DEPARTMENT OF HEALTH AND HUMAN SERVICES
CFDA 93.778 MEDICAL ASSISTANCE PROGRAM (Medicaid; TITLE XIX)
CFDA 93.775 STATE MEDICAID FRAUD CONTROL UNITS
CFDA 93.777 STATE SURVEY AND CERTIFICATION OF HEALTH CARE
PROVIDERS AND SUPPLIERS
Note: In accordance with OMB Circular A-133, §___.525(c)(2), when the auditor is using the
risk-based approach for determining major programs, the auditor should consider that HHS has
identified the Medicaid Assistance Program as a program of higher risk. While not precluding an
auditor from determining that the Medicaid Cluster qualifies as a low-risk program (e.g., because
prior audits have shown strong internal controls and compliance with Medicaid requirements), this
identification by HHS should be considered as part of the risk assessment process.
I. PROGRAM OBJECTIVES
Medical Assistance Program
The objective of the Medical Assistance Program (Medicaid or Title XIX of the Social Security
Act, as amended, (42 USC 1396, et seq.)) is to provide payments for medical assistance to
low-income persons who are age 65 or over, blind, disabled, or members of families with
dependent children or qualified pregnant women or children.
State Medicaid Fraud Control Units
The objective of the State Medicaid Fraud Control Units is to control provider fraud in the
Medicaid program. The State Medicaid Fraud Control Unit's grant application contains the
organization, administration, agreements, and procedures for the unit. Federal requirements are
contained in 42 CFR part 1007. This unit is separate and distinct from the State Medicaid agency.
State Survey and Certification of Health Care Providers and Suppliers
The objective of the State Survey and Certification of Health Care Providers and Suppliers
program is to determine whether the providers and suppliers of health care services under the
Medicaid program are in compliance with regulatory health and safety standards and conditions of
participation. This program is administered in a manner similar to Medicaid and includes an
approved State plan which addresses Federal requirements.
Even though the State Medicaid Fraud Control Units and State Survey and Certification of Health
Care Providers and Suppliers have substantially less Federal expenditures than the Medicaid
Assistance Program, they are clustered with Medicaid because these programs provide significant
controls over the expenditures of Medicaid funds. It is unlikely that the expenditures for these
two programs would be material to the Medicaid cluster; however, noncompliance with the
requirements to administer these controls may be material.
II. PROGRAM PROCEDURES
The following paragraphs are intended to provide a high-level, overall description of how
Medicaid generally operates. It is not practical to provide a complete description of program
procedures because Medicaid operates under both Federal and State laws and regulations and
States are afforded flexibility in program administration. Accordingly, the following paragraphs
are not intended to be used in lieu of or as a substitute for the Federal and State laws and
regulations applicable to this program.
The auditor is expected to use the applicable laws and regulations (including the applicable State
approved plan) when auditing this program. The Federal law that authorizes these programs is
Title XIX of the Social Security Act (Title XIX), enacted in 1965 and subsequently amended (42
USC 1396, et seq.). The Federal regulations applicable to the Medicaid program are found in 42
CFR parts 430 through 456, 1002, and 1007.
The U.S. Department of Health and Human Services' (HHS) Health Care Financing
Administration (HCFA) administers the Medicaid program in cooperation with State
governments. The Medicaid program is jointly financed by the Federal and State governments
and administered by the States. For purposes of this program, the term "State" includes the 50
States, the District of Columbia, and five U.S. territories: Puerto Rico, the Virgin Islands, Guam,
American Samoa, and the Northern Mariana Islands. Medicaid operates as a vendor payment
program, with States paying providers of medical services directly. Participating providers must
accept the Medicaid reimbursement level as payment in full. Within broad Federal rules, each
State decides eligible groups, types and range of services, payment levels for services, and
administrative and operating procedures.
States administer the Medicaid program under a State plan approved by HCFA. The Medicaid
State plan is a comprehensive written statement submitted by the State Medicaid agency
describing the nature and scope of its Medicaid program. A State plan for Medicaid consists of
preprinted material that covers the basic requirements, and individualized content that reflects the
characteristics of each particular State's program. The State plan is referenced to the applicable
Federal regulation for each requirement and will also contain references to applicable State
The State plan contains all information necessary for HCFA to determine whether the State plan
can be approved to serve as a basis for determining the level of Federal financial participation in
the State program. The State plan must specify a single State agency (hereinafter referred to as
the "State Medicaid agency") established or designated to administer or supervise the
administration of the State plan. The State plan must also include a certification by the State
Attorney General which cites the legal authority for the State Medicaid agency to determine
The State plan also specifies the criteria for determining the validity of payments disbursed under
the Medicaid program. This encompasses the system the State will use to ensure that payments
are disbursed only to eligible providers for appropriately-priced services that are covered by the
Medicaid program and provided to eligible beneficiaries. Payments must also be based on claims
that are adequately supported by medical records, and payments must not be duplicated.
A State plan or plan amendment will be considered approved unless HCFA sends the State
written notice of disapproval or a request for additional information within 90 days after receipt of
the State plan or plan amendment. Copies of the State plan are available from the State Medicaid
The State Medicaid agency may apply for a waiver of Federal requirements. Waivers are intended
to provide the flexibility needed to enable States to try new or different approaches to the efficient
and cost-effective delivery of health care services, or to adapt their programs to the special needs
of particular areas or groups of beneficiaries. Waivers allow exceptions to State plan
requirements and permit a State to implement innovative programs or activities on a time-limited
basis, and are subject to specific safeguards for the protection of beneficiaries and the program.
Actions that States may take if waivers are obtained include: (1) implement a primary care
case-management system or a specialty physician system; (2) designate an entity to act as a central
broker in assisting Medicaid beneficiaries to choose among competing health care plans; (3) share
with beneficiaries (through the provision of additional services) cost-savings made possible
through the beneficiaries' use of more cost effective medical care; (4) limit beneficiaries' choice of
providers to providers that fully meet reimbursement, quality, and utilization standards, which are
established under the State plan and are consistent with access, quality, and efficient and
economical furnishing of care; (5) include as "medical assistance," under its State plan, home and
community-based services furnished to beneficiaries who would otherwise need inpatient care that
is furnished in a hospital, skilled nursing facility (SNF), or intermediate care facility (ICF), and is
reimbursable under the State plan; and, (6) impose a deduction, cost-sharing or similar charge of
up to twice the "nominal charge" established under the State plan for outpatient services for
certain nonemergency services. A State may also obtain a waiver of statutory requirements to
provide an array of home and community-based services which may permit an individual to avoid
institutionalization (42 CFR part 441 subpart G). Depending on the type of requirement being
waived, a waiver may be effective for initial periods ranging from two to three years, with varying
renewal periods. Copies of waivers are available from the State Medicaid agency.
Payments to States
Once HCFA has approved a State plan and waivers, it makes quarterly grant awards to the State
to cover the Federal share of Medicaid expenditures for services, training, and administration.
The amount of the quarterly grant is determined on the basis of information submitted by the
State Medicaid agency (in quarterly estimate and quarterly expenditure reporting). The grant
award authorizes the State to draw Federal funds as needed to pay the Federal financial
participation portion of qualified Medicaid expenditures. The HHS Payment Management System
Division of Payment Management (PMS-DPM) in Rockville, MD disburses Federal funds to
States including funding under Medicaid. Currently, all States use a system developed by HHS
called SMARTLINK to request funds on an as-needed basis. States may use one of two payment
mechanisms which are linked to SMARTLINK: (1) wire transfers through the Automated
Clearinghouse in conjunction with the Federal Reserve Bank, which is settled the day after the
request date, or (2) FEDWIRE transfers through the U.S. Department of the Treasury, which is a
same day payment mechanism. The payment method is selected by the State and approved by the
U.S. Department of the Treasury and HHS before payments are made through either mechanism.
States report cash activity to PMS-DPM with a quarterly Cash Transactions Report (PMS-272).
State Expenditure Reporting
Thirty days after the end of the quarter, States electronically submit form HCFA-64, "Quarterly
Statement of Expenditures for the Medical Assistance Program." The HCFA-64 presents
expenditures and recoveries and other items that reduce expenditures for the quarter and prior
period expenditures. The amounts reported on the HCFA-64 and its attachments must be actual
expenditures for which all supporting documentation, in readily reviewable form, has been
compiled and is available immediately at the time the claim is filed. States use the Medicaid
Budget and Expenditure System to electronically submit the HCFA-64 directly to HCFA.
Eligibility for Medicaid is based primarily on income and resources. The States must provide
services to mandatory categorically needy and other required special groups (e.g., individuals
receiving Aid to Families With Dependent Children (AFDC), Temporary Assistance for Needy
Families (TANF), or Supplemental Security Income (SSI)). States may provide coverage to
members of optional groups who do not receive cash assistance (e.g., individuals who would be
eligible for but are not receiving AFDC) and medically needy individuals (individuals who are
eligible for Medicaid after deducting large medical expenditures from their income). Eligibility
criteria will be specified in the individual State plan.
Under the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, the cash
welfare program known as AFDC was repealed and replaced with block grants to States known
as TANF. Under the old AFDC law, children and parents who received cash welfare were
automatically enrolled in the Medicaid program. While the new law eliminates the entitlement to
welfare, access to Medicaid for children and parents who would have met the State's old AFDC
income and asset standards in place on July 16, 1996 has been preserved--whether or not these
individuals are eligible for the new TANF system (P.L. 104-193).
States must provide limited Medicaid coverage for "qualified Medicare beneficiaries." These are
aged and disabled persons who are receiving Medicare, whose income is below 100 percent of the
Federal poverty level, and whose resources do not exceed twice the allowable amount under SSI
(42 CFR section 407.40).
The State plan will specify if determinations of eligibility are made by agencies other than the
State Medicaid agency and will define the relationships and respective responsibilities of the State
Medicaid agency and the other agencies. The application process includes completing and filing
an application form, being interviewed, and having information verified. The State plan must also
provide that the State Medicaid agency will maintain individual records on each applicant and
Medicaid beneficiary including: date of application, date and basis for disposition, facts essential
to determination of initial and continuing eligibility, provision of medical assistance, and basis for
Medicaid expenditures include medical assistance payments for eligible recipients for such services
as hospitalization, prescription drugs, nursing home stays, outpatient hospital care, and physicians'
services, and expenditures for administration and training. In order for a medical assistance
payment to be considered valid, it must comply with the requirements of Title XIX, as amended,
(42 USC 1396, et seq.) and implementing Federal regulations. Determinations of payment
validity are made by individual States in accordance with approved State plans under broad
Some States have managed care arrangements under which the State enters into a contract with
an entity, such as an insurance company, to arrange for medical services to be available for
beneficiaries. The State pays a fixed rate per person (capitation rate) without regard to the actual
medical services utilized by each beneficiary.
Also, Medicaid expenditures include administration and training, the State Survey and
Certification Program, and State Medicaid Fraud Control Units.
Utilization Control and Program Integrity
The State plan must provide methods and procedures to safeguard against unnecessary utilization
of care and services, including those provided by long term care institutions. In addition, the
State must have: (1) methods of criteria for identifying suspected fraud cases; (2) methods for
investigating these cases; and, (3) procedures, developed in cooperation with legal authorities, for
referring suspected fraud cases to law enforcement officials.
These requirements may be met by the State Medicaid agency assuming direct responsibility for
assuring the requirements or met by contracting with a peer review organization (PRO) to
perform such reviews. The reviewer must establish and use written criteria for evaluating the
appropriateness and quality of Medicaid services.
The State Medicaid agency must have procedures for the ongoing post-payment review, on a
sample basis, for the necessity, quality, and timeliness of Medicaid services. The State Medicaid
agency may conduct this review directly or may contract with a PRO.
Suspected fraud identified by utilization control and program integrity should be referred to the
State Medicaid Fraud Control Units.
Inpatient Hospital and Long Term Care Facility Audits
States are required to establish as part of the State plan standards and methodology for
reimbursing inpatient hospital and long term care facilities based on payment rates that represent
the cost to efficiently and economically operate such facilities and provide Medicaid services. The
State Medicaid agency must provide for the filing of uniform cost reports by each participating
provider. These cost reports are used by the State Medicaid agency to aid in the establishment of
payment rates. The State Medicaid agency must provide for periodic audits of the financial and
statistical records of the participating providers. Such audits could include desk audits of cost
reports in addition to field audits. These audits are an important control for the State Medicaid
agency in ensuring that established payment rates are proper.
ADP Risk Analyses and System Security Reviews
The Medicaid program is highly dependent on extensive and complex computer systems that
include controls for ensuring the proper payment of Medicaid benefits. States are required to
establish a security plan for ADP systems that include policies and procedures to address: (1)
physical security of ADP resources; (2) equipment security to protect equipment from theft and
unauthorized use; (3) software and data security; (4) telecommunications security; (5) personnel
security; (6) contingency plans to meet critical processing needs in the event of short or long term
interruption of service; (7) emergency preparedness; and, (8) designation of an agency ADP
State agencies must establish and maintain a program for conducting periodic risk analyses to
ensure appropriate, cost effective safeguards are incorporated into new and existing systems.
State agencies must perform risk analyses whenever significant system changes occur. On a
biennial basis State agencies shall review the ADP system security of installations involved in the
administration of HHS programs. At a minimum, the reviews shall include an evaluation of
physical and data security operating procedures, and personnel practices.
Medicaid Management Information System (MMIS)
The MMIS is the mechanized Medicaid benefit claims processing and information retrieval system
that States are required to have, unless this requirement is waived by the Secretary of HHS. HHS
provides general systems guidelines (42 CFR sections 433.110 through 433.131) but it does not
provide detailed system requirements or specifications for States to use in the development of
MMIS systems. As a result, MMIS systems will vary from State to State. The system may be
maintained and operated by the State or a contractor.
The MMIS is normally used to process payments for most medical assistance services and
normally includes edits and controls which identify unusual items for follow up by the utilization
control and program integrity unit. However, the State may use systems other than MMIS to
process medical assistance payments. In many cases the operation of the MMIS is contracted out
to a private contractor. The State plan will describe the administration of each State's claims
Generally, the MMIS does not process claims from State agencies (e.g., State operated
intermediate care facility for the mentally retarded (ICF/MR)) and certain selected types of claims.
The claims payments which are not processed through MMIS may be material to the Medicaid
Medicaid Eligibility Quality Control System (MEQC)
Each State is required to operate a MEQC system in accordance with requirements specified by
HCFA. This HCFA-approved system redetermines eligibility for individual sampled cases and
provides national and State measures of the accuracy of eligibility and benefit amount
determinations (commonly referred to as "payment accuracy"), including both underpayments and
overpayments, and of the correctness of decisions to deny benefits. The MEQC system reviews
the determinations of beneficiary eligibility made by a State agency, or its designee, and uses
statistical sampling methods to select claims for review and project the number and dollar impact
of payments to ineligible beneficiaries (42 CFR sections 431.800 through 431.865).
Federal Oversight and Compliance Mechanisms
HCFA oversees State operations through its organization consisting of a headquarters and 10
HCFA program oversight includes budget review, reviews of financial and program reports, and
on-site reviews which are normally targeted to cover a specific area of concern. HCFA conveys
areas of national and local concerns to the States through the regions. Technical assistance is
used extensively to promote improvements in State operation of the program but enforcement
mechanisms are available. HCFA considers the single audit as an important internal control in its
monitoring of States.
Federal program oversight, because of its targeted nature, should not be used as a substitute for
audit evidence gained through transaction testing.
HHS Office of Inspector General (OIG) Fraud Alerts
The HHS OIG issues fraud alerts, some of which relate to the Medicaid program. These alerts
are available on the Internet from the HHS OIG Home Page, Special Fraud Alerts section
III. COMPLIANCE REQUIREMENTS
In developing the audit procedures to test compliance with the requirements for a Federal
program, the auditor should first look to Part 2, Matrix of Compliance Requirements, to
identify which of the 14 types of compliance requirements described in Part 3 are
applicable and then look to Parts 3 and 4 for the details of the requirements.
General Audit Approach for Medicaid Payments
To be allowable, Medicaid costs for medical services must be: (1) covered by the State plan and
waivers; (2) for an allowable service rendered (including supported by medical records or other
evidence indicating that the service was actually provided and consistent with the medical
diagnosis); (3) properly coded; and, (4) paid at the rate allowed by the State plan. Additionally,
Medicaid costs must be net of applicable credits (e.g., insurance, recoveries from other third
parties who are responsible for covering the Medicaid costs, and drug rebates), paid to eligible
providers, and only provided on behalf of eligible individuals.
Due to the complexity of Medicaid program operations, it is unlikely the auditor will be able to
support an opinion that Medicaid expenditures are in compliance with applicable laws and
regulations (e.g., are allowable under the State plan) without relying upon the systems and
internal controls. Examples of complexities include:
- Dependence upon large and complex ADP systems to process the large volume of Medicaid
- Medical services are provided directly to an eligible beneficiary, normally without prior approval
by the State.
- Medical service providers normally determine the scope and medical necessity of the services.
- Notice to the State that service is rendered is after-the-fact when a bill is sent.
- Payments systems do not include a review of original detailed documentation supporting the
claim prior to payment.
- Complex billing charge structures and payment rates for medical services, including significance
of proper coding of services (e.g., billing by diagnosis related groups (DRG)).
- Different types of Medicaid payments (e.g., inpatient hospital, physicians, prescription drugs and
Medicaid has required control systems that should aid the auditor in obtaining sufficient audit
evidence for Medicaid expenditures. These control systems are discussed in the preceding
Program Procedures under Control Systems and are: (1) utilization control and program integrity;
(2) inpatient hospital and long term care facility audits; (3) ADP risk analyses and system security
reviews (e.g., of the MMIS); and (4) the MMIS normally includes edits and controls that identify
unusual items for follow up by the utilization control and program integrity function. The first
three are generally performed by specialists retained by the State Medicaid agency. The following
table indicates the major types of Medicaid payments to which these controls will likely relate:
|Type of Medicaid Payment
|Physicians (including dental)
|Prescription Drugs (net of rebates)
|Institutional Long-Term Care
Each of the above Medicaid payment types is tested for compliance with applicable laws and
regulations under either "A. Activities Allowed or Unallowed;" "B. Allowable Costs/Cost
Principles;" or "E. Eligibility." Based upon the assessed level of control risk, the auditor should
design appropriate tests of the allowability of Medicaid payments. Testing likely will include tests
of medical records, in which case the auditor should consider the need for assistance of specialists.
The auditor may consider using the same specialists used by the State.
The auditor should consider the following in planning and performing tests of controls and
1. Section "N. Special Tests and Provisions," includes required internal controls, which are
compliance requirements (i.e., controls (1), (2), and (3) above), and audit objectives and
procedures for each. The audit procedures will entail tests of work performed by the State
2. Tests of compliance with laws and regulations relating to sections A, B, and E below, and the
compliance requirements enumerated in Section N should be coordinated.
A. Activities Allowed or Unallowed
1. Allowability of Specific Transactions and Activities
a. Funds can only be used for Medicaid benefit payments (as specified in the State plan, Federal
regulations, or an approved waiver), expenditures for administration and training, expenditures for
the State Survey and Certification Program, and expenditures for State Medicaid Fraud Control
Units (42 CFR sections 435.10, 440.210, 440.220, and 440.180).
b. Case Management Services - The State plan may provide for case management services as an
optional medical assistance service. The term case management services means services which
will assist individuals eligible under the plan in gaining access to needed medical, social,
educational, and other services.
Medicaid case management services are divided into two separate categories:
Administrative case management - Services must be identifiable with a Title XIX benefit (e.g.,
outreach services provided by public school districts to Medicaid recipients).
Medical/Targeted case management - Services must be provided to an eligible Medicaid
recipient. Services do not have to be specifically medical in nature and can include securing
shelter, personal needs, etc. (e.g., services provided by community mental health boards, county
offices of aging).
Case management services are an area of risk because of the high growth of expenditures, the
relative newness of the provision that allows these expenditures to be claimed, and prior
experience which indicates problems with the documentation of case management expenditures.
With the exception of case management services provided through capitation (a process in which
payment is made on a per beneficiary basis) or prepaid health plans, Federal regulations typically
require the following documentation for case management services: date of service; name of
recipient; name of provider agency and person providing the service; nature, extent, or units of
service; and, place of service (P.L. 99-272, Section 9508; 42 CFR part 434).
c. Managed Care - A State may obtain a waiver of statutory requirements in order to develop a
system that more effectively addresses the health care needs of its population. For example, a
waiver may involve the use of a program of managed care for selected elements of the client
population or allow the use of program funds to serve specified populations that would be
otherwise ineligible (Sections 1115 and 1915 of the Social Security Act). Managed care
providers must be eligible to participate in the program at the time services are rendered,
payments to managed care plans should only be for eligible clients for the proper period, and the
capitation payment should be properly calculated. Medicaid medical services payments (e.g.,
hospital and doctors' charges) should not be made for services that are covered by managed care.
States should ensure that capitated payments to providers are discontinued when a beneficiary is
no longer enrolled for services. Requirements related to beneficiaries' access to managed care
services are covered under N.6., Special Tests and Provisions, Managed Care.
d. Medicaid Health Insurance Premiums - A State may enroll certain Medicare-eligible recipients
under Medicare Part B and pay the premium, deductibles, cost sharing, and other charges (42
CFR section 431.625).
e. Disproportionate Share Hospital - Federal financial participation is available for aggregate
payments to hospitals that serve a disproportionate number of low income patients with special
needs. The State plan must specifically define a disproportionate share hospital and the method of
calculating the rate for these hospitals. Specific limits for the total disproportionate share
hospital payments for the State and the individual hospitals are contained in the legislation
(Section 1923 of the Social Security Act and 42 USC 1396(r)).
f. Home Health Care - A State may obtain a waiver of statutory requirements to provide an array
of home and community-based services which may permit an individual to avoid
institutionalization (42 CFR part 441 subpart G). The HHS OIG has issued a special fraud alert
concerning home health care. Problems noted include cost report frauds, billing for excessive
services or services not rendered, and use of unlicensed staff. The full alert was published in the
Federal Register on August 10, 1995 (page 40847) and is available on the Internet from the HHS
OIG Home Page, Special Fraud Alerts section
2. Allowability of Activities for Subrecipients - Normally this is not applicable because most
States do not use subrecipients in the Medicaid program. However, if a State uses a subrecipient
for Medicaid, this may be applicable.
B. Allowable Costs/Cost Principles
Recoveries, Refunds, and Rebates (Costs must be the net of all applicable credits)
1. States must have a system to identify medical services that are the legal obligation of third
parties, such as private health or accident insurers. Such third party resources should be
exhausted prior to paying claims with program funds. Where a third party liability is established
after the claim is paid, reimbursement from the third party should be sought (42 CFR sections
433.135 through 433.154).
2. The State is required to credit the Medicaid program for (1) State warrants that are canceled
and uncashed checks beyond 180 days of issuance (escheated warrants) and (2) overpayments
made to providers of medical services within specified time frames. In most cases, the State must
refund provider overpayments to the Federal Government within 60 days of identification of the
overpayment, regardless of whether the overpayment was collected from the provider (42 CFR
sections 433.300 through 433.320 and 433.40).
3. Section 1903 (w)(1) of the Social Security Act (as amended by P.L. 102-234) provides that,
effective January 1, 1992, before calculating the amount of Federal financial participation, certain
revenues received by a State will be deducted from the State's medical assistance expenditures.
The revenues to be deducted are (1) donations made by health providers and entities related to
providers (except for bona fide donations and, subject to a limitation, donations made by
providers for the direct costs of outstationed eligibility workers); and (2) impermissible health
care-related taxes that exceed a specified limit (42 USC 1396(b)(w) and 42 CFR section 433.57).
"Provider related donations" are any donations or other voluntary payments (in-cash or in-kind)
made directly or indirectly to a State or unit of local government by (1) a health care provider, (2)
an entity related to a health care provider, or (3) an entity providing goods or services under the
State plan and paid as administrative expenses. "Bona fide provider-related donations" are
donations that have no direct or indirect relationship to payments made under Title XIX (42 USC
1396, et seq.) to (1) that provider, (2) providers furnishing the same class of items and services as
that provider, or (3) any related entity (42 CFR sections 433.58(d) and 433.66(b)).
Permissible health care-related taxes are those that are broad-based, are uniformly applied to a
class of health care items, services, or providers, and do not hold a taxpayer harmless for the
costs of the tax, or those under a tax program for which HCFA has granted a waiver. Health
care-related taxes that do not meet these requirements are impermissible health care-related taxes
(42 CFR section 433.68(b)).
The provisions of P.L. 102-234 apply to all 50 States and the District of Columbia, except those
States whose entire Medicaid program is operated under a waiver granted under section 1115 of
the Social Security Act (42 CFR part 433; Federal Register published August 13, 1993, 58 FR
4. Section 1927 of the Social Security Act allows States to receive rebates for drug purchases the
same as other payers receive. Drug manufacturers are required to provide a listing to HCFA of
all covered outpatient drugs and, on a quarterly basis, are required to provide their average
manufacturer's price and their best prices for each covered outpatient drug. Based upon these
data, HCFA calculates a unit rebate amount for each drug which it then provides to States. No
later than 60 days after the end of the quarter, the State Medicaid agency must provide drug
utilization data to manufacturers. Within 30 days of receipt of the utilization data from the
State, the manufacturers are required to pay the rebate or provide the State with written notice of
disputed items not paid because of discrepancies found.
1. Eligibility for Individuals
The State Medicaid agency or its designee is required to determine client eligibility in accordance
with eligibility requirements defined in the approved State plan (42 CFR section 431.10). States
have a high degree of flexibility in designating who will determine eligibility.
The State is required to operate a MEQC system in accordance with requirements specified by
HCFA. The MEQC system reviews the determinations of beneficiary eligibility made by State
Medicaid agencies, or their designee, and uses statistical sampling methods to select claims for
review and project the number and dollar impact of incorrect payments to ineligible beneficiaries
(42 CFR sections 431.800 through 431.865).
As discussed in the General Audit Approach for Medicaid Payments, the auditor will likely
combine Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility
testing. Therefore, compliance requirements related to amounts provided to or on behalf of
eligibles were combined with Activities Allowed or Unallowed.
1. Eligibility of Group of Individuals or Area of Service Delivery - Not Applicable
2. Eligibility for Subrecipients - Not Applicable
G. Matching, Level of Effort, Earmarking
The State is required to pay part of the costs of providing health care to the poor and part of the
costs of administering the program. Different State participation rates apply to medical assistance
payments. There are also different Federal financial participation rates for the different types of
costs incurred in administering the Medicaid program, such as administration, family planning,
training, computer, and other costs (42 CFR sections 433.10 and 433.15). The auditor should
refer to the State plan for the matching rates.
2. Level of Effort
A State waiver may contain a level of effort requirement.
A State waiver may contain an earmarking requirement.
1. Financial Reporting
a. SF-269, Financial Status Report - Not applicable
b. SF-270, Request for Advance or Reimbursement - Not applicable
c. SF-271, Outlay Report and Request for Reimbursement for Construction Program - Not
d. SF-272, Federal Cash Transaction Report - Not applicable
e. HCFA-64, Quarterly Statement of Expenditures for the Medical Assistance Program (OMB
No. 0938-0067) - Required to be used in lieu of the Financial Status Report (FSR) SF-269 and is
required to be prepared quarterly and submitted electronically to HCFA within 30 days after the
end of the quarter.
f. PMS-272, Quarterly Cash Transactions Report (OMB No. 0937-0200) - Required in lieu of the
Federal Cash Transaction Report (SF-272).
2. Performance Reporting - Not Applicable
3. Special Reporting - Not Applicable
N. SPECIAL TESTS AND PROVISIONS
1. Utilization Control and Program Integrity
Compliance Requirements - The State plan must provide methods and procedures to safeguard
against unnecessary utilization of care and services, including long term care institutions. In
addition, the State must have: (1) methods or criteria for identifying suspected fraud cases; (2)
methods for investigating these cases; and, (3) procedures, developed in cooperation with legal
authorities, for referring suspected fraud cases to law enforcement officials (42 CFR parts 455,
456, and 1002).
Suspected fraud should be referred to the State Medicaid Fraud Control Units (42 CFR part
The State Medicaid agency must establish and use written criteria for evaluating the
appropriateness and quality of Medicaid services. The agency must have procedures for the
ongoing post-payment review, on a sample basis, of the need for and the quality and timeliness of
Medicaid services. The State Medicaid agency may conduct this review directly or may contract
with a PRO.
Audit Objectives - To determine whether the State has established and implemented procedures
to (1) safeguard against unnecessary utilization of care and services, including long term care
institutions, (2) identify suspected fraud cases, (3) investigate these cases, and (4) refer those
cases with sufficient evidence of suspected fraud to law enforcement officials.
Suggested Audit Procedures
a. Obtain and evaluate the adequacy of the procedures used by the State Medicaid agency to
conduct utilization reviews and identify suspected fraud.
1. Consider the qualifications of the personnel conducting the reviews and identifying suspected
fraud. Ascertain that the individuals possess the necessary skill or knowledge by considering the
following: (1) professional certification, license, or specialized training; (2) the reputation and
standing of licensed medical professionals in the view of peers; and, (3) experience in the type of
tasks to be performed.
2. Consider whether the personnel performing the utilization review and identifying suspected fraud are
sufficiently organized outside the control of other Medicaid operations to objectively perform
3. Ascertain if the sampling plan implemented by the State Medicaid agency or the PRO was
properly designed and executed.
b. Test a sample of the cases examined by State Medicaid agency or the PRO and ascertain if such
examinations were in accordance with the agency's procedures.
c. Test a sample of the identified suspected cases of fraud and ascertain if the agency took
appropriate steps to investigate and, if appropriate, make a referral.
d. Based on the above procedures, consider the degree of reliance that can be placed on the
utilization review and identification of suspected fraud in performing tests under sections A, B,
2. Inpatient Hospital and Long-Term Care Facility Audits
Compliance Requirement - The State Medicaid agency pays for inpatient hospital services and
long term care facility services through the use of rates that are reasonable and adequate to meet
the costs that must be incurred by efficiently and economically operated providers. The State
Medicaid agency must provide for the filing of uniform cost reports for each participating
provider. These cost reports are used to establish payment rates. The State Medicaid agency
must provide for the periodic audits of financial and statistical records of participating providers.
The specific audit requirements will be established by the State Plan (42 CFR section 447.253).
Audit Objectives - To determine whether the State Medicaid agency performed inpatient
hospital and long term care facility audits as required.
Suggested Audit Procedures
a. Review the State Plan and State Medicaid agency operating procedures and document the types
of audits performed (e.g., desk audits, field audits) and the methodology for determining when
audits are conducted, and the objectives and procedures of the audits.
b. Through examination of documentation, ascertain that the sampling plan was carried out as
c. Select a sample of audits and ascertain if the audits were in compliance with the State Medicaid
agency's audit procedures.
d. Based on the above, consider the degree of reliance that can be placed on the inpatient hospital
and long term care facility audits in performing tests under sections A, B, and E.
3. ADP Risk Analysis and System Security Review
Compliance Requirement - State agencies must establish and maintain a program for conducting
periodic risk analyses to ensure that appropriate, cost effective safeguards are incorporated into
new and existing systems. State agencies must perform risk analyses whenever significant system
changes occur. State agencies shall review the ADP system security installations involved in the
administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an
evaluation of physical and data security operating procedures, and personnel practices. The State
agency shall maintain reports on its biennial ADP system security reviews, together with pertinent
supporting documentation, for HHS onsite reviews (45 CFR section 95.621).
Audit Objective - To determine whether the State Medicaid agency has performed the required
ADP risk analyses and system security reviews.
Suggested Audit Procedures
a. Review the State Medicaid agency's policies and procedures and document the frequency,
timing, and scope of ADP security reviews. This should include any reviews following Statement
on Auditing Standards No. 70 (SAS 70) which may have been performed on outside processors.
b. Consider the appropriateness and extent of reliance on such reviews based on the qualifications
of the personnel performing the risk analyses and security reviews and their organizational
independence from the ADP systems.
c. Review the work performed during the most recent risk analysis and security review.
d. Based on the above, consider the degree of reliance that can be placed on the ADP Risk
Analysis and System Security Reviews in performing tests under sections A, B, and E.
4. Provider Eligibility
Compliance Requirement - In order to receive Medicaid payments, providers of medical
services furnishing services must be licensed in accordance with Federal, State, and local laws and
regulations to participate in the Medicaid program (42 CFR sections 431.107 and 447.10; and
section 1902(a)(9) of the Social Security Act) and the providers must make certain disclosures to
the State (42 CFR subpart B).
Audit Objective - To determine whether providers of medical services are licensed to participate
in the Medicaid program in accordance with Federal, State, and local laws and regulations, and
whether the providers have made the required disclosures to the State.
Suggested Audit Procedures
a. Obtain an understanding of the State plan's provisions for licensing and entering into
agreements with providers.
b. Select a sample of providers receiving payments and ascertain if:
(1) The provider is licensed in accordance with the State Plan.
(2) The agreement with the provider complies with the requirements of the State Plan, including
the disclosure requirements of 42 CFR 455 subpart B.
5. Provider Health and Safety Standards
Compliance Requirement - Providers must meet the prescribed health and safety standards for
hospital, nursing facilities, and ICF/MR (42 CFR part 442). The standards may be modified in the
Audit Objective - To determine whether the State ensures that hospitals, nursing facilities, and
ICF/MR that serve Medicaid patients meet the prescribed health and safety standards.
Suggested Audit Procedures
a. Obtain an understanding of the State Plan provisions which ensure that payments are made only
to institutions which meet prescribed health and safety standards.
b. Select a sample of payments for each provider type (i.e., hospitals, nursing facilities, and
ICF/MR) and ascertain if the State Medicaid agency has documentation that the provider has met
the prescribed health and safety standards.
6. Managed Care
Compliance Requirement - A State may obtain a waiver of statutory requirements in order to
develop a system that more effectively addresses the health care needs of its population. A waiver
may involve the use of a program of managed care for selected elements of the client population
or allow the use of program funds to serve specified populations that would be otherwise
ineligible (Sections 1115 and 1915 of the Social Security Act).
Audit Objective - To determine whether the State is operating managed care in compliance with
the approved State plan waiver.
Suggested Audit Procedures
a. Obtain an understanding of the State plan's managed care waiver.
b. Perform tests to ascertain if the State has a system to handle beneficiary complaints of not
receiving necessary care and provider complaints of not receiving payments for services provided
to Medicaid recipients.
c. Perform tests to ascertain if the State has a system to ensure beneficiaries have adequate access
to health care from managed care organizations which are being paid premiums on the