Report: Many High-Risk Medicaid Providers Not Undergoing Critical Background Checks

Eighteen states failed to properly screen high-risk providers before allowing them to receive Medicaid payments by the July 2018 deadline and 13 of those states had not yet complied by Jan. 1, 2019. Those are the findings from a recently released report by the U.S. Department of Health and Human Services Office of Inspector General.

Federal law requires states to screen Medicaid providers according to the risk they pose. This risk-based screening is to take place at the time of enrollment and periodically throughout their enrollment.

States are to place providers into one of three risk categories: high-, moderate-, or limited-risk. States are required to verify licenses and conduct checks of numerous databases. States also much conduct fingerprint-based criminal background checks.

These requirements are nothing new. In fact, CMS initially set a June 2016 deadline for criminal background checks. Because states were having difficulty implementing the requirement, CMS pushed it up to July 2017, at which point as many as 40 states had not yet complied. CMS pushed up the requirement again, this time to July 1, 2018, when the mandate went into effect.

Even after the requirement went into effect, 18 states missed the deadline and 13 of those states had not implemented the checks as of Jan. 1, 2019, according to the report.

The OIG found two loopholes:

  • CMS allows states in certain circumstances to forgo conducting criminal background checks for high-risk providers that Medicare has already enrolled, even though Medicare has not conducted checks on some providers.
  • States’ reliance on high-risk providers to accurately report their ownership information.

With regard to the first loophole, CMS reported that Medicare has yet to conduct criminal background checks on approximately 1,000 high-risk providers, and will not conduct these checks until 2020 or later. And, by allowing states to rely on self-reporting, it’s possible for unscrupulous providers to conceal owners with criminal histories and avoid detection.

“If high-risk providers conceal owners and states have no way to detect these owners, a provider with an owner who has a disqualifying criminal history could enroll in Medicaid,” the report notes.

Despite the fact that CMS has twice extended the deadline for implementation, states continue to report challenges. They include:

Lack of authority at the state level – Three of the states that had not collected fingerprints reported they needed executive or legislative authority before they could move forward.

Lack of resources – One of the states indicated that it lacked resources, i.e. additional staff, to implement background checks.

Delays in determining disqualifying criminal histories – One of the states cited delays in determining which criminal convictions and histories should disqualify providers from enrolling.

OIG noted that while states have made some progress in implementing fingerprint-based criminal background checks, with 35 states now in compliance, problems remain.

The watchdog group made three recommendations as a result:

  • Ensure that all states fully implement fingerprint-based criminal background checks for high-risk Medicaid providers.
  • Amend its guidance so that states cannot forgo conducting criminal background checks on high-risk providers applying for Medicaid that have already enrolled in Medicare, unless Medicare has conducted the checks.
  • Compare high risk Medicaid providers’ self-reported ownership information to Medicare’s provider ownership information to help states identify discrepancies.

CMS concurred with the first recommendation noting that its technical assistance and guidance has resulted in most states implementing fingerprint-based criminal background checks. However, CMS did not concur with the second and third recommendations.

With regard to the second recommendation, CMS stated that it allows states to forgo fingerprint-based background checks on providers that Medicare has enrolled as high-risk, even if Medicare has not completed those checks. CMS said it’s in the process of hiring a contractor to conduct those checks on all remaining providers and believes this is the most effective and least burdensome strategy.

With regard to the second recommendation, CMS stated that many states collect providers’ self-reported ownership information using paper records and that exchanging paper records to implement this recommendation would be a burden on the state and CMS. However, CMS went on to state it would request states with electronic records to use the data matching service that CMS offers which would identify discrepancies in providers’ self-reported ownership information between Medicare and Medicaid.

Medicaid fraud continues to run rampant. According to an OIG report issued in March 2019, Medicaid Fraud Control Units, which are responsible for investigating and prosecuting Medicaid fraud, made $314 million in criminal fraud recoveries and another $545 million in civil recoveries in 2018. OIG says fraud convictions accounted for 73 percent of all convictions between 2014 and 2018 and OIG excluded 974 individuals and entities from participating in federal healthcare programs as a result of those convictions. The OIG maintains a list of those providers who have been excluded.

The Health Law Offices of Anthony C. Vitale can assist providers who have been improperly categorized in terms of risk and who suffer economic hardship as a result. For more information give us a call at 305-358-4500, or send an email to and let’s discuss how we might be able to assist you.

Posted in

The Health Law Offices of Anthony C. Vitale