WASHINGTON, D.C. - As of January 2011 the Centers for Medicare & Medicaid Services (CMS) had failed to resolve or even take any meaningful action to address 77 percent of vulnerabilities identified by contractors in 2009, according to a recent study by the U.S. Department of Health and Human Services Office of Inspector General (OIG).
CMS took what OIG labeled "significant" action to resolve 14 of 62 reported vulnerabilities, but only two were declared "fully resolved" by January 2011, the study indicated. The study involved issues reported by Program Safeguard Contractors (PSCs), Zone Program Integrity Contractors (ZPICs) and Medicare Drug Integrity Contractors (MDICs), as the OIG examined the monetary impact of the vulnerabilities and reviewed CMS policies and procedures for tracking, reviewing and resolving them.
"One of the ways that Medicare program integrity contractors help prevent fraud, waste and abuse is by identifying program vulnerabilities. To minimize the financial impact of these vulnerabilities on the Medicare program, CMS needs to take prompt action to resolve them," recently resigned CMS Administrator Donald Berwick said. "CMS currently has vulnerability standard operating procedures in place and continues to actively manage reported vulnerabilities on a monthly basis. CMS is collaborating and coordinating throughout the agency to address program vulnerabilities, as appropriate."
According to the OIG study, contractors reported monetary impacts for only one-third of all vulnerabilities, but the combined estimated impact amounted to $1.2 billion. The estimated impacts of individual vulnerabilities ranged from slightly more than $75,000 to more than $800 million. None of the areas of concern for which monetary impacts were determined had been resolved fully as of January 2011, the study indicated.
However, CMS has taken significant action to resolve four of those vulnerabilities, two of which had the largest monetary reported impact, although implementation of corrective actions will not be completed until 2012, the OIG reported.
"Although CMS has procedures to consistently track and review vulnerabilities, it lacks procedures to ensure that vulnerabilities are resolved," the OIG stated in a summary of the study.
"The three CMS divisions that are responsible for tracking and reviewing vulnerabilities each have procedures that outline the general steps they take to track and review vulnerabilities. However, although contractors have been submitting vulnerability reports since at least 2007, CMS did not begin developing procedures until 2010."
Furthermore, the OIG noted, only one of those three divisions has developed procedures to follow up on the implementation of corrective actions.
In the study summary the OIG recommended that CMS a) determine the status of all vulnerabilities that have not been resolved and take action to address them; b) require all benefit integrity contractors to report monetary impact, when calculable, in a consistent format; and c) ensure that vulnerabilities are resolved by establishing formal written procedures that include time frames for follow-up procedures and outline CMS and contractor responsibilities regarding resolutions. CMS concurred with the first recommendation, OIG officials noted, but the agency did not concur with the second recommendation and only partially concurred with the third recommendation.
"We note that CMS cannot always resolve the vulnerabilities or resolve them as promptly as CMS would like due to various constraints," Berwick said. "For example, the magnitude and complexity of the resolution, such as changing a regulation or requesting a system change, may require significant time to resolve the vulnerability."
About the Author
Mark Spivey is a correspondent for racmonitor.com and icd10monitor.com.
Contact the Author
To comment on this article please go to firstname.lastname@example.org