Auditor finds problems within state’s oversight of Medicaid programs

Fraud, Waste, and Abuse Vulnerabilities Remain as Steps to Address Program Integrity Findings Were Not Always Taken

by Timothy McQuiston, Vermont Business Magazine

State Auditor Doug Hoffer released an audit report today on Medicaid fraud investigations conducted by the Vermont Department of Health Access. The auditor found that there were programmatic and bureaucratic issues that resulted in fraud cases not being fully addressed, funds that were not recovered, the complexity of the pandemic-era payments in 2021 were not sorted out and there was not sufficient oversight of the $300 million annual payments to OneCare. 

The auditor in particular cited a lack of reporting, oversight and compliance within the Agency of Human Services, which is ultimately responsible for the Medicaid programs.

The auditor wrote that Vermont Medicaid providers, including hospitals, nursing homes, general practitioners, and specialists deliver critical access to healthcare across the state to serve some of Vermont’s most vulnerable populations. The state spent more than $2 billion in fiscal year 2024 on Vermont Medicaid and Medicaid-related activities, providing vital healthcare support to almost 197,000 individual Vermonters. Because of its size, scope, and complexity, Medicaid is vulnerable to fraud, waste, and abuse.

Highlights of the audit include:

  • The SIU identified about $1.2 million in improper payments in the 20 investigations reviewed as part of the audit’s sample. In most of these cases, the SIU collected or is in the process of collecting these improper payments from providers. However, almost $517,000 will not be recovered due almost entirely to DVHA management’s decisions that effectively nullified the SIU’s improper payment findings.
  • The SIU identified programmatic risks during the course of their investigations and sent “vulnerability memos” to DVHA and other State Medicaid organizations related to 8 of the 20 investigations reviewed. In most cases the state entities did not act to address all the vulnerabilities the SIU identified. For example, a June 2021 SIU vulnerability memo pertaining to the Agency of Education’s (AOE) school-based health services program reported that some services provided under a bundled rate were not always received or provided in full and were duplicative with claims billed under another program. Three years later, despite escalation to the Secretaries of Human Services and Education, DVHA and the AOE have not been able to reach an agreement on how to address the vulnerability.
  • DVHA generally took SIU concerns into account when making policy changes. However, in three of the 20 policy changes reviewed, the SIU’s program integrity concerns were not addressed, leaving Medicaid open to potential risk including in two high-cost healthcare categories.
  • Even though DVHA’s contract with OneCare can exceed $300 million annually, their oversight of OneCare’s program integrity activities has not been robust.

 

To fight fraud, waste, and abuse, the Agency of Human Services (AHS) is responsible for overseeing the program integrity activities of its subordinate organization, the Department of Vermont Health Access (DVHA), Vermont’s managed care-like entity. DVHA’s Special Investigation Unit (SIU), in turn, conducts reviews, audits, and investigations which may result in a variety of outcomes, including the recovery of improper payments, provider termination from the Medicaid program, and the identification of Medicaid control weaknesses. The SIU’s work to identify and prevent fraud, waste, and abuse is critical to ensuring Medicaid funds can be spent as intended on the health and welfare of Vermont Medicaid recipients. 

Because of Medicaid’s impact on state government and Vermonters, Hoffer wrote: ”We decided to conduct an audit focused on actions being taken in response to the SIU’s findings. We found that DVHA and partner State organizations did not consistently act in response to SIU-identified findings, vulnerabilities, and policy concerns, thereby putting Medicaid funds at risk. In addition, in 20 investigations initiated between 2020 and 2023, the SIU identified about $1.2 million in improper payments to providers of which almost $517,000 will not be recovered due almost entirely to decisions by DVHA’s leadership at the time to retroactively change a rule that was the basis for the SIU’s findings and to backdate the Medicaid provider enrollment of certain clinicians.” 

The auditor concluded that, “AHS, DVHA leadership, and other state organizations that support the Medicaid program have not always taken action in support of the SIU’s findings. In particular, DVHA made a retroactive change to a rule, which allowed the payment of claims the SIU had determined were improper. In addition, when the SIU has found program vulnerabilities, fewer than half have been fully addressed. This has occurred because neither the SIU, DVHA leadership, or AHS have monitored whether corrective actions have been taken in response to the SIU’s findings nor was there an explicit process to resolve disputes with other organizations. The SIU itself also did not follow up on an allegation that OneCare was not complying with contract requirements even though the contract allowed the SIU to conduct oversight reviews.”

In response to the auditor’s report, Monica Ogelby, state Medicaid Director, and DaShawn Groves, DVHA Commissioner, largely agreed with the findings. They noted that many of the recommendations were already in process and that there is also a new DVHA commissioner and new SIU director.

As for OneCare, the state response is less accommodating. AHS Deputy Secretary Todd Daloz said that the documents that the auditor has sought from OneCare could be viewed as “bad faith” in light of a Vermont Supreme Court ruling which stated that OneCare did not have to provide the auditor with accounting records and this latest effort by the auditor to get them through the DVHA in a sort of work-around could put the agency in legal jeopardy.

Daloz wrote: “We have no desire to involve ourselves in potential litigation exercising our contract rights on behalf of a party that the Supreme Court has already determined is not a third -party beneficiary of the contract.”

OneCare is ending at the end of this year, and a new program, called AHEAD, will take over similar Medicaid-related tasks starting January 1, 2027.

20 investigations initiated between 2020 and 2023, the SIU identified about $1.2 million in improper payments to providers of which almost $517,000 will not be recovered

According to the report: 

In fiscal year 2024, Vermont’s Medicaid and Medicaid-related expenditures exceeded $2 billion for a caseload of almost 197,000 individuals who are served by thousands of Vermont Medicaid providers, including hospitals, nursing homes, general practitioners, and specialists. Because of its size, scope, and complexity, Medicaid is vulnerable to fraud, waste, and abuse (FWA). For instance, health care providers may bill for unfurnished or unnecessary services or submit claims that result in a higher payment than is justified. For example, in a January 2024 settlement with the Vermont Attorney General’s Medicaid Fraud & Residential Abuse Unit (MFRAU), a provider agreed to repay Medicaid $326,000 for billing for an individual who had been disenrolled as a client and for services that were not provided or were otherwise ineligible. Medicaid overpayments may also result from other circumstances. For example, a Vermont provider voluntarily came forward after realizing that they had been overpaid due to an error in their system and is now in the process of repaying about $40,600 to Medicaid.

States are required to have a program integrity function in place to identify, investigate, and report Medicaid FWA. Under Federal regulation, the Agency of Human Services (AHS) is responsible for Vermont’s program integrity responsibilities as the Single State Medicaid Agency. AHS fulfills this role by overseeing the program integrity activities of the State’s managed care-like entity, the Department of Vermont Health Access (DVHA). An example of a DVHA program integrity activity is the FWA investigations performed by the Special Investigations Unit (SIU). The SIU works collaboratively with the MFRAU, making referrals when the SIU identifies potential fraud. DVHA also contracts with OneCare Vermont Accountable Care Organization, LLC (OneCare), which has a provider network that is accountable for the quality, cost, and overall care of designated patients. The contract requires OneCare to perform specified program integrity activities.

Because of Medicaid’s impact on State government and Vermonters and the program’s vulnerability to FWA, we decided to conduct an audit with the following objectives: (1) to determine if and what actions were taken in response to findings and vulnerabilities associated with Medicaid providers identified by DVHA’s SIU and (2) to assess DVHA’s oversight of OneCare’s program integrity activities.

The audit found that DVHA and partner State organizations did not consistently act in response to SIU identified findings to reduce Medicaid vulnerability to FWA. The SIU identified about $1.2 million in improper payments in the 20 investigations we reviewed. In most of these cases, the SIU collected or is in the process of collecting these improper payments from providers. However, almost $517,000 will not be recovered due almost entirely to DVHA management’s decisions that effectively nullified the SIU’s improper payment findings.

The $517,000 that will not be collected stems largely from a DVHA decision that affected three SIU investigations of providers that inappropriately billed for supervised non-licensed and non-certified (NLNC) clinicians and for licensed clinicians who failed to enroll as Medicaid providers. In these three investigations, the SIU found that almost all reviewed providers had submitted claims for NLNC clinicians that did not have adequate documentation, did not otherwise meet Medicaid rules, or had failed to respond to the SIU. Initially, the SIU started to recover the improper claims from some of these providers.

Four providers submitted appeals to the former DVHA Commissioner as allowed by SIU procedures. The Commissioner, or designee, ruled in three of these appeals that the SIU findings were correct. However, the former Commissioner also made a retroactive change to a Vermont Medicaid rule that was the basis for the SIU’s findings, nullifying the SIU’s overpayment findings. As a result, DVHA returned about $72,000 to providers that the SIU had collected based on their original findings and no longer sought recovery of the overpayment balances related to these findings. The fourth appeal was related to this rule but also involved a provider billing for clinicians that were licensed but had not enrolled as Medicaid providers, which violates Vermont Medicaid rules. The DVHA Deputy Commissioner approved backdating the licensed clinicians’ enrollments in Medicaid. The provider was then allowed to resubmit and be paid for claims that the SIU had determined had been improperly paid. The provider then withdrew the appeal request.

Summarized plainly, the SIU identified improper payments and DVHA management agreed with those determinations, but then changed an existing rule to make what had been unacceptable acceptable.

The SIU also identified programmatic risks during the course of their investigations and sent vulnerability memos to DVHA and other State Medicaid organizations related to 8 of the 20 investigations we reviewed. In most cases the organizations did not act to address all the vulnerabilities the SIU identified. For example, a June 2021 SIU vulnerability memo pertaining to the Agency of Education’s (AOE) school based health services program reported that some services provided under a bundled rate were not always received or provided in full and were duplicative with claims billed under another program. Three years later, despite escalation to the Secretaries of Human Services and Education, DVHA and the Agency of Education have not been able to reach an agreement on how to address the vulnerability.

Our audit found two root causes for inaction in response to the SIU’s vulnerability memos: (1) while the SIU makes itself available to discuss its findings, they do not follow up on whether, or the extent to which, organizations address the identified vulnerabilities, and (2) the memorandum of understanding (MOU) between the State Medicaid organizations does not clearly define roles and responsibilities for these organizations when there is a dispute, leaving no clear path to resolution.

Lastly, we found that DVHA generally took any SIU concerns into account when making policy changes. However, in three of the 20 (15 percent) policy changes we reviewed, the SIU’s program integrity concerns were not addressed, leaving Medicaid open to potential risk including in two high-cost healthcare categories. For example, the former SIU director refused to approve a policy change that would reduce system controls for a service known nationally to have FWA issues. Despite the known risk, a DVHA Deputy Commissioner, in favor of streamlining the process, decided to implement the change against the SIU’s recommendation. This newly introduced risk would be addressed, the Deputy Commissioner asserted, through planned provider education and monitoring. The SIU has since opened an investigation to monitor claims affected by this specific change. At the time of our audit, this investigation was ongoing but the SIU’s tentative findings found improperly paid claims.

As for OneCare, even though DVHA’s contract with OneCare can exceed $300 million annually, its oversight of OneCare’s program integrity activities has not been robust. DVHA’s oversight was largely limited to the SIU’s reviews of program integrity documents submitted by OneCare as required by the contract.

DVHA has the authority to conduct more in-depth analyses of OneCare’s program integrity activities. Since 2017, DVHA’s contract with OneCare has allowed the SIU to conduct oversight reviews of OneCare’s compliance program or other program integrity related activities. Yet, the SIU has never performed such a review. Moreover, the SIU did not investigate a 2022 allegation that OneCare was not following contract requirements and had presented misleading information in its reports to DVHA. The allegations may not be true, but they deserved to be investigated, as allowed by the OneCare contract.

Lastly, even though OneCare is part of a sector that is a frequent target of FWA, OneCare has never reported to DVHA suspected FWA or provider terminations or denials due to program integrity concerns, both of which it is contractually required to do. There could be several reasons why there has been no such reports, such as (1) there were no instances of FWA or provider terminations for program integrity reasons, (2) there were such instances and OneCare failed to report them, or (3) OneCare’s processes are not designed to identify such instances. Without a review of OneCare’s compliance program or other program integrity activities, DVHA does not know which of these reasons, or any other, is the cause of the lack of reporting.

The auditor subsequently made recommendations to the Secretary of AHS and the Commissioner of DVHA, including that the Commissioner direct the SIU to follow up on SIU-identified vulnerabilities and to report to the Commissioner and AHS the extent to which these vulnerabilities are eliminated or mitigated.

To support vital journalism, access our archives and get unique features like our award-winning profiles, Book of Lists & Business-to-Business Directory, subscribe HERE!

www.vermontbiz.com