Hannah Bassett
Arizona Center for Investigative Reporting
March 14, 2024
In the 10 months since Arizona officials announced an investigation into massive Medicaid billing fraud, they’ve maintained the abuse was mostly limited to a small share of the Arizona Health Care Cost Containment System: behavioral health providers that exploited the agency’s fee-for-service plans.
But the agency acknowledged this week that fraud also spread into its managed care organizations, which oversee 90% of AHCCCS services—meaning the crisis ultimately affected the agency’s entire provider ecosystem, not just those highlighted as the epicenter of the scandal.
Gov. Katie Hobbs’ office told AZCIR this week that similarities in suspected fraud patterns exist across both fee-for-service and managed care, but that “it is still hard to determine the full scope of this crisis.”
The revelations follow a series of AZCIR inquiries to better understand AHCCCS decisions to quietly waive key provider screening requirements and other safeguards during the pandemic, several of which the agency did not disclose for the nearly two years they were in effect.
The changes relaxed standard protocols to vet AHCCCS providers, allowing a host of provider types beyond behavioral health operators to get taxpayer-funded reimbursements without undergoing standard screenings like fingerprint checks and site visits, according to documents obtained by AZCIR. AHCCCS also opted to halt routine audits and license verifications to detect and remove unqualified providers.
Fraudulent billing has cost Arizona taxpayers at least $2 billion, with the scandal—and the state’s response—harming more than 7,000 people and disproportionately affecting Indigenous communities. The true breadth remains unclear, however, in part because state leaders managing the response have not been forthcoming with the public, including lawmakers.
Officials’ lack of transparency raises questions about how effectively they are addressing the root causes of what Attorney General Kris Mayes has dubbed one of the largest scandals in state history. It also undercuts confidence in a system that is designed to support the state’s most vulnerable populations.
Since state officials launched investigations in May 2023, agency leader Carmen Heredia has publicly stated that she does not believe managed care had been compromised. When addressing state lawmakers as recently as this January, she made no reference to fraud within managed care or COVID-era changes that may have contributed to the crisis.
The Attorney General’s Office declined to comment on the policy changes or their impact, citing its ongoing investigation.
A meaningful accounting of the crisis and its origins is urgently needed, according to Alan Johnson, chief assistant state attorney for the 15th Judicial Circuit in Florida. Johnson has spent eight years grappling with corrupt addiction treatment operators and state neglect alongside his colleagues.
“I can recognize a mess when I see one,” he said, urging policymakers to examine where licensing and regulation systems broke down. “It’s a mess in Arizona.”
Medicaid agencies use screening measures like site visits and fingerprint checks to guard against bad actors, particularly when it comes to provider types considered prone to fraud, waste or abuse. These issues were a primary driver of improper Medicaid payments nationally in the years leading up to the pandemic, costing taxpayers an extra $10 billion.
When the federal government declared COVID a public health emergency in March 2020, it allowed AHCCCS and Medicaid programs nationwide to waive certain pre-enrollment screenings.
AHCCCS adjusted its provider enrollment portal accordingly that June, meaning moderate- to high-risk providers—from hospice and behavioral health facilities to attendant care and non-emergency medical transport—no longer needed to undergo site visits or fingerprint checks. The agency also disabled a feature that terminated providers with expired licenses within 180 days.
Internal documents obtained by AZCIR show that AHCCCS chief information officer Dan Lippert, who signed off on the portal changes, was aware the tweaks would allow minimally vetted providers entering the system to remain there “for a long time” unless the agency intervened.
Yet AHCCCS failed to fully detail the changes to managed care organizations, which account for the vast majority of its member services. By May 2022, when it finally circulated a “messaging toolkit” that alluded to the agency’s nearly two-year suspension of provider terminations, AHCCCS had already resumed standard provider screening and enrollment protocols.
That meant almost two years passed before AHCCCS informed managed care organizations of changes that allowed nefarious providers to more easily enter and remain active within AHCCCS’ provider portal. Had they been fully briefed on the policy changes, they could have considered employing additional fraud-prevention measures, such as more frequent audits.
Key internal divisions of AHCCCS—such as the agency’s Office of Inspector General or the Division of Member Provider Services—also could have implemented extra checks, such as prepayment reviews. But despite repeated pressing from AZCIR, the agency would not say whether it had alerted staff in those offices to the changes.
AHCCCS’ decision to pause screenings, audits and other safeguards coincided with a surge in enrollment, as a federal law barred Medicaid programs from dropping members during the public health emergency.
At the time, public health officials believed the benefits of increasing access to health care outweighed the possible harms of temporarily relaxing rules. Connecting vulnerable populations to care was particularly urgent in Arizona in the early months of the pandemic, when local tribal communities were among the hardest-hit in the United States.
“It was a tradeoff that we had to make at that point,” said Naomi Fener, director of population health at Families USA, a nonprofit health advocacy group that has supported Medicaid expansion. “We had to make a lot of really tough decisions with very little information.”
The scale of Arizona’s behavioral health crisis became evident in May 2023, when state and federal leaders gathered to announce a sweeping investigation into Medicaid fraud. Scammers had exploited the American Indian Health Plan, they said, and used the fee-for-service plan’s unique reimbursement structure to reap outsized profits under the guise of treatment.
From 2020 to 2022, AHCCCS member rolls increased by more than 30% to 2.5 million people, with behavioral health claims skyrocketing from $132 million to $668 million over the same period. Agency staffing levels remained flat, however, leaving AHCCCS without the personnel to investigate fraudulent claims in a timely manner, according to a 2022 Auditor General report.
The massive fraud schemes perpetuated by bad actors are “the largest that have targeted a single demographic population in recent U.S. history,” according to Melissa Rumley, spokesperson for the Office of Inspector General at the U.S. Department of Health and Human Services.
Though the state has suspended payments to nearly 300 behavioral health providers facing credible allegations of fraud, AZCIR previously found that leaders failed to anticipate the full impact of the resulting closures, which have put members of an already susceptible population at further risk of relapse, abuse, homelessness and even death.
Given that Arizona funnels more general fund dollars toward AHCCCS than anything other than education, it’s not surprising that fraudsters targeted the agency, said Dr. Dan Derksen, a professor of public health, medicine and nursing at the University of Arizona.
Combined with COVID-era health care trends, such as a shift toward telemedicine, the policy changes created an environment “where folks could fill-in-the-blank for services” that were never rendered, Derksen said.
“It’s a big program, and there’s a lot of money,” Derksen added. “It’s kind of like, why rob banks? It’s where the money is.”
The rapid expansion of AHCCCS’ member rolls made the agency even more susceptible to abuse, according to Gary Alexander, a director at the Paragon Health Institute, a health policy research group founded by a former Trump administration official.
“The bigger something gets and the more complex something gets, the greater the chance for fraud,” Alexander said, adding that while the flexibilities were in effect AHCCCS “should have gone in with a scalpel” to monitor for improper billing.
In June 2021, one year after the waiver went into effect, the Centers for Medicare and Medicaid Services (CMS) issued a bulletin outlining how states should step up monitoring and oversight of managed care organizations and provider screening protocols. The guidance followed a report by the Government Accountability Office calling on CMS to better coordinate with states to implement the requirements.
AHCCCS’ provider screening requirements remained relaxed for the next 10 months.
Officials are still contending with the fallout of the COVID-era decision to relax enrollment and screening protocols.
When AHCCCS returned to pre-pandemic policies in April 2022, it had identified 13,702 providers that did not have an active license on file, according to agency spokesperson Heidi Capriotti. The agency has since removed more than 44,000 providers that failed to revalidate their enrollment in the provider portal.
To stem improper payments, AHCCCS has halted new registrations for four of the 17 provider types that were able to enroll without undergoing site visits, including behavioral health outpatient clinics and residential facilities. The freeze for those providers will continue through June 8, 2024.
Though officials have publicly held that fraud is largely limited to AHCCCS’ division of fee-for-service, managed care organizations last year reported the highest number of suspected fraud, waste and abuse incidents since at least 2016, agency data obtained by AZCIR shows.
The trend started its climb in 2019, three years after AHCCCS assumed oversight of behavioral health services from the Arizona Department of Health Services. Capriotti said AHCCCS does not have data that would indicate the interagency move directly contributed to increased fraud.
Arizona lawmakers introduced new legislation in 2024 that aims to strengthen oversight and enforcement of behavioral health providers by revising how some are defined, and increasing penalties for violations. But Alan Johnson, the chief assistant state attorney in Florida who dealt with similar fraud, cautioned against enacting reforms before there is a complete understanding of the crisis and its origins.
“If you do it in a way that’s haphazard, you will have unintended consequences,” Johnson said. “You will have (treatment providers) that will tamp down the effectiveness of the legislation.”
It’s likely that AHCCCS and federal public health experts will begin examining the impact that provider screening and enrollment flexibilities had on program integrity once agencies finish updating their member rolls, said Natasha Murphy, director of health policy at the Center for American Progress.
Some efforts are already underway. In late 2022, the Government Accountability Office published a report exploring risks posed by provider enrollment waivers and flexibilies. It found that CMS should maintain, rather than waive, fingerprint-based criminal background checks during future public health emergencies.