State Medicaid Programs Need to be Audit-Ready Now

Medicaid is hyper-focused on accountability like never before. States have always prioritized program integrity and responsibility, but the recent impacts of spending cuts and other policy updates have elevated oversight to a whole new level. The pressure is on to demonstrate that homecare funds are being used correctly and effectively.

Impact of Program Changes Puts a Spotlight on Spending and Accuracy 

When the 21st Century Cures Act was introduced to help curb fraud, waste, and abuse (FWA) and ensure that services billed were actually delivered, the focus was on implementation. That crucial first step — onboarding providers and getting systems live — required a lot of attention and resources. But with the initial phase’s conclusion, CMS’ scrutiny shifted from implementation to enforcement, and hasn’t subsided since. 

Audits have become a certainty rather than a possibility, and will likely increase in frequency due to this year’s Medicaid policy reform and funding reductions. The changes put pressure on states and providers, making the accurate and compliant use of every dollar even more critical. It’s clearly time to get audit-ready. 

Recent Audits Reveal Significant Compliance Gaps

Auditors are finding significant gaps in compliance across the country. Recent reports from the OIG and state comptrollers emphasize that simply implementing an EVV system is not enough. States must also prove that the system is being used correctly to deny improper claims.

Recent high-profile audits are a clear signal that states across the country need to prepare:

• Kansas: While Kansas implemented an EVV system, the OIG found it did not require all in-home personal care services to be recorded and verified within that system. The audit recommended implementing pre-pay validation to ensure strict Cures Act compliance.

• New Mexico: The audit focused on the qualifications of caregivers. The OIG estimated that 69% of personal care attendants did not meet state qualification requirements, raising major questions about quality of care and program integrity.

• New York: The state comptroller discovered the state spent more than $14 billion on Medicaid homecare services that did not have matching EVV records.

• Ohio: A state auditor found that the Ohio Department of Medicaid utilized EVV for only 44% of provider-paid claims in 2022 — meaning approximately 56% of all services paid were not processed in the EVV system.

The True Cost of Noncompliance is Immeasurable

Though audit failure is seen as an administrative headache, it’s actually a full-blown fiscal crisis. The Medicaid improper payment rate for 2024 stands at 5.09%, representing billions of dollars in potential waste. When state programs fail to align claims with EVV data, the consequences are severe and include:

• Repayment of funds: States may have to repay federal matching funds for services that cannot be verified. 
• Reputational damage: Audit findings are public. Reports that reveal unverified payments erode public trust and damage the credibility of Medicaid programs and their MCO partners.
• Loss of trust: Compliance failures can lead to tighter federal oversight, mandating strict corrective action plans that reduce state flexibility. 

Audit readiness is a fiscal stewardship issue. And to ensure that every dollar spent goes toward verified care for members who need it, states should be audit-ready at all times. To pass one, though, it’s important to understand the grading rubric.

Auditors are drilling down into specific data points to verify program integrity. Instead of simply confirming the presence of an EVV vendor, they’re asking about:

• Data completion: Are all six required EVV elements (date, location, service type, provider, member, and time) included and accurate? 
• Visit verification accuracy: Does every paid claim have a corresponding, verified EVV record?
• Timeliness and location alignment: Were any visits recorded outside of approved timeframes or locations?
• Evidence of oversight and provider follow-up: Can the state prove it is actively monitoring compliance and following up on exceptions?
• Documented correction or remediation actions: Are providers manually editing visit data without justification? High rates of manual overrides are a major red flag for fraud.

Build a Culture of Audit Readiness

Waiting for an audit notification letter is not a strategy. Readiness requires proactive, continuous internal monitoring and collaboration between program integrity and IT teams. Too often, they work in silos with IT managing vendors and program integrity teams managing fraud investigations. However, when teams coordinate to proactively review and analyze data, trends and patterns are easier to spot.

It’s imperative that states identify and fix vulnerabilities before the OIG does, so keep teams aligned and attuned to potential discrepancies. This approach also supports CMS’ push for data-driven oversight, which demonstrates active risk management.

HHAeXchange’s EVV HealthCheck Secures Compliance

Self-auditing is essential, but independent validation provides the certainty states need. Deploying a comprehensive, objective audit-readiness process often proves invaluable. Services like HHAeXchange’s EVV HealthCheck are designed to mirror the scrutiny of federal inspectors using a mock audit to pinpoint and help close vulnerabilities before they become public findings.

EVV HealthCheck evaluates all six required EVV elements and conducts a thorough comparison of paid claims against state aggregator EVV data. To quantify the financial impact of any findings, users receive a report detailing payments that aren’t backed by verified EVV records. The process also includes change-log reviews, provider interviews, and an assessment of state-level monitoring activities and controls 

States that leverage an independent third party to validate data demonstrate a commitment to transparency and compliance that aligns with CMS and OIG expectations. Acting now also signals recognition that the era of EVV leniency has ended. The adjustment period isn’t a defense against the cost of inaction, which — as seen with recent audits in New York, Ohio and New Mexico — is measured in billions.

State Medicaid programs should set standards that exceed basic compliance requirements and take a proactive stance on data integrity. Identifying gaps now can protect your state’s funding, reputation, and the vulnerable populations that rely on your services.

Learn how HHAeXchange partners with states and MCOs to strengthen EVV oversight and prepare for upcoming audits.