Beta This is a new resource - your feedback will help us improve it.
Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations. Learn More
Summary of Recommendations Data
Updated Monthly · Last updated on May 17, 2023
1,380
Open recommendations since start of FY 2000
$249.9B
Potential savings from open recommendations
2,087
Closed recommendations since start of FY 2018
Explore Open Recommendations
-
The Risk of Misuse and Diversion of Buprenorphine for Opioid Use Disorder Appears to Be Low in Medicare Part D
- Evaluation
- OEI-02-22-00160
- HHS Agency
- CMS
- Issued
- 05/16/2023
- Report link
- Report pending
Recommendation text Responsible agency Potential savings CMS should follow up on the prescribers with concerning patterns identified in this report. CMS – CMS should monitor the use of buprenorphine and share information, as appropriate, with Departmental partners. CMS – CMS should inform providers about buprenorphine use and the low risk of diversion to encourage providers to treat more Part D enrollees who have opioid use disorder. CMS – CMS should take steps to inform providers about the availability of buprenorphine combination products in Part D, which can minimize the risk of misuse and diversion. CMS – -
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022
- Audit
- A-18-22-11200
- HHS Agency
- OS
- Issued
- 05/09/2023
- Report link
- Report pending
Recommendation text Responsible agency Potential savings We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the requirement to resolve high and critical vulnerabilities within 30 and 15 days respectively and create POA&Ms to monitor and resolve the weakness in a timely manner. OS – We recommend that the HHS OCIO work with the OpDivs to ensure the timely completion of PIAs for all systems to identify privacy and compliance risk with federal regulations or laws, tracking implementation of privacy controls, identifying instances where the Agency collects or handles PII and/or PHI subject to the Privacy Act of 1974. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the requirement to resolve high and critical vulnerabilities within 30 and 15 days respectively and create POA&Ms to monitor and resolve the weakness in a timely manner. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that OpDivs define and implement policy for data exfiltration, enhanced network defenses, e-mail authentication, and DNS infrastructure tampering mitigation and to ensure the OpDiv enforces implementation of data encryption in transit and at rest in accordance with HHS policy, NIST standards, and OMB guidance. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution and to implement oversight sufficient to ensure that all OpDivs review pre-defined privileged users' activities periodically and document the review and any follow-up activities for all systems. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs finalize and implement draft policies and procedures to include the review of suppliers or contractors for risks to the organization's systems and system components. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs create POA&Ms to monitor and resolve the weakness in a timely manner. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that secure configuration settings are being maintained as defined by existing policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that data encryption methods to protect data determined to be PII or sensitive are implemented across the organization for all systems. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all operational systems have multifactor or an alternative strong authentication mechanism (PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential) for both privileged and non-privileged users. OS – To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to implement automated CDM solutions to increase awareness and improve mitigation efforts across all of HHS. OS – We recommend that the HHS OCIO work with the OpDivs to consistently implement the requirement to assign risk designations, re-signing access agreements, and training for all systems so that OpDivs can restrict privileges for users based on risk designations. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all operational systems have multifactor or an alternative strong authentication mechanism (PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential) for both privileged and non-privileged users. OS – We recommend that the HHS OCIO work with the OpDivs to implement oversight procedures sufficient to ensure that all personnel complete role-based training in a timely manner. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the capability to deny access to mobile devices, such as smartphones and tablets, from connecting to the network if the device's software is outdated. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that operational systems have valid and current ATO's and that security controls are assessed annually as per HHS policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs remediate weaknesses identified during controls assessments and review/perform risk assessments within the timeframe established by HHS policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs finalize and implement draft policies and procedures to include the review of suppliers or contractors for risks to the organization's systems and system components. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs enforce its policies and procedures established to review users' activities periodically. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDiv's SCRM policies and procedures are being consistently implemented across the organization and ensure their execution. OS – To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to advance the SCRM program to implement defined standards across HHS. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that SCAs are conducted within the appropriate timeframe as defined by policy for all systems. OS – To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to ensure privileged users' logical access contains strong authentication mechanisms; and to confirm that OpDivs are periodically performing sufficient monitoring over privileged user access. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement its policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement its policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement its policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy. OS – To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS confirm that the OpDivs contingency plan testing is being performed within the timeframe required by HHS policy. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete its discovery of all information systems and maintain an up- to-date inventory of systems, software, and licenses. OS – We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete its discovery of all information systems and maintain an up- to-date inventory of systems, software, and licenses. OS – We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that ISCM policies and procedures are consistently implemented in accordance with NIST standards for all systems. OS – -
The Office of Refugee Resettlement Needs To Improve Its Practices for Background Checks During Influxes
- Audit
- A-06-21-07003
- HHS Agency
- ACF
- Issued
- 05/02/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Office of Refugee Resettlement re-evaluate the need for waivers of background checks and explore alternative means of obtaining required checks. ACF – We recommend that the Office of Refugee Resettlement re-evaluate the use of public records checks in lieu of, or prior to receiving the results of, FBI fingerprint and CA/N checks, and require a DOJ sex offender registry check in addition to a public records check if ORR determines there is a need to use public records checks. ACF – We recommend that the Office of Refugee Resettlement ensure that future awards and subawards for services that involve contact with children (e.g., transportation) include detailed information on background check requirements and specify that background checks must be conducted prior to hire. ACF – We recommend that the Office of Refugee Resettlement reiterate to EISs the importance of ensuring that access to a site is secure and that access badges are collected and deactivated for individuals who no longer require access to EISs. ACF – We recommend that the Office of Refugee Resettlement clarify and reissue guidance for background checks at EISs so that it is clear which checks are required, who is responsible for conducting the checks, and which checks must be conducted prior to hire. ACF – We recommend that the Office of Refugee Resettlement include a review of compliance by ICFs and EISs with all background check requirements and facility access as a part of ORR's routine site visit monitoring. ACF – We recommend that the Office of Refugee Resettlement ensure that all ICFs and EISs currently in operation have conducted the required background checks on current employees whose checks were not conducted or take action to ensure that these employees do not have direct access to children while any results of the checks are pending. ACF – -
Medicare Improperly Paid Providers for Some Psychotherapy Services, Including Those Provided via Telehealth, During the First Year of the COVID-19 Public Health Emergency
- Audit
- A-09-21-03021
- HHS Agency
- CMS
- Issued
- 05/02/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Centers for Medicare & Medicaid Services work with the MACs to based upon the results of this audit, notify appropriate providers (i.e., those for whom CMS determines this audit constitutes credible information of potential overpayments) so that the providers can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation. CMS – Now that CMS has reinstituted most program integrity measures, we also recommend that CMS take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Implement system edits for psychotherapy services, including services provided via telehealth, to prevent payments for services that were billed incorrectly. CMS – Now that CMS has reinstituted most program integrity measures, we also recommend that CMS take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Strengthen educational efforts to make providers aware of educational materials on how to meet Medicare requirements and guidance for psychotherapy services, including services provided via telehealth. CMS – Now that CMS has reinstituted most program integrity measures, we also recommend that CMS work with the MACs to take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Review MAC jurisdictions' LCD requirements for psychotherapy services to identify which provisions effectively promote program integrity, and consider additional steps that CMS could undertake to ensure appropriate coverage and payment for psychotherapy services across all jurisdictions. CMS – We recommend that the Centers for Medicare & Medicaid Services work with the MACs to recover $35,560 in improper payments made to providers for the 128 sampled enrollee days that did not meet Medicare requirements. CMS $35,560 Now that CMS has reinstituted most program integrity measures, we also recommend that CMS take the following steps, which if in effect during the audit period could have saved Medicare an estimated $579,667,510 during that period: Conduct medical reviews of psychotherapy services, including services provided via telehealth, to verify that the services are documented and billed in accordance with Medicare requirements. CMS $579,631,950 -
Medicare Could Have Saved Up To $128 Million Over 5 Years if CMS Had Implemented Controls To Address Duplicate Payments for Services Provided to Individuals With Medicare and Veterans Health Administration Benefits
- Audit
- A-09-22-03004
- HHS Agency
- CMS
- Issued
- 04/24/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Centers for Medicare & Medicaid Services issue guidance to providers on not billing Medicare for a medical service that was authorized by VHA. CMS – We recommend that the Centers for Medicare & Medicaid Services establish an interagency process to integrate VHA enrollment, claims, and payment data into the CMS IDR to identify potential fraud, waste, and abuse under the Medicare program. CMS – We recommend that the Centers for Medicare & Medicaid Services establish an internal process (such as system edits) to address duplicate payments made by Medicare for medical services authorized and paid for by VHA, which could have saved Medicare up to $128 million during our audit period. CMS $127,981,462 We recommend that the Centers for Medicare & Medicaid Services establish a comprehensive data-sharing agreement with VHA for the ongoing sharing of data. CMS – -
Crow/Northern Cheyenne Hospital—an IHS-Operated Health Facility—Did Not Timely Conduct Required Background Checks of Staff and Supervise Certain Staff
- Audit
- A-02-21-02004
- HHS Agency
- IHS
- Issued
- 04/21/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to update standard operating procedures for provisional staff supervision to address the deficiencies we identified in this report. IHS – We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to take action to complete background investigations for staff members identified in this report as not having a satisfactory background investigation and adjudicate the investigations that were still pending adjudication. IHS – We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to establish a monitoring system to ensure all elements of required background investigations in accordance with Federal requirements are completed within required timeframes. IHS – We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to update standard operating procedures for background investigations to address the deficiencies we identified in this report. IHS – We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to determine which staff members in contact with Indian children currently have a pending background investigation and take immediate action to ensure that there is adequate documented evidence that these staff members meet IHS sight and supervision requirements when children are in their care. IHS – We recommend that Crow/Northern Cheyenne Hospital, Billings Area Office, and Indian Health Service Headquarters work together to establish a monitoring system to ensure that the Hospital meets sight and supervision requirements for staff with pending background investigations and documents that they are met. IHS – -
CMS Did Not Accurately Report on Care Compare One or More Deficiencies Related to Health, Fire Safety, and Emergency Preparedness for an Estimated Two-Thirds of Nursing Homes
- Audit
- A-09-20-02007
- HHS Agency
- CMS
- Issued
- 04/10/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Centers for Medicare & Medicaid Services strengthen its processes for reviewing inspection results reported on Care Compare by requiring State survey agencies to verify that deficiencies shown in ASPEN are also shown in CASPER when they are preparing to conduct an inspection. CMS – We recommend that the Centers for Medicare & Medicaid Services strengthen its processes for reviewing inspection results reported on Care Compare by providing technical assistance and additional training to State survey agencies that are not following procedures in the State Operations Manual and ASPEN Central Office Procedures Guide for reporting deficiencies in ASPEN. CMS – We recommend that the Centers for Medicare & Medicaid Services strengthen its processes for reviewing inspection results reported on Care Compare by including in its manual quality assurance check a verification that nursing home inspection results are accurately reported. CMS – We recommend that the Centers for Medicare & Medicaid Services correct existing programming in ASPEN that prevented the 56 emergency preparedness deficiencies from being reported on Care Compare. CMS – We recommend that the Centers for Medicare & Medicaid Services ensure that any future revisions to the list of deficiencies that is used to describe deficiencies reported on Care Compare are accurate. CMS – We recommend that the Centers for Medicare & Medicaid Services evaluate whether additional modifications are needed to existing programming in CASPER that prevented the entry of 2 different inspections that were performed on the same date. CMS – We recommend that the Centers for Medicare & Medicaid Services correct the inaccurately reported deficiencies that we identified for the sampled nursing homes. CMS – -
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That HumanaChoice (Contract H6609) Submitted to CMS
- Audit
- A-05-19-00013
- HHS Agency
- CMS
- Issued
- 04/04/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that HumanaChoice refund to the Federal Government the $480,295 of net overpayments. CMS $480,295 We recommend that HumanaChoice examine its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements and take the necessary steps to enhance those procedures. CMS – We recommend that HumanaChoice identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government. CMS – -
Rhode Island Medicaid Fraud Control Unit: 2022 Inspection
- Evaluation
- OEI-07-22-00370
- HHS Agency
- MFCU
- Issued
- 03/29/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings Take steps to ensure that convictions and adverse actions are reported to Federal partners within the appropriate timeframes. OIG-MFCU – Update its policies and procedures manual to reflect current practices. OIG-MFCU – Establish policies and/or procedures to ensure that case files are maintained in an effective manner. OIG-MFCU – Assess the duties of the Supervisor of Investigations, and if warranted, develop a plan to reduce his nonmanagerial duties. OIG-MFCU – Take steps to track and verify that Unit staff meet requirements in its training plan. OIG-MFCU – Assess whether the Office of the Attorney General's case management system can be modified to fully meet the Unit's needs, and if appropriate, seek approval to implement its own case management system. OIG-MFCU – Develop a plan to ensure that case files include documentation of periodic supervisory reviews and update the Unit's policies and procedures manual to describe the Unit's current practices for periodic supervisory reviews. OIG-MFCU – -
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Cigna-HealthSpring Life & Health Insurance Company, Inc. (Contract H4513) Submitted to CMS
- Audit
- A-07-19-01192
- HHS Agency
- CMS
- Issued
- 03/28/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that Cigna-HealthSpring Life & Health Insurance Company, Inc. continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures. CMS – We recommend that Cigna-HealthSpring Life & Health Insurance Company, Inc. refund to the Federal Government the $468,372 of overpayments. CMS $468,372 We recommend that Cigna-HealthSpring Life & Health Insurance Company, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government. CMS – -
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That MCS Advantage, Inc. (Contract H5577) Submitted to CMS
- Audit
- A-02-20-01008
- HHS Agency
- CMS
- Issued
- 03/24/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that MCS Advantage, Inc. refund to the Federal Government the $220,577 of net overpayments. CMS $220,577 We recommend that MCS Advantage, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government. CMS – We recommend that MCS Advantage, Inc. continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures. CMS – -
Maryland's Child Support Administration Generally Claimed Administrative Costs That Were Allowable and Allocable
- Audit
- A-01-22-02500
- HHS Agency
- ACF
- Issued
- 03/23/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Maryland Department of Human Services, Child Support Administration periodically review the support of payroll costs invoiced by the AOC. ACF – We recommend that the Maryland Department of Human Services, Child Support Administration periodically review the allocation of payroll costs invoiced by the AOC. ACF – We recommend that the Maryland Department of Human Services, Child Support Administration verify that the AOC calculates indirect costs charged to the CSE program by applying the de minimis rate of 10 percent to the correct allocation base. ACF – -
Medicare Improperly Paid Physicians an Estimated $30 Million for Spinal Facet-Joint Interventions
- Audit
- A-09-22-03006
- HHS Agency
- CMS
- Issued
- 03/22/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Centers for Medicare & Medicaid Services encourage the MACs to: (1) develop collaborative training programs to be used for all of the MAC jurisdictions and that are specific to Medicare requirements for facet-joint interventions, which could have saved an estimated $29,566,172 for our audit period; and (2) develop solutions to prevent the incorrect billing of diagnostic facet-joint injections as therapeutic facet-joint injections, such as developing additional education specific to billing injections with modifier KX or updating guidance on how each type of injection should be billed. CMS $29,548,088 We recommend that the Centers for Medicare & Medicaid Services instruct the MACs to, based upon the results of this audit, notify appropriate physicians (i.e., those for whom CMS determines this audit constitutes credible information of potential overpayments) so that the physicians can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation. CMS – We recommend that the Centers for Medicare & Medicaid Services direct the MACs to recover $18,084 in improper payments made to physicians for the 66 sampled sessions for facet-joint interventions. CMS $18,084 -
Missouri's Oversight of Certified Individualized Supported Living Provider Health and Safety Could Be Improved in Some Areas
- Audit
- A-07-21-03247
- HHS Agency
- CMS
- Issued
- 03/21/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Missouri Department of Social Services, Missouri HealthNet Division ensure that the Missouri Department of Mental Health consider strengthening its background screening requirements for ISL providers to include periodic background screenings of staff after the date of hire and establish a timeframe for doing so. CMS – We recommend that the Missouri Department of Social Services, Missouri HealthNet Division ensure that the Missouri Department of Mental Health maintains all supporting documentation of the ISL provider certification surveys. CMS – We recommend that the Missouri Department of Social Services, Missouri HealthNet Division ensure that the Missouri Department of Mental Health consider strengthening its infection control and prevention guidelines for ISL providers to include periodic training of staff after the date of hire. CMS – We recommend that the Missouri Department of Social Services, Missouri HealthNet Division ensure that the Missouri Department of Mental Health works to improve the completion timeliness of the certification surveys. CMS – We recommend that the Missouri Department of Social Services, Missouri HealthNet Division ensure that the Missouri Department of Mental Health continues to monitor ISL providers to ensure that providers maintain documentation to support that: ISL provider staff have taken all required trainings; background screenings of all ISL provider staff have been performed in a timely manner; all ISL provider staff who transport recipients possess current and valid driver's licenses; and all recipients have received an annual review of the DMH individual rights brochure and a monthly visit from a service coordinator. CMS – -
The District of Columbia Has Taken Significant Steps To Ensure Accountability Over Amounts Managed Care Organizations Paid to Pharmacy Benefit Managers
- Audit
- A-03-20-00200
- HHS Agency
- CMS
- Issued
- 03/16/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the District of Columbia Department of Health Care Finance develop policies and procedures for validating MCO, PBM, and pharmacy transactions on a periodic basis to ensure transparency of costs associated with the prescription drug program. CMS – -
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Geisinger Health Plan (Contract H3954) Submitted to CMS
- Audit
- A-09-21-03011
- HHS Agency
- CMS
- Issued
- 03/16/2023
- Report link
- Report pending
Recommendation text Responsible agency Potential savings We recommend that Geisinger Health Plan identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before and after our audit period and refund any resulting overpayments to the Federal Government. CMS – We recommend that Geisinger Health Plan refund to the Federal Government the $566,476 of net overpayments. CMS $566,476 We recommend that Geisinger Health Plan examine its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures. CMS – -
Georgia Did Not Comply With Federal Waiver and State Requirements at All 20 Adult Day Health Care Facilities Reviewed
- Audit
- A-04-22-00134
- HHS Agency
- CMS
- Issued
- 03/14/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Georgia Department of Community Health work with providers to improve their facilities, staffing, and training. CMS – We recommend that the Georgia Department of Community Health ensure that providers correct the 312 instances of provider noncompliance identified in this report. CMS – We recommend that the Georgia Department of Community Health improve its oversight and monitoring of providers. CMS – -
Georgia Did Not Always Invoice Rebates to Manufacturers for Pharmacy and Physician-Administered Drugs
- Audit
- A-04-21-08089
- HHS Agency
- CMS
- Issued
- 03/13/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Georgia Department of Community Health complete the process for rebating pharmacy drug claims totaling $1,240,894 (Federal share) for single-source and $360,454 (Federal share) for multiple-source drugs that it had not previously sent for invoicing or refund the Federal share. CMS $1,601,348 We recommend that the Georgia Department of Community Health work with CMS to determine and refund the unallowable portion of $52,837 (Federal share) for other multiple-source physician-administered drug claims that may have been ineligible for Federal reimbursement and consider invoicing drug manufacturers for rebates for those drug claims that CMS determines are allowable. CMS $52,837 We recommend that the Georgia Department of Community Health work with CMS to determine and refund the unallowable portion of Federal reimbursement for physician-administered drug claims that were not invoiced for rebates after December 31, 2019. CMS – We recommend that the Georgia Department of Community Health refund to the Federal Government $9,325 (Federal share) for top-20 multiple-source physician-administered drug claims that were ineligible for Federal reimbursement. CMS $9,325 We recommend that the Georgia Department of Community Health refund to the Federal Government $644,802 (Federal share) for single-source physicianadministered drug claims that were ineligible for Federal reimbursement. CMS $644,802 We recommend that the Georgia Department of Community Health strengthen its internal controls to ensure that all pharmacy and physician-administered drugs eligible for rebates are invoiced. CMS – -
Medicare Improperly Paid Physicians for Epidural Steroid Injection Sessions
- Audit
- A-07-21-00618
- HHS Agency
- CMS
- Issued
- 03/10/2023
- Report link
- View report
Recommendation text Responsible agency Potential savings We recommend that the Centers for Medicare and Medicaid Services assess the effectiveness of oversight mechanisms, put in place after our audit period, that are specific to preventing or detecting improper payments to physicians for more than 4 epidural steroid injection sessions in a 12-month period and modify the oversight mechanisms, if necessary, based on that assessment. CMS – We recommend that the Centers for Medicare and Medicaid Services instruct the MACs to, based on the results of this audit, notify appropriate physicians (i.e. those for whom CMS determines this audit constitutes credible information of potential overpauments) so that the physicians can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation. CMS – We recommend that the Centers for Medicare and Medicaid Services direct the MACs to recover the $3,585,422 in improper payments made to physicians for epidural steroid injection sessions. CMS $3,585,422 We recommended that Centers for Medicare and Medicaid Services direct the MACs (or other CMS-designated entities) to review a sample of claims for epidural steroid injection sessions administered during the period beginning on January 1, 2021, and ending on the date that the revised coverage limitations (i.e., up to four sessions per 12-month period) became effective in the relevant MAC's jurisdiction (I.e. December 5, 2021, and June 19, 2022), to identify instances in which Medicare paid physicians for injection sessions that exceeded the number of allowable sessions (in accordance with the applicable LCDs) and recover any improper payments identified. CMS – -
Michigan MMIS and E&E Systems Security Controls Were Generally Effective, but Some Improvements Are Needed
- Audit
- A-18-20-08004
- HHS Agency
- CMS
- Issued
- 03/09/2023
- Report link
- Report pending
Recommendation text Responsible agency Potential savings We recommend that the Michigan Department of Health assess the effectiveness of all required NIST SP 800-53 controls according to the organization's defined frequency. CMS – We recommend that the Michigan Department of Health assess the cryptographic configurations of public servers at least annually and adjust if the requirements have changed. CMS – We recommend that the Michigan Department of Health remediate the six security control findings OIG identified. CMS –