Medicaid program integrity transformation: PwC

Key takeaways:

Fight fraud and protect access simultaneously. States can run program integrity as one connected operation instead of separate functions.
Prevention can be more effective than recovery. Stopping improper payments before they go out the door is critical to address market needs.
Actions your agency can take today to support your federal response and have program integrity be at the helm of your organization.

State Medicaid directors (SMDs) occupy one of the most demanding roles in American public administration, and the complexity of the position is increasing as fiscal pressures mount following Medicaid changes enacted in the One Big Beautiful Bill Act (OBBBA) and federal oversight of state Medicaid program integrity intensifies. The federal fraud, waste, and abuse (FWA) playbook is undergoing a fundamental shift from reactive to proactive enforcement, with the government now wielding a new lever: halting payments before disbursement. This dual challenge of constrained financial resources and heightened oversight is the direct responsibility of SMDs, who are being asked to do more with less while the standards they are measured against grow more demanding.

The scale of the Medicaid program elevates the stakes associated with program integrity oversight. Medicaid covers more than 70 million Americans, while its provider networks serve as both a critical component of the nation’s healthcare safety net and a focal point for program integrity. ¹ CMS reported $37.4 billion in Medicaid improper payments in fiscal year 2025, a 20% increase from $31.1 billion the prior year. ² Seventy-seven percent of those improper payments were the result of insufficient documentation, highlighting administrative vulnerabilities that place increasing pressure on states to strengthen oversight, improve compliance, and confirm responsible stewardship of public funds. Additionally, with managed care now covering roughly 85 percent of Medicaid beneficiaries, program integrity cannot be designed around fee-for-service claims alone. Managed care organizations are co-accountable for fraud detection, network adequacy, and beneficiary access, and the program integrity functions that perform best are the ones where MCOs sit at the table for oversight design rather than receiving requirements after the fact.

Federal efforts to strengthen Medicaid program integrity have accelerated significantly in the past 12 months in speed and scale. Following a White House executive order focused on eliminating FWA in government programs, CMS has withheld and deferred millions in Medicaid payments and directed all 50 states to submit provider revalidation plans within 30 days. ^3,4 Together, these actions are raising expectations for state Medicaid agencies to identify risk, strengthen oversight, and demonstrate effective stewardship of program resources.

While there is a need to act now, moving in the wrong direction has serious consequences. Provider terminations without proper due diligence can have significant consequences in rural communities and specialty shortage markets, where a limited supply of clinicians makes network stability critical. The fraud findings may be sound, but the access damage will likely be highly visible and long lasting. States can best navigate these competing priorities through a risk-based approach that combines data analytics to identify risk, investigative intelligence to distinguish bad actors from strained but legitimate providers, and governance and program integrity infrastructure that lets states act with confidence.

5 Principles that Distinguish High-Performing Medicaid Programs

1. Program integrity thrives when it operates as an interconnected system.

Program integrity delivers the greatest value when enrollment, claims, analytics, and investigations operate as an interconnected system. Leading states share data across functions and are moving toward proactive, pre-payment strategies that strengthen prevention efforts. The evidence supporting this approach is unambiguous: the Medicare Fraud Prevention System has saved roughly $13 billion over a decade through pre-payment intervention, while Medicaid Fraud Control Units (MFCU) returned $4.64 for every dollar invested in FY 2025. ⁵ Analytics become most effective when integrated into the daily work of adjudicators and investigators, embedding program integrity into operational workflows and strengthening program delivery, with the opportunity for AI to assist here being tremendous.

2. Program integrity requires coordination across state government.

The SMDs who succeed treat program integrity (PI) as a strategic management lever rather than a standalone function. PI strategy should be set in the same room as network adequacy, managed care organization (MCO) oversight, and rate-setting. It requires structured coordination with the MFCU, the Attorney General and Inspector General, county and tribal administrators, managed care organizations, the Governor's office, and the legislature.

3. Providers are partners in program integrity.

The states that consistently extract PI value while preserving their provider networks treat providers as compliance partners. Many of the providers most exposed to enforcement, including those in home and community-based services, behavioral health, and personal care, often operate with fewer billing systems, compliance resources, and documentation infrastructure typically available to larger institutional providers. Personal care attendants accounted for 326 fraud convictions in FY2025, the highest of any provider category, while operating with the most limited compliance infrastructure of any provider type. ⁵ Closing the related capability gaps is itself a PI intervention. States that achieve stronger recoveries while sustaining provider participation invest in accessible documentation technology, written guidance issued in advance of revalidation cycles, voluntary self-correction pathways, defined-timeline appeal and reinstatement pathways, and structured provider input during the development of PI policy. Providers who view the state agency as a fair and equipped counterparty are more likely to flag misconduct in their own networks and remain engaged when enforcement intensifies.

4. The organizational foundation determines whether technical capabilities produce results.

The organizational foundation determines whether PI investments translate into measurable results. Governance, workforce, culture, and accountability form the foundation that enables technology, analytics, and operational processes to deliver value. A single accountable leader, clear decision rights, and a dedicated workforce create the conditions for sustained PI performance.

5. Lasting reform is anchored in legislation.

Approaches anchored in statutory authority and established governance structures, including MCO partners formally at the table for oversight design, provide continuity across administrations and budget cycles. This foundation supports lasting transformation that benefits Medicaid programs for years to come.

A practical path forward

A phased approach designed for the constraints state Medicaid agencies operate under with change management built in from the start.

State Medicaid agencies do not need to address every PI challenge at once. Successful states typically move from reactive to established operations. The right starting point depends on where an assessment of the current state shows the biggest exposure and the most achievable gains.

The greatest challenge often lies in execution. Analysis delivers value when it is translated into practice, making change management an essential component of sustained success.

The immediate priority is visible, measurable actions that demonstrate seriousness to CMS and builds internal credibility needed for systematic change.

Governance and accountability

Appoint a single accountable PI leader with authority that spans divisions and is responsible for leading strategy and external communication.
Establish a standing cross-agency coordination body with defined membership, meeting cadence, and documented decision authority.
Conduct a structured capability assessment across provider network management, enrollment integrity, technology workflow integration, and managed care oversight to establish a quantified baseline and inform the phases that follow.
Publish baseline PI performance metrics.
Initiate data-sharing agreements connecting Medicaid claims data to MFCU investigation records, provider licensing databases, and other PI partners.
Establish an access-impact protocol that reviews provider revalidation strategy, moratoria, and large-scale termination plans against network adequacy data and sole-community-provider status before execution.

Federal response

Submit the provider revalidation strategy to CMS on time, prioritizing providers without a National Provider Identifier and those in high-risk service categories.
Designate high-risk Medicaid service categories and implement targeted prepayment review.
Standardize managed care fraud reporting by defining required metrics, reporting format, and submission timelines across all plans.

Change management:

Frame PI publicly as protecting beneficiary access and taxpayer resources. Engage the legislative branch on the urgency.

Build the foundation that makes analytics and detection possible with connected data, dedicated people, and enforceable oversight.

Data and workforce

Integrate fee-for-service claims, managed care encounter data, provider enrollment, and investigation records into one analytical environment. Encounter data quality and vendor data standardization are often the binding constraints.
Build a dedicated workforce of investigators, data analysts, and PI specialists.
Tighten vendor governance by ensuring performance transparency and contractual accountability for any vendor performing claims processing or PI functions.
Integrate network adequacy data into the PI analytical environment, so that risk scoring can be cross-referenced against access consequence before enforcement action.

Oversight and authorities

Initiate a provider network integrity review targeting service categories that operate outside traditional claims infrastructure.
Formalize managed care oversight with measurable performance standards, defined escalation paths, and contractual consequences.
Explore federal funding strategies for PI investments, including enhanced match opportunities for qualified systems and analytics work.
Begin legislative groundwork where statutory authority is needed for moratorium authority, prepayment review, or provider exclusion.

Change management:

Engage county administrators, tribal programs, and managed care leadership as partners in the transformation. Extend PI training beyond investigators to eligibility workers, claims processors, and provider relations staff.

With data infrastructure and workforce in place, the focus shifts to running analytics at scale and building the statutory and reporting foundation that makes the transformation last.

Analytics and detection

Deploy predictive analytics, network analysis, and continuous risk monitoring calibrated to the state’s fraud risk profile.

Build toward AI and machine learning capabilities: anomaly detection, natural language processing on clinical documentation, and continuous model retraining on investigation outcomes.

Operationalize cross-program detection by building data-sharing and analytics that span Medicaid, SNAP, childcare, and housing program boundaries.

Durability

Codify governance in statute or regulation so that moratorium authority, prepayment review authority, and provider exclusion authority do not depend on executive discretion alone.

Publish quarterly performance reports to the legislature and the public, including recoveries, cost avoidance, and return on investment by enforcement type.

Change management:

Embed fraud prevention in organizational culture through sustained reinforcement, visible leadership engagement, staff training, and published outcomes.

Three mistakes to avoid

The phases above are designed to avoid three common mistakes that derail PI transformation:

No single owner. When accountability is distributed across divisions without a designated leader, coordination happens informally, or not at all. The first six months address this directly through a single PI leader with cross-divisional authority, a standing coordination body, and written agreements that define roles, responsibilities, and decision rights.
Tools without workflows. Analytics platforms that are deployed but never connected to claims adjudication or investigator triage. Managed care oversight standards exist on paper but are not enforced. Vendors are contracted without performance transparency. Programs sequence data integration before analytics, enforceable standards before voluntary coordination, and change management alongside every operational change rather than after it.
Reforms that do not survive transitions. When governance lives in policy memos rather than statute, and performance results are tracked internally rather than published, the work is vulnerable to the next budget cycle or leadership change. Statutory codification, published quarterly reporting, and legislative accountability are built into every phase for this reason.

The states that will lead are the ones that will likely treat PI as an enterprise operating model integrated with the rest of the payer function. Connected data, strong coordination, accountable governance, a dedicated workforce, enforceable managed care oversight, network adequacy protection, and the statutory durability to survive political transitions are threaded into a high functioning program. No single capability, whether analytics, investigations, or organizational restructuring, is enough on its own. State Medicaid directors set the direction, but lasting change depends on whether the program operates as one integrated system in service of the people it exists to serve.