Georgia Medicaid Fraud, Waste, and Abuse and Program Integrity: A Complete Guide to Section 1128, the False Claims Act, and Georgia Implementation

::: hero Georgia Medicaid Fraud, Waste, and Abuse and Program Integrity

Program integrity is the federal compliance scaffolding that keeps Medicaid honest. Families rarely encounter it directly, but it shapes every claim that flows through Medicaid, every audit that lands on a nursing home, every exclusion that removes a bad-actor provider from the network, and every overpayment recovery letter that arrives in a mailbox.

When a parent's nursing home suddenly stops accepting Medicaid because the facility was excluded under Section 1128 of the Social Security Act, when a home health agency closes overnight because the Medicaid Fraud Control Unit raided it, or when a senior gets a letter demanding repayment of years of "improperly paid" benefits, the family is bumping up against program integrity.

This guide translates Georgia's program integrity framework for families. We walk through the federal statutory architecture, explain how the Department of Community Health Office of Inspector General and the Georgia Medicaid Fraud Control Unit operate, and show how program integrity decisions affect access to care. The goal is not to teach families how to commit or avoid fraud but to demystify a system that can otherwise feel arbitrary and frightening when it touches a family member's care.

If you have just received an overpayment notice, a provider exclusion notice, or a fair hearing summons related to program integrity, call DCH Member Services at 1-866-211-0950 and Georgia Legal Services Program at 1-833-457-7529 today. These are time-sensitive matters with strict appeal deadlines. :::

::: callout Key takeaways

1. Program integrity is federal. Sections 1902(a)(64), 1903(i), 1128, 1128A, 1128B, 1128C, 1128J, and 1936 of the Social Security Act, along with 42 CFR Part 455 and the federal False Claims Act, create the framework. Georgia implements it.
2. Two state agencies do the work. The Department of Community Health Office of Inspector General handles audits and overpayment recovery. The Medicaid Fraud Control Unit at the Attorney General's office handles criminal and civil prosecution of provider fraud.
3. Provider screening is risk-based. All Medicaid providers undergo enrollment screening. Moderate-risk providers get site visits; high-risk providers get fingerprint-based background checks.
4. Exclusion removes providers from the network. Section 1128 exclusions are listed on the HHS-OIG List of Excluded Individuals/Entities. Excluded providers cannot bill any federal or state Medicaid program.
5. The 60-day rule applies. Providers must report and return identified overpayments within 60 days. Failure triggers False Claims Act liability under Section 1128J.
6. Whistleblowers can sue on behalf of the government. The federal False Claims Act and the Georgia State False Medicaid Claims Act both have qui tam provisions allowing private relators to file fraud suits and share in recoveries.
7. Member overpayment notices are appealable. Many "fraud" cases against members are simple eligibility errors. Members have fair hearing rights through DCH.
8. Identity theft is reportable. Members whose Medicaid number is stolen can clear their records by reporting to DCH OIG and law enforcement. :::

The federal statutory foundation

By Brevy Care Team · Last verified May 12, 2026

Program integrity in Medicaid is one of the most heavily layered areas of federal law. Eight separate sections of the Social Security Act and multiple cross-cutting federal statutes combine to create the framework. Understanding the architecture matters because every Georgia program integrity action traces back to a specific federal authority.

Section 1902(a)(4): proper and efficient administration

The state-plan requirement at Section 1902(a)(4) says that each state Medicaid plan must provide methods of administration as the Secretary of Health and Human Services finds necessary for the proper and efficient operation of the plan. This catch-all administrative provision is the foundation on which CMS has built decades of program integrity guidance, audit requirements, and compliance expectations. When CMS tells Georgia it must do something about a particular fraud pattern, the legal authority is almost always traceable to Section 1902(a)(4).

Section 1902(a)(27): provider record-keeping

Providers must keep records as necessary fully to disclose the extent of services provided to Medicaid beneficiaries and to furnish information to the state agency upon request. This is the statutory basis for provider record retention. Georgia Medicaid requires providers to keep records necessary to document services and furnish information to the state agency, and providers must produce records on demand during audits.

Section 1902(a)(30)(A): payment integrity

Payments must be consistent with efficiency, economy, and quality of care. This is the payment integrity authority. When DCH challenges an excessive or inappropriate payment, the underlying authority is typically Section 1902(a)(30)(A).

Section 1902(a)(64): program integrity safeguards

Added by the Omnibus Budget Reconciliation Act of 1986, this section requires state plans to provide for safeguards against unnecessary utilization of care and services. It is the statutory basis for the surveillance and utilization review subsystems (SURS) that Georgia DCH runs to identify outlier providers.

Section 1903(i): denial of federal financial participation

This section authorizes denial of federal financial participation (FFP) for various improper payments, including payments to excluded providers, payments without required documentation, and payments for services rendered by unenrolled providers. This is the financial enforcement lever: if Georgia pays an improper claim, the federal government can refuse to match it, leaving Georgia on the hook for the state share plus the federal share.

Section 1903(q): MFCU funding

This section provides 90 percent federal matching funds for state Medicaid Fraud Control Unit operations, contingent on certification by the HHS Office of Inspector General. Georgia's MFCU is annually certified and receives this enhanced match.

Section 1124: provider ownership disclosure

Providers must disclose ownership and control information, including persons who own five percent or more of the provider entity. This disclosure is part of provider enrollment and revalidation.

Section 1128: exclusions

This is the centerpiece of federal program integrity. Section 1128 authorizes the Secretary, acting through HHS-OIG, to exclude individuals and entities from participation in federal health care programs (including Medicaid).

Mandatory exclusions under Section 1128(a) apply when an individual or entity has been convicted of:

• A criminal offense related to delivery of items or services under Medicare or any state health care program
• A criminal offense related to patient abuse or neglect
• A felony related to health care fraud
• A felony related to controlled substances

Mandatory exclusions carry a statutory minimum period for first offenses.

Permissive exclusions under Section 1128(b) apply for a range of conduct including:

• Misdemeanor convictions for health care fraud
• Misdemeanor convictions related to controlled substances
• License revocation or suspension
• Exclusion or suspension from any federal or state health program
• Submission of false claims
• Anti-kickback violations
• Default on Health Education Loan or scholarship obligation

Permissive exclusions are time-limited based on the conduct.

Section 1128A: civil monetary penalties

Authorizes HHS-OIG to impose civil monetary penalties (CMPs) for violations including false claims, kickbacks, employment of excluded individuals, and emergency room "patient dumping." Penalties are indexed for inflation and can include treble damages.

Section 1128B: criminal penalties

Establishes the federal criminal Medicaid fraud statute, the federal Anti-Kickback Statute (Section 1128B(b)), and other criminal provisions. The Anti-Kickback Statute is one of the most powerful federal fraud authorities; it prohibits knowingly and willfully soliciting, receiving, offering, or paying any remuneration in return for referrals.

Section 1128C: Medicaid Fraud Control Units

Establishes the MFCU program. Requires each state (with very limited exceptions) to operate a federally certified MFCU.

Section 1128J: overpayment reporting (the 60-day rule)

Added by Section 6402(a) of the Affordable Care Act of 2010 (P.L. 111-148), Section 1128J(d) requires providers to report and return identified overpayments within 60 days of identification. Failure to report and return an identified overpayment triggers False Claims Act liability with treble damages and per-claim penalties.

The 60-day rule has driven extensive compliance investment by providers, who must now actively look for and return overpayments. CMS issued a final rule in 2016 (81 FR 7654) implementing the Medicare side; an analogous Medicaid framework operates under Section 1128J directly.

Section 1936: Recovery Audit Contractors

Authorizes Recovery Audit Contractors to identify Medicaid overpayments and underpayments. RACs are paid on a contingency basis (a percentage of recoveries). Georgia's Medicaid RAC reviews claims and identifies improper payments for recovery.

The Deficit Reduction Act of 2005

Section 6034 of the DRA (P.L. 109-171) created the Medicaid Integrity Program (MIP), authorizing dedicated federal funding for Medicaid program integrity. Section 6035 created the Medicaid Integrity Group at CMS (now consolidated within the Center for Program Integrity). The DRA also incentivized states to adopt False Claims Acts that mirror the federal statute by offering enhanced state shares of recoveries; this is why Georgia and many other states have state FCAs.

The Affordable Care Act of 2010

Section 6402 of the ACA substantially enhanced federal program integrity:

• Section 6401 ACA (codified at Section 1902(a)(77) SSA): enhanced provider screening with risk-based categories
• Section 6402(a): added the 60-day overpayment rule at Section 1128J
• Section 6402(h) (codified at 42 CFR 455.23): suspension of payments pending credible allegation of fraud
• Section 6411 ACA (codified at Section 1936 SSA): expanded RACs to Medicaid
• Enhanced data-sharing between Medicare and Medicaid

These provisions collectively shifted Medicaid program integrity from a reactive posture (recovering identified overpayments) to a more proactive posture (preventing fraud through screening, suspending suspected fraudsters, and requiring providers to self-report).

The substantive fraud authorities

Beyond the program integrity statutes within Title XIX itself, federal and Georgia prosecutors use four substantive fraud authorities to pursue Medicaid wrongdoers.

Federal False Claims Act (31 U.S.C. §3729 et seq.)

The FCA is the primary civil fraud statute used to recover damages from those who submit false claims to the federal government. It provides:

• Treble damages (three times the actual damages)
• Per-claim penalties (indexed annually for inflation)
• Qui tam provisions allowing private relators (whistleblowers) to file suit on behalf of the United States

In a qui tam case, the relator files a sealed complaint that the Department of Justice investigates. DOJ may intervene and take over the case, in which event the relator receives a statutory share of any recovery. If DOJ declines, the relator may pursue the case alone, in which event the relator receives a higher statutory share of any recovery.

The FCA applies to Medicaid claims because federal funds are involved. Every false Medicaid claim submitted in Georgia is potentially actionable under the FCA.

Federal Anti-Kickback Statute (42 U.S.C. §1320a-7b(b))

The AKS prohibits knowingly and willfully soliciting, receiving, offering, or paying any remuneration in return for referrals for items or services reimbursable under a federal health care program. It is a criminal statute with substantial criminal penalties per violation and also triggers FCA liability through the ACA-codified "tainted claims" theory at Section 1128B(g) (which says a claim resulting from a kickback violation is a false claim under the FCA).

The AKS has numerous statutory exceptions and regulatory "safe harbors" at 42 CFR 1001.952. Compliance with a safe harbor protects the conduct.

Physician Self-Referral (Stark) Law (42 U.S.C. §1395nn)

The Stark Law prohibits physician self-referrals to entities with which the physician has a financial relationship for "designated health services" unless an exception applies. Designated health services include clinical lab, imaging, DME, home health, outpatient prescription drugs, and other categories.

Stark is a strict-liability statute: no intent is required. Either the physician structures the financial relationship within an exception, or the referral is prohibited. Stark primarily applies to Medicare but extends to Medicaid through Section 1903(s).

Federal health care fraud statute (18 U.S.C. §1347)

A general criminal statute prohibiting schemes to defraud health care programs, carrying substantial prison sentences. Often charged alongside the AKS, false statements (18 U.S.C. §1035), wire fraud (18 U.S.C. §1343), and money laundering (18 U.S.C. §1956).

Federal program integrity regulations

42 CFR Part 455: program integrity

This is the core federal regulation governing state Medicaid program integrity. It has six subparts:

• Subpart A (general): state agency obligations to maintain methods, criteria, and procedures for prevention, detection, and identification of fraud, waste, and abuse
• Subpart B (disclosures): provider ownership disclosure requirements
• Subpart C (screening): provider screening at enrollment and revalidation
• Subpart D: unused
• Subpart E: Medicaid Drug Use Review
• Subpart F (RACs): Recovery Audit Contractor requirements

42 CFR 455.23: payment suspension for credible allegation of fraud

This regulation, added pursuant to ACA Section 6402(h), requires state agencies to suspend Medicaid payments to providers against whom a credible allegation of fraud has been made. Suspension is mandatory unless good cause exists not to suspend.

Good cause exceptions include:

• Law enforcement requests that suspension not occur (because it would jeopardize the investigation)
• Lack of access to care for Medicaid beneficiaries (a provider serving an underserved population whose loss would compromise access)
• Suspension would damage the state's relationship with a provider beyond the value of the suspension

Payment suspension is severe because it predates conviction. A credible allegation alone triggers suspension. Providers may seek good-cause exception.

Provider screening risk categories (42 CFR 455.450)

CMS classifies Medicaid providers into three risk levels:

Limited risk: Most providers (physicians, hospitals, nurse practitioners, dentists). Screening includes license verification, LEIE check, SAM check, and database checks.

Moderate risk: DME suppliers, ambulance services, opioid treatment programs, home health agencies (revalidating), portable x-ray providers, IDTF (independent diagnostic testing facilities). All limited-risk screening plus unannounced site visits.

High risk: Newly enrolling home health agencies, newly enrolling DME suppliers, and any provider category that CMS designates as high risk. All moderate-risk screening plus fingerprint-based criminal background checks of all owners with five percent or more interest.

CMS may temporarily elevate risk levels (for example, in response to a fraud surge in a particular geographic area or provider type).

HHS-OIG exclusion regulations (42 CFR Part 1001)

Detail the exclusion process: investigation, notice, hearing, judicial review, length of exclusion, and reinstatement.

Civil monetary penalty regulations (42 CFR Part 1003)

Detail the CMP process: investigation, notice, hearing, judicial review, and collection.

MFCU regulations (42 CFR Part 1007)

Detail MFCU operations: 90 percent federal match, certification process, operational standards, and federal oversight.

Georgia program integrity infrastructure

Department of Community Health Office of Inspector General

The DCH OIG is housed within DCH and is the primary state program integrity entity. Its functions include:

• Provider audits and overpayment recovery. DCH OIG audits providers across all Medicaid service categories. Common audit targets include personal care services, home health, transportation, DME, dental, behavioral health, and pharmacy.
• Provider enrollment screening. DCH OIG coordinates enrollment screening and revalidation, including LEIE checks, SAM checks, license verification, site visits for moderate-risk providers, and fingerprint-based background checks for high-risk providers.
• Member eligibility audits. DCH OIG audits member eligibility determinations and can pursue overpayment recovery against members in cases of fraud or eligibility error.
• Surveillance and utilization review. DCH OIG runs SURS to identify outlier providers and members for further investigation.
• Coordination. DCH OIG coordinates with the Georgia MFCU (provider fraud prosecution), the federal UPIC (federal contractor audits), the federal RAC, and HHS-OIG.
• Provider exclusion administration. DCH OIG administers the Georgia provider exclusion list.

Georgia Medicaid Fraud Control Unit

The Georgia MFCU is housed at the Office of the Attorney General. Its jurisdiction includes:

• Criminal prosecution of Medicaid provider fraud. Prosecutes providers who submit false claims, accept kickbacks, or engage in other criminal conduct.
• Civil prosecution of Medicaid provider fraud. Pursues civil False Claims Act cases under federal and state law.
• Patient abuse and neglect in Medicaid facilities. Investigates and prosecutes abuse and neglect of residents in Medicaid-funded nursing homes, intermediate care facilities, and other settings.
• Recovery of misappropriated funds. Pursues recovery of Medicaid funds misappropriated by providers or by facility operators handling resident funds.
• Coordination. Coordinates with U.S. Attorney's offices, the federal HHS-OIG, federal contractors, DCH, and other states' MFCUs.

The MFCU does NOT investigate member fraud (eligibility fraud committed by beneficiaries). That falls to DCH OIG and DFCS.

Georgia State False Medicaid Claims Act

O.C.G.A. §49-4-168 et seq. is Georgia's state-level False Medicaid Claims Act. It mirrors the federal FCA with treble damages, per-claim penalties, and qui tam provisions. Because the federal Deficit Reduction Act of 2005 incentivized states to adopt FCAs that meet federal standards (the state receives an enhanced share of FCA recoveries if its state FCA is HHS-OIG certified), Georgia's State False Medicaid Claims Act is HHS-OIG certified and has been a significant recovery tool.

Coordination with federal contractors

UPIC Southeast. The federal Unified Program Integrity Contractor for the southeastern region (which includes Georgia) conducts audits, investigations, and case development. The UPIC operates under CMS direction and coordinates closely with DCH OIG and the Georgia MFCU.

Medicaid RAC. A federal contractor audits Georgia claims for improper payments under Section 1936 SSA. RACs are paid on contingency.

HHS-OIG Region IV. Atlanta is the headquarters of HHS-OIG Region IV, which includes Georgia. Region IV conducts audits, evaluations, and investigations affecting Georgia's Medicaid program. HHS-OIG audits have shaped much of how Georgia implements program integrity.

Georgia Composite Medical Board and other licensure intersection

Provider exclusions often follow license actions. When the Georgia Composite Medical Board revokes or suspends a physician's license, the physician becomes eligible for permissive exclusion under Section 1128(b)(4). The same dynamic applies to the Georgia Board of Nursing, the Georgia Board of Pharmacy, and other licensure boards.

Georgia Healthcare Facility Regulation Division

The Healthcare Facility Regulation Division of the Department of Public Health licenses nursing homes, hospitals, home health agencies, and other facilities. When HFR Division finds substandard care, that finding can trigger DCH OIG and MFCU investigation.

How provider audits work

DCH OIG, UPIC, RAC, and HHS-OIG all conduct provider audits. The typical sequence:

Step 1: Audit notification

The audit contractor sends the provider a notification letter identifying the audit period, the scope, and the records requested. Providers have a deadline (typically 30 to 45 days) to produce records.

Step 2: Record review

Auditors review medical records against billed claims. They look for:

• Missing documentation entirely
• Insufficient documentation (records that do not support the billed level of service)
• Documentation that does not support medical necessity
• Billing for services not rendered
• Upcoding (billing for a higher level of service than was rendered)
• Unbundling (separately billing services that should be bundled)
• Duplicate billing
• Services rendered by unenrolled or excluded providers
• Services rendered outside scope of practice

Step 3: Findings letter

The auditor sends a findings letter identifying errors and the dollar amount of the proposed recovery. For statistical sampling audits, the auditor extrapolates the error rate to the universe of claims, which can produce large dollar amounts from a small sample.

Step 4: Provider response

The provider may dispute the findings through informal review. The provider may supplement documentation, dispute medical necessity determinations, or challenge the statistical methodology.

Step 5: Administrative appeal

If the dispute is not resolved informally, the provider may request a formal administrative appeal. In Georgia, this typically goes through the Office of State Administrative Hearings (OSAH).

Step 6: Judicial review

After exhaustion of administrative remedies, the provider may seek judicial review in superior court.

Step 7: Repayment

If the provider does not prevail, the provider must repay the overpayment. DCH OIG can recover by direct collection, by offset against future claims, by withholding of payments, or by other means.

Step 8: Reporting to HHS-OIG and possible exclusion

Significant overpayment determinations are reported to HHS-OIG and can trigger consideration of permissive exclusion under Section 1128(b)(6) (claims for excessive charges or unnecessary services) or Section 1128(b)(7) (fraud, kickbacks, and other prohibited activities).

The 60-day overpayment rule

Section 1128J(d) SSA, added by ACA Section 6402(a), requires providers to:

1. Report any identified overpayment
2. Return the overpayment within 60 days of identification (or the date a corresponding cost report is due, if later)
3. Provide written notification of the reason for the overpayment

Failure to report and return an identified overpayment triggers False Claims Act liability. This has profoundly changed provider behavior: providers now must actively look for overpayments, and once identified, the clock is ticking.

"Identification" is a contested concept. CMS has taken the position that an overpayment is "identified" when a person has, or should through reasonable diligence have, determined that the person received an overpayment and quantified the amount. The Second Circuit's decision in United States ex rel. Kane v. Continuum Health Partners, Inc., 798 F. Supp. 2d 472 (S.D.N.Y. 2015) and subsequent guidance have emphasized that reckless disregard of red flags can constitute identification.

Civil monetary penalties

Section 1128A SSA authorizes HHS-OIG to impose CMPs for a range of violations. Examples include:

• False claims: significant per-claim penalties plus treble damages
• Kickbacks: significant per-violation penalties plus treble damages
• Employment of excluded individuals: significant penalties per item or service
• Patient dumping (EMTALA violations): significant per-violation penalties
• Failure to grant access to HHS-OIG: significant per-day penalties
• Solicitation of inducements from beneficiaries: significant per-violation penalties

All CMPs are indexed for inflation annually.

DCH also has authority under state law to impose state CMPs for various violations.

Exclusion under Section 1128

Exclusion is the most powerful federal program integrity remedy. An excluded individual or entity:

• Cannot be reimbursed by any federal or state Medicaid, Medicare, CHIP, VA, TRICARE, or other federal health care program
• Cannot be employed by, or contract with, any provider that bills federal health care programs
• Is listed on the HHS-OIG List of Excluded Individuals/Entities (LEIE)

Providers must check the LEIE before hiring or contracting with any individual. Failure to do so can trigger CMPs and additional exclusion of the hiring provider.

Length of exclusion

• Mandatory exclusions (Section 1128(a)): statutory minimum period for first offense, longer for repeat offenses
• Permissive exclusions (Section 1128(b)): time-limited based on the conduct, typically one to ten years
• Lifetime exclusions: certain very serious conduct (multiple convictions, conviction of patient harm offenses)

Reinstatement

After the exclusion period, the individual or entity must apply for reinstatement to HHS-OIG. Reinstatement is not automatic; HHS-OIG must affirmatively reinstate.

Georgia state exclusion

Georgia DCH maintains its own state exclusion list. State exclusions can be coordinated with federal exclusions or imposed independently for conduct that meets state but not federal standards.

Suspension of payment under 42 CFR 455.23

When DCH OIG receives a credible allegation of fraud, it must suspend Medicaid payments to the provider unless good cause exists not to suspend. A credible allegation comes from many sources:

• A fraud hotline tip
• A whistleblower complaint
• An audit finding
• A criminal indictment
• A referral from another agency
• Information developed in a separate case

Suspension is severe. The provider cannot receive Medicaid payment until the investigation resolves. For providers heavily dependent on Medicaid revenue, suspension can force closure within weeks.

Good-cause exceptions allow continued payment under specified conditions. The most common good-cause exception is access to care: if suspension would deprive Medicaid beneficiaries of necessary services with no alternative provider available, DCH may grant good cause to continue payment, often with enhanced monitoring.

Provider screening and enrollment

Georgia DCH screens all enrolling providers and revalidates periodically based on risk level.

Limited-risk screening

For most providers, screening includes:

• License verification with the relevant board
• LEIE check (federal exclusion list)
• SAM check (federal debarment/suspension list)
• State exclusion list check
• Death Master File check
• Application fee payment

Moderate-risk screening

For DME, ambulance, opioid treatment programs, revalidating home health, and certain other categories: all limited-risk screening plus unannounced site visits.

High-risk screening

For newly enrolling home health, newly enrolling DME, and certain other categories: all moderate-risk screening plus fingerprint-based criminal background checks of all owners with five percent or more interest.

CMS may temporarily elevate the risk level for specific provider types in specific geographic areas in response to fraud surges. The Atlanta metro area has periodically been subject to elevated screening for personal care services and home health.

Common program integrity actions

Personal care service fraud

Personal care services (PCS) are home and community-based services that help with activities of daily living. PCS fraud has been a major focus of Georgia MFCU and DCH OIG enforcement. Common fraud patterns include:

• Billing for services not rendered (the personal care assistant did not show up)
• Billing for services to deceased or hospitalized members
• Billing for services provided by an unauthorized person
• Billing for hours that exceed the authorized care plan
• Kickbacks for member referrals

The 2014 implementation of Electronic Visit Verification (EVV) under Section 12006 of the 21st Century Cures Act (P.L. 114-255) has reduced some PCS fraud by requiring electronic verification of visit times and locations, but fraud has continued in adapted forms.

Home health fraud

Home health agencies have been a major target. Common patterns include:

• Billing for visits not rendered
• Inflating the level of care
• Falsifying physician orders
• Kickbacks for physician referrals
• Patient brokering

Pharmacy fraud

Pharmacy fraud includes:

• Billing for prescriptions not dispensed
• Substituting cheaper generics while billing for brand name
• Kickbacks for prescribing physicians
• Doctor shopping facilitation
• Diversion of controlled substances

Durable medical equipment fraud

DME fraud has been particularly intense in metro Atlanta, focused on:

• Diabetic supplies (test strips, lancets)
• Compounded creams
• Power wheelchairs and scooters
• Orthotic braces
• CPAP supplies

Dental fraud

Pediatric dental fraud in Medicaid has been a significant enforcement focus. Patterns include:

• Billing for services not rendered
• Performing unnecessary procedures
• Kickbacks for transportation services
• Forged consent forms

Behavioral health fraud

Behavioral health (counseling, group therapy, intensive outpatient) fraud patterns include:

• Billing for therapy sessions not rendered
• Billing one-on-one when only group was provided
• Failing to maintain progress notes
• Using unqualified staff billed as licensed clinicians
• Kickbacks for referrals (particularly through sober living facilities)

Telehealth fraud

Post-pandemic expansion of telehealth has created new fraud opportunities:

• Billing for telehealth visits not rendered
• Billing for telephone calls as full video visits
• Patient solicitation through telemarketing followed by fictitious telehealth visits
• Cross-state schemes using unlicensed providers

Members and program integrity

Most program integrity activity targets providers, but members can also encounter program integrity:

Member eligibility audits

DCH OIG audits member eligibility determinations and can pursue overpayment recovery against members in cases of fraud or eligibility error. Common scenarios:

• Income misrepresentation
• Asset misrepresentation
• Household composition misrepresentation
• Failure to report changes
• Improper use of someone else's Medicaid number

In many cases, what looks like fraud is actually an eligibility error or a reporting failure that can be corrected through the fair hearing process.

Member fair hearing rights

Under 42 CFR Part 431 Subpart E, members are entitled to a fair hearing on any adverse action. Members who receive an overpayment notice or a disqualification notice can request a fair hearing within the deadline (typically 30 days from notice).

In the fair hearing, the member can:

• Challenge the factual basis for the adverse action
• Present evidence of eligibility
• Argue for exception or mitigation
• Be represented by counsel

Georgia Legal Services Program (1-833-457-7529) and Atlanta Legal Aid Society (404-524-5811) can represent members in fair hearings free of charge.

Identity theft

Medicaid identity theft is a growing problem. Members can encounter:

• Stolen Medicaid number used for prescription fraud
• Card sharing (sometimes pressured by family or acquaintances)
• Bogus claims billed in the member's name

Members whose Medicaid number is stolen should:

1. Report to DCH OIG immediately
2. File a police report
3. Contact credit reporting agencies
4. Cooperate with investigation

The member is generally not liable for fraudulent claims billed by others, but documentation matters.

Member compliance obligations

Members have ongoing compliance obligations:

• Report changes in income, assets, household, and address promptly
• Cooperate with eligibility redeterminations
• Use Medicaid card only for authorized purposes
• Cooperate with quality and utilization reviews
• Cooperate with fraud investigations

Failure to cooperate can result in eligibility termination and, in cases of fraud, prosecution.

Whistleblowers and qui tam relators

The federal False Claims Act and the Georgia State False Medicaid Claims Act both authorize private citizens (relators) to file fraud suits on behalf of the government.

How qui tam works

1. Relator files a sealed complaint in federal court (and in state court for state FCA cases) along with a disclosure statement to the Department of Justice (and the Georgia Attorney General for state cases).
2. Government investigates under seal. The seal period is initially 60 days but is routinely extended for years while DOJ investigates.
3. Government intervenes or declines. If DOJ intervenes, DOJ takes the lead. If DOJ declines, the relator may pursue the case alone.
4. Litigation or settlement. Most FCA cases settle.
5. Relator share. If DOJ intervened, the relator receives a statutory share of the recovery. If DOJ declined, the relator receives a higher statutory share.

Who are relators?

• Current or former employees who witness fraud
• Compliance officers who report internally and are rebuffed
• Competitors who observe fraud in the marketplace
• Patients or family members who observe billing fraud
• Subcontractors and vendors

Whistleblower protections

Both federal and state FCAs prohibit retaliation against employees who report or investigate fraud. Protections include:

• Reinstatement
• Double back pay
• Litigation costs and attorney fees
• Special damages

Whistleblower lawyers typically work on contingency, taking a percentage of any recovery.

How program integrity affects families

When a provider is excluded

When a provider is excluded under Section 1128, members served by that provider must transition to alternative providers. DCH and Medicaid managed care plans facilitate the transition. For nursing home residents, the long-term care ombudsman (1-866-552-4264) is critical because residents have federal transfer protections under 42 CFR 483.15.

When a provider closes after a raid or investigation

When the Georgia MFCU or federal authorities raid a provider, members may experience interruption. DCH coordinates with managed care plans (Amerigroup, Peach State, CareSource) to ensure continuity of care. Members should:

• Contact their managed care plan or PeachCare for help finding a new provider
• Request medical records before they become difficult to obtain
• Maintain receipts for any out-of-pocket spending during transition

When you receive an overpayment notice

Family members who receive Medicaid overpayment notices should:

1. Read the notice carefully and note the appeal deadline
2. Request a fair hearing within the deadline (typically 30 days)
3. Gather documentation of eligibility and circumstances
4. Consider legal representation through Georgia Legal Services Program (1-833-457-7529) or Atlanta Legal Aid Society (404-524-5811)
5. Do not ignore the notice; failure to respond results in default

When you suspect provider fraud

If a family member suspects fraud (for example, a personal care assistant who is billing for hours not worked), report to:

• Georgia MFCU complaint line: 404-656-3408
• DCH OIG
• HHS-OIG hotline: 1-800-447-8477

Reporting can be anonymous. The MFCU does not subject reporters to retaliation, and federal whistleblower laws protect employees who report.

When you witness elder abuse in a nursing home

Elder abuse and neglect in a Medicaid-funded nursing home is within MFCU jurisdiction (Section 1128C). Report to:

• Georgia MFCU complaint line: 404-656-3408
• Georgia Long-Term Care Ombudsman: 1-866-552-4264
• Georgia Adult Protective Services
• The state survey agency (Healthcare Facility Regulation Division)

Worked examples

These examples illustrate how program integrity operates in practice.

Eleanor, 78, Atlanta: nursing home Section 1128 exclusion

Eleanor has been a resident of a 120-bed Atlanta nursing home for two years. Her family receives a letter from the facility administrator stating that the facility has been excluded from Medicaid effective in 90 days and that all residents must transition to other facilities. The family is alarmed.

What happened: The facility's owner was convicted of health care fraud in connection with a separate facility owned in another state. That criminal conviction triggered a mandatory five-year exclusion under Section 1128(a)(1). The exclusion applies to the owner personally, and because the owner has more than five percent ownership in the Atlanta facility, the facility itself is also derivatively excluded (a provider that employs or contracts with an excluded person is itself subject to CMP and potential exclusion under Section 1128(b)(8)).

Family response: The family contacts the Georgia Long-Term Care Ombudsman (1-866-552-4264). The ombudsman explains Eleanor's federal transfer protections under 42 CFR 483.15: the facility must provide 30 days' notice, prepare a discharge summary, assist with relocation, and ensure that the receiving facility can meet Eleanor's needs. The family identifies three potential receiving facilities through the Georgia Medicaid nursing home directory. The ombudsman participates in the discharge planning. After 90 days, Eleanor relocates to a new facility that continues her Medicaid coverage seamlessly. The original facility's owner is barred from Medicaid for five years and must apply for reinstatement at the end of that period.

Marcus, 45, Macon: home health agency raided

Marcus has spinal cord injury and receives home health services through an agency. He depends on the agency for wound care twice a week and PT three times a week. One Tuesday morning, his scheduled nurse does not arrive. Marcus calls the agency and gets no answer. By afternoon, he sees on the news that the agency was raided by the Georgia MFCU.

What happened: The MFCU executed a search warrant at the agency in connection with a criminal investigation alleging that the agency had billed Medicaid for visits not rendered and had paid kickbacks to a referring physician. Under 42 CFR 455.23, DCH immediately suspended Medicaid payments to the agency pending investigation. The agency, dependent on Medicaid revenue, ceased operations.

Family response: Marcus calls Peach State Health Plan (his Medicaid managed care plan) member services. The plan's case manager Andrea identifies three alternative home health agencies in Macon that can take Marcus. Andrea expedites authorizations and coordinates transfer of orders from Marcus's physician to the new agency. Within four days, Marcus has a new nurse providing wound care. The new agency obtains Marcus's records from the old agency through a CMS-mandated continuity-of-care provision. The MFCU investigation proceeds; Marcus is not a target and is not personally affected beyond the temporary disruption.

Aisha, 32, Savannah: personal care provider overpayment recovery

Aisha receives 25 hours per week of personal care services for her chronic illness, provided through a small agency in Savannah. Aisha receives a letter from DCH OIG indicating that the agency has been audited and that there are overpayments dating back two years. Aisha is confused because she received the services.

What happened: DCH OIG audited the agency. The audit found that the agency had documented Aisha's care correctly but had billed at a higher level (level 2) than the level Aisha was authorized for (level 1). The overpayment is against the agency, not Aisha. DCH OIG is recovering from the agency, and the agency is fighting the audit findings.

Family response: The DCH OIG letter to Aisha is not a demand for repayment from Aisha; it is a notice that her care provider is under audit and that Aisha may continue to receive services normally. Aisha calls Disability Rights Georgia (404-885-1234) for guidance. They confirm that members are generally not financially liable for provider billing errors and that Aisha's services should continue uninterrupted. If the agency exits the Medicaid program as a result of the audit, Aisha will need to transition to another agency, and DCH will facilitate that transition.

Jamil's mother, 67, Atlanta: DCH OIG demanding repayment of years of benefits

Jamil's mother Sarah is 67 and has been on Medicaid for 18 months. She receives a letter from DCH OIG stating that she is liable for $42,000 in Medicaid benefits paid on her behalf because she failed to report a small monthly pension from her late husband's employer that began three months after her initial enrollment.

What happened: Sarah received an unsolicited pension distribution from her late husband's former employer. She did not understand that this needed to be reported to Medicaid. DCH OIG learned of the pension through the federal income data match. DCH OIG determined that Sarah had been over-income for Medicaid for most of the past 15 months and is demanding repayment of all benefits paid during that period.

Family response: Sarah contacts Atlanta Legal Aid Society (404-524-5811). A staff attorney reviews the case. The attorney determines that Sarah's pension was below the Medicaid income limit for several months and that DCH OIG's calculation includes months in which Sarah was actually eligible. The attorney requests a fair hearing within the 30-day deadline. At the hearing, the attorney presents pension statements showing the actual monthly amounts and demonstrates that DCH OIG's blanket assertion of over-income for 15 months was incorrect. The administrative law judge finds that Sarah was over-income for only 6 months and reduces the overpayment to $11,000. The attorney negotiates a payment plan that the legal aid attorney finds reasonable given Sarah's circumstances. Sarah's ongoing Medicaid eligibility is preserved going forward because she reports the pension correctly and applies the income to a spend-down.

Diana, 84, rural Bulloch County: Medicaid identity theft

Diana's family in rural Bulloch County receives a notice from DCH that Diana has been investigated for "suspicious" pharmacy claims. The investigation found that someone has been filling prescriptions for controlled substances at three Atlanta pharmacies using Diana's Medicaid number. Diana has never been to Atlanta and does not take controlled substances.

What happened: Diana's Medicaid number was stolen, possibly through a phishing scam or data breach. Someone (likely a person with a drug abuse problem) used the number to obtain controlled substances at multiple pharmacies. DCH OIG detected the pattern through SURS and opened an investigation.

Family response: Diana's daughter calls DCH OIG and reports that the prescriptions are fraudulent. DCH OIG instructs her to: file a police report; obtain a copy of her mother's pharmacy claims history; cooperate with the investigation. The police investigation identifies the person who has been using Diana's number, and the person is prosecuted for prescription fraud and identity theft. DCH OIG issues Diana a new Medicaid number and adjusts her claims history to remove the fraudulent entries. Diana's eligibility and ongoing care are not affected. The case takes 14 months from initial notice to final resolution but Diana is not personally liable for any of the fraudulent claims.

Tasha's father, 70, Albany: whistleblower call to MFCU leads to recovery

Tasha works as a billing clerk at a home health agency in Albany serving 200 Medicaid patients. Over six months, Tasha notices that the agency owner is instructing nurses to clock in for visits they did not make and is forging physician orders for skilled care that patients do not need. Tasha is uncomfortable and considers her options.

What Tasha does: Tasha consults with a whistleblower attorney in Atlanta. The attorney files a qui tam complaint in federal district court under the federal False Claims Act and the Georgia State False Medicaid Claims Act, alleging $4.2 million in fraudulent Medicaid billing over three years. The complaint is filed under seal. The U.S. Department of Justice and the Georgia Attorney General investigate jointly with the MFCU. After 18 months of investigation, DOJ and the Georgia AG intervene in the case. The agency settles for $2.8 million plus a corporate integrity agreement plus exclusion of the owner from Medicaid for ten years. The agency is sold to a new owner who continues operations. Tasha receives 18 percent of the recovery ($504,000) as her relator share. She is protected from retaliation under federal and state whistleblower statutes, and her attorney is paid through the FCA's fee-shifting provision.

Family aspect: Tasha's father, who has been a patient of the agency for skilled visits twice a week, transitions to a different agency during the investigation period. Continuity of care is preserved through the transition.

ACA Section 6402 program integrity enhancements

The Affordable Care Act of 2010 substantially enhanced federal program integrity in ways that affect Georgia.

Enhanced provider screening (Section 6401 ACA, codified at Section 1902(a)(77))

Provider screening before ACA was inconsistent across states. ACA required uniform federal screening including license verification, exclusion list checks, and (for moderate and high-risk providers) site visits and background checks. CMS issued implementing rules in 2011 (76 FR 5862). Georgia adopted the federal screening requirements.

Suspension of payment pending credible allegation of fraud (Section 6402(h), codified at 42 CFR 455.23)

Before ACA, states had discretionary authority to suspend payment. ACA required suspension absent good cause. This shifted the burden: the default became suspension, not continued payment. The change has been particularly significant in personal care and home health where credible allegations have been frequent.

60-day overpayment rule (Section 6402(a), codified at Section 1128J)

Before ACA, providers had no statutory deadline for returning overpayments. ACA imposed a 60-day rule and tied violation to FCA liability. This has driven extensive provider compliance investment.

Provider enrollment moratoria (Section 6401(a) ACA)

ACA authorized CMS to impose temporary enrollment moratoria when fraud risk is high in a particular geographic area or provider type. CMS has used this authority to impose moratoria on home health agencies in metro Atlanta and other high-fraud regions.

Expanded Medicaid RAC (Section 6411 ACA, codified at Section 1936)

ACA required all states to implement Medicaid RACs. Georgia did so. RACs are paid on contingency and audit a portion of state Medicaid claims for improper payments.

Enhanced data sharing

ACA enabled and required enhanced data sharing between Medicare and Medicaid, between states, and with federal agencies. The Healthcare Fraud Prevention Partnership and the Centers for Program Integrity have used this enhanced sharing to identify fraud patterns that cross programs.

HHS-OIG and Georgia

The HHS Office of Inspector General Region IV (headquartered in Atlanta) is one of OIG's most active regions. OIG audits, evaluations, and investigations affecting Georgia Medicaid have shaped how Georgia operates:

• OIG audits of Georgia personal care services have driven Georgia's adoption of EVV and additional verification requirements.
• OIG audits of Georgia home health have driven enhanced screening for home health agencies.
• OIG audits of Georgia DME have driven enhanced screening for DME suppliers.
• OIG audits of Georgia Medicaid managed care have driven enhanced encounter data validation.

Georgia DCH OIG, the Georgia MFCU, and HHS-OIG coordinate closely on case development and prosecution.

Family-facing implications

Program integrity is one of the least visible parts of Medicaid but one of the most consequential. Most families never encounter it. But for the families whose loved one is in a facility that gets excluded, whose home health agency gets raided, or who receive a notice demanding repayment of years of benefits, program integrity is sudden and disorienting.

The key takeaways for families:

1. Stay informed about your providers. Check the Georgia provider exclusion list periodically. Ask your providers about their compliance programs.
2. Respond promptly to notices. Overpayment notices, exclusion notices, and audit-related correspondence have short deadlines. Missing a deadline can mean losing the appeal.
3. Get legal help. Georgia Legal Services Program and Atlanta Legal Aid Society represent low-income members free of charge in fair hearings. Disability Rights Georgia represents members with disabilities.
4. Report fraud if you see it. Reporting protects other families and supports the program. The MFCU complaint line, DCH OIG, and HHS-OIG hotline all accept anonymous reports.
5. Cooperate with investigations. When DCH OIG, MFCU, or HHS-OIG contacts you as a witness or member affected by an investigation, cooperate. Cooperation protects your continued eligibility and care.
6. Don't share your Medicaid card or number. Identity theft is a growing problem. Treat your Medicaid number like a credit card number.

Frequently asked questions

::: accordion Q: What is the difference between fraud, waste, and abuse?

Fraud requires intent to deceive (knowingly submitting false claims). Abuse involves practices that are inconsistent with sound business or fiscal practices but do not necessarily involve intent (such as billing for services that are not medically necessary). Waste is the inefficient use of resources without abusive practices (such as overprescribing). The three categories are addressed through different program integrity tools.

Q: Who decides who gets excluded from Medicaid?

Federal exclusions are imposed by HHS-OIG under Section 1128. State exclusions are imposed by Georgia DCH under state authority and 42 CFR Part 1002. Both exclusions prevent the excluded person or entity from being reimbursed by Medicaid.

Q: What happens if my doctor or facility is excluded?

You must transition to a non-excluded provider. DCH and your Medicaid managed care plan will help facilitate the transition. For nursing home residents, federal transfer protections under 42 CFR 483.15 apply.

Q: I got a Medicaid overpayment notice. What should I do?

Read it carefully, note the appeal deadline (typically 30 days), and contact Georgia Legal Services Program (1-833-457-7529) or Atlanta Legal Aid Society (404-524-5811) for free legal representation. Request a fair hearing within the deadline. Do not ignore the notice.

Q: Can DCH come after me for benefits paid years ago?

Yes, within statutory limits. The federal False Claims Act has a statute of limitations that varies based on when the fraud was discovered. State fair hearings typically address shorter periods. Errors that span years can produce large overpayment demands.

Q: Does Medicaid investigate members or only providers?

DCH OIG investigates both. The Georgia MFCU investigates only providers (and patient abuse in Medicaid facilities). Most program integrity activity targets providers because that is where the money is. Member investigations are typically narrower in scope.

Q: Can I be prosecuted for Medicaid fraud as a member?

In serious cases, yes. Federal criminal statutes (18 U.S.C. §1347, §1035) and Georgia state statutes (O.C.G.A. §49-4-146.1) apply to members who commit fraud. Most member cases are handled administratively through eligibility termination and overpayment recovery, but criminal prosecution does occur for egregious cases.

Q: What is a credible allegation of fraud?

Under 42 CFR 455.2, a credible allegation is one that "has indicia of reliability" based on hotline tips, claims data mining, patterns identified through audits, allegations from other agencies, or other sources. The threshold is low; the state must suspend payment unless good cause exists.

Q: What is the 60-day rule?

Section 1128J(d) requires providers to report and return identified overpayments within 60 days of identification. Failure to do so triggers False Claims Act liability with treble damages and per-claim penalties.

Q: How does the False Claims Act apply to Medicaid?

Because federal funds are involved in Medicaid, the federal False Claims Act (31 U.S.C. §3729) applies. False Medicaid claims trigger FCA liability with treble damages and per-claim penalties. Many of the largest Medicaid fraud recoveries are FCA settlements.

Q: What is a qui tam relator?

A private citizen who files a False Claims Act suit on behalf of the government. The relator may receive a statutory share of any recovery. Federal and state whistleblower protections apply to relators.

Q: How do I report Medicaid fraud anonymously?

Call the Georgia MFCU complaint line (404-656-3408) or the HHS-OIG hotline (1-800-447-8477). You can report anonymously, or you can provide your name with confidentiality assurance. If you have information about a major fraud scheme, consider consulting a whistleblower attorney about a qui tam case.

Q: My personal care assistant has been billing for hours she didn't work. What should I do?

Report to the Georgia MFCU complaint line (404-656-3408) and to DCH OIG. The MFCU investigates personal care fraud regularly. Your care will not be interrupted; DCH will arrange for a substitute provider if your current one is excluded or shut down.

Q: Someone is using my Medicaid number. What should I do?

Report to DCH OIG immediately, file a police report, and request a new Medicaid number. Document everything. You are generally not liable for fraudulent claims billed by others, but documentation is critical.

Q: Can I lose Medicaid because of an investigation?

If the investigation finds that you committed fraud or that you were never eligible, yes. If the investigation finds that you were the victim of identity theft, no. Cooperation with the investigation and prompt response to notices protect your eligibility.

Q: Does the Georgia MFCU prosecute nursing home abuse?

Yes. Section 1128C SSA gives MFCUs jurisdiction over patient abuse and neglect in Medicaid facilities, including nursing homes, intermediate care facilities, and assisted living. The Georgia MFCU has prosecuted numerous nursing home abuse cases.

Q: What is the Recovery Audit Contractor program?

Authorized by Section 1936 SSA and Section 6411 ACA, the RAC program uses contingency-fee contractors to audit Medicaid claims and identify improper payments. RACs return identified overpayments to the state and federal government.

Q: How does provider screening work?

CMS classifies providers into limited, moderate, and high risk categories. Limited-risk providers undergo license verification and exclusion list checks. Moderate-risk providers also undergo site visits. High-risk providers also undergo fingerprint-based background checks. Georgia DCH applies these federal screening requirements at enrollment and revalidation.

Q: Where can I check if a provider is excluded?

The HHS-OIG List of Excluded Individuals/Entities is online and searchable: oig.hhs.gov/exclusions. The Georgia provider exclusion list is maintained by DCH. The federal System for Award Management (SAM) at sam.gov also lists debarred entities.

Q: What is Brevy's role here?

Brevy is a national eldercare resource. We translate complex federal and state policy frameworks like Medicaid program integrity into family-readable guides at brevy.com. We do not represent members in fair hearings or investigations; for that you need a lawyer (Georgia Legal Services Program, Atlanta Legal Aid Society, or private counsel). This guide is general information, not legal advice. :::

Key contacts

::: cta Georgia Medicaid program integrity contacts

For program integrity questions and reporting:

• DCH Medicaid Member Services: 1-866-211-0950
• DCH Office of Inspector General: through DCH main line
• Georgia MFCU complaint line: 404-656-3408
• Georgia Attorney General Consumer Protection: 404-651-8600
• HHS-OIG hotline (federal fraud reporting): 1-800-447-8477
• CMS Medicaid Integrity Group: through CMS

For legal help with overpayment notices, exclusions, and fair hearings:

• Georgia Legal Services Program: 1-833-457-7529
• Atlanta Legal Aid Society: 404-524-5811
• Disability Rights Georgia: 404-885-1234

For elder abuse in Medicaid facilities:

• Georgia Long-Term Care Ombudsman: 1-866-552-4264
• ADRC: 1-866-552-4464
• AARP Fraud Watch Network: 1-877-908-3360
• 211 Georgia: dial 211 :::

Find personalized help navigating Medicaid program integrity at brevy.com.

This article is for general information only and is not legal, tax, or medical advice. Program integrity rules change frequently. Verify current contact numbers, deadlines, and procedures directly with DCH, the Georgia MFCU, or qualified legal counsel before acting on any specific matter.