CMS estimated improper payments to Medicare Advantage Organizations (MAOs) to be 9.5 percent or $14.1 billion based on a national audit that reviewed 2013 payments. Of those improper payments, CMS estimated that 73 percent were the result of insufficient medical documentation submitted to support the diagnoses the MAOs submitted, according to an April 2016 Government Accountability Office (GAO) report.

Over the past few years, in addition to several GAO reports on its audits of CMS’ risk adjustment process, the issue of CMS overpayments made to MAOs has received the attention of Senate Judiciary Committee Chairman, Sen. Charles Grassley (R-Iowa), the Center for Program Integrity (CPI), the Kaiser Family Foundation (KFF), and other news media. More recently, Grassley sent a letter on April 17, 2017, to CMS Administrator Seema Verma seeking answers regarding MAO overpayments and the status of CMS audits and the Department of Justice (DOJ) has announced its intervention in qui tam False Claims Act (31 U.S.C. §3729) suits.

This Strategic Perspective explains CMS’ risk adjustment process and the GAO’s findings about that process, includes details of CPI’s investigation of CMS overpayments to MAOs, describes Grassley’s concerns related to the overpayments, and identifies recent lawsuits. In addition, Wolters Kluwer interviewed an expert to provide insight from a legal perspective of the issues that CMS and MAOs are facing and what each needs to do to address the overpayment issue.

The Risk Adjustment Process

As explained in a January 2017 GAO report to Congress, Medicare pays MAOs a predetermined, fixed monthly amount per enrollee. Unlike fee-for-service, the payment does not vary on the basis of the number or cost of health care services an enrollee uses. Instead, CMS uses a risk adjustment process to account for differences in enrollees’ expected health care costs relative to an average beneficiary. MAOs are required to submit detailed information, known as “encounter data,” about the care and health status of MA enrollees to determine payments to MAOs. To make proper payments, the risk adjustment process requires complete and accurate encounter data from MAOs, according to the GAO report (see GAO says CMS made limited progress validating MA encounter data, January 20, 2017).

MAOs must submit diagnosis codes for each enrollee for a particular calendar year to CMS (42 U.S.C. §1395w-23(a)(3); 42 C.F.R. Sec. 422.310). CMS uses the codes to create Hierarchical Condition Category (HCC) risk scores to adjust the capitated payment rates it pays to each MAO, increasing payment rates to MAOs with patient populations with more severe illnesses and decreasing payments to MAOs with patient populations with less severe illnesses. MAOs typically submit data to CMS and then perform a retrospective review of medical charts to ensure that the charts support the claims submitted (see U.S. intervenes in UnitedHealth billing scheme suit, May 3, 2017). CMS conducts two types of risk adjustment data validation (RADV) audits, national RADV activities and contract-level RADV audits, to determine whether the diagnosis codes submitted by MAOs are supported by the beneficiary’s medical record documentation, and to correct MAO improper payments.

Beginning in 2004, CMS used an abbreviated set of MAO diagnostic data collected through the Risk Adjustment Processing System (RAPS) to calculate Medicare Advantage (MA) enrollee risks scores. CMS relied on diagnosis information in RAPS data along with fee-for-service claims data to determine the relative cost for treating beneficiaries with various diagnoses. In 2012, CMS began collecting data from MAOs replacing RAPS data.

The Center for Public Integrity Investigation

The CPI reported in a March 15, 2015, article that documents released to it under the Freedom of Information Act (FOIA) indicated that officials were made aware, as early as 2009, that some health plans overstate how sick their patients are. CPI’s investigation into MA overpayments culminated in a FOIA lawsuit captioned Schulte v. HHS , with a CPI reporter obtaining a court order requiring the agency to produce MA records (see HHS sued for failure to release Medicare Advantage billing information, May 28, 2014).

According to CPI, the documents released included an unpublished study, commissioned by CMS that tracked growth in risk scores starting in 2004. The study, dated September 29, 2009, found that “risk scores for Medicare Advantage enrollees grew twice as fast between 2004 and 2008 as they would have had the same person remained in standard Medicare” and concluded that it was “‘extremely unlikely’ that people who enrolled in the plans actually got sicker and noted that coding inflation ‘results in inappropriate payment levels.’”

Although CMS, since 2008, has suspected certain privately run MA plans of overcharging the federal government, the agency only completed 30 in-depth financial audits each year to recover overpayments, CPI said, adding that CMS has resources for up to 80 yearly in-depth audits, despite completing less than half that number. The result is a failure to recover tens of millions of dollars in overpayments (see No honor among thieves: MA ‘honor system’ costs taxpayers billions, December 18, 2015).

In an August 29, 2016, article, CPI revealed that of the 37 MA plan audits for 2007 it obtained from the federal officials through the lawsuit, CMS found that all but two of the MA plans overcharged the government by overstating the severity of the medical conditions of patients they treated and were overpaid. According to CPI, “none of the plans faced closer scrutiny following the audits,” which collected a total of $12 million in overpayments. “Officials said unconfirmed diagnoses could be caused by ‘incorrect’ coding by the health plan’s doctors or ‘incorrect diagnostic data’ submitted to the government by the health plan,” CPI said.

On January 6, 2017, Kaiser Health News (KHN) reported that government documents that were released in response the CPI lawsuit indicated that although “an initial round of audits found that Medicare had potentially overpaid five of the health plans $128 million in 2007 alone,” officials never recovered most of the money. CMS backed off its payment demands and settled for just under $3.4 million. The plans disputed the findings.

Reports on CMS Audits

In July 2014, the GAO reported that CMS had taken some appropriate actions to ensure the completeness and accuracy of MAO encounter data but concluded that CMS had not fully developed its plans for using the MA encounter data. CMS said it would begin using the encounter data to determine payments to MAOs in 2015. The GAO recommend that CMS develop requirements for completeness and accuracy, including performing statistical analyses to detect more complex validity issues and reviewing medical records to verify diagnoses and services within the data (see Encounter data must be verified before use in risk adjustment, September 3, 2014).

On March 3, 2016, Benefits Pro reported that CMS was preparing to enlarge its auditing program of MA patient billing records to better determine the extent to which some health plans exaggerate patients’ medical conditions by intentionally miscoding patients’ diagnosis to charge more for services. According to Benefits Pro, CMS requested information from interested contractors to help carry out its initiative.

In an April 2016 report, the GAO concluded that CMS’ RADV process needed “fundamental improvements.” CMS’ RADV process did not yield a selection of MA contracts that “have the greatest potential for recovery of improper payments” and experienced substantial delays. The GAO also found that CMS “lacks a timetable to annually conduct and complete audits” of payments made to MAOs to ensure the recovery of improper payments from MAOs that resulted from the submission of beneficiary diagnoses that were unsupported by the records. Furthermore, as of the date of the report, CMS had failed to expand the recovery audit contractor (RAC) program to include oversight of MA payments by the end of 2010 as mandated by Section 6411(b) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) (see Audit of auditing reveals five areas that can be improved, May 10, 2016).

Grassley sent a letter to then-acting CMS Administrator Andrew Slavitt on May 19, 2015, requesting details about Medicare Advantage fraud controls in response to the CPI articles, including steps CMS has taken, whether CMS was working with the DOJ, the number of risk score audits CMS has conducted, and the amount of money CMS allocates for audits targeting MAO fraud. Grassley received a response from Slavitt on July 31, 2015, describing the work CMS had done and planned to do to reduce improper payments associated with MAO diagnosis data, including the RADV audit initiative. In terms of working with the DOJ and OIG, Slavitt noted that CMS (1) supports investigations of risk score fraud; (2) provides training on MA policies, payment rules, and risk adjustment methodologies; and (3) shares documentation and data in support of False Claims Act investigations.

In a second letter to then-Attorney General Loretta Lynch, Grassley asked Lynch to tighten scrutiny of Medicare Advantage health plans suspected of overcharging the government by “risk score gaming.” At that time, Grassley, asked Lynch what steps the DOJ was taking to ensure MAOs were not fraudulently altering risk scores, whether the DOJ was working with CMS to investigate risk score fraud and how many investigations the DOJ has conducted in the past five years.

Current FCA Lawsuits

Whistleblower lawsuits filed under the FCA alleging that MAOs submitted inflated risk scores are not new. In April 2015, the CPI addressed the increasing numbers of lawsuits against MAOs and reported that federal court records showed at least a half dozen whistleblower lawsuits alleging billing abuses related to risk scores filed since 2010. CPI noted that lawyers predicted that more would be filed.

On May 1, 2017, the DOJ announced that it had intervened and filed a complaint in a qui tam lawsuit against United Health Group, Inc. (UHG) (U.S. ex rel. Swoben v. Secure Horizons) alleging that UHG entities and MAOs with which it contracted, including HealthCare Partners, deliberately ignored information from chart reviews about invalid diagnoses and, therefore, submitted bills to Medicare that were not supported by medical documentation.

WK: What do you see as the biggest issues for CMS when it comes to Medicare Advantage overpayments? What are the biggest issues for Medicare Advantage organizations?

Brecht: The biggest issue for CMS is having the ability (access and resources) to identify Medicare Advantage overpayments. CMS lacks the resources to monitor the underlying patient records that support (or expose the lack of foundation for) risk adjustment scores. The biggest issue for MAOs is probably convincing their shareholders or Boards to dedicate significant resources to robust auditing and, where appropriate, self-reporting of overpayments.

WK: Will the introduction of recovery audit contractors (RACs) to identify overpayments improve CMS ability to recover Medicare Advantage overpayments? If so, in what ways? If not, why not?

Brecht: There are two types of audits: comprehensive audits that involve all patients and HCCs in an MAO contract, and condition-specific audits, which involve focused documentation reviews for specific HCCs. The need for the second type of audit can be determined by analyzing upticks in HCCs submitted to CMS by MAOs in a particular region or health care system. CMS can then focus on certain conditions associated with suspected overpayments. There are challenges to CMS’ ability to recover identified overpayments, as evidenced by the paucity of CMS’ recovery ($3.4 million) when compared to the potential overpayments for 2007 alone ($128 million). Thus, RACs can assist in identifying overpayments, particularly when there are spikes in specific diagnoses/HCCs, and when on closer review, these diagnoses are not supported by patient records. However, first, CMS must be committed to funding robust RAC audits, and second, to actually recouping these funds from MAOs. The most recent intervention in the FCA case against United Healthcare certainly sends a strong signal that CMS is taking the issue seriously.

WK: What advice would you give MAOs to avoid overpayments by ensuring that the diagnosis codes submitted to CMS for risk adjustment scores are accurate and supported by medical documentation?

Brecht: MAOs should develop robust compliance and auditing programs geared toward uncovering upcoding for diagnoses that relate to reimbursable HCCs. MAOs also should ensure that they are monitoring the diagnoses submitted by providers. For example, if a provider has a long history with a particular population of patients and, suddenly, those patients are being diagnosed with conditions that lead to higher reimbursements, this should be a signal that an audit of the underlying patient records is in order.

A couple of years ago, while speaking on a panel focused on Medicare managed care fraud, I had suggested that MAOs could issue a notice to patients each time they were given a new diagnosis, with an invitation to the patient to report to the MAO that they are not being treated for that condition. This would be another opportunity for MAOs to ensure that the medical record, the diagnosis, and the treatment are in line with data related to payment that is submitted to CMS. The response I received from an industry consultant was that that was somehow dangerous – for the patient to know precisely what their diagnoses are.

Conclusion

MAOs must provide the sufficient medical documentation to support the diagnoses it submits for CMS to establish risk scores. In addition, they need to develop robust compliance and auditing programs to uncover upcoding for diagnoses before submitting the diagnoses to CMS. If not, MAOs may continue to face challenges from the government and lawsuits alleging FCA violations.

As recommended by the GAO, CMS must be able to ensure that: (1) its risk adjustment process and audits confirm the completeness and accuracy of MAO encounter data; (2) it is performing statistical analyses to detect more complex validity issues; and (3) it is timely reviewing medical records to verify diagnoses and services within the data. Furthermore, as mandated by the ACA, CMS should engage RACs to review MA payments. Finally, CMS must provide assurances that it will recover MAO overpayments.

Article was originally published in Wolters Kluwer Health Law Daily on Friday, May 19, 2017. © CCH Incorporated and its affiliates and licensors. All rights reserved.