State Medicaid Fraud Control Units; Data Mining

Federal Register, Volume 78 Issue 96 (Friday, May 17, 2013)

Federal Register Volume 78, Number 96 (Friday, May 17, 2013)

Rules and Regulations

Pages 29055-29061

From the Federal Register Online via the Government Printing Office www.gpo.gov

FR Doc No: 2013-11735

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

42 CFR Part 1007

OIG-1203-F

State Medicaid Fraud Control Units; Data Mining

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends a provision in HHS regulations prohibiting State Medicaid Fraud Control Units (MFCU) from using Federal matching funds to identify fraud through screening and analyzing State Medicaid data, known as data mining. To support and modernize MFCU efforts to effectively pursue Medicaid provider fraud, we finalize proposals to permit Federal financial participation (FFP) in costs of defined data mining activities under specified circumstances. In addition, we finalize requirements that MFCUs annually report costs and results of approved data mining activities to OIG.

DATES: These regulations are effective on June 17, 2013.

FOR FURTHER INFORMATION CONTACT: Richard Stern, Department of Health and Human Services, Office of Inspector General, (202) 619-0480.

SUPPLEMENTARY INFORMATION:

1. Background and Statutory Authority

   In 1977, the Medicare-Medicaid Anti-Fraud and Abuse Amendments (Pub. L. 95-142) were enacted to strengthen the capability of the Government to detect, prosecute, and punish fraudulent activities under the Medicare and Medicaid programs. Section 17(a) of the statute amended section 1903(a) of the Social Security Act (the Act) to provide for Federal participation in the costs attributable to establishing and operating a MFCU. The requirements for operating a MFCU appear at section 1903(q) of the Act. Promulgated in 1978, regulations implementing the MFCU authority appear at 42 CFR part 1007.

   Section 1903(a)(6) of the Act requires the Secretary of Health and Human Services (the Secretary) to pay FFP to a State for MFCU costs ``attributable to the establishment and operation of a MFCU'' and ``found necessary by the Secretary for the elimination of fraud in the provision and administration of medical assistance provided under the State plan.'' Under the section, States receive 90 percent FFP for an initial 3-year period for the costs of establishing and operating a MFCU, including the costs of training, and 75 percent FFP thereafter. Currently, all States with MFCUs receive FFP at a 75-percent rate. In accordance with section 1903(q) of the Act, MFCUs must be separate and distinct from the State's Medicaid agency. For a State Medicaid agency, general administrative costs of operating a State Medicaid program are reimbursed at a rate of 50 percent, although enhanced FFP rates are available for certain activities specified by statute, including those associated with Medicaid management information systems (MMIS).

   Page 29056

   To increase MFCU effectiveness in eliminating Medicaid fraud, this final rule modifies an existing regulatory prohibition on the payment of FFP for activities generally known as data mining. We discuss the reasons for this modification below.

2. Provisions of the Proposed Regulation

   We published a proposed rule in the Federal Register on March 17, 2011 (76 FR 14637), that would permit use of Federal matching funds by MFCUs, under specified conditions, for identification of potential Medicaid fraud through data mining activities.

   Current Federal regulations at 42 CFR 1007.19 specify that State MFCUs are prohibited from using Federal matching funds to conduct ``efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with beneficiaries of whether services billed by providers were actually received.'' The prohibition on Federal matching for ``screening of claims and analysis of patterns of practice'' is commonly interpreted as a prohibition on Federal matching for the costs of data mining by MFCUs. We proposed to amend Sec. 1007.19(e) to provide for an exception to this general prohibition on FFP. We proposed to add a new Sec. 1007.20, that would describe the conditions under which the Federal share of data mining costs would be available to MFCUs. We also proposed to amend Sec. 1007.1 (``Definitions'') by adding a definition of data mining for the purposes of this rule. Finally, we proposed to amend Sec. 1007.17 (``Annual Report'') to include additional reporting requirements by MFCUs to capture costs associated with data mining activities, the outcome and status of those cases, and monetary recoveries resulting from those activities.

   For the purposes of the proposed rule, we used the term ``data mining'' to refer specifically to the practice of electronically sorting Medicaid claims through statistical models and intelligent technologies to uncover patterns and relationships in Medicaid claims activity and history to identify aberrant utilization and billing practices that are potentially fraudulent.

   Data mining has historically been the responsibility of each State Medicaid agency, which analyzes Medicaid data as part of its routine program-monitoring activities. This practice of relying on the State Medicaid agency has placed the sole burden of identifying potentially fraudulent practices using data mining on the State Medicaid agencies and has required the MFCUs to remain highly dependent on referrals from State Medicaid agencies and other external sources.

   For many years, we understand that many MFCUs have had online access to Medicaid claims information for purposes of individual case development, but have been prohibited by regulation from receiving FFP for using claims data for identifying other potential cases. Since the 1978 rule was promulgated, highly advanced tools and methods have become available that allow law enforcement and other oversight entities to analyze claims information and other data. This includes the detection of aberrant billing patterns and the development of predictive models. These tools and methods have been extremely effective in identifying potential fraud cases, and they are routinely used by other law enforcement agencies. We believe that allowing MFCUs to receive funding for data mining will enable them to marshal their resources more effectively and take full advantage of their expertise in detecting and investigating Medicaid fraud vulnerabilities.

   At the same time, we recognized in the proposed rule that three elements are critical to ensuring the effective use of data mining by MFCUs.

   First, MFCUs and State Medicaid agencies must fully coordinate the MFCUs' use of data mining and the identification of possible provider fraud. For example, MFCUs should consult with the State Medicaid agencies in considering data mining priorities that may also be subject to program integrity and audit reviews. Similarly, State Medicaid agencies and MFCUs should coordinate data mining projects with activities of other organizations, such as ``review contractors'' that are selected by the Centers for Medicare & Medicaid Services (CMS) and are responsible for identifying providers subject to audits or program administrative actions.

   Second, while MFCUs are experienced in pursuing Medicaid fraud, it is the State Medicaid agencies that set the policies governing the appropriate activities of Medicaid providers. The MFCUs may be unaware of recent changes in reimbursement policy, making data appear aberrant when they are not. To avoid wasting resources and pursuing data mining projects without adequate basis, the MFCUs must coordinate their efforts closely with the State Medicaid agency, confirming that the results obtained from data mining are interpreted correctly, consistent with current policy and practice.

   Third, MFCU staff should be properly trained in data mining techniques. Although tools and methods for data mining may be widely available, appropriate training is necessary.

   For these reasons, we proposed in new 42 CFR 1007.20 that as a condition for claiming FFP in costs of data mining, a MFCU must identify methods for addressing these three critical elements in its agreements with the State Medicaid agency: Coordination with the State Medicaid agency, programmatic knowledge, and training. We further proposed that OIG must provide specific approval of that agreement to a MFCU that wants to engage in data mining. OIG will consult with CMS in approving data mining requests, given the CMS role in overseeing the activities of State Medicaid agencies and the critical importance of MFCU coordination with those agencies.

   We also proposed to require that MFCUs approved to receive FFP for data mining include the following information in their annual reports to OIG: Costs associated with data mining activities, the number of cases generated from data mining activities, the outcome and status of those cases, and monetary recoveries resulting from those activities. This information will be used by OIG in overseeing and monitoring of MFCUs.

3. Analysis of and Responses to Public Comments

   We received 13 sets of timely comments on the March 17, 2011, proposed rule (76 FR 14637) from a national anti-fraud association, groups of health care providers and beneficiaries, State Attorneys General, individual MFCUs, a State Medicaid agency, a managed care entity, and information technology health services companies. Most commenters supported our proposal to provide Federal reimbursement for data mining activities by MFCUs, citing potential cost savings through earlier identification of Medicaid fraud, the benefit of conserving administrative resources by better targeting of anti-fraud investigations, and the potential for increased effectiveness in finding and eliminating fraud and abuse. Commenters supported the addition of data mining as an optional tool for MFCUs that wish to employ it, but not as a requirement for all MFCUs. Supporting commenters also noted that the results of data mining activities should not be viewed as proof of provider fraud or abuse, but as information that assists state officials in targeting anti-fraud monitoring and investigations.

   Page 29057

   We reviewed each set of comments and grouped them into related categories based on subject matter. Below we set forth summaries of the public comments received, our responses to those comments, and changes we are making in this final rule as a result of the comments received.

   1. Modifications to the Data Mining Prohibition

      Comment: One commenter recommended that OIG eliminate the prohibition on paying FFP for data mining that is in 42 CFR 1007.19(e)(2), rather than establishing an approval mechanism for data mining as we have proposed in a new Sec. 1007.20. The commenter noted the technological advances that have occurred since the rule was originally published in 1978 and that data mining is viewed by the MFCUs as a ``supplemental investigative tool.'' The commenter stated its belief that the existing oversight authority in the regulation would provide adequate monitoring of data mining activities.

      Response: We do not believe that a wholesale elimination of the prohibition on data mining is appropriate. To be effective, data mining requires unique coordination of the resources and expertise of both the MFCU and the State Medicaid agency, as well as properly trained staff. In the absence of an approval process, we believe that a MFCU might undertake a data mining program without trained staff, might duplicate data mining activities of the Medicaid agency, or might pursue projects that rely upon a misunderstanding of program rules or policy.

      However, to reflect technological advances in the use of data, we are modifying the proposed definition of data mining to emphasize the wider range of the possible uses of data, including the use of ``statistical models and intelligent technologies'' as well as other means of electronically sorting Medicaid data that are conducted for the purpose of detecting circumstances that might involve fraud. We are therefore adding the phrase ``including but not limited to the use of'' before ``statistical models and intelligent technologies'' in the definition that appears in section 1007.1 to emphasize the range of methods in which data could be used to identify potential fraud cases.

   2. Use of Data Mining in the Course of an Investigation

      Comment: One commenter suggested that we add the word ``randomized'' before the word ``practice'' in defining data mining and that we add a sentence to clarify that the definition is not intended to prohibit the MFCUs from conducting other types of Medicaid data analysis in the normal course of their investigations.

      Response: We agree that the intent of the regulation is not to limit other types of Medicaid data analysis being conducted in the normal course of an investigation. Units may analyze relevant Medicaid data as part of the evidence-gathering process while investigating a particular possible fraud. In some instances, this data analysis conducted as part of a particular investigation might allow the Unit to identify other potential targets, which would result in opening new fraud cases. Such data analysis is an accepted part of a MFCU's investigative function and does not implicate the prohibition contained in section 1007.19(e)(2) on paying FFP for ``expenditures attributable to . . . efforts to identify situations in which a question of fraud may exist, including the screening of claims or analysis of patterns of practice. . . .'' Further, analysis of Medicaid data to support an investigation of a particular provider is not subject to the data mining approval process under new Sec. 1007.20. However, we do not believe the text of the regulation itself needs to state this. We are also concerned that adding the word ``randomized'' may limit the statistical techniques employed by a MFCU when conducting data mining. Therefore, we are not adding the word ``randomized'' as part of our modifications to the proposed language.

      Comment: One commenter expressed concern that the definition of data mining includes only ``Medicaid claims'' as the type of data subject to analysis and suggested expanding the definition to include managed care encounter data and capitation payments.

      Response: We agree that the proposed definition should be expanded. We recognize that managed care constitutes a significant and growing proportion of the national Medicaid program and that the reference to ``claims data'' may be too limited.

      We also recognize that MFCUs may find it useful to mine other types of data. For example, section 2701 of the Patient Protection and Affordable Care Act, Public Law 111-148 (2010), enacted new requirements for States to collect and provide quality data on health care furnished to Medicaid eligible adults. These data could prove fruitful in identifying providers that may be submitting Medicaid billings for services that are of substandard quality or pose harm to beneficiaries. There are also bundled payments and other evolving payment methods where MFCUs might determine that data could be successfully mined to identify potential fraud. Finally, there may be relevant non-Medicaid data that would be useful to data mining, such as information from other Federal or State programs or from commercial payers.

      Therefore, in this final rule, we have removed the reference to claims data and revised the definition of data mining to broadly encompass Medicaid and other relevant data that may be used to identify aberrant utilization, billing, or other practices that are potentially fraudulent.

   3. Annual Report

      Comment: One commenter expressed support for the proposal to include data mining information as part of the existing annual report rather than as a separate document. The commenter opposed requiring MFCUs to separately report costs and indicate the return on investment from data mining. The commenter asserted that data mining activities could be adequately monitored through the agreement between the MFCU and the State Medicaid agency. The commenter also said that providing information about costs and return on investment does not further the three elements we identified as necessary for data mining to be effective: Coordination with the State Medicaid agency, programmatic knowledge, and training.

      Response: We believe that providing information about data mining costs and rate of return is an appropriate and necessary addition to the annual report. We proposed to amend our regulations to permit Federal reimbursement for data mining because we believe that the use of such modern technologies can help MFCUs more effectively identify, investigate, and prosecute Medicaid fraud. We believe that collecting basic cost and performance information will be critical to carrying out our oversight responsibilities and to determining whether MFCUs are using the additional Federal funds to increase their effectiveness and efficiency in pursuing fraud. We are therefore finalizing our requirement that MFCUs approved to receive FFP in costs for data mining must provide specific information on their activities in their annual reports to OIG.

   4. Requirements for the MFCU Agreement With the State Medicaid Agency

      Comment: A commenter expressed concern that requiring a description of the duration of the MCFU activity and staff time might be appropriate for a

      Page 29058

      demonstration project but is an inefficient use of MFCU time and resources. Another concern raised by the commenter is that establishing a set duration and staff time may not meet the needs of fraud investigations, particularly if duration and staff time are treated as minimums that the MFCU would be expected to meet. Finally, the commenter noted that requiring a defined duration and staff time does not address any of the three elements identified by OIG as critical to effective data mining.

      Response: We agree that defining duration and staffing before undertaking data mining activities may not be efficient or reasonable for an activity that MFCUs expect to continue for an extended period and expect to yield investigative leads that were not anticipated at the outset. We are concerned that MFCUs may be reluctant to invest time and resources in data mining if they believe that an estimate of resources will become an inflexible limitation. Therefore, the final rule eliminates a requirement in the proposed rule that MFCUs define duration and staff time as part of their respective agreements with State Medicaid agencies.

      However, we are mindful of our responsibility to monitor MFCUs' effective and efficient operation. We have therefore included in the final rule a requirement that staff time and other costs devoted to data mining activities be reported in a section of the annual report provided to OIG. We will review annual reports carefully to determine whether MFCUs are effectively using their resources to carry out their functions, including identifying potential fraud through data mining and other activities.

      In addition, we are establishing a 3-year duration for each approval of FFP for data mining by a MFCU. We believe a 3-year period will allow OIG to evaluate whether a MFCU is using its data mining resources effectively. We also believe that 3 years will be sufficient for MFCUs and State agencies to implement their data mining activities, assess their operations, and determine any changes that would increase their effectiveness. At the end of the 3-year period, the MFCU may request renewal of its approval by submitting an updated agreement with the State agency. In considering renewal, OIG will review any changes to the agreement and will consider the information provided on data mining activities in annual reports and from other sources.

      Comment: Another commenter suggested that OIG obtain further information, including the amount of outside support that MFCUs receive in conducting data mining.

      Response: We do not agree that we should further require MFCUs to identify the amount of outside support for conducting data mining. We believe that expecting a MFCU to include such information in its agreement with the State agency at the start of the activity would be burdensome. We have asked only for information that will facilitate essential coordination between the MFCU and the State Medicaid agency and that will permit OIG, in consultation with CMS, to determine whether Federal reimbursement for data mining activities should be expected to increase a MFCU's effectiveness in investigating and prosecuting Medicaid fraud. We will not require any further information on outside support to be provided to OIG.

      Comment: A commenter expressed a concern that naming a primary point of contact is not advisable because personnel may change frequently.

      Response: We agree with the comment and will instead require in this final rule that the agreement identify both the individual who will serve as the principal point of contact in each agency, as well as the contact information, title, and office of such individuals.

   5. Approval by OIG in Consultation With CMS

      Comment: A commenter stated that approval of data mining by OIG, in consultation with CMS, is unnecessary if the data mining proposal has been approved by the State Medicaid agency as part of the review of the memorandum of understanding. The commenter also requested that, if OIG approval is included, the regulation identify the number of days in which OIG will make an approval decision.

      Response: OIG is responsible for overseeing the efficiency and effectiveness of the MFCU program. We believe that OIG would not be properly carrying out this responsibility if it did not review and approve the data mining agreement between the State MFCU and the State Medicaid agency. As part of that review, OIG will examine whether MFCUs have both the technical infrastructure and adequate staffing to conduct data mining and whether they have procedures in place to coordinate data mining projects with State Medicaid agency staff. Also, because of the role and experience of CMS in overseeing the State Medicaid agencies, we believe that consultation with CMS is necessary.

      We agree that OIG should review data mining requests in an expeditious manner. We are therefore adding to the final regulation a 90-day period during which OIG will review and respond to a MFCU's request for data mining approval or the request will be considered approved if OIG fails to respond within the 90-day review period. This review period is comparable to the timeframes that CMS follows for Medicaid State plan approvals and would provide sufficient time for OIG to review and consult with CMS on the proposed data mining plan. Should OIG need additional information, a written request by OIG to the MFCU would extend the review period for another 90 days, beginning on receipt by OIG of the MFCU's response. We will finalize the requirement that OIG, in consultation with CMS, must approve a MFCU's data mining agreement with the State Medicaid agency and add a 90-day period for OIG to respond to the MFCU's request for approval, with an extension of 90 additional days if OIG sends a written request for further information.

   6. Burden on State Medicaid Agency Staff

      Comment: A commenter expressed concern that the wording of the background to the proposed rule was vague regarding involvement by State Medicaid agencies, and it suggested that undue burdens might be imposed on Medicaid agency staff. The commenter was concerned that data mining by MFCUs will place undue burdens on already strapped State resources and will inhibit current program integrity efforts. The commenter proposed alternative wording to emphasize that data mining projects would be conducted entirely by MFCU staff and that Medicaid agency staff would operate in a support role.

      Response: We do not believe that MFCU data mining should burden State Medicaid agency staff or interfere with their independent program integrity efforts. The commenter did not suggest changes to the proposed regulation itself. The text of the final regulation will require a MFCU that engages in data mining to describe in its negotiated agreement with the State Medicaid agency both the methods of coordination with the Medicaid agency as well as how the MFCU will obtain training in data mining techniques.

      We agree that MFCU data mining will be conducted entirely by MFCU staff and that State agency staff will operate in a supporting role. MFCU data mining will not inhibit current program integrity efforts since the MFCU's

      Page 29059

      activities will be separate from current program integrity efforts and should not interfere with ongoing efforts by the Medicaid agency to identify aberrant payments. Moreover, consistent with the agreement between the MFCU and State agency, the Medicaid agency's supporting role should not impose an undue burden on State agency resources. The Medicaid agency should already work closely with the MFCU in coordinating administrative actions and in providing programmatic and policy information to the MFCU. The Medicaid agency may serve as a source of training for the MFCU in data mining techniques, but there are other sources of such training so this should also not present an undue burden on the Medicaid agency. Finally, we note that if the Medicaid agency and the MFCU are not currently working in a collaborative and efficient manner, this could be the basis for denying a MFCU's request to conduct data mining.

   7. Effects of Data Mining on Providers

      Comment: One commenter noted that OIG should require State Medicaid programs to describe how providers may challenge the results of data mining. The commenter also asked that OIG allow FFP for provider outreach and education by MFCU staff.

      Response: OIG does not establish requirements for State Medicaid agencies, and we do not agree that a MFCU should set up a special process to permit providers to question or challenge a fraud investigation undertaken as a result of data mining. A provider would have the same legal ability to defend himself or herself in an investigation or prosecution undertaken by a MFCU whether it was the result of data mining or another source of referrals to the MFCU. Moreover, we do not believe that it is within the scope of this regulation, or within our general oversight authority, to dictate to States how their legal systems would allow for providers to challenge a particular investigation or case.

      OIG recognizes that provider outreach and education may be useful and important and that many State Medicaid agencies have established provider education and outreach programs for which FFP is available. We would encourage MFCU staff to assist State Medicaid agencies, as part of their coordinating efforts, in outreach and education directed toward fraud detection and prevention.

      Comment: Another commenter raised a concern about overlap and duplication among Medicare and Medicaid entities, such as CMS contractors, which may audit and investigate some of the same providers and situations. The commenter asked that OIG carefully monitor data mining activities to safeguard Federal programs and avoid unduly burdening providers.

      Response: It is outside the scope of this regulation to establish monitoring requirements for audit activities of State Medicaid programs or of Federal entities, such as CMS contractors, mentioned by the commenter. In the final rule implementing the Medicaid Recovery Audit Contractor (RAC) program (76 FR 57808 (September 16, 2011)), CMS noted that State Medicaid agencies are required to coordinate auditing efforts and to make referrals of suspected fraud and/or abuse to the MFCU or other appropriate law enforcement agency. In this final rule, OIG has provided that State MFCUs must coordinate data mining activities with State Medicaid agencies to ensure that Medicaid policies are well understood by the MFCU, that data mining strategies are not duplicative, and that MFCUs are aware of any program integrity reviews by State agencies that may involve the same provider or category of providers. However, we want to again make clear that we do not intend that this coordination will interfere with MFCUs' investigative independence. Audits or administrative reviews by a State Medicaid agency, or a State or Federal audit or program integrity contractor, may not prevent a MFCU from initiating, carrying out, or completing a fraud investigation or prosecution that may result from data mining.

   8. Coordination With Managed Care Organizations

      Comment: Several commenters recommended that the regulation be expanded to require that MFCUs coordinate their data mining activities with Medicaid managed care organizations, if appropriate, for a particular State.

      Response: Our general approach to data mining by MFCUs is to give each MFCU the autonomy to choose how to operate its programs based on the needs and priorities of each State. While we have required each MFCU to describe its coordination with its State Medicaid agency if the MFCU intends to conduct data mining, we regard this coordination as an indispensable element for data mining to be successful. Coordination with managed care plans may be an effective practice in certain States. However, we believe this determination should be made by the MFCU, in consultation with the State Medicaid agency and in the context of other data mining priorities, and we will therefore not require it of all MFCUs.

1. Experience With Health Care Data Mining

   Comment: A commenter recommended that OIG require data miners to have experience and expertise with health care claims data mining and recommended certain data elements and data mining techniques to enhance effectiveness of MFCU activities.

   Response: We agree that MFCU staff engaged in data mining should have the requisite training to effectively conduct data mining projects. For this reason, we have established in the regulation a condition that MFCU employees engaged in data mining receive specialized training in data mining techniques. To the extent that the commenter is suggesting that MFCUs employ specific individuals with a particular background in data mining, we are not imposing this as a requirement. We believe that MFCUs can determine their own staffing needs as they do for the other professional activities in which they engage.

   With respect to data mining techniques, we believe that data mining approaches should be selected by the MFCU, in consultation with the State Medicaid agency and in light of the particular needs, priorities, and systems in that State. We will therefore not require the use of any specific data mining technologies or approaches.

4. Regulatory Impact Statement

   1. Regulatory Analysis

      We have examined the impact of this final rule as required by Executive Orders 12866 and 13563, the Unfunded Mandates Reform Act of 1995, and the Regulatory Flexibility Act of 1980 (RFA) (Pub. L. 96-

      354).

      Executive Orders 12866 and 13563

      Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. A regulatory impact analysis must be prepared for major rules with economically significant effects ($136 million or more in any given year). We believe that the aggregate impact of this

      Page 29060

      rule does not reach this ``economically significant'' threshold, and thus, is not considered a major rule.

      1. Estimated Impact on Medicaid Program Expenditures

         We estimate below the impact of this rule on Medicaid expenditures over the next 10 years, including both Federal and State expenditures. These estimates are based on the following: MFCU grant award amounts, expenditures and recoveries from FY 2007-2012 reported to OIG; information from a Florida MFCU project that commenced in 2010 under which the Unit conducts data mining as part of a demonstration waiver approved by the Secretary; State Program Integrity Assessment provided to CMS from FY 2007 to FY 2010; and results from a 2009 National Health Policy Forum presentation ``Prevention and Early Detection of Health Care Fraud, Waste, and Abuse'', which reported data from Independence Blue Cross's use of data mining for their benefit plans.

         Based on analysis of the information and data described above, we estimated the potential rate of return on MFCU data mining activities. Table 1 contains the estimates for the total cost of data mining, total recoveries as a result of data mining, and net total impact. Table 1 also includes costs, recoveries, and net impact for both Federal and State levels. We refined our estimates to account for the likelihood that data mining would not provide any recoveries in the first year and a limited amount of recoveries in the second year. Table 1 assumes a medium rate of State MFCU participation in data mining activities (40%), a medium rate of return on data mining activities ($6.90 per $1 spent), and 33% of recoveries in the second year. The net Federal impact is savings of $34.3 million from FY 2014-FY 2023.

         Table 1--Estimated Impact on Medicaid Expenditures and Recoveries for MFCU Data Mining Activities

         --------------------------------------------------------------------------------------------------------------------------------------------------------

         2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2014-2023

         --------------------------------------------------------------------------------------------------------------------------------------------------------

         Total Cost............................. $1.1 $1.1 $1.2 $1.2 $1.2 $1.2 $1.3 $1.3 $1.3 $1.4 $12.3

         Total Recoveries....................... $0.0 -$2.6 -$8.0 -$8.2 -$8.4 -$8.6 -$8.8 -$8.9 -$9.1 -$9.3 -$71.9

         Net Total Impact....................... $1.1 -$1.5 -$6.9 -$7.0 -$7.2 -$7.3 -$7.5 -$7.7 -$7.8 -$8.0 -$59.8

         Federal Cost........................... $0.8 $0.9 $0.9 $0.9 $0.9 $0.9 $1.0 $1.0 $1.0 $1.0 $9.3

         Federal Recoveries..................... $0.0 -$1.6 -$4.9 -$5.0 -$5.1 -$5.2 -$5.3 -$5.4 -$5.5 -$5.6 -$43.6

         Net Federal Impact..................... $0.8 -$0.7 -$4.0 -$4.1 -$4.2 -$4.3 -$4.3 -$4.4 -$4.5 -$4.6 -$34.3

         State Cost............................. $0.3 $0.3 $0.3 $0.3 $0.3 $0.3 $0.3 $0.3 $0.3 $0.3 $3.0

         State Recoveries....................... $0.0 -$1.0 -$3.2 -$3.2 -$3.3 -$3.4 -$3.5 -$3.6 -$3.6 -$3.7 -$28.5

         Net State Impact....................... $0.3 -$0.8 -$2.9 -$2.9 -$3.0 -$3.1 -$3.2 -$3.2 -$3.3 -$3.4 -$25.5

         --------------------------------------------------------------------------------------------------------------------------------------------------------

         Note: all figures in millions of dollars; totals may not add due to rounding.

      2. Estimated Impact on Industry

         We estimate that MFCU data mining will likely have a limited impact on the health care industry. We believe that the total number of fraud investigations of providers would increase only to the extent that the MFCUs receive additional budget authority from the States to seek an expansion of their operations. Therefore, to the extent that there is any economic impact, we believe that potential costs to the health care industry will be minimal and will be surpassed by savings of Federal and State dollars.

      3. Unfunded Mandates Reform Act

         Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1531-1538) establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, local, and tribal governments and the private sector. Under UMRA, agencies must assess a rule's anticipated costs and benefits before issuing any rule that may result in aggregate costs to State, local, or tribal governments, or the private sector, of greater than $100 million in 1995 dollars (currently adjusted to $139 million). This final rule does not impose any Federal mandates on any State, local, or tribal government or the private sector within the meaning of UMRA, and thus a full analysis under UMRA is not necessary.

      4. Regulatory Flexibility Act

         The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. For the purposes of RFA, small entities include small businesses, certain nonprofit organizations, and small government jurisdictions. Individuals and States are not included in this definition of a small entity. This final rule would revise regulations that prohibit State MFCUs from using Federal matching funds to conduct ``efforts to identify situations in which a question of fraud may exist, including the screening of claims, analysis of patterns of practice, or routine verification with beneficiaries of whether services billed by a provider were actually received.'' These revisions impose no significant economic impact on a substantial number of small entities. Therefore, the undersigned certifies that this rule will not have a significant impact on a substantial number of small entities.

      5. Executive Order 13132

         Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on State and local Governments, preempts State law, or otherwise has Federalism implications. Since this regulation does not impose any costs on State or local Governments, preempt State or local law, or otherwise have Federalism implications, the requirements of Executive Order 13132 are not applicable.

   2. Paperwork Reduction Act

      In the proposed rule, pursuant to the Paperwork Reduction Act, we solicited public comments for 60 days on each of the following issues regarding information collection requirements (ICRs). No comments were received on these issues. For the purpose of this final rule, we are soliciting public comment for 30 days for the following sections of this rule regarding ICRs:

      The need for the information collection and its usefulness in carrying out the proper functions of our agency;

      the accuracy of our estimate of the information collection burden;

      the quality, utility, and clarity of the information to be collected; and

      recommendations to minimize the information collection burden on the

      Page 29061

      affected public, including automated collection techniques.

      1. ICRs Regarding the Annual Report (Sec. 1007.17)

         Section 1007.17 states that all costs expended in a given year by MFCUs attributed to data mining activities must be included as part of their existing annual report, including the amount of staff time devoted to data mining activities; the amount of staff time devoted to data mining activities; the number of case generated from those activities; the outcome and status of those cases, including the expected and actual monetary recoveries (both Federal and non-Federal share); and any other relevant indicia of return on investment from such activities.

         The burden associated with the requirements in 1007.17 is expected to be minimal because MFCUs have existing systems in place to track their activities, including costs, staff time, and status and outcomes. The burden associated with this requirement is the time and effort necessary to track and calculate information to be included in their annual report. We estimate that it will take each state approximately one additional hour per year to comply with these requirements. We arrived at this estimate after consulting with Florida's MFCU, which since 2010 has a waiver to conduct data mining. We estimate that MFCU participation in data mining activities will be at a ``medium'' level, or at about 20 units. The burden associated with the existing annual report requirement contained in Sec. 1007.17 is approved under existing OMB Control Number (OCN) 0990-0162.

         Table 2 indicates the paperwork burden associated with the requirements of this final rule.

         ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

         Burden per Hourly labor Total labor

         Regulation section OMB Control No. Respondents Responses per response Total annual cost of cost of Total cost ($)

         respondent (hours) burden (hours) reporting ($) reporting

         ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

         1007.17................................................. 0990-0162 20 1 88 1760 23.39 102,916 102,916

         ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

         Please submit any comments you may have on these information collection and recordkeeping requirements to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: OIG Desk Officer, OIG-1203-F, Fax: (202) 395-5806; or Email: OIRA-submission@omb.eop.gov.

         List of Subjects in 42 CFR Part 1007

         Administrative practice and procedure, Fraud, Grant programs--

         health, Medicaid, Reporting and recordkeeping requirements.

         For the reasons set forth in the preamble, OIG amends 42 CFR part 1007, as set forth below:

         PART 1007--AMENDED

         0

      1. Revise the authority citation to part 1007 to read as follows:

         Authority: 42 U.S.C. 1396b(a)(6), 1396(b)(3), 1396b(q), and 1302.

         0

      2. In Sec. 1007.1, add in alphabetical order, the definition for ``data mining'' to read as follows:

         Sec. 1007.1 Definitions.

         * * * * *

         Data mining is defined as the practice of electronically sorting Medicaid or other relevant data, including but not limited to the use of statistical models and intelligent technologies, to uncover patterns and relationships within that data to identify aberrant utilization, billing, or other practices that are potentially fraudulent.

         * * * * *

         0

      3. In Sec. 1007.17, add paragraph (i) to read as follows:

         Sec. 1007.17 Annual report.

         * * * * *

         (i) For those MFCUs approved to conduct data mining under Sec. 1007.20, all costs expended that year by the MFCU attributed to data mining activities; the amount of staff time devoted to data mining activities; the number of cases generated from those activities; the outcome and status of those cases, including the expected and actual monetary recoveries (both Federal and non-Federal share); and any other relevant indicia of return on investment from such activities.

         0

      4. In Sec. 1007.19, revise paragraph (e)(2) to read as follows:

         Sec. 1007.19 Federal financial participation (FFP).

         * * * * *

         (e) * * *

         (2) Routine verification with beneficiaries of whether services billed by providers were actually received, or, except as provided in Sec. 1007.20, efforts to identify situations in which a question of fraud may exist, including the screening of claims and analysis of patterns of practice that involve data mining as defined in Sec. 1007.1;

         * * * * *

         0

      5. Add Sec. 1007.20 to read as follows:

         Sec. 1007.20 Circumstances in which data mining is permissible and approval by HHS Office of Inspector General.

         (a) Notwithstanding Sec. 1007.19(e)(2), a MFCU may engage in data mining as defined in this part and receive Federal financial participation only under the following conditions:

         (1) The MFCU identifies the methods of coordination between the MFCU and State Medicaid agency, the individuals serving as primary points of contact for data mining, as well as the contact information, title, and office of such individuals;

         (2) MFCU employees engaged in data mining receive specialized training in data mining techniques;

         (3) The MFCU describes how it will comply with paragraphs (a)(1) and (2) of this section as part of the agreement required by Sec. 1007.9(d); and

         (4) The Office of Inspector General, Department of Health and Human Services, in consultation with the Centers for Medicare & Medicaid Services, approves in advance the provisions of the agreement as defined in paragraph (a)(3) of this section.

         (i) OIG will act on a request from a MFCU for review and approval of the agreement within 90 days after receipt of a written request or the request shall be considered approved if OIG fails to respond within 90 days after receipt of the written request.

         (ii) If OIG requests additional information in writing, the 90-day period for OIG action on the request begins on the day OIG receives the information from the MFCU.

         (iii) The approval is for 3 years.

         (iv) A MFCU may request renewal of its data mining approval for additional 3-year periods by submitting a written request for renewal to OIG, along with an updated agreement with the State Medicaid agency.

         (b) Reserved

         Dated: January 2, 2013.

         Daniel R. Levinson,

         Inspector General.

         Dated: January 17, 2013.

         Kathleen Sebelius,

         Secretary, Department of Health and Human Services.

         FR Doc. 2013-11735 Filed 5-16-13; 8:45 am

         BILLING CODE 4152-01-P