United States Government Accountability Office Report to Congressional Requesters MEDICAID July 2018 MANAGED CARE Improvements Needed to Better Oversee Payment Risks GAO-18-528 July 2018 MEDICAID MANAGED CARE Improvements Needed to Better Oversee Payment Risks Highlights of GAO-18-528, a report to congressional requesters What GAO Found Why GAO Did This Study Under Medicaid managed care, managed care organizations (MCO) receive a periodic payment per beneficiary in order to provide health care services. Federal spending on services paid for Managed care has the potential to help states reduce Medicaid program costs under Medicaid managed care was and better manage the use of health care services. However, managed care $171 billion in 2017, almost half of the payments also have the potential to create program integrity risks. GAO total federal Medicaid expenditures for identified six types of payment risks associated with managed care, including that year. Federal and state program four related to payments that state Medicaid agencies make to MCOs, and two integrity efforts have largely focused on related to payments that MCOs make to providers. Of the six payment risks GAO Medicaid fee-for-service delivery where identified, state stakeholders responsible for ensuring Medicaid program integrity the state pays providers directly, rather more often cited the following two as having a higher level of risk: than managed care, where it pays MCOs. As a result, less is known about (1) incorrect fee-for-service payments from MCOs, where the MCO paid the types of payment risks under providers for improper claims, such as claims for services not provided; managed care. and GAO was asked to examine payment (2) inaccurate state payments to MCOs resulting from using data that are risks in Medicaid managed care. In this not accurate or including costs that should be excluded in setting report, GAO (1) identified payment payment rates. risks; (2) identified any challenges to state oversight and strategies to GAO also identified multiple challenges to program integrity oversight for address them; and (3) assessed CMS managed care programs. Stakeholders most frequently cited challenges related efforts to help states address payment to (1) appropriate allocation of resources, (2) quality of the data and technology risks and oversight challenges. To do used, and (3) adequacy of state policies and practices. Some stakeholders this work, GAO reviewed findings on offered strategies to address these challenges, including collaborating with other managed care payment risks and entities to identify problem providers and fraud schemes, as well as having oversight challenges from federal and effective data systems to better manage risks. state audits and other sources. GAO also interviewed 49 state program The Centers for Medicare & Medicaid Services (CMS), which oversees Medicaid, integrity stakeholders in 10 states has initiated efforts to assist states with program integrity oversight for managed selected based on size, the percent of care. However, some of these efforts have been delayed, and there are also population in managed care, and gaps in oversight. geography. Stakeholders included the • CMS’s planned Medicaid managed care guidance to states has been state Medicaid managed care office, delayed due to the agency’s internal review of the regulations; as of May state Medicaid program integrity unit, state auditor, Medicaid Fraud Control 2018, no issuance date had been set for the guidance. Unit, and an MCO. • CMS established a new approach for conducting managed care audits beginning in 2016. However, only a few audits have been conducted, with What GAO Recommends none initiated in the past 2 years. In part, this is due to certain impediments GAO recommends that CMS (1) identified by states, such as the lack of some provisions in MCO contracts. expedite issuing planned guidance on • CMS has updated standards for its periodic reviews of the state capitation Medicaid managed care program rates set for MCOs. However, overpayments to providers by MCOs are not integrity, (2) address impediments to consistently accounted for in determining future state payments to MCOs, managed care audits, and (3) ensure which can result in states’ payments to MCOs being too high. states account for overpayments in setting future MCO payment rates. The Lack of guidance and gaps in program integrity oversight are inconsistent with Department of Health and Human federal internal control standards, as well as with CMS’s goals to (1) improve Services concurred with these states’ oversight of managed care; (2) use audits to investigate fraud, waste, and recommendations. abuse of providers paid by MCOs; and (3) hold MCOs financially accountable. Without taking action to address these issues, CMS is missing an opportunity to View GAO-18-528. For more information, contact Carolyn L.Yocom at (202) 512-7114 or develop more robust program integrity safeguards that will help mitigate payment yocomc@gao.gov. risks in Medicaid managed care. United States Government Accountability Office Contents Letter 1 Background 4 Six Types of Payment Risks Exist for Managed Care, with Stakeholders Viewing Some Risks as Greater than Others 9 Multiple Challenges Exist for Effective Program Integrity Oversight and Stakeholders Identified Strategies to Address Them 13 CMS Has Assisted States in Addressing Payment Risks, but Some Efforts Have Been Delayed and There Are Gaps in Oversight 21 Conclusions 30 Recommendations For Executive Action 30 Agency Comments 31 Appendix I Risk Level Designations by Stakeholder Group 32 Appendix II Examples of Different Types of Payment Risks in Medicaid Managed Care 40 Appendix III Challenges to Effective Program Integrity Oversight in Medicaid Managed Care 45 Appendix IV Comments from the Department of Health and Human Services 48 Appendix V GAO Contact and Staff Acknowledgments 52 Tables Table 1: Examples of Program Integrity Oversight Responsibilities of State-Level Stakeholders in Medicaid Managed Care 7 Table 2: Examples of Types of Payment Risks in Medicaid Managed Care 12 Table 3: Stakeholder Examples of Oversight Challenges Related to Resource Allocation for Medicaid Managed Care 15 Page i GAO-18-528 Medicaid Managed Care Table 4: Stakeholder Examples of Oversight Challenges Related to Data and Technology for Medicaid Managed Care 16 Table 5: Stakeholder Examples of Oversight Challenges Related to State Policies and Practices for Medicaid Managed Care 17 Table 6: Stakeholder Examples of Oversight Challenges Related to Managed Care Organization (MCO) Management 18 Table 7: Health Care Providers and Services Most Frequently Identified by Stakeholders as Having the Highest Risk for Payment Error in Medicaid Managed Care 19 Table 8: Strategies Identified by Stakeholders to Address Selected Medicaid Managed Care Payment Risks 20 Table 9: CMS Steps to Increase Guidance on Oversight of Payment Risks in Medicaid Managed Care 24 Table 10: Examples of Improper State Capitation Payments for Medicaid Managed Care 40 Table 11: Examples of Inaccurate State Capitation Rates for Medicaid Managed Care 41 Table 12: Examples of State Payments to Noncompliant Medicaid Managed Care Organizations (MCO) 42 Table 13: Examples of Duplicate State Payments for Medicaid Managed Care 43 Table 14: Examples of Incorrect Medicaid Managed Care Organization Fee-for-Service Payments 43 Table 15: Example of Incorrect Medicaid Managed Care Organization Capitation Payments 44 Figures Figure 1: Medicaid Fee-for-Service and Managed Care Delivery Models 5 Figure 2: Payment Risks Related to State Medicaid Program Payments to Managed Care Organizations (MCO) 9 Figure 3: Payment Risks Related to Medicaid Managed Care Organization (MCO) Payments to Providers 10 Figure 4: Stakeholders’ Views of the Level of Risk Associated with Each Type of Medicaid Managed Care Payment Risk 11 Figure 5: Frequency of Stakeholder Citing of Six Challenges to Medicaid Managed Care Oversight 14 Figure 6: Stakeholders’ Views on the Level of Risk for Improper State Capitation Payments for Medicaid Managed Care 34 Page ii GAO-18-528 Medicaid Managed Care Figure 7: Stakeholders’ Views on the Level of Risk for Inaccurate State Capitation Rates for Medicaid Managed Care 35 Figure 8: Stakeholders’ Views on the Level of Risk for State Payments to Noncompliant Medicaid Managed Care Organizations (MCO) 36 Figure 9: Stakeholders’ Views of the Level of Risk for Duplicate State Payments for Medicaid Managed Care 37 Figure 10: Stakeholders’ Views of the Level of Risk for Incorrect Medicaid Managed Care Organization (MCO) Fee-for- Service Payments 38 Figure 11: Stakeholders’ Views of the Level of Risk for Incorrect Medicaid Managed Care Organizations (MCO) Capitation Payments 39 Figure 12: Number of Times Stakeholders Cited Each Challenge to Medicaid Managed Care Program Integrity Oversight, by Payment Risk 46 Page iii GAO-18-528 Medicaid Managed Care Abbreviations CMS Centers for Medicare & Medicaid Services HHS Department of Health and Human Services HHS-OIG Department of Health and Human Services’ Office of Inspector General MCO managed care organization MFCU Medicaid Fraud Control Unit UPIC Unified Program Integrity Contractor This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page iv GAO-18-528 Medicaid Managed Care Letter 441 G St. N.W. Washington, DC 20548 July 26, 2018 The Honorable Claire McCaskill Ranking Member Committee on Homeland Security and Governmental Affairs United States Senate The Honorable Thomas R. Carper Ranking Member Permanent Subcommittee on Investigations Committee on Homeland Security and Governmental Affairs United States Senate Federal spending on services delivered and paid for under Medicaid managed care totaled $171 billion in 2017, almost half of the total $364 billion in federal Medicaid expenditures for that year. 1 Under Medicaid managed care, states pay a set periodic amount per beneficiary to managed care organizations (MCO) for each enrolled beneficiary, and MCOs pay health care providers for the services delivered to enrollees. 2 Used effectively, managed care may help states reduce Medicaid program costs and better manage utilization of health care services. The Centers for Medicare & Medicaid Services (CMS)—an agency within the Department of Health and Human Services (HHS)—and the states have implemented program integrity policies and processes in an effort to address payment risks in Medicaid, such as those related to fraud, waste, and abuse. However, these program integrity efforts have remained largely focused on fee-for-service arrangements, where states pay health care providers directly for services rendered. Payments for these services provided under fee-for-service arrangements are audited by multiple 1 Medicaid is a joint federal-state program that finances health care coverage for low- income and medically needy individuals. 2 States may have different types of managed care arrangements in Medicaid, such as primary care case management, prepaid ambulatory health plans, or comprehensive managed care, some of which have a limited benefit package or do not assume financial risk for services provided. In this report, we are referring to comprehensive, risk-based managed care provided through MCOs, which is the most common managed care arrangement. An MCO contracts with a state to provide comprehensive health care services through its network of providers, is responsible for ensuring access to Medicaid services, and is at financial risk for the cost of providing these services. Page 1 GAO-18-528 Medicaid Managed Care entities and reviewed for incorrect or fraudulent patterns at the federal and state levels. In contrast, under managed care, states do not pay providers directly, but rather pay MCOs, which are responsible for providing services through their provider networks; MCOs are responsible for overseeing the appropriateness of the payments they make to providers. Less is known about the types of Medicaid payment risks and the program integrity process and challenges under managed care. We recently reported on certain payment risks in Medicaid managed care that are not adequately accounted for in determining the scope of Medicaid improper payments to MCOs. 3 This lack of knowledge is of particular concern, given the recent rapid growth in enrollment in Medicaid managed care. Between 2013 and 2016 (the most recent year for which data are available), Medicaid enrollment in comprehensive, risk-based managed care increased by 56 percent, or from 35.0 million beneficiaries to 54.6 million beneficiaries. You asked us to identify payment risks and oversight challenges associated with Medicaid managed care. In this report, we 1. identify any potential payment risks that exist in Medicaid managed care; 2. identify any potential oversight challenges associated with identified payment risks, and the strategies states use to address them; and 3. assess CMS’s efforts to assist states in addressing these payment risks and associated oversight challenges. To address the first two objectives, we first reviewed reports resulting from federal and state audits and investigations, regarding payment risks and improper payments in Medicaid managed care and managed care in general. Through a literature search and outreach to state auditing organizations, we identified and reviewed audit reports of Medicaid managed care programs—such as those issued by HHS’s Office of 3 See GAO, Medicaid: CMS Needs to Better Measure Program Risks in Managed Care, GAO-18-291 (Washington, D.C.: May 7, 2018). In this report, we recommended that CMS measure certain program risks that are not accounted for in its current oversight of Medicaid managed care. In addition, in another report, we found that CMS has not conducted a risk assessment for Medicaid or Medicare related to fraud in these programs. See GAO, Medicare and Medicaid: CMS Needs to Fully Align its Antifraud Efforts with the Fraud Risk Framework, GAO-18-88 (Washington, D.C.: Dec. 5, 2017). We recommended that CMS take steps to assess risks and create strategies to address them. CMS agreed with the recommendations in both of these reports. Page 2 GAO-18-528 Medicaid Managed Care Inspector General (HHS-OIG) and state audit agencies—as well as investigations involving payments to MCOs and MCO providers. We also reviewed our prior work and reports related to Medicaid program integrity. Based on this review, we identified different types of payment risks, as well as reported challenges to program integrity oversight of these risks. We next interviewed officials from a non-generalizable sample of 10 states regarding their views about the level of risk of each type of payment risk; the extent they experienced the challenges to oversight; and whether they had used any oversight strategies to address Medicaid managed care payment risks. We selected states that had a significant share of their Medicaid populations enrolled in MCOs, and to provide a mix of population sizes and geographic locations. 4 Within each state, we conducted structured interviews with a total of 49 stakeholders from the following five entities that have oversight responsibilities related to Medicaid program integrity: (1) the state Medicaid managed care office; (2) the state Medicaid program integrity unit; (3) the state auditor; (4) the state Medicaid Fraud Control Unit (MFCU); and (5) an MCO. 5 To assess CMS’s efforts to assist states in addressing these payment risks and associated oversight challenges, we reviewed CMS’s managed care regulations and guidance; current program integrity plan; and documents relating to training, technical assistance, monitoring and oversight. 6 We conducted interviews with CMS officials and CMS audit contractors regarding their roles, responsibilities, and oversight activities. Additionally, we reviewed our prior work related to program integrity risks in Medicaid managed care and identified applicable federal internal control standards—specifically those related to communicating guidance 4 Selected states included California, Florida, Georgia, Hawaii, Massachusetts, Michigan, Nevada, Oregon, Tennessee, and Wisconsin. These states accounted for 34 percent of total federal and state Medicaid managed care expenditures in all states in fiscal year 2017. 5 MCOs were identified by calculating the median enrollment of plans operating in each state in 2014 and selecting the plan with the median enrollment or next highest level of enrollment. 6 See Department of Health and Human Services, Centers for Medicare & Medicaid Services, Comprehensive Medicaid Integrity Plan, Fiscal Years 2014-2018. Page 3 GAO-18-528 Medicaid Managed Care and to conducting effective monitoring—that we could use to assess CMS’s efforts. 7 We conducted this performance audit from October 2016 to July 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Medicaid is jointly financed by the federal government and the states, with Background the federal government reimbursing states for a share of their expenditures for Medicaid covered services provided to eligible beneficiaries. The federal share of spending is based on a statutory formula that determines a federal matching rate for each state. 8 Medicaid Service Delivery States may provide Medicaid services under either or both a fee-for- Models service model and a managed care model. Under a fee-for-service delivery model, states make payments directly to providers for services provided, and the federal government reimburses the state its share of spending based on these payments. Under a managed care service delivery model, states pay MCOs a capitation payment, which is a fixed periodic payment per beneficiary enrolled in an MCO—typically, per member per month. The federal government reimburses its share of spending based on the capitation payments states made to the MCO. In return for the capitated payment, each MCO is responsible for arranging for and paying providers’ claims for all covered services provided to Medicaid beneficiaries. For example, MCOs may pay providers on a fee- for-service basis or with a monthly capitation payment per beneficiary, or 7 See GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10, 2014). Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. 8 The federal government matches most state Medicaid expenditures for services on the basis of the Federal Medical Assistance Percentage formula, which, using per capita income, determines each state’s federal matching rate. The federal medical assistance percentage for a state can range from 50 percent to 83 percent; in fiscal year 2017, the federal share of Medicaid service expenditures was about 62 percent. Page 4 GAO-18-528 Medicaid Managed Care through some other payment approach in which the provider assumes some risk for providing covered services. In either case, MCOs are required to report to the states information on services utilized by Medicaid beneficiaries—information typically referred to as encounter data. Figure 1 illustrates these models. Figure 1: Medicaid Fee-for-Service and Managed Care Delivery Models Notes: States may have different types of managed care arrangements in their Medicaid programs, some of which have a limited benefit package or do not assume financial risk for services provided. In this report, we are referring to comprehensive, risk-based managed care provided through MCOs, which is the most common managed care arrangement. Managed care organizations may also pay providers through other payment approaches in which the provider assumes some risk for covered services. Page 5 GAO-18-528 Medicaid Managed Care State and MCO Program Program integrity refers to the proper management and function of the Integrity Responsibilities Medicaid program to ensure that quality and efficient care is being provided, while Medicaid payments are used appropriately and with minimal waste. Program integrity efforts encompass a variety of administrative, review, and law enforcement strategies. State stakeholders—Medicaid managed care offices, state Medicaid program integrity units, Medicaid Fraud Control Units (MFCUs), and in many cases state auditors—and MCO stakeholders—MCOs that contract with states to deliver Medicaid services—play important roles in the oversight of managed care payment risks and have a variety of program integrity responsibilities. A stakeholder’s program integrity responsibilities can be specialized—such as for MFCUs, which focus on fraudulent behavior—or varied—such as for state Medicaid managed care offices and MCOs, which are responsible for monitoring fraud and other issues, such as compliance with quality standards or ensuring MCOs meet contract requirements. (See table 1.) Page 6 GAO-18-528 Medicaid Managed Care Table 1: Examples of Program Integrity Oversight Responsibilities of State-Level Stakeholders in Medicaid Managed Care State-level stakeholder Examples of program integrity oversight responsibilities State Medicaid managed care offices State Medicaid managed care offices are responsible for reviewing MCO quality standard reports, and monitoring MCO compliance with contract requirements, such as those related to network adequacy, reporting overpayments to, or fraud by, providers, and reporting ineligible or deceased individuals. State program integrity units State program integrity units may have responsibility for program integrity for services delivered under both managed care and fee-for-service. These units are responsible for developing policies to prevent Medicaid improper payments, identify improper payments the Medicaid agency has made, and recover improper payments. They also may be responsible for ensuring that providers that engage in fraudulent or abuse activities do not enroll in the program and are reported as terminated providers. Medicaid Fraud Control Units (MFCU) MFCUs are responsible for investigating and prosecuting Medicaid fraud. MFCUs are generally located in state Attorney General offices. State program integrity units refer potential fraud cases to MFCUs for further investigation and legal action. State auditors State auditors are responsible for assessing financial management and accountability in state government agencies and programs. The extent to which state audit offices conduct audits of a state Medicaid program—and audits particularly of Medicaid managed care— can vary by state. Managed care organizations (MCO) MCOs are responsible for developing policies and implementing procedures to prevent incorrect payments to providers, monitoring providers to ensure they are complying with program requirements, reporting overpayments made to providers, reporting ineligible or deceased individuals, and reporting providers engaged in fraudulent activity. Source: GAO analysis of information from state auditors, the Medicaid and CHIP Payment and Access Commission, and the National Association of State Medicaid Fraud Control Units. I GAO-18-528 Note: States vary in the organizational structure of their Medicaid program. For example, in some states the program integrity unit may be within the managed care office, while in other states it may be separate. Two of the stakeholders—state Medicaid managed care offices and MCOs—have responsibilities for program operation in addition to program integrity oversight responsibilities. For example, state Medicaid managed care offices’ program operations responsibilities include enrolling beneficiaries, negotiating contracts with MCOs, developing capitation rates, and making monthly capitation payments to MCOs. MCOs’ program operation responsibilities include establishing contracts with providers, creating provider networks, ensuring that enrollees have an ongoing source of primary care and timely access to needed services, and processing and paying provider claims. In a previous report, we found that state Medicaid program integrity efforts focus primarily on payments and services delivered under fee-for- Page 7 GAO-18-528 Medicaid Managed Care service, and do not closely examine program integrity in managed care. 9 For example, officials from five of seven states that we spoke to for that report said that they primarily focused their program integrity efforts on fee-for-service claims. They also noted that program integrity in Medicaid managed care was more complex than for fee-for-service. CMS’s Program Integrity CMS’s program integrity responsibilities take a variety of forms. CMS Responsibilities issues program requirements for states through regulations and guidance; for example, regulations requiring states to establish actuarially sound capitation rates and to ensure that MCOs have an adequate network of providers, as well as to ensure that all covered services are available and accessible to beneficiaries in a timely manner. 10 CMS also requires states to submit MCO contracts and capitation rates to CMS for review and approval, and report key information such as encounter data collected from MCOs. The agency provides technical assistance and educational support to states, including having staff available to help states with specific issues or questions, and providing courses on program integrity issues. The agency also conducts periodic reviews to assess state program integrity policies, processes, and capabilities. In addition, CMS has engaged audit contractors to help states audit providers receiving Medicaid payments, including payments made by MCOs to providers. 9 See GAO, Medicaid Program Integrity: Increased Oversight Needed to Ensure Integrity of Growing Managed Care Expenditures, GAO-14-341 (Washington, D.C.: May 19, 2014). In this report we recommended that CMS require states to conduct audits of managed care payments, update its guidance on program integrity in managed care, and provide additional support to states. CMS implemented these recommendations. 10 In May 2016, CMS issued a final rule on Medicaid managed care to enhance regulatory provisions in a range of program integrity areas. In general, actuarially sound capitation rates are certified by an actuary as being appropriate for the populations and services covered. Rates are to be adequate for MCOs to meet requirements for ensuring availability and timely access to services, adequate networks, and coordination and continuity of care. See 42 C.F.R. §§ 438.4, 438.206, 438.207, 438.208 (2017). Page 8 GAO-18-528 Medicaid Managed Care We identified six types of payment risks through our review of Medicaid Six Types of Payment audit reports and other sources. Most of the stakeholders we spoke to Risks Exist for agreed that these payment risks exist in Medicaid managed care. Four of these risks relate to the payments state Medicaid agencies make to Managed Care, with MCOs, and two relate to payments that MCOs make to providers. (See Stakeholders Viewing figs. 2 and 3.) Some Risks as Figure 2: Payment Risks Related to State Medicaid Program Payments to Managed Greater than Others Care Organizations (MCO) a Examples of data issues include inaccurate encounter data, MCO reported costs that are not allowable, overpayments that are not adjusted, or data that do not reflect changes in care delivery practices that have affected MCO costs. b Examples of unfulfilled contract requirements may include an MCO not establishing an adequate provider network, reporting inaccurate encounter data for services, or not reporting the amount of overpayments the MCO made to providers. Page 9 GAO-18-528 Medicaid Managed Care Figure 3: Payment Risks Related to Medicaid Managed Care Organization (MCO) Payments to Providers a Incorrect MCO capitation payments may result from false claims submitted by providers, data that do not reflect changes in care delivery practices and related costs, or lack of assurance that providers are delivering all medically necessary services to beneficiaries. In terms of the relative importance of these payment risks, two payment risks were more frequently cited by stakeholders as having a higher level of risk than other types—incorrect MCO fee-for-service payments to providers and inaccurate state capitation rates. The remaining four payment risks were more frequently cited as having lower or unknown levels of risk: improper state capitation payments, state payments to noncompliant MCOs, incorrect MCO capitation payments, and duplicate state payments. (See fig. 4.) When we asked stakeholders to designate a level of risk, stakeholders whose primary responsibility is program integrity—state auditors, MFCU officials, and state Medicaid program integrity staff—were more likely to assign a higher level of risk for certain types of payment risks than state Medicaid managed care officials and MCO officials. (See app. I for additional information on risk level designation by stakeholder group.) Page 10 GAO-18-528 Medicaid Managed Care Figure 4: Stakeholders’ Views of the Level of Risk Associated with Each Type of Medicaid Managed Care Payment Risk Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Some stakeholders occasionally said they did not have enough information to assign a level of risk (“Don’t know”) or that one of the payment risks did not apply in the state (“Not applicable”). Stakeholders provided the following examples of payment risks that they rated as having “some” or “high” risk in the state. (See table 2.) See Page 11 GAO-18-528 Medicaid Managed Care appendix II for further examples of payment risks identified as part of our review of audits and other reports. Table 2: Examples of Types of Payment Risks in Medicaid Managed Care Payment risk Examples cited by stakeholders Incorrect managed care • A Medicaid program integrity official said his state had experienced a range of cases relating to this organization (MCO) fee- payment risk, including in-home care and psychiatric providers who billed MCOs for services they for-service payments did not provide; providers giving excessive prescriptions and drug tests; billing for multiple services when only one was provided; providing services that were not medically necessary. • A Medicaid Fraud Control Unit (MFCU) official in one state noted that MCOs paid providers for certain ineligible services for several years before it became known, and a MFCU official in another state cited MCOs paying people who are not enrolled as Medicaid providers. • A state auditor described a case of a provider who was submitting upcoded bills—billing for more severe illnesses than what existed or for more expensive services than what was provided. Inaccurate state capitation • A Medicaid program integrity official said there was no verification that adjustments were made to rates the capitation rate for potentially fraudulent claims. • A Medicaid managed care official in another state said there were problems with encounter data accuracy that could affect rate-setting. • A MFCU official said there could be an appreciable amount of overpayments “baked into” the state’s capitation rates. • A Medicaid program integrity official in another state noted that it was unclear whether MCOs were reporting overpayments. Improper state capitation • A Medicaid program integrity official said that the state had been unable to access information on payments deceased individuals from the federal government for close to 2 months. • A state auditor said that the state had lost access to a key database, and that one tenth of their beneficiaries may be ineligible. • Another state auditor said that beneficiaries’ eligibility status changed frequently in their Medicaid population, and validating eligibility changes over time was challenging. State payments to • A state auditor explained that while there are lots of reporting requirements for MCOs, the state noncompliant MCO does not always do a good job of reviewing the MCOs’ reports and taking any necessary action. • A MFCU official expressed concern that MCOs were not meeting contract requirements to report fraud, because there were a relatively low number of referrals of possible fraud in managed care compared with referrals in fee-for-service. Incorrect MCO capitation • A state Medicaid managed care official said there was not much the state could do to mitigate this payments risk, because it is dependent on the MCO to monitor providers. • One of the MCO officials said there is some risk of this, because it is very resource intensive for a health plan to audit medical records to confirm that providers are providing needed services. Duplicate state payments • A MFCU official said that providers know this is a payment area they can easily abuse. • A state auditor explained that providers are “creatures of habit” and will continue to bill the state as long as they get paid. In those cases, it is the responsibility of the state agency to check the providers’ claims. Source: GAO analysis of information from interviews with program integrity stakeholders. | GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state MFCU, and a managed care organization. Page 12 GAO-18-528 Medicaid Managed Care We identified six challenges to effective program integrity oversight in Multiple Challenges Medicaid managed care based on our review of Medicaid audit reports Exist for Effective and other sources. Among these six challenges, stakeholders most frequently cited allocation of resources, quality of data and technology, Program Integrity and adequacy of state policies and practices as key challenges. Some Oversight and stakeholders also described strategies to address these challenges. Stakeholders Identified Strategies to Address Them Key Challenges to Through our research on examples of payment risks in Medicaid Oversight Included managed care, we identified six areas that can present challenges to program integrity oversight, including (1) availability and allocation of Resource Allocation, the resources; (2) access to and quality of data and technology; (3) state Quality of Data and policies and practices; (4) provider compliance with program Technology, and the requirements; (5) MCO management of program integrity; and (6) federal Adequacy of State Policies regulations, guidance, and review. Allocation of resources, quality of data and Practices and technology, and state policies and practices were the three most commonly cited challenges to program integrity oversight by stakeholders. (See fig. 5.) Page 13 GAO-18-528 Medicaid Managed Care Figure 5: Frequency of Stakeholder Citing of Six Challenges to Medicaid Managed Care Oversight a These data are out of 228 total responses. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization (MCO). Stakeholders were asked to state whether each challenge was present for each of the six payment risks. Stakeholder responses were not included in the total if the respondent either did not know enough to discuss a particular payment risk (answered “don’t know” for risk level and did not answer questions regarding challenges), or stated that the questions were not applicable for a payment type (answered “N/A” for risk level). Page 14 GAO-18-528 Medicaid Managed Care Stakeholders described the following examples of challenges to program integrity oversight they had observed. See appendix III for more information on the particular challenges for each of the payment risks. Availability and allocation of resources. Stakeholders who cited resource allocation as an oversight challenge to managed care cited several key issues, such as the number of staff allocated to an activity, the expertise needed, and the ability to retain and replace staff. (See table 3.) Some stakeholders identified resource issues within their own organizations, while some identified resource issues they said existed in other organizations. Table 3: Stakeholder Examples of Oversight Challenges Related to Resource Allocation for Medicaid Managed Care Type of resource challenge Examples of challenges cited Funds and staff • A state auditor said the state’s Medicaid applications have grown dramatically in recent years, but resources to determine eligibility have not. • Several stakeholders—including a managed care organization (MCO) official, two state program integrity officials, and two Medicaid Fraud Control Unit (MFCU) officials—noted that some MCOs lack sufficient staff resources to detect incorrect MCO payments to their providers. • A Medicaid managed care official said the state does not have enough staff to review data on deceased and ineligible individuals and therefore they rely on MCOs to do it. Expertise • One state auditor cited the lack of in-house expertise as a challenge. They explained that all expertise with information technology systems has become the purview of contractors, and that very few state employees are able to access the information resulting in extensive delays in identifying deceased and ineligible individuals. Additionally, even though the state relies on MCO encounter data in setting capitation rates, there are no staff at the state level with sufficient knowledge to look at the data without the use of consultants. • A Medicaid managed care official noted that they have been unable to fill several budgeted vacancies in the actuarial division, because the state has not found people with the right expertise. Retaining and • A state auditor said that the state was not timely in identifying risks of paying for ineligible or deceased replacing staff beneficiaries, because of personnel turnover and difficulty in filling vacancies in the eligibility determination and oversight and monitoring units. • A Medicaid managed care official said that, given the state pay scale, it has been hard to recruit staff with clinical training. Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state MFCU, and a managed care organization. Page 15 GAO-18-528 Medicaid Managed Care Access to and quality of data and technology. Stakeholders who cited the quality of data and technology as oversight challenges to managed care provided examples related to timely access to data, inaccurate and unreliable data, and problems with information systems and interfaces. (See table 4.) Table 4: Stakeholder Examples of Oversight Challenges Related to Data and Technology for Medicaid Managed Care Type of data and technology challenge Examples of challenges cited Access to data • Stakeholders in three states reported challenges in getting access to federal data on deceased individuals. • A Medicaid program integrity official said they could not access the state’s death records due to lack of agreement within the state over departmental responsibilities. Encounter data • Two Medicaid program integrity officials said they have had problems getting accurate and complete accuracy and encounter data from managed care organizations (MCO). reliability • A Medicaid managed care official said there were problems with the quality of data received from MCOs for providers of non-traditional services, such as transportation to medical appointments. • One Medicaid Fraud Control Unit (MFCU) official explained that MCOs report data in different formats, and another MFCU said that the data MCOs report to the state agency are not consistent with the data the MCOs provided to the MFCU. • An MCO official said that the state’s algorithm for calculating capitation rates did not incorporate all of the encounter data they submitted to the state, potentially affecting the accuracy of the rates in covering medical costs. Information systems • A Medicaid program integrity official said the state did not have a way to determine whether an individual is enrolled in more than one plan. • A state auditor reported problems with the interface between the state’s eligibility and claims processing systems, which affected their ability to ensure they were not paying for deceased individuals. • A MFCU official said that the risk of the state making duplicate payments is related to the lack of interface between eligibility and claims payment systems. Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state MFCU, and a managed care organization. Page 16 GAO-18-528 Medicaid Managed Care State policies and practices. Stakeholders who cited state policies and practices as an oversight challenge to managed care described insufficient contract requirements, lack of state monitoring, and problems with state oversight. (See table 5.) Stakeholders from the state program integrity office, the MFCU, and the state auditor’s office more frequently identified state policies and practices as a challenge than stakeholders from the state Medicaid managed care agency. Table 5: Stakeholder Examples of Oversight Challenges Related to State Policies and Practices for Medicaid Managed Care Type of state policy and practice challenge Examples of challenges cited State MCO contracts • A Medicaid Fraud Control Unit (MFCU) official noted a lack of fraud referrals from managed care and guidance organizations (MCO) and said this could be related to a lack of effective contract provisions related to MCO identification of overpayments. • A state managed care official said that MCOs reported minimal information to the state, because the state did not provide guidelines or a template of reporting requirements. • A state auditor said there is nothing in the contract about recovering capitation payments from MCOs for ineligible individuals. • MCO officials from two states said that with respect to inaccurate payments to providers, there has been a lack of consistent guidance from the state about what services are covered and what are not covered. Monitoring • Multiple stakeholders noted the lack of state efforts to monitor important information related to payment risks. For example, a state auditor said no one was validating the accuracy of MCO beneficiary eligibility. A Medicaid program integrity official said that no one in the state was monitoring whether overpayments were being reported by MCOs or if adjustments for overpayments are made in setting capitation rates. A state auditor conducted multiple audits that showed that the state was not checking claims and was making fee-for-service payments to providers for services that should be covered by the MCOs. • An MCO official said that because of state delays in reviewing beneficiary eligibility, the utilization data used by the state to set capitation rates reflected a different beneficiary population than was ultimately enrolled in the program. Oversight • A state auditor said that sanctions were used very infrequently, and even if the contract allowed for a penalty, the state did not exercise the right to enforce it. • An MCO official said that because the state does not get back to the MCO about reported cases of potential fraud in a timely manner, it becomes difficult not to pay the provider. Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state MFCU, and a managed care organization. MCO management of program integrity. Stakeholders who cited MCO management as an oversight challenge to managed care described how inadequate MCO oversight and monitoring—as well as incomplete MCO reporting to the state agency—can increase the risk of different types of payment risks. (See table 6.) Stakeholders from the state Medicaid Page 17 GAO-18-528 Medicaid Managed Care managed care agency, the state program integrity office, and the MFCU were more likely than MCO stakeholders to cite these issues as challenges. In particular, a few state officials noted that there was variation in size and resources among the MCOs in their respective states. Table 6: Stakeholder Examples of Oversight Challenges Related to Managed Care Organization (MCO) Management Type of MCO management challenge Examples of challenges Oversight and • An MCO official said smaller MCOs in the state do not do as good a job in oversight of certain monitoring subcontracted partners—such as dental care organizations—as other MCOs, and this may negatively affect other MCOs ability to oversee these organizations. • A Medicaid Fraud Control Unit (MFCU) official said MCOs in the state needed to do a better job of communicating state regulations to providers, and of monitoring provider claims. Reporting to the state • A Medicaid program integrity official said that MCOs do not investigate the accuracy of provider claims agency or report updated claims to the state, and therefore needed adjustments are not made to the capitation rate. • Two MFCU officials and a Medicaid managed care official said that MCOs do not report overpayments, because they want to maintain good relationships with providers. One explained that MCOs are under pressure to maintain an adequate network, so they will address problems internally rather than report and lose a provider who fills a key clinical need. Another official said that MCOs seek to avoid creating “provider abrasion.” The third said that MCOs may be likely to determine that a provider should be educated rather than referred for prosecution.a • Four officials said that MCOs lack financial incentives to identify and report inaccurate payments. A state auditor said that MCOs do not have an incentive to report inaccurate payments, because they get higher payments. A MFCU official said that MCOs in the state did not have the incentive to refer providers for prosecution, because they may not recover the money that is overpaid. Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state MFCU, and a managed care organization. a ”Provider abrasion” is a term used in the health care industry to refer to cases where providers express frustration due to delayed or rejected claims payments, or what they view as excessive oversight. Provider compliance with program requirements. Stakeholders who cited provider compliance as a challenge to oversight indicated that providers are the primary source of inaccurate payments, because of improper billing, which may include fraudulent billing. These stakeholders also stated that some types of providers presented a higher risk than others in their state. Several stakeholders pointed out that certain providers intentionally commit fraud, while others may be unaware of changes in policies or procedures and therefore unintentionally submit inaccurate claims. Several stakeholders noted that it is the responsibility Page 18 GAO-18-528 Medicaid Managed Care of providers to bill correctly, while a few others pointed out that because the payment process is complicated, MCOs and state agencies may not identify inaccurate payments. Stakeholders also selected from a list of 19 types of providers the 3 or 4 that in their view represented the highest payment risks in the state. The two most frequently mentioned health care providers or services were (1) durable medical equipment, and (2) psychiatric and behavioral health care providers. (See table 7.) Table 7: Health Care Providers and Services Most Frequently Identified by Stakeholders as Having the Highest Risk for Payment Error in Medicaid Managed Care Number of times identified as among the top four providers or services at risk for Type of provider or service payment errora Durable medical equipment 19 Psychiatric and behavioral health care 19 (including both mental illness and substance abuse Prescription drugs 13 Laboratory, x-ray, and imaging 12 Personal care or support 11 Pharmacy 10 Home health 9 Long term care services and supports in 8 the home and community generally Primary care physicians and related 8 licensed practitioners Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. a Forty-three of 49 stakeholders answered this question, while the remaining 6 stakeholders said that they did not have enough information to make this determination. Other providers and services that four, five, or six stakeholders identified as presenting high risks included dental and other oral surgery services, inpatient hospitals, transportation and other accommodations, and long term care institutions, such as nursing homes and intermediate care facilities. Federal regulations, guidance, and review. Over half of the stakeholders who identified federal regulations, guidance, and review as oversight challenges to managed care cited the complexity of federal regulations and the lack of federal guidance as key issues. For example, one stakeholder said that there needed to be more clarity about the new regulations for setting capitation rates for MCOs, while another said that there was a lack of clarity about the respective roles of states and MCOs Page 19 GAO-18-528 Medicaid Managed Care in program integrity oversight. One stakeholder noted that most of the responsibility for operating the Medicaid program lies with the state, not with the federal government. Strategies Identified by Some stakeholders we interviewed identified strategies, controls, or best Stakeholders to Address practices to address the challenges to oversight of Medicaid managed care payment risks. As shown in table 8, they identified a variety of Managed Care Oversight strategies such as ensuring high quality data, collaboration among state Challenges Included agencies and MCOs, imposing sanctions on noncompliant MCOs, Ensuring High Quality enhancing contract requirements, and conducting regular monitoring. Data and Collaboration among State Agencies and MCOs Table 8: Strategies Identified by Stakeholders to Address Selected Medicaid Managed Care Payment Risks Strategy Examples Payment risks addressed Ensure high quality Conduct editing of encounter data sent by managed care organizations Inaccurate state capitation and useful data (MCO) to determine if it can be accepted. In one state, if too many rates through automated encounters are rejected, all of the data are sent back to the MCO. edit checks Implement a system edit that automatically recoups payments after an Improper state capitation individual has unenrolled. payments Implement edits in claims processing systems to prevent claims that Duplicate state payments should be covered by MCOs from being paid by the state through fee- for-service. Facilitate collaboration Collaboration among stakeholders to more easily identify common State payments to non- between state fraud schemes. Because each stakeholder may have limited data and a compliant MCOs agencies and MCOs narrowly defined role in the process, collaboration allows the Incorrect MCO fee-for-service stakeholders to share their data to more efficiently catch and prosecute payments fraudulent behavior. Meet with MCOs on a monthly or quarterly basis to facilitate in the State payments to reporting of information required by the contract. In one state, these noncompliant MCOs meetings lead to clarification of contract language. Regularly audit plans Conduct annual audits of plans’ quality performance, and review Incorrect MCO capitation and providers utilization against state and national averages in order to identify payments potential underutilization patterns. An MCO official reported that the MCO audited its capitated provider networks. Enhance contract Require MCOs to provide a daily electronic eligibility file to the state, Improper state capitation requirements and to inform the state if the MCO is aware that an enrollee’s eligibility payments should be terminated due to death or ineligibility. Regularly assess and Employ a risk assessment process to continually set priorities on where Improper state capitation prioritize resource to use staff and other resources. The official described this as an effort payments allocation to manage resource limitations. Page 20 GAO-18-528 Medicaid Managed Care Strategy Examples Payment risks addressed Regularly monitor Regularly monitor capitated networks for under- and over-utilization, Incorrect MCO capitation health care providers including review of utilization for common services and comparing them payments to state and national averages. Target reporting needs Require MCOs to submit on a quarterly basis the number of complaints, Incorrect MCO fee-for-service referrals, or inquiries that they’ve received, as well as overpayments payments identified, and providers that the MCO has unenrolled. Provide focused Educate MCOs and providers about what fraud, waste, and abuse are, Incorrect MCO fee-for-service education as well as benefit policies and coverage. payments Actively employ In one state, 95 percent of encounters must be submitted within a Inaccurate state capitation sanctions certain time frame to avoid sanction by the state, which allows the state rates time to review the data. Source: GAO analysis of information from interviews with program integrity stakeholders. I GAO-18-528 Note: We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. CMS has taken important steps to address payment risks in Medicaid CMS Has Assisted managed care, issuing a final rule, increasing guidance, and conducting States in Addressing oversight activities. However, some efforts are incomplete, and there are gaps in key oversight activities. Payment Risks, but Some Efforts Have Been Delayed and There Are Gaps in Oversight Page 21 GAO-18-528 Medicaid Managed Care CMS Issued a Final Rule, In May 2016, CMS issued a final rule on Medicaid managed care. Provided Additional According to CMS, the rule is intended to enhance regulatory provisions related to program integrity and payment risks, among other things. 11 Guidance, and Updated These regulatory provisions varied in terms of when the requirements Certain Oversight were applicable. For example, for contracts beginning on or after July 1, Activities Related to 2017, the rule requires Managed Care Program Integrity • state contracts with MCOs to require MCOs to promptly report all overpayments made to providers, and to specify the overpayments due to potential fraud; 12 • states to account for overpayments when setting capitation payment amounts; 13 and • states to establish procedures and quality assurance protocols to ensure that MCOs submit encounter data that is complete and accurate. 14 These requirements have the potential to enhance MCO and state oversight of managed care, and address payment risks involving incorrect MCO payments to providers and inaccurate state capitation rates for MCOs. CMS is currently reviewing the rule for possible revision of its requirements and an announcement on the results of the review is expected in 2018. 15 Most stakeholders we spoke to identified ways in which the managed care rule could have a positive impact on managed care program integrity 11 The rule was issued to strengthen actuarial soundness payment provisions to promote accountability of Medicaid managed care program rates, promote the quality of care and strengthen efforts to reform delivery systems, and ensure beneficiary protections, in addition to enhancing policies related to program integrity. A number of the provisions of the rule were applicable for state contracts with MCOs for rating periods starting on or after July 1, 2017, while some were scheduled to take effect for later rating periods. 12 See 42 C.F.R. § 438.608(a)(2) (2017). 13 See 42 C.F.R. § 438.608(d)(4) (2017). 14 See 42 C.F.R. §§ 438.242(d), 438.818(a)(2). 15 CMS indicated it will issue a Notice of Proposed Rulemaking in 2018 to streamline Medicaid managed care regulations and reduce burden. See Department of Health and Human Services, Medicaid and CHIP Managed Care, Spring 2018 Unified Agenda of Federal Regulatory and Deregulatory Actions, (CMS-2480-P), RIN 0938-AT40, accessed May 14, 2018, http://www.reginfo.gov. Page 22 GAO-18-528 Medicaid Managed Care oversight. Of the 49 stakeholders we spoke to, 28 made positive statements about the rule’s potential impact on program integrity oversight of payment risks in managed care, 9 stakeholders said they were not familiar enough with the managed care rule to comment on it, and the remaining 12 stakeholders provided a range of comments about the rule. The 28 stakeholders with positive comments identified a variety of ways in which they said the managed care rule would help, including • reducing improper payments; • establishing transparency in setting state capitation rates; • providing clear guidelines for MCO reporting, and clear authority for states to require reporting; • obtaining information on overpayments identified and collected by MCOs; • holding MCO leadership accountable for meeting program requirements; and • reducing medical costs, despite additional short-term administrative costs. • Comments by the other 12 stakeholders who were familiar with the rule included statements that the rule • should have been more aggressive in requiring MCOs to implement efforts related to program integrity; • would have limited impact for them, because many of its requirements were already in place in their state; and • set time frames for implementation that were hard to meet. Page 23 GAO-18-528 Medicaid Managed Care In addition to issuing the rule, CMS has sought to increase guidance available to states through training, technical assistance, and other educational resources. (See table 9.) Table 9: CMS Steps to Increase Guidance on Oversight of Payment Risks in Medicaid Managed Care Type of guidance CMS steps Training In 2017, the Centers for Medicare & Medicaid Services (CMS) expanded the course offerings of the Medicaid Integrity Institute—a national training program for state program integrity officials—to include courses on vulnerabilities in Medicaid managed care, state enrollment of managed care contracted providers, and how to handle denials and terminations of ineligible providers. CMS officials told us that these courses, as well as other ongoing courses at the institute, cover multiple payment risks in Medicaid managed care through case studies and participant discussion. The Medicaid Fraud and Abuse Technical Advisory Group convened a Managed Care Audits & Overpayments subgroup from July to October 2017 to facilitate exchanges between CMS, the institute, and states on issues states are facing.a Technical assistance CMS officials told us that they have increased the availability of staff to provide technical assistance to states. Key topics that state officials raise with CMS include questions related to (1) overpayments that managed care organizations (MCO) make to providers; and (2) actuarial soundness issues associated with setting capitation rates for MCOs, including how to address overpayments in rate development, among other topics. Other educational In January 2017, the agency issued an information bulletin to facilitate state oversight of certain services for resources children and youth in Medicaid managed care.b In April 2017, CMS issued a toolkit for states to assess whether MCOs have an adequate number of c providers to serve beneficiaries. In June 2017, CMS issued an update to its Medicaid Provider Enrollment Compendium, which helps states ensure that their provider screening and enrollment will exclude ineligible providers and avoid making improper payments, among other things. The update includes guidance on the provider screening requirements for Medicaid managed care network providers.d In September 2017, CMS awarded a contract for the purpose of updating educational materials related to program integrity. CMS officials stated that they expected a shift in focus of educational tools toward managed care. In May 2018, CMS issued guidance about best practices that were identified through the agency’s program integrity reviews. The guidance was issued to states and to the agency’s Regional Information Sharing System. Source: CMS. I GAO-18-528 a The Medicaid Fraud and Abuse Technical Advisory Group has been working with CMS since 1997, and includes state program integrity directors representing every CMS region. The group is divided into workgroups charged with identifying and developing suggestions that can be shared during monthly calls with states, CMS, and the Medicaid Integrity Institute. b Department of Health and Human Services, Centers for Medicare & Medicaid Services, The Early and Periodic Screening, Diagnostic and Treatment (EPSDT) Benefit for Children and Youth in Managed Care, Informational Bulletin, Jan. 5, 2017. c Centers for Medicare & Medicaid Services, Promoting Access in Medicaid and CHIP Managed Care: A Toolkit for Ensuring Provider Network Adequacy and Service Availability, April 2017. d Centers for Medicare & Medicaid Services, Medicaid Provider Enrollment Compendium, updated June 2017. Page 24 GAO-18-528 Medicaid Managed Care Lastly, CMS efforts have included updating the requirements used in capitation rate setting reviews, contract oversight, and other types of audits and reviews, as described below. • Review of state capitation rates for Medicaid MCOs. CMS reviews states’ capitation rates at least once every year, and in 2017 made revisions to its rate review guidance to states, incorporating new requirements from the managed care rule. According to CMS officials, the agency typically conducts between 250 and 300 rate reviews annually to determine whether states’ rate development methodologies meet generally accepted actuarial principles, as well as federal laws and requirements. • Review of state Medicaid MCO contracts. CMS regularly reviews state contracts with MCOs to ensure that contract provisions meet federal requirements. In 2017, CMS updated its criteria for Medicaid managed care contract review and approval, and revised the guide that it provides to states to help them develop effective MCO contracts. 16 • CMS contracted audits. In 2016, CMS began to transition and consolidate audits of providers to a type of contractor called Unified Program Integrity Contractors (UPIC). This transition is intended to integrate contracted audit activities across CMS health care programs, such as Medicaid and Medicare, according to CMS. Additionally, UPIC audits can include health care providers who participate in multiple federal programs. Within the Medicaid program, UPICs may conduct audits with states interested in pursuing what are called “collaborative audits.” CMS’s contract with UPICs allows for audits of providers in MCO networks. 17 • Focused program integrity reviews. CMS officials said that in 2016, the agency updated the review guide used to conduct focused program integrity reviews of state Medicaid managed 16 See Centers for Medicare & Medicaid Services, State Guide to CMS Criteria for Medicaid Managed Care Contract Review and Approval, Jan. 20, 2017. 17 The UPIC statement of work indicates that they shall investigate suspected instances of fraud, waste, and abuse involving providers performing under Medicaid managed care; and maintain an ongoing dialogue with the appropriate personnel of units in managed care organizations, including Medicaid MCOs in their region, as well as coordinate with the state Medicaid agency to develop contacts at the Medicaid MCOs. The managed care rule requires that all state contracts with MCOs provide the state, CMS, and the HHS-OIG with access to any records or documents of the MCO or its subcontractors, and such access supports the ability to conduct such audits. Page 25 GAO-18-528 Medicaid Managed Care care programs. 18 CMS program integrity reviews have identified some common issues, such as a low number of investigations of overpayments conducted by managed care plans and a low amount of recoveries by plans. 19 However, CMS officials stated these reviews are not focused primarily on assessing specific payment risks. For example, these reviews do not involve an actual review or audit of MCO payments to providers to assess the extent that inaccurate payments were made. Instead, they review program integrity policies and processes, such as whether and how the state monitors overpayments, and whether MCOs comply with state requirements. CMS Efforts to Address Despite CMS’s efforts to improve oversight of program integrity in Payment Risks Have Been Medicaid managed care, there have been delays in issuing guidance, and gaps in key auditing and monitoring activities. These delays and gaps are Delayed and Gaps Exist in inconsistent with the agency’s current program integrity plan, which Key Oversight Activities. established goals for improving state oversight of program integrity in Medicaid managed care, as well as the financial accountability of Medicaid MCOs. 20 Delays in the Development and Publication of CMS guidance that would assist states in oversight of Issuance of Guidance payment risks has been delayed. CMS officials told us in April 2017 that they planned to issue a compendium of guidance related to the managed care rule’s program integrity regulations. The compendium is intended to provide guidance on (1) MCO program integrity requirements, (2) state audits of MCO encounter data that must be conducted at least every 3 years, and (3) MCO overpayments to providers. However, in September 2017, CMS officials told us that although they had a draft of the compendium, they did not have a timeline for issuing it, because the managed care rule was under review. As of May 2018, no issuance date 18 CMS officials said that program integrity reviews are conducted to assess the effectiveness of state program integrity efforts, including compliance with federal statutory and regulatory requirements. As we previously reported, in 2014, CMS shifted the emphasis of its reviews from a comprehensive approach to an approach that provided a more “focused review” on high risk areas of concern in each state, including managed care. See GAO-18-291. 19 See GAO, Medicaid Program Integrity: CMS Should Build on Current Oversight Efforts by Further Enhancing Collaboration with States, GAO-17-277 (Washington, D.C.: March 15, 2017). 20 See Department of Health and Human Services, Centers for Medicare & Medicaid Services, Comprehensive Medicaid Integrity Plan, Fiscal Years 2014-2018. Page 26 GAO-18-528 Medicaid Managed Care has been set for the guidance. Over half of the stakeholders we interviewed who identified federal responsibilities as an oversight challenge to managed care cited the complexity of federal regulations and the lack of federal guidance as key issues. The lack of available federal guidance resulting from delays in issuing such guidance is inconsistent with federal internal control standards that call for federal agencies to communicate quality information to those responsible for program implementation for the purposes of achieving program objectives and addressing program risks. 21 Until such guidance is issued, stakeholders’ ability to effectively address challenges to payment risks in Medicaid managed care will continue to be hindered. Gaps in Auditing Although audits of providers that bill and are paid by MCOs can provide important information about payment risks and are included in the UPIC statement of work, only 14 of the 762 audits initiated by CMS contractors during the period of fiscal year 2014 through 2017 were managed care audits. Our review of three CMS contracted managed care audits indicated that the amount of inaccurate MCO payments to providers—as well as MCO and provider noncompliance with contracts—can be significant. For example, one audit of an MCO’s payments to selected providers found that 8.94 percent of payments were in error, representing over $4 million in overpayments for a 6-month period. This audit also identified a lack of provider compliance with requirements to provide preventive care services and care coordination to members, and a lack of MCO compliance with requirements to monitor member enrollment, resulting in the MCO paying providers for individuals who were not enrolled. 22 CMS officials shared plans to increase collaborative audits in managed care in the future. CMS officials said the agency is in the early planning stages to pilot an audit of MCO providers in one state, with the goal of addressing challenges encountered in prior managed care audits. CMS is also in discussions with states and audit contractors to conduct potential audits and investigations in fiscal years 2018 and 2019. 21 See GAO-14-704G, Section 15.03. 22 Among 27 audits and investigations of Medicaid managed care programs we recently reviewed, 10 identified about $68 million in MCO overpayments to providers and other unallowable MCO costs, and 1 investigation resulted in a $137.5 million settlement to resolve allegations of false claims. See GAO-18-291. Page 27 GAO-18-528 Medicaid Managed Care However, CMS and audit contractor officials identified several circumstances related to states’ contracts with MCOs that they said have created gaps in their auditing activity. • According to CMS officials, states have reported a reluctance to conduct provider audits when states’ contracts with MCOs (1) allow the MCO to retain identified overpayments, or (2) do not explicitly discuss how identified overpayments are addressed. • Officials with the two operating UPICs told us that CMS’s general guidance to them was to restrict their audits to states with MCO contracts where the states can recoup overpayments from the MCOs. 23 According to one contractor, because few states have such contracts, the vast majority of the contractors’ audits are of providers paid on a fee-for-service basis. However, overpayments to providers can affect state and federal expenditures regardless of a state’s particular recoupment policy, because if they are not accounted for, they may increase future capitation rates paid to MCOs. 24 • Audit contractor officials also said the lack of access to MCO coverage and policy materials, and the inability to directly access encounter or claims data, prevent them from doing analyses to identify potential provider fraud, abuse, and waste for investigation. While CMS officials said they encourage states to participate in additional collaborative audits of managed care, they did not identify steps the agency is taking to address the circumstances that limit collaborative audits conducted. The lack of sufficient auditing in managed care is inconsistent with federal internal control standards that require federal agencies to identify risks through such activities as auditing. 25 Gaps in Monitoring CMS has incomplete information on the scope and extent of MCO overpayments to providers, which results in a gap in monitoring MCO payments. Gaps in monitoring also exist because CMS lacks a process for consistently collecting information about overpayments and 23 We spoke with the two UPICs that were operational at the time of our study, as well as one of the Medicaid Program Integrity Contractors that conducted audits prior to CMS contracts with UPICs. 24 See GAO-18-291. 25 See GAO-14-704G, Sections 7.02 and 7.04. Page 28 GAO-18-528 Medicaid Managed Care documenting that states account for overpayments when setting capitation rates. A few examples of these issues include the following: • While CMS regularly reviews states’ proposed capitation rates, it lacks a process to consistently ensure any overpayments are accounted for by the states. According to an official with CMS’s Office of the Actuary, their review of state capitation rates does not require documentation of the amount of overpayments that occurred the prior year, how they were determined, or how they were incorporated into setting capitation rates. According to this official, issues between states and MCOs—such as contractual issues related to how overpayments are handled—are beyond the scope of their review and responsibilities. However, such information could be important to program integrity oversight; for example, 11 stakeholders we interviewed said that state capitation rates did not account for overpayments, because they had observed that overpayments were not reported by MCOs, were not monitored by the state, or both. • Although some of CMS’s focused program integrity reviews have suggested that there is under-reporting of MCO overpayments to providers, CMS officials explained that these reviews are intended to assess state compliance with regulations, and not to determine the extent of under-reporting or why overpayments are under- reported. 26 • States’ and CMS’s contracted auditors have conducted only a few collaborative audits in managed care, even though such audits can identify overpayments made by MCOs to providers. These gaps in monitoring of overpayments are inconsistent with federal internal control standards that require federal agencies to monitor operating effectiveness through audits and reviews. 27 Without more complete information on the extent of overpayments and a process to ensure they are accounted for in state capitation rates, CMS is unable to ensure that MCOs are effectively identifying overpayments and documenting that they are accounted for when reviewing and approving state capitation rates. As a result, CMS cannot be sure that states are 26 In focused integrity reviews that CMS conducted in 27 states from 2014 to 2017, the agency found that MCOs in 17 states reported fewer overpayments to their state Medicaid agencies than CMS would expect. 27 See GAO-14-704G, Sections 16.06–16.08. Page 29 GAO-18-528 Medicaid Managed Care holding MCOs financially accountable for making proper payments, that states are paying accurate capitation payments to MCOs, or that the federal government’s share of Medicaid expenditures is accurate. Managed care has the potential to help states reduce Medicaid program Conclusions costs and better manage utilization of health care services. However, oversight of managed care is critical to achieving these goals. Payment risks are not eliminated under managed care; in fact, they are more complex and difficult to oversee. While CMS has taken important steps to improve program integrity in managed care—including strengthening regulations, developing guidance for states on provider enrollment in Medicaid managed care, and beginning to include managed care in the monitoring and auditing process—the efforts remain incomplete, because of delays and limited implementation. To date, CMS has not issued its planned compendium with guidance on program integrity in Medicaid managed care, taken steps to address known factors limiting collaborative audits, or developed a process to help ensure that overpayments to providers are identified by the states. Without taking actions to address these issues, CMS is missing an opportunity to develop more robust program integrity safeguards that will best mitigate payment risks in managed care. We are making the following three recommendations to CMS: Recommendations For Executive Action • The Administrator of CMS should expedite the planned efforts to communicate guidance, such as its compendium on Medicaid managed care program integrity, to state stakeholders related to Medicaid managed care program integrity. (Recommendation 1) • The Administrator of CMS should eliminate impediments to collaborative audits in managed care conducted by audit contractors and states, by ensuring that managed care audits are conducted regardless of which entity—the state or the managed care organization—recoups any identified overpayments. (Recommendation 2) • The Administrator of CMS should require states to report and document the amount of MCO overpayments to providers and how they are accounted for in capitation rate-setting. (Recommendation 3) Page 30 GAO-18-528 Medicaid Managed Care We provided a draft of this product to the Department of Health and Agency Comments Human Services for comment. HHS concurred with these recommendations, stating that it is committed to Medicaid program integrity. HHS also cited examples of activities underway to improve oversight of the Medicaid program, such as training offered through the Medicaid Integrity Institute, and guidance provided in the Medicaid Provider Enrollment Compendium. The full text of HHS’s comments is reproduced in appendix IV. HHS also provided technical comments, which we incorporated as appropriate. We are sending copies of this report to the Secretary of Health and Human Services and the Administrator of CMS. In addition, the report is available at no charge on the GAO website at http://www.gao.gov. If you or your staff members have any questions about this report, please contact me at (202) 512-7114 or at yocomc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff that made key contributions to this report are listed in appendix V. Carolyn L. Yocom Director, Health Care Page 31 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Appendix I: Risk Level Designations by Stakeholder Group Stakeholder Group We asked stakeholders involved in program integrity oversight to assign a level of risk—either low, some, or high—to six types of payment risks in Medicaid managed care. 1 We interviewed officials in the following five organizations in each of 10 states: state Medicaid managed care office, state program integrity unit, Medicaid Fraud Control Unit (MFCU), state auditor’s office, and a managed care organization (MCO). 2 (See table 1 for a description of each of these entities.) Figures 6 through 9 below illustrate the risk level stakeholders assigned to the four types of payment risk that are associated with states’ periodic capitation payments to MCOs. Figures 10 and 11 illustrate the risk level stakeholders assigned the two types of payment risks associated with MCO payments to providers. In some cases, stakeholders said they did not have enough information to assign a level of risk (“Don’t know”) or that one of the payment risks did not apply in their state (“Not applicable”). For some payment risks, the stakeholders whose primary responsibility is program integrity—state auditors, MFCU officials, and state Medicaid program integrity staff—were more likely to assign a higher level of risk than state Medicaid managed care officials and MCO officials who have responsibilities both for program operation and program integrity. For example, some of the risk levels cited in our interviews by state auditors, MFCU officials, and state Medicaid program integrity staff included the following: • State auditors most frequently cited improper state capitation payments as high risk in the state. • Three state auditors identified duplicate state payments as high risk. 1 The six payment risks are (1) improper state capitation payments to MCOs for ineligible or deceased individuals; (2) inaccurate state capitation rate; (3) state payments to MCOs that have not fulfilled contract requirements; (4) state duplicate payment to MCOs and providers; (5) incorrect MCO fee-for-service payments to providers for improper claims, which may include fraudulent claims; and (6) incorrect MCO capitation payments to providers that have not complied with program requirements. 2 We interviewed a total of 49 stakeholders. One state auditor declined to participate. Selected states included California, Florida, Georgia, Hawaii, Massachusetts, Michigan, Nevada, Oregon, Tennessee, and Wisconsin. We selected states that had a significant share of their Medicaid populations enrolled in MCOs and to provide a mix of population sizes and geographic locations. Page 32 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group • Just over half of all state auditors, MFCU officials, and state Medicaid program integrity staff identified inaccurate state capitation rates as some or high risk. In contrast, state Medicaid managed care officials and MCO officials were less likely to assign high risk to payment types. Some examples include the following: • No state Medicaid managed care officials cited a high level of risk for any of the six payment types. • Two MCO officials cited a high level of risk for incorrect MCO fee- for-service payments. No other MCO officials cited a high level of risk for any of the other payment types. Stakeholder views on the risk level of different payment risks are outlined in the figures that follow. Improper state capitation payments may occur when the state makes monthly capitation payments to an MCO for beneficiaries who are ineligible for or not enrolled in Medicaid, or who have died. (See fig. 6.) Page 33 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group Figure 6: Stakeholders’ Views on the Level of Risk for Improper State Capitation Payments for Medicaid Managed Care Notes: Improper state capitation payments may occur when the state makes monthly capitation payments to a managed care organization for beneficiaries who are ineligible for or not enrolled in Medicaid, or who have died. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Inaccurate state capitation rates occur when a state established a capitation rate that is inaccurate primarily due to issues with the data used to set the rates. Data issues could include inaccurate encounter data, unallowable costs, overpayments that are not adjusted for in the Page 34 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group rate, or older data that do not reflect changes in care delivery practices that affect MCO costs. (See fig. 7.) Figure 7: Stakeholders’ Views on the Level of Risk for Inaccurate State Capitation Rates for Medicaid Managed Care Notes: Inaccurate state capitation rates occur when a state sets a capitation rate that is inaccurate, primarily due to issues with the data used to set the rates. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. State payments to noncompliant MCOs occur when a state pays MCOs a periodic capitation per beneficiary even though the MCO has not fulfilled state contract requirements. Examples of unfulfilled contract requirements Page 35 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group include an MCO failing to establish an adequate provider network, reporting inaccurate encounter data for services, or failing to report the amount of overpayments the MCO has made to providers. (See fig. 8.) Figure 8: Stakeholders’ Views on the Level of Risk for State Payments to Noncompliant Medicaid Managed Care Organizations (MCO) Notes: State payments to noncompliant MCOs occur when a state pays MCOs a monthly capitation per beneficiary even though the MCO has not fulfilled state contract requirements. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Page 36 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group Duplicate state payments to an MCO occur when a health care provider submits a fee-for-service claim to the state Medicaid program for services that were covered under the MCO contract. (See fig. 9.) Figure 9: Stakeholders’ Views of the Level of Risk for Duplicate State Payments for Medicaid Managed Care Notes: Duplicate state payments to a managed care organization (MCO) occur when a health care provider submits a fee-for-service claim to the state Medicaid program for services that were covered under the MCO contract. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and an MCO. Page 37 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group Incorrect MCO fee-for-service payments occur when the MCO pays providers for improper claims, such as claims for services (1) not provided, or provided by ineligible providers; or (2) that represent inappropriate billing, such as billing individually for bundled services or for a higher intensity of services than needed. (See fig. 10.) Figure 10: Stakeholders’ Views of the Level of Risk for Incorrect Medicaid Managed Care Organization (MCO) Fee-for-Service Payments Notes: Incorrect MCO fee-for-service payments occur when the MCO pays providers for improper claims, such as claims for services not provided appropriately or that represent inappropriate billing. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Page 38 GAO-18-528 Medicaid Managed Care Appendix I: Risk Level Designations by Stakeholder Group Incorrect MCO capitation payments occur when MCOs pay providers a periodic fixed payment without assurances they have provided needed services. (See fig. 11.) Figure 11: Stakeholders’ Views of the Level of Risk for Incorrect Medicaid Managed Care Organizations (MCO) Capitation Payments Notes: Incorrect MCO capitation payments occur when MCOs pay providers a periodic fixed payment without assurances they have provided needed services. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Page 39 GAO-18-528 Medicaid Managed Care Appendix II: Examples of Different Types of Appendix II: Examples of Different Types of Payment Risks in Medicaid Managed Care Payment Risks in Medicaid Managed Care To identify examples of payment risks in Medicaid managed care, we reviewed Department of Health and Human Services’ (HHS) Office of Inspector General (HHS-OIG) publications and our prior work; obtained input from the National State Auditor’s Association; and conducted literature searches and key word searches of online databases, which identified additional state audits and investigations involving Medicaid managed care payment. We grouped these examples of payment risks into six broad categories or types based on similar key characteristics. Tables 10 through 15 provide examples of each of the six types of payment risks we identified: (1) improper state capitation payments, which are state capitation payments to MCOs for ineligible or deceased individuals; (2) inaccurate state capitation rates; (3) state payments to non-compliant managed care organizations (MCO); (4) duplicate state payments to MCOs and providers; (5) incorrect MCO fee-for-service payments to providers; and (6) incorrect MCO capitation payments to providers that have not complied with program requirements. Table 10: Examples of Improper State Capitation Payments for Medicaid Managed Care State Finding Report or source (descending order by date) Louisiana The Louisiana Legislative Auditor found that the state Department Louisiana Legislative Auditor. of Health paid $637,745 in improper capitation payments to Medicaid Audit Unit: Improper Payments for managed care organizations (MCO) for 203 deceased Medicaid Deceased Medicaid Recipients. Louisiana recipients over a 4-year period. Department of Health. November 29, 2017. Texas The Department of Health and Human Services, Office of the HHS-OIG. Texas Managed Care Organizations Inspector General (HHS-OIG) found that Texas Medicaid paid Received Medicaid Capitation Payments After $6.4 million for 8,496 capitation payments from 2013 through 2015 Beneficiary’s Death. Report A-06-16-05004. for beneficiaries with death dates reported as prior to this period. November 2017. New York The New York State Comptroller found that the state Medicaid New York State Office of the State Comptroller. agency made $72.6 million in capitated payments for disenrolled Inappropriate Premium Payments for Recipients and deceased individuals. No Longer Enrolled in Mainstream Managed Care and Family Health Plus. Report 2015-S-47. Albany, N.Y. July 2017. Florida HHS-OIG found that the Florida Medicaid agency paid an HHS-OIG. Florida Managed Care Organizations estimated $26 million over 5 years, from 2009 through 2014, to Received Medicaid Capitation Payments After Medicaid MCOs for coverage of people who had already died. Beneficiary’s Death. Report A-04-15-06182. November 2016. Arizona The State of Arizona Auditor General estimated that its Medicaid State of Arizona Office of the Auditor General. program was paying between approximately $3.5 and $4.8 million Medicaid Applicants Must Be Approved Through in monthly capitation payments for enrolled, but ineligible Eligibility Determination Process. Report No. 12- members. 02. June 2012. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: Improper state capitation payments occur when the state makes monthly capitation payments to an MCO for beneficiaries who are ineligible for Medicaid, not enrolled in Medicaid, or who have died. Page 40 GAO-18-528 Medicaid Managed Care Appendix II: Examples of Different Types of Payment Risks in Medicaid Managed Care Table 11: Examples of Inaccurate State Capitation Rates for Medicaid Managed Care State Finding Report or source (descending order by date) Virginia The Virginia Joint Legislative Audit and Review Commission Commonwealth of Virginia Joint Legislative found that the state has paid managed care organizations Audit and Review Commission. Managing (MCO) for potentially avoidable health care services, and Spending in Virginia’s Medicaid Program. could have saved up to $36 million annually if it had reduced December 2016. capitation rates for inefficient health care spending. New York The New York State Comptroller found that an MCO claimed New York State Office of the State Comptroller. over $260,000 in unallowable administrative expenses, which Mainstream Managed Care Organizations – contributed to an increase in capitation rates across the Administrative Costs Used in Premium Rate state. In addition, the Department of Health overpaid more Setting. Report 2014-S-55. Albany, N.Y. than $18.9 million in premiums to MCOs, because it October 2016. improperly included certain unallowable costs in calculating premiums. Rhode Island The Rhode Island Office of the Auditor General found that Office of the Auditor General, State of Rhode Medicaid managed care organizations were overpaid more Island and Providence Plantations. Single Audit than $200 million due to overstated capitation rates for the Report Fiscal Year Ended June 30, 2015. Medicaid expansion population. March 2016. Washington The Washington State Auditor’s Office found that two MCOs Washington State Auditor. Performance Audit: made $17.5 million in overpayments to providers in 2010. Health Care Authority’s Oversight of the The auditor estimated that for every $1 million in Medicaid Managed Care Program. Audit No. overpayments in 2010, the state Medicaid agency potentially 1011450. April 14, 2014. paid an estimated additional $1.26 million in capitated payments to all MCOs statewide in 2013, because 2010 expenditures that included the overpayments were used to calculate premium rates for 2013. Multiple states The Department of Justice alleged that an MCO submitted United States Department of Justice. Florida- inflated expenditure information to the state Medicaid Based Wellcare Health Plans Agrees to Pay agencies in nine states. The MCO agreed to pay over $137.5 $137.5 Million to Resolve False Claims Act million in a settlement with the nine states and the federal Allegations. Washington, D.C. April 3, 2012. government to resolve these claims. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: Inaccurate state capitation rates occur when a state established a capitation rate that is inaccurate, primarily due to issues with the data used to set the rates. Data issues could include inaccurate encounter data, unallowable costs, overpayments that are not adjusted for in the rate, or older data that do not reflect changes in care delivery practices that affect MCO costs. Page 41 GAO-18-528 Medicaid Managed Care Appendix II: Examples of Different Types of Payment Risks in Medicaid Managed Care Table 12: Examples of State Payments to Noncompliant Medicaid Managed Care Organizations (MCO) State Finding Report or source (descending order by date) Texas The Texas State Auditor found that an MCO reported payments Texas State Auditor. An Audit Report on The in its financial statistical report that were not allowed under its Health and Human Services Commission’s contract, and also that the Texas Health and Human Services Management of its Medicaid Managed Care Commission did not ensure that its own business practices and Contract with Superior HealthPlan, Inc. and oversight of MCOs aligned with the managed care contract. Superior HealthPlan Network, and Superior’s Compliance with Reporting Requirements. Report No. 18-015. Austin, Tex. January 2018. Oregon The State of Oregon Audits Division found that while MCOs State of Oregon Audits Division. Oregon Health were required to develop policies and procedures for detecting Authority Should Improve Efforts to Detect and fraud, waste, and abuse, some MCO policies lacked sufficient Prevent Improper Medicaid Payments. Report detail and some MCOs appeared to perform only limited 2017 – 25. Salem, Ore. November 2017. activities to detect improper payments. Texas The Texas State Auditor found that an MCO reported $3.8 Texas State Auditor. An Audit Report on million in unallowable expenses for advertising, company HealthSpring Life and Health Insurance events, gifts, and stock options; and an additional $34 million in Company, Inc., a Medicaid STAR+PLUS other questionable costs in 2015. Further, the MCO did not Managed Care Organization. Report No. 17- prepare required certifications and personnel activity reports, or 025. Austin, Tex. February 2017. adequately document financial reports, as required by the state’s Uniform Managed Care Manual. California The California State Auditor found that the California California State Auditor. California Department Department of Health Care Services did not verify that the of Health Care Services: Improved Monitoring provider network data it received from the MCOs were accurate. of Medi-Cal Managed Care Health Plans is The Medi-Cal managed care contract requires MCOs to Necessary to Better Ensure Access to Care. maintain a network of primary care providers that meets certain Report 2014-134. June 2015. location requirements. However, the auditor’s review of the provider directories of three MCOs found inaccuracies, including providers no longer participating in the network. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: State payments to noncompliant MCOs occur when a state pays MCOs a periodic capitation per beneficiary even though the MCO has not fulfilled state contract requirements. Examples of unfulfilled contract requirements include an MCO failing to establish an adequate provider network, reporting inaccurate encounter data for services, or failing to report the amount of overpayments the MCO has made to providers. Page 42 GAO-18-528 Medicaid Managed Care Appendix II: Examples of Different Types of Payment Risks in Medicaid Managed Care Table 13: Examples of Duplicate State Payments for Medicaid Managed Care State Finding Report or source (descending order by date) Oregon The State of Oregon Audits Division found that the state State of Oregon Audits Division. Oregon Health Medicaid agency could not provide an inventory of carve- Authority Should Improve Efforts to Detect and out services not covered by managed care organizations Prevent Improper Medicaid Payments. Report (MCO). Without such an inventory, the division found that it 2017 – 25. Salem, Ore. November 2017. is difficult to detect or prevent potential duplicate payments to MCOs and to fee-for-service providers. The Audits Division analyzed both fee-for-service payments and capitated payments to MCOs and found 31,300 potential duplicate payments for a 15 month period. Massachusetts The Massachusetts state auditor identified $193 million in Commonwealth of Massachusetts Office of the improper payments, mostly duplicate payments, for State Auditor. Office of Medicaid (MassHealth) – behavioral health services that resulted from problems with Review of Fee-for-Service Payments for Services MassHealth’s system for identifying which claims it should Covered by the Massachusetts Behavioral Health cover in its fee-for-service program and which claims Partnership for the Period July 1, 2010 through should be covered through its capitated contract with a June 30, 2015. Official Auditor Report. April 3, behavioral health services MCO. 2017. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: Duplicate state payments to an MCO occur when a health care provider submits a fee-for- service claim to the state Medicaid program for services that were covered under the MCO contract. Table 14: Examples of Incorrect Medicaid Managed Care Organization Fee-for-Service Payments State Finding Report or source (descending order by date) Louisiana The Louisiana Legislative Auditor found that managed care Louisiana Legislative Auditor. Medicaid Audit organizations (MCO) paid $2.4 million for 157,232 laboratory Unit. Improper Payments in the Medicaid claims where the provider did not have the appropriate Laboratory Program. Louisiana Department of certification to provide the level of service provided. Health. Baton Rouge, La. September 6, 2017. New Jersey The New Jersey Attorney General reported that a medical State of New Jersey Office of the Attorney supply provider pleaded guilty to submitting $100,000 in General. Owner of Hudson County Medical fraudulent claims to a MCO for durable medical equipment Equipment Supply Store Pleads Guilty To that was never distributed. $100,000 from Medicaid Fraud Scam. Trenton, N.J. August 21, 2017. West Virginia The Department of Justice found that a West Virginia MCO Department of Justice. Enforcement Actions. and state Medicaid program made over $700,000 in U.S. Attorney; Southern District of West Virginia: payments to a dentist who submitted exaggerated claims, Charleston. Charleston Dentist Pleads Guilty to claims for services not provided, and duplicate claims for a Health Care Fraud. Charleston, W.Va.: August single procedure. 21, 2017. New York The New York State Comptroller found that two MCOs made New York State Office of the State Comptroller. more than $6.6 million in payments to excluded and Medicaid Managed Care Organization Fraud and deceased providers, including almost $60,000 in payments Abuse Detection. Report 2014-S-51. Albany, to pharmacies for medications prescribed by deceased N.Y. July 15, 2016. providers. Page 43 GAO-18-528 Medicaid Managed Care Appendix II: Examples of Different Types of Payment Risks in Medicaid Managed Care State Finding Report or source (descending order by date) Texas The Department of Justice found that the Texas Medicaid Department of Justice. U.S. Attorney, Northern agency and MCOs made payments to two individuals who District of Texas. Ellis County Woman Sentenced were not licensed to provide psychotherapy services and to 105 Months in Federal Prison for Defrauding who submitted $7.1 million in false claims. Medicaid. Dallas, Tex. April 8, 2016. Multiple states The Department of Health and Human Services’ Office of HHS-OIG. Medicaid Managed Care: Fraud and Inspector General (HHS-OIG) found, in interviewing state Abuse Concerns Remain Despite Safeguards. officials in 13 states, that these officials expressed concerns OEI-01-09-00550. December 2011. about provider and beneficiary fraud and abuse including rendering services that are not medically necessary and upcoding by providers. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: Incorrect MCO fee-for-service payments occur when the MCO pays providers for improper claims, such as claims for services (1) not provided, or provided by ineligible providers; or (2) that represent inappropriate billing, such as billing individually for bundled services or for a higher intensity of services than needed. Table 15: Example of Incorrect Medicaid Managed Care Organization Capitation Payments State Finding Report or Source (descending order by date) California The California Department of Health Care Services, in response State of California Health and Human Services to a whistleblower complaint within a utilization management Agency. Department of Health Care Services. company that subcontracted to managed care organizations SynerMed Corrective Action Plan. November 17, (MCO), found that Medicaid beneficiaries were in imminent 2017. danger of not receiving medically necessary health care services, because the company was not processing requests for health care services on a timely basis. Source: GAO analysis of audit and other reports. I GAO-18-528 Note: Incorrect MCO capitation payments occur when MCOs pay providers without assurances they have provided needed services. Page 44 GAO-18-528 Medicaid Managed Care Appendix III: Challenges to Effective Appendix III: Challenges to Effective Program Integrity Oversight in Medicaid Managed Care Program Integrity Oversight in Medicaid Managed Care We asked 49 stakeholders involved in program integrity oversight to consider the following six challenges to effective program integrity oversight: (1) availability and allocation of resources; (2) access to and quality of data and technology; (3) state policies and practices; (4) provider compliance with program requirements; (5) managed care organization (MCO) management of program integrity; and (6) federal regulations, guidance, and review. 1 Stakeholders were asked whether any of these presented a challenge to each of six types of payment risks in Medicaid managed care in their state, including (1) improper state capitation payments to MCOs for ineligible or deceased individuals; (2) inaccurate state capitation rates; (3) state payments to MCOs that have not fulfilled contract requirements; (4) state duplicate payments to MCOs and providers; (5) incorrect MCO fee-for-service payments to providers for improper claims; and (6) incorrect MCO capitation payments to providers that have not complied with program requirements. Figure 12 illustrates the number of times stakeholders cited a particular challenge for each of the payment risks. The frequency with which each of the challenges was identified differed to some extent for different payment risks. Some examples include the following: • Quality of data and technology was the most cited challenge for duplicate state payments. • State policies and practices was the most cited challenge for inaccurate state capitation rates. • Provider compliance with program requirements was the most cited challenge for two payment types: (1) incorrect MCO fee-for- service payments to providers, and (2) incorrect MCO capitation payments to providers. • Resource allocation was the second most cited challenge for five of the six payment risk types, although it was not the most cited challenge for any one payment risk type. 1 We interviewed 49 officials, including officials in the following five organizations in 10 states: state Medicaid managed care office, state program integrity unit, Medicaid Fraud control Unit, state auditor’s office, and a managed care organization. Selected states included California, Florida, Georgia, Hawaii, Massachusetts, Michigan, Nevada, Oregon, Tennessee, and Wisconsin. Page 45 GAO-18-528 Medicaid Managed Care Appendix III: Challenges to Effective Program Integrity Oversight in Medicaid Managed Care Figure 12: Number of Times Stakeholders Cited Each Challenge to Medicaid Managed Care Program Integrity Oversight, by Payment Risk Page 46 GAO-18-528 Medicaid Managed Care Appendix III: Challenges to Effective Program Integrity Oversight in Medicaid Managed Care Notes: Payment risks are described here. Improper state capitation payments occur when the state makes periodic capitation payments to an MCO for beneficiaries who are ineligible for or not enrolled in Medicaid, or who have died. Inaccurate state capitation rates occur when a state sets a capitation rate that is inaccurate, primarily due to issues with the data used to set the rates. State payments to noncompliant MCOs occur when a state pays MCOs a periodic capitation per beneficiary even though the MCO has not fulfilled state contract requirements. Duplicate state payments to an MCO occur when a health care provider submits a fee-for-service claim to the state Medicaid program for services that were covered under the MCO contract. Incorrect MCO fee-for-service payments occur when the MCO pays providers for improper claims, such as claims for services not provided appropriately or that represent inappropriate billing. Incorrect MCO capitation payments occur when MCOs pay providers without assurances they have provided needed services. We interviewed 49 stakeholders in 10 states, including the state Medicaid managed care office, the state Medicaid program integrity unit, the state auditor, the state Medicaid Fraud Control Unit, and a managed care organization. Page 47 GAO-18-528 Medicaid Managed Care Appendix IV: Comments from the Appendix IV: Comments from the Department of Health and Human Services Department of Health and Human Services Page 48 GAO-18-528 Medicaid Managed Care Appendix IV: Comments from the Department of Health and Human Services Page 49 GAO-18-528 Medicaid Managed Care Appendix IV: Comments from the Department of Health and Human Services Page 50 GAO-18-528 Medicaid Managed Care Appendix IV: Comments from the Department of Health and Human Services Page 51 GAO-18-528 Medicaid Managed Care Appendix V: GAO Contact and Staff Appendix V: GAO Contact and Staff Acknowledgments Acknowledgments Carolyn L. Yocom, (202) 512-7114 or yocomc@gao.gov GAO Contact In addition to the contact name above, Tim Bushfield (Assistant Director), Staff Mary Giffin (Analyst-in-Charge), Arushi Kumar, Julie Flowers, Drew Long, Acknowledgments Vikki Porter, Katie Thomson made key contributions to this report. Other staff who made contributions to the report were Jessica Broadus, Barbie Hansen and Erika Huber. (101194) Page 52 GAO-18-528 Medicaid Managed Care The Government Accountability Office, the audit, evaluation, and investigative GAO’s Mission arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is Obtaining Copies of through GAO’s website (https://www.gao.gov). Each weekday afternoon, GAO GAO Reports and posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to https://www.gao.gov Testimony and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at https://www.gao.gov. Contact: To Report Fraud, Website: https://www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in Automated answering system: (800) 424-5454 or (202) 512-7470 Federal Programs Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, Congressional U.S. Government Accountability Office, 441 G Street NW, Room 7125, Relations Washington, DC 20548 Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707 Strategic Planning and U.S. Government Accountability Office, 441 G Street NW, Room 7814, External Liaison Washington, DC 20548 Please Print on Recycled Paper.