Key Legislative Milestones and Statutory Provisions in Program Integrity

Legislative Milestones in Medicaid Program Integrity

1965 Medicaid was enacted as Title XIX of the Social Security Act (the Act, P.L. 89-97) to provide health coverage for certain groups of low-income people. The law established Medicaid as an individual entitlement with federal-state financing; it also enacted Medicare under Title XVIII of the Act. During its first decade, Medicaid operated with few fraud controls and did not specify any state or federal law enforcement agencies to monitor criminal activity within the program.
1977 The Medicare-Medicaid Anti-Fraud and Abuse Amendments (P.L. 95-142) provided special federal funding to establish state Medicaid Fraud Control Units (MFCUs).

The Mental Health Systems Act (P.L. 96-398) required most states to develop a computerized Medicaid Management Information System (MMIS).

The Medicare and Medicaid Amendments of 1980 (P.L. 96-400) provided the authority under Section 1128 of the Act to exclude individuals and entities from participation in Medicare and Medicaid for fraud against the programs.

The Omnibus Reconciliation Act of 1980 (P.L. 96-499) provided permanent federal funding for MFCUs beyond the initial three-year start-up period.

1981 The Omnibus Budget Reconciliation Act of 1981 (P.L. 97-35) provided the authority to impose civil money penalties as an intermediate sanction for fraud or abuse.
1986 The False Claims Act Amendments (P.L. 99-562) made significant changes to the False Claims Act (FCA), including rewards for whistleblowers and fines for fraudulent activity.
1987 The Medicare and Medicaid Patient and Program Protection Act of 1987 (P.L. 100-93) strengthened authorities to sanction and exclude providers from the program and established criminal penalties for fraud against Medicare, Medicaid, and other federal health care programs.
1989 The Omnibus Budget Reconciliation Act of 1989 (P.L. 101-239) placed limitations on physician self-referrals. The physician self-referral provisions are commonly referred to as the Stark law.
1993 The Omnibus Budget Reconciliation Act of 1993 (P.L. 103-66) significantly amended the Stark law, with rules commonly referred to as Stark II, and required each state to have a MFCU unless the state could demonstrate to the satisfaction of the Secretary of the U.S. Department of Health and Human Services (HHS) that its Medicaid program sustained a minimal amount of fraud and could protect Medicaid enrollees from abuse and neglect.
1996 The Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) defined numerous offenses relating to health care and set civil and criminal penalties for them. It also created several programs to control fraud and abuse within the health care system, including Health Care Fraud and Abuse Control (HCFAC) Program and the Medicare Integrity Program (which was the model for the Medicaid Integrity Program (MIP) that was created through the Deficit Reduction Act of 2005, described below).
1997 The Balanced Budget Act of 1997 (P.L. 105-33) allowed states to contract with a limited number of managed care plans; applied federal conflict-of-interest standards to state officials involved in Medicaid managed care contracting; required prior approval by HHS of all Medicaid managed care contracts over $1 million; and added conditions of participation for managed care regarding fraud and abuse, quality assurance, protections against patient billing, information and disclosure, and marketing.
2002 The Improper Payments Information Act of 2002 (P.L. 107-300) required every federal agency to report on improper payments and efforts to combat them. The Centers for Medicare & Medicaid Services (CMS) created the Payment Error Rate Measurement (PERM) program to comply with the statute.
2005 The Deficit Reduction Act of 2005 (P.L. 109-171) established the Medicaid Integrity Program (MIP) and the Medicare-Medicaid data match program, strengthened third-party liability, and included provisions encouraging states to enact their own False Claims Acts.

The Fraud Enforcement and Recovery Act (P.L. 111-21) further strengthened the FCA by broadening the range of conduct that can be subject to false claims prosecution by including presentation of a false claim (even if not paid) and the knowing use of false records or statements related to a false claim.

The Children’s Health Insurance Program Reauthorization Act of 2009 (P.L. 111-3) provided states with the option to verify U.S. citizenship through data matches with the Social Security Administration, simplified enrollment, and required coordination of Medicaid Eligibility Quality Control (MEQC) and PERM program efforts, as well as substitution of data between these two programs.


The Patient Protection and Affordable Care Act (ACA, P.L. 111-148, as amended) established provider screening requirements, an integrated data repository for Medicare and Medicaid, and the Medicaid Recovery Audit Contractors (RACs). The ACA also contained provisions addressing provider terminations, credible allegations of fraud, reporting managed care data in MMIS, participation in the National Correct Coding Initiative, the Stark law, and FCA actions.

The Small Business Jobs Act of 2010 (P.L. 111-240) mandated that CMS implement a predictive analytics system to analyze Medicare claims to detect patterns that present a high risk of fraudulent activity and report to the Congress in 2014 on the cost effectiveness and feasibility of expanding the use of predictive analytics to Medicaid and CHIP in the future.

2013 The Bipartisan Budget Act of 2013 (P.L. 113-67) allowed state Medicaid agencies to recover any payments by a third party, rather than payments made solely for health care items or services. It also created an exception to Medicaid’s anti-lien statute for third-party liability.
2015 Consolidated Appropriations Act, 2016 (P.L. 114-113) provides additional funding for Medicaid and CHIP program integrity activities and limits state Medicaid durable medical equipment payment to Medicare payment rates.
2016 21st Century Cures Act (P.L. 114-255) includes provisions addressing a range of different Medicaid issues, including several designed to enhance access to mental health services and improve program integrity:

  • establishes a new requirement for states to screen and enroll all providers participating in Medicaid or CHIP managed care (who are not already enrolled) in the state’s fee-for-service program;
  • requires states to submit additional information to the Secretary about terminated providers, and requires the Secretary to create and maintain a centralized and uniform database of terminated Medicaid and CHIP providers with the reasons for termination;
  • prohibits FFP for items and services furnished by terminated providers (including those delivered through a managed care organization);
  • directs states to require the use of electronic visit verification systems for Medicaid-provided personal care by January 1, 2019 and home health services by January 1, 2023.

Comprehensive Addiction and Recovery Act of 2016 (CARA, P.L. 114-198) excludes certain abuse-deterrent drug formulations from the definition of line-extension drugs in the Medicaid drug rebate program. Additionally, the statute:

  • prohibits states from using or disclosing analytic technologies to identify improper Medicaid claims (including predictive modeling systems), except for the purposes of administering a state Medicaid or CHIP program (as long as a state has adequate data security and control policies).

Key Program Integrity Provisions in the Social Security Act

Section 1893(g) Medicare-Medicaid Data Match program
Section 1902(a)(4) and Section 1903(u) Medicaid Eligibility Quality Control (MEQC) program
Section 1902(a)(4)(C) Conflict-of-interest standards
Section 1902(a)(25) Third-party liability
Section 1902(a)(30)(A) Payment methods and procedures to safeguard against unnecessary utilization, consistent with efficiency, economy, and quality, and to provide access equal to the general population
Section 1902(a)(37) Procedures for prepayment and postpayment claims review, including review of appropriate data with respect to the recipient and provider of a service and the nature of the service for which payment is claimed, to ensure the proper and efficient payment of claims and management of the program
Section 1902(a)(39) Termination of provider participation under Medicaid if this provider has been terminated under Medicare or another state’s Medicaid program
Section 1902(a)(42)(B) Recovery Audit Contractors for the Medicaid program
Section 1902(a)(46)(A) State Income and Eligibility Verification System (also in Section 1137)
Section 1902(a)(46)(B) Citizenship documentation
Section 1902(a)(61) A state must effectively operate a Medicaid Fraud Control Unit, unless it can show that such efforts would not be cost-effective because minimal fraud exists and enrollees will be protected from abuse and neglect without such a unit
Section 1902(a)(77) State compliance with provider screening, oversight, and reporting requirements in Section 1902(kk)
Section 1902(a)(79) Requires billing agents, clearinghouses, and other alternate payees that submit claims on behalf of a provider to register with the state and HHS
Section 1902(a)(80) Prohibits payment for items and services to any financial institution or entity located outside the United States
Section 1902(e)(13) Express lane eligibility
Section 1902(ee) Provides states with the option to verify citizenship through the Social Security Administration data match
Section 1902(kk) Provider and supplier screening, oversight, and reporting requirements
Section 1903(a)(6) Federal match for Medicaid Fraud Control Unit expenses
Section 1903(d)(2) Allows states one year to return the federal share of most overpayments
Section 1903(i)(2) Prohibits payments to an individual or entity excluded from the program
Section 1903(q) Requirements Medicaid Fraud Control Units must meet
Section 1903(r)(1)(B)(iv) National Correct Coding Initiative
Section 1903(r)(1)(F) Requires states to report expanded set of data elements under MMIS to detect fraud and abuse
Section 1903(x) Citizenship documentation
Section 1909 State False Claims Act requirements for increased state share of recoveries
Section 1921 Information reporting requirements concerning sanctions taken by state licensing authorities against health care practitioners and providers
Section 1927(g) Drug use review
Section 1932(d) Protections against fraud and abuse in managed care
Section 1936 Medicaid Integrity Program
Section 1124 Disclosure of ownership and related information
Section 1126 Disclosure by institutions, organizations, and agencies of owners and certain other individuals who have been convicted of certain offenses
Section 1128 Exclusion of certain individuals and entities from participation in Medicare and state health care programs
Section 1128A Civil monetary penalties
Section 1128B Criminal penalties for acts involving federal health care programs
Section 1128C Fraud and Abuse Control Program
Section 1128D Guidance regarding application of health care fraud and abuse sanctions
Section 1128E Health Care Fraud and Abuse Data Collection Program
Section 1128F Coordination of Medicare and Medicaid surety bond provisions (applies only to home health agencies)
Section 1128G Transparency reports and reporting of physician ownership or investment interests
Section 1128H Reporting information relating to drug samples
Section 1128I Accountability requirements for facilities (skilled nursing facilities and nursing facilities)
Section 1128J Medicare and Medicaid program integrity provisions
Section 1137 Requirements for state income and eligibility verification systems (also in Section 1902(a)(46)(A))
Section 1156 Obligations of health care practitioners and providers of health care services, sanctions and penalties, hearings and review