DEPARTMENT
OF HEALTH AND HUMAN SERVICES
CFDA
93.778 MEDICAL ASSISTANCE PROGRAM (Medicaid; TITLE XIX)
CFDA 93.775 STATE MEDICAID FRAUD CONTROL UNITS
CFDA 93.777 STATE SURVEY AND CERTIFICATION OF HEALTH CARE
PROVIDERS AND SUPPLIERS
Note: In accordance
with OMB Circular A-133, §___.525(c)(2), when the auditor is
using the risk-based approach for determining major programs, the
auditor should consider that HHS has identified the Medicaid Assistance
Program as a program of higher risk. While not precluding an auditor
from determining that the Medicaid Cluster qualifies as a low-risk
program (e.g., because prior audits have shown strong internal controls
and compliance with Medicaid requirements), this identification
by HHS should be considered as part of the risk assessment process.
I.
PROGRAM OBJECTIVES
Medical
Assistance Program
The objective
of the Medical Assistance Program (Medicaid or Title XIX of the
Social Security Act, as amended, (42 USC 1396, et seq.)) is to provide
payments for medical assistance to low-income persons who are age
65 or over, blind, disabled, or members of families with dependent
children or qualified pregnant women or children.
State Medicaid
Fraud Control Units
The objective
of the State Medicaid Fraud Control Units is to control provider
fraud in the Medicaid program. The State Medicaid Fraud Control
Unit's grant application contains the organization, administration,
agreements, and procedures for the unit. Federal requirements are
contained in 42 CFR part 1007. This unit is separate and distinct
from the State Medicaid agency.
State Survey
and Certification of Health Care Providers and Suppliers
The objective
of the State Survey and Certification of Health Care Providers and
Suppliers program is to determine whether the providers and suppliers
of health care services under the Medicaid program are in compliance
with regulatory health and safety standards and conditions of participation.
This program is administered in a manner similar to Medicaid and
includes an approved State plan which addresses Federal requirements.
Even though
the State Medicaid Fraud Control Units and State Survey and Certification
of Health Care Providers and Suppliers have substantially less Federal
expenditures than the Medicaid Assistance Program, they are clustered
with Medicaid because these programs provide significant controls
over the expenditures of Medicaid funds. It is unlikely that the
expenditures for these two programs would be material to the Medicaid
cluster, however noncompliance with the requirements to administer
these controls may be material.
II.
PROGRAM PROCEDURES
The following
paragraphs are intended to provide a high-level, overall description
of how Medicaid generally operates. It is not practical to provide
a complete description of program procedures because Medicaid operates
under both Federal and State laws and regulations and States are
afforded flexibility in program administration. Accordingly, the
following paragraphs are not intended to be used in lieu of or as
a substitute for the Federal and State laws and regulations applicable
to this program.
Authoritative
Sources
The auditor
is expected to use the applicable laws and regulations (including
the applicable State approved plan) when auditing this program.
The Federal law that authorizes these programs is Title XIX of the
Social Security Act (Title XIX), enacted in 1965 and subsequently
amended (42 USC 1396, et seq.). The Federal regulations applicable
to the Medicaid program are found in 42 CFR parts 430 through 456,
1002, and 1007.
Administration
The U.S. Department
of Health and Human Services' (HHS) Health Care Financing Administration
(HCFA) administers the Medicaid program in cooperation with State
governments. The Medicaid program is jointly financed by the Federal
and State governments and administered by the States. For purposes
of this program, the term "State" includes the 50 States, the District
of Columbia, and five U.S. territories: Puerto Rico, the Virgin
Islands, Guam, American Samoa, and the Northern Mariana Islands.
Medicaid operates as a vendor payment program, with States paying
providers of medical services directly. Participating providers
must accept the Medicaid reimbursement level as payment in full.
Within broad Federal rules, each State decides eligible groups,
types and range of services, payment levels for services, and administrative
and operating procedures.
State Plans
States administer
the Medicaid program under a State plan approved by HCFA. The Medicaid
State plan is a comprehensive written statement submitted by the
State Medicaid agency describing the nature and scope of its Medicaid
program. A State plan for Medicaid consists of preprinted material
that covers the basic requirements, and individualized content that
reflects the characteristics of each particular State's program.
The State plan is referenced to the applicable Federal regulation
for each requirement and will also contain references to applicable
State regulations.
The State plan
contains all information necessary for HCFA to determine whether
the State plan can be approved to serve as a basis for determining
the level of Federal financial participation in the State program.
The State plan must specify a single State agency (hereinafter referred
to as the "State Medicaid agency") established or designated to
administer or supervise the administration of the State plan. The
State plan must also include a certification by the State Attorney
General which cites the legal authority for the State Medicaid agency
to determine eligibility.
The State plan
also specifies the criteria for determining the validity of payments
disbursed under the Medicaid program. This encompasses the system
the State will use to ensure that payments are disbursed only to
eligible providers for appropriately-priced services that are covered
by the Medicaid program and provided to eligible beneficiaries.
Payments must also be based on claims that are adequately supported
by medical records, and payments not be duplicated.
A State plan
or plan amendment will be considered approved unless HCFA sends
the State written notice of disapproval or a request for additional
information within 90 days after receipt of the State plan or plan
amendment. Copies of the State plan are available from the State
Medicaid agency.
Waivers
The State Medicaid
agency may apply for a waiver of Federal requirements. Waivers are
intended to provide the flexibility needed to enable States to try
new or different approaches to the efficient and cost-effective
delivery of health care services, or to adapt their programs to
the special needs of particular areas or groups of beneficiaries.
Waivers allow exceptions to State plan requirements and permit a
State to implement innovative programs or activities on a time-limited
basis, and are subject to specific safeguards for the protection
of beneficiaries and the program.
Actions that
States may take if waivers are obtained include: (1) implement a
primary care case-management system or a specialty physician system;
(2) designate an entity to act as a central broker in assisting
Medicaid beneficiaries to choose among competing health care plans;
(3) share with beneficiaries (through the provision of additional
services) cost-savings made possible through the beneficiaries'
use of more cost effective medical care; (4) limit beneficiaries'
choice of providers to providers that fully meet reimbursement,
quality, and utilization standards, which are established under
the State plan and are consistent with access, quality, and efficient
and economical furnishing of care; (5) include as "medical assistance,"
under its State plan, home and community-based services furnished
to beneficiaries who would otherwise need inpatient care that is
furnished in a hospital, skilled nursing facility (SNF), or intermediate
care facility (ICF), and is reimbursable under the State plan; and,
(6) impose a deduction, cost-sharing or similar charge of up to
twice the "nominal charge" established under the State plan for
outpatient services for certain nonemergency services. A State may
also obtain a waiver of statutory requirements to provide an array
of home and community-based services which may permit an individual
to avoid institutionalization (42 CFR part 441 subpart G). Depending
on the type of requirement being waived, a waiver may be effective
for initial periods ranging from two to three years, with varying
renewal periods. Copies of waivers are available from the State
Medicaid agency.
Payments
to States
Once HCFA has
approved a State plan and waivers, it makes quarterly grant awards
to the State to cover the Federal share of Medicaid expenditures
for services, training, and administration. The amount of the quarterly
grant is determined on the basis of information submitted by the
State Medicaid agency (in quarterly estimate and quarterly expenditure
reporting). The grant award authorizes the State to draw Federal
funds as needed to pay the Federal financial participation portion
of qualified Medicaid expenditures. The HHS Payment Management System
Division of Payment Management (PMS-DPM) in Rockville, MD disburses
Federal funds to States including funding under Medicaid. Currently,
all States use a system developed by HHS called SMARTLINK to request
funds on an as needed basis. States may use one of two payment mechanisms
which are linked to SMARTLINK: (1) wire transfers through the Automated
Clearinghouse in conjunction with the Federal Reserve Bank, which
is settled the day after the request date, or (2) FEDWIRE transfers
through the U.S. Department of the Treasury, which is a same day
payment mechanism. The payment method is selected by the State and
approved by the U.S. Department of the Treasury and HHS before payments
are made through either mechanism. States report cash activity to
PMS-DPM with a quarterly Cash Transactions Report (PMS-272).
State
Expenditure Reporting
Thirty days
after the end of the quarter, States electronically submit form
HCFA-64 , "Quarterly Statement of Expenditures for the Medical Assistance
Program." The HCFA-64 presents expenditures and recoveries and other
items that reduce expenditures for the quarter and prior period
expenditures. The amounts reported on the HCFA-64 and its attachments
must be actual expenditures for which all supporting documentation,
in readily reviewable form, has been compiled and is available immediately
at the time the claim is filed. States use the Medicaid Budget and
Expenditure System to electronically submit the HCFA-64 directly
to HCFA.
Eligibility
Eligibility
for Medicaid is based primarily on income and resources. The States
must provide services to mandatory categorically needy and other
required special groups (e.g., individuals receiving Aid to Families
With Dependent Children (AFDC), Temporary Assistance for Needy Families
(TANF), or Supplemental Security Income (SSI)). States may provide
coverage to members of optional groups who do not receive cash assistance
(e.g., individuals who would be eligible for but are not receiving
AFDC) and medically needy individuals (individuals who are eligible
for Medicaid after deducting large medical expenditures from their
income). Eligibility criteria will be specified in the individual
State plan.
Under the Personal
Responsibility and Work Opportunity Reconciliation Act of 1996,
the cash welfare program known as AFDC was repealed and replaced
with block grants to States known as TANF. Under the old AFDC law,
children and parents who received cash welfare were automatically
enrolled in the Medicaid program. While the new law eliminates the
entitlement to welfare, access to Medicaid for children and parents
who would have met the State's old AFDC income and asset standards
in place on July 16, 1996 has been preserved--whether or not these
individuals are eligible for the new TANF system (P.L. 104-193).
States must
provide limited Medicaid coverage for "qualified Medicare beneficiaries."
These are aged and disabled persons who are receiving Medicare,
whose income is below 100 percent of the Federal poverty level,
and whose resources do not exceed twice the allowable amount under
SSI (42 CFR section 407.40).
The State plan
will specify if determinations of eligibility are made by agencies
other than the State Medicaid agency and will define the relationships
and respective responsibilities of the State Medicaid agency and
the other agencies. The application process includes completing
and filing an application form, being interviewed, and having information
verified. The State plan must also provide that the State Medicaid
agency will maintain individual records on each applicant and Medicaid
beneficiary including: date of application, date and basis for disposition,
facts essential to determination of initial and continuing eligibility,
provision of medical assistance, and basis for discontinuing assistance.
Services
Medicaid expenditures
include medical assistance payments for eligible recipients for
such services as hospitalization, prescription drugs, nursing home
stays, outpatient hospital care, and physicians' services, and expenditures
for administration and training. In order for a medical assistance
payment to be considered valid, it must comply with the requirements
of Title XIX, as amended, (42 USC 1396, et seq.) and implementing
Federal regulations. Determinations of payment validity are made
by individual States in accordance with approved State plans under
broad Federal guidelines.
Some States
have managed care arrangements under which the State enters into
a contract with an entity, such as an insurance company, to arrange
for medical services to be available for beneficiaries. The State
pays a fixed rate per person (capitation rate) without regard to
the actual medical services utilized by each beneficiary.
Also, Medicaid
expenditures include administration and training, the State Survey
and Certification Program, and State Medicaid Fraud Control Units.
Control
Systems
Utilization
Control and Program Integrity
The State plan
must provide methods and procedures to safeguard against unnecessary
utilization of care and services, including those provided by long
term care institutions. In addition, the State must have: (1) methods
of criteria for identifying suspected fraud cases; (2) methods for
investigating these cases; and, (3) procedures, developed in cooperation
with legal authorities, for referring suspected fraud cases to law
enforcement officials.
These requirements
may be met by the State Medicaid agency assuming direct responsibility
for assuring the requirements or met by contracting with a peer
review organization (PRO) to perform such reviews. The reviewer
must establish and use written criteria for evaluating the appropriateness
and quality of Medicaid services.
The State Medicaid
agency must have procedures for the ongoing post-payment review,
on a sample basis, for the necessity, quality, and timeliness of
Medicaid services. The State Medicaid agency may conduct this review
directly or may contract with a PRO.
Suspected fraud
identified by utilization control and program integrity should be
referred to the State Medicaid Fraud Control Units.
Inpatient
Hospital and Long Term Care Facility Audits
States are
required to establish as part of the State plan standards and methodology
for reimbursing inpatient hospital and long term care facilities
based on payment rates that represent the cost to efficiently and
economically operate such facilities and provide Medicaid services.
The State Medicaid agency must provide for the filing of uniform
cost reports by each participating provider. These cost reports
are used by the State Medicaid agency to aid in the establishment
of payment rates. The State Medicaid agency must provide for periodic
audits of the financial and statistical records of the participating
providers. Such audits could include desk audits of cost reports
in addition to field audits. These audits are an important control
for the State Medicaid agency in ensuring that established payment
rates are proper.
ADP Risk
Analyses and System Security Reviews
The Medicaid
program is highly dependent on extensive and complex computer systems
that include controls for ensuring the proper payment of Medicaid
benefits. States are required to establish a security plan for ADP
systems that include policies and procedures to address: (1) physical
security of ADP resources; (2) equipment security to protect equipment
from theft and unauthorized use; (3) software and data security;
(4) telecommunications security; (5) personnel security; (6) contingency
plans to meet critical processing needs in the event of short or
long term interruption of service; (7) emergency preparedness; and,
(8) designation of an agency ADP security manager.
State agencies
must establish and maintain a program for conducting periodic risk
analyses to ensure appropriate, cost effective safeguards are incorporated
into new and existing systems. State agencies must perform risk
analyses whenever significant system changes occur. On a biennial
basis State agencies shall review the ADP system security of installations
involved in the administration of HHS programs. At a minimum, the
reviews shall include an evaluation of physical and data security
operating procedures, and personnel practices.
Medicaid
Management Information System (MMIS)
The MMIS is
the mechanized Medicaid benefit claims processing and information
retrieval system that States are required to have, unless this requirement
is waived by the Secretary of HHS. HHS provides general systems
guidelines (42 CFR sections 433.110 through 433.131) but it does
not provide detailed system requirements or specifications for States
to use in the development of MMIS systems. As a result, MMIS systems
will vary from State to State. The system may be maintained and
operated by the State or a contractor.
The MMIS is
normally used to process payments for most medical assistance services
and normally includes edits and controls which identify unusual
items for follow up by the utilization control and program integrity
unit. However, the State may use systems other than MMIS to process
medical assistance payments. In many cases the operation of the
MMIS is contracted out to a private contractor. The State plan will
describe the administration of each State's claims processing system.
Generally,
the MMIS does not process claims from State agencies (e.g., State
operated intermediate care facility for the mentally retarded (ICF/MR))
and certain selected types of claims. The claims payments which
are not processed through MMIS may be material to the Medicaid program.
Medicaid
Eligibility Quality Control System (MEQC)
Each State
is required to operate a MEQC system in accordance with requirements
specified by HCFA. This HCFA-approved system redetermines eligibility
for individual sampled cases and provides national and State measures
of the accuracy of eligibility and benefit amount determinations
(commonly referred to as "payment accuracy"), including both underpayments
and overpayments, and of the correctness of decisions to deny benefits.
The MEQC system reviews the determinations of beneficiary eligibility
made by a State agency, or its designee, and uses statistical sampling
methods to select claims for review and project the number and dollar
impact of payments to ineligible beneficiaries (42 CFR sections
431.800 through 431.865).
Federal
Oversight and Compliance Mechanisms
HCFA oversees
State operations through its organization consisting of a headquarters
and 10 regional offices.
HCFA program
oversight includes budget review, reviews of financial and program
reports, and on-site reviews which are normally targeted to cover
a specific area of concern. HCFA conveys areas of national and local
concerns to the States through the regions. Technical assistance
is used extensively to promote improvements in State operation of
the program but enforcement mechanisms are available. HCFA considers
the single audit as an important internal control in its monitoring
of States.
Federal program
oversight, because of its targeted nature, should not be used as
a substitute for audit evidence gained through transaction testing.
HHS
Office of Inspector General (OIG) Fraud Alerts
The HHS OIG
issues fraud alerts, some of which relate to the Medicaid program.
These alerts are available on the Internet from the HHS OIG Home
Page, Special Fraud Alerts section (http://www.sbaonline.sba.gov/ignet/internal/hhs/invlist.html#sfa).
III.
COMPLIANCE REQUIREMENTS
In
developing the audit procedures to test compliance with the requirements
for a Federal program, the auditor should first look to Part 2,
Matrix of Compliance Requirements, to identify which of the 14 types
of compliance requirements described in Part 3 are applicable and
then look to Parts 3 and 4 for the details of the requirements.
General
Audit Approach for Medicaid Payments
To be allowable,
Medicaid costs for medical services must be: (1) covered by the
State plan and waivers; (2) for an allowable service rendered (including
supported by medical records or other evidence indicating that the
service was actually provided and consistent with the medical diagnosis);
(3) properly coded; and, (4) paid at the rate allowed by the State
plan. Additionally, Medicaid costs must be net of applicable credits
(e.g., insurance, recoveries from other third parties who are responsible
for covering the Medicaid costs, and drug rebates), paid to eligible
providers, and only provided on behalf of eligible individuals.
Due to the
complexity of Medicaid program operations, it is unlikely the auditor
will be able to support an opinion that Medicaid expenditures are
in compliance with applicable laws and regulations (e.g., are allowable
under the State plan) without relying upon the systems and internal
controls.) Examples of complexities include:
- Dependence
upon large and complex ADP systems to process the large volume of
Medicaid transactions.
- Medical services
are provided directly to an eligible beneficiary, normally without
prior approval by the State.
- Medical service
providers normally determine the scope and medical necessity of
the services.
- Notice to
the State that service is rendered is after-the-fact when a bill
is sent.
- Payments
systems do not include a review of original detailed documentation
supporting the claim prior to payment.
- Complex billing
charge structures and payment rates for medical services, including
significance of proper coding of services (e.g., billing by diagnosis
related groups (DRG)).
- Different
types of Medicaid payments (e.g., inpatient hospital, physicians,
prescription drugs and drug rebates).
Medicaid has
required control systems that should aid the auditor in obtaining
sufficient audit evidence for Medicaid expenditures. These control
systems are discussed in the preceding Program Procedures under
Control Systems and are: (1) utilization control
and program integrity; (2) inpatient hospital
and long term care facility audits; (3) ADP risk
analyses and system security reviews (e.g, of the MMIS); and (4)
the MMIS normally includes edits and controls that identify unusual
items for follow up by the utilization control and program integrity
function. The first three are generally performed by specialists
retained by the State Medicaid agency. The following table indicates
the major types of Medicaid payments to which these controls will
likely relate:
Type
of Medicaid Payment |
1 |
2 |
3
|
4 |
Inpatient
Hospital |
X |
X |
X |
X |
Physicians
(including dental) |
X |
|
X |
X |
Prescription
Drugs (net of rebates) |
X |
|
X |
X |
Institutional
Long-Term Care |
X |
X |
X |
X |
Each of the
above Medicaid payment types are tested for compliance with applicable
laws and regulations under either "A. Activities Allowed or Unallowed;"
"B. Allowable Costs/Cost Principles;" or "E. Eligibility." Based
upon the assessed level of control risk, the auditor should design
appropriate tests of the allowability of Medicaid payments. Testing
likely will include tests of medical records, in which case the
auditor should consider the need for assistance of specialists.
The auditor may consider using the same specialists used by the
State.
The auditor
should consider the following in planning and performing tests of
controls and compliance:
1. Section
"N. Special Tests and Provisions," includes required internal control,
which are compliance requirements (i.e., controls (1),
(2), and (3) above), and audit
objectives and procedures for each. The audit procedures will entail
tests of work performed by the State Medicaid agency.
2. Tests of
compliance with laws and regulations relating to sections A, B,
and E below, and the compliance requirements enumerated in Section
N should be coordinated.
A.
Activities Allowed or Unallowed
1.
Allowability of Specific Transactions and Activities
a. Funds can
only be used for Medicaid benefit payments (as specified in the
State plan, Federal regulations, or an approved waiver), expenditures
for administration and training, expenditures for the State Survey
and Certification Program, and expenditures for State Medicaid Fraud
Control Units (42 CFR sections 435.10, 440.210, 440.220, and 440.180).
b. Case
Management Services - The State plan may provide for case management
services as an optional medical assistance service. The term case
management services means services which will assist individuals
eligible under the plan in gaining access to needed medical, social,
educational, and other services.
Medicaid case
management services are divided into two separate categories:
Administrative
case management - Services must be identifiable with Title-XIX
benefit (e.g., outreach services provided by public school districts
to Medicaid recipients).
Medical/Targeted
case management - Services must be provided to an eligible
Medicaid recipient. Services do not have to be specifically medical
in nature and can include securing shelter, personal needs, etc.
(e.g., services provided by community mental health boards, county
offices of aging).
Case management
services is an area of risk because of the high growth of expenditures,
the relative newness of the provision that allows these expenditures
to be claimed, and prior experience which indicates problems with
the documentation of case management expenditures.
With the exception
of case management services provided through capitation (a process
in which payment is made on a per beneficiary basis) or prepaid
health plans, Federal regulations typically require the following
documentation for case management services: date of service; name
of recipient; name of provider agency and person providing the service;
nature, extent, or units of service; and, place of service (P.L.
99-272, Section 9508; 42 CFR part 434).
c. Managed
Care - A State may obtain a waiver of statutory
requirements in order to develop a system that more effectively
addresses the health care needs of its population. For example,
a waiver may involve the use of a program of managed care for selected
elements of the client population or allow the use of program funds
to serve specified populations that would be otherwise ineligible
(Sections 1115 and 1915 of the Social Security Act). Managed care
providers must be eligible to participate in the program at the
time services are rendered, payments to managed care plans should
only be for eligible clients for the proper period, and the capitation
payment should be properly calculated. Medicaid medical services
payments (e.g., hospital and doctors charges) should not be made
for services that are covered by managed care. States should ensure
that capitated payments to providers are discontinued when a benificiary
is no longer enrolled for services. Requirements related to beneficiaries'
access to managed care services are covered under N.6., Special
Tests and Provisions, Managed Care.
d. Medicaid
Health Insurance Premiums - A State may enroll certain Medicare-eligible
recipients under Medicare Part B and pay the premium, deductibles,
cost sharing, and other charges (42 CFR section 431.625).
e. Disproportionate
Share Hospital - Federal financial participation is available
for aggregate payments to hospitals that serve a disproportionate
number of low income patients with special needs. The State plan
must specifically define a disproportionate share hospital and the
method of calculating the rate for these hospitals. Specific limits
for the total disproportionate share hospital payments for the State
and the individual hospitals are contained in the legislation (Section
1923 of the Social Security Act and 42 USC 1396(r)).
f. Home
Health Care - A State may obtain a waiver of statutory requirements
to provide an array of home and community-based services which may
permit an individual to avoid institutionalization (42 CFR part
441 subpart G). The HHS OIG has issued a special fraud alert concerning
home health care. Problems noted include cost report frauds, billing
for excessive services or services not rendered, and use of unlicensed
staff. The full alert was published in the Federal Register
on August 10, 1995 (page 40847) and is available on the Internet
from the HHS OIG Home Page, Special Fraud Alerts section (http://www.sbaonline.sba.gov/ignet/internal/hhs/invlist.html#sfa).
2.
Allowability of Activities for Subrecipients - Normally
this is not applicable because most States do not use subrecipients
in the Medicaid program. However, if a State uses a subrecipient
for Medicaid, this may be applicable.
B.
Allowable Costs/Cost Principles
Recoveries,
Refunds, and Rebates (Costs must be the net of all applicable credits)
1. States must
have a system to identify medical services that are the legal obligation
of third parties, such as private health or accident insurers. Such
third party resources should be exhausted prior to paying claims
with program funds. Where a third party liability is established
after the claim is paid, reimbursement from the third party should
be sought (42 CFR sections 433.135 through 433.154).
2. The State
is required to credit the Medicaid program for (1) State warrants
that are canceled and uncashed checks beyond 180 days of issuance
(escheated warrants) and (2) overpayments made to providers of medical
services within specified time frames. In most cases, the State
must refund provider overpayments to the Federal Government within
60 days of identification of the overpayment, regardless of whether
the overpayment was collected from the provider (42 CFR sections
433.300 through 433.320 and 433.40).
3. Section
1903 (w)(1) of the Social Security Act (as amended by P.L. 102-234)
provides that, effective January 1, 1992, before calculating the
amount of Federal financial participation, certain revenues received
by a State will be deducted from the State's medical assistance
expenditures. The revenues to be deducted are (1) donations made
by health providers and entities related to providers (except for
bona fide donations and, subject to a limitation, donations
made by providers for the direct costs of out stationed eligibility
workers); and (2) impermissible health care-related taxes that exceed
a specified limit ( 42 USC 1396(b)(w) and 42 CFR section 433.57).
"Provider related
donations" are any donations or other voluntary payments (in-cash
or in-kind) made directly or indirectly to a State or unit of local
government by (1) a health care provider, (2) an entity related
to a health care provider, or (3) an entity providing goods or services
under the State plan and paid as administrative expenses. "Bona
fide provider-related donations" are donations that have no
direct or indirect relationship to payments made under Title XIX
(42 USC 1396, et seq.) to (1) that provider, (2) providers furnishing
the same class of items and services as that provider, or (3) any
related entity (42 CFR sections 433.58(d) and 433.66(b)).
Permissible
health care-related taxes are those taxes which are broad-based
taxes, uniformly applied to a class of health care items, services,
or providers, and which do not hold a taxpayer harmless for the
costs of the tax, or a tax program for which HCFA has granted a
waiver. Health care-related taxes that do not meet these requirements
are impermissible health care-related taxes (42 CFR section 433.68(b)).
The provisions
of P.L. 102-234 apply to all 50 States and the District of Columbia,
except those States whose entire Medicaid program is operated under
a waiver granted under section 1115 of the Social Security Act (42
CFR part 433; Federal Register published August 13, 1993,
58 FR 43156-43183).
4. Section
1927 of the Social Security Act allows States to receive rebates
for drug purchases the same as other payers receive. Drug manufacturers
are required to provide a listing to HCFA of all covered outpatient
drugs and, on a quarterly basis, are required to provide their average
manufacturer's price and their best prices for each covered outpatient
drug. Based upon these data, HCFA calculates a unit rebate amount
for each drug which it then provides to States. No later than 60
days after the end of the quarter, the State Medicaid agency must
provide to manufactures drug utilization data. Within 30 days of
receipt of the utilization data from the State, the manufacturers
are required to pay the rebate or provide the State with written
notice of disputed items not paid because of discrepancies found.
E.
Eligibility
1.
Eligibility for Individuals
The State Medicaid
agency or its designee is required to determine client eligibility
in accordance with eligibility requirements defined in the approved
State plan (42 CFR section 431.10). States have a high degree of
flexibility in designating who will determine eligibility.
The State is
required to operate a MEQC system in accordance with requirements
specified by HCFA. The MEQC system reviews the determinations of
beneficiary eligibility made by State Medicaid agencies, or their
designee, and uses statistical sampling methods to select claims
for review and project the number and dollar impact of incorrect
payments to ineligible beneficiaries (42 CFR sections 431.800 through
431.865).
As discussed
in the General Audit Approach for Medicaid Payments, the auditor
will likely combine Activities Allowed or Unallowed, Allowable Costs/Cost
Principles, and Eligibility testing. Therefore, compliance requirements
related to amounts provided to or on behalf of eligibles were combined
with Activities Allowed or Unallowed.
1.
Eligibility of Group of Individuals or Area of Service Delivery
- Not Applicable
2.
Eligibility for Subrecipients - Not Applicable
G.
Matching, Level of Effort, Earmarking
1.
Matching
The State is
required to pay part of the costs of providing health care to the
poor and part of the costs of administering the program. Different
State participation rates apply to medical assistance payments.
There are also different Federal financial participation rates for
the different types of costs incurred in administering the Medicaid
program, such as administration, family planning, training, computer,
and other costs (42 CFR sections 433.10 and 433.15). The auditor
should refer to the State plan for the matching rates.
2.
Level of Effort
A State waiver
may contain a level of effort requirement.
3.
Earmarking
A State waiver
may contain an earmarking requirement.
L.
Reporting
1.
Financial Reporting
a. SF-269,
Financial Status Report - Not applicable
b. SF-270,
Request for Advance or Reimbursement - Not applicable
c. SF-271,
Outlay Report and Request for Reimbursement for Construction
Program - Not applicable
d. SF-272,
Federal Cash Transaction Report - Not applicable
e. HCFA-64,
Quarterly Statement of Expenditures for the Medical Assistance Program
(OMB No. 0938-0067) - Required to be used in lieu of the Financial
Status Report (FSR) SF-269 and is required to be prepared quarterly
and submitted electronically to HCFA within 30 days after the end
of the quarter.
f. PMS-272,
Quarterly Cash Transactions Report (OMB No. 0937-0200) - Required
in lieu of the Federal Cash Transaction Report (SF-272).
2.
Performance Reporting - Not Applicable
3.
Special Reporting - Not Applicable
N.
SPECIAL TESTS AND PROVISIONS
1.
Utilization Control and Program Integrity
Compliance
Requirements - The State plan must provide methods and
procedures to safeguard against unnecessary utilization of care
and services, including long term care institutions. In addition,
the State must have: (1) methods or criteria for identifying suspected
fraud cases; (2) methods for investigating these cases; and, (3)
procedures, developed in cooperation with legal authorities, for
referring suspected fraud cases to law enforcement officials (42
CFR parts 455, 456, and 1002).
Suspected fraud
should be referred to the State Medicaid Fraud Control Units (42
CFR part 1007).
The State Medicaid
agency must establish and use written criteria for evaluating the
appropriateness and quality of Medicaid services. The agency must
have procedures for the ongoing post-payment review, on a sample
basis, of the need for and the quality and timeliness of Medicaid
services. The State Medicaid agency may conduct this review directly
or may contract with a PRO.
Audit
Objectives - To determine whether the State has established
and implemented procedures to (1) safeguard against unnecessary
utilization of care and services, including long term care institutions,
(2) identify suspected fraud cases, (3) investigate these cases,
and (4) refer those cases with sufficient evidence of suspected
fraud cases to law enforcement officials.
Suggested
Audit Procedures
a. Obtain and
evaluate the adequacy of the procedures used by the State Medicaid
agency to conduct utilization reviews and identifying suspected
fraud.
1. Consider
the qualifications of the personnel conducting the reviews and identifying
suspected fraud. Ascertain that the individuals possess the necessary
skill or knowledge by considering the following: (1) professional
certification, license, or specialized training; (2) the reputation
and standing of licensed medical professionals in the view of peers;
and, (3) experience in the type of tasks to be performed.
2. Consider
the personnel performing the utilization review and identifying
suspected fraud are sufficiently organized outside the control of
other Medicaid operations to objectively perform their function.
3. Ascertain
if the sampling plan implemented by the State Medicaid agency or
the PRO was properly designed and executed.
b. Test a sample
of the cases examined by State Medicaid agency or the PRO and ascertain
if such examinations were in accordance with the agency's procedures.
c. Test a sample
of the identified suspected cases of fraud and ascertain if the
agency took appropriate steps to investigate and, if appropriate,
make a referral.
d. Based on
the above procedures, consider the degree of reliance that can be
placed on the utilization review and identification of suspected
fraud in performing tests under sections A, B, and E.
2.
Inpatient Hospital and Long-Term Care Facility Audits
Compliance
Requirement - The State Medicaid agency pays for inpatient
hospital services and long term care facility services through the
use of rates that are reasonable and adequate to meet the costs
that must be incurred by efficiently and economically operated providers.
The State Medicaid agency must provide for the filing of uniform
cost reports for each participating provider. These cost reports
are used to establish payment rates. The State Medicaid agency must
provide for the periodic audits of financial and statistical records
of participating providers. The specific audit requirements will
be established by the State Plan (42 CFR section 447.253).
Audit
Objectives - To determine whether the State Medicaid agency
performed inpatient hospital and long term care facility audits
as required.
Suggested
Audit Procedures
a. Review the
State Plan and State Medicaid agency operating procedures and document
the types of audits performed (e.g., desk audits, field audits)
and the methodology for determining when audits are conducted, and
the objectives and procedures of the audits.
b. Through
examination of documentation, ascertain that the sampling plan was
carried out as planned.
c. Select a
sample of audits and ascertain if the audits were in compliance
with the State Medicaid agency's audit procedures.
d. Based on
the above, consider the degree of reliance that can be placed on
the inpatient hospital and long term care facility audits in performing
tests under sections A, B, and E.
3.
ADP Risk Analysis and System Security Review
Compliance
Requirement - State agencies must establish and maintain
a program for conducting periodic risk analyses to ensure that appropriate,
cost effective safeguards are incorporated into new and existing
systems. State agencies must perform risk analyses whenever significant
system changes occur. State agencies shall review the ADP system
security installations involved in the administration of HHS programs
on a biennial basis. At a minimum, the reviews shall include an
evaluation of physical and data security operating procedures, and
personnel practices. The State agency shall maintain reports on
its biennial ADP system security reviews, together with pertinent
supporting documentation, for HHS onsite reviews (45 CFR section
95.621).
Audit
Objective - To determine whether the State Medicaid agency
has performed the required ADP risk analyses and system security
reviews.
Suggested
Audit Procedures
a. Review the
State Medicaid agency's policies and procedures and document the
frequency, timing, and scope of ADP security reviews. This should
include any reviews following Statement on Auditing Standards No.
70 (SAS 70) which may have been performed on outside processors.
b. Consider
the appropriateness and extent of reliance on such reviews based
on the qualifications of the personnel performing the risk analyses
and security reviews and their organizational independence from
the ADP systems.
c. Review the
work performed during the most recent risk analysis and security
review.
d. Based on
the above, consider the degree of reliance that can be placed on
the ADP Risk Analysis and System Security Reviews in performing
tests under sections A, B, and E.
4.
Provider Eligibility
Compliance
Requirement - In order to receive Medicaid payments, providers
of medical services furnishing services must be licensed in accordance
with Federal, State, and local laws and regulations to participate
in the Medicaid program (42 CFR sections 431.107 and 447.10; and
section 1902(a)(9) of the Social Security Act) and the providers
must make certain disclosures to the State (42 CFR subpart B).
Audit
Objective - To determine whether providers of medical services
are licensed to participate in the Medicaid program in accordance
with Federal, State, and local laws and regulations, and whether
the providers have made the required disclosures to the State.
Suggested
Audit Procedures
a. Obtain an
understanding of the State plan's provisions for licensing and entering
into agreements with providers.
b. Select a
sample of providers receiving payments and ascertain if:
(1) The provider
is licensed in accordance with the State Plan.
(2) The agreement
with the provider complies with the requirements of the State Plan,
including the disclosure requirements of 42 CFR 455 subpart B.
5.
Provider Health and Safety Standards
Compliance
Requirement - Providers must meet the prescribed health
and safety standards for hospital, nursing facilities, and ICF/MR
(42 CFR part 442). The standards may be modified in the State plan.
Audit
Objective - To determine whether the State ensures that
hospitals, nursing facilities, and ICF/MR that serve Medicaid patients
meet the prescribed health and safety standards.
Suggested
Audit Procedures
a. Obtain an
understanding of the State Plan provisions which ensure that payments
are made only to institutions which meet prescribed health and safety
standards.
b. Select a
sample of payments for each provider type (i.e., hospitals, nursing
facilities, and ICF/MR) and ascertain if the State Medicaid agency
has documentation that the provider has met the prescribed health
and safety standards.
6.
Managed Care
Compliance
Requirement - A State may obtain a waiver of statutory
requirements in order to develop a system that more effectively
addresses the health care needs of its population. A waiver may
involve the use of a program of managed care for selected elements
of the client population or allow the use of program funds to serve
specified populations that would be otherwise ineligible (Sections
1115 and 1915 of the Social Security Act).
Audit
Objective - To determine whether the State is operating
managed care in compliance with the approved State plan waiver.
Suggested
Audit Procedures
a. Obtain an
understanding of the State plan's managed care waiver.
b. Perform
tests to ascertain if the State has a system to handle beneficiary
complaints of not receiving necessary care and provider complaints
of not receiving payments for services provided to Medicaid recipients.
c. Perform
tests to ascertain if the State has a system to ensure beneficiaries
have adequate access to health care from managed care organizations
which are being paid premiums on the beneficiaries' behalf.
|