We recommend that Bridge Home Health identify similar instances of noncompliance that occurred before, during, and after the audit period and determine the impact and return any overpayments to the Federal Government.

We recommend that Triple-S Advantage, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before or after our audit period and refund any resulting overpayments to the Federal Government.

We recommend that the Centers for Medicare & Medicaid Services develop and implement guidance for skilled nursing facilities on the appropriate methods for providers to determine their allowable related-party costs.

We recommend that the Agency for Healthcare Research and Quality update the AHRQ Mobile Application Development Policy to require project officers and app developers to assess AHRQ mobile apps for unnecessary or unused functionality and remove or disable such functionality where feasible before submitting it to an app store and establish a procedure to ensure adherence to these requirements.

We recommend that the Indiana Family and Social Services Administration provide additional guidance to ABA facilities for documenting ABA, including services that must be provided to support the use of CPT codes 97155 and 97156, State signature requirements, the detail in session notes needed to support ABA provided, and what the State agency considers billable ABA time.

We recommend that the Indiana Family and Social Services Administration periodically review its prior authorization contractor's procedures for verifying ABA facilities' compliance with requirements for State diagnostic evaluations and treatment referrals for ABA.

We recommend that the Centers for Medicare & Medicaid Services emphasize to States that they should consistently follow their procedures for calculating the Federal share of collections, including during periods of increased FMAPs.

We recommend that the Centers for Medicare & Medicaid Services revise its policies and procedures for reviewing States' reported collections to include review of States' calculations of the Federal share for all collections.

We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce HHS's continuous monitoring policy for detecting, preventing, and reporting unauthorized or suspicious network activity across OpDivs.

IHS should explore options for expanding housing for DSFC staff.

We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to improve network monitoring by implementing NIST SP 800-53, Revision 5, for the OPTN IT system, to include data loss prevention technology to prevent unauthorized exfiltration of information (Control SC-7(10)) and red-team exercises to simulate attempts by adversaries to compromise organizational systems (Control CA-8(2)).

We recommend that CGS Administrators, LLC revise its policies and procedures so that it meets the reopening deadlines established in Federal requirements.

We recommend that the Puerto Rico Department of Health (the Health Department) provide training to staff on policies and procedures.

We recommend that the Office for Civil Rights document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.

We recommend that the Office for Civil Rights define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over ePHI and periodically review whether these metrics should be refined.

We recommend that HHS complete implementation of a cybersecurity risk management strategy to assess and respond to identified risks within the agency and identified across OpDivs, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.

We recommend that HHS require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standard. This should include requiring OpDivs to assess vendors and submit said monitoring results to HHS to assist with tracking and monitoring components on the network.

We recommend that HHS confirm that OpDivs' policies require monitoring of privileged user accounts for both logging and activity reviews, in an automated manner.

We recommend that the Washington State Department of Social and Health Services' Aging and Long-Term Support Administration reissue to all adult family homes the notification of requirements for a written succession plan.

We recommend that the Utah Department of Health and Human Services improve its estate recovery program by implementing formal procedures to periodically review open cases and establish a timeframe for doing so.

We recommend that the Centers for Medicare & Medicaid Services take the following actions, which could have saved Medicare an estimated $190.1 million in payments made to acute-care hospitals for outpatient services provided to hospice enrollees and could have saved enrollees an estimated $43.6 million in deductibles and coinsurance that may have been incorrectly collected from them or from someone on their behalf during our audit period: Educate acute-care hospitals to understand that each hospice enrollee's hospice election statement addendum is available on request, and educate hospices to provide the addendum if requested to help an acute-care hospital assess whether an outpatient service palliated or managed an enrollee's terminal illness and related conditions.

We recommend that the Centers for Medicare & Medicaid Services take the following actions, which could have saved Medicare an estimated $190.1 million in payments made to acute-care hospitals for outpatient services provided to hospice enrollees and could have saved enrollees an estimated $43.6 million in deductibles and coinsurance that may have been incorrectly collected from them or from someone on their behalf during our audit period: Educate acute-care hospitals to analyze not only whether outpatient services palliated or managed enrollees' terminal illnesses but also whether outpatient services palliated or managed a condition related to a terminal illness.

We recommend that the Centers for Medicare & Medicaid Services take the following actions, which could have saved Medicare an estimated $190.1 million in payments made to acute-care hospitals for outpatient services provided to hospice enrollees and could have saved enrollees an estimated $43.6 million in deductibles and coinsurance that may have been incorrectly collected from them or from someone on their behalf during our audit period: Direct MACs or other appropriate contractors, such as Recovery Audit Contractors, to: (1) analyze Medicare claims data to identify acute-care hospitals that have aberrant billing patterns for condition code 07, and conduct Targeted Probe and Educate reviews of these acute-care hospitals; and (2) conduct prepayment or postpayment reviews of acute-care hospital claims for outpatient services provided to hospice enrollees and billed with condition code 07.

We recommend that the Health Resources and Services Administration work with the hospice identified in our report as having used $3,967,025 of its PRF payments for potentially unallowable expenditures to determine what amounts should have been allocated and require the hospice to return unallowable amounts to the Federal Government or ensure that the hospice properly replaces these unallowable expenditures with unreimbursed lost revenues or eligible expenses, if applicable.

We recommend that the Maine Department of Health and Human Services, Office of Child and Family Services develop written policies and procedures that require its supervisors to review and approve documentation of caseworker interviews with children and adults.

We recommend that the Maine Department of Health and Human Services, Office of Child and Family Services develop written policies and procedures that outline the steps a caseworker must take to override a report from screened-out to screened-in and manually input a response time.

We recommend that the Centers for Medicare & Medicaid Services use the information in this report and consider implementing changes suggested by hospitals, including providing written guidance clarifying the definition of "shoppable services" and developing a training and compliance program that is tailored for smaller hospitals.