WASHINGTON — In yet another blistering report on the Centers for Medicare and Medicaid Services, the Government Accountability Office found that 84.3 percent of the contract awards and modifications made by CMS in 2008 did not include a "key control" that would be a barrier to fraud, waste, abuse and mismanagement.

"We found pervasive deficiencies in internal control over contracting and payments to contractors … The contract-level and overall control environment weaknesses we found significantly increase CMS' vulnerability to improper or wasteful contract payments," the GAO said in its report, "Centers for Medicare and Medicaid Services: Deficiencies in Contract Management Internal Control Are Pervasive," released Nov. 24.

The report added: "CMS also needs to strengthen its overall contract management control environment, including developing strategic workforce plans, establishing appropriate contract management oversight procedures and maintaining reliable management information." The study was based on a sample of 102 contract actions totaling $140.7 million in fiscal 2008.

In its report, the GAO said that among other things, CMS had failed to audit costs, maintain sufficient oversight of contractors, certify invoices and maintain adequate documentation.

The report springs off a 2007 study by the GAO that cited numerous deficiencies in CMS' internal controls. That study recommended several steps to remedy the problems, but in its new report, the GAO noted that CMS had satisfactorily completed only two of the nine proposed actions.

The report also said that in 37.2 percent of the CMS contracts studied, three or more key controls — described as methods and procedures to prevent and detect fraud and errors, such as reviewing an invoice prior to payment — were lacking.

"We found that many of our findings in this review could be, at least in part, attributed to CMS management's lack of attention given to resolving the control deficiencies," the GAO said. Consequently, the agency recommended another 10 actions CMS should take to address the deficiencies, among them monitoring the results of contract audits and evaluations and documentation of the resolution of issues identified during contract reviews.

"The continuing weaknesses in contracting activities and limited progress in addressing known deficiencies raise questions concerning whether CMS management has established an appropriate 'tone at the top' regarding contracting activities," the report concluded. "Until CMS management addresses our previous recommendations in this area, along with taking action to address the additional deficiencies identified in this report, its contracting activities will continue to pose significant risk of improper payments, waste, and mismanagement…

"It is imperative that CMS take immediate action to address its serious contract-level control deficiencies and take action on our previous recommendations to improve contract-level and overall environment controls or CMS will continue to place billions of taxpayer dollars at risk of fraud, or otherwise improper contract payments."

CMS and HHS concurred with the recommendations, the GAO reported, and described steps to implement them. However, CMS disagreed with the GAO's assessment of its actions on the previous report's recommendations and "stated that a reasonable amount of time had not yet elapsed since the issuance of our November 2007 report to allow for corrective actions to have taken place."


The report bolstered the home medical equipment industry's long-held position that CMS has allowed its contractors to be lax in their actions, thus permitting unscrupulous operators to obtain supplier numbers and commit fraud.

Wayne Stanfield, president and CEO of the National Association of Independent Medical Equipment Suppliers, said recently that the answer to fraud in the HME sector is simple: "Don't give supplier numbers to crooks," he said, noting that without a supplier number no one can bill Medicare, let alone get paid by the agency.

Yet, he pointed out, CMS' contractor for issuing supplier numbers persists in giving them to those who do not even have locations or adhere to the other federal standards governing HME providers. "Why is the contractor still issuing supplier numbers after 16 years when every single report that has come out has said that they have failed [to curb fraud and abuse from the front end]?" he asked.

View the full GAO report as a PDF, including the list of corrective actions recommended for CMS to take.