Key Takeaways

  • CMS proposes mandatory reporting by managed care entities of improper payments identified or recovered, and of “potential fraud, waste, or abuse.”
  • Managed care entities must have a process by which network providers report and repay within 60 days any overpayment identified.
  • Prior to making a submission to a state, a managed care entity would be required to certify that it conducted a “reasonably diligent review” of certain data, documentation and information, in addition to certifying to the completeness, accuracy and truthfulness of the submission.
  • Several proposals borrow from existing concepts in other federal health care programs and would promote consistency with MA and Part D program integrity requirements.

In its proposed rule for the Medicaid Managed Care Program (Proposed Rule), the Centers for Medicare & Medicaid Services (CMS) proposes several major program integrity-related changes that affect Medicaid managed care organizations and sponsors of pre-paid ambulatory health plans and pre-paid inpatient health plans (collectively, Sponsors), as well as providers and other contractors, and state agencies administering their Medicaid program and Children’s Health Insurance Program (CHIP). In addition to addressing the 60-day overpayment requirements, which apply to Sponsors and their network providers, CMS proposes to require Sponsors to develop and maintain a compliance program and undertake mandatory reporting to enhance efforts to improve compliance and combat fraud, waste and abuse.

Comments on the Proposed Rule are due to CMS no later than 5 pm EDT on July 27, 2015.

New Compliance Program and Fraud, Waste and Abuse Requirements

Mandatory Disclosure of “Potential” Fraud, Waste and Abuse

Under the Proposed Rule, states would require Sponsors to implement fraud, waste and abuse procedures providing “for the prompt referral of any potential fraud, waste, or abuse that the [Sponsor] identifies to the State Medicaid program integrity unit or any potential fraud directly to the State Medicaid Fraud Control Unit” (80 Fed. Reg. at 31287) (emphasis added). This proposal appears to apply not only to any potential fraud, waste or abuse by providers, subcontractors and other third parties, but also to potential fraud, waste and abuse by the Sponsor itself. 

Comparison to Other Federal Health Care Programs 

This mandatory reporting obligation reflects some of the same challenges identified for a proposal issued by CMS for the Medicare managed care programs in 2004. At that time, CMS was developing compliance program requirements for Medicare Advantage (MA) Organizations and Part D Plan Sponsors, and proposed to require reporting of “misconduct related to payment or delivery of health benefits under the contract” that “may violate criminal, civil or administrative law” (69 Fed. Reg. 46866, 46974 (Aug. 3, 2004)). CMS ultimately withdrew the proposal, in part because of comments that the proposal “was vague and overbroad, with no basis in statute” (70 Fed. Reg. 4588 (Jan. 28, 2005)).

Similar concerns could be said for the mandatory reporting requirement set out in the Proposed Rule. The proposal is broadly crafted, potentially applying to Sponsors as well as their providers and other contractors, and thus could be interpreted as imposing a self-disclosure obligation on Sponsors. There is no statutory basis for such a requirement, and it is possible that Sponsors could become ineligible for the protections available under other statutory schemes for those who voluntarily self-report issues. Moreover, CMS provides no guidance as to what constitutes “potential fraud, waste, or abuse” or the steps a Sponsor would take in order to “identify” such potential fraud, waste or abuse. 

Practical Implications

  • The requirement to disclose potential fraud, waste or abuse would be difficult for states and Sponsors to implement. What constitutes “potential” fraud, waste or abuse? At what point is a Sponsor considered to have “identified” such potential issues? The proposals seem unworkable, in addition to raising fundamental questions regarding the appropriateness of a reporting mandate that seems to encompass a self-disclosure obligation.
  • Employees of Sponsors and Sponsors’ providers and contractors may be more reticent to come forward or seek correction of errors if raising “potential” issues may result in a report to the state. This could exacerbate minor compliance issues that might otherwise have been addressed earlier—in effect, the proposal could hinder compliance efforts.

Compliance Program Requirements

The Proposed Rule would require states to impose new compliance program requirements on Sponsors. Several components reflect existing standards under the MA and Part D Programs, albeit with some nuanced differences. For example, under the MA and Part D Programs, the compliance officer must be an employee of the contract holder or an affiliate, and must periodically report directly to the governing body. Under the Proposed Rule, a Sponsor would be required to designate a compliance officer who reports directly the chief executive officer and the board, but there is no explicit requirement that the compliance officer be an employee of the Sponsor or an affiliate.

The Proposed Rule also would establish obligations around compliance training and education for the compliance officer, senior management and employees, but there does not appear to be a requirement that these education and training activities “flow downstream” to providers or vendors. Other proposals are unique, including the requirement for a “dedicated staff” for internal monitoring and auditing, “verification” that services billed by providers were actually provided to members, and various other reporting and notification requirements.

Implementation of Statutory Overpayment Reporting Requirement

CMS also has proposed a regulatory provision that would require a Sponsor to “report[] to the State within 60 calendar days when it has identified [that] the capitation payments or other payments [are] in excess of amounts specified in the contract” (80 Fed. Reg. at 31287). This regulation is based on Section 1128J(d) of the Social Security Act, which relates to reporting and returning of overpayments, and seems to be the first time CMS has proposed regulations to implement the overpayment reporting obligation in the Medicaid managed care context. 

Additionally, the Proposed Rule would require Sponsors to establish “a mechanism for a network provider to report to the [Sponsor] when it has received an overpayment, to return the overpayment . . . and notify the [Sponsor] in writing of the reason for the overpayment.” The MA and Part D overpayment regulations are limited in scope, applying only to payments by CMS to the contracting entity, and there is no regulatory requirement that contracted providers abide by the same reporting and returning obligations. Under the Proposed Rule, CMS seems to be taking a different approach, suggesting an expectation that contracted providers would make such a report and return such overpayment. The proposed regulation does not, however, apply directly to providers.

Comparison to Other Federal Health Care Programs

Similar to the overpayment regulations CMS implemented for MA Organizations and Part D Plan Sponsors in May 2014, under the Proposed Rule, the 60-day timeframe begins upon “identification” of the payment at issue, but there is no discussion as to what constitutes “identification.” The Proposed Rule does not include a corresponding requirement to return the overpayment within 60 days. The requirement to return overpayments still exists in the statutory language, so there may be confusion regarding how Sponsors should proceed once they have identified and reported an overpayment to the state. 

Practical Implications

  • Sponsors and providers alike should consider the overpayment obligations’ potential effect on their operations and contractual relationships.
  • The Proposed Rule is silent as to when or how a Sponsor or provider has “identified” an overpayment that must be reported, and there is a similar vagueness for providers, for whom Sponsors must establish a mechanism for reporting and returning overpayments “received.” These terms of art create a degree of flexibility for organizations to make their own determinations, but also can create challenges to the extent a government agency has a different perspective on a determination of when an overpayment is identified or received. The False Claims Act implications associated with a failure to report and return an overpayment raise the stakes in these circumstances.

Revisions to Data Certification and Audit Requirements

The Proposed Rule revises the certification standard applicable to data, documents and information that Sponsors submit to a state. Contractors currently must certify, based on best knowledge, information and belief, as to the accuracy, completeness and truthfulness of the submission. The proposed standard would require Sponsors to certify that they have conducted a reasonably diligent review of the data, documentation and information submitted, in addition to certifying that the data is accurate, complete and truthful (80 Fed. Reg. at 31287).

Comparison to Other Federal Health Care Programs 

The “reasonably diligent review” standard seems to be new for Medicaid managed care, although not necessarily for managed care within federal health care programs. The MA and Part D overpayment regulations link identification of an overpayment to an MA Organization or Part D Plan Sponsor having “determined, or should have determined through the exercise of reasonable diligence” that an overpayment was received (42 C.F.R. §§ 422.326(d) and 423.360(c)). 

In the preamble to the Proposed Rule, CMS borrows from this MA and Part D standard, stating that “reasonable diligence” should be defined as it was in the preamble to the final MA and Part D overpayment rule:

At minimum, reasonable diligence would include proactive compliance activities conducted in good faith by qualified individuals. However, conducting proactive compliance activities does not mean that the person has satisfied the reasonable diligence standard in all circumstances. In certain circumstances, for example, reasonable diligence might require an investigation conducted in good faith and in a timely manner by qualified individuals . . .

(79 Fed. Reg. at 29923).

Practical Implications

  • This data certification standard, including conducting a reasonably diligent review, as applied to data prepared by third parties, such as encounter data, may be particularly problematic for Sponsors that have minimal control over this third-party data. 
  • The Proposed Rule indicates that states must conduct audits of encounter and financial data submitted by Sponsors at least once every three years. Although state auditing is not a new concept, it is not clear whether the federal requirements surrounding encounter data audits would result in the states holding Sponsors responsible for the accuracy of the encounter data submitted by providers.

Program Integrity Changes Affecting Plans and Their Providers

Mandatory Enrollment of Network Providers

The Proposed Rule includes new program integrity measures that may affect Sponsors’ relationships with network providers. Currently, providers participating in a Sponsor’s network are not required to be enrolled in the state Medicaid program. The Proposed Rule would make enrollment an obligation for Sponsors and their contracted providers. 

Comparison to Other Federal Health Care Programs 

CMS previously issued a regulation implementing statutory requirements regarding provider enrollment in state Medicaid programs, but excluded providers contracting with Sponsors from the scope of the regulation. In the Proposed Rule, CMS acknowledges that it did not previously interpret the statute to require the enrollment of Medicaid managed care network providers, but has elected to propose this requirement because states and the Office of the Inspector General have identified the inconsistency in provider screening and enrollment requirements as an area of vulnerability from a program integrity perspective.

Practical Implications

  • This change would impose an additional administrative burden on both state agencies and providers that are not currently enrolled with the state agency. Sponsors would have to update contracting and credentialing processes to account for this new requirement.
  • Although the preamble to the Proposed Rule indicates that this new enrollment requirement would eliminate the need for Sponsors to conduct their own credentialing and screening of providers, Sponsors may need to consider how this approach would work in practice.
  • Importantly for providers, the Proposed Rule clearly states that enrollment with the state Medicaid program would not obligate a provider to provide services to Medicaid fee-for-service enrollees.

Considerations and Next Steps

Although some of CMS’s proposed program integrity provisions promote consistency with other federal health care program requirements, others seem to extend beyond these established standards or incorporate nuances that differentiate the requirements from others with which Sponsors may be familiar. These changes, if finalized, could alter the legal standards governing disclosure of fraud, waste and abuse, as well as certification of data accuracy, resulting in a significant impact on the potential legal exposure of Sponsors and other stakeholders. Industry stakeholders should pay close attention to the ways in which CMS seeks to shift legal risks to state contractors and may consider commenting on the Proposed Rule to make any concerns known to CMS prior to final rulemaking.