Appendix A - HHS FY 2003 Top Management Challenges Identified by the Office of Inspector General
Management Issue #1: Bioterrorism Preparedness
Management Challenge
The tragedy of September 11, 2001, and events since then underscore the importance of having the
infrastructure and resources to respond to threatened and actual acts of terrorism and bioterrorism, as well as other public health emergencies. Because the Department of Health and Human Services (HHS) manages most of the Nation's federal health resources through research, surveillance, coordination, and delivery programs, the Office of Inspector General (OIG) has focused on vulnerabilities in those programs. We assess how well programs recognize and respond to outside health threats, the security of HHS laboratory facilities, and the readiness and capacity of responders at all levels of government to protect the public health.
In evaluating the effectiveness of the Centers for Disease Control and Prevention (CDC) bioterrorism
preparedness efforts, OIG assessed the ability of 12 state and 36 local health departments to detect and respond to bioterrorist events. We also conducted a review of the deployment capability of the National Pharmaceutical Stockpile (now known as the Strategic National Stockpile, a program designed to supplement and restock state and local public health agency pharmaceutical supplies in the event of a biological or chemical incident) in 11 states and 21 localities. We found that states and localities were underprepared, and that planning documents tended to overstate preparedness. At CDC's request, we are currently conducting follow-up reviews on progress made by states and localities in improving their readiness.
We also assessed security controls at a number of laboratory facilities operated by CDC, the National Institutes of Health, and the Food and Drug Administration, and several colleges and universities. Reviews to date reveal substantial problems regarding perimeter, entry, and interior security, and security planning measures at these labs. In addition, we found that CDC's implementation of the regulation governing facilities that transfer and receive select agents needs improvement.
Assessment of Progress to Address the Challenge
HHS agencies have sought additional resources and are working on corrective action plans responsive to our concerns. Federal, state, and local health departments are working cooperatively to ensure that bioterrorist attacks are detected early and responded to appropriately. CDC has taken steps to expand the availability of pharmaceuticals needed in the event of chemical, biological, or radiological attacks. States and localities are currently strengthening their bioterrorism preparedness programs, and recent increases in HHS funding address some of our concerns. However, we continue to believe that the general readiness of state and local governments to detect and respond to bioterrorist attacks is below acceptable levels. Until we confirm that our recommendations regarding lab security have been implemented, we also remain concerned about significant vulnerabilities. As a result, we have begun follow-ups at departmental laboratory facilities, as well as reviews at ten additional colleges and universities. We also initiated reviews to examine states' progress in developing and implementing Laboratory Response Networks (LRN); state health departments' legal authorities to respond to bioterrorism; and accountability for funds under the
Hospital Bioterrorism Program and the CDC Bioterrorism Cooperative Grant.
Management's Comments in Brief
To address the challenges associated with terrorist threats, CDC, in FY 2003, intensified its strategic direction, programmatic activities, and resources to address the preparedness and response capacity of the public health system. CDC's major contributions to this effort include the following:
Developed a National Public Health Strategy for Terrorism Preparedness and Emergency Response. The strategy identified several strategic imperatives that must be addressed to prepare public health: (1) timely, effective, and integrated detection and investigation; (2) sustained prevention and consequence management programs; (3) coordinated public health emergency preparedness and response; (4) qualified, equipped, and integrated laboratories; (5) a competent and sustainable
workforce; (6) protected workers and workplaces; (7) innovative, relevant, and applied research and
evaluation; and (8) timely, accurate, and coordinated communications. Within this framework, CDC
channels its terrorism preparedness and response efforts to address three key themes and
components of biodefense:
Biointelligence;
Containment and response; and
Recovery.
Awarded more than $1 billion to the 62 grantees (all 50 states, the four largest urban areas, Puerto Rico, the Virgin Islands, and six Pacific Territories); provided oversight, technical assistance, and site visits to all 62 grantees; evaluated grantee progress toward achievement of the critical capabilities and benchmarks outlined in the program guidance; supported the review of grantees' emergency public health powers to assist them in strengthening their legal preparedness for terrorism and other public health threats and emergencies; and supported five states in building capacity to rapidly measure the metabolites of chemical agents in blood and urine of persons who are/were potentially exposed to chemical terrorism.
The following is a list of some of the terrorism preparedness and response enhancements made by the 62 grantees to date:
Eighty two percent have established systems to rapidly detect terrorist events through
mandatory disease reporting;
Ninety five percent operate 24/7 systems to activate response plans;
Ninety eight percent have the capability to test for b. anthracis (anthrax);
Ninety eight percent operate systems to disseminate health risk information to the public
and key partners; and
Ninety one percent can initiate a field investigation within six hours of an urgent disease report from all parts of their jurisdiction on a 24/7 basis.
Developed the following new performance measures for the State and Local Preparedness Program to provide a more complete representation of overall national preparedness:
Properly equipped public health emergency response teams will be on-site within four
hours of notification by local public health officials to assess the public health impact and
determine the appropriate public health intervention in response to Category A agents;
One hundred percent of state public health agencies will improve their capacity to respond
to exposure to chemicals or category A agents by annually exercising scalable plans and
implementing corrective action plans to minimize any gaps identified;
One hundred percent of state and local public health agencies will be in compliance with
CDC recommendations for using standards-based electronic disease surveillance systems
for appropriate routine public health information collection, analysis, and reporting to
appropriate public health authorities;
One hundred percent of LRN laboratories will pass proficiency testing for bacillus
anthracis, yersina pestis, Francisella tularensis, Clostridium botulinum toxin, Variola major,
vaccina, and varicella;
One hundred percent of states will have level-1 chemical laboratory capacity, and have
agreements with and access to (specimens arriving within eight hours) a level-three
chemical laboratory equipped to detect exposure to nerve agents, mycotoxins, and select
industrial toxins;
One hundred percent of state public health agencies are certified by CDC as prepared to
receive material from the Strategic National Stockpile and distribute material in accordance
with public health response plans; and
One hundred percent of state and local public health agencies will be in compliance with
CDC recommendations for using standards-based, public health information network
systems for appropriate routine public health information collection, analysis, and reporting
to public health authorities.
CDC has committed substantial resources to support the Select Agent Program (SAP). FY 2002's
budget of approximately $5 million was more than tripled in FY 2003. Two letter contracts were
awarded in February 2003. One contractor, Constella Health Sciences, is providing services for
registering and inspecting laboratory facilities. More than 100 inspections have already been done
under the new regulation. Inspections will be prioritized according to potential risk and other appropriate factors. The other contractor, Science Applications International Corporation, is developing and implementing a new database management system that will provide a web-based interface. Nineteen of the 21 FTE positions committed to the SAP have been filled. The SAP has received approximately 487 registration applications under the new regulation (42 CFR Part 73) from laboratory facilities to date. Program officials are contacting more than 200 laboratory facilities that had previously declared possession of a select microbiological agent or toxin to determine their current status.
Improved the LRN through laboratorian training, testing research, and technical assistance for the transfer of agents to a confirmatory laboratory. The following accomplishments demonstrate:
Enhanced LRN to include smallpox roll out capability across U.S. clinical labs;
Seventy five percent, structures established to provide rapid and effective laboratory
services to support terrorism preparedness and response;
Eighty four percent, timeline prepared to improve relations between clinical labs and LRN member labs;
Ninety eight percent, can test for Bacillus anthracis;
Eighty six percent, can test for Yersinia pestis;
Eighty six percent, can test for Francisella tularensis; and
Thirty three percent, systems in place to screen for radiological, explosive, and chemical risk of specimens prior to biological analysis.
Increased the number of rapid diagnostic tests to 39. Specifically, 39 Polymerase Chain Reaction (nucleic acid detection) and Time-Resolved Fluorescence (antigen detection) assays were developed to cover additional biodetection needs with ten bioterrorism agents on five different instrument platforms. Final results will be reported in December 2003.
Developed a memorandum of understanding with the Federal Bureau of Investigation and U.S.
Department of Agriculture that will expand the LRN to include the addition of public health laboratories, animal laboratories, and laboratories overseas.
Managed the Strategic National Stockpile (SNS), a national repository of life-saving pharmaceuticals and medical material. Maintained 12 12-hour Push packages of pharmaceuticals, antidotes, and medical supplies designed to provide rapid delivery of a broad spectrum of assets for an ill-defined threat within the early hours of an event; and maintained a follow-on vendor managed inventory (VMI) available to ship within 24 to 36 hours if the incident requires additional pharmaceuticals. VMI can also be tailored to respond to a defined threat. CDC initiated a SNS project named "Chempack" that is the forward placement of SNS nerve agent antidotes. Chempack material will be under state and selected municipalities' custody for quick access for state and local responders. The project will begin in December 2003 with full deployment over the next two years.
In January 2003, CDC opened its state-of-the-art Director's Emergency Operations Center (DEOC). The DEOC serves as the agency's central public health incident management center for coordinating and supporting staff, information, and other assets associated with CDC/ATSDR's preparedness for, and response to, public health emergencies. The DEOC also serves as a central point for monitoring and tracking CDC/ATSDR's worldwide public health commitments.
As of August 8, 2003, 38,267 health care and public health responders were vaccinated. Of these, 2,667 are first responders (fire fighters, police, and emergency medical services personnel).
The Smallpox Emergency Personnel Protection Act (SEPPA) was passed on April 30, 2003. Note that the
actual implementation of SEPPA is pending the approval of the compensation injury table that will outline eligibility criteria for benefits. Therefore, we are unable to judge if passing this legislation has affected vaccination rates. Unfortunately, since April 30 the numbers of volunteers for smallpox vaccination have continued to decrease each week. Prior to April 30 the number of volunteers ranged between 1,097 and 5,336, with an average of 3,097 volunteers each week. Since May 2 a total of 2,354 volunteers have been vaccinated, with an average of 168 volunteers per week.
Besides a smallpox compensation program, factors that have been attributed to the low acceptance of the vaccine include the following:
Low perceived threat of a smallpox event;
Concerns about hospital liability related to potential nosocomial transmission of vaccinia from vaccinated health care workers;
Continuing concerns about personal risk of adverse reactions to vaccination, highlighted by the recent discovery of cardiac adverse events (myo-pericarditis); and
Other public health emergencies such as Severe Acute Respiratory Syndrome (SARS).
Because interpretations of the phased approach to implementing the smallpox vaccination program vary widely, CDC has outlined a new strategy for smallpox grantees which does not emphasize "phases" or "stages." CDC will not recommend offering the vaccine to all traditional first responders and all health care providers. Rather, the focus will be on enhancing response teams so that they can quickly perform all the necessary activities to contain any potential smallpox outbreaks. CDC will allow states to decide the types of staff they need to respond, such as those the Advisory Committee on Immunization Practices (ACIP) identified for public health teams in its April 4, 2003, recommendations, that included persons designated as medical team leaders, public health advisors, medical epidemiologists, disease investigators, diagnostic laboratory scientists, nurses, personnel who could administer smallpox vaccines, security or law enforcement personnel, and other medical personnel to assist in evaluating suspected smallpox cases. Using this approach, we would concentrate less on the number of people being vaccinated and more on groups of individuals trained in their roles and responsibilities as part of smallpox response teams. This approach emphasizes a focus on all the elements needed to assure acceptable levels of readiness for a smallpox event. This new direction takes advantage of public health response strategies needed to control and contain an outbreak of smallpox and includes the following preparedness elements that must be addressed:
Preparing key responders before an event occurs;
Rapid detection, identification, investigation, and response to suspect or confirmed cases of smallpox; and
Protection of the public, including the provision of mass vaccination clinics.
According to the World Health Organization (WHO), 8,437 people worldwide became sick with SARS during the course of this outbreak; and of these, 813 died. Through July 2003, 192 SARS cases had been reported in the U.S., including 159 suspect and 33 probable cases. Of the 33 probable cases, only eight had laboratory evidence of SARS-CoV (SARS-associated Coronavirus) infection. No SARS related deaths occurred in the U.S., and SARS cases reported in the U.S. occurred primarily among people who traveled to SARS-affected areas. Only one person may have contacted SARS after
exposure in the U.S. (this person is the spouse of a SARS case who was exposed overseas). There
was no evidence that SARS spread more widely within the U.S.
To minimize the risk for SARS among U.S. residents, the public health system took careful and thorough precautions to prevent the spread of SARS. People who were suspected of having SARS were isolated from others and received care, while people arriving from affected parts of the world (who might have been exposed to SARS) received information about SARS and instructions on what they should do if they became ill. SARS patients and their contacts were monitored to help prevent spread of the disease. CDC worked closely with WHO and other partners in a global effort to address the SARS outbreak. For its part, CDC took the following actions:
Activated its Emergency Operations Center to provide round-the-clock coordination and response;
Committed more than 800 medical experts and support staff to work on the SARS response;
Deployed medical officers, epidemiologists, and other specialists to assist with on-site investigations around the world;
Provided assistance to state and local health departments in investigating possible cases of SARS in the U.S.;
Conducted extensive laboratory testing of clinical specimens from SARS patients to identify the cause of the disease; and
Initiated a system for distributing health alert notices to travelers who may have been exposed to cases of SARS.
In addition, CDC is continuing to work with federal, state, and local health departments and other
professional organizations to plan for a rapid recognition and response should SARS reemerge.
Management Issue #2: Payment for Prescription Drugs
Management Challenge
Because prescription drugs are such a significant part of medical care, it is important that Medicare and Medicaid beneficiaries' access to pharmaceuticals not be hindered by overpricing. Yet our work has
revealed just such overpricing of drugs.
Medicare does not pay for most outpatient prescription drugs. However, under specific circumstances,
Medicare Part B will cover drugs that are furnished incident to a physician's service that are not usually self-administered and certain prescription drugs that are used with durable medical equipment, infusion devices, dialysis, chemotherapy, pain management, and organ transplantation. Yet, in calendar year 2002, Medicare and its beneficiaries paid more than $8.2 billion for such prescription drugs, nearly six times the $1.4 billion allowed in 1994. In the Medicaid program, drug costs represent one of the fastest growing categories of expenditures. The federal share of dollars spent for Medicaid prescription drugs was $15.8 billion compared with $8.2 billion in FY 1994.
We have consistently found that Medicare and Medicaid pay too much for prescription drugs -- more than
most other payers. For example, Medicare payments for 24 leading drugs in FY 2000 were $887 million
higher than actual wholesale prices available to physicians and suppliers and $1.9 billion higher than prices available through the Federal Supply Schedule. This excessive payment continues to grow as the amount paid by Medicare increases. In an August 2001 report, we estimated that the Medicaid program could have saved as much as $1 billion if brand name prescription drug reimbursement (not including the dispensing fee) had been in line with the pharmacies' estimated acquisition costs for the drugs.
Excessive Medicare and Medicaid payments have occurred because the reimbursement methodologies are
fundamentally flawed. By law, Medicare's payment is equal to 95 percent of a drug's average wholesale
price. However, the prices used to set Medicare and Medicaid payments are not really wholesale prices.
These published prices used to establish drug reimbursement often bear little or no resemblance to actual
wholesale prices available to physicians, suppliers, and large government purchasers. Further, because
physicians and suppliers keep the difference between the actual price they pay for a drug and 95 percent of the published wholesale price, they have a financial incentive to buy from a drug company with the highest published prices, and manufacturers may have a financial incentive to artificially inflate their published data in an attempt to gain market share.
Numerous OIG reports indicate that Medicaid is also paying too much for prescription drugs because state reimbursement methodologies are also based on inflated published wholesale prices. Most states currently reimburse pharmacies for drugs using an average discount of 10.3 percent of the average wholesale price. Our reviews have shown that the actual acquisition costs can range from 17.2 percent to 72.1 percent discounts off the published prices depending upon the classification of the drug.
As further evidence of the vulnerabilities in the drug area, the Federal Government recently settled with three pharmaceutical manufacturers who allegedly set and reported certain wholesale prices at levels far higher than the actual acquisition cost. The government alleged that these prices were higher than those paid by the majority of their customers and resulted in excess Medicare and/or Medicaid reimbursement. To resolve their liability for this and other conduct, these three companies agreed to pay $875 million, $355 million, and $14 million; a total of $1.25 billion. Additional examples involve three companies that paid almost $400 million to resolve their liabilities in cases involving their failure to pay appropriate rebates under the Medicaid drug rebate program.
Assessment of Progress in Addressing the Challenge
OIG reports continue to show that these flawed payment methodologies remain essentially unchanged.
However, the Benefits Improvement and Protection Act of 2000 authorized the Secretary to make some
administrative adjustments to the Medicare payment methodology. The Centers for Medicare & Medicaid
Services (CMS) would prefer that Congress reform the drug payment system legislatively. However, in the interim, CMS has issued a notice of proposed rulemaking, soliciting comments on four options to reform Medicare prescription drug payment methodology.
Management's Comments in Brief
As of November 2003, the different Medicare bills proposed in the House and Senate are in conference,
but to date no legislation has been enacted. In the absence of legislation, CMS published a notice of
proposed rulemaking (NPRM) on August 20, 2003 (68 FR 50428).
Management Issue #3: Nursing Facilities
Management Challenge
Given the vulnerability of nursing facility residents, appropriate and quality care is a top priority for the OIG. We continue to be concerned about the quality of living conditions and care in these facilities.
In recent work, we found increases in the total number of deficiencies and in the proportion of nursing homes being cited for substandard care deficiencies. Specifically, the deficiencies cited by surveyors in 2001, compared with those cited in 1998, showed that the overall number went up both in the aggregate and in the number per nursing home surveyed. We found that 78 percent of the nursing homes received at least one deficiency in the three categories related to quality of care, an eight percent increase from 1998. The greatest overall increase in deficiency citations was for resident assessments and care plans, important tools in developing the framework for the appropriate care of residents. In 2001, 50.1 percent of nursing homes had at least one deficiency related to resident assessments, up from 11.6 percent in 1998.
We also found that inconsistencies in citing deficiencies resulted from variations of survey focus, unclear guidelines, lack of a common review process for draft survey reports, and high surveyor staff turnover.
In our review of psychosocial services in nursing homes, we found that not all of the facilities had
developed the necessary care plans to address psychosocial needs and that 46 percent of beneficiaries
with such plans did not receive the care outlined in them. A further indication of quality of life and care problems is evident in the increasing number of nursing home complaints registered in the National
Ombudsman Reporting System.
Assessment of Progress in Addressing the Challenge
CMS has taken a number of steps to strengthen the survey and certification process, including clarifying its guidance to states on citing deficiencies. CMS indicated that it had initiated a contract to develop guidance for determining the severity of deficiency findings and for citing single or multiple deficiencies. The agency also agreed to improve nurse aide training and competency evaluation program requirements, and to strengthen the oversight process associated with the psychosocial service portion of the resident assessment. Nevertheless, because of the pervasive and continuing nature of the problems we found, there is still cause for serious concerns.
Management's Comments in Brief
There has been an increase in the number of deficiencies resulting from nursing home surveys. However,
it would not be accurate to assume the number of deficiencies is an automatic reflection of decreased
quality of care to residents. The CMS has undertaken a number of initiatives that explain, at least in part, the pattern of deficiency citations discussed under "Management Challenge." The CMS initiatives have had an impact on the regulation of nursing homes and resulted in the identification of problems that may have previously been present but not identified. These initiatives include the following:
An increased focus on acceptable care related to pressure ulcers, dehydration, and unintended weight loss. The increased focus on these areas of care included issuance of additional protocols in 1999 to guide surveyor information gathering and decision-making associated with determining compliance with
federal requirements;
Emphasis has been placed on citing not only compliance issues related to quality of care tags but also failures associated with related assessment and care planning requirements. The result of this effort has been an increased citation of noncompliance with assessment and care planning requirements.
Prior to this effort there was greater inconsistency in the pattern of citations (citing specific care
practices and not making an association with the related process requirements);
The CMS presented a national satellite broadcast for surveyors and providers on "Mental Illness in
Nursing Facilities." Objectives of the broadcast were to educate surveyors about implementation of the
Preadmission Screening and Resident Review (PASRR) requirements, and enhance surveyor ability to
determine facility compliance using an assessment process to identify residents with mental illness or
significant change in mental health and to develop appropriate care plans. We anticipate this training
may result in the identification of additional problems in facilities and believe this is an indication that surveyors are better prepared to identify when problems of compliance may be present. As previously
stated, this should not be automatically construed to mean there has been a decrease in the quality of
care;
The CMS developed and implemented the use of state performance standards to evaluate survey
agency (SA) performance. Use of the performance standards by regional office staff is one method of
evaluating each SA. The performance standards include evaluation of the survey findings and whether
actions leading to certification by the SA are fully documented and consistent with applicable law,
regulations, and general instructions. We believe this process of SA evaluation will identify if problems
are present regarding the adequacy of documentation by surveyors;
The CMS is developing additional survey process guidance. This guidance includes developing
additional instructions with the assistance of national experts to upgrade clinical information and
provide specific information regarding determining severity levels of critical tags. This effort is capable of leading to additional findings of noncompliance and changes in the level of severity associated with determinations of deficient practice. This is shared as an indication of how a change in the number of deficiencies or their severity may occur even though there has not necessarily been a decline in the quality of care;
The CMS has developed a complaint tracking system and is currently in the final stages of a national pilot prior to implementation. The Aspen Complaint and Incident Reporting System (ACTS) will assist in managing complaints and their investigations by SAs. This is mentioned since we believe more
complete reporting and tracking of complaints may occur although it would be an error to conclude that
care has diminished simply because we have mechanisms for better reporting the number and nature
of complaints; and
The General Accounting Office is currently conducting a study of the manner in which SAs budget their expenses and CMS distributes funds to carry out the certification program. It is possible this study may impact on the adequacy of funding and to the extent that surveyor salaries are related to turnover, which may prove informative to CMS.
Management Issue #4: Integrity of Medicaid Payments
Management Challenge
Accuracy in the federal share of Medicaid costs is important to help ensure fairness across all state
Medicaid programs as well as assure these federal health care dollars reach and achieve their maximum
intended health care purposes. We found that some states inappropriately inflated the federal share of
Medicaid by billions of dollars by requiring public providers to return Medicaid payments to the state
governments through intergovernmental transfers. Once the payments were returned, the states used the
funds for other purposes, some of which were unrelated to Medicaid. Although this abusive practice could
potentially occur with any type of Medicaid payment to public facilities, we identified serious problems with this practice in Medicaid enhanced payments available under upper payment limits and Medicaid
disproportionate share hospital payments. These federal/state enhanced payments are made to nursing
homes, or hospitals; and these facilities then return the monies to the states through intergovernmental
transfers.
Assessment of Progress in Addressing the Challenge
To curb abuses and ensure that state Medicaid payment systems promote economy and efficiency, CMS
issued final rules, effective March 13, 2001, November 5, 2001, and May 14, 2002, which modified upper
payment limit regulations in accordance with the Benefits Improvement and Protection Act of 2000. The
regulatory action created three aggregate upper payment limits – one each for private, state, and non-state government-operated facilities. The new regulations will be gradually phased in and become fully effective on October 1, 2008. CMS projects that these revisions combined will save $90 billion in federal Medicaid funds over the next ten years.
However, when fully implemented, these changes will only limit, not eliminate, the amount of state financial manipulation of the Medicaid program because the regulations do not require that the targeted facilities retain the enhanced funds to provide medical services to Medicaid beneficiaries. We also believe the transition periods included in the regulations are longer than needed for states to adjust their financial operations.
CMS has developed procedures for conducting Financial Management Reviews to ensure state
accountability with respect to disproportionate share payments to hospitals. We are continuing audit work
in this area and will recommend program improvements once the work is completed.
Management's Comments in Brief
The CMS and the OIG will continue to work closely on analyzing the effects of the upper payment limit issue and regulations, and the correct expenditure of disproportionate share hospital funds. During FY 2003, CMS requested the assistance of the OIG in the review of upper payment limit and disproportionate share hospital methodologies in ten states. These OIG reviews will greatly aid CMS in the identification of abusive upper payment limit and disproportionate share hospital practices.
Regarding the length of the upper payment limit transition periods, CMS has little control. The two- and five- year transition periods were adopted pursuant to notice and comment rulemaking. The Benefits Improvement and Protection Act (BIPA) of 2000 further extended the transition periods by mandating the eight-year transition period.
In August 2003, CMS commenced in-depth questioning of states' funding and payment recycling practices. It is CMS's goal to end all state practices that result in federal Medicaid dollars not being used for their maximum intended health care purposes.
Management Issue #5: Oversight of Medicare Contractors
Management Challenge
Because of the crucial role that Medicare claims processing contractors play in helping to deliver efficient and effective health care to approximately 41 million Medicare beneficiaries, it is important they be held accountable for their responsibilities in the health care financing and delivery system. For several years, we have been concerned about Medicare contractors' financial management problems, such as accounts receivable documentation inadequacies and the lack of integrated dual-entry accounting systems; information systems control weaknesses; integrity issues; and weaknesses in the way they assign and maintain provider numbers. These deficiencies could contribute to the loss of program funds through improper payments, manipulation, fraud, and abuse.
Of particular concern is that the integrity of the contractors themselves continues to be an issue, and the potential for fraud exists. Since 1993, 18 settlements and agreements (criminal and civil) have resulted in over $458 million in HHS recoveries for alleged improper contractor operations. One contractor agreed to pay $76 million to settle allegations of misconduct while acting as a Medicare Part B carrier between 1966 and 1998. Among other things, the contractor had failed to process claims properly, then submitted false information to CMS regarding the accuracy and timeliness with which it handled those claims. In addition, a former Medicare fiscal intermediary agreed to pay $9.3 million to resolve its potential liability under the False Claims Act and Civil Monetary Penalties Law for allegedly falsifying its performance data on Medicare cost reports.
Assessment of Progress in Addressing the Challenge
Some progress is being made with respect to financial management problems cited above, but more needs to be done. The OIG expressed an unqualified opinion on the CMS FY 1999 through FY 2002 financial statements because CMS continued to contract for validation and documentation of accounts receivable. However, once again, OIG's FY 2002 financial statement audit disclosed that the lack of a fully integrated financial management system continued to impair CMS's and the Medicare contractors' abilities to adequately support and analyze accounts receivable and other reported financial balances. To address these problems, CMS has initiated steps to implement the Healthcare Integrated General Ledger Accounting System (HIGLAS). This is expected to be fully operational in FY 2007.
FY 2002 reviews of information systems (IS) controls also disclosed numerous and continuing general control weaknesses at Medicare contractors, as well as application control weaknesses in contractors' shared systems. The most significant IS weakness, the distribution of source code to Medicare contractors, was corrected during FY 2002. However, as a result of the remaining vulnerabilities, controls would not effectively prevent unauthorized access, malicious changes, improper Medicare payments, or critical operation disruptions. Corrective action is needed to address the fundamental causes of control weaknesses. We continue to assess the status of these weaknesses in our annual audit of the CMS financial statements.
With regard to the integrity of the contractors themselves, the OIG and CMS continue to work to resolve cases as they arise with resulting settlements as previously discussed.
Management's Comments in Brief
The CMS concurs with the OIG's assessment. The fact that CMS's financial statements received an
unqualified opinion for the fourth consecutive year reflects the steady progress that CMS has made in
achieving its financial management goals. A key element of our strategic vision is to implement a state-of-the-art financial management system that fully integrates CMS's accounting system with those of our Medicare contractors. Recent HIGLAS accomplishments include the mapping of HIGLAS requirements to the Oracle Federal Financial software and the completion of nine technical requirement pilots and six conference room pilots needed to complete the business and technical design for the pilot contractors. Pilot test training development and end-user training development are also underway. Validation and user testing at the two contractor pilot sites (Major Milestone 1 of the project) is on track to begin in October 2003 as scheduled. Prior to HIGLAS implementation, CMS continues to conduct Statement on Auditing Standards (SAS) 70 internal control reviews to validate Medicare contractors' accounts receivable.
The Medicare Information Systems and Controls material weakness is an accumulation of findings at the fee-for-service contractor operations as well as at the CMS Central Office. The weakness is not
attributable to any one location or any one vulnerability, nor has there been any evidence that the
weakness has been exploited. This weakness will in all likelihood remain an issue until CMS is well along
on its information technology (IT) modernization effort.
The President's budget for FY 2004 includes $65 million to revitalize CMS's IT systems. A secure
system environment is a key component of the IT Modernization Plan;
A good example of how this will impact security is data center consolidation. Data center consolidation will reduce the number of locations within the Medicare security perimeter; and
Rather than focus resources on managing corrective actions of individual findings or implementation of safeguards, CMS IT modernization emphasizes funding the architectural foundation needed to protect our systems and infrastructure.
The CMS is implementing Electronic Data Processing (EDP) security safeguards at the Medicare
contractors. A total of 683 safeguards have been funded. Contractors have reported completing about two
thirds of the safeguards. The CMS is validating the implementation of the safeguards. Implementation of all the safeguards will improve security, although as mentioned the long-term fix for the Medicare contractors lies in the CMS IT Modernization initiative.
Management Issue #6: Medicare Payment Errors
Management Challenge
To help ensure the financial integrity of the Medicare program, continued access to Medicare benefits, as well as the long-term viability of the Medicare trust fund, documented and accurate bills for properly rendered health care services must be submitted for correct payment. Based on a statistical sample, OIG estimated that improper Medicare benefit payments made during FY 2002 totaled $13.3 billion, or about 6.3 percent of the $212.7 billion in processed fee-for-service payments reported by CMS. These improper payments could range from reimbursement for services provided, but inadequately documented, to inadvertent mistakes, to outright fraud and abuse. When these claims were submitted for payment to Medicare contractors, they contained no visible errors; however, the overwhelming majority were detected through medical record reviews. While OIG's seven-year analysis indicates continuing progress in reducing improper payments, unsupported and medically unnecessary services remain pervasive problems.
We have also conducted targeted audits and inspections to identify improper payments and problem areas in specific parts of the program. These reviews have analyzed duplicate payments for the same service, payments made on behalf of deceased beneficiaries, payments made for incarcerated beneficiaries, and other types of improper payments. For example, we found over $45 million in improper payments for equipment and supplies billed by durable medical equipment suppliers for beneficiaries residing in skilled nursing facilities. And Medicare made over $64 million in potential overpayments for ambulance and radiology services billed for beneficiaries during their inpatient stays in prospective payment system hospitals.
An issue was identified where a provider manipulated the Medicare payment rules in the hospital outlier payments. Reviews of a major chain of providers have shown that the chain's actions to aggressively increase charges for services triggered higher than normal Medicare outlier payment increases of several hundred million dollars. CMS issued a regulation to address this problem. However, this manipulation by the chain highlights the vulnerability present in Medicare payments that are extra or that are made to enhance the basic payments.
We will continue these targeted reviews to ensure that Medicare payments are made in accordance with program rules. For example, we are currently reviewing the accuracy of payments for power wheelchairs, ambulance services, chiropractic services, allergy treatments, physician evaluation and management services, and services and supplies billed "incident to" physician services.
Assessment of Progress in Addressing the Challenge
The FY 2002 error rate is less than half of the 13.8 percent reported for FY 1996. Since we developed the first error rate, CMS has demonstrated continued vigilance in monitoring the error rate and developing appropriate corrective action plans. In addition, due to CMS's work with the provider community to clarify reimbursement rules and to impress upon health care providers the importance of fully documented services, the overwhelming majority of health care providers follow Medicare reimbursement rules and bill correctly.
In FY 2003, CMS will fully implement its Comprehensive Error Rate Testing (CERT) program and Hospital Payment Monitoring Program (HPMP) to produce a Medicare fee-for-service error rate. This methodology will establish, for the first time, baselines to measure each contractor's progress toward correctly processing and paying claims. The result will reflect the contractor's performance and will identify specific provider billing anomalies in the region. Contractors will then develop targeted corrective action plans to reduce payment errors through provider education, claim reviews, and other activities; and CMS will evaluate their rate of improvement. We will also continue targeted reviews of specific Medicare benefits where vulnerabilities have been identified, to determine appropriateness of payments.
Management's Comments in Brief
The CMS concurs with the OIG's assessment. In FY 1996, the OIG began estimating the national
Medicare fee-for-service paid claims error rate. By FY 2000, the error rate was cut in half due in part to CMS's corrective actions that enhanced internal pre- and post- payment controls; targeted vulnerable program areas; and educated providers regarding documentation guidelines and common billing errors.
Since the OIG's error rate measure was valid only at the national level, CMS developed a new, more
precise measure for 2003 and beyond. The CMS's CERT program and Hospital Payment Monitoring
Program HPMP will produce the following error rates in November 2003:
Monitoring Program
Type of Error Rate(s) Produced
Provider Compliance Error Rate
Paid Claims Error Rate
Processed Claims Error Rate
Comprehensive Error Rate Testing (CERT)
For all carriers (as a group)
X
X
X
For all Durable Medical Equipment Carriers (DMERCs) (as a group)
X
X
X
For all Fiscal Intermediaries (FIs) (as a group)
Available in 2005
X
Available in 2005
For each individual carrier
X
X
X
For each individual DMERC
X
X
X
For each individual FI
Available in 2005
Available in 2004
Available in 2005
By type of service
X
X
X
By type of provider
X
X
X
Hospital Payment Monitoring Program (HPMP)
For all Quality Improvement Organizations (QIOs) (as a group)
Not Produced
X
Not Produced
For each individual QIO
Not Produced
X
Not Produced
By type of service
Not Produced
Not Produced
Not Produced
CERT + HPMP
A Medicare-wide rate
Not Produced
X
Not Produced
Management Issue #7: Grant Management
Management Challenge
Departmental discretionary grants, estimated to total over $35 billion in FY 2003, must be used
appropriately to achieve their intended purposes. Most of the departmental agencies rely on the grant
mechanism as a pivotal tool in meeting their mission objectives, such as providing critical health services to underserved individuals, researching the causes and treatments of disease, elevating the social and economic status of vulnerable populations, and supporting the nationwide infrastructure for the health surveillance and prevention network. As such, it is incumbent upon HHS to award grant funds to the most worthy and competent organizations and to adequately monitor program results and use of federal funds. However, the programs are numerous and diverse. Vigilance is required to ensure that specific awards are free of abuse and the monitoring systems to manage them are capable of identifying improper behavior.
To address this challenge, we have initiated reviews that will focus on the effectiveness and efficiency of management controls over federal grants. We are systematically studying several HHS agencies' grantmaking and oversight processes. At the same time, we are assessing individual grantees' program performance-based outcomes and stewardship of funds. This strategy is designed so that findings and recommendations derived at the agency level can be used in examinations at the grantee level and vice
versa.
Thus far, we have found inadequate performance on the part of some grantees in achieving grant
objectives, limited required reporting to federal offices on progress in meeting program objectives, and the misuse of grant funds. In addition, we noted poor oversight on the part of federal program offices and inadequate follow-up on significant identified problems. We will continue to address grant oversight and performance throughout the Department's grant-making programs in FY 2004.
Assessment of Progress in Addressing the Challenge
Through the government-wide Federal Grant Streamlining Program (FGSP), the HHS grant management
environment is undergoing significant changes. The program is intended to implement the Federal
Financial Assistance Management Improvement Act of 1999, which requires agencies to improve the
effectiveness and performance of their grant programs, simplify the grant application and reporting process, improve the delivery of services to the public, and increase communication among entities responsible for delivering services. The initiative requires grant officials to examine the way they do business, focusing not only on streamlining the grant process but also on ensuring that results are achieved and federal funds are used appropriately for maximum benefit of program recipients.
Management Comments in Brief
A wide variety of departmental activities are currently underway which are complementing the various OIG studies and providing a renewed focus on how departmental staff assess grantee progress in achieving grant outcomes and monitoring grantee compliance with federal and agency specific grant requirements. Specific initiatives include the following:
HHS agencies are continuing their efforts to establish performance goals in various grant programs by requiring applicants, as part of their grant application proposals, to identify performance targets to be achieved by the end of each budget period. HHS agencies review grantee progress reports to assess achievement of performance targets and, if deemed necessary, more intensive monitoring and/or technical assistance may be provided to assist grantees in accomplishing identified outcome(s);
Targeted reviews of specific grant operations within the Department are currently underway or being planned under the aegis of the Assistant Secretary for Administration and Management. These
reviews, building on previously developed grants management systems review protocols, examine a
variety of pre- and post- award activities performed by an HHS awarding agency. For example, a review of a grant program in the Division of Adolescent and School Health (DASH), a program within
the Centers for Disease Control and Prevention, was conducted in FY 2003 to ascertain whether DASH
grant practices are in compliance with established departmental regulations and policies; i.e.
evaluations of pre-award processes, including a determination as to whether the award process
effectively maximizes competition; and examinations of post-award monitoring activities, including
performance and financial report submissions and site-visits;
HHS's Grants Management Balanced Scorecard is a self-administered review protocol enabling HHS
agencies to assess perceptions of performance by soliciting feedback from a variety of internal and
external users/customers. The results indicate how well an HHS agency is performing a variety of pre-
and post- award grant activities enabling HHS agencies to develop and implement action plans to
address areas targeted for improvement. To date, all HHS agencies have administered both phases of
the Balanced Scorecard (Phase One focused on internal HHS agency surveys, and Phase Two
focused on external surveys of grant recipients). HHS agencies are at varying stages in reviewing
Scorecard data results, developing action plans to implement process improvements, and readministering
the Scorecards. For example, HHS agencies such as HRSA, AHRQ, and AoA have
developed and implemented initial process improvements and will measure their success in future
Scorecard surveys;
Special award conditions of a programmatic and/or administrative nature may be appropriate if an organization has a history of poor programmatic performance, is financially unstable, has inadequate management systems, or has not complied with the terms of previous HHS awards. If special
conditions are included in an award, the awarding office is required to designate the grantee as "high risk/special award conditions". In order to notify all HHS awarding offices of entities considered "high risk/special award conditions" by one or more awarding offices and/or those for which the OIG has issued an alert, HHS maintains a Department Alert List. If an award contains special conditions, the HHS agencies must ensure that the grantee is aware of those conditions and understands the action that is necessary to satisfy them. Furthermore, HHS agencies must develop a corrective action plan with the affected grantee, monitor improvement, and assess, at the conclusion of the corrective action period (generally no more than two years), whether the special award conditions can be removed. SAMHSA has been especially diligent in placing appropriate organizations on the Alert List in a timely manner, monitoring progress with corrective action plans, and removing them from the Alert List once the corrective actions have been satisfactorily addressed;
Through the government-wide FGSP, the HHS grant management environment is undergoing
changes. The FGSP is an effort required by Public Law 106-107, the Federal Financial Assistance
Management Improvement Act of 1999, which requires all federal agencies to improve the
effectiveness and performance of their grant programs, simplify the grant application and reporting
process, improve the delivery of services to the public, and increase communication among entities
responsible for delivering services. As the lead agency in this multi-year initiative, HHS continues to provide both strategic oversight for the Act's implementation as well as a leadership role in the various streamlining and simplification workgroups created under the FGSP. Achievements to date include, but are not limited to, the establishment of the Grants.gov Office within HHS which collaborates with multiple federal agencies to help meet the requirements for electronic access to funding opportunities and electronic submission of applications; participation in the development and issuance of several Federal Register notices soliciting public comment on key initiatives encompassed under the act; e.g., proposals for simplifying and clarifying the various government-wide cost principles applicable to grant programs; and increased development and use by HHS agencies of electronic technologies to ensure the ability to electronically receive and process applications as well as required reports under grant awards; and
The National Institutes of Health (NIH), which continues to actively represent the Department's research programs in the interagency forums, was one of the original participants in developing the concept and planning for the e-Grants portal, which built on the NIH Commons concept. NIH also was an active partner in the development of the Transaction Set 194, which is serving as the starting point for the core data set for applications to be submitted through the e-Grants portal. In addition, NIH is developing a web-based system that will provide easier grantee access and a friendlier user-interface for submission of Financial Status Report data to replace its current electronic system. The HHS agencies are also making greater use of fillable forms and electronic processing of grant applications. While most of this activity is directed at discretionary grants, SAMHSA is using an automated block grant application system, which it plans to convert to an interactive system.
Because these initiatives require grant officials to examine the way they do business, they are in a good position to focus not only on streamlining the grant process but also on ensuring that results are achieved and federal funds are used appropriately.
As one of several initiatives designed to ensure that the Department meets the President's Management Agenda for improving the management and performance of the Federal Government, the Office of Grants
Management and Policy, within the Office of the Assistant Secretary for Administration and Management,
was authorized by the Secretary to conduct a departmental review of grants management activities
involving the pre-award process. Special interest was given to the development of funding announcements
in order to develop best practices, afford greater efficiencies and increased accountability, and ensure that announcements are consistent with regulations and departmental policies. The departmental review has
identified various recommendations for improvements in announcement preparation and presentation
which have subsequently been promulgated through a directed action transmittal to the awarding
components. All HHS agencies are making strides at integrating best practices into the development of
their announcements resulting in greater consistency across the Department.
Management Issue #8: Protection of Critical Systems
Management Challenge
To accomplish its major missions – providing health care to the elderly, the disabled, and the poor;
facilitating research; preventing and controlling disease; and serving families and children – the
Department must rely on a computing environment that is decentralized, accessible to all users, and
distributed over multiple platforms, agencies, and operating systems. Management, therefore, must ensure
the creation of an integrated process to establish security policies for IT and to monitor compliance. This process is essential for an effective IT security program, both for existing systems and those being
developed. Due to its major responsibilities for public health and safety, the Department has been
identified as a Tier I agency, which signifies a dramatic negative national impact should certain HHS
systems be compromised. Additional HHS systems are critical for maintaining the financial integrity of
billions of dollars expended on services to the American public.
Through Presidential Decision Directive 63 and the Federal Information Security Management Act, the
Federal Government has been mandated to assess the controls in place to protect assets critical to the
Nation's well-being and report on their vulnerability. The events of September 11, 2001 greatly heightened the importance of protecting physical and cyber-based systems essential to the minimum operations of the economy and the government. However, reviews at contractors, grantees, HHS agencies, and states continue to disclose significant impediments to the creation of an effective security program. And the Department now faces the additional challenge of ensuring the privacy of medical records in electronic systems and transmissions, as required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, effective April 14, 2003.
Assessment of Progress in Addressing the Challenge
HHS has made progress in securing the most critical of essential assets, both physical and cyber-based,
such as Department laboratories, computer systems, and data communication networks. Core
requirements for security controls were established and distributed, and systems architecture documents
are being developed. However, recent OIG assessments found numerous control weaknesses in entity-
wide security, access controls, service continuity, and segregation of duties. A collective assessment of
deficiencies in Medicare systems resulted in the reporting of a material weakness in the FY 2002 HHS
financial statement audit. Although we have not found any evidence that these weaknesses have been
exploited, they leave the Department vulnerable to: (1) unauthorized access to and disclosure of sensitive information; (2) malicious changes that could interrupt data processing or destroy data files; (3) improper payments; or (4) disruption of critical operations.
While continuing to assess Medicare systems controls, OIG reviews will place new emphasis on
compliance with HIPAA privacy rules and on security plans for the development of new systems, such as
the Unified Financial Management System and the Health Insurance General Ledger Accounting System.
Management's Comments in Brief
In accordance with external guidance and initiatives, HHS has increased its focus on security. As HHS
relies more heavily on using IT to support its business and services to citizens, clearly defined IT security strategies and standard practices are required. This includes providing safeguards to protect the security and confidentiality of patient health information as well as providing a secure environment for leading researchers to share and store their research information.
The Department's critical IT infrastructure is composed of thousands of interconnected computers, servers, routers, switches, and fiber optic cable, that allow its critical information systems to work. A healthy, wellfunctioning IT infrastructure is essential to enable HHS to serve its citizens and meet their needs. Unfortunately, recent national events have highlighted the existence of IT vulnerabilities and the fact that malicious entities are seeking to exploit those vulnerabilities.
A number of internal initiatives and HHS enterprise goals support investment in an enterprise wide
approach to security. These include:
Secretary Priorities: The Secretary of HHS has publicly stated that IT security is one of his top priorities. His One HHS vision also has ramifications within IT security, from the need to establish an overarching IT security program to enhancing communication and collaboration across HHS, to
consolidating IT infrastructures and common administrative systems;
Emerging role of HHS as a key organization in the area of Homeland Security: Certain homeland security initiatives, such as first responder programs for biological, chemical, and terrorism attacks, and other domestic emergencies rely heavily on HHS resources and capabilities for information. Should key security functions be compromised during a crisis, the effects of the disaster would be intensified because of the disruption in information flow to the end users;
HHS Enterprise Strategic Goals: IT security is directly integrated into three of five HHS's Enterprise Strategic Goals: Goal 1 – Provide a secure and trusted IT environment, Goal 2 – Enhance the ability of the Nation's healthcare system to effectively respond to bioterrorism and other public health
challenges, and Goal 3 – Achieve excellence in IT management practices;
HHS Enterprise IT Strategic Plan: The HHS Enterprise IT Strategic Plan for FY 2003 - FY 2008 defines IT mission, vision, goals, initiatives, and measures for the Department including the
development of an HHS IT Security Program; and
Growing Impact of Security: Related events, such as denial of service attacks, virus incidents, system intrusions, and other events adversely effect HHS mission of "improving the health, safety, and well being of the American people."
The external legislation and guidance, and internal business demands, defined above, clearly highlight the importance and priority of IT security in fulfilling the HHS mission, both at a strategic level through IT strategies as well as at the operational level through enterprise IT initiatives.
HHS has made progress in securing the most critical of essential assets, both physical and cyber-based, such as Department laboratories, computer systems, and data communication networks. Core
requirements for security controls were established and distributed, and systems architecture documents
are being developed.
To further meet the aggressive demands of an overarching HHS security program, Secure One HHS, a
strong governance structure with clearly defined roles, responsibilities, and security expertise is required. At the Headquarters (HQ) level, the Department Chief Information Officer (CIO) leads all Department IT efforts and the HHS Chief Security Officer (CSO) leads all security efforts. The CSO reports to the CIO and is legislatively charged with coordinating all department-wide IT security activities. At the HHS agency level, each HHS agency has its own CIO, CSO or equivalent, and IT organization.
Secure One HHS will function as an overarching IT security program, managed at the HQ level by the HHS
CSO, with control and implementation responsibilities distributed across the 12 HHS agencies. By
managing the program at the HQ level, HHS will achieve a consistent IT security baseline across the HHS
agencies by relying upon systematic and universal security requirements; however, local implementation
control within the HHS agencies will enable the HHS agencies to implement security controls within the
confines of their unique operating environments.
Download Reader 
