Strategic Perspectives: Government Rekindles Concerns about CMS’ MAO Overpayments

May 22, 2017

By: Pamela Coyle Brecht

CMS estimated improper payments to Medicare Advantage Organizations (MAOs) to be 9.5 percent or $14.1 billion based on a national audit that reviewed 2013 payments. Of those improper payments, CMS estimated that 73 percent were the result of insufficient medical documentation submitted to support the diagnoses the MAOs submitted, according to an April 2016 Government Accountability Office (GAO) report.

Over the past few years, in addition to several GAO reports on its audits of CMS’ risk adjustment process, the issue of CMS overpayments made to MAOs has received the attention of Senate Judiciary Committee Chairman, Sen. Charles Grassley (R-Iowa), the Center for Program Integrity (CPI), the Kaiser Family Foundation (KFF), and other news media. More recently, Grassley sent a letter on April 17, 2017, to CMS Administrator Seema Verma seeking answers regarding MAO overpayments and the status of CMS audits and the Department of Justice (DOJ) has announced its intervention in qui tam False Claims Act (31 U.S.C. §3729) suits.

This Strategic Perspective explains CMS’ risk adjustment process and the GAO’s findings about that process, includes details of CPI’s investigation of CMS overpayments to MAOs, describes Grassley’s concerns related to the overpayments, and identifies recent lawsuits. In addition, Wolters Kluwer interviewed an expert to provide insight from a legal perspective of the issues that CMS and MAOs are facing and what each needs to do to address the overpayment issue.

The Risk Adjustment Process

As explained in a January 2017 GAO report to Congress, Medicare pays MAOs a predetermined, fixed monthly amount per enrollee. Unlike fee-for-service, the payment does not vary on the basis of the number or cost of health care services an enrollee uses. Instead, CMS uses a risk adjustment process to account for differences in enrollees’ expected health care costs relative to an average beneficiary. MAOs are required to submit detailed information, known as “encounter data,” about the care and health status of MA enrollees to determine payments to MAOs. To make proper payments, the risk adjustment process requires complete and accurate encounter data from MAOs, according to the GAO report (see GAO says CMS made limited progress validating MA encounter data, January 20, 2017).

MAOs must submit diagnosis codes for each enrollee for a particular calendar year to CMS (42 U.S.C. §1395w-23(a)(3); 42 C.F.R. Sec. 422.310). CMS uses the codes to create Hierarchical Condition Category (HCC) risk scores to adjust the capitated payment rates it pays to each MAO, increasing payment rates to MAOs with patient populations with more severe illnesses and decreasing payments to MAOs with patient populations with less severe illnesses. MAOs typically submit data to CMS and then perform a retrospective review of medical charts to ensure that the charts support the claims submitted (see U.S. intervenes in UnitedHealth billing scheme suit, May 3, 2017). CMS conducts two types of risk adjustment data validation (RADV) audits, national RADV activities and contract-level RADV audits, to determine whether the diagnosis codes submitted by MAOs are supported by the beneficiary’s medical record documentation, and to correct MAO improper payments.

Beginning in 2004, CMS used an abbreviated set of MAO diagnostic data collected through the Risk Adjustment Processing System (RAPS) to calculate Medicare Advantage (MA) enrollee risks scores. CMS relied on diagnosis information in RAPS data along with fee-for-service claims data to determine the relative cost for treating beneficiaries with various diagnoses. In 2012, CMS began collecting data from MAOs replacing RAPS data.

The Center for Public Integrity Investigation

The CPI reported in a March 15, 2015, article that documents released to it under the Freedom of Information Act (FOIA) indicated that officials were made aware, as early as 2009, that some health plans overstate how sick their patients are. CPI’s investigation into MA overpayments culminated in a FOIA lawsuit captioned Schulte v. HHS , with a CPI reporter obtaining a court order requiring the agency to produce MA records (see HHS sued for failure to release Medicare Advantage billing information, May 28, 2014).

According to CPI, the documents released included an unpublished study, commissioned by CMS that tracked growth in risk scores starting in 2004. The study, dated September 29, 2009, found that “risk scores for Medicare Advantage enrollees grew twice as fast between 2004 and 2008 as they would have had the same person remained in standard Medicare” and concluded that it was “‘extremely unlikely’ that people who enrolled in the plans actually got sicker and noted that coding inflation ‘results in inappropriate payment levels.’”

Although CMS, since 2008, has suspected certain privately run MA plans of overcharging the federal government, the agency only completed 30 in-depth financial audits each year to recover overpayments, CPI said, adding that CMS has resources for up to 80 yearly in-depth audits, despite completing less than half that number. The result is a failure to recover tens of millions of dollars in overpayments (see No honor among thieves: MA ‘honor system’ costs taxpayers billions, December 18, 2015).

In an August 29, 2016, article, CPI revealed that of the 37 MA plan audits for 2007 it obtained from the federal officials through the lawsuit, CMS found that all but two of the MA plans overcharged the government by overstating the severity of the medical conditions of patients they treated and were overpaid. According to CPI, “none of the plans faced closer scrutiny following the audits,” which collected a total of $12 million in overpayments. “Officials said unconfirmed diagnoses could be caused by ‘incorrect’ coding by the health plan’s doctors or ‘incorrect diagnostic data’ submitted to the government by the health plan,” CPI said.

On January 6, 2017, Kaiser Health News (KHN) reported that government documents that were released in response the CPI lawsuit indicated that although “an initial round of audits found that Medicare had potentially overpaid five of the health plans $128 million in 2007 alone,” officials never recovered most of the money. CMS backed off its payment demands and settled for just under $3.4 million. The plans disputed the findings.

Reports on CMS Audits

In July 2014, the GAO reported that CMS had taken some appropriate actions to ensure the completeness and accuracy of MAO encounter data but concluded that CMS had not fully developed its plans for using the MA encounter data. CMS said it would begin using the encounter data to determine payments to MAOs in 2015. The GAO recommend that CMS develop requirements for completeness and accuracy, including performing statistical analyses to detect more complex validity issues and reviewing medical records to verify diagnoses and services within the data (see Encounter data must be verified before use in risk adjustment, September 3, 2014).

On March 3, 2016, Benefits Pro reported that CMS was preparing to enlarge its auditing program of MA patient billing records to better determine the extent to which some health plans exaggerate patients’ medical conditions by intentionally miscoding patients’ diagnosis to charge more for services. According to Benefits Pro, CMS requested information from interested contractors to help carry out its initiative.

In an April 2016 report, the GAO concluded that CMS’ RADV process needed “fundamental improvements.” CMS’ RADV process did not yield a selection of MA contracts that “have the greatest potential for recovery of improper payments” and experienced substantial delays. The GAO also found that CMS “lacks a timetable to annually conduct and complete audits” of payments made to MAOs to ensure the recovery of improper payments from MAOs that resulted from the submission of beneficiary diagnoses that were unsupported by the records. Furthermore, as of the date of the report, CMS had failed to expand the recovery audit contractor (RAC) program to include oversight of MA payments by the end of 2010 as mandated by Section 6411(b) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) (see Audit of auditing reveals five areas that can be improved, May 10, 2016).

In its January 2017 report, the GAO determined that CMS made limited progress to validate the completeness and accuracy of its MA encounter data and use it for risk adjustment and concluded that CMS had not yet undertaken activities that fully address encounter data accuracy, such as reviewing medical records and failed to specify plans and time frames for most other purposes, such as conducting program evaluations and supporting public health initiatives. “[T]o the extent that CMS is making payments based on data that have not been fully validated for completeness and accuracy, the soundness of billions of dollars in Medicare expenditures remains unsubstantiated,” the GAO said (see GAO says CMS made limited progress validating MA encounter data, January 20, 2017).

Grassley’s Pursuit

Grassley reignited his concerns of whether the taxpayers are overpaying insurers in Medicare Advantage, seeking updates and answers from CMS on what the agency is doing to prevent insurance company risk score gaming to get higher payments. In the April 2017 letter to CMS Administrator Verma, Grassley requested an explanation as to why CMS collected only $13.7 million of a recovery assessment of $128 million in potential overpayments from two audits of MA organizations conducted in 2007. The recovery arose from CMS’ pilot audit in 2007 that included five plans ($43.4 million recovered), and a “Targeted Audit” that focused on 32 plans ($10.4 million recovered). In addition, Grassley noted that CPI reported that $70 billion in risk score overpayments between 2008 and 2013.

Stating that there are “billions of dollars of taxpayer money…at stake,” Grassley urged CMS to “aggressively use the tools at its disposal to ensure that it is efficiently identifying fraud and subsequently implementing timely and far remedies.” He stressed his concern that the overpayment for 2007 of $128 appears low and that MA organization risk score gaming is not going away. Among the questions Grassley posed was (1) what steps will CMS take to ensure that insurance companies are not fraudulently altering risk scores; (2) in the last two years, how many MA audits have been performed; and (3) why did the Obama Administration recover only $3.4 billion from the CMS pilot audit rather than $128 billion.

Grassley sent a letter to then-acting CMS Administrator Andrew Slavitt on May 19, 2015, requesting details about Medicare Advantage fraud controls in response to the CPI articles, including steps CMS has taken, whether CMS was working with the DOJ, the number of risk score audits CMS has conducted, and the amount of money CMS allocates for audits targeting MAO fraud. Grassley received a response from Slavitt on July 31, 2015, describing the work CMS had done and planned to do to reduce improper payments associated with MAO diagnosis data, including the RADV audit initiative. In terms of working with the DOJ and OIG, Slavitt noted that CMS (1) supports investigations of risk score fraud; (2) provides training on MA policies, payment rules, and risk adjustment methodologies; and (3) shares documentation and data in support of False Claims Act investigations.

In a second letter to then-Attorney General Loretta Lynch, Grassley asked Lynch to tighten scrutiny of Medicare Advantage health plans suspected of overcharging the government by “risk score gaming.” At that time, Grassley, asked Lynch what steps the DOJ was taking to ensure MAOs were not fraudulently altering risk scores, whether the DOJ was working with CMS to investigate risk score fraud and how many investigations the DOJ has conducted in the past five years.

Current FCA Lawsuits

Whistleblower lawsuits filed under the FCA alleging that MAOs submitted inflated risk scores are not new. In April 2015, the CPI addressed the increasing numbers of lawsuits against MAOs and reported that federal court records showed at least a half dozen whistleblower lawsuits alleging billing abuses related to risk scores filed since 2010. CPI noted that lawyers predicted that more would be filed.

On May 1, 2017, the DOJ announced that it had intervened and filed a complaint in a qui tam lawsuit against United Health Group, Inc. (UHG) (U.S. ex rel. Swoben v. Secure Horizons) alleging that UHG entities and MAOs with which it contracted, including HealthCare Partners, deliberately ignored information from chart reviews about invalid diagnoses and, therefore, submitted bills to Medicare that were not supported by medical documentation.

The MAO’s thus received inflated risk adjustment payments that were never repaid to CMS (see U.S. intervenes in UnitedHealth billing scheme suit, May 3, 2017).

On May 16, 2017, the DOJ announced that it had filed a complaint intervening in a related lawsuit against UHG, U.S.ex rel. Poehling v. UnitedHealth Group, Inc., which also alleged that UHG knowingly defrauded the Medicare program. The DOJ alleged that UHG disregarded information about beneficiaries’ medical conditions after conducting chart reviews and physicians’ medical records that included patient diagnoses that increased the risk adjustment payment UHG received from Medicare (see Government intervenes in UnitedHealth fraud suit, alleges $1 billion in damages, May 17, 2017).

Addressing MAO Overpayment Issues

Pamela Coyle Brecht, Partner, Pietragallo Gordon Alfano Bosick & Rampant, LLP, provided the following responses to questions addressing the overpayment issues facing both CMS and MAOs posed by Wolters Kluwer (WK).

WK: How are Medicare Advantage organizations responding to the most recent reports related to CMS overpayments?

Brecht: The FCA litigation, in which the United States has now intervened, should send a strong message to MAOs—the Government is taking the certifications made by MAOs when submitting risk adjustment and encounter data seriously. On the other hand, if you consider the case United Healthcare filed against HHS in 2016 (United Healthcare Insurance Co. v. Price), the MAOs appear to be fighting back (seePart C insurers avoid ‘procedural quagmire,’ proceed with Final rule challenge, April 3, 2017).

Under the ACA, MAOs are required to report or return overpayments they discover. In May 2014, CMS published a rule to clarify that an “overpayment” included payments that a MAO discovered, or should have discovered, that it should not have paid a claim. United Healthcare sued HHS in February 2016, alleging that CMS’ rule violates the requirement that MAOs are treated the same as other insurers by CMS and argued that the 2014 rule created new obligations. On March 31, 2017, the district court denied the government’s motion to dismiss, concluding that United had constitutional standing to challenge it, and finding that the insurer could be harmed by complying with the regulation. The central issue is whether the rule imposed new obligations on insurers or restated existing obligations. The court noted that United Healthcare lacked an avenue for administrative review of the CMS rule and had statutory standing to challenge it through the courts.

WK: What do you see as the biggest issues for CMS when it comes to Medicare Advantage overpayments? What are the biggest issues for Medicare Advantage organizations?

Brecht: The biggest issue for CMS is having the ability (access and resources) to identify Medicare Advantage overpayments. CMS lacks the resources to monitor the underlying patient records that support (or expose the lack of foundation for) risk adjustment scores. The biggest issue for MAOs is probably convincing their shareholders or Boards to dedicate significant resources to robust auditing and, where appropriate, self-reporting of overpayments.

WK: Will the introduction of recovery audit contractors (RACs) to identify overpayments improve CMS ability to recover Medicare Advantage overpayments? If so, in what ways? If not, why not?

Brecht: There are two types of audits: comprehensive audits that involve all patients and HCCs in an MAO contract, and condition-specific audits, which involve focused documentation reviews for specific HCCs. The need for the second type of audit can be determined by analyzing upticks in HCCs submitted to CMS by MAOs in a particular region or health care system. CMS can then focus on certain conditions associated with suspected overpayments. There are challenges to CMS’ ability to recover identified overpayments, as evidenced by the paucity of CMS’ recovery ($3.4 million) when compared to the potential overpayments for 2007 alone ($128 million). Thus, RACs can assist in identifying overpayments, particularly when there are spikes in specific diagnoses/HCCs, and when on closer review, these diagnoses are not supported by patient records. However, first, CMS must be committed to funding robust RAC audits, and second, to actually recouping these funds from MAOs. The most recent intervention in the FCA case against United Healthcare certainly sends a strong signal that CMS is taking the issue seriously.

WK: What advice would you give MAOs to avoid overpayments by ensuring that the diagnosis codes submitted to CMS for risk adjustment scores are accurate and supported by medical documentation?

Brecht: MAOs should develop robust compliance and auditing programs geared toward uncovering upcoding for diagnoses that relate to reimbursable HCCs. MAOs also should ensure that they are monitoring the diagnoses submitted by providers. For example, if a provider has a long history with a particular population of patients and, suddenly, those patients are being diagnosed with conditions that lead to higher reimbursements, this should be a signal that an audit of the underlying patient records is in order.

A couple of years ago, while speaking on a panel focused on Medicare managed care fraud, I had suggested that MAOs could issue a notice to patients each time they were given a new diagnosis, with an invitation to the patient to report to the MAO that they are not being treated for that condition. This would be another opportunity for MAOs to ensure that the medical record, the diagnosis, and the treatment are in line with data related to payment that is submitted to CMS. The response I received from an industry consultant was that that was somehow dangerous – for the patient to know precisely what their diagnoses are.


MAOs must provide the sufficient medical documentation to support the diagnoses it submits for CMS to establish risk scores. In addition, they need to develop robust compliance and auditing programs to uncover upcoding for diagnoses before submitting the diagnoses to CMS. If not, MAOs may continue to face challenges from the government and lawsuits alleging FCA violations.

As recommended by the GAO, CMS must be able to ensure that: (1) its risk adjustment process and audits confirm the completeness and accuracy of MAO encounter data; (2) it is performing statistical analyses to detect more complex validity issues; and (3) it is timely reviewing medical records to verify diagnoses and services within the data. Furthermore, as mandated by the ACA, CMS should engage RACs to review MA payments. Finally, CMS must provide assurances that it will recover MAO overpayments.

Article was originally published in Wolters Kluwer Health Law Daily on Friday, May 19, 2017. © CCH Incorporated and its affiliates and licensors. All rights reserved.

Related Information:

News & Events

Related News

Marc Raspanti and Pamela Coyle Brecht’s WOLEP Presentation Released
November 28, 2023
Marc Raspanti and Pamela Coyle Brecht‘s presentation “A Practitioner’s Guide to American Whistleblower Programs” is now available through World Online Lawyers With Excellent Practice (WOLEP). Read More
28 Pietragallo Lawyers Named in 2024 The Best Lawyers in America® and Ones to Watch
August 17, 2023
Pietragallo Gordon Alfano Bosick & Raspanti, LLP is pleased to announce that 28 lawyers have been named as 2024 The Best Lawyers in America® and Ones to Watch.  Read More

Upcoming Events

Scott Coffina to speak at Police Assisted Addiction and Recovery Initiative 2023 National Law Enforcement Summit
December 4, 2023
Pietragallo partner Scott Coffina will present “How to Run an Effective and Ethical Diversion Program” at the Police Assisted Addiction and Recovery Initiative (PAARI) 2023 National Law Enforcement Summit held in Boston, MA on December 4-5, 2023. Read More
Michael Morse to present at the American Bar Association’s 21st Annual Washington Health Law Summit
December 11, 2023
Pietragallo partner Michael Morse will be presenting at the American Bar Association’s 21st Annual Washington Health Law Summit, on December 11-12, 2023 in Washington D.C.. Read More
View More News & Events