State Medicaid Fraud Control Units; Data Mining
This proposed rule amends a provision in HHS regulations that prohibits State Medicaid Fraud Control Units (MFCU) from using Federal matching funds to identify fraud through screening and analyzing State Medicaid claims data, known as data mining. To support and modernize MFCU efforts to effectively pursue Medicaid provider fraud, we propose to permit Federal Financial Participation (FFP) in the costs of defined data mining activities under specified conditions. In addition, we propose that MFCUs annually report the costs and results of approved data mining activities to OIG.
Table of Contents
- I. Background
- II. Provisions of the Proposed Regulation
- III. Regulatory Impact Statement
- A. Regulatory Analysis
- Executive Order 12866
- Unfunded Mandates Reform Act
- Regulatory Flexibility Act
- Executive Order 13132
- B. Paperwork Reduction Act
- IV. Public Inspection of Comments and Response to Comments
In commenting, please refer to file code OIG-1203-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.
You may submit comments in one of three ways (please choose only one of the ways listed):
1. Electronically. You may submit electronic comments on specific recommendations and proposals through the Federal eRulemaking Portal at http://www.regulations.gov.(Attachments should be in Microsoft Word, if possible.)
2. By regular, express, or overnight mail. You may send written comments to the following address: Office of Inspector General, Department of Health and Human Services, Attention: OIG-1203-P, Room 5541, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201. Please allow sufficient time for mailed comments to be received before the close of the comment period.
3. By hand or courier. If you prefer, you may deliver, by hand or courier, your written comments before the close of the comment period to Office of Inspector General, Department of Health and Human Services, Cohen Building,330 Independence Avenue, SW., Washington, DC 20201. Because access to the interior of the Cohen Building is not readily available to persons without Federal Government identification, commenters are encouraged to schedule their delivery with one of our staff members at (202) 619-1343.
For information on viewing public comments, please see the SUPPLEMENTARY INFORMATION section.
For further information contact: ↑
Richard Stern, Department of Health & Human Services, Office of Inspector General, (202) 619-0480.
Supplementary information: ↑
Inspection of Public Comments: All comments received before the end of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. All comments will be posted on http://www.regulations.gov as soon as possible after they have been received. Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at Office of Inspector General, Department of Health and Human Services, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201, Monday through Friday of each week from 10 a.m. to 5 p.m. To schedule an appointment to view public comments, phone (202) 619-1368.
I. Background ↑
In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments (Pub. L. 95-142) were enacted to strengthen the capability of the Government to detect, prosecute, and punish fraudulent activities under the Medicare and Medicaid programs. Section 17(a) of the statute amended section 1903(a) of the Social Security Act (the Act) to provide for Federal participation in the costs attributable to establishing and operating an MFCU. The requirements for operating an MFCU appear at section 1903(q) of the Act. Regulations implementing the MFCU authority appear at 42 CFR part 1007 and were promulgated in 1978.
Section 1903(a)(6) of the Act requires the Secretary of Health and Human Services (the Secretary) to pay FFP to a State for MFCU costs “found necessary by the Secretary for the elimination of fraud in the provision and administration of medical assistance provided under the State plan.” Under the section, States receive 90 percent FFP for an initial 3 year period for the costs of establishing and operating a MFCU, including the costs of training, and 75 percent FFP thereafter. Presently, all States with MFCUs receive FFP at a 75 percent rate. General administrative costs of operating a State Medicaid program are reimbursed at a rate of 50 percent, although enhanced FFP rates are available for other activities, including those associated with Medicaid management information systems (MMIS).
To increase MFCU effectiveness in eliminating Medicaid fraud, we propose to modify an existing prohibition on the payment of FFP for activities generally known as “data mining.” We discuss the reasons for this proposed modification below.
For the purposes of this proposed rule, we are using the term “data mining” to refer specifically to the practice of electronically sorting Medicaid claims through statistical models and intelligent technologies to uncover patterns and relationships contained within the Medicaid claims activity and history to identify aberrant utilization and billing practices that are potentially fraudulent.
Routine program monitoring activities, including data mining, are conducted through analysis of Medicaid data and have historically been the responsibility of each State Medicaid agency. This practice places the sole burden of identifying potentially fraudulent practices based on this type of analysis on the State Medicaid agencies and requires the MFCUs to remain highly dependent on referrals from State Medicaid agencies and other external sources.
While MFCUs may have access to Medicaid data, which currently may be used for the purposes of individual case development, they do not have the authority to claim FFP to conduct data mining to identify potential Medicaid fraud and, therefore, are limited to relying on referrals from State Medicaid agencies based on the State agencies' analysis methods, tools, and techniques. Many MFCUs work actively with a variety of State agencies and private referral sources, such as individual providers and private citizens, to identify possible fraud or cases of patient abuse and neglect and to undertake detection activities.
We believe that amending the existing regulation to permit FFP in data mining activities will be an efficient use of available resources. At the Federal level, analysis of claims data has increased OIG's effectiveness in deploying law enforcement resources and proactively identifying suspected fraud. Using data analysis, Medicare Fraud Strike Forces operated by HHS and the U.S. Department of Justice have identified seven “hot spots” based on high indicators of fraud against the Medicare program. The Strike Forces analyze Medicare data to identify unexplained high-billing levels in concentrated areas so that interagency teams can target emerging or migrating schemes along with chronic fraud. By using data mining and other law enforcement tools to efficiently focus Federal law enforcement activities, Medicare Fraud Strike Force efforts have resulted in hundreds of criminal charges, convictions and more than $355 million in court-ordered restitutions, fines and penalties for fraud against the Medicare program since 2007. We could not attribute these results directly to use of data mining and data analysis techniques alone. Moreover, we would not expect individual State MFCUs to produce results comparable to the combined efforts of HHS and DOJ in a high priority national Medicare investigative and prosecutorial effort. However, we anticipate that data mining by MFCUs at the State level could enhance the MFCU's ability to counter new and existing fraud schemes by more effectively identifying early fraud indicators. In addition, data mining would equip MFCUs with more modern tools that have been shown at the Federal level to help increase the numbers of credible investigative leads, pursue recoveries, and detect emerging fraud and abuse schemes and trends.
The 1978 publication of the final rule now codified in 42 CFR part 1007 addressed in some detail the relationship between the MFCUs and the State Medicaid agency. In response to a comment that MFCUs should be responsible for the “investigation of non-fraudulent program abuse,” the preamble to the final rule noted that functions such as “claims processing, utilization control and other reviews or analysis” are already subject to incentive funding as part of the mechanized claims processing systems operated by the State Medicaid agency (43 FR 32078, 32080-32081 (July 24, 1978)). The preamble stated that “there is no indication that Congress intended an overlap of funding for such matters” (43 FR 32081). Data mining is one such function that may be conducted as part of the State Medicaid agency's mechanized claims processing system and is subject to Federal reimbursement received by State Medicaid agencies.
Since issuance of the 1978 rule, tools and methods for identifying aberrant patterns in claims data have advanced significantly and become more widely available. At the same time, health carefraud schemes have become more sophisticated. Use of data mining technology is a strategy that is routinely used by law enforcement agencies to identify billing patterns and provider linkages that may have been previously undetected with traditional methods of claims review. We believe that allowing MFCUs the ability to receive funding for use of sophisticated data mining technology would allow them to marshal their resources more effectively and take full advantage of their expertise in detecting and investigating Medicaid fraud. It would also allow the MFCUs to operate without relying solely on individual case referrals from a Medicaid program integrity unit or from other sources.
“Review contractors” selected by the CMS Medicaid Integrity Group also may perform data mining as part of their activities. Therefore, MFCUs that receive approval to conduct data mining as part of their respective memorandums of understanding would need to coordinate their activities both with State Medicaid agencies and the review contractors. All review contractors already operate under a “Joint Operating Agreement” with each of the States in which they are operating. Review contractors are also required to share with MFCUs, as well as with other interested law enforcement or oversight agencies, the algorithms they are using and the identity of any targets that are identified as a result of their data mining activities.
A 2007 OIG study identified variability among States in the level of cooperation in identifying cases of potential fraud and in the number and quality of referrals from State Medicaid agencies to MFCUs (Suspected Medicaid Fraud Referrals, OEI-07-04-00181, January 2007). Based on the variability found in this study, we believe that allowing MFCUs to claim FFP to conduct data mining, performed in cooperation with the State Medicaid agencies, would reduce such variability and increase the level of referrals in some States.
We believe that three elements are critical to ensuring the effective use of data mining by MFCUs. First, we believe that MFCUs and State Medicaid agencies must fully coordinate the MFCUs' use of data mining and the identification of possible provider fraud. For example, MFCUs should not pursue fraud investigations without determining whether the State Medicaid agency is considering an overpayment or other administrative action for the same provider. Second, programmatic changes (for example, changes in billing codes) may result in certain data appearing aberrant when in fact they are not. In such situations, MFCU staff conducting data mining would need to rely on the programmatic knowledge of State Medicaid agency staff to appropriately identify possible instances of fraud. Third, we believe that MFCU staff would need to be properly trained in data mining techniques.
For these reasons, we are proposing to include additional language in 42 CFR section 1007.20 that establishes the following conditions under which an MFCU may claim FFP in costs of data mining: (1) The MFCU describes the duration of the data mining activity and the amount of staff time to be expended; (2) the MFCU identifies the methods of cooperation between the MFCU and Medicaid agency, and between the MFCU and review contractors selected by the CMS Medicaid Integrity Group; and (3) MFCU employees engaged in data mining receive specialized training in data mining techniques. We are also proposing that the agreement between the MFCU and Medicaid agency, required under section 1007.9(d) of the regulations, describe how the MFCU will satisfy these conditions and that OIG, as the oversight agency for the MFCUs, must approve this part of the agreement. OIG would review and approve proposed agreements in consultation with CMS. FFP will only be available to those States that satisfy the conditions at section 1007.20 and receive approval from OIG.
Including the terms of an MFCU's data mining in the existing agreement with the Medicaid agency would be logical and efficient. Data mining has been the traditional province of State Medicaid agencies and depends upon access to data maintained by the Medicaid agencies. Thus, data mining requires unique coordination of the resources and expertise of both an MFCU and a State Medicaid agency to avoid duplication and to leverage each agency's resources. We do not intend that this coordination, as part of the agreement between the agencies, interfere with an MFCU's independence or its separate and distinct identity. As before, a Medicaid agency may not provide ongoing scrutiny or review of an MFCU's data mining activities and under no circumstances would a State Medicaid agency be able to prevent or prohibit an MFCU from initiating, carrying out or completing an investigation or prosecution that may result from data mining.
We are also proposing to add a provision that requires those MFCUs approved to claim FFP and engage in data mining to include the following information in their annual report: Costs associated with expenditures attributed to data mining activities; the number of cases generated from those data mining activities; the outcome and status of those cases; and monetary recoveries resulting from those activities. This information will be used by OIG in conducting its oversight and monitoring of the MFCUs.
II. Provisions of the Proposed Regulation ↑
Federal regulations at 42 CFR 1007.19(e)(2) specify that State MFCUs are prohibited from using Federal matching funds to conduct “efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with recipients of whether services billed by providers were actually received.” The prohibition on Federal matching for “screening of claims [and] analysis of patterns of practice” is commonly interpreted as a prohibition on Federal matching for the costs of data mining by MFCUs. We propose to amend section 1007.19(e) to provide for an exception to this general prohibition on FFP under conditions described in new section 1007.20.
We propose to add a new section 1007.20 that would describe the conditions under which the Federal share of data mining costs would be available to MFCUs. We would also amend section 1007.1 (Definitions) by adding a definition of data mining for the purposes of this rule. Finally, the proposed rule would amend 42 CFR section 1007.17 (Annual Report) to include additional reporting requirements by MFCUs to capture costs associated with expenditures attributed to data mining activities; the number of cases generated from those data mining activities; the outcome and status of those cases; and monetary recoveries resulting from those activities.
III. Regulatory Impact Statement ↑
A. Regulatory Analysis ↑
We have examined the impacts of this proposed rule as required by Executive Order 12866, the Unfunded Mandates Reform Act of 1995, and the Regulatory Flexibility Act of 1980 (RFA) (Pub. L. 96-354).
Executive Order 12866 ↑
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximizenet benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any given year). Since this proposed regulation will not have a significant effect on program expenditures and as there are no additional substantive costs to implement the resulting provision, we do not consider this to be a major rule.
The proposed rule would allow MFCUs to obtain Federal matching funds to conduct data mining in efforts to detect potential fraudulent activity. We believe that the aggregate economic impact of this rule will be minimal and will have no significant effect on the economy or on Federal or State expenditures. However, since MFCUs have until this year not conducted data mining, we have only limited information about costs and benefits at the State level. One State MFCU, Florida, received approval from the Secretary of Health and Human Services to conduct data mining as a demonstration project under section 1115 of the Social Security Act that commenced on August 1, 2010.
Any economic impact from reimbursing State MFCU data mining activities will likely result in savings of both State and Federal dollars. For the MFCU community as a whole, the return on investment from MFCU activities (calculated from the ratio of total reported dollar value of civil and criminal recoveries to the total dollar value of Federal and State expenditures for all MFCUs) exceeded 6.0 for the last 3 available years, Federal Fiscal Years (FYs) 2007, 2008, and 2009. This ratio does not reflect the considerable output of the MFCUs related to their criminal prosecutions that do not result in monetary recoveries, including more than 1,200 criminal convictions for each of FYs 2007, 2008, and 2009.
We anticipate that the return on investment from data mining activities by the MFCUs will enhance the ability of MFCUs to effectively target and deploy existing enforcement resources, which is expected to result in increased numbers of enforcement actions and recoveries. To the extent that there is any economic impact, that impact will likely result in savings of Federal and State dollars.
Unfunded Mandates Reform Act ↑
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1531-1538) establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under UMRA, before issuing any rule that may result in costs greater than $110 million to State, local, or tribal governments, in the aggregate, or to the private sector, agencies must assess the rule's anticipated costs and benefits. This proposed rule does not impose any Federal mandates on any State, local, or tribal government or the private sector within the meaning of UMRA, and thus, a full analysis under UMRA is not necessary.
Regulatory Flexibility Act ↑
The Regulatory Flexibility Act (RFA) (5 U.S.C. 601et seq.) generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. For the purposes of RFA, small entities include small businesses, certain nonprofit organizations, and small government jurisdictions. Individuals and States are not included in this definition of a small entity. This proposed rule would revise regulations that prohibit State MFCUs from using Federal matching funds to conduct “efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with recipients of whether services billed by a provider were actually received.” These revisions impose no significant economic impact on a substantial number of small entities. Therefore, the undersigned certifies that this rule will not have a significant impact on a substantial number of small entities.
Executive Order 13132 ↑
Executive Order 13132 (entitled “Federalism”) prohibits, to the extent practicable and permitted by law, an agency from promulgating a regulation that has federalism implications and either imposes substantial direct compliance costs on State and local governments and is not required by statute, or preempts State law, unless the relevant requirements of section 6 of the Executive Order are met. This rule does not have federalism implications and does not impose substantial direct compliance costs on State and local governments or preempt State law within the meaning of the Executive Order.
B. Paperwork Reduction Act ↑
Under the Paperwork Reduction Act (PRA) of 1995, before a collection-of-information requirement is submitted to Office of Management and Budget (OMB) for review and approval, we are required to provide a 60-day notice in the Federal Register and solicit public comment. We propose to require that MFCUs report annually on the costs of data mining and the outcomes of cases identified, including monetary recoveries. In order to evaluate fairly whether this information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:
• The need for the information collection and its usefulness in carrying out the proper functions of our agency;
• The accuracy of our estimate of the information collection burden;
• The quality, utility, and clarity of the information to be collected; and
• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section. Comments on these information collection activities should be sent to the following address within 60 days following the Federal Register publication of this proposed rule: OIG Desk Officer, Office of Management and Budget, Room 10235, New Executive Office Building, 725 17th Street, NW., Washington, DC 20053.
IV. Public Inspection of Comments and Response to Comments ↑
Comments will be available for public inspection beginning May 16, 2011, in Room 5541, Office of External Affairs, Office of Inspector General, at 330 Independence Avenue, SW., Washington, DC 20201, from Monday through Friday of each week (Federal holidays excepted) between the hours of 10 a.m. and 5 p.m., (202) 619-1368.
Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and will respond to the comments in the preamble of the final rule.
List of subjects in 42 cfr part 1007 ↑
Administrative practice and procedure, Fraud, Grant programs—health, Medicaid, Reporting and recordkeeping requirements.
Accordingly, 42 CFR part 1007 is proposed to be amended as set forth below:
Part 1007—[amended] ↑
1. Revise the authority citation to part 1007 to read as follows:
42 U.S.C. 1396b(a)(6), 1396b(b)(3), 1396b(q), and 1302.
2. In § 1007.1, add in alphabetical order the definition for “data mining” to read as follows:§ 1007.1 * * * * *
Data mining is defined as the practice of electronically sorting Medicaid claims through statistical models and intelligent technologies to uncover patterns and relationships contained within the Medicaid claims activity and history to identify aberrant utilization and billing practices that are potentially fraudulent.* * * * *
3. In § 1007.17, add paragraph (i) to read as follows:§ 1007.17 * * * * *
(i) All costs expended that year attributed to data mining activities under § 1007.20; the number of cases generated from those data mining activities; the outcome and status of those cases, including the expected and actual monetary recoveries (both Federal and non-Federal share); and any other relevant indicia of return on investment from such activities.* * * * *
4. In § 1007.19, revise paragraph (e)(2) to read as follows:§ 1007.19 * * * * *
(e) * * *
(2) Routine verification with recipients of whether services billed by providers were actually received, or, except as provided in section 1007.20, efforts to identify situations in which a question of fraud may exist, including the screening of claims and analysis of patterns of practice that involve data mining as defined in section 1007.1;* * * * *
5. Add § 1007.20 to read as follows:§ 1007.20
(a) Notwithstanding § 1007.19(e)(2), a unit may engage in data mining and receive Federal Financial Participation only under the three following conditions:
(1) The activity has a defined duration and staff time devoted to the activity is described;
(2) The MFCU identifies the methods of cooperation between the MFCU and State Medicaid agency as well as a primary point of contact for data mining at the two agencies; and
(3) MFCU employees engaged in data mining receive specialized training in data mining techniques.
(b) The MFCU shall describe how it will comply with each of the conditions described in paragraph (a) of this section as part of the agreement required by § 1007.9(d).
(c) The Office of Inspector General, Department of Health and Human Services, in consultation with the Centers for Medicare & Medicaid Services, approves in advance the provisions of the agreement as defined in paragraph (b) of this section.Dated: May 14, 2010. Daniel R. Levinson, Inspector General. Dated: October 15, 2010. Kathleen Sebelius, Secretary, Department of Health and Human Services.
Editorial note: ↑
This document was received in the Office of the Federal Register on March 10, 2011.