Program integrity activities are meant to ensure that federal and state taxpayer dollars are spent appropriately on delivering quality, necessary care and preventing fraud, waste, and abuse. Like other Medicaid administrative activities, program integrity responsibilities are shared between states and the federal government. Contracted managed care organizations also have specific program integrity responsibilities.
Federal program integrity activities
The CMS Center for Program Integrity is responsible for the Medicaid Integrity Program, a comprehensive federal strategy to reduce Medicaid provider fraud, waste, and abuse. Managed care is a component of many initiatives including periodic reviews of state program integrity operations, training, and technical assistance for states (CMS 2015). CPI publishes information on noteworthy practices to address fraud and abuse in Medicaid managed care and provides state staff with training on managed care program integrity. CPI has also developed a managed care plan compliance toolkit with guidance to assist Medicaid managed care plans in preventing, detecting, and reporting Medicaid fraud, waste, and abuse (CMS 2016a).
As noted earlier, managed care program integrity also includes many broader program oversight elements that, at the federal level, is the responsibility of the Center for Medicaid and CHIP Services (CMCS) within CMS. CMCS reviews state documents (e.g., waivers and MCO contracts) to ensure that managed care programs comply with federal statutes and regulations. For example, CMCS annually reviews and approves each MCO contract and any contract amendments to ensure they include all required provisions, including those relating to program integrity (described in detail below).
Federal efforts have primarily focused on oversight and accountability for the accuracy of the payments made by states to MCOs. For managed care payments, the fundamental payment principle is that capitation rates be actuarially sound (42 CFR 438.4). States are required to submit for federal review the capitation rates that correspond to the populations and services covered in the managed care program, actuarial certifications for those rates, and data and documentation to support these certifications. CMCS reviews the capitation rates for each Medicaid managed care program to determine whether the payments are actuarially sound and support the necessary contract terms to deliver high-value, high-quality services to enrollees.
CMCS also collects managed care encounter data (information relating to the receipt of any items or services by an enrollee under an MCO contract) from the states, which are required to collect them from the MCOs. It uses these data to measure state and plan performance, monitor compliance with federal rules, and support program integrity efforts. The federal government has statutory authority to disallow Medicaid matching payments if states fail to submit complete and accurate data, although to date it has not exercised this authority (section 1903(i)(25) and (m)(2)(A)(xi) of the Social Security Act).
Other offices within CMS also have responsibilities relating to Medicaid managed care program integrity. For example, as required by federal law, the Office of Financial Management measures the rate of improper payments for all CMS programs. This includes a review of a random sample of capitation payments made by state Medicaid programs to MCOs to determine whether they were made in accordance with the relevant contracts and capitation rate schedules (CMS 2016b). The improper payment rate does not include an estimate of erroneous provider payments made by Medicaid MCOs.
Lastly, while not within CMS, the HHS OIG is responsible for overseeing the integrity of all HHS programs, including Medicaid. The OIG conducts audits and investigations of both state Medicaid programs and CMS and evaluates aspects of the Medicaid program in order to make recommendations focused on improving efficiency and reducing fraud, waste, and abuse. The OIG also oversees the state-based Medicaid Fraud Control Units (MFCUs).
State program integrity activities
All state Medicaid programs, regardless of delivery system design, must comply with federal Medicaid program integrity requirements. For example, states must have mechanisms to identify, investigate, and refer suspected fraud and abuse cases to appropriate state and federal law enforcement and cooperate with federal program integrity initiatives including the Medicaid Integrity Program and the Payment Error Rate Measurement (PERM) program (42 CFR Part 455). In addition, all states have a MFCU (which operates independently from the Medicaid program) to investigate and prosecute Medicaid provider fraud, including fraud committed by providers under contract to Medicaid managed care plans.
States with managed care programs have two additional program integrity responsibilities: conducting program integrity activities for the managed care program and making sure MCOs maintain effective program integrity programs of their own. For example, states must periodically, but no less than every 3 years, conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO; directly enroll and conduct all applicable screening and disclosure reviews and database checks for all MCO network providers (beginning in January 2018); investigate information received from whistleblowers relating to the integrity of the MCO, subcontractors, or network providers; and ensure that MCOs disclose certain information, such as personal and financial conflicts of interest, for each person with at least a 5 percent ownership or controlling interest in the entity and ensure that MCOs agree to provide information related to business transactions upon request.
States are required by federal rules to put specific program integrity requirements in their contracts with Medicaid health plans. For example, each contract must require MCOs to implement and maintain arrangements or procedures that are designed to detect and prevent fraud, waste, and abuse; ensure that all network providers are enrolled with the state as Medicaid providers consistent with the provider disclosure, screening and enrollment requirements; and provide written disclosure of any prohibited affiliation and information on ownership and control.The contract must also specify the retention policies for the treatment of recoveries of all overpayments from the MCO to a provider, including specifically the retention policies for the treatment of recoveries of overpayments due to fraud, waste, or abuse.
State Medicaid managed care programs are also required to comply with a number of other federal requirements relating to transparency and accountability; these program oversight activities also strengthen program integrity. For example, the state must validate that MCOs have adequate provider networks and review encounter data to guard against underutilization. States must provide oversight of MCO administrative requirements, such as marketing and enrollment rules. States must also develop mechanisms for appropriate payments such as ensuring that capitation rates are correct and actuarially sound, that MCOs are not paid for non-enrolled individuals, and that the FFS program does not pay claims for services that are the responsibility of the MCOs.
States may also choose to conduct additional program integrity activities beyond those required by federal law, including encounter data analysis and joint program integrity investigations with MCOs. Many states periodically convene staff from the between state managed care and program integrity units, MCO program integrity department, and MFCU to discuss information about potential fraud, waste, and abuse. These opportunities to share information on program integrity practices can also help strengthen state knowledge and oversight of MCO operations.
Managed care plans’ program integrity activities
Medicaid MCOs conduct a variety of program integrity activities, including those required by federal rule, those required as a condition of contracting with a state, and those initiated by the health plan itself to minimize improper provider payments.
As noted above, federal rules require Medicaid managed care plans to comply with many specific requirements relating to program integrity, which are enforced through contracts with the states. For example, as part of its contractually required policies and procedures to detect and prevent fraud, waste, and abuse, each Medicaid MCO must have a formal compliance program with written policies, procedures, and standards of conduct; a designated compliance officer and regulatory compliance committee; a program integrity training program to educate MCO staff; disciplinary guidelines that enforce compliance program policies; a system for routine internal monitoring and auditing of compliance risks and responding to compliance issues as they are raised or investigating and correcting potential compliance problems as identified in the course of self-evaluation and audits; and a method to periodically verify whether billed services were received by enrollees.
MCOs must cooperate with the state and law enforcement agencies on program integrity activities. For example, MCOs must promptly report to the state all overpayments identified or recovered, specifying the overpayments due to potential fraud, and must promptly refer any potential fraud, waste, or abuse to the state Medicaid program integrity unit or directly to the state MFCU, as applicable. MCOs must also notify the Medicaid agency if they receive information regarding changes to enrollee or provider eligibility. They must also suspend payments to a network provider if the state has determined that there is a credible allegation of fraud against that provider.
Medicaid MCOs must also comply with other state and federal requirements that support program integrity and ensure that taxpayer dollars are spent appropriately. For example, MCOs must provide audited financial reports, complete and accurate encounter data for all services provided to enrolled members, and documentation demonstrating compliance with network adequacy requirements.
Medicaid MCOs may also engage in a variety of program integrity activities beyond those required by federal rule or specified in contracts with the state. For example, MCOs may implement additional pre-payment and post-payment reviews of provider claims to detect patterns of fraud or conduct data matching with other insurers to identify unreported third-party liability.