Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the Top Unimplemented View below to read OIG's Top Unimplemented Recommendations. In OIG’s view, these top recommendations for HHS programs, if implemented, would have the greatest impact in terms of cost savings, program effectiveness and efficiency, and public health and safety. Learn more
Summary of All Recommendations
Updated Monthly · Last updated on April 15, 2026
1,094
Unimplemented
recommendations
3,367
Implemented and Closed
recommendations since FY 2017
Views
OIG Recommendations Grouped by Report
Showing 201–220 of 1,385 reports, containing 4,461 recommendations
Sorted by latest release date
-
Alaska Medicaid Fraud Control Unit: 2023 Inspection
24-E-12-026.01Revise its procedures for screening referrals to incorporate the expertise of each professional discipline and to reflect current Unit priorities and workloads.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.02Take steps to improve communication and collaboration across professional disciplines throughout the investigative phase of cases.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
24-E-12-026.03Revise its procedures for opening, assigning, and closing cases to better enable cases to be completed in an appropriate timeframe.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.04Implement a comprehensive case management system to manage its investigative case information in an efficient and secure manner.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.05Take steps to improve the accuracy and completeness of case information and performance data in its electronic case management system.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.06Take steps to maintain case files in a consistent and effective manner.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
24-E-12-026.07Take steps to improve its ability to staff its administrative functions consistently and appropriately.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.08Take steps to expand upon the Unit's efforts to encourage referrals to the Unit.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
24-E-12-026.09Establish procedures for regularly communicating and coordinating with OIG's Office of Investigations and the U.S. Attorney's Office.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.10Develop procedures to improve the accuracy of its inventory list and verify that all Unit property is properly secured.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.11Revise its policies and procedures for periodic supervisory reviews and conduct and document the reviews in accordance with its updated policies.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
24-E-12-026.12Modify its supervisory structure so that all Unit staff are under the supervision of the Unit Director or another Unit supervisor.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
24-E-12-026.13Include acknowledgments of Federal funding in its press releases and other public documents.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/18/2025
- Legislative Related
- No
-
Heluna Health May Not Have Used California’s CDC COVID-19 Funds in Accordance With Award Requirements
24-A-04-090.01We recommend that Heluna Health refund $3,585,834 to the Federal government.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- $3,585,834
- Last Update Received
- 02/19/2025
- Next Update Expected
- 08/19/2025
- Legislative Related
- No
24-A-04-090.02We recommend that Heluna Health develop and implement a policy that requires California Department of Public Health (CDPH) to provide adequate supporting documentation to ensure the costs claimed are allowable and allocable.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/19/2025
- Next Update Expected
- 08/19/2025
- Legislative Related
- No
24-A-04-090.03We recommend that Heluna Health work with CDC to determine the allowable portion of $366,850,858 related to local health jurisdiction (LHJ) start-up costs and refund to the Federal Government any unallowable amount.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- $366,850,858
- Last Update Received
- 02/19/2025
- Next Update Expected
- 08/19/2025
- Legislative Related
- No
-
California Made Capitation Payments for Enrollees Who Were Concurrently Enrolled in a Medicaid Managed Care Program in Another State
24-A-05-089.01We recommend that the California Department of Health Care Services resume and enhance procedures that are in accordance with current Federal requirements to identify and disenroll enrollees who are residing and enrolled in Medicaid managed care in another State.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/26/2024
- Legislative Related
- No
24-A-05-089.02We recommend that the California Department of Health Care Services work with CMS to consider the potential use of T-MSIS data to identify potential cases of concurrent enrollment.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/25/2025
- Legislative Related
- No
-
West Virginia Medicaid Fraud Control Unit: 2023 Inspection
24-E-12-023.01Eliminate access to sensitive case material for unauthorized staff.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/07/2025
- Legislative Related
- No
24-E-12-023.02Take steps to ensure that its new case management system allows for the accurate reporting of performance data.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/07/2025
- Legislative Related
- No
24-E-12-023.03Take steps to report adverse actions to the NPDB within the required timeframe.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.04Take steps to report all convictions to OIG within the required timeframe.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.05Implement a method to monitor the State's responses to the Unit's program recommendations.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/07/2025
- Legislative Related
- No
24-E-12-023.06Work with the Bureau of Medicaid Services to ensure the return of the Federal Government's share of all recoveries.- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
-
HHS Office of the Secretary Needs to Improve Key Security Controls to Better Protect Certain Cloud Information Systems
24-A-18-088.01We recommend that the HHS Office of the Secretary develop a procedure to ensure cloud system inventories are accurate and completed in accordance with HHS security requirements.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/06/2025
- Next Update Expected
- 02/06/2026
- Legislative Related
- No
24-A-18-088.02We recommend that the HHS Office of the Secretary remediate the 12 control findings in accordance with NIST SP 800-53.- Status
- Closed Implemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/01/2024
- Legislative Related
- No
24-A-18-088.03We recommend that the HHS Office of the Secretary implement a strategy that includes leveraging cloud security assessment tools that identify misconfigurations and other control weaknesses in its cloud services, and remediate weak controls in a timely manner.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 03/07/2025
- Next Update Expected
- 09/07/2025
- Legislative Related
- No
24-A-18-088.04We recommend that the HHS Office of the Secretary develop and implement a policy and process to ensure qualified staff are assigned as System Security Officers for its cloud systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/12/2025
- Next Update Expected
- 08/26/2025
- Legislative Related
- No
-
ASPR Did Not Consistently Comply With Federal Requirements for Awarding Research and Development Contracts
24-A-03-087.01We recommend that the Administration for Strategic Preparedness and Response note on the CPARS assessment report for the original contractor that the contractor failed to submit the novation to report the sale of the business interests and transfer of the contract.- Status
- Closed Implemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/04/2025
- Legislative Related
- No
24-A-03-087.02We recommend that the Administration for Strategic Preparedness and Response provide technical assistance or education to the new contractor regarding novation procedures.- Status
- Closed Implemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/04/2025
- Legislative Related
- No
24-A-03-087.03We recommend that the Administration for Strategic Preparedness and Response implement a review process to verify that Federal acquisition awarding procedures and contract funding are fully completed before contract performance begins.- Status
- Closed Implemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/04/2025
- Legislative Related
- No
24-A-03-087.04We recommend that the Administration for Strategic Preparedness and Response correct the Recording Statute violation for the contract that was not properly finalized by ratifying the original contract and properly recording an obligation.- Status
- Closed Implemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- $14,000
- Last Update Received
- -
- Closed Date
- 03/04/2025
- Legislative Related
- No
24-A-03-087.05We recommend that the Administration for Strategic Preparedness and Response correct the time violation for the improperly created purchase order by using no-year funds or multi-year funds available for obligation and report an Antideficiency Act violation if the time violation cannot be corrected.- Status
- Closed Implemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- $14,000
- Last Update Received
- -
- Closed Date
- 03/04/2025
- Legislative Related
- No
24-A-03-087.06We recommend that the Administration for Strategic Preparedness and Response create policies and procedures for the maintenance and organization of electronic contract files.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/17/2025
- Next Update Expected
- 09/04/2025
- Legislative Related
- No
24-A-03-087.07We recommend that the Administration for Strategic Preparedness and Response implement a periodic documentation review process to assess completeness of contract files and provide training to address deficiencies identified from the review.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 03/04/2025
- Next Update Expected
- 09/04/2025
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Independent Health Association, Inc. (Contract H3362) Submitted to CMS
24-A-07-085.01We recommend that Independent Health Association, Inc. refund to the Federal Government the $646,217 of overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $646,217
- Last Update Received
- 10/01/2025
- Next Update Expected
- 04/01/2026
- Legislative Related
- No
24-A-07-085.02We recommend that Independent Health Association, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before and after our audit period and refund any resulting overpayments to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/01/2025
- Next Update Expected
- 04/01/2026
- Legislative Related
- No
24-A-07-085.03We recommend that Independent Health Association, Inc. continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 10/01/2025
- Next Update Expected
- 04/01/2026
- Legislative Related
- No
-
Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023
24-A-18-086.01Refine their enterprise architecture system inventory and software/hardware asset inventories to ensure the inclusion of the information systems and components active on the HHS network. HHS should utilize these inventories to monitor assets continuously and identify and remediate vulnerabilities timely to better manage the risks to these assets.- Status
- Closed Unimplemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/23/2025
- Legislative Related
- No
24-A-18-086.02We recommend that HHS require OpDivs to implement a cybersecurity risk management strategy to assess and respond to identified risks within the agency, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.- Status
- Closed Unimplemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/23/2025
- Legislative Related
- No
24-A-18-086.03We recommend that HHS confirm that all organization-wide and system-level risk assessments have been completed in an accurate and timely manner and include data points such as the threat vectors, likelihood, and tolerance level. This will help with the ability to address risks at the organization consistently and promptly.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.04We recommend that HHS require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standard. HHS should ensure that all OpDivs are appropriately assessing vendors and submitting data points to assist with tracking and monitoring components on the network.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.05We recommend that HHS require OpDivs to assess and inventory privileged user accounts across the agency by an established due date and confirm completion. HHS should confirm that OpDivs policies are defined to require privileged user account monitoring in both logging and activity reviews, preferably at an automated level.- Status
- Closed Unimplemented
- Responsible Agency
- OS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/23/2025
- Legislative Related
- No
24-A-18-086.06We recommend that the HHS OCIO monitor and confirm that the OpDivs conduct an annual review of the System Security & Privacy Plan and annually perform risk assessments for all operational systems, according to organizational policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.07We recommend that the HHS OCIO monitor and confirm that the OpDivs appropriately track software license information and maintain an accessible, up-to-date inventory for all its software licenses.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.08We recommend that the HHS OCIO monitor and confirm that the OpDivs perform the SAR and ATO in accordance with the organization's policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/16/2024
- Next Update Expected
- 06/17/2025
- Legislative Related
- No
24-A-18-086.09We recommend that the HHS OCIO monitor and confirm that the OpDivs utilize automated solutions to provide a portfolio view of cybersecurity risk at the organization is consistently implemented in accordance with NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.10We recommend that the HHS OCIO confirm OpDivs define and implement an OpDiv level supply chain risk management strategy based on HHS departmental policy and NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.11We recommend that the HHS OCIO ensure that OpDivs' vulnerabilities are tracked and remediated in a timely manner and create POA&Ms for any vulnerabilities in accordance with the organization's policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.12We recommend that the HHS OCIO ensure that all OpDivs' baseline configurations are documented and tracked for each system in the OpDiv.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/13/2024
- Next Update Expected
- 06/16/2025
- Legislative Related
- No
24-A-18-086.13We recommend that the HHS OCIO ensure that all OpDivs' TIC 3.0 program use cases are reviewed for relevance and capabilities that are new to the latest revision of the TIC guidance are consistently implemented in accordance with HHS Policy for the Implementation of TIC and OMB M-19-26.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.14We recommend that the HHS OCIO ensure that all OpDivs acquire the resources to fully implement MFA or an alternative strong authentication and implement multi-factor authentication or an alternative strong authentication for both privileged and non-privileged users on all operational systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.15We recommend that the HHS OCIO ensure that all OpDivs provision, manage, and review privileged user accounts for operational systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.16We recommend that the HHS OCIO ensure that all OpDivs are properly implementing remote session timeouts of 30 minutes (or less) for operating systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/13/2024
- Next Update Expected
- 06/17/2025
- Legislative Related
- No
24-A-18-086.17We recommend that the HHS OCIO ensure that all OpDivs consistently implement access policies and procedures in accordance with the organization's Risk Management Safeguards policy across the organization.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.18We recommend that the HHS OCIO ensure that all OpDivs' operational systems have an approved and up-to-date PIA in accordance with the HHS Policy of Privacy Impact Assessment.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/13/2024
- Next Update Expected
- 06/16/2025
- Legislative Related
- No
24-A-18-086.19We recommend that the HHS OCIO ensure that all OpDivs implement data encryption methods to protect data determined to be PII or sensitive by the systems and enhanced network defenses in accordance with NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.20We recommend that the HHS OCIO require and confirm that all OpDivs have a process in place to evaluate their workforce gaps. Furthermore, confirm that all OpDivs are implementing a compliant security training strategy as defined by overarching HHS policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.21We recommend that the HHS OCIO ensure that all OpDivs are inheriting and consistently implementing policies and procedures defined by HHS department level policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.22We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs inherit and consistently implement policies or procedures to govern their incident response strategy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.23We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs define common threat vector taxonomy for classifying incidents and its processes for detecting, analyzing, and prioritizing incidents in accordance with NIST standards, USCERT Federal Incident Notification Guidelines and OMB guidance across the organization.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 01/13/2025
- Next Update Expected
- 07/23/2025
- Legislative Related
- No
24-A-18-086.24We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems have a complete and up-to-date BIA.- Status
- Closed Implemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/17/2025
- Legislative Related
- No
24-A-18-086.25We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems conduct Contingency Plan testing and exercises as required by their risk rating. Any testing and exercises conducted should be followed with after-action reports as necessary.- Status
- Closed Implemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/23/2025
- Legislative Related
- No
24-A-18-086.26We recommend that the HHS OCIO work with the OpDivs to confirm that all OpDivs' policies and procedures covering Contingency Plan testing are in accordance with policy requirements by Departmental policy, NIST standards, and OMB guidance.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/13/2024
- Next Update Expected
- 07/17/2025
- Legislative Related
- No
-
The National Institutes of Health Has Made Progress But Could Further Improve Its Closeout Process for Grants and Similar Awards
24-A-04-084.01We recommend that the National Institutes of Health formalize the recently implemented FRPPR monitoring control into NIH policy.- Status
- Open Unimplemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/17/2024
- Next Update Expected
- 07/02/2025
- Legislative Related
- No
24-A-04-084.02We recommend that the National Institutes of Health facilitate timely unilateral closeout within 1 year of the PPE date by implementing a policy that requires the unilateral closeout process be completed early enough to allow for final closeout within 1 year of the PPE date; and providing additional training to staff involved in the closeout process to increase staff awareness (i.e., sending monitoring reports to ICs for awards eligible for unilateral closeout).- Status
- Open Unimplemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/17/2024
- Next Update Expected
- 07/02/2025
- Legislative Related
- No
24-A-04-084.03We recommend that the National Institutes of Health create policies and procedures for reporting award recipients in SAM.gov that do not submit the required final reports within 1 year of the award PPE date.- Status
- Open Unimplemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/17/2024
- Next Update Expected
- 07/02/2025
- Legislative Related
- No
24-A-04-084.04We recommend that the National Institutes of Health retroactively report all recipients with unilateral closeout actions in calendar year 2023 in SAM.gov.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/02/2025
- Legislative Related
- No
-
Many States Lack Information To Monitor Maltreatment in Residential Facilities for Children in Foster Care
24-E-07-018.01ACF should provide guidance and technical assistance to States to build data collection and monitoring capabilities that are foundational to effective oversight of maltreatment in residential facilities.- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/02/2026
- Legislative Related
- No
24-E-07-018.02ACF should help States to improve their abilities to monitor patterns of maltreatment and performance across chains of residential facilities operating in multiple States.- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/02/2026
- Legislative Related
- No
24-E-07-018.03ACF should take steps to improve inter-State communication when children are placed in out-of-State residential facilities.- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/02/2026
- Legislative Related
- No
24-E-07-018.04ACF should work with States to improve reporting of placement data in NCANDS.- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 02/20/2025
- Legislative Related
- No
-
North Carolina Did Not Report and Return All Medicaid Overpayments for the State’s Medicaid Fraud Control Unit Cases
24-A-06-083.01We recommend that the North Carolina Department of Health and Human Services report and return the Federal share for the seven unreported cases, totaling $30,352,630 ($20,134,402 Federal share).- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $20,134,402
- Last Update Received
- -
- Closed Date
- 03/04/2026
- Legislative Related
- No
24-A-06-083.02We recommend that the North Carolina Department of Health and Human Services strengthen internal controls by expanding written policies and procedures to include procedures for requesting, recording, and reporting all MFCU-determined Medicaid overpayments within prescribed regulatory timeframes, and ensuring they received all case files.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 02/27/2026
- Legislative Related
- No
24-A-06-083.03We recommend that the North Carolina Department of Health and Human Services work with the MFCU to determine the Medicaid overpayments for cases after our audit period and ensure that all overpayments are reported on the Form CMS-64.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 02/27/2026
- Legislative Related
- No
-
NIH Did Not Close Contracts in Accordance With Federal Requirements, Resulting in the Increased Risk of Fraud, Waste, and Abuse
24-A-04-082.01We recommend that the National Institutes of Health complete the administrative closeout requirements for the 29 contracts totaling more than $1.9 billion identified in our audit.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/10/2025
- Legislative Related
- No
24-A-04-082.02We recommend that the National Institutes of Health incorporate, by reference, the administrative closeout requirements from the FAR and HHSCCD into the NIH Policy Manual.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/13/2026
- Legislative Related
- No
24-A-04-082.03We recommend that the National Institutes of Health update the NIH Policy Manual to address migration of contract file records to new contract management systems; preservation of all contract file records when employees depart the agency; and prevention of contract records from being destroyed before contract closeout has occurred.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/13/2026
- Legislative Related
- No
24-A-04-082.04We recommend that the National Institutes of Health establish control activities for monitoring the performance of contract personnel's compliance with administrative closeout requirements.- Status
- Open Unimplemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 12/01/2025
- Next Update Expected
- 06/01/2026
- Legislative Related
- No
-
CMS Could Strengthen Program Safeguards To Prevent and Detect Improper Medicare Payments for Short Inpatient Stays
24-A-09-081.01To strengthen program safeguards for preventing and detecting improper payments for short inpatient stays and recovering overpayments for claims that do not comply with Medicare requirements, we recommend that the Centers for Medicare & Medicaid Services work with its contractors to add information to inpatient claims indicating any stay that did not span two or more midnights because of an unforeseen circumstance (e.g., a condition code).- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 08/25/2025
- Legislative Related
- No
24-A-09-081.02To strengthen program safeguards for preventing and detecting improper payments for short inpatient stays and recovering overpayments for claims that do not comply with Medicare requirements, we recommend that the Centers for Medicare & Medicaid Services work with its contractors to develop a list of ICD-10 procedure codes associated with the HCPCS codes on the inpatient only procedures list.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Partial Concur
- Potential Savings
- -
- Last Update Received
- 12/02/2025
- Next Update Expected
- 06/02/2026
- Legislative Related
- No
24-A-09-081.03To strengthen program safeguards for preventing and detecting improper payments for short inpatient stays and recovering overpayments for claims that do not comply with Medicare requirements, we recommend that the Centers for Medicare & Medicaid Services work with its contractors to implement prepayment edits for claims for short inpatient stays at risk for noncompliance with the two-midnight rule (i.e., short inpatient stays with risk factors such as canceled procedures or certain MS-DRGs).- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/17/2025
- Legislative Related
- No
24-A-09-081.04To strengthen program safeguards for preventing and detecting improper payments for short inpatient stays and recovering overpayments for claims that do not comply with Medicare requirements, we recommend that the Centers for Medicare & Medicaid Services work with its contractors to update policies and procedures for postpayment reviews to focus on claims for short inpatient stays identified as at risk for noncompliance with the two-midnight rule and recovery of overpayments (e.g., through additional reviews by RACs or other contractors).- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/23/2024
- Legislative Related
- No
-
The Food and Drug Administration’s Inspection and Recall Process Should Be Improved To Ensure the Safety of the Infant Formula Supply
24-A-01-080.01We recommend that the Food and Drug Administration prioritize maintaining the NCCC's continuity of operations by cross-training staff on whistleblower policies and procedures and NCCC duties, including monitoring the Occupational Safety and Health Administration whistleblower email inbox.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/28/2025
- Legislative Related
- No
24-A-01-080.02We recommend that the Food and Drug Administration develop and implement policies and procedures requiring periodic reporting (e.g.,monthly reporting) to senior leadership on the status of open whistleblower complaints.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/30/2025
- Legislative Related
- No
24-A-01-080.03We recommend that the Food and Drug Administration implement policies and procedures that facilitate reporting consumer complaints in real time to investigators onsite when an active inspection is occurring at the facility identified in the complaint.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/16/2025
- Legislative Related
- No
24-A-01-080.04We recommend that the Food and Drug Administration strengthen the QFC process to identify data entry inaccuracies.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/30/2025
- Legislative Related
- No
24-A-01-080.05We recommend that the Food and Drug Administration formalize written policies and procedures that either require that the CAERS coordinator forward all reports that originate in CAERS to the NCCC or identify specific factors that the CAERS coordinator must consider when determining if adverse event reports should be forwarded to the NCCC, and include specific examples of types of adverse event reports that do not need to be forwarded to the NCCC.- Status
- Closed Acceptable Alternative
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 12/19/2024
- Legislative Related
- No
24-A-01-080.06We recommend that the Food and Drug Administration develop policies and procedures that FDA can use during future public health emergencies to identify how and when it is necessary to conduct mission-critical inspections and ensure that mission-critical inspections are conducted in a timely manner.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/03/2026
- Legislative Related
- No
24-A-01-080.07We recommend that the Food and Drug Administration design and implement policies and procedures specific to the use of its FDA-required infant formula recall authority.- Status
- Open Unimplemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 04/10/2026
- Next Update Expected
- 10/10/2026
- Legislative Related
- No
24-A-01-080.08We recommend that the Food and Drug Administration amend the language on the CAERS adverse event report form to emphasize the importance of including the lot number to encourage the public to report this information.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 12/19/2024
- Legislative Related
- No
24-A-01-080.09We recommend that the Food and Drug Administration continue to seek legislative authority to require infant formula manufacturers to notify and provide the bacterial isolate to FDA every time a product sample is found to be positive for Cronobacter or Salmonella, even if the affected lots have not been distributed, and update its existing databases with the information received.- Status
- Closed Implemented
- Responsible Agency
- FDA
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/30/2025
- Legislative Related
- Yes
-
Washington Medicaid Fraud Control Unit: 2023 Inspection
24-E-09-017.01Implement new policies and procedures to ensure required reporting of convictions and adverse actions to Federal partners.- Status
- Closed Implemented
- Responsible Agency
- MFCU
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/02/2025
- Legislative Related
- No
-
Medicare Remains Vulnerable to Fraud, Waste, and Abuse Related to Off-the-Shelf Orthotic Braces, Which May Result in Improper Payments and Impact the Health of Enrollees
24-A-09-079.01We recommend that the Centers for Medicare & Medicaid Services determine why claims that did not have the required modifiers were paid for replacement OTS braces, and take steps to prevent payments for such claims.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 08/28/2024
- Legislative Related
- No
24-A-09-079.02We recommend that the Centers for Medicare & Medicaid Services identify providers who ordered OTS braces for enrollees with whom they had no treating relationships and use that information to determine whether to provide additional education to—or take administrative or legal action against—the ordering providers or associated suppliers.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/03/2024
- Legislative Related
- No
24-A-09-079.03We recommend that the Centers for Medicare & Medicaid Services analyze supplier billing patterns and use that information to determine whether to conduct additional prepayment or postpayment reviews of suppliers or impose a temporary moratorium on enrolling new suppliers of OTS braces if CMS determines that there is significant potential for fraud, waste, or abuse.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/03/2024
- Legislative Related
- No
24-A-09-079.04We recommend that the Centers for Medicare and Medicaid Services review Medicare allowable amounts for OTS braces that are not currently in the DMEPOS Competitive Bidding Program to ensure that Medicare payments for OTS braces are reasonably comparable with payments made by non-Medicare payers, and determine whether to include any of those procedure codes for braces in future rounds of competitive bidding.- Status
- Closed Superseded
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/02/2024
- Legislative Related
- No
24-A-09-079.05We recommend that the Centers for Medicare & Medicaid Services educate suppliers and enrollees on telemarketing practices for OTS braces, specifically on not using direct solicitation of enrollees, and consider revoking billing privileges of suppliers that engage in prohibited solicitation practices.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/21/2025
- Legislative Related
- No
24-A-09-079.06We recommend that the Centers for Medicare & Medicaid Services use predictive data analysis and information from other Federal agencies and from State agencies to identify emerging fraud schemes related to OTS braces, and use CMS's authority to prevent further losses to the Medicare program.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/03/2024
- Legislative Related
- No
-
Selected CDC Racial and Ethnic Approaches to Community Health Program Recipients Generally Complied With Federal Requirements But Did Not Meet All Targets and Charged Some Unallowable Costs
24-A-02-078.01We recommend that the Centers for Disease Control and Prevention require the five recipients in our sample identified as having charged unallowable REACH program costs to refund $236,587 to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Partial Concur
- Potential Savings
- $236,587
- Last Update Received
- 12/17/2025
- Next Update Expected
- 06/17/2026
- Legislative Related
- No
24-A-02-078.02We recommend that the Centers for Disease Control and Prevention require the six recipients in our sample that may have improperly charged salary, related fringe benefit, and overhead costs to the REACH program award to refund $1,377,025 to the Federal Government or work with the recipients to determine what portion of these costs is allocable to their REACH program award and refund any unallocable portion of these costs to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Partial Concur
- Potential Savings
- $1,377,025
- Last Update Received
- 12/17/2025
- Next Update Expected
- 06/17/2026
- Legislative Related
- No
24-A-02-078.03We recommend that the Centers for Disease Control and Prevention provide additional technical assistance to recipients to ensure that only allowable, allocable, and documented costs are charged to their REACH program awards.- Status
- Closed Implemented
- Responsible Agency
- CDC
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/07/2024
- Legislative Related
- No
-
California Improperly Claimed $52.7 Million in Federal Medicaid Reimbursement for Capitation Payments Made on Behalf of Noncitizens With Unsatisfactory Immigration Status
24-A-09-076.01We recommend that the California Department of Health Care Services refund to the Federal Government the improperly claimed Federal reimbursement of $52,652,689 for capitation payments made on behalf of noncitizens with UIS.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $52,652,689
- Last Update Received
- -
- Closed Date
- 08/25/2024
- Legislative Related
- No
24-A-09-076.02We recommend that the California Department of Health Care Services work with CMS to determine the amount of any improperly claimed Federal reimbursement for capitation payments made on behalf of noncitizens with UIS for an agreed-upon period not covered by our audit.- Status
- Closed Acceptable Alternative
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/05/2025
- Legislative Related
- No
-
Medicaid Managed Care: States Do Not Consistently Define or Validate Paid Amount Data for Drug Claims
24-E-03-015.01CMS should revise the T-MSIS Data Dictionary to instruct States to report the paid amount as the amount paid to the pharmacy for all Medicaid managed care drug claims.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 12/13/2024
- Legislative Related
- No
24-E-03-015.02CMS should provide additional technical assistance to States to clarify what to include or exclude from the reported paid amounts to providers for Medicaid managed care drug claims.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/19/2025
- Next Update Expected
- 09/11/2026
- Legislative Related
- No
24-E-03-015.03CMS should follow up with States that did not verify that paid amounts for managed care drug claims were complete.- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/11/2025
- Legislative Related
- No
-
Plans and Enrollment Often Fell Short for Underrepresented Groups in a Sample of NIH-Funded Clinical Trials
24-E-01-016.01NIH should hold researchers accountable for clearly describing the rationale for planned study population, as required by NIH policy.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/31/2025
- Legislative Related
- No
24-E-01-016.02NIH should develop additional ways of supporting researchers in meeting inclusion enrollment targets.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 12/03/2024
- Legislative Related
- No
24-E-01-016.03NIH should promptly take steps to align NIH's demographic data collection and reporting with the revised OMB requirements and obtain more precise clinical trial inclusion enrollment data.- Status
- Closed Implemented
- Responsible Agency
- NIH
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 01/06/2026
- Legislative Related
- No