State Medicaid Fraud Control Units; Data Mining, 29055-29061 [2013-11735]

Federal Register / Vol. 78, No. 96 / Friday, May 17, 2013 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Part 1007

[OIG–1203–F]

State Medicaid Fraud Control Units; Data Mining

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

SUMMARY: This final rule amends a provision in HHS regulations prohibiting State Medicaid Fraud Control Units (MFCU) from using Federal matching funds to identify fraud through screening and analyzing State Medicaid data, known as data mining. To support and modernize MFCU efforts to effectively pursue Medicaid provider fraud, we finalize proposals to permit Federal financial participation (FFP) in costs of defined data mining activities under specified circumstances. In addition, we finalize requirements that MFCUs annually report costs and results of approved data mining activities to OIG.

DATES: These regulations are effective on June 17, 2013.

FOR FURTHER INFORMATION CONTACT: Richard Stern, Department of Health and Human Services, Office of Inspector General, (202) 619–0480.

SUPPLEMENTARY INFORMATION:

I. Background and Statutory Authority

In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments (Pub. L. 95–142) were enacted to strengthen the capability of the Government to detect, prosecute, and punish fraudulent activities under the Medicare and Medicaid programs. Section 17(a) of the statute amended section 1903(a) of the Social Security Act (the Act) to provide for Federal participation in the costs attributable to establishing and operating a MFCU. The requirements for operating a MFCU appear at section 1903(q) of the Act. Promulgated in 1978, regulations implementing the MFCU authority appear at 42 CFR part 1007.
Section 1903(a)(6) of the Act requires the Secretary of Health and Human Services (the Secretary) to pay FFP to a State for MFCU costs “attributable to the establishment and operation of a MFCU” and “found necessary by the Secretary for the elimination of fraud in the provision and administration of medical assistance provided under the State plan.” Under the section, States receive 90 percent FFP for an initial 3-year period for the costs of establishing and operating a MFCU, including the costs of training, and 75 percent FFP thereafter. Currently, all States with MFCUs receive FFP at a 75-percent rate.

In accordance with section 1903(q) of the Act, MFCUs must be separate and distinct from the State’s Medicaid agency. For a State Medicaid agency, general administrative costs of operating a State Medicaid program are reimbursed at a rate of 50 percent, although enhanced FFP rates are available for certain activities specified by statute, including those associated with Medicaid management information systems (MMIS).

To increase MFCU effectiveness in eliminating Medicaid fraud, this final rule modifies an existing regulatory prohibition on the payment of FFP for activities generally known as data mining. We discuss the reasons for this modification below.

II. Provisions of the Proposed Regulation

We published a proposed rule in the Federal Register on March 17, 2011 (76 FR 14637), that would permit use of Federal matching funds by MFCUs, under specified conditions, for identification of potential Medicaid fraud through data mining activities.
Current Federal regulations at 42 CFR 1007.19 specify that State MFCUs are prohibited from using Federal matching funds to conduct “efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with beneficiaries of whether services billed by providers were actually received.” The prohibition on Federal matching for “screening of claims [and] analysis of patterns of practice” is commonly interpreted as a prohibition on Federal matching for the costs of data mining by MFCUs.

We proposed to amend § 1007.19(e) to provide for an exception to this general prohibition on FFP. We proposed to add a new § 1007.20, that would describe the conditions under which the Federal share of data mining costs would be available to MFCUs. We also proposed to amend § 1007.1 (“Definitions”) by adding a definition of data mining for the purposes of this rule. Finally, we proposed to amend § 1007.17 (“Annual Report”) to include additional reporting requirements by MFCUs to capture costs associated with data mining activities, the outcome and status of those cases, and monetary recoveries resulting from those activities.

For the purposes of the proposed rule, we used the term “data mining” to refer specifically to the practice of electronically sorting Medicaid claims through statistical models and intelligent technologies to uncover patterns and relationships in Medicaid claims activity and history to identify aberrant utilization and billing practices that are potentially fraudulent.

Data mining has historically been the responsibility of each State Medicaid agency, which analyzes Medicaid data as part of its routine program-monitoring activities.
This practice of relying on the State Medicaid agency has placed the sole burden of identifying potentially fraudulent practices using data mining on the State Medicaid agencies and has required the MFCUs to remain highly dependent on referrals from State Medicaid agencies and other external sources. For many years, we understand that many MFCUs have had online access to Medicaid claims information for purposes of individual case development, but have been prohibited by regulation from receiving FFP for using claims data for identifying other potential cases.

Since the 1978 rule was promulgated, highly advanced tools and methods have become available that allow law enforcement and other oversight entities to analyze claims information and other data. This includes the detection of aberrant billing patterns and the development of predictive models. These tools and methods have been extremely effective in identifying potential fraud cases, and they are routinely used by other law enforcement agencies. We believe that allowing MFCUs to receive funding for data mining will enable them to marshal their resources more effectively and take full advantage of their expertise in detecting and investigating Medicaid fraud vulnerabilities.

At the same time, we recognized in the proposed rule that three elements are critical to ensuring the effective use of data mining by MFCUs.

First, MFCUs and State Medicaid agencies must fully coordinate the MFCUs’ use of data mining and the identification of possible provider fraud. For example, MFCUs should consult with the State Medicaid agencies in considering data mining priorities that may also be subject to program integrity and audit reviews.
Similarly, State Medicaid agencies and MFCUs should coordinate data mining projects with activities of other organizations, such as “review contractors” that are selected by the Centers for Medicare & Medicaid Services (CMS) and are responsible for identifying providers subject to audits or program administrative actions.

Second, while MFCUs are experienced in pursuing Medicaid fraud, it is the State Medicaid agencies that set the policies governing the appropriate activities of Medicaid providers. The MFCUs may be unaware of recent changes in reimbursement policy, making data appear aberrant when they are not. To avoid wasting resources and pursuing data mining projects without adequate basis, the MFCUs must coordinate their efforts closely with the State Medicaid agency, confirming that the results obtained from data mining are interpreted correctly, consistent with current policy and practice.

Third, MFCU staff should be properly trained in data mining techniques. Although tools and methods for data mining may be widely available, appropriate training is necessary.

For these reasons, we proposed in new 42 CFR 1007.20 that as a condition for claiming FFP in costs of data mining, a MFCU must identify methods for addressing these three critical elements in its agreements with the State Medicaid agency: Coordination with the State Medicaid agency, programmatic knowledge, and training. We further proposed that OIG must provide specific approval of that agreement to a MFCU that wants to engage in data mining. OIG will consult with CMS in approving data mining requests, given the CMS role in overseeing the activities of State Medicaid agencies and the critical importance of MFCU coordination with those agencies.
We also proposed to require that MFCUs approved to receive FFP for data mining include the following information in their annual reports to OIG: Costs associated with data mining activities, the number of cases generated from data mining activities, the outcome and status of those cases, and monetary recoveries resulting from those activities. This information will be used by OIG in overseeing and monitoring of MFCUs.

III. Analysis of and Responses to Public Comments

We received 13 sets of timely comments on the March 17, 2011, proposed rule (76 FR 14637) from a national anti-fraud association, groups of health care providers and beneficiaries, State Attorneys General, individual MFCUs, a State Medicaid agency, a managed care entity, and information technology health services companies. Most commenters supported our proposal to provide Federal reimbursement for data mining activities by MFCUs, citing potential cost savings through earlier identification of Medicaid fraud, the benefit of conserving administrative resources by better targeting of antifraud investigations, and the potential for increased effectiveness in finding and eliminating fraud and abuse. Commenters supported the addition of data mining as an optional tool for MFCUs that wish to employ it, but not as a requirement for all MFCUs. Supporting commenters also noted that the results of data mining activities should not be viewed as proof of provider fraud or abuse, but as information that assists state officials in targeting anti-fraud monitoring and investigations.

We reviewed each set of comments and grouped them into related categories based on subject matter. Below we set forth summaries of the public comments received, our responses to those comments, and changes we are making in this final rule as a result of the comments received.

A. Modifications to the Data Mining Prohibition

Comment: One commenter recommended that OIG eliminate the prohibition on paying FFP for data mining that is in 42 CFR 1007.19(e)(2), rather than establishing an approval mechanism for data mining as we have proposed in a new § 1007.20. The commenter noted the technological advances that have occurred since the rule was originally published in 1978 and that data mining is viewed by the MFCUs as a “supplemental investigative tool.” The commenter stated its belief that the existing oversight authority in the regulation would provide adequate monitoring of data mining activities.

Response: We do not believe that a wholesale elimination of the prohibition on data mining is appropriate. To be effective, data mining requires unique coordination of the resources and expertise of both the MFCU and the State Medicaid agency, as well as properly trained staff. In the absence of an approval process, we believe that a MFCU might undertake a data mining program without trained staff, might duplicate data mining activities of the Medicaid agency, or might pursue projects that rely upon a misunderstanding of program rules or policy.

However, to reflect technological advances in the use of data, we are modifying the proposed definition of data mining to emphasize the wider range of the possible uses of data, including the use of “statistical models and intelligent technologies” as well as other means of electronically sorting Medicaid data that are conducted for the purpose of detecting circumstances that might involve fraud. We are therefore adding the phrase “including but not limited to the use of” before “statistical models and intelligent technologies” in the definition that appears in section 1007.1 to emphasize the range of methods in which data could be used to identify potential fraud cases.

B. Use of Data Mining in the Course of an Investigation

Comment: One commenter suggested that we add the word “randomized” before the word “practice” in defining data mining and that we add a sentence to clarify that the definition is not intended to prohibit the MFCUs from conducting other types of Medicaid data analysis in the normal course of their investigations.

Response: We agree that the intent of the regulation is not to limit other types of Medicaid data analysis being conducted in the normal course of an investigation. Units may analyze relevant Medicaid data as part of the evidence-gathering process while investigating a particular possible fraud. In some instances, this data analysis conducted as part of a particular investigation might allow the Unit to identify other potential targets, which would result in opening new fraud cases. Such data analysis is an accepted part of a MFCU’s investigative function and does not implicate the prohibition contained in section 1007.19(e)(2) on paying FFP for “expenditures attributable to . . . [e]fforts to identify situations in which a question of fraud may exist, including the screening of claims [or] analysis of patterns of practice. . . .” Further, analysis of Medicaid data to support an investigation of a particular provider is not subject to the data mining approval process under new § 1007.20. However, we do not believe the text of the regulation itself needs to state this.

We are also concerned that adding the word “randomized” may limit the statistical techniques employed by a MFCU when conducting data mining. Therefore, we are not adding the word “randomized” as part of our modifications to the proposed language.
Comment: One commenter expressed concern that the definition of data mining includes only “Medicaid claims” as the type of data subject to analysis and suggested expanding the definition to include managed care encounter data and capitation payments.

Response: We agree that the proposed definition should be expanded. We recognize that managed care constitutes a significant and growing proportion of the national Medicaid program and that the reference to “claims data” may be too limited. We also recognize that MFCUs may find it useful to mine other types of data. For example, section 2701 of the Patient Protection and Affordable Care Act, Public Law 111–148 (2010), enacted new requirements for States to collect and provide quality data on health care furnished to Medicaid eligible adults. These data could prove fruitful in identifying providers that may be submitting Medicaid billings for services that are of substandard quality or pose harm to beneficiaries. There are also bundled payments and other evolving payment methods where MFCUs might determine that data could be successfully mined to identify potential fraud. Finally, there may be relevant non-Medicaid data that would be useful to data mining, such as information from other Federal or State programs or from commercial payers. Therefore, in this final rule, we have removed the reference to claims data and revised the definition of data mining to broadly encompass Medicaid and other relevant data that may be used to identify aberrant utilization, billing, or other practices that are potentially fraudulent.

C. Annual Report

Comment: One commenter expressed support for the proposal to include data mining information as part of the existing annual report rather than as a separate document. The commenter opposed requiring MFCUs to separately report costs and indicate the return on investment from data mining.
The commenter asserted that data mining activities could be adequately monitored through the agreement between the MFCU and the State Medicaid agency. The commenter also said that providing information about costs and return on investment does not further the three elements we identified as necessary for data mining to be effective: Coordination with the State Medicaid agency, programmatic knowledge, and training.

Response: We believe that providing information about data mining costs and rate of return is an appropriate and necessary addition to the annual report. We proposed to amend our regulations to permit Federal reimbursement for data mining because we believe that the use of such modern technologies can help MFCUs more effectively identify, investigate, and prosecute Medicaid fraud. We believe that collecting basic cost and performance information will be critical to carrying out our oversight responsibilities and to determining whether MFCUs are using the additional Federal funds to increase their effectiveness and efficiency in pursuing fraud. We are therefore finalizing our requirement that MFCUs approved to receive FFP in costs for data mining must provide specific information on their activities in their annual reports to OIG.

D. Requirements for the MFCU Agreement With the State Medicaid Agency

Comment: A commenter expressed concern that requiring a description of the duration of the MFCU activity and staff time might be appropriate for a demonstration project but is an inefficient use of MFCU time and resources. Another concern raised by the commenter is that establishing a set duration and staff time may not meet the needs of fraud investigations, particularly if duration and staff time are treated as minimums that the MFCU would be expected to meet.
Finally, the commenter noted that requiring a defined duration and staff time does not address any of the three elements identified by OIG as critical to effective data mining.

Response: We agree that defining duration and staffing before undertaking data mining activities may not be efficient or reasonable for an activity that MFCUs expect to continue for an extended period and expect to yield investigative leads that were not anticipated at the outset. We are concerned that MFCUs may be reluctant to invest time and resources in data mining if they believe that an estimate of resources will become an inflexible limitation. Therefore, the final rule eliminates a requirement in the proposed rule that MFCUs define duration and staff time as part of their respective agreements with State Medicaid agencies.

However, we are mindful of our responsibility to monitor MFCUs’ effective and efficient operation. We have therefore included in the final rule a requirement that staff time and other costs devoted to data mining activities be reported in a section of the annual report provided to OIG. We will review annual reports carefully to determine whether MFCUs are effectively using their resources to carry out their functions, including identifying potential fraud through data mining and other activities.

In addition, we are establishing a 3-year duration for each approval of FFP for data mining by a MFCU. We believe a 3-year period will allow OIG to evaluate whether a MFCU is using its data mining resources effectively. We also believe that 3 years will be sufficient for MFCUs and State agencies to implement their data mining activities, assess their operations, and determine any changes that would increase their effectiveness. At the end of the 3-year period, the MFCU may request renewal of its approval by submitting an updated agreement with the State agency.
In considering renewal, OIG will review any changes to the agreement and will consider the information provided on data mining activities in annual reports and from other sources.

Comment: Another commenter suggested that OIG obtain further information, including the amount of outside support that MFCUs receive in conducting data mining.

Response: We do not agree that we should further require MFCUs to identify the amount of outside support for conducting data mining. We believe that expecting a MFCU to include such information in its agreement with the State agency at the start of the activity would be burdensome. We have asked only for information that will facilitate essential coordination between the MFCU and the State Medicaid agency and that will permit OIG, in consultation with CMS, to determine whether Federal reimbursement for data mining activities should be expected to increase a MFCU’s effectiveness in investigating and prosecuting Medicaid fraud. We will not require any further information on outside support to be provided to OIG.

Comment: A commenter expressed a concern that naming a primary point of contact is not advisable because personnel may change frequently.

Response: We agree with the comment and will instead require in this final rule that the agreement identify both the individual who will serve as the principal point of contact in each agency, as well as the contact information, title, and office of such individuals.

E. Approval by OIG in Consultation With CMS

Comment: A commenter stated that approval of data mining by OIG, in consultation with CMS, is unnecessary if the data mining proposal has been approved by the State Medicaid agency as part of the review of the memorandum of understanding. The commenter also requested that, if OIG approval is included, the regulation identify the number of days in which OIG will make an approval decision.
Response: OIG is responsible for overseeing the efficiency and effectiveness of the MFCU program. We believe that OIG would not be properly carrying out this responsibility if it did not review and approve the data mining agreement between the State MFCU and the State Medicaid agency. As part of that review, OIG will examine whether MFCUs have both the technical infrastructure and adequate staffing to conduct data mining and whether they have procedures in place to coordinate data mining projects with State Medicaid agency staff. Also, because of the role and experience of CMS in overseeing the State Medicaid agencies, we believe that consultation with CMS is necessary.

We agree that OIG should review data mining requests in an expeditious manner. We are therefore adding to the final regulation a 90-day period during which OIG will review and respond to a MFCU’s request for data mining approval or the request will be considered approved if OIG fails to respond within the 90-day review period. This review period is comparable to the timeframes that CMS follows for Medicaid State plan approvals and would provide sufficient time for OIG to review and consult with CMS on the proposed data mining plan. Should OIG need additional information, a written request by OIG to the MFCU would extend the review period for another 90 days, beginning on receipt by OIG of the MFCU’s response.

We will finalize the requirement that OIG, in consultation with CMS, must approve a MFCU’s data mining agreement with the State Medicaid agency and add a 90-day period for OIG to respond to the MFCU’s request for approval, with an extension of 90 additional days if OIG sends a written request for further information.

F. Burden on State Medicaid Agency Staff

Comment: A commenter expressed concern that the wording of the background to the proposed rule was vague regarding involvement by State Medicaid agencies, and it suggested that undue burdens might be imposed on Medicaid agency staff. The commenter was concerned that data mining by MFCUs will place undue burdens on already strapped State resources and will inhibit current program integrity efforts. The commenter proposed alternative wording to emphasize that data mining projects would be conducted entirely by MFCU staff and that Medicaid agency staff would operate in a support role.

Response: We do not believe that MFCU data mining should burden State Medicaid agency staff or interfere with their independent program integrity efforts. The commenter did not suggest changes to the proposed regulation itself. The text of the final regulation will require a MFCU that engages in data mining to describe in its negotiated agreement with the State Medicaid agency both the methods of coordination with the Medicaid agency as well as how the MFCU will obtain training in data mining techniques.

We agree that MFCU data mining will be conducted entirely by MFCU staff and that State agency staff will operate in a supporting role. MFCU data mining will not inhibit current program integrity efforts since the MFCU’s activities will be separate from current program integrity efforts and should not interfere with ongoing efforts by the Medicaid agency to identify aberrant payments. Moreover, consistent with the agreement between the MFCU and State agency, the Medicaid agency’s supporting role should not impose an undue burden on State agency resources.
The Medicaid agency should already work closely with the MFCU in coordinating administrative actions and in providing programmatic and policy information to the MFCU. The Medicaid agency may serve as a source of training for the MFCU in data mining techniques, but there are other sources of such training so this should also not present an undue burden on the Medicaid agency. Finally, we note that if the Medicaid agency and the MFCU are not currently working in a collaborative and efficient manner, this could be the basis for denying a MFCU’s request to conduct data mining.

G. Effects of Data Mining on Providers

Comment: One commenter noted that OIG should require State Medicaid programs to describe how providers may challenge the results of data mining. The commenter also asked that OIG allow FFP for provider outreach and education by MFCU staff.

Response: OIG does not establish requirements for State Medicaid agencies, and we do not agree that a MFCU should set up a special process to permit providers to question or challenge a fraud investigation undertaken as a result of data mining. A provider would have the same legal ability to defend himself or herself in an investigation or prosecution undertaken by a MFCU whether it was the result of data mining or another source of referrals to the MFCU. Moreover, we do not believe that it is within the scope of this regulation, or within our general oversight authority, to dictate to States how their legal systems would allow for providers to challenge a particular investigation or case.

OIG recognizes that provider outreach and education may be useful and important and that many State Medicaid agencies have established provider education and outreach programs for which FFP is available. We would encourage MFCU staff to assist State Medicaid agencies, as part of their coordinating efforts, in outreach and education directed toward fraud detection and prevention.
Comment: Another commenter raised a concern about overlap and duplication among Medicare and Medicaid entities, such as CMS contractors, which may audit and investigate some of the same providers and situations. The commenter asked that OIG carefully monitor data mining activities to safeguard Federal programs and avoid unduly burdening providers.

Response: It is outside the scope of this regulation to establish monitoring requirements for audit activities of State Medicaid programs or of Federal entities, such as CMS contractors, mentioned by the commenter. In the final rule implementing the Medicaid Recovery Audit Contractor (RAC) program (76 FR 57808 (September 16, 2011)), CMS noted that State Medicaid agencies are required to coordinate auditing efforts and to make referrals of suspected fraud and/or abuse to the MFCU or other appropriate law enforcement agency. In this final rule, OIG has provided that State MFCUs must coordinate data mining activities with State Medicaid agencies to ensure that Medicaid policies are well understood by the MFCU, that data mining strategies are not duplicative, and that MFCUs are aware of any program integrity reviews by State agencies that may involve the same provider or category of providers. However, we want to again make clear that we do not intend that this coordination will interfere with MFCUs’ investigative independence. Audits or administrative reviews by a State Medicaid agency, or a State or Federal audit or program integrity contractor, may not prevent a MFCU from initiating, carrying out, or completing a fraud investigation or prosecution that may result from data mining.

H. Coordination With Managed Care Organizations

Comment: Several commenters recommended that the regulation be expanded to require that MFCUs coordinate their data mining activities with Medicaid managed care organizations, if appropriate, for a particular State.

Response: Our general approach to data mining by MFCUs is to give each MFCU the autonomy to choose how to operate its programs based on the needs and priorities of each State. While we have required each MFCU to describe its coordination with its State Medicaid agency if the MFCU intends to conduct data mining, we regard this coordination as an indispensable element for data mining to be successful. Coordination with managed care plans may be an effective practice in certain States. However, we believe this determination should be made by the MFCU, in consultation with the State Medicaid agency and in the context of other data mining priorities, and we will therefore not require it of all MFCUs.

I. Experience With Health Care Data Mining

Comment: A commenter recommended that OIG require data miners to have experience and expertise with health care claims data mining and recommended certain data elements and data mining techniques to enhance effectiveness of MFCU activities.

Response: We agree that MFCU staff engaged in data mining should have the requisite training to effectively conduct data mining projects. For this reason, we have established in the regulation a condition that MFCU employees engaged in data mining receive specialized training in data mining techniques. To the extent that the commenter is suggesting that MFCUs employ specific individuals with a particular background in data mining, we are not imposing this as a requirement. We believe that MFCUs can determine their own staffing needs as they do for the other professional activities in which they engage. With respect to data mining techniques, we believe that data mining approaches should be selected by the MFCU, in consultation with the State Medicaid agency and in light of the particular needs, priorities, and systems in that State. We will therefore not require the use of any specific data mining technologies or approaches.

IV. Regulatory Impact Statement

We have examined the impact of this final rule as required by Executive Orders 12866 and 13563, the Unfunded Mandates Reform Act of 1995, and the Regulatory Flexibility Act of 1980 (RFA) (Pub. L. 96–354).

A. Regulatory Analysis

Executive Orders 12866 and 13563

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. A regulatory impact analysis must be prepared for major rules with economically significant effects ($136 million or more in any given year). We believe that the aggregate impact of this rule does not reach this ``economically significant'' threshold, and thus, is not considered a major rule.

1. Estimated Impact on Medicaid Program Expenditures

We estimate below the impact of this rule on Medicaid expenditures over the next 10 years, including both Federal and State expenditures. These estimates are based on the following: MFCU grant award amounts, expenditures and recoveries from FY 2007–2012 reported to OIG; information from a Florida MFCU project that commenced in 2010 under which the Unit conducts data mining as part of a demonstration waiver approved by the Secretary; State Program Integrity Assessment provided to CMS from FY 2007 to FY 2010; and results from a 2009 National Health Policy Forum presentation ``Prevention and Early Detection of Health Care Fraud, Waste, and Abuse'', which reported data from Independence Blue Cross’s use of data mining for their benefit plans.

Based on analysis of the information and data described above, we estimated the potential rate of return on MFCU data mining activities. Table 1 contains the estimates for the total cost of data mining, total recoveries as a result of data mining, and net total impact. Table 1 also includes costs, recoveries, and net impact for both Federal and State levels. We refined our estimates to account for the likelihood that data mining would not provide any recoveries in the first year and a limited amount of recoveries in the second year. Table 1 assumes a medium rate of State MFCU participation in data mining activities (40%), a medium rate of return on data mining activities ($6.90 per $1 spent), and 33% of recoveries in the second year. The net Federal impact is savings of $34.3 million from FY 2014–FY 2023.

TABLE 1—ESTIMATED IMPACT ON MEDICAID EXPENDITURES AND RECOVERIES FOR MFCU DATA MINING ACTIVITIES

                        2014    2015    2016    2017    2018    2019    2020    2021    2022    2023  2014-2023
Total Cost              $1.1    $1.1    $1.2    $1.2    $1.2    $1.2    $1.3    $1.3    $1.3    $1.4      $12.3
Total Recoveries        $0.0   -$2.6   -$8.0   -$8.2   -$8.4   -$8.6   -$8.8   -$8.9   -$9.1   -$9.3     -$71.9
Net Total Impact        $1.1   -$1.5   -$6.9   -$7.0   -$7.2   -$7.3   -$7.5   -$7.7   -$7.8   -$8.0     -$59.8
Federal Cost            $0.8    $0.9    $0.9    $0.9    $0.9    $0.9    $1.0    $1.0    $1.0    $1.0       $9.3
Federal Recoveries      $0.0   -$1.6   -$4.9   -$5.0   -$5.1   -$5.2   -$5.3   -$5.4   -$5.5   -$5.6     -$43.6
Net Federal Impact      $0.8   -$0.7   -$4.0   -$4.1   -$4.2   -$4.3   -$4.3   -$4.4   -$4.5   -$4.6     -$34.3
State Cost              $0.3    $0.3    $0.3    $0.3    $0.3    $0.3    $0.3    $0.3    $0.3    $0.3       $3.0
State Recoveries        $0.0   -$1.0   -$3.2   -$3.2   -$3.3   -$3.4   -$3.5   -$3.6   -$3.6   -$3.7     -$28.5
Net State Impact        $0.3   -$0.8   -$2.9   -$2.9   -$3.0   -$3.1   -$3.2   -$3.2   -$3.3   -$3.4     -$25.5

Note: all figures in millions of dollars; totals may not add due to rounding.

2. Estimated Impact on Industry

We estimate that MFCU data mining will likely have a limited impact on the health care industry. We believe that the total number of fraud investigations of providers would increase only to the extent that the MFCUs receive additional budget authority from the States to seek an expansion of their operations. Therefore, to the extent that there is any economic impact, we believe that potential costs to the health care industry will be minimal and will be surpassed by savings of Federal and State dollars.

3. Unfunded Mandates Reform Act

Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1531–1538) establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under UMRA, agencies must assess a rule’s anticipated costs and benefits before issuing any rule that may result in aggregate costs to State, local, or tribal governments, or the private sector, of greater than $100 million in 1995 dollars (currently adjusted to $139 million).
This final rule does not impose any Federal mandates on any State, local, or tribal government or the private sector within the meaning of UMRA, and thus a full analysis under UMRA is not necessary.

4. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. For the purposes of RFA, small entities include small businesses, certain nonprofit organizations, and small government jurisdictions. Individuals and States are not included in this definition of a small entity. This final rule would revise regulations that prohibit State MFCUs from using Federal matching funds to conduct ``efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with beneficiaries of whether services billed by a provider were actually received.'' These revisions impose no significant economic impact on a substantial number of small entities. Therefore, the undersigned certifies that this rule will not have a significant impact on a substantial number of small entities.

5. Executive Order 13132

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local Governments, preempts State law, or otherwise has Federalism implications. Since this regulation does not impose any costs on State or local Governments, preempt State or local law, or otherwise have Federalism implications, the requirements of Executive Order 13132 are not applicable.

B. Paperwork Reduction Act

In the proposed rule, pursuant to the Paperwork Reduction Act, we solicited public comments for 60 days on each of the following issues regarding information collection requirements (ICRs). No comments were received on these issues. For the purpose of this final rule, we are soliciting public comment for 30 days for the following sections of this rule regarding ICRs:

• The need for the information collection and its usefulness in carrying out the proper functions of our agency;
• the accuracy of our estimate of the information collection burden;
• the quality, utility, and clarity of the information to be collected; and
• recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

1. ICRs Regarding the Annual Report (§ 1007.17)

Section 1007.17 states that all costs expended in a given year by MFCUs attributed to data mining activities must be included as part of their existing annual report, including the amount of staff time devoted to data mining activities; the number of cases generated from those activities; the outcome and status of those cases, including the expected and actual monetary recoveries (both Federal and non-Federal share); and any other relevant indicia of return on investment from such activities.

The burden associated with the requirements in 1007.17 is expected to be minimal because MFCUs have existing systems in place to track their activities, including costs, staff time, and status and outcomes. The burden associated with this requirement is the time and effort necessary to track and calculate information to be included in their annual report. We estimate that it will take each state approximately one additional hour per year to comply with these requirements.
We arrived at this estimate after consulting with Florida’s MFCU, which since 2010 has a waiver to conduct data mining. We estimate that MFCU participation in data mining activities will be at a ``medium'' level, or at about 20 units. The burden associated with the existing annual report requirement contained in § 1007.17 is approved under existing OMB Control Number (OCN) 0990–0162. Table 2 indicates the paperwork burden associated with the requirements of this final rule.

Regulation section                      1007.17
OMB Control No.                         0990–0162
Respondents                             20
Responses per respondent                1
Burden per response (hours)             88
Total annual burden (hours)             1760
Hourly labor cost of reporting ($)      23.39
Total labor cost of reporting           102,916
Total cost ($)                          102,916

Please submit any comments you may have on these information collection and recordkeeping requirements to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: OIG Desk Officer, [OIG–1203–F], Fax: (202) 395–5806; or Email: OIRA-submission@omb.eop.gov.

List of Subjects in 42 CFR Part 1007

Administrative practice and procedure, Fraud, Grant programs—health, Medicaid, Reporting and recordkeeping requirements.

For the reasons set forth in the preamble, OIG amends 42 CFR part 1007, as set forth below:

PART 1007—[AMENDED]

■ 1. Revise the authority citation to part 1007 to read as follows:

Authority: 42 U.S.C. 1396b(a)(6), 1396(b)(3), 1396b(q), and 1302.

■ 2. In § 1007.1, add in alphabetical order, the definition for ``data mining'' to read as follows:

§ 1007.1 Definitions.

* * * * *

Data mining is defined as the practice of electronically sorting Medicaid or other relevant data, including but not limited to the use of statistical models and intelligent technologies, to uncover patterns and relationships within that data to identify aberrant utilization, billing, or other practices that are potentially fraudulent.

* * * * *

■ 3. In § 1007.17, add paragraph (i) to read as follows:

§ 1007.17 Annual report.

* * * * *

(i) For those MFCUs approved to conduct data mining under § 1007.20, all costs expended that year by the MFCU attributed to data mining activities; the amount of staff time devoted to data mining activities; the number of cases generated from those activities; the outcome and status of those cases, including the expected and actual monetary recoveries (both Federal and non-Federal share); and any other relevant indicia of return on investment from such activities.

■ 4. In § 1007.19, revise paragraph (e)(2) to read as follows:

§ 1007.19 Federal financial participation (FFP).

* * * * *

(e) * * *

(2) Routine verification with beneficiaries of whether services billed by providers were actually received, or, except as provided in § 1007.20, efforts to identify situations in which a question of fraud may exist, including the screening of claims and analysis of patterns of practice that involve data mining as defined in § 1007.1;

* * * * *

■ 5. Add § 1007.20 to read as follows:

§ 1007.20 Circumstances in which data mining is permissible and approval by HHS Office of Inspector General.
(a) Notwithstanding § 1007.19(e)(2), a MFCU may engage in data mining as defined in this part and receive Federal financial participation only under the following conditions:

(1) The MFCU identifies the methods of coordination between the MFCU and State Medicaid agency, the individuals serving as primary points of contact for data mining, as well as the contact information, title, and office of such individuals;

(2) MFCU employees engaged in data mining receive specialized training in data mining techniques;

(3) The MFCU describes how it will comply with paragraphs (a)(1) and (2) of this section as part of the agreement required by § 1007.9(d); and

(4) The Office of Inspector General, Department of Health and Human Services, in consultation with the Centers for Medicare & Medicaid Services, approves in advance the provisions of the agreement as defined in paragraph (a)(3) of this section.

(i) OIG will act on a request from a MFCU for review and approval of the agreement within 90 days after receipt of a written request or the request shall be considered approved if OIG fails to respond within 90 days after receipt of the written request.

(ii) If OIG requests additional information in writing, the 90-day period for OIG action on the request begins on the day OIG receives the information from the MFCU.

(iii) The approval is for 3 years.

(iv) A MFCU may request renewal of its data mining approval for additional 3-year periods by submitting a written request for renewal to OIG, along with an updated agreement with the State Medicaid agency.

(b) [Reserved]

Dated: January 2, 2013.
Daniel R. Levinson,
Inspector General.

Dated: January 17, 2013.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.

[FR Doc. 2013–11735 Filed 5–16–13; 8:45 am]
BILLING CODE 4152–01–P

[Federal Register Volume 78, Number 96 (Friday, May 17, 2013)]
[Rules and Regulations]
[Pages 29055-29061]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-11735]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Part 1007

[OIG-1203-F]


State Medicaid Fraud Control Units; Data Mining

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends a provision in HHS regulations 
prohibiting State Medicaid Fraud Control Units (MFCU) from using 
Federal matching funds to identify fraud through screening and 
analyzing State Medicaid data, known as data mining. To support and 
modernize MFCU efforts to effectively pursue Medicaid provider fraud, 
we finalize proposals to permit Federal financial participation (FFP) 
in costs of defined data mining activities under specified 
circumstances. In addition, we finalize requirements that MFCUs 
annually report costs and results of approved data mining activities to 
OIG.

DATES: These regulations are effective on June 17, 2013.

FOR FURTHER INFORMATION CONTACT: Richard Stern, Department of Health 
and Human Services, Office of Inspector General, (202) 619-0480.

SUPPLEMENTARY INFORMATION: 

I. Background and Statutory Authority

    In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments 
(Pub. L. 95-142) were enacted to strengthen the capability of the 
Government to detect, prosecute, and punish fraudulent activities under 
the Medicare and Medicaid programs. Section 17(a) of the statute 
amended section 1903(a) of the Social Security Act (the Act) to provide 
for Federal participation in the costs attributable to establishing and 
operating a MFCU. The requirements for operating a MFCU appear at 
section 1903(q) of the Act. Promulgated in 1978, regulations 
implementing the MFCU authority appear at 42 CFR part 1007.
    Section 1903(a)(6) of the Act requires the Secretary of Health and 
Human Services (the Secretary) to pay FFP to a State for MFCU costs 
``attributable to the establishment and operation of a MFCU'' and 
``found necessary by the Secretary for the elimination of fraud in the 
provision and administration of medical assistance provided under the 
State plan.'' Under the section, States receive 90 percent FFP for an 
initial 3-year period for the costs of establishing and operating a 
MFCU, including the costs of training, and 75 percent FFP thereafter. 
Currently, all States with MFCUs receive FFP at a 75-percent rate. In 
accordance with section 1903(q) of the Act, MFCUs must be separate and 
distinct from the State's Medicaid agency. For a State Medicaid agency, 
general administrative costs of operating a State Medicaid program are 
reimbursed at a rate of 50 percent, although enhanced FFP rates are 
available for certain activities specified by statute, including those 
associated with Medicaid management information systems (MMIS).

[[Page 29056]]

    To increase MFCU effectiveness in eliminating Medicaid fraud, this 
final rule modifies an existing regulatory prohibition on the payment 
of FFP for activities generally known as data mining. We discuss the 
reasons for this modification below.

II. Provisions of the Proposed Regulation

    We published a proposed rule in the Federal Register on March 17, 
2011 (76 FR 14637), that would permit use of Federal matching funds by 
MFCUs, under specified conditions, for identification of potential 
Medicaid fraud through data mining activities.
    Current Federal regulations at 42 CFR 1007.19 specify that State 
MFCUs are prohibited from using Federal matching funds to conduct 
``efforts to identify situations in which a question of fraud may 
exist, including the screening of claims, analysis of patterns of 
practice, or routine verification with beneficiaries of whether 
services billed by providers were actually received.'' The prohibition 
on Federal matching for ``screening of claims [and] analysis of 
patterns of practice'' is commonly interpreted as a prohibition on 
Federal matching for the costs of data mining by MFCUs. We proposed to 
amend Sec.  1007.19(e) to provide for an exception to this general 
prohibition on FFP. We proposed to add a new Sec.  1007.20, that would 
describe the conditions under which the Federal share of data mining 
costs would be available to MFCUs. We also proposed to amend Sec.  
1007.1 (``Definitions'') by adding a definition of data mining for the 
purposes of this rule. Finally, we proposed to amend Sec.  1007.17 
(``Annual Report'') to include additional reporting requirements by 
MFCUs to capture costs associated with data mining activities, the 
outcome and status of those cases, and monetary recoveries resulting 
from those activities.
    For the purposes of the proposed rule, we used the term ``data 
mining'' to refer specifically to the practice of electronically 
sorting Medicaid claims through statistical models and intelligent 
technologies to uncover patterns and relationships in Medicaid claims 
activity and history to identify aberrant utilization and billing 
practices that are potentially fraudulent.
    Data mining has historically been the responsibility of each State 
Medicaid agency, which analyzes Medicaid data as part of its routine 
program-monitoring activities. This practice of relying on the State 
Medicaid agency has placed the sole burden of identifying potentially 
fraudulent practices using data mining on the State Medicaid agencies 
and has required the MFCUs to remain highly dependent on referrals from 
State Medicaid agencies and other external sources.
    For many years, we understand that many MFCUs have had online 
access to Medicaid claims information for purposes of individual case 
development, but have been prohibited by regulation from receiving FFP 
for using claims data for identifying other potential cases. Since the 
1978 rule was promulgated, highly advanced tools and methods have 
become available that allow law enforcement and other oversight 
entities to analyze claims information and other data. This includes 
the detection of aberrant billing patterns and the development of 
predictive models. These tools and methods have been extremely 
effective in identifying potential fraud cases, and they are routinely 
used by other law enforcement agencies. We believe that allowing MFCUs 
to receive funding for data mining will enable them to marshal their 
resources more effectively and take full advantage of their expertise 
in detecting and investigating Medicaid fraud vulnerabilities.
    At the same time, we recognized in the proposed rule that three 
elements are critical to ensuring the effective use of data mining by 
MFCUs.
    First, MFCUs and State Medicaid agencies must fully coordinate the 
MFCUs' use of data mining and the identification of possible provider 
fraud. For example, MFCUs should consult with the State Medicaid 
agencies in considering data mining priorities that may also be subject 
to program integrity and audit reviews. Similarly, State Medicaid 
agencies and MFCUs should coordinate data mining projects with 
activities of other organizations, such as ``review contractors'' that 
are selected by the Centers for Medicare & Medicaid Services (CMS) and 
are responsible for identifying providers subject to audits or program 
administrative actions.
    Second, while MFCUs are experienced in pursuing Medicaid fraud, it 
is the State Medicaid agencies that set the policies governing the 
appropriate activities of Medicaid providers. The MFCUs may be unaware 
of recent changes in reimbursement policy, making data appear aberrant 
when they are not. To avoid wasting resources and pursuing data mining 
projects without adequate basis, the MFCUs must coordinate their 
efforts closely with the State Medicaid agency, confirming that the 
results obtained from data mining are interpreted correctly, consistent 
with current policy and practice.
    Third, MFCU staff should be properly trained in data mining 
techniques. Although tools and methods for data mining may be widely 
available, appropriate training is necessary.
    For these reasons, we proposed in new 42 CFR 1007.20 that as a 
condition for claiming FFP in costs of data mining, a MFCU must 
identify methods for addressing these three critical elements in its 
agreements with the State Medicaid agency: Coordination with the State 
Medicaid agency, programmatic knowledge, and training. We further 
proposed that OIG must provide specific approval of that agreement to a 
MFCU that wants to engage in data mining. OIG will consult with CMS in 
approving data mining requests, given the CMS role in overseeing the 
activities of State Medicaid agencies and the critical importance of 
MFCU coordination with those agencies.
    We also proposed to require that MFCUs approved to receive FFP for 
data mining include the following information in their annual reports 
to OIG: Costs associated with data mining activities, the number of 
cases generated from data mining activities, the outcome and status of 
those cases, and monetary recoveries resulting from those activities. 
This information will be used by OIG in overseeing and monitoring of 
MFCUs.

III. Analysis of and Responses to Public Comments

    We received 13 sets of timely comments on the March 17, 2011, 
proposed rule (76 FR 14637) from a national anti-fraud association, 
groups of health care providers and beneficiaries, State Attorneys 
General, individual MFCUs, a State Medicaid agency, a managed care 
entity, and information technology health services companies. Most 
commenters supported our proposal to provide Federal reimbursement for 
data mining activities by MFCUs, citing potential cost savings through 
earlier identification of Medicaid fraud, the benefit of conserving 
administrative resources by better targeting of anti-fraud 
investigations, and the potential for increased effectiveness in 
finding and eliminating fraud and abuse. Commenters supported the 
addition of data mining as an optional tool for MFCUs that wish to 
employ it, but not as a requirement for all MFCUs. Supporting 
commenters also noted that the results of data mining activities should 
not be viewed as proof of provider fraud or abuse, but as information 
that assists state officials in targeting anti-fraud monitoring and 
investigations.

[[Page 29057]]

    We reviewed each set of comments and grouped them into related 
categories based on subject matter. Below we set forth summaries of the 
public comments received, our responses to those comments, and changes 
we are making in this final rule as a result of the comments received.

A. Modifications to the Data Mining Prohibition

    Comment: One commenter recommended that OIG eliminate the 
prohibition on paying FFP for data mining that is in 42 CFR 
1007.19(e)(2), rather than establishing an approval mechanism for data 
mining as we have proposed in a new Sec.  1007.20. The commenter noted 
the technological advances that have occurred since the rule was 
originally published in 1978 and that data mining is viewed by the 
MFCUs as a ``supplemental investigative tool.'' The commenter stated 
its belief that the existing oversight authority in the regulation 
would provide adequate monitoring of data mining activities.
    Response: We do not believe that a wholesale elimination of the 
prohibition on data mining is appropriate. To be effective, data mining 
requires unique coordination of the resources and expertise of both the 
MFCU and the State Medicaid agency, as well as properly trained staff. 
In the absence of an approval process, we believe that a MFCU might 
undertake a data mining program without trained staff, might duplicate 
data mining activities of the Medicaid agency, or might pursue projects 
that rely upon a misunderstanding of program rules or policy.
    However, to reflect technological advances in the use of data, we 
are modifying the proposed definition of data mining to emphasize the 
wider range of the possible uses of data, including the use of 
``statistical models and intelligent technologies'' as well as other 
means of electronically sorting Medicaid data that are conducted for 
the purpose of detecting circumstances that might involve fraud. We are 
therefore adding the phrase ``including but not limited to the use of'' 
before ``statistical models and intelligent technologies'' in the 
definition that appears in section 1007.1 to emphasize the range of 
methods in which data could be used to identify potential fraud cases.

B. Use of Data Mining in the Course of an Investigation

    Comment: One commenter suggested that we add the word 
``randomized'' before the word ``practice'' in defining data mining and 
that we add a sentence to clarify that the definition is not intended 
to prohibit the MFCUs from conducting other types of Medicaid data 
analysis in the normal course of their investigations.
    Response: We agree that the intent of the regulation is not to 
limit other types of Medicaid data analysis being conducted in the 
normal course of an investigation. Units may analyze relevant Medicaid 
data as part of the evidence-gathering process while investigating a 
particular possible fraud. In some instances, this data analysis 
conducted as part of a particular investigation might allow the Unit to 
identify other potential targets, which would result in opening new 
fraud cases. Such data analysis is an accepted part of a MFCU's 
investigative function and does not implicate the prohibition contained 
in section 1007.19(e)(2) on paying FFP for ``expenditures attributable 
to . . . [e]fforts to identify situations in which a question of fraud 
may exist, including the screening of claims [or] analysis of patterns 
of practice. . . .'' Further, analysis of Medicaid data to support an 
investigation of a particular provider is not subject to the data 
mining approval process under new Sec.  1007.20. However, we do not 
believe the text of the regulation itself needs to state this. We are 
also concerned that adding the word ``randomized'' may limit the 
statistical techniques employed by a MFCU when conducting data mining. 
Therefore, we are not adding the word ``randomized'' as part of our 
modifications to the proposed language.
    Comment: One commenter expressed concern that the definition of 
data mining includes only ``Medicaid claims'' as the type of data 
subject to analysis and suggested expanding the definition to include 
managed care encounter data and capitation payments.
    Response: We agree that the proposed definition should be expanded. 
We recognize that managed care constitutes a significant and growing 
proportion of the national Medicaid program and that the reference to 
``claims data'' may be too limited.
    We also recognize that MFCUs may find it useful to mine other types 
of data. For example, section 2701 of the Patient Protection and 
Affordable Care Act, Public Law 111-148 (2010), enacted new 
requirements for States to collect and provide quality data on health 
care furnished to Medicaid eligible adults. These data could prove 
fruitful in identifying providers that may be submitting Medicaid 
billings for services that are of substandard quality or pose harm to 
beneficiaries. There are also bundled payments and other evolving 
payment methods where MFCUs might determine that data could be 
successfully mined to identify potential fraud. Finally, there may be 
relevant non-Medicaid data that would be useful to data mining, such as 
information from other Federal or State programs or from commercial 
payers.
    Therefore, in this final rule, we have removed the reference to 
claims data and revised the definition of data mining to broadly 
encompass Medicaid and other relevant data that may be used to identify 
aberrant utilization, billing, or other practices that are potentially 
fraudulent.

C. Annual Report

    Comment: One commenter expressed support for the proposal to 
include data mining information as part of the existing annual report 
rather than as a separate document. The commenter opposed requiring 
MFCUs to separately report costs and indicate the return on investment 
from data mining. The commenter asserted that data mining activities 
could be adequately monitored through the agreement between the MFCU 
and the State Medicaid agency. The commenter also said that providing 
information about costs and return on investment does not further the 
three elements we identified as necessary for data mining to be 
effective: Coordination with the State Medicaid agency, programmatic 
knowledge, and training.
    Response: We believe that providing information about data mining 
costs and rate of return is an appropriate and necessary addition to 
the annual report. We proposed to amend our regulations to permit 
Federal reimbursement for data mining because we believe that the use 
of such modern technologies can help MFCUs more effectively identify, 
investigate, and prosecute Medicaid fraud. We believe that collecting 
basic cost and performance information will be critical to carrying out 
our oversight responsibilities and to determining whether MFCUs are 
using the additional Federal funds to increase their effectiveness and 
efficiency in pursuing fraud. We are therefore finalizing our 
requirement that MFCUs approved to receive FFP in costs for data mining 
must provide specific information on their activities in their annual 
reports to OIG.

D. Requirements for the MFCU Agreement With the State Medicaid Agency

    Comment: A commenter expressed concern that requiring a description 
of the duration of the MFCU activity and staff time might be 
appropriate for a

[[Page 29058]]

demonstration project but is an inefficient use of MFCU time and 
resources. Another concern raised by the commenter is that establishing 
a set duration and staff time may not meet the needs of fraud 
investigations, particularly if duration and staff time are treated as 
minimums that the MFCU would be expected to meet. Finally, the 
commenter noted that requiring a defined duration and staff time does 
not address any of the three elements identified by OIG as critical to 
effective data mining.
    Response: We agree that defining duration and staffing before 
undertaking data mining activities may not be efficient or reasonable 
for an activity that MFCUs expect to continue for an extended period 
and expect to yield investigative leads that were not anticipated at 
the outset. We are concerned that MFCUs may be reluctant to invest time 
and resources in data mining if they believe that an estimate of 
resources will become an inflexible limitation. Therefore, the final 
rule eliminates a requirement in the proposed rule that MFCUs define 
duration and staff time as part of their respective agreements with 
State Medicaid agencies.
    However, we are mindful of our responsibility to monitor MFCUs' 
effective and efficient operation. We have therefore included in the 
final rule a requirement that staff time and other costs devoted to 
data mining activities be reported in a section of the annual report 
provided to OIG. We will review annual reports carefully to determine 
whether MFCUs are effectively using their resources to carry out their 
functions, including identifying potential fraud through data mining 
and other activities.
    In addition, we are establishing a 3-year duration for each 
approval of FFP for data mining by a MFCU. We believe a 3-year period 
will allow OIG to evaluate whether a MFCU is using its data mining 
resources effectively. We also believe that 3 years will be sufficient 
for MFCUs and State agencies to implement their data mining activities, 
assess their operations, and determine any changes that would increase 
their effectiveness. At the end of the 3-year period, the MFCU may 
request renewal of its approval by submitting an updated agreement with 
the State agency. In considering renewal, OIG will review any changes 
to the agreement and will consider the information provided on data 
mining activities in annual reports and from other sources.
    Comment: Another commenter suggested that OIG obtain further 
information, including the amount of outside support that MFCUs receive 
in conducting data mining.
    Response: We do not agree that we should further require MFCUs to 
identify the amount of outside support for conducting data mining. We 
believe that expecting a MFCU to include such information in its 
agreement with the State agency at the start of the activity would be 
burdensome. We have asked only for information that will facilitate 
essential coordination between the MFCU and the State Medicaid agency 
and that will permit OIG, in consultation with CMS, to determine 
whether Federal reimbursement for data mining activities should be 
expected to increase a MFCU's effectiveness in investigating and 
prosecuting Medicaid fraud. We will not require any further information 
on outside support to be provided to OIG.
    Comment: A commenter expressed a concern that naming a primary 
point of contact is not advisable because personnel may change 
frequently.
    Response: We agree with the comment and will instead require in 
this final rule that the agreement identify both the individual who 
will serve as the principal point of contact in each agency, as well as 
the contact information, title, and office of such individuals.

E. Approval by OIG in Consultation With CMS

    Comment: A commenter stated that approval of data mining by OIG, in 
consultation with CMS, is unnecessary if the data mining proposal has 
been approved by the State Medicaid agency as part of the review of the 
memorandum of understanding. The commenter also requested that, if OIG 
approval is included, the regulation identify the number of days in 
which OIG will make an approval decision.
    Response: OIG is responsible for overseeing the efficiency and 
effectiveness of the MFCU program. We believe that OIG would not be 
properly carrying out this responsibility if it did not review and 
approve the data mining agreement between the State MFCU and the State 
Medicaid agency. As part of that review, OIG will examine whether MFCUs 
have both the technical infrastructure and adequate staffing to conduct 
data mining and whether they have procedures in place to coordinate 
data mining projects with State Medicaid agency staff. Also, because of 
the role and experience of CMS in overseeing the State Medicaid 
agencies, we believe that consultation with CMS is necessary.
    We agree that OIG should review data mining requests in an 
expeditious manner. We are therefore adding to the final regulation a 
90-day period during which OIG will review and respond to a MFCU's 
request for data mining approval or the request will be considered 
approved if OIG fails to respond within the 90-day review period. This 
review period is comparable to the timeframes that CMS follows for 
Medicaid State plan approvals and would provide sufficient time for OIG 
to review and consult with CMS on the proposed data mining plan. Should 
OIG need additional information, a written request by OIG to the MFCU 
would extend the review period for another 90 days, beginning on 
receipt by OIG of the MFCU's response. We will finalize the requirement 
that OIG, in consultation with CMS, must approve a MFCU's data mining 
agreement with the State Medicaid agency and add a 90-day period for 
OIG to respond to the MFCU's request for approval, with an extension of 
90 additional days if OIG sends a written request for further 
information.

F. Burden on State Medicaid Agency Staff

    Comment: A commenter expressed concern that the wording of the 
background to the proposed rule was vague regarding involvement by 
State Medicaid agencies, and it suggested that undue burdens might be 
imposed on Medicaid agency staff. The commenter was concerned that data 
mining by MFCUs will place undue burdens on already strapped State 
resources and will inhibit current program integrity efforts. The 
commenter proposed alternative wording to emphasize that data mining 
projects would be conducted entirely by MFCU staff and that Medicaid 
agency staff would operate in a support role.
    Response: We do not believe that MFCU data mining should burden 
State Medicaid agency staff or interfere with their independent program 
integrity efforts. The commenter did not suggest changes to the 
proposed regulation itself. The text of the final regulation will 
require a MFCU that engages in data mining to describe in its 
negotiated agreement with the State Medicaid agency both the methods of 
coordination with the Medicaid agency as well as how the MFCU will 
obtain training in data mining techniques.
    We agree that MFCU data mining will be conducted entirely by MFCU 
staff and that State agency staff will operate in a supporting role. 
MFCU data mining will not inhibit current program integrity efforts 
since the MFCU's

[[Page 29059]]

activities will be separate from current program integrity efforts and 
should not interfere with ongoing efforts by the Medicaid agency to 
identify aberrant payments. Moreover, consistent with the agreement 
between the MFCU and State agency, the Medicaid agency's supporting 
role should not impose an undue burden on State agency resources. The 
Medicaid agency should already work closely with the MFCU in 
coordinating administrative actions and in providing programmatic and 
policy information to the MFCU. The Medicaid agency may serve as a 
source of training for the MFCU in data mining techniques, but there 
are other sources of such training so this should also not present an 
undue burden on the Medicaid agency. Finally, we note that if the 
Medicaid agency and the MFCU are not currently working in a 
collaborative and efficient manner, this could be the basis for denying 
a MFCU's request to conduct data mining.

G. Effects of Data Mining on Providers

    Comment: One commenter noted that OIG should require State Medicaid 
programs to describe how providers may challenge the results of data 
mining. The commenter also asked that OIG allow FFP for provider 
outreach and education by MFCU staff.
    Response: OIG does not establish requirements for State Medicaid 
agencies, and we do not agree that a MFCU should set up a special 
process to permit providers to question or challenge a fraud 
investigation undertaken as a result of data mining. A provider would 
have the same legal ability to defend himself or herself in an 
investigation or prosecution undertaken by a MFCU whether it was the 
result of data mining or another source of referrals to the MFCU. 
Moreover, we do not believe that it is within the scope of this 
regulation, or within our general oversight authority, to dictate to 
States how their legal systems would allow for providers to challenge a 
particular investigation or case.
    OIG recognizes that provider outreach and education may be useful 
and important and that many State Medicaid agencies have established 
provider education and outreach programs for which FFP is available. We 
would encourage MFCU staff to assist State Medicaid agencies, as part 
of their coordinating efforts, in outreach and education directed 
toward fraud detection and prevention.
    Comment: Another commenter raised a concern about overlap and 
duplication among Medicare and Medicaid entities, such as CMS 
contractors, which may audit and investigate some of the same providers 
and situations. The commenter asked that OIG carefully monitor data 
mining activities to safeguard Federal programs and avoid unduly 
burdening providers.
    Response: It is outside the scope of this regulation to establish 
monitoring requirements for audit activities of State Medicaid programs 
or of Federal entities, such as CMS contractors, mentioned by the 
commenter. In the final rule implementing the Medicaid Recovery Audit 
Contractor (RAC) program (76 FR 57808 (September 16, 2011)), CMS noted 
that State Medicaid agencies are required to coordinate auditing 
efforts and to make referrals of suspected fraud and/or abuse to the 
MFCU or other appropriate law enforcement agency. In this final rule, 
OIG has provided that State MFCUs must coordinate data mining 
activities with State Medicaid agencies to ensure that Medicaid 
policies are well understood by the MFCU, that data mining strategies 
are not duplicative, and that MFCUs are aware of any program integrity 
reviews by State agencies that may involve the same provider or 
category of providers. However, we want to again make clear that we do 
not intend that this coordination will interfere with MFCUs' 
investigative independence. Audits or administrative reviews by a State 
Medicaid agency, or a State or Federal audit or program integrity 
contractor, may not prevent a MFCU from initiating, carrying out, or 
completing a fraud investigation or prosecution that may result from 
data mining.

H. Coordination With Managed Care Organizations

    Comment: Several commenters recommended that the regulation be 
expanded to require that MFCUs coordinate their data mining activities 
with Medicaid managed care organizations, if appropriate, for a 
particular State.
    Response: Our general approach to data mining by MFCUs is to give 
each MFCU the autonomy to choose how to operate its programs based on 
the needs and priorities of each State. While we have required each 
MFCU to describe its coordination with its State Medicaid agency if the 
MFCU intends to conduct data mining, we regard this coordination as an 
indispensable element for data mining to be successful. Coordination 
with managed care plans may be an effective practice in certain States. 
However, we believe this determination should be made by the MFCU, in 
consultation with the State Medicaid agency and in the context of other 
data mining priorities, and we will therefore not require it of all 
MFCUs.

I. Experience With Health Care Data Mining

    Comment: A commenter recommended that OIG require data miners to 
have experience and expertise with health care claims data mining and 
recommended certain data elements and data mining techniques to enhance 
effectiveness of MFCU activities.
    Response: We agree that MFCU staff engaged in data mining should 
have the requisite training to effectively conduct data mining 
projects. For this reason, we have established in the regulation a 
condition that MFCU employees engaged in data mining receive 
specialized training in data mining techniques. To the extent that the 
commenter is suggesting that MFCUs employ specific individuals with a 
particular background in data mining, we are not imposing this as a 
requirement. We believe that MFCUs can determine their own staffing 
needs as they do for the other professional activities in which they 
engage.
    With respect to data mining techniques, we believe that data mining 
approaches should be selected by the MFCU, in consultation with the 
State Medicaid agency and in light of the particular needs, priorities, 
and systems in that State. We will therefore not require the use of any 
specific data mining technologies or approaches.

IV. Regulatory Impact Statement

A. Regulatory Analysis

    We have examined the impact of this final rule as required by 
Executive Orders 12866 and 13563, the Unfunded Mandates Reform Act of 
1995, and the Regulatory Flexibility Act of 1980 (RFA) (Pub. L. 96-
354).
Executive Orders 12866 and 13563
    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, when 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health, and safety effects; distributive impacts; and equity). 
Executive Order 13563 emphasizes the importance of quantifying both 
costs and benefits, of reducing costs, of harmonizing rules, and of 
promoting flexibility. A regulatory impact analysis must be prepared 
for major rules with economically significant effects ($136 million or 
more in any given year). We believe that the aggregate impact of this

[[Page 29060]]

rule does not reach this ``economically significant'' threshold, and 
thus, is not considered a major rule.
1. Estimated Impact on Medicaid Program Expenditures
    We estimate below the impact of this rule on Medicaid expenditures 
over the next 10 years, including both Federal and State expenditures. 
These estimates are based on the following: MFCU grant award amounts, 
expenditures and recoveries from FY 2007-2012 reported to OIG; 
information from a Florida MFCU project that commenced in 2010 under 
which the Unit conducts data mining as part of a demonstration waiver 
approved by the Secretary; State Program Integrity Assessment provided 
to CMS from FY 2007 to FY 2010; and results from a 2009 National Health 
Policy Forum presentation ``Prevention and Early Detection of Health 
Care Fraud, Waste, and Abuse'', which reported data from Independence 
Blue Cross's use of data mining for their benefit plans.
    Based on analysis of the information and data described above, we 
estimated the potential rate of return on MFCU data mining activities. 
Table 1 contains the estimates for the total cost of data mining, total 
recoveries as a result of data mining, and net total impact. Table 1 
also includes costs, recoveries, and net impact for both Federal and 
State levels. We refined our estimates to account for the likelihood 
that data mining would not provide any recoveries in the first year and 
a limited amount of recoveries in the second year. Table 1 assumes a 
medium rate of State MFCU participation in data mining activities 
(40%), a medium rate of return on data mining activities ($6.90 per $1 
spent), and 33% of recoveries in the second year. The net Federal 
impact is savings of $34.3 million from FY 2014-FY 2023.

                            Table 1--Estimated Impact on Medicaid Expenditures and Recoveries for MFCU Data Mining Activities
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                           2014      2015      2016      2017      2018      2019      2020      2021      2022      2023     2014-2023
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total Cost.............................      $1.1      $1.1      $1.2      $1.2      $1.2      $1.2      $1.3      $1.3      $1.3      $1.4        $12.3
Total Recoveries.......................      $0.0     -$2.6     -$8.0     -$8.2     -$8.4     -$8.6     -$8.8     -$8.9     -$9.1     -$9.3       -$71.9
Net Total Impact.......................      $1.1     -$1.5     -$6.9     -$7.0     -$7.2     -$7.3     -$7.5     -$7.7     -$7.8     -$8.0       -$59.8
Federal Cost...........................      $0.8      $0.9      $0.9      $0.9      $0.9      $0.9      $1.0      $1.0      $1.0      $1.0         $9.3
Federal Recoveries.....................      $0.0     -$1.6     -$4.9     -$5.0     -$5.1     -$5.2     -$5.3     -$5.4     -$5.5     -$5.6       -$43.6
Net Federal Impact.....................      $0.8     -$0.7     -$4.0     -$4.1     -$4.2     -$4.3     -$4.3     -$4.4     -$4.5     -$4.6       -$34.3
State Cost.............................      $0.3      $0.3      $0.3      $0.3      $0.3      $0.3      $0.3      $0.3      $0.3      $0.3         $3.0
State Recoveries.......................      $0.0     -$1.0     -$3.2     -$3.2     -$3.3     -$3.4     -$3.5     -$3.6     -$3.6     -$3.7       -$28.5
Net State Impact.......................      $0.3     -$0.8     -$2.9     -$2.9     -$3.0     -$3.1     -$3.2     -$3.2     -$3.3     -$3.4       -$25.5
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note: all figures in millions of dollars; totals may not add due to rounding.

2. Estimated Impact on Industry
    We estimate that MFCU data mining will likely have a limited impact 
on the health care industry. We believe that the total number of fraud 
investigations of providers would increase only to the extent that the 
MFCUs receive additional budget authority from the States to seek an 
expansion of their operations. Therefore, to the extent that there is 
any economic impact, we believe that potential costs to the health care 
industry will be minimal and will be surpassed by savings of Federal 
and State dollars.
3. Unfunded Mandates Reform Act
    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 
U.S.C. 1531-1538) establishes requirements for Federal agencies to 
assess the effects of their regulatory actions on State, local, and 
tribal governments and the private sector. Under UMRA, agencies must 
assess a rule's anticipated costs and benefits before issuing any rule 
that may result in aggregate costs to State, local, or tribal 
governments, or the private sector, of greater than $100 million in 
1995 dollars (currently adjusted to $139 million). This final rule does 
not impose any Federal mandates on any State, local, or tribal 
government or the private sector within the meaning of UMRA, and thus a 
full analysis under UMRA is not necessary.
4. Regulatory Flexibility Act
    The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) 
generally requires an agency to conduct a regulatory flexibility 
analysis of any rule subject to notice and comment rulemaking 
requirements unless the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities. 
For the purposes of RFA, small entities include small businesses, 
certain nonprofit organizations, and small government jurisdictions. 
Individuals and States are not included in this definition of a small 
entity. This final rule would revise regulations that prohibit State 
MFCUs from using Federal matching funds to conduct ``efforts to 
identify situations in which a question of fraud may exist, including 
the screening of claims, analysis of patterns of practice, or routine 
verification with beneficiaries of whether services billed by a 
provider were actually received.'' These revisions impose no 
significant economic impact on a substantial number of small entities. 
Therefore, the undersigned certifies that this rule will not have a 
significant impact on a substantial number of small entities.
5. Executive Order 13132
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on State and local Governments, 
preempts State law, or otherwise has Federalism implications. Since 
this regulation does not impose any costs on State or local 
Governments, preempt State or local law, or otherwise have Federalism 
implications, the requirements of Executive Order 13132 are not 
applicable.

B. Paperwork Reduction Act

    In the proposed rule, pursuant to the Paperwork Reduction Act, we 
solicited public comments for 60 days on each of the following issues 
regarding information collection requirements (ICRs). No comments were 
received on these issues. For the purpose of this final rule, we are 
soliciting public comment for 30 days for the following sections of 
this rule regarding ICRs:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency;
     the accuracy of our estimate of the information collection 
burden;
     the quality, utility, and clarity of the information to be 
collected; and
     recommendations to minimize the information collection 
burden on the

[[Page 29061]]

affected public, including automated collection techniques.
1. ICRs Regarding the Annual Report (Sec.  1007.17)
    Section 1007.17 states that all costs expended in a given year by 
MFCUs attributed to data mining activities must be included as part of 
their existing annual report, including the amount of staff time 
devoted to data mining activities; the number of cases generated from those 
activities; the outcome and status of those cases, including the 
expected and actual monetary recoveries (both Federal and non-Federal 
share); and any other relevant indicia of return on investment from 
such activities.
    The burden associated with the requirements in 1007.17 is expected 
to be minimal because MFCUs have existing systems in place to track 
their activities, including costs, staff time, and status and outcomes. 
The burden associated with this requirement is the time and effort 
necessary to track and calculate information to be included in their 
annual report. We estimate that it will take each state approximately 
one additional hour per year to comply with these requirements. We 
arrived at this estimate after consulting with Florida's MFCU, which 
has had a waiver to conduct data mining since 2010. We estimate that MFCU 
participation in data mining activities will be at a ``medium'' level, 
or at about 20 units. The burden associated with the existing annual 
report requirement contained in Sec.  1007.17 is approved under 
existing OMB Control Number (OCN) 0990-0162.
    Table 2 indicates the paperwork burden associated with the 
requirements of this final rule.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                Burden per                       Hourly labor     Total labor
                   Regulation section                     OMB Control No.    Respondents     Responses per       response       Total annual       cost of          cost of       Total cost ($)
                                                                                               respondent        (hours)      burden  (hours)   reporting  ($)     reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1007.17.................................................       0990-0162               20                1               88             1760            23.39          102,916          102,916
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please submit any comments you may have on these information 
collection and recordkeeping requirements to the Office of Information 
and Regulatory Affairs, Office of Management and Budget, Attention: OIG 
Desk Officer, [OIG-1203-F], Fax: (202) 395-5806; or Email: OIRA-submission@omb.eop.gov.

List of Subjects in 42 CFR Part 1007

    Administrative practice and procedure, Fraud, Grant programs--
health, Medicaid, Reporting and recordkeeping requirements.

    For the reasons set forth in the preamble, OIG amends 42 CFR part 
1007, as set forth below:

PART 1007--[AMENDED]

1. Revise the authority citation to part 1007 to read as follows:

    Authority:  42 U.S.C. 1396b(a)(6), 1396(b)(3), 1396b(q), and 
1302.

2. In Sec.  1007.1, add in alphabetical order, the definition for 
``data mining'' to read as follows:


Sec.  1007.1  Definitions.

* * * * *
    Data mining is defined as the practice of electronically sorting 
Medicaid or other relevant data, including but not limited to the use 
of statistical models and intelligent technologies, to uncover patterns 
and relationships within that data to identify aberrant utilization, 
billing, or other practices that are potentially fraudulent.
* * * * *

3. In Sec.  1007.17, add paragraph (i) to read as follows:


Sec.  1007.17  Annual report.

* * * * *
    (i) For those MFCUs approved to conduct data mining under Sec.  
1007.20, all costs expended that year by the MFCU attributed to data 
mining activities; the amount of staff time devoted to data mining 
activities; the number of cases generated from those activities; the 
outcome and status of those cases, including the expected and actual 
monetary recoveries (both Federal and non-Federal share); and any other 
relevant indicia of return on investment from such activities.

4. In Sec.  1007.19, revise paragraph (e)(2) to read as follows:


Sec.  1007.19  Federal financial participation (FFP).

* * * * *
    (e) * * *
    (2) Routine verification with beneficiaries of whether services 
billed by providers were actually received, or, except as provided in 
Sec.  1007.20, efforts to identify situations in which a question of 
fraud may exist, including the screening of claims and analysis of 
patterns of practice that involve data mining as defined in Sec.  
1007.1;
* * * * *

5. Add Sec.  1007.20 to read as follows:


Sec.  1007.20  Circumstances in which data mining is permissible and 
approval by HHS Office of Inspector General.

    (a) Notwithstanding Sec.  1007.19(e)(2), a MFCU may engage in data 
mining as defined in this part and receive Federal financial 
participation only under the following conditions:
    (1) The MFCU identifies the methods of coordination between the 
MFCU and State Medicaid agency, the individuals serving as primary 
points of contact for data mining, as well as the contact information, 
title, and office of such individuals;
    (2) MFCU employees engaged in data mining receive specialized 
training in data mining techniques;
    (3) The MFCU describes how it will comply with paragraphs (a)(1) 
and (2) of this section as part of the agreement required by Sec.  
1007.9(d); and
    (4) The Office of Inspector General, Department of Health and Human 
Services, in consultation with the Centers for Medicare & Medicaid 
Services, approves in advance the provisions of the agreement as 
defined in paragraph (a)(3) of this section.
    (i) OIG will act on a request from a MFCU for review and approval 
of the agreement within 90 days after receipt of a written request or 
the request shall be considered approved if OIG fails to respond within 
90 days after receipt of the written request.
    (ii) If OIG requests additional information in writing, the 90-day 
period for OIG action on the request begins on the day OIG receives the 
information from the MFCU.
    (iii) The approval is for 3 years.
    (iv) A MFCU may request renewal of its data mining approval for 
additional 3-year periods by submitting a written request for renewal 
to OIG, along with an updated agreement with the State Medicaid agency.
    (b) [Reserved]

    Dated: January 2, 2013.
Daniel R. Levinson,
Inspector General.
    Dated: January 17, 2013.
 Kathleen Sebelius,
Secretary, Department of Health and Human Services.
[FR Doc. 2013-11735 Filed 5-16-13; 8:45 am]
BILLING CODE 4152-01-P