The Government Accountability Office issues recommendations on fraud prevention

25. January 2018 Kevin Hutchinson Health

On December 5, 2017, the Government Accountability Office (GAO) issued a report on Centers for Medicare and Medicaid Services (CMS) fraud prevention efforts, recommending that CMS more closely align its approach with the Fraud Risk Framework put forth by the GAO in 2015.

Medicaid and Medicare fraud and abuse prevention has been increasingly in the spotlight as the federal government attempts to curb an increasing trend.  In federal fiscal year 2016, improper payment estimates for these programs totaled about $95 billion. The GAO recommendations are likely to impact both CMS’s approach to fraud and abuse prevention as well as its expectations of states.

The GAO report credits CMS with anti-fraud efforts of the Center for Program Integrity (established in 2010) and CMS anti-fraud stakeholder training for providers, beneficiaries, and health insurance plans.  However, the GAO points out that CMS has not conducted a fraud risk assessment for Medicare or Medicaid, nor has it designed or implemented a risk-based anti-fraud strategy. These approaches are crucial to the GAO’s Fraud Risk Framework, which draws on the proven lifecycle model—used in project management and other best practice approaches—of plan, execute, evaluate, repeat.  The GAO Fraud Risk Framework incorporates four key steps:


  1. Commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management.

  2. Assess risks to determine a fraud risk profile via regular fraud risk assessments.

  3. Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.

  4. Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management.


Implementing the GAO Fraud Risk Framework

GAO makes three general recommendations for how CMS can employ this Fraud Risk Framework.  

  1. Increase new hire and employee training for fraud identification and prevention.   CMS has increased fraud prevention training to employees, including through the Center for Program Integrity.  However, to truly pursue a culture of fraud prevention, the Fraud Risk Framework recommends all employees be trained as new hires and on an ongoing basis.  

  2. Conduct fraud risk assessments and generate risk profiles.  The Fraud Risk Framework provides a structure by which to conduct risk assessments through:

    - Identifying inherent risks;
    - Assessing the likelihood and impact of risks;
    - Determining the appropriate level of risk tolerance;
    - Examining the suitability of existing controls; and
    - Documenting the fraud risk profile by analyzing and comparing all risks collectively in light of current resources available for prevention and mitigation.

  3. Develop an anti-fraud strategy.  Ultimately, GAO identified that CMS has not designed or implemented an anti-fraud strategy using the Risk Management Framework for Medicaid and Medicare.  GAO recommends that CMS develop such a Risk-Based Anti-Fraud Strategy.  The strategy should identify existing fraud control activities as well as new and emerging activities.  It should include plans for monitoring and evaluation, and all components should include assignments and timelines.

The Department of Health and Human Services generally agreed with GAO’s findings and recommendations. As such, it is expected that CMS will take a more methodical approach to risk assessment, mitigation, and management.

What does this mean for states?

Importantly for states, it is likely that CMS will come to demand that states invest a higher degree of prescriptiveness and rigor in their approach to preventing fraud, waste, and abuse.   For Medicaid programs that are tight on staff and resources—state agencies and plans alike—it is often challenging enough to play catch-up or keep up with the fraud complaints coming in.  A more efficient and proactive approach will position these Medicaid organizations to be more strategic and obtain better outcomes.   Furthermore, employees of state Medicaid agencies and plans alike will be expected to receive regular training aimed at the prevention of fraud and abuse.

If you would like more information on developing Medicaid anti-fraud strategies or anti-fraud training, PCG can provide insights and advice on what to consider in ensuring a comprehensive and CMS-compliant approach.  PCG provides consulting and outsourced operations to Medicaid agencies and plans around risk management, fraud prevention, and program integrity, inclusive of provider screening, training, payment reviews, and investigations.

To discuss how PCG can help your organization’s fraud prevention strategy, contact Kevin Hutchinson at 919-576-2210 or