Curbing Waste, Fraud, and Abuse in Medicaid

Executive Summary

Growth in the Medicaid program, like most other entitlement programs in the U.S., has caused the program to reach a point of unsustainability. Since 2013, enrollment in Medicaid has increased 25 percent. Total program expenditures increased 11 percent in 2014 and federal expenditures increased an estimated 16 percent in 2015. States spend more than a fourth of their annual budget on Medicaid, crowding out funding for other essential services.

Any efforts to reform Medicaid and restore fiscal sustainability to the program must include plans to eliminate improper payments in the program. Medicaid has been on the Government Accountability Office’s (GAO) list of high-risk programs since 2003 because of its high improper payment rate, consistently ranking second among federal programs with the highest improper payment rates. Since 2008, Medicaid’s improper payment rate has averaged 8.4 percent, resulting in $161 billion worth of improper payments and accounting for more than 17 percent of all improper payments made by the federal government. Eliminating all of the waste, fraud, and abuse in just Medicaid (assuming a continued improper payment rate of the current 9.8 percent) would reduce the deficit by approximately 11.4 percent, according to the Congressional Budget Office’s most recent projections.

The high rate of improper payments in Medicaid is astounding given the number of programs and tools designed to combat such waste, fraud, and abuse. However, many of the current tools are ineffective, duplicative, and/or simply not used. Most of Medicaid’s reporting protocols intended to help prevent fraud and other improper payments are optional. Because reporting information consumes already-limited resources, and states have historically had little incentive to recover improper payments—due to the fact that for each dollar recovered, states may only keep their share of the funding (which is always less than half)—many states choose to not report. While recent changes should help overcome this disincentive, more needs to be done. States should be held to a higher level of accountability and tools which show the potential to be the most effective at preventing fraud before it occurs should be more widely and consistently used.


Whenever the policy discussion turns to the nation’s budgetary problems, a call to “get rid of the waste, fraud, and abuse” in government assistance programs is sure to follow. Collectively, payments for wasteful, fraudulent, and/or abusive claims are referred to as “improper payments.” To know if simply eliminating improper payments is a feasible and sufficient solution, we must examine how much waste, fraud, and abuse exists, what the extent of our budgetary problems are, and the cost and effectiveness of tools to combat such payments.

Defining “Improper Payments”

Improper payments include payments of an incorrect amount (either overpayments or underpayments) or payments that should not have been made at all. Improper payments may be made to an ineligible recipient, made for an ineligible good or service, a duplicate payment, a payment for a good or service not provided or received, or a payment that does not account for credit of applicable discounts. Waste includes inaccurate payments for services, such as unintentional duplicate payments, or payments for unnecessary services or higher cost services when a lower-cost service would have served the patient just as well. Abuse occurs when an individual knowingly and intentionally misrepresents his or her actions or acts in a manner which is inconsistent with acceptable business or medical practices.[1]

Opportunities for Improper Payments

There are many opportunities for fraud and abuse to occur in the Medicaid program. Some of these opportunities are the result of efforts to guard against improper denial of benefits. Other opportunities exist because of the overwhelming effort required to verify every piece of information and ensure compliance with all laws and regulations.

Patient Waste, Fraud, and Abuse

Patients can commit fraud in a number of ways. An individual may falsify information pertaining to his or her eligibility. One example of an opportunity for fraud that results from efforts to protect beneficiaries is a Medicaid law that prohibits states from denying benefits to eligible beneficiaries without a permanent home or fixed mailing address; this increases the possibility for ineligible individuals to conceal household size and thus household income levels in order to illegally enroll in Medicaid.[2] Patients may commit fraud by filing false claims, such as for services or products not received or by altering the amount of the claim paid or owed. Additionally, patients may see multiple providers for the same condition or alter prescriptions; this typically happens when an individual is seeking medication either to aid an addiction or to profit from illegally reselling the drugs. (The Centers for Medicare and Medicaid Services (CMS) has responded to this type of action by requiring physicians seeing Medicaid patients to use tamper-resistant prescription pads.)

Provider Waste, Fraud, and Abuse

Providers may also commit fraud or abuse the system for personal gain. Due to a lack of resources and poor information sharing among states, ineligible providers may find ways to enroll in the system. Providers may have been excluded from participating in federal programs—typically due to previous criminal activity—or had their license suspended or revoked by one state, but move to and enroll with another state.[3] Providers—or, more likely, individuals falsely claiming to be providers—may be using a false address and/or provider number. Individuals may be making claims under the provider number of someone who is now deceased. Providers may be billing for services not performed or billing for the same service multiple times. Providers may “upcode” (bill for a service more costly than the one actually provided) or bill for a covered service when a non-covered service was provided. Some examples of waste and abuse are ordering excessive or inappropriate tests, prescribing unnecessary medication or medication for use by someone other than the patient seen, or performing unnecessary services. While some of these practices may be the result of “defensive medicine,” most are not.

Other Abuses

States also have ways to abuse the system. States must use state funds to finance at least 40 percent of the nonfederal share of a state’s Medicaid expenditures. However, states have found ways to draw down more federal matching funds than they are intended to receive. While not fraud, states can provide supplemental payments to providers—which exceeded total DSH payments in 2011—and receive matching federal funds for such payments.[4] The state share for these supplemental payments may be financed by a tax on providers or by local governments, essentially allowing the states to draw down additional federal funds without putting up their own funds to finance the state share.[5] For example, in Pennsylvania, a state tax on Medicaid managed care plans was used to draw down an additional $1 billion over three years.[6]

Amount of Improper Payments

GAO has designated Medicaid a high-risk program since 2003 because of its rates of improper payments, which have totaled $161 billion since 2008.[7] (Of course, these figures are only based on the amounts of known improper payments; these totals are surely higher as it must be assumed that not every improper payment is detected.)

In 2014, 6.7 percent of all Medicaid payments were improper, causing Medicaid to be responsible for 14 percent ($17.5 billion) of all federal improper payments, second only to Medicare, which was responsible for 49 percent of federal improper payments. In 2015, Medicaid’s improper payment rate (IPR) increased by nearly half to 9.78 percent or $29 billion.[8]

According to CMS officials, a significant factor contributing to this increase is new requirements in the Affordable Care Act (ACA), including the program’s significant expansion.[9] Almost all improper payments in the Medicaid program occurred when a patient was treated through fee-for-service (IPR of 10.6 percent), as opposed to beneficiaries enrolled in Medicaid managed care programs (0.12 percent).[10] Given that enrollment in Medicaid managed care plans has reached more than 50 percent of beneficiaries, we should expect the IPR to decrease. However, while Managed Care Organizations (MCOs) may be required as part of their contract with the state to identify and report incidents of fraud and/or improper payments, federal regulations regarding provider enrollment do not apply to MCOs.[11]

Organizations Responsible for Detecting and Combating Medicaid Fraud

There are many organizations tasked with detecting and preventing fraud, prosecuting violators, and recovering improper payments once they have been identified.

State Medicaid Agencies

The federal government has a significant interest in combatting waste, fraud, and abuse in the Medicaid program because it provides more than half of the program’s financing (approximately 60 percent), but the states are largely responsible for carrying out Medicaid fraud prevention and detection activities because the states are the administrators of the program.

Medicaid is to be the “payer of last resort,” meaning that all other liable payers are required to pay before Medicaid, including Medicare. States may enforce this provision in order to prevent improper payments in two ways. First is “cost avoidance” whereby Medicaid rejects a claim until all other liable payers have covered their share. The second approach, used when other liable payers are unknown at the time the claim is received, is known as “pay and recover later.” If a Medicaid agency learns of a liable payer after the claim has been paid by the agency, the agency is to seek recovery of such funds within 60 days.[12] States must return the federal share of overpayment within 60 days of discovery of the improper payment, regardless of whether or not the state has recovered the funds, unless the funds are not recoverable because the provider has been determined bankrupt or out of business.[13]

The ACA included provisions aimed at assisting states in fraud prevention and detection efforts. A web-based portal was established for states to report and view information on providers who have been terminated or had billing privileges revoked; states are required to report such information but not to check the website when screening providers.[14] As a result, 12 percent of providers terminated by one state in 2011 were found to still be participating in another state in 2012.[15] However, the ACA did increase provider screening and enrollment/re-enrollment requirements, based on the provider’s categorical risk level in Medicare: “limited”, “moderate”, or “high.”[16] Screening requirements include license verifications, database checks, unscheduled medical site visits, fingerprinting, and background checks. States must suspend payments to individuals or entities where there is a credible allegation of fraud, and states are allowed to impose temporary moratoria to prevent waste, fraud, and abuse among new providers.

The Transformed Medicaid Statistical Information System (T-MSIS) initiative to modernize and enhance state Medicaid data was supposed to allow states to study and analyze patient encounter, claims, and enrollment data to, among other things, help identify and prevent waste, fraud, and abuse.[17] However, like previous efforts by CMS, the initiative has not been successful, largely due to the lack of complete and accurate information, a problem highlighted by the Health and Human Services (HHS) Office of Inspector General (OIG) in its most recent annual compendium of management challenges facing the agency.

As of March 2011, certain providers must be enrolled as participating providers, according to federal enrollment requirements (as opposed to previously when providers did not necessarily have to enroll and therefore could bill for services without having first been screened).[18] Providers must now be screened during the initial enrollment, and at least every 5 years; screenings should include a criminal background check, verification that such providers are not on exclusion or disbarment lists, and an evaluation of the provider’s ownership interests to check against any financial conflicts of interest. States are required to report any suspicious activity or information to law enforcement officials.[19] Moderate- and high-risk providers and suppliers are to be subjected to unscheduled and unannounced random site visits; high-risk providers and suppliers must also submit fingerprints for criminal background checks.[20]

In April 2012, states were given access to Provider Enrollment, Chain and Ownership System (PECOS) and allowed to use Medicare enrollment data to verify eligibility of Medicaid providers. However, the PECOS system is not widely used, and some state officials have blamed the system for not being user-friendly (it requires manual look-ups of individual providers). Further, while PECOS has ownership information that states are required to check, the information provided to them through PECOS in a read-only format does not include this data.[21] Modifications to the type and format of the information provided could make this data much more useful for states.

In October 2013, CMS began requiring states to use the Data Services Hub to verify applicant information. Beneficiary eligibility must be re-verified at least once every 12 months.[22]

States’ fraud recovery efforts are largely carried out through Medicaid Fraud Control Units (MFCUs). These units typically operate through the state Attorney General’s office, and are certified and overseen by the HHS OIG. These units investigate and prosecute provider fraud, as well as investigate and report patient abuse and neglect in health care facilities. States are reimbursed with federal funds for operating expenses based on the amount of time a state’s MFCU has been operational: in the first three years, the federal government will pay 90 percent of a state’s costs, and 75 percent thereafter.[23]

Technological advancements are providing new tools to combat waste, fraud, and abuse, though it wasn’t until May 2013 that states could receive federal matching funds for data mining efforts in Medicaid, and MFCUs must submit an application to do so to the OIG for approval. If certain criteria are satisfied, applications are approved for three years. Data mining and other large scale data analysis techniques, particularly when combined with machine learning, can be a very powerful tool for preventing and detecting fraud. Computer programs can be designed to detect anomalies in the data that indicate potential fraud. Models can be built using existing data to make predictions about future claims through pattern recognition, and can even adapt as treatment options and payment models change such that the new normal does not look like old fraud. A greater prevalence of the use of large scale data analysis and machine learning has the potential to drastically reduce the amount of improper payments.

Currently, only seven states have had an application for data mining approved,[24] but CMS is considering expanding the Fraud Prevention System, a predictive analytics technology currently used in Medicare, to the Medicaid program after seeing a return on investment of $5 for each $1 invested in the second year of its use.[25]

In FY2014, MFCUs had a 79 percent conviction rate, and recovered, on average, more than $1 million per MFCU employee.[26] Between FY2010 and FY2014, the 50 MFCUs across the country settled 4,573 civil cases, had 4,772 providers excluded from participation in federal health care programs, and recovered a total of $11.1 billion, as shown in the chart below.[27] Given government investment of slightly more than $1 billion over this five year period, this equates to a return of $10.13 for each dollar invested. Eighty-two percent of recovered funds were from civil settlements rather than criminal cases.

CMS Center for Program Integrity

In 2005, Congress ordered CMS to establish the Medicaid Integrity Program (MIP) and to develop every five years a strategy outlined in the Comprehensive Medicaid Integrity Plan (CMIP) which details how auditing contractors (RACs and Audit MICs) will be used and how CMS will effectively support state efforts to combat fraud and abuse.[28] CMS must report to Congress annually on their use and effectiveness of MIP funds. CMS contracts with independent Audit Medicaid Integrity Contractors (Audit MICs) and Recovery Audit Contractors (RACs) to audit providers and reconcile improper payments. [29]

The ACA also required CMS to notify states of methodologies available for use in Medicaid through the National Correct Coding Initiative (NCCI). The NCCI promotes a national standard for diagnostic, procedural, and billing coding in an effort to reduce improper coding which leads to improper payments. For example, the NCCI identifies for states codes that should not be used together and the maximum units of service that would typically be provided to a single beneficiary during a given appointment. The MIP further supports states by training state employees through the Medicaid Integrity Institute (MII), an interagency collaboration with the Department of Justice, and by developing guidance and tools for states to use. Every three years CMS reviews states’ compliance with federal requirements and highlights state models for adoption by other states. Additionally, CMS maintains a database of state assessments in order to evaluate state programs over time and offer technical assistance support. The Public Assistance Reporting Information System (PARIS) Medicaid Interstate Match program could assist states in reducing improper payments made on behalf of ineligible individuals by allowing states to identify beneficiaries enrolled in multiple state Medicaid programs, but few states use the match program and fully and accurately report information.[30]

Since 2008, CMS has been reporting improper payment rates for each state in three-year cycles through the Payment Error Rate Measurement (PERM) program. States are audited and a Corrective Action Plan (CAP) is developed to identify corrective actions that can be taken to eliminate identified errors. A CMS CAP Liaison provides states with technical guidance, monitors progress of that action, and is responsible for the collection of and response to the CAPs.

Government Accountability Office

The Government Accountability Office (GAO) also investigates federal agencies and programs, including Medicaid, and publishes reports on their findings and recommendations for improvement.

Recent Changes and Legislative Proposals

Since most of the reporting protocols are optional, and because reporting information consumes already-limited resources, many states choose not to report. States have had little incentive in the past to recover improper payments due to the fact that for each dollar recovered, states may only keep their share, which, on average, has only been 43 cents (and declining as the federal government covers a larger share of payments for the expansion population). However, recent changes should help overcome this disincentive. CMS’s announcement that they would permanently continue to pay for 90 percent of a state’s costs to modernize their eligibility and enrollment systems leaves the states with little excuse to not update their systems and ensure complete and accurate information is accessible.[31] Such updates should enable the creation of a complete and accurate national Medicaid database. Such a database is needed in order to effectively eliminate improper payments, and ultimately prevent them from being made in the first place, which should be the goal.

Legislation such as H.R. 3716, introduced by Rep. Larry Buschon (R-IN), would require all participating providers to enroll with the state and for states to report any terminated providers to CMS. CMS must then include these terminations along with Medicare provider terminations in a database, and states would be required to pay back the Federal portion of any Medicaid and CHIP payments made to an ineligible provider more than two months after that provider’s termination was included in the database. Such a repayment penalty should provide a strong incentive for states to check the database—an incentive that is currently lacking. This legislation passed the House on March 2, 2016, by a vote of 406-0.

Since preventing fraud and improper payments is more efficient and cost-effective than trying to recover payments already made, fraud prevention efforts should be enhanced. While it is important that more is not spent on fraud detection, prevention, and recovery than is being recovered, given a return on investment of more than $10 for each dollar invested in MFCUs, and the minimum 75 percent federal match rate for the operation of such units, states should certainly continue funding them.

H.R. 3444, introduced by Rep. Joe Pitts (R-PA), would allow U.S. territories to invest in their Medicaid Fraud Control Units without such funds counting against the cap imposed on the amount of federal Medicaid funds available to the territories; this policy has been included in the president’s budget in the past. Targeted reforms such as these offer a good starting point for reigning in the waste, fraud, and abuse of this expansive program, helping to place it on a sustainable path. However, it is important to remember that this will not be the magic bullet that solves all the program’s problems.


With federal Medicaid spending estimated to have increased more than 16 percent in 2015 alone, substantial, programmatic reforms combined with efforts to eliminate improper payments will be necessary to put this program on a sustainable path.[32] Eliminating all known improper payments made by the government in 2014 would have reduced the annual deficit by nearly 26 percent, and the problem must be tackled on a program-by-program basis. [33] Given that the Medicaid program consistently has the 2nd highest amount of waste, fraud, and abuse, more can and should be done to combat the occurrence of improper payments within the program. While eliminating such payments will not solve the program’s long-term budgetary problems alone, the problem is large enough that successfully addressing it would generate substantial savings. With the latest outlook from CBO projecting a federal budget deficit of $544 billion in FY2016—driven primarily by growth in mandatory health care spending, eliminating all of the waste, fraud, and abuse in just Medicaid (assuming a continued improper payment rate of the current 9.8 percent) would reduce the deficit by approximately 11.4 percent.[34]


[16] States are required to use standards similar to those used by Medicare for providers not enrolled in Medicare and thus not having a Medicare-assigned risk level.

Download PDF