Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

INSIGHT: Strategies for Compliance Oversight and Program Integrity in Medicaid Managed Care

Aug. 15, 2018, 1:00 PM

Program integrity and compliance activities are meant to ensure that federal and state taxpayer dollars are spent appropriately on delivering quality, necessary care and preventing fraud, waste and abuse in federal healthcare programs. In the past four months, the Government Accountability Office (GAO) and Office of Inspector General (OIG) have issued a barrage of reports scrutinizing Medicaid programs and their oversight of program expenditures. Specifically, they assert that, despite Medicaid’s significant shift in the past decade from a fee-for-service (FFS) to a managed care model, related oversight and compliance efforts have been slow to follow. A May 2018 GAO report and another GAO report released in July 2018 allege that the efforts of both the Centers for Medicare & Medicaid Services (CMS) and states with respect to providing proper program payment and integrity guidance have continued to focus on FFS while paying little attention to Medicaid managed care. On June 27, CMS Administrator Seema Verma announced the agency’s initiatives to strengthen Medicaid managed care program integrity to specifically address the GAO’s and OIG’s concerns.

I. Oversight and Program Integrity in Medicaid Managed Care

Generally, program integrity includes activities to prevent, detect and respond to fraud, waste, abuse and noncompliance with certain contractual or other regulatory requirements that results in improper payments. Medicaid’s Payment Error Rate Measurement (PERM) program annually calculates national improper payment rates for both Medicaid FFS and Medicaid managed care and estimates the improper payment rate in Medicaid managed care to be only 0.3%, or $500 million of Medicaid expenditures. However, the May 2018 GAO report found that the rate of improper payments for Medicaid managed care is significantly underestimated and may not be correctly quantified due to states’ noncompliance with oversight requirements, including errors in provider screening and enrollment. For example, the GAO identified $68 million in overpayments and unallowable managed care organization (MCO) costs in ten of the 27 federal and state MCO audits and investigations conducted between 2012 and 2017 that were not accounted for in the PERM improper rate estimate. The managed care component of the PERM calculation does not include reviews of MCO records or medical services provided to beneficiaries to determine their appropriateness, which prevents the identification of managed care overpayments and unallowable costs.

With the convergence of Medicaid program oversight and the growth of Medicaid managed care, CMS, the states, MCOs and providers all are working to mitigate risks in managed care and develop the best approaches to completely prevent fraud, waste and abuse. In the CMS 2016 Medicaid Managed Care final rule, CMS increased and standardized program integrity and other program oversight requirements by, for example, improving reporting and the quality of encounter data and requiring that MCO contract provisions apply to subcontractors. The rule provides that the provisions related to program integrity were to be implemented in phases primarily over three years, starting with rate periods for contracts that began on or after July 1, 2017. As state Medicaid agencies revise their contracts and programs to comply with these regulations, they are evaluating mechanisms not only to comply with these regulations, but also to employ best practices to prevent fraud, waste, abuse and noncompliance.

II. Medicaid Program Integrity: Key Federal Regulations

Program integrity requirements cover the broad range of activities reflected in the federal regulations, including monitoring and auditing, the reporting of fraud and overpayments, infrastructure development and training, provider screening and enrollment, provision of written disclosures, and the treatment of overpayment recoveries. The key provisions and requirements found in the regulations pertain primarily to states, Medicaid agencies and MCOs. A few of these provisions are highlighted below.

States and State Medicaid Agencies. States must have a monitoring system to address program integrity, methods and criteria for identifying fraud, and methods for verifying that billed services were provided. States must periodically audit MCOs’ encounter and financial data. To increase transparency, states are also required to make the results of these program integrity activities available online. States must also ensure that MCOs have procedures to detect and prevent fraud, waste and abuse, including a system of dedicated staff, sometimes referred to as the Special Investigations Unit (SIU), to routinely monitor, audit and correct compliance issues. In turn, Medicaid agencies must report fraud and abuse to the state, along with the number of complaints that warranted further investigation. Medicaid agencies must also have procedures for referring suspected fraud to law enforcement and must refer providers suspected of fraud to Medicaid Fraud Control Units (MFCUs).

MCOs. MCOs must have methods for verifying whether services were received as authorized and paid for by the MCO and must also promptly report identified fraud to both the state Medicaid agencies and the MFCUs. MCOs are required to report a significant amount of information to the state Medicaid agencies to demonstrate their oversight and overpayment recovery efforts and successes.

III. Program Integrity and Compliance Relationships and Risks in Medicaid Managed Care

As OIG Assistant Inspector General Ann Maxwell states in her testimony before the U.S. House of Representatives in January 2017, “[d]etecting problems is a shared responsibility for all actors in the Medicaid program: CMS, States, managed care contractors, and providers.” Each of these players has an integral role in ensuring and maintaining program integrity and compliance. Although all players share this goal, collaboration can sometimes be challenging given the difficulties of obtaining the necessary data, insufficient sharing of information among various oversight agencies and the lack of best practices to guide such efforts. For MCOs that operate in multiple states, simply trying to navigate each state’s requirements can be frustrating.

Federal Oversight. CMS has the most significant federal oversight responsibility, and its continued focus on FFS arrangements has made the agency the target of substantial criticism. Both the GAO and OIG have found fault with CMS’ oversight priorities, asserting that, despite the rapid growth of Medicaid managed care, “[l]ess is known about the types of Medicaid payment risks and the program integrity process and challenges under managed care.” CMS must ensure that states provide oversight of the contracted MCOs and comply with its own federal requirements. To do this, CMS is responsible for reviewing all state Medicaid-related documents, such as state plan amendments, waivers and MCO contracts and amendments. CMS also evaluates the capitation rates states pay to MCOs to ensure the rates are actuarially sound. In addition, CMS collects MCO encounter data from the states and is expected to review and audit the states’ Medicaid programs.

While acknowledging the growth of the Medicaid program and CMS’ “responsibility to ensure sound stewardship and oversight of our program resources,” Administrator Verma signaled that CMS will hold states to a higher level of accountability through more robust program integrity initiatives, which include the following:

  • Auditing states’ MCO financial reporting to ensure states’ claims experience matches what plans have been reporting.
  • Auditing state beneficiary eligibility determinations to assess how Medicaid expansion has affected the state’s Medicaid eligibility policy.
  • Strengthening data sharing and analytics tools to enable states to root out fraud, waste and abuse.

OIG oversees CMS’ program integrity role and MFCUs, and conducts audits and investigations of CMS and state Medicaid programs. OIG has played an important role in recent years in uncovering gaps related to fraud, waste and abuse in Medicaid managed care.

State Medicaid Agencies. State Medicaid agencies are the key players in state oversight of both the Medicaid FFS and managed care programs. As gatekeepers, state Medicaid agencies are responsible for the following:

  • Enroll and screen all Medicaid providers, and ensure that all prospective MCO network providers are enrolled in the Medicaid program.
  • Monitor MCOs’ compliance with contractual requirements, which involves reviewing, among other key reports, ownership and control information from the MCO and its subcontractors, audit encounter and financial data submitted by the MCO, and network adequacy.
  • Assist in investigating fraud, waste or abuse reported by whistleblowers, and take the appropriate action upon learning of an allegation of fraud.
  • Oversee program operations and set capitation rates.

Medicaid Fraud Control Units. Each state is required to establish a single identifiable entity, separate from the Medicaid program, to investigate and prosecute Medicaid fraud. All but one state has established MFCUs, which typically operate under the auspices of the attorney general’s office. The relationship between the Medicaid agencies, which refer fraud to the MFCU, and the MFCU is critical to the state’s oversight of Medicaid program integrity.

MCOs. States heavily rely on their MCOs as critical partners in overseeing program integrity activities. MCOs must develop policies and procedures to ensure correct payments to providers and monitor those providers, including through the use of data analytics, so that they can target any problems in real time and ensure that payments are made only for enrolled beneficiaries. MCOs are responsible for vetting their network providers, which includes credentialing, conducting criminal background checks and exclusion screenings, and collecting ownership information.

Program Integrity Risks Within Medicaid Managed Care. The growth of managed care requires each of the foregoing stakeholders to shift its mindset away from program integrity and noncompliance in an FFS environment to focus on the different risks that arise in Medicaid managed care. Although states in theory can partner with MCOs to address provider-related program integrity risks, in practice the features of Medicaid managed care may actually incentivize MCOs to engage in fraudulent, wasteful or abusive conduct. These features, which MCOs will need to mitigate in order to maintain program integrity, include the following:

  • State pays MCO a capitated payment. The state pays the MCO capitated payments for each beneficiary enrolled in the MCO. To maintain fiscal integrity, capitation payments must be set in a sound manner and sourced from accurate encounter data. States must also make sure they are not making payments to MCOs for non-enrolled or deceased individuals. Increasingly, states are also expected not to make capitation payments if the MCO engages in certain types of noncompliant behavior.
  • MCO processes claims. In a managed care environment, the MCO, not the Medicaid agency, pays its providers. The Medicaid agency plays a more removed role in ensuring that providers are providing accurate, timely and complete data to the MCO as the MCO is charged with ensuring that claims are paid correctly.
  • State oversight of MCO contract and MCO subcontracting. Although states use a standardized, CMS-approved contract to engage the MCOs, these contracts permit MCOs to subcontract many of their obligations, and many do, particularly with respect to claims processing and payment and administering dental, vision and behavioral health benefits. Even though (1) MCOs cannot subcontract their responsibility to the state, (2) states require MCOs to include certain provisions in any subcontract, and (3) many states actually require MCOs to obtain the state’s approval to subcontract, these subcontractor relationships may create an additional barrier to proper oversight of the MCOs. However, subcontractors also must engage in program integrity activities to the extent applicable to their subcontracted services, and states expect MCOs to hold their subcontractors accountable for noncompliance through the imposition of penalties and fines and to report noncompliance to the state.
  • MCO sub-capitation of providers and use of other incentives. Many MCOs enter into sub-capitation arrangements with providers — meaning the providers assume the risk for providing services to a certain set of enrolled members, further removing the MCOs and the state Medicaid agencies from the payments to providers. In addition, the increased focus on value-based payment is creating new issues with respect to program integrity oversight and requires analysis of claims and quality data.
  • MCO’s relationship with its provider network. The MCO must have an adequate provider network that can nimbly adapt to personnel changes stemming from provider misconduct. MCOs are often nervous about suspending provider payments and terminating or reporting providers believed to have engaged in fraud or other misconduct where the network may have a limited number of providers or the provider is high-profile and treats a large number of patients.

IV. State Approaches to Compliance Oversight and Program Integrity of Medicaid MCOs

Despite the GAO’s and OIG’s findings, state Medicaid agencies are becoming more sophisticated in strengthening their Medicaid managed care program integrity and oversight capabilities, as reflected in many of the states’ contracts that were amended to comply with the 2016 Medicaid managed care final rule. Recent trends in increased oversight include:

  • Detailed, often lengthy contracts (e.g., over 400 pages)
  • Increased quantity and frequency of reporting
  • Imposition of liquidated damages or fines for contractual noncompliance
  • Use of withholdings/incentives to drive contract compliance
  • Incentivizing program integrity-related recoveries by permitting MCOs to share in overpayment recoveries not related to criminal fraud or False Claims Act violations
  • Giving multiple state agencies the right to audit MCOs
  • Mandated trainings for MCOs, subcontractors and/or providers

Following are some examples of this increased oversight:

  • New Jersey. New Jersey dictates the specific number of full-time equivalent staff required to staff its SIU — at least one SIU investigator or specialist for each 60,000 members — and requires that the SIU staff be solely dedicated to detecting fraud and abuse under the New Jersey contract.
  • Texas. Texas’ contract includes detailed requirements regarding how fraud, waste and abuse must be investigated. It specifies that the suspected fraud, waste or abuse must be in relation to at least 50 Medicaid recipients or 15% of the providers’ claims. In addition, MCOs are required to submit annual written fraud, waste and abuse compliance plans to the Texas Office of Inspector General and must submit quarterly fraud and abuse reports. In their annual report, MCOs must reflect on the effectiveness of their anti-fraud plan.
  • Tennessee. Tennessee is touted for its strong program oversight. As a very experienced Medicaid managed care state, it has one of the most, if not the most, advanced liquidated damages provisions, which impose liquidated damages for noncompliance related to approximately 70 metrics. Damages are grouped into three categories: Levels A, B and C. Level A is for failures to perform specific responsibilities or requirements that are deemed to pose a significant threat to patient care or the continued viability of the TennCare program; Level B is for failures that pose a threat to the integrity of the TennCare program, which do not necessarily impair all patient care; and Level C failures represent threats to the smooth and efficient operation of TennCare. The dollar amounts of these liquidated damages range from $100 to $25,000 per occurrence per day.
  • New York. New York reduced its MCO capitation payments by $40 million in the aggregate, requiring MCOs to earn back their capitation through overpayment recoveries. As appropriate, MCOs may be eligible to share in 1% to 10% of any overpayments recovered based on the extent to which the MCOs substantially contributed to the investigation and recovery.

V. Continuing Challenges: States and MCOs Coordination of Program Integrity Activities

Despite state Medicaid agencies’ increased attention to program integrity, several challenges to implementing effective program integrity oversight remain, due in part to constrained resources of states and MCOs.

Administrative Challenges

  • Oversight responsibilities. States that have only partially transitioned to Medicaid managed care and still have considerable FFS program integrity oversight obligations must split their limited program integrity resources between FFS and managed care oversight, which have substantially different requirements. The result is compromised oversight of both programs. In states that have more fully transitioned to Medicaid managed care, the state Medicaid agencies have significant responsibilities beyond oversight of the MCOs — including directly enrolling and screening all new providers; investigating information received from whistleblowers related to program integrity concerns and noncompliance of providers, MCOs and subcontractors; and ensuring disclosure of ownership and conflict-of-interest information. Consequently, the time they can devote to oversight is limited.
  • Access to data. Access to timely quality encounter data may be limited, particularly when states are transitioning to managed care or when new populations are being transitioned into managed care. Encounter and quality data are needed to ensure that MCOs are paying providers timely and that beneficiaries are receiving high-quality care. State Medicaid agencies face technical and process challenges with respect to receiving accurate, consistent encounter data from MCOs.
  • Increased program integrity expectations. Increased program integrity and compliance expectations are administratively and financially burdensome for both states and MCOs. Meeting these expectations requires a sufficient number of staff who are well-trained to assess and oversee program integrity, and experienced staff are in short supply given the increased focus in this area (discussed further in next section). Meeting these expectations also often requires a significant investment in technology and reporting capabilities. MCOs operating in multiple states have the added burden of having to report in different formats based on varying state requirements.

Financial Challenges

  • Provider Overpayments. Providers that keep recovered overpayments must account for them in the rate-setting process. Overpayments that are not identified as such will inflate the MCO’s expenditures and potentially increase the MCO’s rates in future years. On the other hand, MCOs that do recoup and report overpayments may feel penalized by the reduced rates when other MCOs are not actively recouping overpayments. These discrepancies are exacerbated by the fact that some states require MCOs to return overpayments to the state, while others allow MCOs to keep the recoveries, provided they report them. Whether either rate-setting approach effectively incentivizes MCOs to invest in program integrity and pursue recoveries is unknown.
  • Calculation of the MCOs’ Medical Loss Ratio (MLR). The MLR reports how much of an insurer’s healthcare premiums are spent on medical expenses versus how much are spent on administration, fees and profits. In short, it’s the incurred claim amounts (plus quality improvement expenses) divided by the earned premium (less certain taxes and fees). Under the Medicaid managed care final rule, MCOs must report certain fraud prevention and reduction expenses in the numerator of the MLR, which should incentivize MCOs to invest in program integrity and compliance-related interventions. However, all other program integrity activities expenses are considered an administrative expense and, as such, are not counted in the numerator of the MLR. With more rigorous MLR reporting and rebate requirements emerging in states, these policies may impact how plans invest in fraud and abuse prevention activities.
  • Training and Appropriate Staffing. According to the May 2018 GAO report, both states and MCOs have struggled to find qualified, well-trained staff to oversee program integrity activities. Despite focusing on increasing program integrity oversight, states need additional resources to train their own staff to use the technology and review the reports necessary to effectively perform oversight. States have to train and retrain staff, hire new staff, and deliberately refocus the agency to take on more of an oversight as opposed to a program implementation role. Similarly, MCOs have constrained resources and have difficulty recruiting highly qualified staff to perform oversight functions, especially in their SIUs. Because all MCOs are looking to expand their capabilities in this area, there is a shortage of qualified compliance officers and SIU staff.
  • Need for Adequate Resources. In many cases, states need to recognize that MCOs have to account for adequate resources in setting their rates in order to develop an effective program integrity oversight system.

Additional Challenges

  • State focus on punitive action. States tend to focus on taking punitive action against MCOs (e.g., imposing monetary fines) for inadequate provider compliance and improper oversight. This approach may undermine the positive state-MCO partnership needed to properly execute their Medicaid program. On the other hand, there may not be a better way to hold MCOs accountable for proper program oversight.
  • Complexity of political relationships. MCOs often have both strong political capital in the state and relatively ready access to the governor’s office or to state legislators to advocate against particular program integrity or other requirements, such as the imposition of penalties. MCOs also use these relationships to influence Medicaid agencies and often have dedicated departments and resources for that purpose. These factors can make holding all MCOs equally accountable for noncompliance challenging.
  • Coordinating program integrity roles. In most states, both the Medicaid program integrity unit (PIU) and the MFCU share primary responsibility for protecting the integrity of the Medicaid program. Both agencies often express frustration at the difficulty of maintaining lockstep activity in identifying, addressing and preventing fraud, waste and abuse — especially in relation to referring credible allegations of fraud. Although federal regulations require states to refer instances of suspected credible allegations of fraud to the MFCU, many states over the years have had difficulty in interpreting and applying the regulations — potentially leading to a divergence in understanding of the evidence needed to accurately identify certain behaviors as fraudulent. MFCUs frequently report they do not receive the number of referrals from the PIU that they believe are warranted, and when they do receive referrals, the cases often lack any substantial evidence of criminal misconduct. Meanwhile, some Medicaid PIUs, which have the primary responsibility of prosecuting Medicaid fraud, have expressed concerns that MFCU investigators often lack program experience, especially in interpreting program regulations or in knowing key individuals in the Medicaid agency responsible for various functions and program operations. Close coordination of efforts through regular meetings and collaboration, in addition to MCO partnerships, may facilitate the identification of new fraud trends, which likely will increase accountability and generally improve the productivity of the two agencies.

Enhanced Oversight of MCOs Will Challenge Providers, Having Direct and Immediate Impact

With the increased focus on program integrity requirements and the roles of CMS, OIG and states, providers also will face increased scrutiny from MCOs and states, as well as increased administrative burdens. Providers should anticipate increased auditing from both state Medicaid agencies and multiple MCOs, more stringent reporting requirements that may follow state reporting timelines, and increased requests for data. MCOs are also likely to saddle providers with the responsibility of handling more program integrity and compliance requirements, such as criminal background screening, self-reporting of metrics, developing corrective action plans, training, self-certification, ownership disclosure submission and overpayment reporting.

VI. Looking Ahead: Compliance and Oversight in Medicaid Managed Care

Looking into the future, states are likely to be held more accountable for the noncompliance of their MCOs, especially as more money flows through Medicaid managed care. The federal government will likely increase its oversight role and, ideally, will begin to standardize expectations across states. CMS’ recently announced Medicaid program integrity initiative includes stronger audit functions, enhanced oversight of state contracts with MCOs, increased beneficiary eligibility oversight, and stricter enforcement of state compliance with federal rules.

Medicaid Managed Care Zero-Tolerance Activity. We expect CMS and states to focus on low-hanging fruit — that is, areas that are easily identified, through data analytics or less laborious auditing, as being noncompliant within Medicaid managed care. MCOs should expect that state Medicaid agencies will have zero tolerance for MCOs that:

  • Engage in prohibited relationships (e.g., hiring an excluded person or contracting with an excluded provider).
  • Make payments to providers who are not enrolled in the Medicaid program.
  • Submit incomplete or inaccurate data.
  • Fail to act timely on a fraud referral.
  • Make payments for deceased beneficiaries.
  • Report unallowable expenses in calculating their MLR.

Striking a Balance Between Holding Providers Accountable and Allowing Them to Focus on Service Delivery. Providers need to be engaged in this process, as they should be held accountable for noncompliance. But states and MCOs will need to listen and pay close attention to providers to assess whether they are being overburdened by data collection requirements, reporting requirements, duplicative ownership and disclosure submission requirements, and audits. The primary responsibility of providers should be to provide quality care to patients. It would behoove states and MCOs to develop and use standardized data platforms to enable providers to more easily submit information, which will in turn allow states to more easily share data. MCOs may attempt to impose liquidated damages downstream on their providers to hold them financially accountable for their own noncompliance.

Outlook for Oversight Concerns: Lessons from Medicare. The Medicaid managed care program can likely learn lessons from the Medicare Advantage (MA) program with respect to program integrity issues. In the MA program, CMS has learned that mistakes and risk score up-coding often lead to improper (higher) payments to MCOs. As a result, CMS has focused some of its oversight efforts on risk adjustment data validation (RADV), which has identified concerning behavior (although CMS has not recovered significant funds through these efforts). As states become more sophisticated, they will increase their oversight of risk score and its impact on rate setting. As MCOs become more sophisticated, the risk of them exploiting these rate-setting practices likewise increases.

MCOs Also Must Be Alert to National Public Health Priorities

  • Overprescribing of opioids. Opioid fraud encompasses a broad range of criminal activity, from prescription drug diversion to addiction treatment schemes to less complex schemes related to physicians’ prescribing patterns and beneficiary doctor shopping. MCOs likely will be required to step up their efforts to educate pharmacies and physicians on how to identify and report potentially noncompliant prescriber or beneficiary activities, and state Medicaid agencies will hold MCOs accountable for helping to reduce fraud in this area.
  • Ensuring access to substance use treatment. States also may increase their scrutiny of MCOs to ensure that beneficiaries have sufficient access to substance abuse treatment programs and providers.
  • Addressing the social determinants of health through managed care. Where an MCO contracts with providers and community-based agencies devoted primarily to addressing social determinants of health (i.e., nonmedical concerns such as housing insecurity or parenting skills), which typically have not had to comply with Medicaid or other managed care requirements, MCOs may need to provide additional oversight to ensure these providers expend funds appropriately. In addition because these services are truly value-add and have been previously prohibited from being provided as there was a concern that they could be inappropriate inducements prohibited under federal and state laws, Medicaid agencies must ensure that these services are being provided to those who qualify and not merely to induce increased enrollment in the plan.

VII. Conclusion

Federal scrutiny of program integrity and compliance within Medicaid managed care continues to increase, with the OIG recently urging CMS and states to take advantage of opportunities to improve MCO efforts to protect Medicaid and ensure that taxpayer dollars are spent appropriately. Increased scrutiny is expected with the growth of Medicaid managed care. The Majority Staff of the Committee on Homeland Security and Governmental Affairs also recently released a report criticizing CMS for inadequate oversight and allowing too much fraud: “CMS … has vast authority granted by a 2005 law to police Medicaid fraud, but it has largely failed to do so. GAO and other watchdogs have warned CMS for the past 15 years that Medicaid is uniquely vulnerable to fraud and overpayments.”

Despite increased scrutiny and having to work with limited resources, not one actor within Medicaid managed care wants the Medicaid program to collapse or to be weighed down by fraud, waste and abuse. As recent oversight reports recommend, states should look to share program integrity best practices with and increase collaboration among each other. Over time, with more collaboration among states, testing and sharing of best practices, program integrity and compliance in Medicaid managed care undoubtedly will improve.

States are encouraged to continue measuring the return of investment on program activities and should share best practices with one another — such as information on which program integrity practices work best for certain managed care populations and programs. State requirements will need to take heed of downstream impacts on MCOs and providers. As MCOs respond to increased requirements in state contracts, they will need to recognize the impact on providers to prevent overburdening providers. Greater partnership and collaboration between actors will require improved technology and data platforms that allow for easy sharing of encounter data, which ideally will lead to standardized information technology standards across states.

Overall, the relationship between states, MCOs and providers should be a partnership in upholding program integrity and compliance in Medicaid managed care. This seamless collaboration will provide quality of care to Medicaid patients, ensure the appropriate use of limited Medicaid funding, and encourage continued innovation and value-oriented care delivery.


Randi Seigel is a partner with Manatt Health, a business strategy and consulting arm of Manatt Phelps and Phillips in New York. She can be reached at Anthony Fiori is Manatt Health’s managing director in New York. He can be reached at Thomasina Anane is a consultant with Manatt Health in Washington who can be reached at