consequently, the reported "for cause" terminations are not acted upon by DCH or shared with other CMOs.
Inadequate CMO Contract Requirements: Although CMOs provide provider termination reports to the Managed Care Unit, these reports are not specifically produced or reviewed in relation to program integrity. The

Medicaid Managed Care Program Integrity

20

contract does not require CMOs report to DCH when providers are terminated for fraud, integrity, or quality issues. Although the contract does require CMOs to list on their Quarterly Fraud Reports any providers they have identified to be related to debarred, suspended, or otherwise excluded entities, it does not specifically require them to report any providers they have terminated for cause.
RECOMMENDATIONS
1. DCH should revise its CMO contract to clearly define when and how the CMOs should report terminations related to fraud, integrity, and quality issues to DCH.
2. DCH should develop a framework that allows for the informal communication of provider terminations made as a result of program integrity concerns, but not categorized as such by the CMOs. Such communication would alert DCH to assess its risk associated with these providers.
Agency Response: DCH agreed with these recommendations. DCH plans to "revise the CMO contracts to clearly define when and how CMOs should report provider terminations regarding fraud, abuse, integrity and quality issues." In addition, DCH stated that it "will develop a framework which will allow CMOs to informally communicate provider terminations" and that "will incorporate a risk assessment to evaluate the exposure to the Fee-For-Service program by terminated providers."

Finding 7:
Management should clearly define
objectives to enable the identification of
risks and risk tolerances.

DCH has not defined acceptable levels of CMO program integrity activity or developed objectives for determining whether CMOs' activities are effective in identifying and preventing improper payments.
DCH has not analyzed the CMOs' activity reports to identify trends or baseline data that could help DCH to develop program integrity standards or goals. After reviewing these reports, we found that activity levels and outcomes varied among CMOs; however, without defined performance goals, we cannot determine whether CMOs' efforts have been sufficient or effective.
In its 2018 review of DCH's Medicaid managed care program integrity effort, CMS noted that the current CMO contract "has an extremely limited fraud and abuse section with only a few generally outlined program integrity requirements." The contract does not include any performance goals or metrics that can be used to assess effectiveness and hold the CMOs accountable. Although DCH has developed a revised contract with increased program integrity language that is currently under review by CMS, the revised contract still lacks clearly defined program integrity performance goals. Without such language, DCH staff have stated that they do not have any grounds to assess CMOs performance beyond whether they have submitted required reports of activity.

Medicaid Managed Care Program Integrity

21

Quarterly Fraud Reports (QFRs) contain a listing of and status updates for program integrity investigations active during the quarter.

DCH staff was unable to provide statistics on CMO cases, such as average case age and time to completion. We analyzed CMOs' quarterly fraud reports for calendar years 2017 and 2018 to calculate these statistics. As described below, we noted varying activity levels and length of investigations, as well as inconsistent outcome reporting. These issues are described below.
CMO Program Integrity Activity Levels Vary
During calendar years 2017-2018, CMO activity levels varied from each other and from year to year. As shown in Exhibit 11, CMO C closed almost twice as many cases as the other two CMOs in calendar year 2018. CMO B closed more than three times as many cases in 2018 as it did in 2017. Without established performance goals, we cannot determine whether CMO investigation activity levels indicate that CMOs are sufficiently identifying and addressing potential fraud and abuse.

Exhibit 11 CMOs' Investigation Activity Levels Vary, Calendar Years 2017-2018

Sources: CMO Quarterly Fraud Reports
Program Integrity Investigations Have Remained Open for Extended Time Periods
DCH has not defined acceptable time frames for CMOs to complete their program integrity investigations, even though Georgia's managed care law limits the time available for CMOs to recover overpayments to 18 months from the claim submission date. If CMO investigations exceed the statutorily set 18-month time frame, associated overpayments can no longer be recovered unless the case is resolved by the Medicaid Fraud Control Unit using criminal and civil statutes. As many of these cases do not involve issues meeting the standards for criminal or civil prosecution, associated overpayments can no longer be recovered. However, as shown in Exhibit 11, all three CMOs took more than 18 months on average to close investigations. In addition, the average age of open cases is generally approaching or exceeding the 18-month mark.

Medicaid Managed Care Program Integrity

22

Investigation Outcomes Vary and Are Inconsistently Reported
CMOs investigations outcomes vary when investigations reveal policy violations. When CMOs identify policy violations from their investigations, they may take various enforcement actions such as recovering identified overpayments, terminating the provider's network contract, or referring the provider to the Medicaid Fraud Control Unit for criminal investigation. In addition to these actions, CMOs may limit action to educating the provider regarding the policy violation but take no punitive action. These variances occur because DCH has not developed standards or guides related to the actions CMOs should take when investigations reveal policy violations.
As shown in Exhibit 12, CMOs took enforcement action prior to closing the investigation for 31% to 78% of their cases. In addition, one CMO relied more heavily on provider education as an action than the other two CMOs.

Exhibit 12
Prior to Closing Investigations with Identified Policy Violations, CMOs Did Not Take Enforcement Action on 22%-69% of Cases, Calendar Years 2017-2018

Unrecovered or unreported provider overpayments can
increase the managed care capitation rate, thus increasing state
costs.

Sources: CMO Quarterly Fraud Reports
When CMOs did recover overpayments, terminate provider contracts, or refer the cases to the Medicaid Fraud Control Unit for fraud investigations, the frequency and reporting of these actions to DCH varied. For example, as shown in Exhibit 13, most of the CMOs' cases were closed without the reported recovery of overpayments. Over the two-year period, the amount of CMOs' reported recoveries, as reported on quarterly fraud reports, varied significantly, from $14,577 to $849,806. However, DCH does not require that CMOs report overpayment recoveries on the quarterly fraud reports and, as a result, the CMOs did not consistently report this information on those reports. Consequently, CMOs may have recovered more overpayments than reported.

Medicaid Managed Care Program Integrity

23

Exhibit 13
The Majority of Cases Were Closed Without the Reported Recovery of Overpayments, Cases Closed Calendar Years 2017-2018

Sources: CMO Quarterly Fraud Reports
RECOMMENDATIONS 1. DCH should clearly define standards or goals related to each CMO's program integrity activity levels. These goals should be included in the CMO contracts to provide the necessary foundation for assessing CMO performance and for enforcing the adherence to established standards. 2. DCH staff should analyze CMO activity reports to identify trends in CMO program integrity activity levels and outcomes. 3. DCH should establish performance standards related to the timeliness of investigation completion to ensure that associated overpayments remain eligible for recovery. 4. DCH should track overpayment recoveries resulting from program integrity actions. Case reports should then be analyzed by DCH to identify baseline investigation outcome measures and to develop performance goals related to CMO overpayment recovery.
Agency Response: DCH agreed with these recommendations. DCH's Program Integrity Unit "will analyze CMO activity reports to identify trends in CMO program activity levels and outcomes" including tracking reported overpayment recoveries resulting from program integrity actions and to identify baseline investigation outcome measures.
DCH also stated that it will "revise the CMO contracts to identify specific standards and goals regarding program integrity activities" including standards related to the timeliness of investigation completion to ensure that associated overpayments remain eligible for recovery and performance goals related to CMO overpayment recovery. The contract will also be revised to allow DCH to enforce adherence to these established standards.

Medicaid Managed Care Program Integrity

24

Finding 8:
Management should use quality
information to achieve the entity's objectives. Quality information is appropriate, current, complete, accessible,
and provided on a timely basis.

DCH does not ensure that information reported by CMOs regarding the number and status of CMO program integrity investigations is accurate or complete.
We identified significant discrepancies and missing information in the program integrity activity reports the CMOs are required to submit to DCH. Because DCH does not review the quality of these reports, the deficiencies we observed had not been identified or addressed by DCH management.
CMOs provide information regarding provider investigations to two DCH units in two separate reports.
Quarterly Fraud Reports: CMOs submit quarterly fraud reports to the DCH Managed Care Unit.
Quarterly Meeting Reports: CMOs submit quarterly meeting reports to the DCH Program Integrity Unit.
Both reports list CMO investigations, their current status, and their disposition. Because both reports are provided during the same time periods (on a quarterly basis), they should list the same investigations and indicate similar status and actions taken. However, as described below, we identified inconsistent and missing information when reviewing a sample of reports.
Report Discrepancies: We compared each CMO's quarterly fraud report to the quarterly meeting report for the fourth quarter of 2018 and identified 50 cases that were included on the quarterly fraud reports but not included on the quarterly meeting report. Because the DCH Program Integrity Unit uses the quarterly meeting report to inform other CMOs of potential cases of fraud and abuse, these omissions decrease the likelihood that other CMOs apply similar program integrity controls to these providers.
Missing Cases: We tracked cases reported in quarterly fraud reports submitted during calendar years 2017 through 2018 and found that 104 of 1,043 (10%) cases disappeared from one reporting period to the next without indication of closure. Cases were missing from three of the four CMOs' reports: 49 from CMO A, 36 from CMO B, and 19 from CMO C. Using CMO estimates reported on the quarterly fraud reports, these 104 missing cases involved $3.3 million in potentially improper payments. Because the cases did not reappear on subsequent reports, DCH does not have the necessary information to identify their outcome to determine whether the CMOs took appropriate action and recovered any funds.
Neither the Program Integrity Unit nor the Managed Care Unit identified that these 104 cases were missing.

Incomplete Overpayment Recovery Information: DCH does not require that CMOs consistently report when overpayments are recovered or the amount of recovered funds. Without this information, DCH lacks the information necessary to determine the effectiveness of CMO program integrity efforts.

Medicaid Managed Care Program Integrity

25

Based on our review of notes in calendar year 2017-2018 quarterly fraud reports, CMOs reported the overpayment recovery amount for only 78 (60%) of 130 cases. Additionally, when recovery amounts were included, the amounts were often embedded in text rather than in a separate field, which would enable more efficient tracking and analysis.
Incomplete and inaccurate information included in the quarterly fraud reports and quarterly meeting reports occurred due to inadequate coordination among DCH units. DCH is unlikely to discover these deficiencies because neither unit compares information from the two reports. In addition, neither unit tracks the progress of CMO cases from one reporting period to the next.
DCH also lacks a case management system that would enable staff to track and monitor program integrity cases. Although Program Integrity Unit staff enter basic case information such as the assigned case number, provider name, and CMO into their system, this information is not tied to the quarterly fraud reports or quarterly meeting reports and is not updated to include progress or status. The system also lacks the functionality necessary to produce basic management information, such as a list of open CMO cases.
RECOMMENDATIONS 1. DCH should consider eliminating the duplicate quarterly reports required of the CMOs. CMOs should report case information on one standard quarterly report. 2. If two reports are continued, DCH should review and compare quarterly fraud reports and quarterly meeting reports to identify potential discrepancies, gaps, and errors. 3. DCH should require CMOs to report potential and actual overpayment recoveries. This information should be included as a separate field in the quarterly fraud reports and quarterly meeting reports. 4. DCH should develop an information system which would enable program integrity to track each CMO's caseload.
Agency Response: DCH agreed with recommendations 1, 2 and 3. DCH stated that the Program Integrity Unit will evaluate the Quarterly Meeting Reports and Quarterly Fraud Reports and "will create a standard reporting tool to use across all Medicaid payers." In addition, DCH stated that it "will revise the CMO quarterly reports currently used to include potential and actual overpayments" noting that it "may need to revise the CMO contracts to address reporting standards."
DCH partially agreed with recommendation 4, explaining that the Program Integrity Unit "currently captures minimal CMO audit information within the Laserfiche and SharePoint software systems." However, DCH plans to" work with the Office of Information Technology to determine what is needed to enhance the current tracking capabilities."

Medicaid Managed Care Program Integrity

26

Finding 9:
Management should communicate with and obtain quality information from
external parties using established reporting
lines.
Management should periodically evaluate the entity's methods of communication so that the organization has the appropriate tools to communicate quality information
throughout and outside of the entity on a timely basis.

DCH does not ensure that it receives or communicates accurate and timely information regarding CMO fraud referrals or the status of CMO fraud investigations resulting in inadequate oversight of these cases.
Lapses in communication between DCH and the CMOs have led to inadequate oversight of investigations. We found that DCH does not communicate accurate or timely information to the CMOs regarding the status of Medicaid Fraud Control Unit investigations, resulting in the unnecessary delay of CMO actions. Due to this delay, providers received over $4.7 million in Medicaid payments during calendar years 2017 through 2019 without the additional oversight a CMO investigation would provide.
As shown in Exhibit 14, DCH has established a reporting structure in which it plays a role in the opening and closure of CMO investigations and serves as an intermediary between CMOs and the Medicaid Fraud Control Unit for fraud investigations. According to DCH staff, its involvement is necessary to ensure that CMO investigative actions do not impede ongoing Medicaid Fraud Control Unit investigations and that CMOs refer cases to the Medicaid Fraud Control Unit when credible allegations of fraud are apparent. However, we found that this reporting structure does not ensure that necessary case information is communicated to each of the involved parties.
According to the Medicaid Fraud Control Unit, CMOs have occasionally circumvented DCH by referring cases directly to them. Consequently, DCH lacks knowledge of these cases, which impedes its ability to properly track their status.
A CMO may be ordered to delay its administrative investigation into a provider if the Medicaid Fraud Control Unit is also investigating the provider. However, DCH does not have a process to notify CMOs when the Medicaid Fraud Control Unit rejects or closes its investigations. Therefore, DCH does not effectively inform CMOs when it is permissible to re-open their investigation and seek recovery of overpayments.

Medicaid Managed Care Program Integrity

27

Exhibit 14
Lapses in Communication Regarding CMO Cases Referred for Fraud Investigations

CMO

DCH

Medicaid Fraud Control Unit

Determines if

Opens Case

Provider Investigated

Current MFCU

by MFCU

investigation No Current

Investigation Delay/
Stand Down

Investigation Proceeds

MFCU investigation

CMOs have referred cases directly to MFCU

No Fraud Close Case?

Recommend Fraud Referral

Close Case/ Recover
Overpayment

No Fraud Referral

DCH does not inform CMO When MFCU Closes Case

Reviews For Potential

Refers Case

Fraud

Rejects Case

Reviews Referred
Case
Accepts Case

Informs DCH of Case
Rejection or Closure

Investigates

No Prosecution
Case Closed

Prosecution

Sources: DCH and Medicaid Fraud Control Unit Interview, Medicaid Fraud Control Unit data, DCH and CMO reports

Inadequate Tracking of Fraud Cases
DCH does not maintain a current and complete list of CMO fraud referrals or Medicaid Fraud Control Unit fraud cases. When DCH refers a CMO case to the Medicaid Fraud Control Unit, it adds the case to its fraud tracking report (which it uses to track fraud cases). On the quarterly fraud reports submitted to DCH, CMOs also identify cases that have been referred to the Medicaid Fraud Control Unit or are on hold due to a related Medicaid Fraud Control Unit case. DCH does not compare its fraud tracking report to the quarterly fraud reports to ensure that its list of fraud referrals is current and complete. In addition, DCH does not obtain information from the Medicaid Fraud Control Unit to ensure its tracking report or information reported in the CMO quarterly fraud reports is current and complete.
As shown in Exhibit 15, 31 of 78 (40%) cases CMOs reported on their calendar year 2017 and 2018 quarterly fraud reports as referred to the Medicaid Fraud Control Unit for suspected Medicaid fraud did not appear in DCH's tracking report, did not appear in the Medicaid Fraud Control Unit's database, or were missing from both. The discrepancies we identified in each stage of the fraud referral process are discussed below.
As shown in Exhibit 15 (Part B), we identified 31 cases that the CMOs reported as Medicaid Fraud Control Unit referrals but that did not show up

Medicaid Managed Care Program Integrity

28

in DCH's primary fraud referral tracking report. Upon our inquiry, DCH identified the status of 25 missing cases by searching through email correspondence with the CMOs; however, staff could not locate case information for six reported referrals.
We determined that 21 of the 31 cases missing from the DCH tracking report involved cases already under investigation by the Medicaid Fraud Control Unit and the CMO was directed to "stand down" so as not to disrupt the investigation. By excluding these cases from its tracking report, DCH is unable to effectively track when the related Medicaid Fraud Control Unit case closes and when to instruct the CMO to resume its investigation or to recover overpayments.
As shown in Exhibit 15 (Part C), six cases that were reported by the CMOs as Medicaid Fraud Control Unit referrals did not appear in the Medicaid Fraud Control Unit's database. For these cases, no party is actively investigating or recovering overpayments from the providers although CMOs identified potential fraudulent behavior. CMOs suspended additional investigation or recovery actions with the understanding that the Medicaid Fraud Control Unit was conducting investigations.
We found that five providers have continued to receive over $4.7 million in Medicaid payments after the CMO reported the referral in its calendar year 2017-2018 quarterly fraud reports. Although this total cannot be confirmed as fraudulent, no party (DCH, CMOs, or the Medicaid Fraud Control Unit) has subjected the providers to further scrutiny.

Medicaid Managed Care Program Integrity

29

Exhibit 15
DCH Failed to Identify and Manage all CMO Fraud Referrals, Calendar Years 2017-2018

CMOs Referred Fraud Cases (Part A)

DCH s Case Tracking Report (Part B)

Medicaid Fraud Control Unit s Case Database (Part C)

The CMOs Quarterly Fraud Reports from calendar years 2017-2018 listed 78 cases as fraud referrals

21 Cases Not on Tracking Report: CMOs requested to open case but were instructed by DCH to stand down due to other CMO s or FeeFor-Service program s existing fraud case on provider.
4 Cases Not on Tracking Report: DCH confirmed it referred case to the Medicaid Fraud Control Unit but mistakenly excluded the case from the report.
6 Cases Not on Tracking Report: DCH had no record of these CMO case referrals.

! !!!!
!

! !!

6 Cases Not in Medicaid Fraud Control Unit Data: Medicaid Fraud Control Unit had no record of referrals for these providers
25 Cases in Medicaid Fraud Control Unit Data: Medicaid Fraud Control Unit had a record of a case for the associated provider.

Source: CMO Quarterly Fraud Reports, DCH Tracking Report, Medicaid Fraud Control Unit Database; compiled by DOAA

Medicaid Managed Care Program Integrity

30

RECOMMENDATIONS 1. DCH should develop an information system that would enable program integrity staff to track cases referred to the Medicaid Fraud Control Unit. Email correspondence should be eliminated as a primary means to track case status. 2. DCH should issue notices to CMOs when Medicaid Fraud Control Unit investigations have concluded, which would enable the CMOs to resume their investigations and recover any associated overpayments.
Agency Response: DCH partially agreed with recommendation 1. DCH "currently captures minimal CMO audit information within the Laserfiche and SharePoint software systems." However, DCH plans to "work with the Office of Information Technology to determine what is needed to enhance the current tracking capabilities."
DCH agreed with recommendation 2. DCH's Program Integrity Unit is planning to "formalize a process to track and notify CMOs when the Medicaid Fraud Control Unit has concluded an investigation into fraudulent activity." DCH explained that this "process will enable the CMOs to effectively continue the administrative review and to pursue potential and actual overpayments."

Finding 10:

DCH does not monitor CMO cases to ensure that actions, including fraud referrals, are made within the statutory time limits for administrative recovery of improper provider payments, resulting in the forfeiture of approximately $1.4 million in estimated recoverable funds.

DCH does not monitor CMO case status to ensure that all actions, including claims audits and fraud referrals, occur within the time frame allowed by state law (generally 18 to 24 months) for administrative recovery of overpayments. In addition, DCH does not track the status of Medicaid Fraud Control Unit investigations to identify any CMO cases at risk of aging out of eligibility for administrative recovery.

As shown in Exhibit 16, of the 47 CMO cases DCH reported as being referred for fraud investigations during calendar years 2017 and 2018, the Medicaid Fraud Control Unit closed 26 (55%) without civil or criminal prosecution after the statutory eligibility for administrative recovery had expired. For over 75% of these cases (20 of the 26), the statutory time limit expired prior to the Medicaid Fraud Control Unit referral. Consequently, $1.4 million in potential improper payments identified by the CMOs can no longer be recovered.

Medicaid Managed Care Program Integrity

31

Exhibit 16
$1.4 Million in Potential Medicaid Overpayments Cannot Be Recovered Due to Fraud Referrals and Investigations Exceeding Statutory Time Limits, Calendar Years 2017-2018

47 Fraud Referrals

Closed/No Prosecution (33 Cases)

Medicaid Fraud Control Unit Case
Status

Active (14 Cases)

CMO Exceeded Lookback Period (20 Cases)
Av g. 35 months to MFCU Referral
$1,137,237 could not be
recovered

Medicaid Fraud Control Unit
Exceeded Lookback Period
(6 Cases)
Av g. 24 months from Referral to Closure

Lookback Not Exceeded (7 Cases)
Av g. 14 months from Case Start to MFCU
Closure

$261,363 could not be
recovered

$111,711 Potentially eligible for recovery

CMO Exceeded Lookback Period (3 Cases)
Av g. 28 months to MFCU Referral

Medicaid Fraud Control Unit Exceeded Lookback Period (11 Cases)
Active Cases

$422,720 Recovery Requires Medicaid Fraud Control
Unit Prosecution

$332,336 Recovery Requires Medicaid Fraud Control
Unit Prosecution

Sources: CMO Quarterly Fraud Reports, Medicaid Fraud Control Unit case data, Medicaid Claims data
Georgia's Managed Health Care Plans statute (O.C.G.A. 33-20A-62) restricts the amount of time health plans may audit claims and recover overpayments in the managed care environment, including the Medicaid program. Consequently, CMOs are generally limited to 18 to 24 months from the date of service to recover overpayments using administrative actions such as claims audits. Any recovery after this "look back" period must be accomplished through civil or criminal prosecution of Medicaid fraud based on the Georgia False Medicaid Claims Act or the Georgia Medical Assistance Act.

Medicaid Managed Care Program Integrity

32

Statutory "Look Back" Time Limitation for Managed Care Provider Audits and Overpayment Recoveries
For claims submitted within 90 days of the date of service:
Health Plans have 12 months from the last date of service to inform a provider of an intent to conduct a post-payment audit and 18 months from the last date of service to complete the audit and inform the provider of the outcome.
For claims submitted after 90 days of the date of service:
Health Plans have 12 months from the claim submission date to inform a provider of an intent to conduct a post-payment audit and the sooner of 18 months from the claim submission date or 24 months from the last date of service to complete the audit and inform the provider of the outcome.

Because provider overpayments do not always warrant civil or criminal prosecution, Georgia's "look back" time limitation for managed care plans can indirectly reduce the recovery of Medicaid overpayments when the referral and investigative process exceeds these limits. Additionally, Georgia Medicaid Program's managed care health plans are limited to a shorter time frame for claims audits and administrative recoveries than Georgia's Medicaid Fee for Service (Fee-For-Service) Program. For its Fee-For-Service program, DCH has three years from the claims' dates of service to audit and recover funds through an administrative process, whereas Medicaid CMOs have only 18 to 24 months.
As shown in Exhibit 17, we identified four other states that have managed care laws restricting audit and recovery time frames similar to Georgia's, but they exempt Medicaid operations from these time frames. Other states also provide longer time periods to conduct program integrity audits.

Medicaid Managed Care Program Integrity

33

Exhibit 17

Other States Exclude Their Medicaid Programs from Legislation that Limits the Time Permitted for Managed Care Overpayment Recoveries

South Carolina

SC Code 38-71-1810. Pharmacy audit rights Pharmacies have the right to have the period covered by an audit limited to 24 months from the date a claim was submitted to, or adjudicated by a managed care organization (MCO) or other entity.
SC Code 38-71-1840. Exemptions This article does not apply to an investigation: (1) that involves alleged insurance fraud or abuse, Medicare fraud or abuse, or other fraud or misrepresentation; or (2) conducted by or on the behalf of the Department of Health and Human Services in the performance of its duties in administering Medicaid under Titles XIX and XXI of the Social Security Act.

New York

Insurance law ISC 3224-b "(3) A health plan shall not initiate overpayment recovery efforts more than twenty-four months after the original payment was received by a health care provider. However, no such time limit shall apply to overpayment recovery efforts that are: (i) based on a reasonable belief of fraud or other intentional misconduct, or abusive claims, (ii) required by, or initiated at the request of, a self-insured plan, or (iii) required or authorized by a state or federal government program or coverage that is provided by this state or a municipality thereof to its respective employees, retirees or members."

Texas

"TIC 1211.001 requires the Commissioner of Insurance to exempt Medicaid if, after consulting with the Commissioner of Health and Human Services (HHSC), he determines that the prompt pay provisions would have a negative fiscal impact on the Medicaid program. The Commissioner of HHSC has indicated that the bill would have a negative fiscal impact. Consequently, the Commissioner of Insurance has adopted rules exempting traditional Medicaid and Medicaid HMO plans from the prompt pay provisions"

Tennessee

(Explanation of TIC 1211.001 on Texas Dept. of Insurance website) Tennessee Code Title 56. Insurance 56-7-110 (k)(1) "This section shall not interfere or otherwise repeal the following...The authority of the TennCare bureau to collect overpayments made to providers more than eighteen (18) months from the date that the MCO paid the claim if discovered and verified by the bureau pursuant to an audit of an MCO;"

RECOMMENDATIONS
1. The General Assembly should consider exempting the CMOs' operations from O.C.G.A. 33-20A-62 to allow CMOs more time to conduct postpayment audits and recover associated overpayments. As in other states, DCH could facilitate Medicaid managed care audits and recoveries according to the time frames that currently exist for DCH in Fee-For-Service Medicaid (i.e., three years).
2. DCH should implement procedures to monitor the status of CMO cases to ensure that all actions, including claims audits and fraud referrals, occur within the time frame allowed by state law for administrative recovery of overpayments.
3. DCH should implement procedures to track the status of Medicaid Fraud Control Unit investigations to identify any CMO cases at risk of aging out of eligibility for administrative recovery and to request that the Medicaid Fraud Control Unit expedite their prosecution decision.

Medicaid Managed Care Program Integrity

34

Agency Response: DCH agreed with recommendation 2. DCH's Program Integrity Unit "will develop a process to monitor the status of CMO cases to ensure that all actions occur within the time frame allowed by state law for administrative recovery of overpayments." DCH further stated that it "may need to revise the CMO contracts to ensure oversight of audits and referral actions occur within time constraints imposed by state law."
DCH partially agreed with recommendation 3. DCH stated it currently monitors the timeliness of Fee-For-Service cases referred to the Medicaid Fraud Control Unit. However, DCH stated that the Program Integrity Unit "will begin monitoring the timeliness of CMO referrals to ensure that audits at risk of aging out of eligibility for administratively recovery are addressed. Based on the severity and complexity of the case, the Medicaid Fraud Control Unit may not elect to expedite its decision."

Finding 11:

DCH does not ensure that CMOs monitor their subcontractors' performance in preventing, detecting, and recovering improper Medicaid payments.

Subcontract: Any written contract between the CMO and a third party to perform a specified part of the CMO's obligations under the state/DCH contract

DCH is unable to verify that CMOs monitor their subcontractors4 to ensure they are adequately detecting, preventing, and/or addressing improper Medicaid payments. DCH does not ensure that CMO subcontracts contain performance standards and penalties for non-compliance related to program integrity. In addition, although DCH requires CMOs to conduct periodic reviews of subcontractor performance, it does not obtain or review evidence of such reviews. As a result, we found that reported subcontractor program integrity activity levels appear low in comparison to the proportion of Medicaid claims they administer.
Federal Medicaid regulation (CFR 438.608) requires DCH, through its contract with each CMO, to require that each CMO or its subcontractors implement and maintain procedures designed to detect and prevent fraud and abuse. The regulation outlines specific program integrity activity and reporting responsibilities for which CMOs are responsible, regardless of whether they were delegated to a subcontractor. We found that DCH's contract with each CMO stipulates that all contracts between CMOs and subcontractors should be in writing, specify responsibilities (including program integrity), and include sanctions for non-performance. The DCH contract also requires that CMOs monitor the performance of their subcontractors.

Although DCH requires that CMO subcontracts outline program integrity responsibilities and include sanctions for non-performance, DCH does not review the CMO subcontracts to ensure they include these elements. None of the subcontracts we reviewed included program integrity provisions such as

requirements for policies and procedures to identify, investigate, and refer suspected cases of fraud and abuse to the CMO; and

4 Subcontractors are entities contracted by a CMO to manage one or more of the service areas the CMO is required to provide under the DCH Georgia Families contract. Such service areas may include but are not limited to dental, vision, or pharmacy services.

Medicaid Managed Care Program Integrity

35

penalties for non-compliance related to inadequate policies, procedures, activities, or recoveries associated with fraud and abuse.
Only 2 of the 12 subcontracts reviewed included requirements for periodic reporting of program integrity investigative activities or recoveries associated with fraud and abuse.
DCH does not obtain the information necessary to determine whether CMOs are adequately monitoring the performance of their subcontractors in relation to program integrity responsibilities. Although the DCH contract with CMOs requires CMOs to periodically monitor their subcontractors, it does not review the monitoring reports to determine whether the reviews cover program integrity issues.
This lack of oversight may lead to the apparent low program integrity activity levels we observed in quarterly CMO reporting. The Quarterly Fraud Reports submitted by each CMO includes subcontractors' investigations, terminations, and recoveries associated with fraud and abuse. We found instances in which the percent of these activities associated with services delegated to subcontractors appears low in comparison to the proportion of Medicaid payments they administer. For example, as shown in Exhibit 18, for each of the three CMOs the proportion of program integrity cases related to pharmacy services was lower than the proportion of payments.
Exhibit 18
The Proportion of Program Integrity Cases Associated with Pharmacy Services is Lower than the Proportion of Associated Payments, Fiscal Year 2018

Sources: DCH Medicaid Claims data and CMO quarterly fraud reports
In addition to program integrity cases, other program integrity activities appeared low. None of the prepayment reviews reported in the CMO Quarterly Fraud Reports were associated with pharmacy, vision, or dental services--services typically delegated to subcontractors. During fiscal year 2018, none of the CMOs reported

Medicaid Managed Care Program Integrity

36

involuntarily terminating network contracts for pharmacy providers, and three of the four CMOs reported no involuntary terminations for vision or dental providers.
RECOMMENDATIONS 1. DCH should implement procedures to ensure that the contract documents contain necessary program integrity activity and reporting requirements. 2. DCH should implement procedures to review program integrity activity information reported by CMOs for indicators confirming CMOs' subcontractors are conducting a satisfactory level of program integrity activities.
Agency Response: DCH agreed with these recommendations. DCH "will revise the CMO contracts to require CMO contracts with subcontractors to include the necessary program integrity activity and reporting requirements." In addition, DCH's Program Integrity Unit "will develop a process to review the program integrity activity information reported by CMOs for indicators confirming CMOs' subcontractors are conducting satisfactory levels of program integrity activities."

Medicaid Managed Care Program Integrity

37

Appendix A: Table of Recommendations

Finding #1: Program integrity efforts are fragmented and uncoordinated among various DCH units and its CMOs, which increases the risk of undetected and unrecovered improper payments. (p. 8)
1. DCH should assess and address risk of questionable payments in the Medicaid program utilizing an enterprise perspective that encompasses all organizational units, including Fee-For-Service and the four CMOs.

2. DCH should assign responsibility for program integrity to a single party. This assignment would provide the discipline and structure necessary to coordinate and guide program integrity efforts.

Finding #2: DCH does not analyze payment trends for providers across all Medicaid payers once questionable claims patterns indicative of fraud or abuse are identified. (p. 8)
3. Once a pattern of questionable claims is identified, DCH should analyze payment trends for providers across all Medicaid payers to identify whether corrective actions should be taken.

Finding #3: DCH does not notify CMOs of providers DCH has identified as a potential risk for submission of questionable claims. (p. 11)
4. DCH should inform CMOs of the providers it identifies with questionable claims practices to enable CMOs to implement timely detective and preventive controls.

Finding #4: DCH does not ensure that all payers analyze claims data for providers placed on prepayment reviews by one payer to determine if the other payers should take similar actions. (p. 12)
5. DCH should revise its CMO contract to allow DCH to direct CMOs to conduct improper billing risk assessments for providers who have been identified as risks by other payers and placed on prepayment reviews to determine if they should take similar action.

Finding #5: DCH does not ensure that Fee-For-Service and CMOs review claims data for providers investigated by other payers to determine if they should also investigate. (p.15)
6. DCH should revise its CMO contract to require that CMOs assess the risk of improper billing practices for providers who have been investigated by other CMOs or the Fee-For-Service program to determine if they should open an investigation.

Finding #6: DCH does not ensure CMOs consistently report the termination of provider contracts due to concerns of program abuse or non-compliance. (p.19)
7. DCH should revise its CMO contract to clearly define when and how the CMOs should report terminations related to fraud, integrity, and quality issues to DCH.

8. DCH should develop a framework that allows for the informal communication of provider terminations made as a result of program integrity concerns, but not categorized as such by the CMOs. Such communication would alert DCH to assess its risk associated with these providers.

Finding #7: DCH has not defined acceptable levels of CMO program integrity activity or developed objectives for determining whether CMOs' activities are effective in identifying and preventing improper payments (p.20)

Medicaid Managed Care Program Integrity

38

9. DCH should clearly define standards or goals related to each CMO's program integrity activity levels. These goals should be included in the CMO contracts to provide the necessary foundation for assessing CMO performance and for enforcing the adherence to established standards.
10. DCH staff should analyze CMO activity reports to identify trends in CMO program integrity activity levels and outcomes.
11. DCH should establish performance standards related to the timeliness of investigation completion to ensure that associated overpayments remain eligible for recovery.
12. DCH should track overpayment recoveries resulting from program integrity actions. Case reports should then be analyzed by DCH to identify baseline investigation outcome measures and to develop performance goals related to CMO overpayment recovery.
Finding #8: DCH does not ensure that information reported by CMOs regarding the number and status of CMO program integrity investigations is accurate or complete. (p. 24)
13. DCH should consider eliminating the duplicate quarterly reports required of the CMOs. CMOs should report case information on one standard quarterly report.
14. If two reports are continued, DCH should review and compare quarterly fraud reports and quarterly meeting reports to identify potential discrepancies, gaps, and errors.
15. DCH should require CMOs to report potential and actual overpayment recoveries. This information should be included as a separate field in the quarterly fraud reports and quarterly meeting reports.
16. DCH should develop an information system which would enable program integrity to track each CMO's caseload.
Finding #9: DCH does not ensure that it receives or communicates accurate and timely information regarding CMO fraud referrals or the status of CMO fraud investigations resulting in inadequate oversight of these cases. (p.26)
17. DCH should develop an information system that would enable program integrity staff to track cases referred to the Medicaid Fraud Control Unit. Email correspondence should be eliminated as a primary means to track case status.
18. DCH should issue notices to CMOs when Medicaid Fraud Control Unit investigations have concluded, which would enable the CMOs to resume their investigations and recover any associated overpayments.
Finding #10: DCH does not monitor CMO cases to ensure that actions, including fraud referrals, are made within the statutory time limits for administrative recovery of improper provider payments, resulting in the forfeiture of approximately $1.4 million in estimated recoverable funds. (p.30)
19. The General Assembly should consider exempting the CMOs' operations from O.C.G.A. 33-20A-62 to allow CMOs more time to conduct post-payment audits and recover associated overpayments. As in other states, DCH could facilitate Medicaid managed care audits and recoveries according to the time frames that currently exist for DCH in Fee-For-Service Medicaid (i.e., three years).

Medicaid Managed Care Program Integrity

39

20. DCH should implement procedures to monitor the status of CMO cases to ensure that all actions, including claims audits and fraud referrals, occur within the time frame allowed by state law for administrative recovery of overpayments.
21. DCH should implement procedures to track the status of Medicaid Fraud Control Unit investigations to identify any CMO cases at risk of aging out of eligibility for administrative recovery and to request that the Medicaid Fraud Control Unit expedite their prosecution decision.
Finding #11: DCH does not ensure that CMOs monitor their subcontractors' performance in preventing, detecting, and recovering improper Medicaid payments. (p.34)
22. DCH should implement procedures to ensure that the contract documents contain necessary program integrity activity and reporting requirements.
23. DCH should implement procedures to review program integrity activity information reported by CMOs for indicators confirming CMOs' subcontractors are conducting a satisfactory level of program integrity activities.

Medicaid Managed Care Program Integrity

40

Appendix B: Objectives, Scope, and Methodology
Objectives
This report examines program integrity activities associated with Medicaid and PeachCare managed care, referred to as the Georgia Families program, within the Medical Assistance Plans Division of the Georgia Department of Community Health (DCH). Specifically, the audit examines the extent to which
1. DCH has included adequate program integrity provisions in its contract with managed care organizations (CMOs) and ensures CMOs comply with these requirements,
2. DCH utilizes Medicaid managed care encounter data to detect potential acts of fraud, abuse, or overpayments in the Medicaid managed care program and refers identified cases to the CMOs for action,
3. DCH coordinates activities and actions of all payment providers, 4. DCH ensures CMOs adequately monitor their subcontractor's performance
in completing program integrity responsibilities, and 5. the Medicaid Fraud Control Unit referral process maximizes the
identification and recovery of managed care provider overpayments.
Scope
This audit generally covered activity related to Medicaid managed care program integrity that occurred during calendar years 2017-2018 with consideration of earlier or later periods when relevant. Information used in this report was obtained by reviewing relevant laws, rules, and regulations, interviewing agency officials and staff from DCH and other state agencies as necessary; analyzing data from the Medicaid claims database and from the Medicaid Fraud Control Unit's case management system; and, analyzing CMO activity reports.
The primary data set used to inform our objectives was the Georgia Medicaid Management Information System (GAMMIS) which is a database that includes a record of all Medicaid FFS claims and CMO encounter records. DOAA obtains and maintains a monthly feed of this data directly from DCH's fiscal agent DXC/HP. DOAA staff test the upload and test the data on a regular and continual basis. In addition, DCH ensures data reliability through its contract with Myers & Stauffer who conducts annual testing tracing the FFS claims data to source documents such as medical records. Myers & Stauffer also conducts routine reviews of managed care encounter data submitted by CMOs to the GAMMIS to ensure that data in the CMO claims system matches data submitted by CMOs to GAMMIS. We have determined that the data is sufficiently reliable for our analyses.
Government auditing standards require that we also report the scope of our work on internal control that is significant within the context of the audit objectives. All of the objectives address aspects of DCH's internal control structure in relation to managing and/or oversight of the program integrity actions and activities of CMOs. Specific information related to the scope of our internal control work is described by objective in the methodology section below.

Medicaid Managed Care Program Integrity

41

Methodology
To determine if DCH has included adequate program integrity provisions in its contract with managed care organizations (CMOs) and ensures CMOs comply with these requirements, we reviewed federal and state laws and regulations specifying the state's responsibility for ensuring the integrity of the Medicaid program, include activities contracted to CMOs. We interviewed agency staff to identify the department's methods for establishing program integrity provisions in contracts and for monitoring CMOs compliance with these provisions. We reviewed federal audits of Georgia's Medicaid program integrity program, including an audit specifically related to managed care, to identify contract standards and to assess the adequacy of DCH's CMO contracts. We reviewed CMO contracts to identify previous and current program integrity provisions. This information supports the Background section and Findings 3,4,5, 7, 8 and 10.
To determine the extent to which DCH utilizes Medicaid managed care encounter data to detect potential acts of fraud, abuse, or overpayments in the Medicaid managed care program and refers identified cases to the CMOs for action, we interviewed DCH staff including those in the Program Integrity Unit and the Data Analytics and Investigation Unit (DAIU) about how and how often encounter data is analyzed and if and/or how cases are referred to CMOs. We reviewed case listings from these units to identify providers identified as risks by DCH through claims/encounter analyses. We reviewed CMO case listings to identify providers identified as risks by CMOs. We analyzed Medicaid claims and encounter data to calculate the potential amount of funds at risk due to the lack of information sharing between DCH and CMOs. These analyses involved identifying the amount of Medicaid payments made by CMOs after providers had been identified as risks by DCH. Similar analyses were made to identify DCH Medicaid payments made after CMOs identified providers as risks. During these analyses, we identified a provider with claims billing patterns indicative of fraud. We referred this provider to the Medicaid Fraud Control Unit. This information supports Findings 2-5.
DCH coordinates activities and actions of all payment providers, we interviewed DCH staff about if and how DCH coordinates its program integrity actions with those of the CMOs. We compared program integrity actions applied by DCH for specific providers with the actions applied by CMOs. We analyzed trends of Medicaid/PeachCare claims payments by the DCH FFS program and each CMO for these providers to assess the degree to which the lack of coordination affected the program's ability to prevent and detect overpayments across Medicaid/PeachCare payers. Findings 2 through 7.
To determine if DCH ensures CMOs adequately monitor their subcontractor's performance in completing program integrity responsibilities, we reviewed federal and state laws and regulations regarding CMO program integrity responsibilities for services delegated to vendors/subcontractors. We reviewed CMO contracts to identify contractual responsibilities related to ensuring subcontractors provide program integrity services. We interviewed DCH staff about their role in approving CMO subcontracts and monitoring CMOs efforts to manage subcontractor performance. We obtained and reviewed several CMO subcontracts to determine if they contained program integrity language. We reviewed quarterly fraud reports submitted by CMOs to DCH to assess subcontractor program integrity activity levels. This information supports Finding 11.

Medicaid Managed Care Program Integrity

42

To determine the extent to which the Medicaid Fraud Control Unit (MFCU) referral process maximizes the identification and recovery of managed care provider overpayments, we reviewed federal and state laws and regulations regarding fraud referrals for civil and criminal prosecution. We interviewed DCH and MFCU staff to gain an understanding of the fraud referral process for managed care cases. We analyzed managed care case data from the MFCU case management system to identify referral timeliness, case acceptance rates, prosecution rates, and overpayment recovery rates. We also obtained managed care case referral information from DCH through records including quarterly fraud reports and meeting reports. We analyzed Medicaid claims and encounter data to calculate the amount of payments that were made after CMO fraud referrals. This information supports Findings 9 and 10.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Medicaid Managed Care Program Integrity

43

Appendix C: Current DCH Organization Chart

DCH Commissioner

Chief Health Policy Officer
Executive Director Medical Assistance Plans
Deputy Executive Director Service Delivery & Administration
Managed Care Services & Compliance (10 positions)
Source: DCH documents

Chief Compliance and Technology Officer
Inspector General Office of Inspector General
Director Program Integrity

Intake & Analytics (12 positions)

Review & Investigation (14 positions)

The Performance Audit Division was established in 1971 to conduct in-depth reviews of state-funded programs. Our reviews determine if programs are meeting goals and objectives; measure program results and effectiveness; identify alternate methods to meet goals; evaluate efficiency of resource allocation; assess compliance with laws and regulations; and provide credible management information to decision makers. For more information, contact
us at (404)656-2180 or visit our website at www.audits.ga.gov.