Skip Main Navigation
Office of Management and Budget
President's Budget
Management
Information &
Regulatory Affairs
Legislative Information
Agency Information

DEPARTMENT OF HEALTH AND HUMAN SERVICES

CFDA 93.778 MEDICAL ASSISTANCE PROGRAM (Medicaid; TITLE XIX)
CFDA 93.775 STATE MEDICAID FRAUD CONTROL UNITS
CFDA 93.777 STATE SURVEY AND CERTIFICATION OF HEALTH CARE PROVIDERS AND SUPPLIERS

Note: In accordance with OMB Circular A-133, §___.525(c)(2), when the auditor is using the risk-based approach for determining major programs, the auditor should consider that HHS has identified the Medicaid Assistance Program as a program of higher risk. While not precluding an auditor from determining that the Medicaid Cluster qualifies as a low-risk program (e.g., because prior audits have shown strong internal controls and compliance with Medicaid requirements), this identification by HHS should be considered as part of the risk assessment process.

I. PROGRAM OBJECTIVES

Medical Assistance Program

The objective of the Medical Assistance Program (Medicaid or Title XIX of the Social Security Act, as amended, (42 USC 1396, et seq.)) is to provide payments for medical assistance to low-income persons who are age 65 or over, blind, disabled, or members of families with dependent children or qualified pregnant women or children.

State Medicaid Fraud Control Units

The objective of the State Medicaid Fraud Control Units is to control provider fraud in the Medicaid program. The State Medicaid Fraud Control Unit's grant application contains the organization, administration, agreements, and procedures for the unit. Federal requirements are contained in 42 CFR part 1007. This unit is separate and distinct from the State Medicaid agency.

State Survey and Certification of Health Care Providers and Suppliers

The objective of the State Survey and Certification of Health Care Providers and Suppliers program is to determine whether the providers and suppliers of health care services under the Medicaid program are in compliance with regulatory health and safety standards and conditions of participation. This program is administered in a manner similar to Medicaid and includes an approved State plan which addresses Federal requirements.

Even though the State Medicaid Fraud Control Units and State Survey and Certification of Health Care Providers and Suppliers have substantially less Federal expenditures than the Medicaid Assistance Program, they are clustered with Medicaid because these programs provide significant controls over the expenditures of Medicaid funds. It is unlikely that the expenditures for these two programs would be material to the Medicaid cluster, however noncompliance with the requirements to administer these controls may be material.

II. PROGRAM PROCEDURES

The following paragraphs are intended to provide a high-level, overall description of how Medicaid generally operates. It is not practical to provide a complete description of program procedures because Medicaid operates under both Federal and State laws and regulations and States are afforded flexibility in program administration. Accordingly, the following paragraphs are not intended to be used in lieu of or as a substitute for the Federal and State laws and regulations applicable to this program.

Authoritative Sources

The auditor is expected to use the applicable laws and regulations (including the applicable State approved plan) when auditing this program. The Federal law that authorizes these programs is Title XIX of the Social Security Act (Title XIX), enacted in 1965 and subsequently amended (42 USC 1396, et seq.). The Federal regulations applicable to the Medicaid program are found in 42 CFR parts 430 through 456, 1002, and 1007.

Administration

The U.S. Department of Health and Human Services' (HHS) Health Care Financing Administration (HCFA) administers the Medicaid program in cooperation with State governments. The Medicaid program is jointly financed by the Federal and State governments and administered by the States. For purposes of this program, the term "State" includes the 50 States, the District of Columbia, and five U.S. territories: Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands. Medicaid operates as a vendor payment program, with States paying providers of medical services directly. Participating providers must accept the Medicaid reimbursement level as payment in full. Within broad Federal rules, each State decides eligible groups, types and range of services, payment levels for services, and administrative and operating procedures.

State Plans

States administer the Medicaid program under a State plan approved by HCFA. The Medicaid State plan is a comprehensive written statement submitted by the State Medicaid agency describing the nature and scope of its Medicaid program. A State plan for Medicaid consists of preprinted material that covers the basic requirements, and individualized content that reflects the characteristics of each particular State's program. The State plan is referenced to the applicable Federal regulation for each requirement and will also contain references to applicable State regulations.

The State plan contains all information necessary for HCFA to determine whether the State plan can be approved to serve as a basis for determining the level of Federal financial participation in the State program. The State plan must specify a single State agency (hereinafter referred to as the "State Medicaid agency") established or designated to administer or supervise the administration of the State plan. The State plan must also include a certification by the State Attorney General which cites the legal authority for the State Medicaid agency to determine eligibility.

The State plan also specifies the criteria for determining the validity of payments disbursed under the Medicaid program. This encompasses the system the State will use to ensure that payments are disbursed only to eligible providers for appropriately-priced services that are covered by the Medicaid program and provided to eligible beneficiaries. Payments must also be based on claims that are adequately supported by medical records, and payments not be duplicated.

A State plan or plan amendment will be considered approved unless HCFA sends the State written notice of disapproval or a request for additional information within 90 days after receipt of the State plan or plan amendment. Copies of the State plan are available from the State Medicaid agency.

Waivers

The State Medicaid agency may apply for a waiver of Federal requirements. Waivers are intended to provide the flexibility needed to enable States to try new or different approaches to the efficient and cost-effective delivery of health care services, or to adapt their programs to the special needs of particular areas or groups of beneficiaries. Waivers allow exceptions to State plan requirements and permit a State to implement innovative programs or activities on a time-limited basis, and are subject to specific safeguards for the protection of beneficiaries and the program.

Actions that States may take if waivers are obtained include: (1) implement a primary care case-management system or a specialty physician system; (2) designate an entity to act as a central broker in assisting Medicaid beneficiaries to choose among competing health care plans; (3) share with beneficiaries (through the provision of additional services) cost-savings made possible through the beneficiaries' use of more cost effective medical care; (4) limit beneficiaries' choice of providers to providers that fully meet reimbursement, quality, and utilization standards, which are established under the State plan and are consistent with access, quality, and efficient and economical furnishing of care; (5) include as "medical assistance," under its State plan, home and community-based services furnished to beneficiaries who would otherwise need inpatient care that is furnished in a hospital, skilled nursing facility (SNF), or intermediate care facility (ICF), and is reimbursable under the State plan; and, (6) impose a deduction, cost-sharing or similar charge of up to twice the "nominal charge" established under the State plan for outpatient services for certain nonemergency services. A State may also obtain a waiver of statutory requirements to provide an array of home and community-based services which may permit an individual to avoid institutionalization (42 CFR part 441 subpart G). Depending on the type of requirement being waived, a waiver may be effective for initial periods ranging from two to three years, with varying renewal periods. Copies of waivers are available from the State Medicaid agency.

Payments to States

Once HCFA has approved a State plan and waivers, it makes quarterly grant awards to the State to cover the Federal share of Medicaid expenditures for services, training, and administration. The amount of the quarterly grant is determined on the basis of information submitted by the State Medicaid agency (in quarterly estimate and quarterly expenditure reporting). The grant award authorizes the State to draw Federal funds as needed to pay the Federal financial participation portion of qualified Medicaid expenditures. The HHS Payment Management System Division of Payment Management (PMS-DPM) in Rockville, MD disburses Federal funds to States including funding under Medicaid. Currently, all States use a system developed by HHS called SMARTLINK to request funds on an as needed basis. States may use one of two payment mechanisms which are linked to SMARTLINK: (1) wire transfers through the Automated Clearinghouse in conjunction with the Federal Reserve Bank, which is settled the day after the request date, or (2) FEDWIRE transfers through the U.S. Department of the Treasury, which is a same day payment mechanism. The payment method is selected by the State and approved by the U.S. Department of the Treasury and HHS before payments are made through either mechanism. States report cash activity to PMS-DPM with a quarterly Cash Transactions Report (PMS-272).

State Expenditure Reporting

Thirty days after the end of the quarter, States electronically submit form HCFA-64 , "Quarterly Statement of Expenditures for the Medical Assistance Program." The HCFA-64 presents expenditures and recoveries and other items that reduce expenditures for the quarter and prior period expenditures. The amounts reported on the HCFA-64 and its attachments must be actual expenditures for which all supporting documentation, in readily reviewable form, has been compiled and is available immediately at the time the claim is filed. States use the Medicaid Budget and Expenditure System to electronically submit the HCFA-64 directly to HCFA.

Eligibility

Eligibility for Medicaid is based primarily on income and resources. The States must provide services to mandatory categorically needy and other required special groups (e.g., individuals receiving Aid to Families With Dependent Children (AFDC), Temporary Assistance for Needy Families (TANF), or Supplemental Security Income (SSI)). States may provide coverage to members of optional groups who do not receive cash assistance (e.g., individuals who would be eligible for but are not receiving AFDC) and medically needy individuals (individuals who are eligible for Medicaid after deducting large medical expenditures from their income). Eligibility criteria will be specified in the individual State plan.

Under the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, the cash welfare program known as AFDC was repealed and replaced with block grants to States known as TANF. Under the old AFDC law, children and parents who received cash welfare were automatically enrolled in the Medicaid program. While the new law eliminates the entitlement to welfare, access to Medicaid for children and parents who would have met the State's old AFDC income and asset standards in place on July 16, 1996 has been preserved--whether or not these individuals are eligible for the new TANF system (P.L. 104-193).

States must provide limited Medicaid coverage for "qualified Medicare beneficiaries." These are aged and disabled persons who are receiving Medicare, whose income is below 100 percent of the Federal poverty level, and whose resources do not exceed twice the allowable amount under SSI (42 CFR section 407.40).

The State plan will specify if determinations of eligibility are made by agencies other than the State Medicaid agency and will define the relationships and respective responsibilities of the State Medicaid agency and the other agencies. The application process includes completing and filing an application form, being interviewed, and having information verified. The State plan must also provide that the State Medicaid agency will maintain individual records on each applicant and Medicaid beneficiary including: date of application, date and basis for disposition, facts essential to determination of initial and continuing eligibility, provision of medical assistance, and basis for discontinuing assistance.

Services

Medicaid expenditures include medical assistance payments for eligible recipients for such services as hospitalization, prescription drugs, nursing home stays, outpatient hospital care, and physicians' services, and expenditures for administration and training. In order for a medical assistance payment to be considered valid, it must comply with the requirements of Title XIX, as amended, (42 USC 1396, et seq.) and implementing Federal regulations. Determinations of payment validity are made by individual States in accordance with approved State plans under broad Federal guidelines.

Some States have managed care arrangements under which the State enters into a contract with an entity, such as an insurance company, to arrange for medical services to be available for beneficiaries. The State pays a fixed rate per person (capitation rate) without regard to the actual medical services utilized by each beneficiary.

Also, Medicaid expenditures include administration and training, the State Survey and Certification Program, and State Medicaid Fraud Control Units.

Control Systems

Utilization Control and Program Integrity

The State plan must provide methods and procedures to safeguard against unnecessary utilization of care and services, including those provided by long term care institutions. In addition, the State must have: (1) methods of criteria for identifying suspected fraud cases; (2) methods for investigating these cases; and, (3) procedures, developed in cooperation with legal authorities, for referring suspected fraud cases to law enforcement officials.

These requirements may be met by the State Medicaid agency assuming direct responsibility for assuring the requirements or met by contracting with a peer review organization (PRO) to perform such reviews. The reviewer must establish and use written criteria for evaluating the appropriateness and quality of Medicaid services.

The State Medicaid agency must have procedures for the ongoing post-payment review, on a sample basis, for the necessity, quality, and timeliness of Medicaid services. The State Medicaid agency may conduct this review directly or may contract with a PRO.

Suspected fraud identified by utilization control and program integrity should be referred to the State Medicaid Fraud Control Units.

Inpatient Hospital and Long Term Care Facility Audits

States are required to establish as part of the State plan standards and methodology for reimbursing inpatient hospital and long term care facilities based on payment rates that represent the cost to efficiently and economically operate such facilities and provide Medicaid services. The State Medicaid agency must provide for the filing of uniform cost reports by each participating provider. These cost reports are used by the State Medicaid agency to aid in the establishment of payment rates. The State Medicaid agency must provide for periodic audits of the financial and statistical records of the participating providers. Such audits could include desk audits of cost reports in addition to field audits. These audits are an important control for the State Medicaid agency in ensuring that established payment rates are proper.

ADP Risk Analyses and System Security Reviews

The Medicaid program is highly dependent on extensive and complex computer systems that include controls for ensuring the proper payment of Medicaid benefits. States are required to establish a security plan for ADP systems that include policies and procedures to address: (1) physical security of ADP resources; (2) equipment security to protect equipment from theft and unauthorized use; (3) software and data security; (4) telecommunications security; (5) personnel security; (6) contingency plans to meet critical processing needs in the event of short or long term interruption of service; (7) emergency preparedness; and, (8) designation of an agency ADP security manager.

State agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. On a biennial basis State agencies shall review the ADP system security of installations involved in the administration of HHS programs. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices.

Medicaid Management Information System (MMIS)

The MMIS is the mechanized Medicaid benefit claims processing and information retrieval system that States are required to have, unless this requirement is waived by the Secretary of HHS. HHS provides general systems guidelines (42 CFR sections 433.110 through 433.131) but it does not provide detailed system requirements or specifications for States to use in the development of MMIS systems. As a result, MMIS systems will vary from State to State. The system may be maintained and operated by the State or a contractor.

The MMIS is normally used to process payments for most medical assistance services and normally includes edits and controls which identify unusual items for follow up by the utilization control and program integrity unit. However, the State may use systems other than MMIS to process medical assistance payments. In many cases the operation of the MMIS is contracted out to a private contractor. The State plan will describe the administration of each State's claims processing system.

Generally, the MMIS does not process claims from State agencies (e.g., State operated intermediate care facility for the mentally retarded (ICF/MR)) and certain selected types of claims. The claims payments which are not processed through MMIS may be material to the Medicaid program.

Medicaid Eligibility Quality Control System (MEQC)

Each State is required to operate a MEQC system in accordance with requirements specified by HCFA. This HCFA-approved system redetermines eligibility for individual sampled cases and provides national and State measures of the accuracy of eligibility and benefit amount determinations (commonly referred to as "payment accuracy"), including both underpayments and overpayments, and of the correctness of decisions to deny benefits. The MEQC system reviews the determinations of beneficiary eligibility made by a State agency, or its designee, and uses statistical sampling methods to select claims for review and project the number and dollar impact of payments to ineligible beneficiaries (42 CFR sections 431.800 through 431.865).

Federal Oversight and Compliance Mechanisms

HCFA oversees State operations through its organization consisting of a headquarters and 10 regional offices.

HCFA program oversight includes budget review, reviews of financial and program reports, and on-site reviews which are normally targeted to cover a specific area of concern. HCFA conveys areas of national and local concerns to the States through the regions. Technical assistance is used extensively to promote improvements in State operation of the program but enforcement mechanisms are available. HCFA considers the single audit as an important internal control in its monitoring of States.

Federal program oversight, because of its targeted nature, should not be used as a substitute for audit evidence gained through transaction testing.

HHS Office of Inspector General (OIG) Fraud Alerts

The HHS OIG issues fraud alerts, some of which relate to the Medicaid program. These alerts are available on the Internet from the HHS OIG Home Page, Special Fraud Alerts section (http://www.sbaonline.sba.gov/ignet/internal/hhs/invlist.html#sfa).

III. COMPLIANCE REQUIREMENTS

In developing the audit procedures to test compliance with the requirements for a Federal program, the auditor should first look to Part 2, Matrix of Compliance Requirements, to identify which of the 14 types of compliance requirements described in Part 3 are applicable and then look to Parts 3 and 4 for the details of the requirements.

General Audit Approach for Medicaid Payments

To be allowable, Medicaid costs for medical services must be: (1) covered by the State plan and waivers; (2) for an allowable service rendered (including supported by medical records or other evidence indicating that the service was actually provided and consistent with the medical diagnosis); (3) properly coded; and, (4) paid at the rate allowed by the State plan. Additionally, Medicaid costs must be net of applicable credits (e.g., insurance, recoveries from other third parties who are responsible for covering the Medicaid costs, and drug rebates), paid to eligible providers, and only provided on behalf of eligible individuals.

Due to the complexity of Medicaid program operations, it is unlikely the auditor will be able to support an opinion that Medicaid expenditures are in compliance with applicable laws and regulations (e.g., are allowable under the State plan) without relying upon the systems and internal controls.) Examples of complexities include:

- Dependence upon large and complex ADP systems to process the large volume of Medicaid transactions.

- Medical services are provided directly to an eligible beneficiary, normally without prior approval by the State.

- Medical service providers normally determine the scope and medical necessity of the services.

- Notice to the State that service is rendered is after-the-fact when a bill is sent.

- Payments systems do not include a review of original detailed documentation supporting the claim prior to payment.

- Complex billing charge structures and payment rates for medical services, including significance of proper coding of services (e.g., billing by diagnosis related groups (DRG)).

- Different types of Medicaid payments (e.g., inpatient hospital, physicians, prescription drugs and drug rebates).

Medicaid has required control systems that should aid the auditor in obtaining sufficient audit evidence for Medicaid expenditures. These control systems are discussed in the preceding Program Procedures under Control Systems and are: (1) utilization control and program integrity; (2) inpatient hospital and long term care facility audits; (3) ADP risk analyses and system security reviews (e.g, of the MMIS); and (4) the MMIS normally includes edits and controls that identify unusual items for follow up by the utilization control and program integrity function. The first three are generally performed by specialists retained by the State Medicaid agency. The following table indicates the major types of Medicaid payments to which these controls will likely relate:



Type of Medicaid Payment 1 2 3 4
Inpatient Hospital X X X X
Physicians (including dental) X X X
Prescription Drugs (net of rebates) X X X
Institutional Long-Term Care X X X X




Each of the above Medicaid payment types are tested for compliance with applicable laws and regulations under either "A. Activities Allowed or Unallowed;" "B. Allowable Costs/Cost Principles;" or "E. Eligibility." Based upon the assessed level of control risk, the auditor should design appropriate tests of the allowability of Medicaid payments. Testing likely will include tests of medical records, in which case the auditor should consider the need for assistance of specialists. The auditor may consider using the same specialists used by the State.

The auditor should consider the following in planning and performing tests of controls and compliance:

1. Section "N. Special Tests and Provisions," includes required internal control, which are compliance requirements (i.e., controls (1), (2), and (3) above), and audit objectives and procedures for each. The audit procedures will entail tests of work performed by the State Medicaid agency.

2. Tests of compliance with laws and regulations relating to sections A, B, and E below, and the compliance requirements enumerated in Section N should be coordinated.

A. Activities Allowed or Unallowed

1. Allowability of Specific Transactions and Activities

a. Funds can only be used for Medicaid benefit payments (as specified in the State plan, Federal regulations, or an approved waiver), expenditures for administration and training, expenditures for the State Survey and Certification Program, and expenditures for State Medicaid Fraud Control Units (42 CFR sections 435.10, 440.210, 440.220, and 440.180).

b. Case Management Services - The State plan may provide for case management services as an optional medical assistance service. The term case management services means services which will assist individuals eligible under the plan in gaining access to needed medical, social, educational, and other services.

Medicaid case management services are divided into two separate categories:

Administrative case management - Services must be identifiable with Title-XIX benefit (e.g., outreach services provided by public school districts to Medicaid recipients).

Medical/Targeted case management - Services must be provided to an eligible Medicaid recipient. Services do not have to be specifically medical in nature and can include securing shelter, personal needs, etc. (e.g., services provided by community mental health boards, county offices of aging).

Case management services is an area of risk because of the high growth of expenditures, the relative newness of the provision that allows these expenditures to be claimed, and prior experience which indicates problems with the documentation of case management expenditures.

With the exception of case management services provided through capitation (a process in which payment is made on a per beneficiary basis) or prepaid health plans, Federal regulations typically require the following documentation for case management services: date of service; name of recipient; name of provider agency and person providing the service; nature, extent, or units of service; and, place of service (P.L. 99-272, Section 9508; 42 CFR part 434).

c. Managed Care - A State may obtain a waiver of statutory requirements in order to develop a system that more effectively addresses the health care needs of its population. For example, a waiver may involve the use of a program of managed care for selected elements of the client population or allow the use of program funds to serve specified populations that would be otherwise ineligible (Sections 1115 and 1915 of the Social Security Act). Managed care providers must be eligible to participate in the program at the time services are rendered, payments to managed care plans should only be for eligible clients for the proper period, and the capitation payment should be properly calculated. Medicaid medical services payments (e.g., hospital and doctors charges) should not be made for services that are covered by managed care. States should ensure that capitated payments to providers are discontinued when a benificiary is no longer enrolled for services. Requirements related to beneficiaries' access to managed care services are covered under N.6., Special Tests and Provisions, Managed Care.

d. Medicaid Health Insurance Premiums - A State may enroll certain Medicare-eligible recipients under Medicare Part B and pay the premium, deductibles, cost sharing, and other charges (42 CFR section 431.625).

e. Disproportionate Share Hospital - Federal financial participation is available for aggregate payments to hospitals that serve a disproportionate number of low income patients with special needs. The State plan must specifically define a disproportionate share hospital and the method of calculating the rate for these hospitals. Specific limits for the total disproportionate share hospital payments for the State and the individual hospitals are contained in the legislation (Section 1923 of the Social Security Act and 42 USC 1396(r)).

f. Home Health Care - A State may obtain a waiver of statutory requirements to provide an array of home and community-based services which may permit an individual to avoid institutionalization (42 CFR part 441 subpart G). The HHS OIG has issued a special fraud alert concerning home health care. Problems noted include cost report frauds, billing for excessive services or services not rendered, and use of unlicensed staff. The full alert was published in the Federal Register on August 10, 1995 (page 40847) and is available on the Internet from the HHS OIG Home Page, Special Fraud Alerts section (http://www.sbaonline.sba.gov/ignet/internal/hhs/invlist.html#sfa).

2. Allowability of Activities for Subrecipients - Normally this is not applicable because most States do not use subrecipients in the Medicaid program. However, if a State uses a subrecipient for Medicaid, this may be applicable.

B. Allowable Costs/Cost Principles

Recoveries, Refunds, and Rebates (Costs must be the net of all applicable credits)

1. States must have a system to identify medical services that are the legal obligation of third parties, such as private health or accident insurers. Such third party resources should be exhausted prior to paying claims with program funds. Where a third party liability is established after the claim is paid, reimbursement from the third party should be sought (42 CFR sections 433.135 through 433.154).

2. The State is required to credit the Medicaid program for (1) State warrants that are canceled and uncashed checks beyond 180 days of issuance (escheated warrants) and (2) overpayments made to providers of medical services within specified time frames. In most cases, the State must refund provider overpayments to the Federal Government within 60 days of identification of the overpayment, regardless of whether the overpayment was collected from the provider (42 CFR sections 433.300 through 433.320 and 433.40).

3. Section 1903 (w)(1) of the Social Security Act (as amended by P.L. 102-234) provides that, effective January 1, 1992, before calculating the amount of Federal financial participation, certain revenues received by a State will be deducted from the State's medical assistance expenditures. The revenues to be deducted are (1) donations made by health providers and entities related to providers (except for bona fide donations and, subject to a limitation, donations made by providers for the direct costs of out stationed eligibility workers); and (2) impermissible health care-related taxes that exceed a specified limit ( 42 USC 1396(b)(w) and 42 CFR section 433.57).

"Provider related donations" are any donations or other voluntary payments (in-cash or in-kind) made directly or indirectly to a State or unit of local government by (1) a health care provider, (2) an entity related to a health care provider, or (3) an entity providing goods or services under the State plan and paid as administrative expenses. "Bona fide provider-related donations" are donations that have no direct or indirect relationship to payments made under Title XIX (42 USC 1396, et seq.) to (1) that provider, (2) providers furnishing the same class of items and services as that provider, or (3) any related entity (42 CFR sections 433.58(d) and 433.66(b)).

Permissible health care-related taxes are those taxes which are broad-based taxes, uniformly applied to a class of health care items, services, or providers, and which do not hold a taxpayer harmless for the costs of the tax, or a tax program for which HCFA has granted a waiver. Health care-related taxes that do not meet these requirements are impermissible health care-related taxes (42 CFR section 433.68(b)).

The provisions of P.L. 102-234 apply to all 50 States and the District of Columbia, except those States whose entire Medicaid program is operated under a waiver granted under section 1115 of the Social Security Act (42 CFR part 433; Federal Register published August 13, 1993, 58 FR 43156-43183).

4. Section 1927 of the Social Security Act allows States to receive rebates for drug purchases the same as other payers receive. Drug manufacturers are required to provide a listing to HCFA of all covered outpatient drugs and, on a quarterly basis, are required to provide their average manufacturer's price and their best prices for each covered outpatient drug. Based upon these data, HCFA calculates a unit rebate amount for each drug which it then provides to States. No later than 60 days after the end of the quarter, the State Medicaid agency must provide to manufactures drug utilization data. Within 30 days of receipt of the utilization data from the State, the manufacturers are required to pay the rebate or provide the State with written notice of disputed items not paid because of discrepancies found.

E. Eligibility

1. Eligibility for Individuals

The State Medicaid agency or its designee is required to determine client eligibility in accordance with eligibility requirements defined in the approved State plan (42 CFR section 431.10). States have a high degree of flexibility in designating who will determine eligibility.

The State is required to operate a MEQC system in accordance with requirements specified by HCFA. The MEQC system reviews the determinations of beneficiary eligibility made by State Medicaid agencies, or their designee, and uses statistical sampling methods to select claims for review and project the number and dollar impact of incorrect payments to ineligible beneficiaries (42 CFR sections 431.800 through 431.865).

As discussed in the General Audit Approach for Medicaid Payments, the auditor will likely combine Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility testing. Therefore, compliance requirements related to amounts provided to or on behalf of eligibles were combined with Activities Allowed or Unallowed.

1. Eligibility of Group of Individuals or Area of Service Delivery - Not Applicable

2. Eligibility for Subrecipients - Not Applicable

G. Matching, Level of Effort, Earmarking

1. Matching

The State is required to pay part of the costs of providing health care to the poor and part of the costs of administering the program. Different State participation rates apply to medical assistance payments. There are also different Federal financial participation rates for the different types of costs incurred in administering the Medicaid program, such as administration, family planning, training, computer, and other costs (42 CFR sections 433.10 and 433.15). The auditor should refer to the State plan for the matching rates.

2. Level of Effort

A State waiver may contain a level of effort requirement.

3. Earmarking

A State waiver may contain an earmarking requirement.

L. Reporting

1. Financial Reporting

a. SF-269, Financial Status Report - Not applicable

b. SF-270, Request for Advance or Reimbursement - Not applicable

c. SF-271, Outlay Report and Request for Reimbursement for Construction Program - Not applicable

d. SF-272, Federal Cash Transaction Report - Not applicable

e. HCFA-64, Quarterly Statement of Expenditures for the Medical Assistance Program (OMB No. 0938-0067) - Required to be used in lieu of the Financial Status Report (FSR) SF-269 and is required to be prepared quarterly and submitted electronically to HCFA within 30 days after the end of the quarter.

f. PMS-272, Quarterly Cash Transactions Report (OMB No. 0937-0200) - Required in lieu of the Federal Cash Transaction Report (SF-272).

2. Performance Reporting - Not Applicable

3. Special Reporting - Not Applicable

N. SPECIAL TESTS AND PROVISIONS

1. Utilization Control and Program Integrity

Compliance Requirements - The State plan must provide methods and procedures to safeguard against unnecessary utilization of care and services, including long term care institutions. In addition, the State must have: (1) methods or criteria for identifying suspected fraud cases; (2) methods for investigating these cases; and, (3) procedures, developed in cooperation with legal authorities, for referring suspected fraud cases to law enforcement officials (42 CFR parts 455, 456, and 1002).

Suspected fraud should be referred to the State Medicaid Fraud Control Units (42 CFR part 1007).

The State Medicaid agency must establish and use written criteria for evaluating the appropriateness and quality of Medicaid services. The agency must have procedures for the ongoing post-payment review, on a sample basis, of the need for and the quality and timeliness of Medicaid services. The State Medicaid agency may conduct this review directly or may contract with a PRO.

Audit Objectives - To determine whether the State has established and implemented procedures to (1) safeguard against unnecessary utilization of care and services, including long term care institutions, (2) identify suspected fraud cases, (3) investigate these cases, and (4) refer those cases with sufficient evidence of suspected fraud cases to law enforcement officials.

Suggested Audit Procedures

a. Obtain and evaluate the adequacy of the procedures used by the State Medicaid agency to conduct utilization reviews and identifying suspected fraud.

1. Consider the qualifications of the personnel conducting the reviews and identifying suspected fraud. Ascertain that the individuals possess the necessary skill or knowledge by considering the following: (1) professional certification, license, or specialized training; (2) the reputation and standing of licensed medical professionals in the view of peers; and, (3) experience in the type of tasks to be performed.

2. Consider the personnel performing the utilization review and identifying suspected fraud are sufficiently organized outside the control of other Medicaid operations to objectively perform their function.

3. Ascertain if the sampling plan implemented by the State Medicaid agency or the PRO was properly designed and executed.

b. Test a sample of the cases examined by State Medicaid agency or the PRO and ascertain if such examinations were in accordance with the agency's procedures.

c. Test a sample of the identified suspected cases of fraud and ascertain if the agency took appropriate steps to investigate and, if appropriate, make a referral.

d. Based on the above procedures, consider the degree of reliance that can be placed on the utilization review and identification of suspected fraud in performing tests under sections A, B, and E.

2. Inpatient Hospital and Long-Term Care Facility Audits

Compliance Requirement - The State Medicaid agency pays for inpatient hospital services and long term care facility services through the use of rates that are reasonable and adequate to meet the costs that must be incurred by efficiently and economically operated providers. The State Medicaid agency must provide for the filing of uniform cost reports for each participating provider. These cost reports are used to establish payment rates. The State Medicaid agency must provide for the periodic audits of financial and statistical records of participating providers. The specific audit requirements will be established by the State Plan (42 CFR section 447.253).

Audit Objectives - To determine whether the State Medicaid agency performed inpatient hospital and long term care facility audits as required.

Suggested Audit Procedures

a. Review the State Plan and State Medicaid agency operating procedures and document the types of audits performed (e.g., desk audits, field audits) and the methodology for determining when audits are conducted, and the objectives and procedures of the audits.

b. Through examination of documentation, ascertain that the sampling plan was carried out as planned.

c. Select a sample of audits and ascertain if the audits were in compliance with the State Medicaid agency's audit procedures.

d. Based on the above, consider the degree of reliance that can be placed on the inpatient hospital and long term care facility audits in performing tests under sections A, B, and E.

3. ADP Risk Analysis and System Security Review

Compliance Requirement - State agencies must establish and maintain a program for conducting periodic risk analyses to ensure that appropriate, cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. State agencies shall review the ADP system security installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The State agency shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS onsite reviews (45 CFR section 95.621).

Audit Objective - To determine whether the State Medicaid agency has performed the required ADP risk analyses and system security reviews.

Suggested Audit Procedures

a. Review the State Medicaid agency's policies and procedures and document the frequency, timing, and scope of ADP security reviews. This should include any reviews following Statement on Auditing Standards No. 70 (SAS 70) which may have been performed on outside processors.

b. Consider the appropriateness and extent of reliance on such reviews based on the qualifications of the personnel performing the risk analyses and security reviews and their organizational independence from the ADP systems.

c. Review the work performed during the most recent risk analysis and security review.

d. Based on the above, consider the degree of reliance that can be placed on the ADP Risk Analysis and System Security Reviews in performing tests under sections A, B, and E.

4. Provider Eligibility

Compliance Requirement - In order to receive Medicaid payments, providers of medical services furnishing services must be licensed in accordance with Federal, State, and local laws and regulations to participate in the Medicaid program (42 CFR sections 431.107 and 447.10; and section 1902(a)(9) of the Social Security Act) and the providers must make certain disclosures to the State (42 CFR subpart B).

Audit Objective - To determine whether providers of medical services are licensed to participate in the Medicaid program in accordance with Federal, State, and local laws and regulations, and whether the providers have made the required disclosures to the State.

Suggested Audit Procedures

a. Obtain an understanding of the State plan's provisions for licensing and entering into agreements with providers.

b. Select a sample of providers receiving payments and ascertain if:

(1) The provider is licensed in accordance with the State Plan.

(2) The agreement with the provider complies with the requirements of the State Plan, including the disclosure requirements of 42 CFR 455 subpart B.

5. Provider Health and Safety Standards

Compliance Requirement - Providers must meet the prescribed health and safety standards for hospital, nursing facilities, and ICF/MR (42 CFR part 442). The standards may be modified in the State plan.

Audit Objective - To determine whether the State ensures that hospitals, nursing facilities, and ICF/MR that serve Medicaid patients meet the prescribed health and safety standards.

Suggested Audit Procedures

a. Obtain an understanding of the State Plan provisions which ensure that payments are made only to institutions which meet prescribed health and safety standards.

b. Select a sample of payments for each provider type (i.e., hospitals, nursing facilities, and ICF/MR) and ascertain if the State Medicaid agency has documentation that the provider has met the prescribed health and safety standards.

6. Managed Care

Compliance Requirement - A State may obtain a waiver of statutory requirements in order to develop a system that more effectively addresses the health care needs of its population. A waiver may involve the use of a program of managed care for selected elements of the client population or allow the use of program funds to serve specified populations that would be otherwise ineligible (Sections 1115 and 1915 of the Social Security Act).

Audit Objective - To determine whether the State is operating managed care in compliance with the approved State plan waiver.

Suggested Audit Procedures

a. Obtain an understanding of the State plan's managed care waiver.

b. Perform tests to ascertain if the State has a system to handle beneficiary complaints of not receiving necessary care and provider complaints of not receiving payments for services provided to Medicaid recipients.

c. Perform tests to ascertain if the State has a system to ensure beneficiaries have adequate access to health care from managed care organizations which are being paid premiums on the beneficiaries' behalf.