State Medicaid Fraud Control Units; Data Mining, 14637-14641 [2011-6012]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of Inspector General

[Federal Register Volume 76, Number 52 (Thursday, March 17, 2011)]
[Proposed Rules]
[Pages 14637-14641]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-6012]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Part 1007

[OIG-1203-P]


State Medicaid Fraud Control Units; Data Mining

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule amends a provision in HHS regulations that 
prohibits State Medicaid Fraud Control Units (MFCU) from using Federal 
matching funds to identify fraud through screening and analyzing State 
Medicaid claims data, known as data mining. To support and modernize 
MFCU efforts to effectively pursue Medicaid provider fraud, we propose 
to permit Federal Financial Participation (FFP) in the costs of defined 
data mining activities under specified conditions. In addition, we 
propose that MFCUs annually report the costs and results of approved 
data mining activities to OIG.

DATES: To ensure consideration, public comments must be delivered to 
the address provided below no later than 5 p.m. on May 16, 2011.

ADDRESSES: In commenting, please refer to file code OIG-1203-P. Because 
of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of three ways (please choose only 
one of the ways listed):
    1. Electronically. You may submit electronic comments on specific 
recommendations and proposals through the Federal eRulemaking Portal at 
https://www.regulations.gov. (Attachments should be in Microsoft Word, 
if possible.)
    2. By regular, express, or overnight mail. You may send written 
comments to the following address: Office of Inspector General, 
Department of Health and Human Services, Attention: OIG-1203-P, Room 
5541, Cohen Building, 330 Independence Avenue, SW., Washington, DC 
20201. Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By hand or courier. If you prefer, you may deliver, by hand or 
courier, your written comments before the close of the comment period 
to Office of Inspector General, Department of Health and Human 
Services, Cohen Building,

[[Page 14638]]

330 Independence Avenue, SW., Washington, DC 20201. Because access to 
the interior of the Cohen Building is not readily available to persons 
without Federal Government identification, commenters are encouraged to 
schedule their delivery with one of our staff members at (202) 619-
1343.
    For information on viewing public comments, please see the 
SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Richard Stern, Department of Health & 
Human Services, Office of Inspector General, (202) 619-0480.

SUPPLEMENTARY INFORMATION:
    Inspection of Public Comments: All comments received before the end 
of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. All comments will be posted 
on https://www.regulations.gov as soon as possible after they have been 
received. Comments received timely will also be available for public 
inspection as they are received, generally beginning approximately 3 
weeks after publication of a document, at Office of Inspector General, 
Department of Health and Human Services, Cohen Building, 330 
Independence Avenue, SW., Washington, DC 20201, Monday through Friday 
of each week from 10 a.m. to 5 p.m. To schedule an appointment to view 
public comments, phone (202) 619-1368.

I. Background

    In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments 
(Pub. L. 95-142) were enacted to strengthen the capability of the 
Government to detect, prosecute, and punish fraudulent activities under 
the Medicare and Medicaid programs. Section 17(a) of the statute 
amended section 1903(a) of the Social Security Act (the Act) to provide 
for Federal participation in the costs attributable to establishing and 
operating an MFCU. The requirements for operating an MFCU appear at 
section 1903(q) of the Act. Regulations implementing the MFCU authority 
appear at 42 CFR part 1007 and were promulgated in 1978.
    Section 1903(a)(6) of the Act requires the Secretary of Health and 
Human Services (the Secretary) to pay FFP to a State for MFCU costs 
``found necessary by the Secretary for the elimination of fraud in the 
provision and administration of medical assistance provided under the 
State plan.'' Under the section, States receive 90 percent FFP for an 
initial 3 year period for the costs of establishing and operating a 
MFCU, including the costs of training, and 75 percent FFP thereafter. 
Presently, all States with MFCUs receive FFP at a 75 percent rate. 
General administrative costs of operating a State Medicaid program are 
reimbursed at a rate of 50 percent, although enhanced FFP rates are 
available for other activities, including those associated with 
Medicaid management information systems (MMIS).
    To increase MFCU effectiveness in eliminating Medicaid fraud, we 
propose to modify an existing prohibition on the payment of FFP for 
activities generally known as ``data mining.'' We discuss the reasons 
for this proposed modification below.
    For the purposes of this proposed rule, we are using the term 
``data mining'' to refer specifically to the practice of electronically 
sorting Medicaid claims through statistical models and intelligent 
technologies to uncover patterns and relationships contained within the 
Medicaid claims activity and history to identify aberrant utilization 
and billing practices that are potentially fraudulent.
    Routine program monitoring activities, including data mining, are 
conducted through analysis of Medicaid data and have historically been 
the responsibility of each State Medicaid agency. This practice places 
the sole burden of identifying potentially fraudulent practices based 
on this type of analysis on the State Medicaid agencies and requires 
the MFCUs to remain highly dependent on referrals from State Medicaid 
agencies and other external sources.
    While MFCUs may have access to Medicaid data, which currently may 
be used for the purposes of individual case development, they do not 
have the authority to claim FFP to conduct data mining to identify 
potential Medicaid fraud and, therefore, are limited to relying on 
referrals from State Medicaid agencies based on the State agencies' 
analysis methods, tools, and techniques. Many MFCUs work actively with 
a variety of State agencies and private referral sources, such as 
individual providers and private citizens, to identify possible fraud 
or cases of patient abuse and neglect and to undertake detection 
activities.
    We believe that amending the existing regulation to permit FFP in 
data mining activities will be an efficient use of available resources. 
At the Federal level, analysis of claims data has increased OIG's 
effectiveness in deploying law enforcement resources and proactively 
identifying suspected fraud. Using data analysis, Medicare Fraud Strike 
Forces operated by HHS and the U.S. Department of Justice have 
identified seven ``hot spots'' based on high indicators of fraud 
against the Medicare program. The Strike Forces analyze Medicare data 
to identify unexplained high-billing levels in concentrated areas so 
that interagency teams can target emerging or migrating schemes along 
with chronic fraud. By using data mining and other law enforcement 
tools to efficiently focus Federal law enforcement activities, Medicare 
Fraud Strike Force efforts have resulted in hundreds of criminal 
charges, convictions and more than $355 million in court-ordered 
restitutions, fines and penalties for fraud against the Medicare 
program since 2007. We could not attribute these results directly to 
use of data mining and data analysis techniques alone. Moreover, we 
would not expect individual State MFCUs to produce results comparable 
to the combined efforts of HHS and DOJ in a high priority national 
Medicare investigative and prosecutorial effort. However, we anticipate 
that data mining by MFCUs at the State level could enhance the MFCU's 
ability to counter new and existing fraud schemes by more effectively 
identifying early fraud indicators. In addition, data mining would 
equip MFCUs with more modern tools that have been shown at the Federal 
level to help increase the numbers of credible investigative leads, 
pursue recoveries, and detect emerging fraud and abuse schemes and 
trends.
    The 1978 publication of the final rule now codified in 42 CFR part 
1007 addressed in some detail the relationship between the MFCUs and 
the State Medicaid agency. In response to a comment that MFCUs should 
be responsible for the ``investigation of non-fraudulent program 
abuse,'' the preamble to the final rule noted that functions such as 
``claims processing, utilization control and other reviews or 
analysis'' are already subject to incentive funding as part of the 
mechanized claims processing systems operated by the State Medicaid 
agency (43 FR 32078, 32080-32081 (July 24, 1978)). The preamble stated 
that ``there is no indication that Congress intended an overlap of 
funding for such matters'' (43 FR 32081). Data mining is one such 
function that may be conducted as part of the State Medicaid agency's 
mechanized claims processing system and is subject to Federal 
reimbursement received by State Medicaid agencies.
    Since issuance of the 1978 rule, tools and methods for identifying 
aberrant patterns in claims data have advanced significantly and become 
more widely available. At the same time, health care

[[Page 14639]]

fraud schemes have become more sophisticated. Use of data mining 
technology is a strategy that is routinely used by law enforcement 
agencies to identify billing patterns and provider linkages that may 
have been previously undetected with traditional methods of claims 
review. We believe that allowing MFCUs the ability to receive funding 
for use of sophisticated data mining technology would allow them to 
marshal their resources more effectively and take full advantage of 
their expertise in detecting and investigating Medicaid fraud. It would 
also allow the MFCUs to operate without relying solely on individual 
case referrals from a Medicaid program integrity unit or from other 
sources.
    ``Review contractors'' selected by the CMS Medicaid Integrity Group 
also may perform data mining as part of their activities. Therefore, 
MFCUs that receive approval to conduct data mining as part of their 
respective memorandums of understanding would need to coordinate their 
activities both with State Medicaid agencies and the review 
contractors. All review contractors already operate under a ``Joint 
Operating Agreement'' with each of the States in which they are 
operating. Review contractors are also required to share with MFCUs, as 
well as with other interested law enforcement or oversight agencies, 
the algorithms they are using and the identity of any targets that are 
identified as a result of their data mining activities.
    A 2007 OIG study identified variability among States in the level 
of cooperation in identifying cases of potential fraud and in the 
number and quality of referrals from State Medicaid agencies to MFCUs 
(Suspected Medicaid Fraud Referrals, OEI-07-04-00181, January 2007). 
Based on the variability found in this study, we believe that allowing 
MFCUs to claim FFP to conduct data mining, performed in cooperation 
with the State Medicaid agencies, would reduce such variability and 
increase the level of referrals in some States.
    We believe that three elements are critical to ensuring the 
effective use of data mining by MFCUs. First, we believe that MFCUs and 
State Medicaid agencies must fully coordinate the MFCUs' use of data 
mining and the identification of possible provider fraud. For example, 
MFCUs should not pursue fraud investigations without determining 
whether the State Medicaid agency is considering an overpayment or 
other administrative action for the same provider. Second, programmatic 
changes (for example, changes in billing codes) may result in certain 
data appearing aberrant when in fact they are not. In such situations, 
MFCU staff conducting data mining would need to rely on the 
programmatic knowledge of State Medicaid agency staff to appropriately 
identify possible instances of fraud. Third, we believe that MFCU staff 
would need to be properly trained in data mining techniques.
    For these reasons, we are proposing to include additional language 
in 42 CFR section 1007.20 that establishes the following conditions 
under which an MFCU may claim FFP in costs of data mining: (1) The MFCU 
describes the duration of the data mining activity and the amount of 
staff time to be expended; (2) the MFCU identifies the methods of 
cooperation between the MFCU and Medicaid agency, and between the MFCU 
and review contractors selected by the CMS Medicaid Integrity Group; 
and (3) MFCU employees engaged in data mining receive specialized 
training in data mining techniques. We are also proposing that the 
agreement between the MFCU and Medicaid agency, required under section 
1007.9(d) of the regulations, describe how the MFCU will satisfy these 
conditions and that OIG, as the oversight agency for the MFCUs, must 
approve this part of the agreement. OIG would review and approve 
proposed agreements in consultation with CMS. FFP will only be 
available to those States that satisfy the conditions at section 
1007.20 and receive approval from OIG.
    Including the terms of an MFCU's data mining in the existing 
agreement with the Medicaid agency would be logical and efficient. Data 
mining has been the traditional province of State Medicaid agencies and 
depends upon access to data maintained by the Medicaid agencies. Thus, 
data mining requires unique coordination of the resources and expertise 
of both an MFCU and a State Medicaid agency to avoid duplication and to 
leverage each agency's resources. We do not intend that this 
coordination, as part of the agreement between the agencies, interfere 
with an MFCU's independence or its separate and distinct identity. As 
before, a Medicaid agency may not provide ongoing scrutiny or review of 
an MFCU's data mining activities and under no circumstances would a 
State Medicaid agency be able to prevent or prohibit an MFCU from 
initiating, carrying out or completing an investigation or prosecution 
that may result from data mining.
    We are also proposing to add a provision that requires those MFCUs 
approved to claim FFP and engage in data mining to include the 
following information in their annual report: Costs associated with 
expenditures attributed to data mining activities; the number of cases 
generated from those data mining activities; the outcome and status of 
those cases; and monetary recoveries resulting from those activities. 
This information will be used by OIG in conducting its oversight and 
monitoring of the MFCUs.

II. Provisions of the Proposed Regulation

    Federal regulations at 42 CFR 1007.19(e)(2) specify that State 
MFCUs are prohibited from using Federal matching funds to conduct 
``efforts to identify situations in which a question of fraud may 
exist, including the screening of claims, analysis of patterns of 
practice, or routine verification with recipients of whether services 
billed by providers were actually received.'' The prohibition on 
Federal matching for ``screening of claims [and] analysis of patterns 
of practice'' is commonly interpreted as a prohibition on Federal 
matching for the costs of data mining by MFCUs. We propose to amend 
section 1007.19(e) to provide for an exception to this general 
prohibition on FFP under conditions described in new section 1007.20.
    We propose to add a new section 1007.20 that would describe the 
conditions under which the Federal share of data mining costs would be 
available to MFCUs. We would also amend section 1007.1 (Definitions) by 
adding a definition of data mining for the purposes of this rule. 
Finally, the proposed rule would amend 42 CFR section 1007.17 (Annual 
Report) to include additional reporting requirements by MFCUs to 
capture costs associated with expenditures attributed to data mining 
activities; the number of cases generated from those data mining 
activities; the outcome and status of those cases; and monetary 
recoveries resulting from those activities.

III. Regulatory Impact Statement

A. Regulatory Analysis

    We have examined the impacts of this proposed rule as required by 
Executive Order 12866, the Unfunded Mandates Reform Act of 1995, and 
the Regulatory Flexibility Act of 1980 (RFA) (Pub. L. 96-354).
Executive Order 12866
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, when regulation is 
necessary, to select regulatory approaches that maximize

[[Page 14640]]

net benefits (including potential economic, environmental, public 
health, and safety effects; distributive impacts; and equity). A 
regulatory impact analysis must be prepared for major rules with 
economically significant effects ($100 million or more in any given 
year). Since this proposed regulation will not have a significant 
effect on program expenditures and as there are no additional 
substantive costs to implement the resulting provision, we do not 
consider this to be a major rule.
    The proposed rule would allow MFCUs to obtain Federal matching 
funds to conduct data mining in efforts to detect potential fraudulent 
activity. We believe that the aggregate economic impact of this rule 
will be minimal and will have no significant effect on the economy or 
on Federal or State expenditures. However, since MFCUs have until this 
year not conducted data mining, we have only limited information about 
costs and benefits at the State level. One State MFCU, Florida, 
received approval from the Secretary of Health and Human Services to 
conduct data mining as a demonstration project under section 1115 of 
the Social Security Act that commenced on August 1, 2010.
    Any economic impact from reimbursing State MFCU data mining 
activities will likely result in savings of both State and Federal 
dollars. For the MFCU community as a whole, the return on investment 
from MFCU activities (calculated from the ratio of total reported 
dollar value of civil and criminal recoveries to the total dollar value 
of Federal and State expenditures for all MFCUs) exceeded 6.0 for the 
last 3 available years, Federal Fiscal Years (FYs) 2007, 2008, and 
2009. This ratio does not reflect the considerable output of the MFCUs 
related to their criminal prosecutions that do not result in monetary 
recoveries, including more than 1,200 criminal convictions for each of 
FYs 2007, 2008, and 2009.
    We anticipate that the return on investment from data mining 
activities by the MFCUs will enhance the ability of MFCUs to 
effectively target and deploy existing enforcement resources, which is 
expected to result in increased numbers of enforcement actions and 
recoveries. To the extent that there is any economic impact, that 
impact will likely result in savings of Federal and State dollars.
Unfunded Mandates Reform Act
    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 
U.S.C. 1531-1538) establishes requirements for Federal agencies to 
assess the effects of their regulatory actions on State, local, and 
tribal governments and the private sector. Under UMRA, before issuing 
any rule that may result in costs greater than $110 million to State, 
local, or tribal governments, in the aggregate, or to the private 
sector, agencies must assess the rule's anticipated costs and benefits. 
This proposed rule does not impose any Federal mandates on any State, 
local, or tribal government or the private sector within the meaning of 
UMRA, and thus, a full analysis under UMRA is not necessary.
Regulatory Flexibility Act
    The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) 
generally requires an agency to conduct a regulatory flexibility 
analysis of any rule subject to notice and comment rulemaking 
requirements unless the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities. 
For the purposes of RFA, small entities include small businesses, 
certain nonprofit organizations, and small government jurisdictions. 
Individuals and States are not included in this definition of a small 
entity. This proposed rule would revise regulations that prohibit State 
MFCUs from using Federal matching funds to conduct ``efforts to 
identify situations in which a question of fraud may exist, including 
the screening of claims, analysis of patterns of practice, or routine 
verification with recipients of whether services billed by a provider 
were actually received.'' These revisions impose no significant 
economic impact on a substantial number of small entities. Therefore, 
the undersigned certifies that this rule will not have a significant 
impact on a substantial number of small entities.
Executive Order 13132
    Executive Order 13132 (entitled ``Federalism'') prohibits, to the 
extent practicable and permitted by law, an agency from promulgating a 
regulation that has federalism implications and either imposes 
substantial direct compliance costs on State and local governments and 
is not required by statute, or preempts State law, unless the relevant 
requirements of section 6 of the Executive Order are met. This rule 
does not have federalism implications and does not impose substantial 
direct compliance costs on State and local governments or preempt State 
law within the meaning of the Executive Order.

B. Paperwork Reduction Act

    Under the Paperwork Reduction Act (PRA) of 1995, before a 
collection-of-information requirement is submitted to Office of 
Management and Budget (OMB) for review and approval, we are required to 
provide a 60-day notice in the Federal Register and solicit public 
comment. We propose to require that MFCUs report annually on the costs 
of data mining and the outcomes of cases identified, including monetary 
recoveries. In order to evaluate fairly whether this information 
collection should be approved by OMB, section 3506(c)(2)(A) of the PRA 
requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency;
     The accuracy of our estimate of the information collection 
burden;
     The quality, utility, and clarity of the information to be 
collected; and
     Recommendations to minimize the information collection 
burden on the affected public, including automated collection 
techniques.
    Under the PRA, the time, effort, and financial resources necessary 
to meet the information collection requirements referenced in this 
section are to be considered. We explicitly seek, and will consider, 
public comment on our assumptions as they relate to the PRA 
requirements summarized in this section. Comments on these information 
collection activities should be sent to the following address within 60 
days following the Federal Register publication of this proposed rule: 
OIG Desk Officer, Office of Management and Budget, Room 10235, New 
Executive Office Building, 725 17th Street, NW., Washington, DC 20053.

IV. Public Inspection of Comments and Response to Comments

    Comments will be available for public inspection beginning May 16, 
2011, in Room 5541, Office of External Affairs, Office of Inspector 
General, at 330 Independence Avenue, SW., Washington, DC 20201, from 
Monday through Friday of each week (Federal holidays excepted) between 
the hours of 10 a.m. and 5 p.m., (202) 619-1368.
    Because of the large number of items of correspondence we normally 
receive on Federal Register documents published for comment, we are not 
able to acknowledge or respond to them individually. We will consider 
all comments we receive by the date and time specified in the DATES 
section of this preamble, and will respond to the comments in the 
preamble of the final rule.

[[Page 14641]]

List of Subjects in 42 CFR Part 1007

    Administrative practice and procedure, Fraud, Grant programs--
health, Medicaid, Reporting and recordkeeping requirements.

    Accordingly, 42 CFR part 1007 is proposed to be amended as set 
forth below:

PART 1007--[AMENDED]

    1. Revise the authority citation to part 1007 to read as follows:

    Authority:  42 U.S.C. 1396b(a)(6), 1396b(b)(3), 1396b(q), and 
1302.

    2. In Sec.  1007.1, add in alphabetical order the definition for 
``data mining'' to read as follows:


Sec.  1007.1  Definitions.

* * * * *
    Data mining is defined as the practice of electronically sorting 
Medicaid claims through statistical models and intelligent technologies 
to uncover patterns and relationships contained within the Medicaid 
claims activity and history to identify aberrant utilization and 
billing practices that are potentially fraudulent.
* * * * *
    3. In Sec.  1007.17, add paragraph (i) to read as follows:


Sec.  1007.17  Annual report.

* * * * *
    (i) All costs expended that year attributed to data mining 
activities under Sec.  1007.20; the number of cases generated from 
those data mining activities; the outcome and status of those cases, 
including the expected and actual monetary recoveries (both Federal and 
non-Federal share); and any other relevant indicia of return on 
investment from such activities.
* * * * *
    4. In Sec.  1007.19, revise paragraph (e)(2) to read as follows:


Sec.  1007.19  Federal financial participation (FFP).

* * * * *
    (e) * * *
    (2) Routine verification with recipients of whether services billed 
by providers were actually received, or, except as provided in section 
1007.20, efforts to identify situations in which a question of fraud 
may exist, including the screening of claims and analysis of patterns 
of practice that involve data mining as defined in section 1007.1;
* * * * *
    5. Add Sec.  1007.20 to read as follows:


Sec.  1007.20  Conditions under which data mining is permissible and 
approval by HHS Office of Inspector General.

    (a) Notwithstanding Sec.  1007.19(e)(2), a unit may engage in data 
mining and receive Federal Financial Participation only under the three 
following conditions:
    (1) The activity has a defined duration and staff time devoted to 
the activity is described;
    (2) The MFCU identifies the methods of cooperation between the MFCU 
and State Medicaid agency as well as a primary point of contact for 
data mining at the two agencies; and
    (3) MFCU employees engaged in data mining receive specialized 
training in data mining techniques.
    (b) The MFCU shall describe how it will comply with each of the 
conditions described in paragraph (a) of this section as part of the 
agreement required by Sec.  1007.9(d).
    (c) The Office of Inspector General, Department of Health and Human 
Services, in consultation with the Centers for Medicare & Medicaid 
Services, approves in advance the provisions of the agreement as 
defined in paragraph (b) of this section.

    Dated: May 14, 2010.
Daniel R. Levinson,
Inspector General.
    Dated: October 15, 2010.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.

    Editorial Note: This document was received in the Office of the 
Federal Register on March 10, 2011.
[FR Doc. 2011-6012 Filed 3-16-11; 8:45 am]
BILLING CODE 4152-01-P