On April 23, CMS Administrator Dr. Mehmet Oz sent a letter to all 50 Governors calling upon their Medicaid programs to “undertake a swift revalidation of Medicaid providers of services at high risk of waste, fraud, abuse, and corruption.” In the letter he requests that the Governor notify CMS within 10 business days (May 7) whether the state intends to carry out the “swift revalidation” and if so, on what timetable. “It is urgent,” he writes, “that action be taken immediately to address the rapid increase in fraud, waste, abuse, and corruption in Medicaid and to bar fraudulent actors from further abusing the program.” “Please be advised,” he warns, “that failure to carry out swift revalidation” will be considered as we evaluate the likelihood of fraud in each state moving forward.”
These letters were sent in tandem with the issuance of a letter to State Medicaid Directors (SMD), also signed by Dr. Oz (not the Director of the Center for Medicaid and CHIP Services as is customary). In addition to requesting a timeline for “swift revalidation” of “high-risk” providers within 10 days, the SMD requests that the Medicaid agency “develop and submit a comprehensive two-year provider revalidation (PR) strategy” within 30 days (June 5 on a business day basis). Among other elements, the strategy must include “a proposed methodology and timeline for conducting off-cycle provider revalidation, with a focus on high-risk providers, including providers without an NPI” (National Provider Identifier).” Pointedly, the SMD requires that the strategy be submitted by the state’s Medicaid Director, not by a designee.
Background
There is, regrettably, fraud against Medicaid, as there is against Medicare and commercial health insurers. Most of it is committed by bad actor providers. One of the primary tools for mitigating fraud against the program is to keep bad actors out of the program in the first place. The regulatory regime for doing so is provider screening and enrollment. (Enacted in the ACA, provider screening and enrollment applies to Medicare as well as Medicaid).
Under regulations adopted by CMS in 2011, state Medicaid programs must require all professionals who provide Medicaid services to be enrolled in the program as participating providers. All enrolled providers, whether individual or institutional, must be screened, both at initial enrollment and at revalidation of enrollment. States can determine the cadence of revalidation, but all providers must be revalidated at least once every five years.
There are three levels of “categorical risk:” limited, moderate, and high. Limited risk screening includes verification of provider licenses and a check of federal databases like the List of Excluded Individuals/Entities maintained by the OIG. Moderate risk screening includes the limited risk screening plus an on-site visit (announced or unannounced) to verify that the information submitted to the Medicaid agency is accurate. High risk screening includes both the limited and moderate risk screening plus the submission of fingerprints and a criminal background check. The state Medicaid agency designates the risk level that applies to each provider, except that some providers must be designated as high risk (for example, when the agency imposes a payment suspension based on a credible allegation of fraud, waste, or abuse).
This brief summary does not begin to do justice to the complexity of provider screening and enrollment. For the details, see the CMS Medicaid Provider Enrollment Compendium (MPEC).
Focus on “High-risk” Providers
Dr. Oz makes it quite clear that his highest priority is that providers designated by states as “high-risk” be revalidated more frequently than once every five years. In this connection, the SMD suggests that states “prioritize high-risk providers who have not been screened within the past 12 months for near-term revalidation.” And in his letter to the Governors he writes: “States have the ability to designate which providers are high-risk. However, CMS expects that your definition include any provider without a National Provider Identifier.” So much for state flexibility.
The NPI is a unique (10-digit) identification number assigned to providers of medical or other health services, both institutional providers (e.g., hospitals and nursing homes) and practitioners (e.g., physicians and nurses). The primary purpose is to identify a provider on health care claims. CMS regulations require that each provider furnishing services to Medicaid enrollees include its NPI on all claims the provider submits. In the case of claims for services ordered or referred, the claims must include the NPI or the ordering or referring physician or other professional. These requirements apply to both providers in fee-for-service Medicaid and providers in managed care networks.
Not all providers of Medicaid services have NPIs. For example, state Medicaid programs are not required to assign NPIs to Personal Care Attendants, and PCAs are not required to obtain NPIs. (PCAs make it possible for individuals with disabilities and frail elderly individuals to remain in their homes by assisting them with activities such as bathing, dressing, toileting, body movement, and feeding). CMS guidance makes clear, however, that states may elect to use NPIs to identify Personal Care Attendants. The guidance notes that an NPI “would be an efficient method of electronically recording which individual PCA provided personal care services for a particular beneficiary on a particular visit.” There does not appear to be any publicly-available national database on which states require PCAs to obtain NPIs.
It’s not clear what the evidence base is for Dr. Oz’s conviction that all PCAs or other providers of non-medical services who do not have NPIs should be subjected to “high-risk” screening. There are a wide range of non-medical Medicaid home care services in addition to those provided by PCAs (case management, home-delivered meals, non-medical transportation, etc.); many of those service providers may also not have NPIs. The lack of an NPI is not fraud. Of course, states must have program integrity policies and practices in place to protect against fraud by home care providers as well as all other provider types. But overly aggressive anti-fraud efforts focused on home care services, including frequent “high-risk” screening of those providers and limited data leading to mistaken conclusions, may jeopardize access to those services without reducing actual fraud against the program.
Observations
Dr. Oz appears to be extending his project on fraud against Medicaid to all 50 states (and presumably DC), not just Minnesota and other Democratic-led states. If this is not just performative, and all states are in fact held to the requirements of this letter, this is a welcome development. Reducing fraud against Medicaid is an imperative that state and federal officials can support on a bipartisan basis.
By focusing on provider revalidation, Dr. Oz recognizes that bad actor providers, not enrollees, are largely responsible for fraud against Medicaid and that keeping them out of the program is critical. And while overdue, his emphasis on a CMS “partnership” with states—rather than withholding federal funds from them—is the right approach to actually reducing fraud against the program. Again, if this holds, it is a very welcome development.
There are some indications that this effort may be more about generating headlines than addressing fraud. First, the SMD was published on the Fox News website yesterday and, as of this writing, has still not been published on the Medicaid.gov website, where the public would normally turn for information about official CMS actions. Second, both of Dr. Oz’s letters add the flourish of “corruption” to the long-standing “waste, fraud and abuse.” It’s unclear what exactly he means by “corruption,” but the expansion of the phrase has the potential to ratchet up the reputational insults against Medicaid.
Implications
A “swift revalidation” will not be quick, much less easy to administer. Depending on the state, it will require considerable time and staff resources. Consider Minnesota. Its Medicaid program has been the target of an unprecedented combination of federal funding withholds. As part of this ongoing battle, CMS on March 19 approved a Corrective Action Plan (CAP) submitted by the state Medicaid agency that includes a provision for off-cycle revalidation for providers in 13 service areas identified by the agency as high risk for fraud. Those services are largely home care services and non-medical transportation designed to keep individuals with disabilities and frail elderly in the community and out of institutions. The CAP will require “an in-person visit, fingerprint background study for individuals with a controlling interest in the provider organization, and verification of provider credentials for approximately 5,800 providers.”
This major undertaking began in late January with the sending of notices of revalidation requirements to providers; the target date for completion of all revalidations is May 31. Staff from across state government have been reassigned to this task to augment the provider revalidation staff of the state Medicaid agency—all at the same time as the agency has to prepare to implement the work reporting requirements and 6-month renewals for expansion adults mandated by H.R. 1.
The results of Minnesota’s revalidation efforts are not yet in, but when they are, other states—as well as advocates for people who are covered by Medicaid, providers, and other stakeholders — will want to study its experience to understand the impacts on provider participation, access to services, fraud against the program, and state administrative costs. Unfortunately, Dr. Oz’s 10 business-day deadline will limit the ability of other states to get the full benefit of this “lessons learned” opportunity. Given the complexity of provider revalidation—see the MPEC—that may prove to be a loss for all those concerned about reducing fraud against the program without undermining access to care.
.