University of Texas System 2014 OIG Work Plan and 2014 CMS ... › sites › default › files › ... · 3/26/2014 · OIG Work Plan - 2014 6 Highlights Evaluation and Management

University of Texas System2014 OIG Work Plan and 2014 CMS Focus Areas

F. Lisa Murtha, Partner, CHC, [email protected]

March 26, 2014

2Compliance Risks Affecting Universities and Hospital Systems

Introduction• Hospital organizations are subject to complex laws and regulations that affect all

aspects of the business.

• Those laws and regulations span a continuum from state and Federal patient care standards, documentation, coding and billing rules, privacy requirements, environmental health and safety regulations, conflict of interest protections, and fraud and abuse mandates that dictate arrangements between hospitals and physicians.

• In the case of an organization such as the University of Texas System, which includes numerous research offices and IRBs, the legal and regulatory requirements are expansive.

– Research-related laws and regulations cover everything from conflicts of interest reporting, accounting for Federally sponsored research studies, billing for routine care costs associated with research studies, off-label use concerns governed by FDA regulations and Office for Human Research Protection requirements for research involving human participants.

3

DHHS Office of the Inspector General

• The OIG has provided the health care community with specific, identified risk areas that should be considered in any compliance program.

• The OIG's annual Work Plan is widely regarded as being among the core tools available to compliance officers so that they may anticipate the priorities of the Federal government.

• The OIG Work Plan signals the nature and focus of the audits that the OIG's 1600+ agents will undertake in the coming year.

• The risks, based on years of audits, investigations, and evaluations, provide a solid starting point for an organization's initial risk assessment efforts.

• The 2014 OIG Work Plan was published on January 31, 2014.

• With regard to UT, the OIG's documented set of priorities could have broad impact. The list of major focus areas follows.

4

The OIG Work Plan

• The Work Plan highlighted the priorities that the OIG’s more than 1,700 employees will have as they:

1. Conduct audits, evaluations, investigations;

2. Provide guidance; and

3. Impose civil monetary penalties, assessment and administrative sanctions.

• Familiarity with the focus of the OIG is crucial. The OIG reported FY 2013 exclusions of 3,214 individuals and entities.

• For FY 2013, the OIG reported expected recoveries of over $5.8 Billion consisting of nearly $850 Million in audit receivables and about $5 Billion in investigative receivables, which include about $1 Billion in non-HHS investigative receivables resulting from its work in areas such as State’s shares of Medicaid restitution.

• The OIG also identified about $19.5 Billion in savings estimated for FY 2013 on the basis of prior period legislative, regulatory, or administrative actions that were supported by OIG recommendations.

5OIG Work Plan - 2014Highlights

Two Midnight Rule• Evaluations are ongoing to determine the impact of new inpatient admission criteria

on hospital billing, Medicare payments, and beneficiary payments.• The "Two Midnight Rule" directs Medicare's contractors to assume hospital

admissions are reasonable and necessary for patients who stay in a hospital through two consecutive midnights.

– Many feel that this policy undermines the medical judgment of physicians.– CMS finalized this shift in policy last August within its rule for 2014 inpatient services.– Since then, the policy has confused patients, clinicians, hospital administrators and compliance

officers. CMS has delayed enforcement through March 31, 2014.– Additional delays in deployment are being sought by the health care community.

• Hospital nurses, medical residents and physician assistants can all write the orders to admit Medicare beneficiaries to a hospital. But, newly clarified CMS rules say that a physician must sign off on the admitting paperwork and “accept responsibility” for the decision before the patient is discharged.

• UT could face meaningful compliance (and financial) risk if it is not operating in accordance with this policy. Enforcement efforts and audits are likely to be intensive.


Evaluation and Management ("E/M") Coding Reviews of New Patients• Medicare payments associated with E/M services are significantly different

depending upon whether or not a patient is a "new" (i.e., not registered as an inpatient or outpatient of the hospital in the past 3 years). The OIG will be evaluating billing for E/M services to confirm the appropriateness of payments for those billed at the new-patient rate. Pending the outcomes of its work, the OIG may recommend recovery of overpayments.

Cardiac Caths and Heart Biopsies• The OIG has a new initiative to confirm that Medicare payments were accurately

made for right heart catheterizations ("RHCs") and heart biopsies that occurred in the same operative session. Apparently, some hospitals have been paid for separate RHCs when the services are included in payments for the biopsies. A billing review is likely and it could impact certain of UT's cardiology groups.

Emergency Preparedness• Hurricane Sandy placed a new focus on the preparation and response readiness of

hospitals to deal with natural disasters.• The Hurricane is mentioned in the OIG Work Plan at least a half a dozen times and

the OIG will be confirming that CMS's Conditions of Participation in this regard are being met.


GME Payments• The OIG will be reviewing data and carrying out audits to determine whether or not

they have been overpaying based on whether an intern or resident has been counted as more than one full time equivalent ("FTE").

• The OIG is also prioritizing a look at indirect medical education payments which are based on the ratio of resident FTEs to available beds.

• For UT's teaching hospitals, the ability to produce clean data in this regard is vital to passing such audits.

Overpayments• The OIG will review Medicare payments to acute care hospitals to determine

compliance with billing requirements. The objective is to recover monies connected to situations in which CMS was overbilled and subsequently "overpaid" on a claim.

• This initiative in the OIG's 2014 Work Plan also implies that efforts to root out such activity will include interviews with hospital executives and compliance officers. The implication is that compliance programs themselves may be reviewed.


Medical Staff Credentialing• Hospitals and other licensed providers may be reviewed by the OIG to confirm the

adequacy of a hospital's privileging program and whether or not the National Practitioner Databank is being reviewed in this context.

Inpatient Rehab Facilities (“IRFs”) and Adverse Events• Rehabilitation hospitals may be subject to a review to evaluate the incidence of and

any contributing factors to adverse or temporary harm events for Medicare beneficiaries who are receiving post-acute care in IRFs.

9OIG Work Plan - 2014Other Initiatives That Could Affect UT Entities

• Diagnostic Radiology: Focus on medical necessity.

• E/M services: Focus on the prevalence of identical documentation across services.

• Place of Service Coding Errors: Review of Part B claims for services taking place in ambulatory surgical centers.

• Security Controls Medical Devices: Evaluation of hospital security controls in place to manage data (including PHI) moving through both portable and networked medical devices.

• Meaningful Use: Ongoing review of the accuracy and appropriateness of Medicare incentive payments to eligible health care professionals and hospitals that demonstrate meaningful use of certified electronic health records ("EHR") technology.

• EHR Security: Those that received incentive payments under the "meaningful use" program may have their systems audited to determine if they adequately protect PHI.

• Research Focus Areas: Extramural construction grants, Medicare costs associated with defective medical devices, college and university compliance with cost principles, and use of grant funds for lobbying activities, are also subject to OIG review.

10

OIG Work Plan: Research

Hospitals:• Medicare costs associated with defective

medical devices: • The OIG will review claims to identify costs

resulting from additional utilization of medical services associated with defective medical devices and determine the impact of the cost on the Medicare Trust Fund.

11


• The Centers for Disease Control and Prevention– The OIG will assess whether the CDC’s

oversight of HIV/AIDS prevention and research grants was conducted in accordance with Federal Regs and HHS policies.

– The CDC awarded more than $3.6 Billion in Grants for HIV/AIDS prevention and research.

12


• The Food and Drug Administration• Inspections of generic drug manufacturers. The FDA

typically inspects drug manufacturing facilities prior to generic drug approval and also conducts routine inspections of both foreign and domestic manufacturers to monitor compliance with current good manufacturing practices.

• The OIG will describe the extent to which FDA conducts inspections of generic drug manufacturers as well as the results of such inspections and the enforcement actions taken by FDA in response to deficiencies.

13


• National Institutes of Health– 1. Extramural Construction Grants: OIG will

perform reviews at facilities that received extramural construction grants to determine whether the funds were spent in accordance with Federal requirements.

• Extramural construction grants are awarded to build, renovate, or repair non-Federal biomedical and behavioral research facilities.

14


• Colleges’ and Universities’ Compliance With Cost Principles– Grantee Compliance: OIG will assess colleges’

and universities’ compliance with selected cost principles issued by OMB in Circular A-21, Cost Principles for Educational Institutions.

– OIG will specifically conduct reviews at selected colleges and universities on the basis of dollar value of Federal grants received and on input from HHS operating divisions.

15


• NIH (cont.)– 2. Grants Management: The OIG will examine

the NIH’s oversight of the grants administration processes implemented by the 24 institutes and centers (IC) that award extramural grants.

– OIG will also examine NIH’s oversight of each IC’s compliance with regulations, department directives, and agency policies.

16


• Other HHS-Related Issues– 1. HHS Efforts to Address Grantee Risks: The OIG will

determine how HHS awarding agencies mitigate grantee risks and whether HHS awarding agencies receive and/or share information on grantees for which they have concerns regarding performance expectations and/or accountability requirements.

– 2. HHS Efforts to Prevent Use of HHS Grant Funds for Lobbying Activities: OIG will determine the extent to which HHS agencies notify grantees of lobbying prohibitions. They will examine the extent to which HHS grantees are aware of lobbying prohibitions.

17

Centers for Medicare and Medicaid Services ("CMS")

Background

• While the OIG's Work Plan ostensibly outlines the priority risk areas associated with CMS's various programs that it will review, CMS also publishes a Quarterly Provider Update ("QPU") and a Quarterly Provider Compliance Newsletter.

• The QPU provides a listing of Agency regulations and meeting notices. Non-regulatory changes to the Medicare and Medicaid programs, consisting of manual instructions, are also included in this listing.

• The Newsletters are designed to help providers understand the major findings identified by Medicare administrative contractors ("MACs"), recovery audit contractors ("RACs"), program safeguard contractors ("PSCs"), zone program integrity contractors ("ZPICs"), and other governmental organizations, such as the OIG.

• What follows is a summary of the core CMS priorities as determined by reviewing QPUs, the Newsletters, and recent enforcement activities carried out by CMS‘s Program Integrity agents.

18

Centers for Medicare and Medicaid Services

Modifier 25• Defined as a “significant, separately identifiable E/M service” by the same physician

on the day of a procedure, this issue was prominent on the OIG's Work Plan in 2013.– For patients that are seen for routine procedures but, on the same day, undergo a significant,

separately identifiable service in addition to the routine services, CMS will allow Modifier 25 to be appended to the E/M.

– The procedure, however, must be classified as medically necessary.– The modifier indicates that the service was above and beyond the routine procedure for which the

patient made the appointment.

• In November, 2005, the OIG produced a comprehensive report on the misuse of Modifier 25. The OIG concluded in that report that in the sample claims in its review, some 35% of the claims for Modifier 25 did not meet program requirements. Consequently, Modifier 25 compliance has been a priority for some time.

• CMS continues to work with the OIG to monitor incorrectly paid claims in an attempt to recoup this money from providers.

– Example: Georgia Cancer Specialists I, PC, agreed to pay $4.1 million to settle claims that it violated the False Claims Act by billing Medicare for evaluation and management services that were not permitted by Medicare rules regarding Modifier 25.

19


Modifier 25• Some private payors are sending warning letters to providers who bill E/M codes

with modifiers significantly more than their peers. Carriers/MACs do not pay for an E/M service reported with a procedure having a global fee period without a modifier appended to the E/M service.

• Inadvertent or occasional misuse of Modifier 25 might simply result in a program overpayment recovery request.

• Routine or frequent misuse of Modifier 25 can be considered willful and in violation of the False Claims Act, subjecting the provider to penalties of up to $11,000 per claim in addition to the refunded amounts.

• Increasing claim denials, wasted follow-up time, revenue loss, and OIG investigations are some of the potential consequences of inappropriate use of modifiers such as Modifier 25.

20


Place of Service ("POS")• Pressure to comply with this requirement is increasing. As reimbursement rates

vary based on where health care services may have been delivered, confirmation that the coding is accurate is a priority for CMS.

• Electronic claim transactions must include a POS code from the POS code set maintained by CMS.

• Under Medicare, the correct POS code assignment is also required on the paper CMS 1500 Claim Form (or its electronic equivalent).

• Improper billing is particularly problematic, from CMS's perspective, when physicians and other suppliers furnish services in outpatient hospitals and in Ambulatory Surgical Centers.

– CMS has discovered through audits and sampling that claims are often paid at the non-facility rate --rather than the lower facility payment rate assigned to the POS codes for outpatient hospitals and Ambulatory Surgery Centers.

• Additional audit pressure is likely in the coming year.

21


Physician Payments Sunshine Act• Administered by CMS, the Sunshine Act could mean significant penalties in the

event that there is any misreporting of data by applicable manufacturers of medical products.

• This should result in the biopharmaceutical and/or biotech industry developing sophisticated tracking systems that, in an effort to avoid penalties, will publicize all payments and other transfers of value furnished to physicians and teaching hospitals (‘‘covered recipients’’) over $10.

• The adequacy of UT's Conflict of Interest ("COI") disclosure process may be tested should there be major discrepancies between what was disclosed by UT physicians and what is publicized on publicly viewable websites.

• The Sunshine Act is designed to encourage transparency in relationships between manufacturers and physicians. The expectation is that the Act will result in the following:

– Increase accountability and tracking;– Enable consumers to identify potential sources of bias;– Facilitate government’s identification of potential kickbacks or other impermissible financial

relationships; and – Deter manufacturers from paying amounts in excess of fair market value to referral sources.

22


Recovery Audit Contractors• CMS's RAC Program has had a profound impact on UT's hospital entities.

• It is among CMS's most notable and "headline grabbing" programs.

• The management of document requests and the appeals process has been a significant burden for compliance professionals within the UT hospital entities.

• Most UT hospitals have RAC Response Teams to triage requests. Whichever department leads a RAC Solutions Team should help facilitate data reviews and provide Corporate guidance on RAC mitigation efforts and initiatives.

• CMS's RAC Program remains an ongoing and major compliance challenge for UT's hospital entities and diversified businesses.

23


Recovery Audit Contractors• As CMS's RAC teams make findings, it is incumbent on providers to proactively

assess their own billing processes. Among the most recent findings of the RACs are the following:

January 2014– Anesthesia—Certified Registered Nurse Anesthetist (CRNA) Overpaid– Zoledronic acid, (Zometa)─Dose vs. Units Billed– MRI Scans– Annual Wellness Visits

– Adenosine - Dose vs. Units Billed

October 2013 – Inappropriate Payment for Vertebral Augmentation Procedure– Office Visits Billed for Hospital Inpatients – Evaluation and Management Services with Allergy Services – Source of Admission Code for Inpatient Psychiatric Facilities (IPFs)– Metastasis As Secondary Diagnosis MS-DRGs 820-825, 840-842

24


Recovery Audit Contractors• Recent RAC Findings (continued):

July 2013– Infusion Pump Denied/Accessories and Drug

Codes Should Be Denied– Overutilization of Nebulizer Medications – Post-Acute Transfer - Underpayments– Co-Surgery Not Billed with Modifier 62– Pre-admission Diagnostic Testing Review – Duplicate Claims– Add-on HCPCS/CPT Codes Without Primary

Codes – Dose versus Units Billed - Bevacizumab

(HCPCS J9035) and Rituximab (HCPCS J9310)– Mohs Surgery Pathology Billed by Separate

Provider– Cataract Removal, Part B Number of Units

Incorrectly Billed– Pulmonary Procedures and E/M Services

The RAC Program has been very successful for CMS. The scale of the Program has grown and its impact is

being felt.

It has forced hospital systems like UT to proactively deploy top

organizational leaders - including compliance officers, CFOs, HIM

Directors, VPMAs and many others (at all levels) throughout UT - to help

mitigate risk.

Ongoing improvement of UT's internal processes in these areas will be

critical to manage these risks in FY15 and beyond.

25


Comprehensive Error Rate Testing ("CERT") Program• The CERT Program was implemented to measure improper payments in the Medicare

Fee-for-Service ("FFS") program.

• CERT selects a stratified random sample of approximately 40,000 claims submitted to Part A/B Medicare Administrative Contractors ("MACs") and Durable Medical Equipment MACs ("DMACs") during each reporting period.

• This sample size allows CMS to calculate a national improper payment rate as well as contractor- and service-specific improper payment rates.

• The CERT Program ensures a statistically valid random sample; therefore, the improper payment rate calculated from this sample is considered to reflect all claims processed by the Medicare FFS program during the reporting period.

26


Comprehensive Error Rate Testing Program• Recent findings of the CERT Program are used by many health care providers to

focus their own compliance efforts. By monitoring CERT findings, compliance programs are designing initiatives to bolster areas flagged by the CERT audit teams.

• Many compliance executives expect that trends and data emanating from the CERT Program will lead to further audits from Federal regulators. So, "readiness" programs and self-audits are not uncommon among providers aiming to prepare the possibility of such intervention.

• Among the most recent CERT findings are the following:– Split/Shared E/M Services, particularly among physicians and mid level NPPs;– Underpayments due to poor, ineffective, or inaccurate coding (including delays);– Unbundling specific parts of a beneficiary's total inpatient care and sending separate claims to

Medicare for those tests or treatments is a violation of statute and applicable regulations;– Glucose monitoring supplies;– Home Health certification;– Clinic ESRD; and– Immunosuppressive drugs.

27


Mid Level Billing - Split/Shared Services• Among the items that are most prominent among the CERT Program's recent

findings are improper payments and billing irregularities for mid-level professionals or non-physician practitioners(“NPPs”), including physician assistants (“PAs”), clinical nurse specialists, nurse practitioners, and certified nurse midwifes.

• Billing at 100% of the physician fee schedule may be initiated if the mid-level’s service is "incident to" a physicians professional service. But, this implies that the following conditions are being met:

– The NPP must be eligible;– A plan of care established by the physician must be being followed;– Physician must perform initial service and be involved in subsequent services of a “frequency which

reflect active participation and management”;– Must be billed under the physician's number;– Occurs in the physician's practice and is occurring under the physician's direct supervision; and– The services being furnished must be carried out by an individual who qualifies as an employee –

either W-2 employee or contracted employee.

CMS is focused on confirming that physicians are accurately documenting their involvement in certain clinical services. Billing according to a physician fee schedule

for services actually carried out by an NPP or mid level practitioner is a major compliance risk.

28

Office for Civil Rights ("OCR")

• The Office for Civil Rights has broad jurisdiction in the area of privacy, security and patient safety.

• OCR is the enforcement authority for the following:– HIPAA Privacy Rule, which protects the privacy of individually identifiable health information;– HIPAA Security Rule, which sets national standards for the security of electronic protected health

information;– HIPAA Breach Notification Rule, which requires covered entities and business associates to provide

notification following a breach of unsecured protected health information; and– The confidentiality provisions of the Patient Safety Rule, which protect identifiable information being

used to analyze patient safety events and improve patient safety.

• The 2014 OIG Work Plan specifically outlines a plan for determining the effectiveness of OCR's oversight of covered entities compliance with HIPAA and HITECH. This could result in an uptick in OCR enforcement activities and related audits.

29

Office for Civil Rights

• OCR has published those issues that it has investigated most frequently so that health care organizations can take steps to bolster compliance:

– Impermissible uses and disclosures of protected health information;– Lack of safeguards of protected health information;– Lack of patient access to their protected health information;– Uses or disclosures of more than the minimum necessary protected health information; and– Lack of administrative safeguards of electronic protected health information.

• The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

– Private Practices;– General Hospitals;– Outpatient Facilities;– Health Plans (group health plans and health insurance issuers); and,– Pharmacies.

30


• Today, the OCR is primarily focused on confirming that the Omnibus Rule has been effectively implemented.

• The Omnibus Rule took effect on March 26, 2013, though affected parties had until September 23, 2013, to come into compliance with most of its provisions. Primary areas of focus:

– Business Associate (“BA”) Relationships• Health information organizations, e-prescribing gateways, and entities that provide data

transmission services for protected health information (“PHI”) to a covered entity and that require access to PHI on a routine basis;

• Entities that offer personal health records to individuals on behalf of a covered entity; and• Subcontractors that create, receive, maintain, or transmit PHI on behalf of another business

associate.– BA HIPAA Obligations

• BAs are now subject to civil monetary penalties for violations.• Legally required to implement certain administrative, physical, and technical safeguards to

protect the confidentiality, integrity, and availability of PHI that they create, receive, maintain, or transmit.

• This has forced a broad redrafting of Business Associate Agreements ("BAAs").• But, many organizations have struggled to successfully inventory all BAAs and have been

scrambling to manage this process.

31


• Omnibus Rule primary areas of focus (continued):– Update Notices of Privacy Practices

• Covered entities to provide additional information in their Notices of Privacy Practices as to how PHI will (and will not) be used and disclosed.

– Policy Updates:• Procedures for using PHI for Fundraising• Marketing • Access

– Direction given about how to determine breaches of unsecured PHI• New definition of “breach of unsecured PHI”

– Covered entities and BAs are encouraged to update training.

32Additional Trend Area that UT Should MonitorThe Patient Protection and Affordable Care Act (PPACA)

• The planned changes to the health care system in the wake of the PPACA, are likely to have several anticipated (and unanticipated) implications for hospitals, provider organizations and health care systems like UT.

– Compliance with this new law will necessitate support from the Compliance.

• There is a possibility of higher insurance deductibles and more co-insurances which could impact patient behaviors, affect patient access, and influence financial results.

• It is expected that there will be a much greater emphasis on quality, patient satisfaction and other performance metrics.

– More reimbursement is likely to be tied to incentive programs.

• Considerable new regulations must be monitored.– Efforts and initiatives to comply with PPACA could impact compliance programs and could strain

resources.

• The expansion of Medicaid under PPACA could result in more denials and a shifting payor mix.

33Additional Trend Area that UT Should MonitorThe Patient Protection and Affordable Care Act

• Most experts expect some form of overcrowding in anticipation of the nearly 34 million uninsured that will enter the market in 2014 under the PPACA insurance mandate.

– This may place additional emphasis on care delivery in ambulatory settings.

• To address the potential for substantially increased patient volumes, organizational changes may be necessary ranging from differing intake procedures based on severity of care needed to more efficient use of bed space to redoubling efforts to lower readmission rates.

• The severity of audit and/or regulatory pressure (according to most experts) is likely to be gradually increased with many anticipating a grace period early on in the adoption of PPACA provisions.

34Compliance Risks Affecting Hospital SystemsRegulatory Framework and Environmental Survey

Summary• A recent survey of senior executives from major health care systems was focused on

gathering their opinions of pressing risk areas facing their organizations in the near to intermediate-term future.

• Not all of the identified risks would be considered "compliance" risks but those compliance risks mentioned were telling. The compliance risks outlined in the survey results included:

– Physician relationships– Preparedness for clinical automation including oversight of privacy and security of electronic

medical records– Increased enforcement initiatives and governmental challenge of overpayment for services (e.g.,

RAC, MIC, and ZPIC audits, Stark and Anti-kickback statutes, false claims, antitrust, etc.)– HITECH Act and HIPAA compliance

• While these resources and events provide context and perspective as to why certain areas might be considered “high-risk”, they are only a guide.

35Compliance Risks Affecting Hospital SystemsRegulatory Framework and Environmental Survey

Conclusion• The DOJ and the OIG continue to investigate and often prosecute individuals and

hospital organizations that have violated health care laws and regulations.

• Many of these cases involve fraudulent billing of Federal and state health care programs, as well as inappropriate relationships between physicians and hospitals, which may have violated the Anti-kickback statute and the Stark Law.

• A scan of the external environment can help signal issues that the DOJ, the OIG, and others (including OCR, NIH, and CMS) are prioritizing.

• An understanding of the external pressures, enforcement activities and planned audits of Federal and state regulators is vital to understanding the risk environment today.

36Dentons Locations

37Dentons Offices

Key Canada United States Europe Central and Eastern Europe Africa Middle East Asia Pacific

Offices Associate offices FacilitiesAssociate firms+ Special alliance firms

Calgary Edmonton Montréal Ottawa Toronto Vancouver

Atlanta Boston ChicagoDallas Kansas CityLos AngelesMiamiNew Orleans New York Phoenix San Francisco Short Hills Silicon Valley St. Louis Washington, DC

Barcelona Berlin Brussels Frankfurt Madrid ParisZurich

Bratislava Bucharest Budapest Istanbul Prague Warsaw

AccraAlgiersBissauBujumbura CairoCape TownCasablancaDar Es SalaamJohannesburgKampalaKigali+ LagosLuandaLusakaMaputoNairobiNouakchottPort LouisPraiaSão ToméTripoli

Abu Dhabi AmmanBeirut Doha Dubai Kuwait City Manama Muscat Riyadh

Beijing Hong Kong Shanghai Singapore

United Kingdom Russia and CIS Central Asia

London Milton Keynes

Kyiv Moscow St. Petersburg

AlmatyAshgabat Baku Tashkent

Documents

University of Texas System 2014 OIG Work Plan and 2014 CMS ... › sites › default › files › ... · 3/26/2014 · OIG Work Plan - 2014 6 Highlights Evaluation and Management