Listen to this post

Last month, the U.S. Department of Health and Human Services’ Office of Inspector General (“OIG”) published Medicare Advantage Industry Segment-Specific Compliance Program Guidance (“Guidance”). OIG described the Guidance as “OIG’s updated and centralized source of voluntary compliance program guidance for Medicare Advantage.”[1] The impetus for creating the Guidance was “the growing popularity” and OIG’s “granular understanding” of the Medicare Advantage (“MA”) program along with the “fraud, waste, and abuse risks within it.” OIG noted that “managed care oversight is a top OIG priority” and that it was seeking to “improve the usefulness, timeliness, accessibility, and usability of [its] compliance program guidance for MA Parties.”

 Included within the Guidance is a section titled “Compliance Risk Areas and Recommendations for Mitigation.”[2] OIG identified the following “key risk areas relevant to the MA program”:

  1. Access to Care (Network Adequacy and Prior Authorization)
  2. Marketing and Enrollment
  3. Risk Adjustment
  4. Quality of Care
  5. Oversight of Third Parties
  6. Compliance Programs within Vertically Integrated Organizations and Other Ownership structures
  7. Submission of Accurate Claims

Access to Care refers to the failure of MA organizations (“MAOs”) to ensure that enrollees can access all covered and relevant supplemental services through the failure to maintain adequate provider networks and accurate directories or failure to maintain access to services by employing utilization management tools (e.g., prior authorization) in a manner that inappropriately limits or impedes access to medically necessary covered services.

Marketing and Enrollment refers to deceptive marketing practices and potential improprieties around payments designed to generate new enrollments. According to OIG, “[t]hese schemes involve questionable payments and referrals between MA plans, health care professionals and third-party marketers such as agents and brokers” which “can mislead Medicare enrollees into choosing specific health plans or health care providers that may not meet the enrollees’ needs.” Improper financial incentives can lead to administrative sanctions, False Claims Act liability or criminal liability under the federal Anti-Kickback Statute. Misleading marketing practices can violate regulations prohibiting MAOs from engaging in such conduct.

Risk Adjustment refers to the reimbursement methodology utilized by CMS to pay MAOs for care rendered to enrollees. CMS pays a capitated per member per month (PMPM) rate that is based, in part, on the beneficiary’s health status from the prior year, with sicker patients generally receiving higher risk scores and, hence, higher PMPM payments. OIG has noted that the risk adjustment process is subject to fraud and abuse and has raised concerns that MAOs may be using chart reviews and in-home health risk assessments inappropriately to increase risk adjustment payments. This can be done by adding, or prompting providers to add, risk-adjusting diagnoses that are unsupported or that do not affect the care, treatment or management of the patient, and also by failing to remove unsupported diagnosis codes from the medical record.

Quality of Care refers to MA program requirements designed to ensure enrollee access to high-quality care, including quality bonus payments to MAOs based on a 5-star rating system. To achieve those bonus payments, MAOs must submit data to CMS that measures health outcomes and other quality measures. OIG notes that “[e]nsuring the integrity of the data used for Star Ratings’ quality and performance measures is a key component for MA Parties’ quality-of-care compliance oversight.”

Oversight of Third Parties refers to MAO oversight of third parties, including providers, marketers and vendors. OIG notes that “[f]raud and abuse risks associated with MAO interactions with third parties are not limited to interactions with FDRs [i.e., First Tier Downstream Related Entities], because liability under fraud and abuse laws does not turn on any entity’s status as an FDR.” Further, OIG cautions that when delegating functions to third parties, MAOs “may be liable for the actions of those third parties beyond MAOs’ accountability to CMS for delegated functions” and that “[t]hird parties themselves also could be vulnerable to liability under certain fraud and abuse laws for their own conduct or for the actions of downstream entities.”

Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures refers to the increasing number of large and complex partnerships and arrangements involving MAOs and providers, including MAOs that own health care providers and health systems, health systems that own MAOs, and MAOs that own related entities such as data analytics firms and utilization review entities. OIG cautions that the compliance challenges in such integrated organizations can be unique and that the compliance requirements of one component may be different from those of another. Additionally, OIG notes that in any organization that includes MA functions, “organization-wide compliance risk assessments, audit plans and other compliance planning should consider risks arising from MA-related functions, even if those represent a small part of the larger organization.” If the integrated organization involves private equity funds or other investors, OIG warns that “[i]nvestors lacking experience in health care may be unfamiliar with fraud, waste, and abuse risks and the need for a vigorous compliance program.”

Submission of Accurate Claims is fairly self-explanatory. As noted by OIG, “[a]s a condition of receiving payment, MAOs must submit certifications that the data submitted to CMS are accurate” and the “[f]ailure to submit accurate payment data may result in administrative actions or, if fraud is involved, civil liability.” (Of course, if fraud is involved, there is always the possibility of criminal liability as well.) In the MA context, fraudulent conduct could mean knowingly submitting false risk adjustment information to CMS in order to elicit higher PMPM reimbursement amounts for enrollees and/or knowingly failing to withdraw inaccurate and invalid diagnosis codes from patient charts.

The Guidance includes compliance recommendations for mitigating risk in each of the above areas, which may be adopted by “MA Parties,” defined as “the wide range of entities and individuals participating in or engaged with” the MA program. Rivkin Radler’s Health Services Group can offer legal support to any individual or organization requiring assistance in understanding and/or implementing the new Guidance.

Sign up to receive Rivkin Rounds at www.RivkinRounds.com.

[1] OIG stated that the new Guidance “updates prior guidance OIG issued in its 1999 Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans (1999 CPG).”

[2] OIG stated that “[t]he absence of a previously identified risk area or consideration in the [Guidance] does not signal that a risk no longer exists, has become irrelevant, or is otherwise inapplicable” and that “[i]ndividuals and entities may still wish to address the risk area or consideration in their compliance programs.” To that end, the 1999 CPG will remain an archived resource on the OIG website.