[Federal Register Volume 73, Number 188 (Friday, September 26, 2008)]
[Rules and Regulations]
[Pages 55765-55772]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-22693]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 455

[CMS-2271-F]
RIN 0938-AO97


Medicaid Integrity Program; Eligible Entity and Contracting 
Requirements for the Medicaid Integrity Audit Program

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Section 1936 of the Social Security Act (the Act) (as added by 
section 6034 of the Deficit Reduction Act of 2005 (DRA) established the 
Medicaid Integrity Program to promote the integrity of the Medicaid 
program by requiring CMS to enter into contracts with eligible entities 
to: (1) Review the actions of individuals or entities furnishing items 
or services (whether on a fee-for-service, risk, or other basis) for 
which payment may be made under an approved State plan and/or any 
waiver of such plan approved under section 1115 of the Act; (2) audit 
claims for payment of items or services furnished, or administrative 
services rendered, under a State plan; (3) identify overpayments to 
individuals or entities receiving Federal funds; and (4) educate 
providers of services, managed care entities, beneficiaries, and other 
individuals with respect to payment integrity and quality of care.
    This final rule will provide requirements for an eligible entity to 
enter into a contract under the Medicaid integrity audit program. The 
final rule will also establish the contracting requirements for 
eligible entities. The requirements will include procedures for 
identifying, evaluating, and resolving organizational conflicts of 
interest that are generally applicable to Federal acquisition and 
procurement; competitive procedures to be used; and procedures under 
which a contract may be renewed.

DATES: This final rule is effective October 27, 2008.

FOR FURTHER INFORMATION CONTACT: Barbara Rufo, 410 786-5589 or Crystal 
High, 410-786-8366.

SUPPLEMENTARY INFORMATION:

I. Background

A. Current Law

    States and the Federal government share in the responsibility for 
safeguarding Medicaid program integrity. States must comply with 
Federal requirements designed to ensure that Medicaid funds are 
properly spent (or recovered, when necessary). CMS is the primary 
Federal agency responsible for providing oversight of States' Medicaid 
activities and facilitating their program integrity efforts.

B. Medicaid Integrity Program

    Section 6034 of the Deficit Reduction Act (DRA) of 2005 (Pub. L. 
109-171, enacted on February 8, 2006) added a new section 1936 to the 
Act that established the Medicaid Integrity Program, referenced as the 
``Program'' hereafter, to combat Medicaid fraud and abuse. The Program 
is intended to identify, recover, and prevent Medicaid overpayments. It 
is also intended to support the efforts of the State Medicaid agencies 
through a combination of support and technical assistance.
    Although individual States work to ensure the integrity of their 
respective Medicaid programs, the Program represents CMS' first 
national strategy to detect and prevent Medicaid fraud and abuse. The 
Program will provide CMS with the ability to more directly ensure the 
accuracy of Medicaid payments and to deter those who would exploit the 
program.
    Section 6034 of the DRA amended title XIX of the Act by 
redesignating the former section 1936 as section 1937; and adding the 
new 1936 ``Medicaid Integrity Program.'' The new section 1936 states 
the Secretary will promote the integrity of the Medicaid program by 
entering into contracts with eligible entities to carry out the 
following activities:
     Review of actions of individuals or entities furnishing 
items or services (whether on a fee-for-service, risk, or other basis) 
for which payment may be made under the State plan approved under title 
XIX (or under any waiver of such plan approved under section 1115 of 
the Act) to determine whether fraud, waste, or abuse has occurred, or 
is likely to occur, or whether such actions have a potential for 
resulting in an expenditure of funds under title XIX in a manner which 
is not intended under the provisions of title XIX.
     Audit of claims for payment for items or services 
furnished, or administrative services rendered, under a State plan 
under title XIX, including cost reports, consulting contracts, and risk 
contracts under section 1903(m) of title XIX.
     Identification of overpayments to individuals or entities 
receiving Federal funds under title XIX.
     Education of providers of services, managed care entities, 
beneficiaries, and other individuals with respect to payment integrity 
and quality of care.
    Section 1936 of the Act also mandates that the Secretary will, by 
regulation, establish procedures which will include the following:
     Procedures for identifying, evaluating, and resolving 
organizational conflicts of interest that are generally applicable to 
Federal acquisition and procurement.
     Competitive procedures to be used when entering into new 
contracts under this section; when entering into contracts that may 
result in the elimination of responsibilities under section 202(b) of 
the Health Insurance Portability and Accountability Act of 1996; and 
any other time considered appropriate by the Secretary.
     Procedures under which a contract under this section may 
be renewed without regard to any provision of law requiring competition 
if the contractor has met or exceeded the performance requirements 
established in the current contract.
    CMS has determined not to address in this final rule the above 
bullet that references the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA). We have determined that section 
202(b) of HIPAA addressed certain Medicare contracting issues which, 
because of structural differences between the Medicare and Medicaid 
programs, such as the fact that the Federal Government does not utilize 
carriers or fiscal intermediaries in the Federal administration of the 
Medicaid program, do not pertain to the Medicaid contracting 
environment. Moreover, we have also determined that the provisions of 
the Act established by section 202(b) of HIPAA have since been repealed 
by section 911 of the Medicare Prescription Drug, Improvement, and 
Modernization Act of 2003.

[[Page 55766]]

C. Medicaid Integrity Audit Program Contract Overview

    The Medicaid Integrity Audit Program will use three separate 
Indefinite-Delivery Indefinite Quantity (IDIQ) contracts to achieve the 
goals identified above. These contracts include the following: Audit 
and Identification of Overpayment Medicaid Integrity Contractor (Audit 
MIC), Review or Provider MIC (Review MIC) to five contractors, and 
Education MIC.
    CMS has awarded two of the three IDIQ contracts to Medicaid 
Integrity Contractors (MICs) to carry out the Secretary's mandated 
activities described above. In December 2006, CMS awarded Audit MIC 
IDIQ contracts to five contractors and awarded the Review MIC IDIQ 
contracts to five contractors. The Education MIC is yet to be awarded. 
The IDIQ contracts will be managed by task orders. Each of the MIC IDIQ 
contractors will have the opportunity to bid for task orders 
authorizing specific work within the scope of the appropriate IDIQ 
contract. To date, one task order has been awarded to an Audit MIC and 
one to a Review MIC. In addition to the requirements described in the 
IDIQ contract, the task order statement of work provides further 
clarification and specifics as to the work to be performed.
    CMS is planning to release individual task orders for five 
jurisdictions, which are comprised of two CMS Regions, as well as for 
identified special initiatives. When requesting task order proposals, 
CMS provided protocols to the Audit MICs to use during the course of an 
audit. The protocols, which were developed by contractor, provide 
specific guidelines and audit steps that each Audit MIC will follow 
during an audit. This will help ensure that audits are conducted in a 
uniform manner among the Audit MICs and across the five jurisdictions. 
In an effort to ensure that the protocols concisely and accurately 
describe the auditing process, CMS had the protocols reviewed and 
tested by a separate CMS contractor. Having a separate CMS contractor 
review the protocols eliminated the potential of conflict of interest 
that may have occurred had the development contractor reviewed and 
tested the protocols.
    Auditing is scheduled to begin in mid-June 2008 with the Atlanta 
jurisdiction which is comprised of CMS Regions II and IV. With the 
first task order, the Review MIC will initially concentrate on CMS' 
Region IV, the Atlanta Region; the Audit MIC will concentrate on CMS' 
Region III and IV, the Atlanta and Philadelphia Region.

II. Provisions of the Proposed Regulations and Responses to Comments

Eligible Entity and Contracting Requirements for the Medicaid Integrity 
Audit Program

    Section 6034 of the DRA of 2005 (DRA) amended title XIX of the Act 
by establishing, under the new section 1936, the Medicaid Integrity 
Program to promote the integrity of the Medicaid program by requiring 
CMS to enter into contracts with eligible entities to: (1) Review the 
actions of individuals or entities furnishing items or services 
(whether on a fee-for-service, risk, or other basis) for which payment 
may be made under an approved State plan and/or any waiver of such plan 
approved under section 1115 of the Act; (2) audit claims for payment of 
items or services furnished, or administrative services rendered, under 
a State plan; (3) identify overpayments to individuals or entities 
receiving Federal Medicaid funds; and (4) educate providers of 
services, managed care entities, beneficiaries, and other individuals 
with respect to payment integrity and quality of care.
    In the proposed rule we provided requirements for which an entity 
is eligible to enter into a contract under the Medicaid integrity audit 
program. The requirements would include procedures for identifying, 
evaluating, and resolving organizational conflicts of interest that are 
generally applicable to Federal acquisition and procurement; 
competitive procedures to be used; and procedures under which a 
contract may be renewed.
    In the November 23, 2007 Federal Register (72 FR 65686), we 
published the proposed rule entitled ``Medicaid Integrity Program; 
Eligible Entity and Contracting Requirements for the Medicaid Integrity 
Audit Program,'' and provided for a 30 day public comment period. We 
received a total of 3 timely comments from State government agencies 
and a health care association. Brief summaries for each proposed 
provision, a summary of the public comments we received, and our 
responses to comments are set forth below.
General Comments
    Comment: One commenter indicated that although they support the 
provisions of this proposed rule, they believe the rule does not 
sufficiently establish requirements for the MICs to ensure their work 
is carried out in an efficient, effective, and defensible manner. The 
commenter also stated that the proposed rule does not address methods 
of assuring coordination between the Medicaid integrity functions and 
existing programs already on-going in the States. In addition, the 
commenter notes that the proposed rule does not address how to prevent 
duplication of efforts or prevent multiple audits related to the same 
time period or same claims.
    Response: The Medicaid Integrity Group (MIG), a component within 
CMS which has been created in order to carry out the Medicaid Integrity 
Program, will coordinate and communicate with its stakeholders in an 
effort to prevent duplication of efforts. In addition, the MIG will 
closely monitor the performance of the MICs. The roles and 
responsibilities of the MICs are further defined within the IDIQ 
contract as well as each task order. In addition, the MICs have been 
provided with protocols to help guide them through the audit process. 
The Audit MICs are responsible for performing comprehensive and focused 
audits. The goal of the audits is to examine payments to individuals or 
entities providing items or services under title XIX of the Act for the 
purposes of identifying potential overpayments to those individuals or 
entities. The Review MICs are responsible for performing reviews of 
providers furnishing Medicaid items or services to determine whether 
Medicaid fraud, waste, or abuse has occurred, is likely to occur, or 
whether Medicaid provider actions have the potential of causing 
inappropriate or incorrect expenditure of Medicaid funds. The Review 
MICs are also responsible for analyzing data and performing risk 
assessments of Medicaid data including, but not limited to, claims for 
payment under title XIX of the Act. The Education MICs will be 
responsible for promoting the integrity of the Medicaid program by 
educating providers of services, managed care entities, and other 
individuals with respect to Medicaid payment and quality of care.
Subpart C--Medicaid Integrity Audit Program
Section 455.200 Basis and Scope
    In the proposed Sec.  455.200 we set forth the statutory basis, 
section 1936 of the Act, for promulgating this rule. We proposed, in 
subpart C, Sec.  455.200(b), Basis and Scope, additional language 
stating that part of the Medicaid Integrity Program's scope is to carry 
out the Medicaid integrity audit functions. CMS also published a final 
rule in the Federal Register on November 30, 2007 (72 FR 67653), 
entitled ``Limitation on Contractor Liability'' that finalized the 
portion of our proposed rule addressing

[[Page 55767]]

the limitation on a contractor's liability to carry out a contract 
under the Medicaid Integrity Program. In addition, subpart C would 
apply to entities that seek to compete for, or receive an award of, a 
contract under section 1936 of the Act.
    Comment: A commenter expressed concern that the proposed rule fails 
to recognize the respective roles of State Medicaid Agencies and 
Medicaid Fraud Control Units. The commenter additionally stated the 
proposed rule is silent on the respective roles of the States and the 
new contractors and silent on any coordination of effort between the 
eligible entities and the States. The commenter recommended that the 
rule be expanded to clarify the relationship between the States and any 
contracted entities, including the plan for coordination of effort and 
addressing individual State plan provisions.
    Response: This final rule is not designed to discuss the roles of 
State Medicaid Agencies and Medicaid Fraud Control Units. There are 
however, regulations set forth in 42 CFR part 455--Program Integrity: 
Medicaid, that address the relationships with States. These 
regulations, which will remain in effect, at Sec.  455.21, describe the 
cooperation with State Medicaid Fraud Control Units and the provisions 
at Sec.  455.12 address State plan requirements. In addition, when 
conducting the audits, the Audit MICs will utilize established 
protocols that provide guidance on how the MICs are to coordinate with 
the individual States.
Section 455.230 Eligibility Requirements
    In Sec.  455.230 we described that an eligible entity may enter 
into a Medicaid integrity audit program contract if it:
     Has demonstrated the capability to carry out the 
contractor activities;
     In carrying out such activities, agrees to cooperate with 
the Inspector General of the Department of Health and Human Services, 
the Attorney General, and other law enforcement agencies, as 
appropriate, in the investigation and deterrence of fraud and abuse in 
relation to title XIX and in other cases arising out of such 
activities;
     Maintains an appropriate written code of conduct and 
compliance policies that include, without limitation, an enforced 
policy on employee conflicts of interest;
     Complies with such conflict of interest standards are 
generally applicable to Federal acquisition and procurement; and,
     Meets other requirements the Secretary may impose.
    It would not be possible to identify in this rule every possible 
contractor requirement that may appear in a future solicitation. In 
order to permit maximum flexibility to tailor our contractor 
eligibility requirements to specific solicitations while satisfying 
section 1936 of the Act, any additional requirements would be contained 
in the applicable solicitation.
    Comment: A commenter strongly recommended that the MIC utilize 
medical directors from the outset of claims reviews and that complex 
medical decisions made by physician specialists and specialized mid-
level providers be reviewed by a physician from a like specialty.
    Another commenter suggested that this section be amended by 
clarifying the categories of entities eligible to perform the audit 
functions. For example, the commenter inquired as to whether State 
Medicaid agencies would qualify, and addressed the potential conflict 
of interest that may arise if a MIC already acts as a fiscal agent in 
one or more States and/or performs key Medicaid administrative 
functions including, but not limited to, claims adjudication, provider 
enrollment, pharmacy benefits management, etc.
    Response: The Audit MICs are required, as described in the IDIQ 
contract, to have as key personnel a medical director. The Audit MICs 
are to ensure that questions of medical necessity are reviewed by 
physicians with appropriate expertise.
    A State Medicaid Agency will not be able to operate as a MIC. We 
adhered to the requirements of the Federal Acquisition Regulation (FAR) 
organizational conflict of interest requirements found at 48 CFR 
subpart 9.5 when soliciting contracts for the Medicaid Integrity 
Program.
Section 455.232 Medicaid Integrity Audit Program Contractor Functions
    In Sec.  455.232 we identified the functions of the Medicaid 
integrity audit program contractor as follows:
     Review of the individual actions or entities furnishing 
items or services (whether on a fee-for-service, risk, other basis) for 
which payment may be made under a State Plan approved under title XIX 
(or under any waiver of such plan approved under section 1115 of the 
Act) to determine whether fraud, waste, or abuse has occurred, is 
likely to occur, or whether such actions have the potential for 
resulting in an expenditure of funds under title XIX in a manner which 
is not intended under the provisions of title XIX.
     Audit of claims for payment for items or services 
furnished or administrative services rendered, under a State plan under 
title XIX, including cost reports; consulting contracts; and risk 
contracts under section 1903(m) of the Act.
     Identification of overpayments to individuals or entities 
receiving Federal funds under title XIX.
     Educating providers of service, managed care entities, 
beneficiaries, and other individuals with respect to payment integrity 
and quality of care.
    Comment: Several commenters indicated there is no direction on how 
the contractors should coordinate with existing State Medicaid 
integrity programs and Medicaid Fraud Control Units. They expressed 
concern that this will result in duplication of efforts and possible 
interference with State program integrity investigations. One commenter 
recommended that we add a bullet to read: Coordinate any provider 
specific action outlined above including but not limited to, claim 
audits, other audits, overpayment recoveries and provider education 
with appropriate State Medicaid agency, before, during and after the 
action. Another commenter questioned how the contractors will 
coordinate with the State surveillance and utilization review (SUR) 
functions; how the contractors will be assigned their integrity cases; 
how the source data will be used by contractors to determine audit 
targets; whether the contactors be allowed to access the Medicaid 
Management Information Systems (MMIS); who will perform the data 
analysis; and to whom the contractor will refer suspicion of fraud 
cases.
    Response: As previously stated under the Background section C. 
Medicaid Integrity Program Contract Overview, CMS has awarded two IDIQ 
contracts each of which are managed by task orders. When CMS released 
the request for task order proposal for the Audit MICs, CMS issued 
protocols to which the Audit MICs must adhere to when performing 
audits. The protocols provide specific guidance as to how the Audit 
MICs are to coordinate and communicate with State agencies. The task 
order instructs the Audit MICs to refer any instances of potential 
cases of fraud to the CMS as well as to the Department of Health and 
Human Services, Office of Inspector General (OIG). The task order 
further defines the Audit MIC roles and responsibilities for 
coordinating with law enforcement. The Review MICs will be responsible 
for performing reviews of providers furnishing Medicaid items or 
services to determine whether Medicaid fraud, waste, or abuse has 
occurred, is likely to occur, or whether provider actions

[[Page 55768]]

have the potential of causing inappropriate or incorrect expenditure of 
Medicaid funds. After performing these reviews, the Review MICs will 
provide their findings to CMS. CMS will provide the Audit MICs with the 
specific providers to be audited. The Review MICs will not perform 
audits.
    Comment: A commenter suggested that the MICs should allow providers 
to track electronically the status of claims. The commenter indicated 
that they have experienced frustration with the Recovery Audit 
Contractors (RAC) demonstration contractor and the lack of 
communication between the RAC and provider regarding the status of 
claims under review and therefore suggested that providing this 
information to the providers will enable them to plan accordingly.
    Response: It is important to note that the RAC is a separate 
program from the Medicaid Integrity Audit Program. The RAC operates 
under different statutory authority and is associated with Medicare and 
not Medicaid. While it is not feasible to implement a system as 
suggested by the commenter, States and providers will have an 
opportunity to comment on the findings of a provider audit before the 
audit is completed and an overpayment is finally and formally 
identified. To minimize the likelihood of duplication of effort, before 
the MIG communicates audit targets to the Audit MICs, the MIG will 
communicate with the State program integrity offices and State Medicaid 
Fraud Control Units, among others, to ensure that a proposed audit does 
not interfere with an ongoing investigation.
    Comment: A commenter stated that the language of the proposed rule 
describing the functions of the contractors was broad and ambiguous. 
The commenter further noted that this language failed to provide 
sufficient guidance by which the intent of the statute can be 
determined, and appears to leave the contractors in a policy-making 
role. The commenter recommended the language be removed or modified to 
make clear the responsibility of the contractors. The commenter 
questions whether there are standard criteria for the contractors to 
use to determine that an action is likely to result in fraud, waste or 
abuse and whether there are specific audit standards that must be 
followed.
    Response: MICs are not policy-making entities. We have outlined the 
MICs' roles and responsibilities not only in the proposed rule, but 
also in the MICs IDIQ contracts as well as in the task orders. The 
Audit MICs have been provided audit protocols, which provide guidance 
on how to conduct audits and which set forth audit standards.
    Comment: A commenter suggested the proposed rule is silent on the 
qualifications of the potential contractors. The commenter also 
questioned whether there will be minimum education and training 
requirements; how performance will be measured; whether there will be 
evaluations and whether the criteria on which they are based will be 
made public; and whether they will be required to show a better return 
on investment than the States.
    Response: The IDIQ contracts specify minimum qualifications that 
the MICs must meet. CMS evaluated the qualifications information 
bidders submitted in selecting the MICs. The MICs are not required to 
show a better return on investment than the States. Although individual 
States work to ensure the integrity of their respective programs, the 
Medicaid Integrity Audit Program provides CMS with the ability to set 
in place a national strategy to ensure the accuracy of Medicaid 
payments and to deter those exploiting the program. This advances goals 
that are shared by the States and Federal government.
    Comment: A commenter expressed concern that it is unclear what 
entity is responsible for collecting the overpayments and defending the 
audit findings, and what appeal process will be followed.
    Response: Pursuant to existing regulations at part 433, Subpart F, 
once CMS formally identifies a Medicaid overpayment, CMS will collect 
the federal share of the overpayment from a State. The individual 
States will be responsible for collecting overpayments from providers. 
Providers may utilize the laws and procedures of the State, including 
State appellate procedures, to challenge findings concerning an 
overpayment. A determination by a State administrative or judicial 
proceeding altering or dismissing a finding of, or relating to, a 
provider overpayment, however, will not necessarily relieve a State of 
the obligation to refund the federal share of CMS' determined 
overpayment. During the audit process, CMS, Audit MIC, and the State 
will confer and discuss the audit findings before CMS formally 
identifies an overpayment.
Section 455.234 Awarding of a Contract
    Section 455.234 would specify that a Medicaid integrity audit 
contract will be awarded in accordance with 48 CFR chapters 1 and 3 
(the Federal Acquisition Regulation (FAR) and the Health and Human 
Services Acquisition Regulation, respectively), this subpart, and all 
other applicable laws and regulations. In accordance with section 1936 
of the Act, we would specify that these competitive procedures and 
requirements will be used as follows:
     When entering into new contracts under this section.
     At any other time considered appropriate by the Secretary. 
In addition, we proposed to specify in Sec.  455.234 that an entity 
must meet the eligibility requirements established in proposed Sec.  
455.230 to become eligible to be awarded a Medicaid integrity audit 
program contract.
    Comment: A commenter stated that although the DRA does not require 
that the contractor be retained on a contingency-fee basis, they would 
caution CMS from using such a compensation scheme. The commenter 
believed tying a contractor's payment to the volume of claims denied 
creates a perverse incentive irrespective of the claims' merits. The 
commenter also suggested that CMS should allow providers to retain 
funds recouped as part of the MIC's work until all avenues of appeal 
are exhausted. The commenter recognized this is not common practice, 
but believes it is within the Secretary's authority to administer the 
recovery program under section 1885 of the Act.
    Response: The Audit MICs will not be compensated on a contingency 
fee basis.
    In response to the comment indicating CMS should allow providers to 
retain monies recouped during the course of appeals, it is important to 
note that the recoupment of overpayments is not the responsibility of 
the MIC, but will remain the responsibility of the State. Whether the 
provider is allowed to retain recouped funds until the appellate 
process is complete will depend on State law. CMS will, however, 
recover from States the Federal share of an overpayment consistent with 
the existing statutory and regulatory requirements. Section 1885 is a 
provision of the Medicare statute, title XVIII of the Act. Section 1885 
does not apply to the Medicaid Integrity Program. The Medicaid statue 
is at title XIX of the Act.
Section 455.236 Renewal of a Contract
    In Sec.  455.236, we proposed that an initial contract term would 
be defined in the Medicaid integrity audit program contract and a 
renewal clause may be included in the contract. We also proposed that 
we may, but are not required to, renew the Medicaid integrity audit 
program contracts without regard to any provision of law requiring 
competition if the contractor

[[Page 55769]]

has met or exceeded the performance requirements established in the 
current contract.
    In accordance with sections 1936(c)(2) and (3) of the Act, we 
proposed in Sec.  455.236(b) that we may renew a Medicaid integrity 
audit program contract without competition if the contractor continues 
to meet all requirements of the proposed subpart C, the contractor 
meets or exceeds the performance requirements established in its 
current contract, and it is in the best interest of the Federal 
Government.
    At Sec.  455.236(a) we proposed that if CMS does not renew a 
contract, the contract would end in accordance with its terms. We also 
proposed that the contractor would not have a right to a hearing or 
judicial review regarding our renewal decision.
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.
Section 455.238 Conflict of Interest
    We proposed to establish at Sec.  455.238 the process for 
identifying, evaluating, and resolving conflicts of interest as 
mandated by section 1936(c)(2) and (3) of the Act. We adhered to the 
requirements of the FAR's organizational conflict of interest 
requirements found at 48 CFR subpart 9.5 when soliciting contracts for 
the Medicaid integrity audit program. Due to the sensitive nature of 
the work to be performed under the contract, the need to preserve 
public trust, and the history of fraud and abuse in the Medicaid 
program, we would maintain the presumption that each prospective 
contract involves a significant potential organizational conflict of 
interest.
    Prior to awarding a Medicaid integrity audit program contract, the 
contracting officer will draft an organizational conflict of interest 
clause specific to the contractor for inclusion in the contract. In 
general we would not enter into a Medicaid integrity audit program 
contract with an offeror or an existing Medicaid integrity audit 
program contractor that has been determined to have, or that has the 
potential for, an unresolved organizational conflict of interest.
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.
Section 455.238(a)
    At Sec.  455.238(a), we proposed that an offeror for a Medicaid 
integrity audit program contract is, and the Medicaid integrity audit 
program contractors are, subject to the conflict of interest standards 
and requirements of the FAR organizational conflict of interest 
guidance found at 48 CFR subpart 9.5, and the requirements and 
standards that are contained in each individual contract awarded to 
perform the functions described under section 1936 of the Act.
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.
Section 455.238(b)
    In Sec.  455.238(b), we proposed to include post award discussions 
in which the contactor will present any later occurring or identified 
conflict of interest to CMS for resolution. We proposed that we would 
consider a post award conflict of interest resolution discussion if, 
during the term of the contract, the contractor or any of its 
employees, agents, or subcontractors received, solicited, or arranged 
to receive any fee, compensation, gift, payment of expenses, offer of 
employment, or any other thing of value from any entity that is 
reviewed, audited, investigated, or contacted during the normal course 
of performing activities under a Medicaid integrity audit program 
contract. We incorporated the definition of ``gift'' from the Standards 
of Ethical Conduct for Employees of the Executive Branch [5 CFR 
2635.203(b)].
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.
Section 455.238(c)
    In Sec.  455.238(c) we proposed that if CMS has determined that a 
contractor's activities are creating a conflict, then a conflict of 
interest has occurred during the term of the contract. We proposed if 
such an event has occurred, among other actions, we may, as we deem 
appropriate:
     Not renew the contract for an additional term;
     Modify the contract; or
     Terminate the contract.
    The proposed rule did not describe all of the information that may 
be required under each task order, or the level of detail that would be 
required. Therefore, we proposed to have the flexibility to tailor the 
requirements to each individual procurement.
    Because potential offerors may have questions about whether 
information submitted in response to a solicitation, including 
information regarding potential conflicts of interest, may be 
redisclosed under the Freedom of Information Act (FOIA), we provided 
the following information. To the extent that a proposal containing 
information is submitted to us as a requirement of a competitive 
solicitation under 41 U.S.C. Chapter 4, Subchapter IV, we proposed to 
withhold the proposal when requested under the FOIA. This withholding 
is based upon 41 U.S.C. 253b(m). However, we proposed one exception to 
this policy. It involves any proposal that is set forth or incorporated 
by reference in the contract awarded to the proposing offeror. Such a 
proposal may not receive categorical protection. Rather, we would 
withhold, under 5 U.S.C. 552(b)(4), information within the proposal 
that is required to be submitted that constitutes trade secrets or 
commercial or financial information that is privileged or confidential, 
provided the criteria established by National Parks & Conservation 
Association v. Morton, 498 F.2d 765 (D.C. Cir 1974), as applicable, are 
met. For any such proposal, we proposed to follow pre-disclosure 
notification procedures set forth at 45 CFR 5.65(d).
    We proposed that proposal containing the information submitted to 
us under an authority other than 41 U.S.C. Chapter 4, Subchapter IV, 
and any information submitted independent of a proposal would be 
evaluated solely on the criteria established by National Parks & 
Conservation Association v. Morton and other appropriate authorities to 
determine if the proposal in whole or in part contains trade secrets or 
commercial or financial information that is privileged or confidential 
and protected from disclosure under 5 U.S.C. 552(b)(4). Again, for any 
such proposal, we proposed to follow pre-disclosure notification 
procedures set forth at 45 CFR 5.65(d) and will also invoke 5 U.S.C. 
552(b)(6) to protect information that is of a highly sensitive personal 
nature. It should be noted that the protection of proposals under FOIA 
does not preclude us from releasing contractor proposals when 
necessitated by law, such as in the case of a lawful subpoena.
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.
Section 455.240 Conflict of Interest Resolution
    We described at Sec.  455.240(a) how a conflict of interest may be 
resolved. We stated that a Conflicts of Interest Review Board may be 
established and convened at any time during the term of the contract, 
as well as during the procurement process, to evaluate and assist the 
contracting officer in resolving conflicts of interest. We proposed to 
determine when or if the Board will be convened.
    We proposed, at Sec.  455.240(b), to specify that a resolution of 
an

[[Page 55770]]

organizational conflict of interest is a determination by the 
contracting officer that:
     The conflict is mitigated;
     The conflict precludes award of a contract to the offeror;
     The conflict requires that we modify an existing contract;
     The conflict requires that we terminate an existing 
contract; or
     It is in the best interest of the Federal Government to 
contract with the offeror or contractor even though the conflict of 
interest exists.
    We discussed an offeror's or contractor's method of mitigating 
conflicts of interest will be evaluated on a case by case basis. We 
provided examples of methods an offeror or contractor may use to 
mitigate organizational conflicts of interest. The examples are not an 
all-inclusive list of possible methods of mitigation nor are we 
obligated to approve a mitigation method that uses one of the provided 
examples. Possible methods of mitigation include:
     Divestiture, or reduction in the amount, of the financial 
relationship the organization has in another organization to a level 
acceptable to us and appropriate for the situation.
     If shared responsibilities create the conflict, a plan, 
subject to our approval, to separate lines of business and management 
or critical staff from work on the Medicaid integrity audit program 
contract.
     If the conflict exists because of the amount of financial 
dependence upon the Federal Government, negotiating a phasing out of 
other contracts or grants that continue in effect at the start of the 
Medicaid integrity audit program contract.
     If the conflict exists because of the financial 
relationships of individuals within the organization, divestiture of 
the relationships by the individual involved.
     If the conflict exists because of an individual's indirect 
interest, divestiture of the interest to levels acceptable to us or 
removal of the individual from the work under the Medicaid integrity 
audit program contract.
    By providing a process for the identification, evaluation, and 
resolution of conflicts of interest, we not only protect the 
government's interests but help to ensure that the contractors do not 
hinder competition in their service areas by misusing their position as 
a Medicaid integrity audit program contractor.
    We did not receive public comments on our proposed provision. 
Therefore, we adopt the provisions as proposed.

III. Provisions of the Final Regulations

    The comments received required no substantive revisions to the 
proposed rule. The comments did, however, ask specific questions or 
asked for clarification on the CMS Medicaid Integrity Audit Program 
processes. We provided responses to the questions and provided 
clarification to other comments. In addition, we inserted, under the 
preamble, ``Section C. Medicaid Integrity Audit Program Contract 
Overview'' in an effort to provide additional clarification to the 
comments. In this final rule we are adopting all of the provisions as 
set forth in the November 23, 2007 proposed rule with the exception of 
several minor editorial changes which that did not result in any policy 
changes.

IV. Regulatory Impact Statement

    We have examined the impact of this rule as required by Executive 
Order 12866 (September 1993, Regulatory Planning and Review), the 
Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), 
section 1102(b) of the Social Security Act, the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4), and Executive Order 13132.
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). A regulatory impact 
analysis (RIA) must be prepared for major rules with economically 
significant effects ($100 million or more in any 1 year). This rule 
will not reach the economic threshold and thus is not considered a 
major rule.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses. For purposes of the RFA, small entities include 
small businesses, nonprofit organizations, and small governmental 
jurisdictions. Most hospitals and most other providers and suppliers 
are small entities, either by nonprofit status or by having revenues of 
$6.5 million to $31.5 million in any 1 year. Individuals and States are 
not included in the definition of a small entity. We are not preparing 
an analysis for the RFA because we certify that this rule will not have 
a significant economic impact on a substantial number of small 
entities.
    In addition, section 1102(b) of the Act requires us to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 603 of the RFA. For 
purposes of section 1102(b) of the Act, we define a small rural 
hospital as a hospital that is located outside of a Core-Based 
Statistical Area and has fewer than 100 beds. We are not preparing an 
analysis for section 1102(b) of the Act because we certify that this 
rule will not have a significant impact on the operations of a 
substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. That threshold 
level is currently approximately $120 million. This final rule will not 
exceed this established threshold level. This rule will not have a 
significant impact on State, local, or tribal governments or on the 
private sector.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule (and subsequent final 
rule) that imposes substantial direct requirement costs on State and 
local governments, preempts State law, or otherwise has Federalism 
implications. Since this regulation will not impose any costs on State 
or local governments, the requirements of E.O. 13132 are not 
applicable.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

V. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995, we are required to 
provide 30-day notice in the Federal Register and solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act 
of 1995 requires that we solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the

[[Page 55771]]

affected public, including automated collection techniques.
    Therefore, we are soliciting public comment on each of these issues 
for the following sections of this document that contain information 
collection requirements:
Section 455.230 Eligibility Requirements
    Section 455.230(c) requires that each entity that has entered into 
a contract with CMS to perform the activities described at 455.232, 
maintain an appropriate written code of conduct and compliance policies 
that include, without limitation, an enforced policy on employee 
conflicts of interest.
    The burden associated with this requirement is the time and effort 
put forth by the entity to prepare and maintain such policies. While 
there is burden associated with this requirement, we believe that the 
burden is exempt from the PRA in accordance with 5 CFR 1320.3(b)(2) 
because the time, effort, and financial resources necessary to comply 
with these requirements would be incurred by persons in the normal 
course of their activities.
    If you comment on these information collection and recordkeeping 
requirements, please mail copies directly to the following:

Centers for Medicare & Medicaid Services, Office of Strategic 
Operations and Regulatory Affairs, Regulations Development and 
Issuances Group, Attn: Melissa Musotto (CMS-2271-F), Room C5-14-03, 
7500 Security Boulevard, Baltimore, MD 21244-1850; and
Office of Information and Regulatory Affairs, Office of Management and 
Budget, Room 10235, New Executive Office Building, Washington, DC 
20503, Attn: OIRA Desk Officer for CMS, (CMS-2271-F), [email protected]. Fax (202) 395-6974.

List of Subjects in Part 455

    Fraud, Grant programs-health, Health facilities, Health 
professions, Investigations, Medicaid, Reporting and recordkeeping 
requirements.


0
For the reasons set forth in the preamble, the Centers for Medicare & 
Medicaid Services amends 42 CFR Chapter IV as set forth below:

PART 455--PROGRAM INTEGRITY; MEDICAID

0
1. The authority citation for part 455 continues to read as follows:

    Authority: Sec. 1102 of the Social Security Act (42 U.S.C. 
1302).


0
2. Section 455.200 is revised to read as follows:


Sec.  455.200  Basis and scope.

    (a) Statutory basis. This subpart implements section 1936 of the 
Social Security Act that establishes the Medicaid Integrity Program, 
under which the Secretary will promote the integrity of the program by 
entering into contracts with eligible entities to carry out the 
activities under this subpart C.
    (b) Scope. This subpart provides for the limitation on a 
contractor's liability to carry out a contract under the Medicaid 
Integrity Program and to carry out the Medicaid integrity audit program 
functions.

0
3. New Sec. Sec.  455.230, 455.232, 455.234, 455.236, 455.238 and 
455.240 are added to read as follows:


Sec.  455.230  Eligibility Requirements.

    CMS may enter into a contract with an entity to perform the 
activities described at Sec.  455.232, if it meets the following 
conditions:
    (a) The entity has demonstrated capability to carry out the 
activities described below.
    (b) In carrying out such activities, the entity agrees to cooperate 
with the Inspector General of the Department of Health and Human 
Services, the Attorney General, and other law enforcement agencies, as 
appropriate, in the investigation and deterrence of fraud and abuse in 
relation to Title XIX of the Social Security Act and in other cases 
arising out of such activities.
    (c) Maintains an appropriate written code of conduct and compliance 
policies that include, without limitation, an enforced policy on 
employee conflicts of interest.
    (d) The entity complies with such conflict of interest standards as 
are generally applicable to Federal acquisition and procurement.
    (e) The entity meets such other requirements the Secretary may 
impose.


Sec.  455.232  Medicaid Integrity Audit Program Contractor functions.

    The contract between CMS and a Medicaid integrity audit program 
contractor specifies the functions the contractor will perform. The 
contract may include any or all of the following functions:
    (a) Review of the actions of individuals or entities furnishing 
items or services (whether on a fee-for-service, risk, or other basis) 
for which payment may be made under a State Plan approved under title 
XIX of the Act (or under any waiver of such plan approved under section 
1115 of the Act) to determine whether fraud, waste, or abuse has 
occurred, is likely to occur, or whether such actions have the 
potential for resulting in an expenditure of funds under title XIX in a 
manner which is not intended under the provisions of title XIX.
    (b) Auditing of claims for payment for items or services furnished, 
or administrative services rendered, under a State Plan under title XIX 
to ensure proper payments were made. This includes: cost reports, 
consulting contracts, and risk contracts under section 1903(m) of the 
Act.
    (c) Identifying if overpayments have been made to individuals or 
entities receiving Federal funds under title XIX.
    (d) Educating providers of service, managed care entities, 
beneficiaries, and other individuals with respect to payment integrity 
and quality of care.


Sec.  455.234  Awarding of a Contract.

    (a) CMS awards and administers Medicaid integrity audit program 
contracts in accordance with acquisition regulations set forth at 48 
CFR chapters 1 and 3, this subpart, and all other applicable laws and 
regulations. These competitive procedures and requirements for awarding 
Medicaid integrity audit program contracts are to be used as follows:
    (1) When entering into new contracts under this section.
    (2) At any other time considered appropriate by the Secretary.
    (b) An entity is eligible to be awarded a Medicaid integrity audit 
program contract only if meets the eligibility requirements established 
in Sec.  455.202, 48 CFR chapter 3, and all other applicable laws and 
requirements.


Sec.  455.236  Renewal of a Contract.

    (a) CMS specifies the initial contract term in the Medicaid 
integrity audit program contract. CMS may, but is not required to, 
renew a Medicaid integrity audit program contract without regard to any 
provision of law requiring competition if the contractor has met or 
exceeded the performance requirements established in the current 
contract.
    (b) CMS may renew a Medicaid integrity audit program contract 
without competition if all of the following conditions are met:
    (1) The Medicaid integrity audit program contractor continues to 
meet the requirements established in this subpart.
    (2) The Medicaid integrity audit program contractor meets or 
exceeds the performance requirements established in its current 
contract.
    (3) It is in the best interest of the government.
    (c) If CMS does not renew a contract, the contract will end in 
accordance with

[[Page 55772]]

its terms. The contractor will not have a right to a hearing or 
judicial review regarding CMS's renewal or non-renewal decision.


Sec.  455.238  Conflict of Interest.

    (a) Offerors for Medicaid integrity audit program contracts, and 
Medicaid integrity audit program contractors, are subject to the 
following requirements:
    (1) The conflict of interest standards and requirements of the 
Federal Acquisition Regulation organizational conflict of interest 
guidance, found under 48 CFR subpart 9.5.
    (2) The standards and requirements that are contained in each 
individual contract awarded to perform activities described under 
section 1936 of the Act.
    (b) Post-award conflicts of interest: CMS considers that a post-
award conflict of interest has developed if, during the term of the 
contract, one of the following occurs:
    (1) The contractor or any of its employees, agents, or 
subcontractors received, solicited, or arranged to receive any fee, 
compensation, gift (defined at 5 CFR 2635.203(b)), payment of expenses, 
offer of employment, or any other thing of value from any entity that 
is reviewed, audited, investigated, or contacted during the normal 
course of performing activities under the Medicaid integrity audit 
program contract.
    (2) CMS determines that the contractor's activities are creating a 
conflict of interest.
    (c) If CMS determines that a conflict of interest exists during the 
term of the contract, among other actions, CMS may:
    (1) Not renew the contract for an additional term.
    (2) Modify the contract.
    (3) Terminate the contract.


Sec.  435.240  Conflict of Interest Resolution.

    (a) Review Board: CMS may establish a Conflicts of Interest Review 
Board to assist in resolving organizational conflicts of interest.
    (b) Resolution: Resolution of an organizational conflict of 
interest is a determination by the contracting officer that:
    (1) The conflict is mitigated.
    (2) The conflict precludes award of a contract to the offeror.
    (3) The conflict requires that CMS modify an existing contract.
    (4) The conflict requires that CMS terminate an existing contract.
    (5) It is in the best interest of the government to contract with 
the offeror or contractor even though the conflict of interest exists 
and a request for waiver is approved in accordance with 48 CFR 9.503.

(Catalog of Federal Domestic Assistance Program No. 93.778, Medical 
Assistance Program)

    Dated: June 18, 2008.
Kerry Weems,
Acting Administrator, Centers for Medicare & Medicaid Services.
    Approved: July 29, 2008.
Michael O. Leavitt,
Secretary.
[FR Doc. E8-22693 Filed 9-25-08; 8:45 am]
BILLING CODE 4120-01-P