Recommendations Tracker

We recommended that CMS ensure that all necessary information is included in the CWF edits to accurately identify and prevent incorrect payments for nonphysician outpatient services provided within 3 days before the date of admission, on the date of admission, or during IPPS stay.

We recommended that CMS direct the MACs to, based upon the results of this audit, notify the appropriate providers so that the providers can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation.

ASPR should clarify HPP guidance that HCCs’ membership should ensure strategic, comprehensive coverage of their communities’ gaps in preparedness and response.

ASPR should identify ways to incentivize core member participation in HCCs.

We recommend that the North Carolina Department of Health and Human Services, Division of Health Benefits reclassify $124,636,146 ($112,172,531 Federal share) from health home expenditures to PCCM expenditures.

We recommend that the Illinois Department of Human Services conduct all required criminal background checks for the 2 individuals we reviewed who did not have all required checks at the time of our data requests and site visits.

We recommend that the Illinois Department of Human Services ensure that childcare providers notify the State when a new employee is hired or a new household member is added so that the State may conduct the required criminal background checks.

We recommend that Grand Desert Psychiatric Services refund to Noridian $421,272 in estimated overpayments for psychotherapy services.

We recommended that Grand Desert Psychiatric Services implement policies and procedures to ensure that psychotherapy services billed to Medicare are adequately documented, including the time spent on those services.

We recommended that Grand Desert Psychiatric Services improve its billing system to ensure that Medicare claims identify the correct provider of psychotherapy services.

We recommend that Palmetto Government Benefits Administrator, LLC decrease the Medicare segment pension assets by $2,126,821 and recognize $73,630,103 as the Medicare segment pension assets as of January 1, 2017.

We recommend that Companion Data Services, LLC decrease the Medicare segment pension assets by $777,081 and recognize $17,276,454 as the Medicare segment pension assets as of January 1, 2017.

We recommend that Palmetto Government Benefits Administrator, LLC, revise its FACP for FY 2012 to reduce its claimed Medicare pension costs by $42,054.

We recommend that Palmetto Government Benefits Administrator, LLC, revise its FACP for FY 2012 to decrease its Medicare PRB costs by $11,699.

We recommend that the Administration for Children and Families take steps through the bankruptcy process to recover $1,196,293 in Federal Head Start funds based on CCCDP’s approximately $1,495,366 non-Federal share shortfall.

We recommend that the Michigan Department of Health and Human Services refund $1,217,800 of overpayments not reported on the Form CMS-64.

We recommend that the Michigan Department of Health and Human Services refund $648,194 of overpayments not reported from the previous audit (A-05-09-00103) on the Form CMS-64.

We recommend that the Indian Health Service establish an edit in the RCIS to enforce the requirement that each beneficiary submits documentation showing that he or she meets the geographic component of IHS’s eligibility requirements.

We recommend that the Indian Health Service conduct outreach to beneficiaries and providers to ensure that they submit notifications of healthcare services within 72 hours (or 30 days for elderly and disabled beneficiaries).

We recommend that the Indian Health Service educate providers about informing beneficiaries that they must notify IHS if they have alternate resources that may cover health services.

We recommend that the Indian Health Service work with IHS’s fiscal intermediary to ensure that the fiscal intermediary pays completed claim requests within 30 days of claim submission and work with providers to ensure that they submit accurate and complete claims in a timely manner.

We recommend that the Centers for Medicare & Medicaid Services increase the number of postpayment reviews of IPF claims to provide IPFs with more feedback on their compliance with Medicare requirements.

We recommend that the Centers for Medicare & Medicaid Services, while the certification requirements remain in place, revise regulations or guidance to IPFs to require that physician certifications and recertifications be in a specific form, format, or language.

We recommend that the Centers for Medicare & Medicaid Services conduct a study to determine whether outlier payments are being made only for cases with unusually high costs, and, if not, consider designing and testing alternatives to the current outlier payment methodology.

We recommend that the Centers for Medicare & Medicaid Services determine whether patient in-hospital fall rates should be added to the IPFQR program and whether CMS should require present-on-admission indicators on claims as an aid to tracking in-hospital falls.

We recommend that Residential Home Health for the estimated $2,068,902 overpayment for claims that are outside of the Medicare reopening period, exercise reasonable diligence in identifying and returning overpayments in accordance with the 60-day rule, and identify any returned overpayments as having been made in accordance with this recommendation.

We recommend that Residential Home Health strengthen its procedures to ensure that the homebound statuses of Medicare beneficiaries are verified and continually monitored and the specific factors qualifying beneficiaries as homebound are documented and beneficiaries are receiving only reasonable and necessary skilled services.

We recommend that New York State Department of Health bill for and collect from manufacturers rebates for single-source and top-20 multiple-source pharmacy and physician-administered drugs and refund the estimated $7,846,147 (Federal share).

We recommend New York State Department of Health strengthen its internal controls to ensure that all pharmacy and physician-administered drugs eligible for rebates are invoiced.

We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise refund $37,132,109 to the Federal Government.

We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise revise the State plan to define the documentation requirements that health home providers must follow to bill and receive the higher IHH PMPM payments for intense IHH services, and educate providers on these requirements.

We recommend that the New Hampshire Department of Health and Human Services conduct or renew all required criminal background checks for the 98 individuals we reviewed who did not have all required checks or who had expired background checks at the time of our data requests and site visits.

We recommend that the New Hampshire Department of Health and Human Services determine whether it is feasible to increase the ratio of State licensing inspectors to childcare providers to meet industry standards so that it can review all employee criminal background checks at all childcare centers.

HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to an effective state across HHS. This strategy should include the following. Perform a risk assessment and identify the optimal maturity level that achieves cost-effective security based on your missions and risks faced, risk appetite, and risk tolerance level. Identify gaps between the current state at each OPDIV and the criteria required to reach the optimal level across HHS’ enterprise-wide cybersecurity program and develop security controls to implement effective security. Ensure the requirements for all metrics is Consistently Implemented or higher are achieved. Articulate roles and shared responsibilities needed to meet the requirements for effective maturity, including whether requirements are to be implemented through centralized, federated, or hybrid controls.

The Information Security and Privacy Policy (IS2P) is HHS’ primary policy document governing cybersecurity which is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update occurs to the IS2P, HHS should specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls; describe HHS’ Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation; include responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors); and communicate that a Managed and Measurable or the optimal maturity level, based on HHS’s risk assessment, be required to be deemed “Effective".

We recommend that the HHS OCIO work with the OPDIVs to ensure that the OPDIVs cybersecurity management create and implement a patch management strategy to ensure that patches are installed timely as required by HHS and Federal requirements.

We recommend that the HHS OCIO work with the OPDIVs to identify roles of stakeholders to ensure proper identification of responsibilities in a shared responsibility environment.

We recommend that the HHS OCIO work with the OPDIVs to implement the enterprise-wide configuration management plan, working with system owners to align system configuration management plans with the enterprise plan.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs create and implement a process to require privileged users to sign a privileged user rules of behavior agreement for all systems prior to provisioning privileged access to those systems.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs ensure implementation of strong authentication mechanisms for privileged and non-privileged users to all OPDIV systems using multifactor PIV credentials, NIST 800-63 Identity Assurance Level 3/Authenticator Assurance Level 3/Federated Assurance Level 3 credential or other strong authentication for non-privileged and privileged users.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all PIAs are reviewed, approved and signed by the appropriate HHS personnel at a minimum within three (3) years of the last PIA approval date.

We recommend that the HHS OCIO work with the ODPIVs ensure that role-based training is obtained for all users with significant security responsibilities before granting access to the system and annually thereafter.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that ATOs are kept up to date without a lapse of authorization.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that SCAs are kept up to date as needed to support the ATO process.

We recommend that the HHS OCIO work with the OPDIV to implement threat profiling techniques within the defined framework that helps management understand where the OPDIV’s high-value assets are located, who could be interested in taking control of them, and what attack vectors and under which scenarios they would likely be used to exploit vulnerabilities to succeed in their pursuits.

We recommend that the HHS OCIO work with the OPDIVs to monitor and validate each OPDIV’s implementation progress, which should include periodically sampling HHS systems to ensure the effectiveness of contingency plans, including adequate testing based on system categorization.

We recommend that the South Carolina Department of Health and Human Services refund $1,524,536 to the Federal Government.

We recommend that the South Carolina Department of Health and Human Services enhance the monitoring of provider compliance by conducting periodic reviews of telemedicine payments for compliance with documentation requirements.

We recommend that the Mississippi Department of Human Services refund to the Federal Government the estimated $22,284,900 Federal CCDF share of the Child Care Payment Program claims paid during FYs 2016 and 2017.

We recommend that the Mississippi Department of Human Services develop policies and procedures to ensure that attendance documentation is maintained and provided to the State agency when a provider closes.