Recommendations Tracker

CMS should take additional steps to validate the information reported in MDS assessments.

We recommend that Visiting Nurse Association of Maryland based on the results of this audit, exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any returned overpayments as having been made in accordance with this recommendation.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to require that OT justification memos be signed, dated, and written or developed with involvement from appropriate parties, including OT Agreements Officers.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to require that justifications for the continued use of OT authority be documented throughout the life of OT agreements with reconsideration required at a defined frequency.

We recommend that the National Heart, Lung, and Blood Institute strengthen its internal controls for OTs by updating its policies and procedures to specify requirements for determining and documenting the allowability of costs charged to OT awards.

We recommend that Humana, Inc. refund to the Federal Government the $197,720,651 of net overpayments.

We recommend that the Colorado Department of Human Services conduct all required criminal background checks for the 107 individuals in our sample who did not have the required checks at the time of our audit (if still employed).

We recommend that the Colorado Department of Human Services ensure that all required background checks are completed and retain these records until the background check expires.

We recommend that the Georgia Department of Community Health remind nursing facilities of Federal and State requirements for reporting incidents of potential abuse or neglect.

We recommended that the State agency ensure that it documents actions it takes when nursing facilities fail to report incidents and fail to report incidents on time.

We recommend that Palmetto Government Benefits Administrator, LLC decrease its Excess Plan Medicare segment pension assets by $9,196 and recognize $737,271 as the Excess Plan Palmetto Medicare segment pension assets as of January 1, 2017.

We recommend that Palmetto Government Benefits Administrator, LLC decrease its Excess Plan Medicare segment pension assets by $9,196 and recognize $737,271 as the Excess Plan Palmetto Medicare segment pension assets as of January 1, 2017.

We recommend that Noridian Healthcare Solutions LLC work with CMS to ensure that its final settlement of contract costs reflects a decrease in Medicare restoration costs of $160,315 for CYs 2015 and 2016.

We recommend that HHS: Communicate to all stakeholders the roles and shared responsibilities that must be implemented to meet the requirements for an "effective" level of security in the context of the maturity model, including whether such requirements are to be implemented through centralized, federated, or hybrid controls. This should also include the responsibilities of the OCIO, the OpDivs, and third-party stakeholders (including contractors).

Develop oversight process and procedures to ensure comprehensive policies and procedures for managing the configurations of information systems are developed and tailored to the OpDivs environment.

Update the ISCM strategy to include a roadmap for complete deployment across all HHS OpDivs, and key performance indicators and benchmarks to facilitate the implementation of CDM toolsets across all OpDivs.

Conduct an assessment of privileged IT staff to identify users with significant cybersecurity responsibilities and ensure they complete specialized role-based training.

We recommend that the HHS OCIO work with the OpDivs to develop a formal risk management strategy to establish, communicate, and implement its risk management controls, including for supply chain risk management. Additionally, within the Risk Management Strategy, the OpDiv should document procedures to ensure that all system owners have implemented processes and methodologies for categorizing risk, developing a risk profile, assessing risk, risk acceptance/tolerance levels, responding to risk, and monitoring risk.

We recommend that the HHS OCIO work with the OpDivs to establish oversight procedures for contractor owned systems to ensure change control activities and record retention procedures are being implemented appropriately across all systems.

We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs conduct periodic review and adjustment of privileged user accounts and permissions as required by OpDiv policy is being implemented consistently across all systems within the established time period. Additionally, the OpDiv should ensure that privileged user account activities are logged and periodically reviewed.

Implement oversight of contractor system procedures to ensure that periodic user access reviews are performed and that privileged user account activities are logged and periodically reviewed. In addition, management should implement a review process for the monitoring activities by the Computer Security Incident Response Center (CSIRC) and DCIO Ops over government-owned systems with the OpDiv portfolio.

We recommend that the HHS OCIO work with its OpDivs to improve the incident evaluation process for determining whether an incident is major in accordance with the full OMB definition contained in the OMB FISMA guidance. This process should include a documented adjudication process that assesses the perceived or actual impact of the American people's public confidence in US Government systems, their civil liberties, or their public health and safety from the knowledge of the incident as noted in the OMB guidance.

CMS should encourage MAOs to perform program integrity oversight using ordering NPIs.

We recommend that Sunrise Hospital & Medical Center refund to the Medicare contractor $23,606,895 ($23,615,809 less $8,914 that the Hospital has already repaid) in net estimated overpayments for the audit period for claims that it incorrectly billed that are within the 4-year reopening period.

We recommend that Sunrise Hospital & Medical Center strengthen controls to ensure that: (1) all IRF beneficiaries meet Medicare criteria for acute inpatient rehabilitation and all required documentation is included in the medical records, (2) all inpatient beneficiaries meet Medicare requirements for inpatient hospital services, (3) outlier payments are calculated correctly by billing the correct units of service and charges on the claim and staff are properly trained, (4) the use of bypass modifiers is supported in the medical records and staff are properly trained, and (5) HCPCS codes are supported in the medical records and staff are properly trained.

We recommend that the Louisiana Department of Health refund $1,326,830 to the Federal Government in BIPP funding that it received for ineligible expenditures.

We recommend that the Clinic refund to Noridian $398,625 in estimated overpayments for intravitreal injections of Eylea and for other services provided on the same day as intravitreal injections of Eylea and Lucentis.

We recommend that the Clinic implement policies and procedures to ensure that it does not bill for services that are not separately payable from intravitreal injections of Eylea and Lucentis.

CMS should review States' managed care payment data in T-MSIS and ensure that States have corrective action plans to improve data completeness and quality, as appropriate.

CMS should clarify and expand its initiative on payment data.

Develop and implement a plan to address the challenges presented by the Unit's organizational structure.

Establish a process to coordinate on cases and improve collaboration with Federal partners.

Take steps to ensure that newly hired investigators complete new employee trainings.

We recommend that North Mississippi Medical Center refund to the Medicare program the estimated $67,038 in overpayments for claims that it incorrectly billed.

We recommend that North Mississippi Medical Center educate its staff on properly billing for polysomnography services.

CMS should provide data to consumers on nurse staff turnover and tenure, as required by Federal law.

CMS should consider residents' level of need when identifying nursing homes for weekend inspections.

We recommend that the Florida Agency for Health Care Administration, Division of Health Quality Assurance work with CMS to provide clear guidance to nursing facilities regarding what constitutes a reportable incident.

We recommend that the Florida Agency for Health Care Administration, Division of Health Quality Assurance establish and implement written policies and procedures for incident report processing.

We recommend that the Florida Agency for Health Care Administration, Division of Health Quality Assurance improve the intake process by assessing all Federal 24-Hour Reports to identify whether potential noncompliance with quality of care standards caused the incidents and whether the incident occurred after the last standard survey; assessing the severity and urgency of harm to the resident(s) that may have been caused by abuse, neglect, or nursing facility noncompliance with CoPs to assign a priority level; and using ACTS to create an incident record with start and end dates for all Federal 24-Hour Report assessments and to record priority assignments.

We recommend that the Florida Agency for Health Care Administration, Division of Health Quality Assurance establish and implement written policies and procedures for managing APS complaint notifications and conducting assessments of APS complaints to identify and survey more facilities where resident harm may have been caused by nursing facility noncompliance.

We recommend that Peninsula Regional Medical Center refund to the Medicare program the estimated $66,647 overpayment for claims that it incorrectly billed.

We recommend that Peninsula Regional Medical Center implement policies and procedures to ensure that Medicare claims for polysomnography services comply with Medicare requirements.