CMS estimated improper payments to Medicare Advantage Organizations (MAOs) to be 9.5 percent or $14.1 billion based on a national audit that reviewed 2013 payments. Of those improper payments, CMS estimated that 73 percent were the result of insuﬃcient medical documentation submitted to support the diagnoses the MAOs submitted, according to an April 2016 Government Accountability Oﬃce (GAO) report.
Over the past few years, in addition to several GAO reports on its audits of CMS’ risk adjustment process, the issue of CMS overpayments made to MAOs has received the attention of Senate Judiciary Committee Chairman, Sen. Charles Grassley (R-Iowa), the Center for Program Integrity (CPI), the Kaiser Family Foundation (KFF), and other news media. More recently, Grassley sent a letter on April 17, 2017, to CMS Administrator Seema Verma seeking answers regarding MAO overpayments and the status of CMS audits and the Department of Justice (DOJ) has announced its intervention in qui tam False Claims Act (31 U.S.C. §3729) suits.
This Strategic Perspective explains CMS’ risk adjustment process and the GAO’s ﬁndings about that process, includes details of CPI’s investigation of CMS overpayments to MAOs, describes Grassley’s concerns related to the overpayments, and identiﬁes recent lawsuits. In addition, Wolters Kluwer interviewed an expert to provide insight from a legal perspective of the issues that CMS and MAOs are facing and what each needs to do to address the overpayment issue.
The Risk Adjustment Process
As explained in a January 2017 GAO report to Congress, Medicare pays MAOs a predetermined, ﬁxed monthly amount per enrollee. Unlike fee-for-service, the payment does not vary on the basis of the number or cost of health care services an enrollee uses. Instead, CMS uses a risk adjustment process to account for diﬀerences in enrollees’ expected health care costs relative to an average beneﬁciary. MAOs are required to submit detailed information, known as “encounter data,” about the care and health status of MA enrollees to determine payments to MAOs. To make proper payments, the risk adjustment process requires complete and accurate encounter data from MAOs, according to the GAO report (see GAO says CMS made limited progress validating MA encounter data, January 20, 2017).
MAOs must submit diagnosis codes for each enrollee for a particular calendar year to CMS (42 U.S.C. §1395w-23(a)(3); 42 C.F.R. Sec. 422.310). CMS uses the codes to create Hierarchical Condition Category (HCC) risk scores to adjust the capitated payment rates it pays to each MAO, increasing payment rates to MAOs with patient populations with more severe illnesses and decreasing payments to MAOs with patient populations with less severe illnesses. MAOs typically submit data to CMS and then perform a retrospective review of medical charts to ensure that the charts support the claims submitted (see U.S. intervenes in UnitedHealth billing scheme suit, May 3, 2017). CMS conducts two types of risk adjustment data validation (RADV) audits, national RADV activities and contract-level RADV audits, to determine whether the diagnosis codes submitted by MAOs are supported by the beneﬁciary’s medical record documentation, and to correct MAO improper payments.
Beginning in 2004, CMS used an abbreviated set of MAO diagnostic data collected through the Risk Adjustment Processing System (RAPS) to calculate Medicare Advantage (MA) enrollee risks scores. CMS relied on diagnosis information in RAPS data along with fee-for-service claims data to determine the relative cost for treating beneﬁciaries with various diagnoses. In 2012, CMS began collecting data from MAOs replacing RAPS data.
The Center for Public Integrity Investigation
The CPI reported in a March 15, 2015, article that documents released to it under the Freedom of Information Act (FOIA) indicated that oﬃcials were made aware, as early as 2009, that some health plans overstate how sick their patients are. CPI’s investigation into MA overpayments culminated in a FOIA lawsuit captioned Schulte v. HHS , with a CPI reporter obtaining a court order requiring the agency to produce MA records (see HHS sued for failure to release Medicare Advantage billing information, May 28, 2014).
According to CPI, the documents released included an unpublished study, commissioned by CMS that tracked growth in risk scores starting in 2004. The study, dated September 29, 2009, found that “risk scores for Medicare Advantage enrollees grew twice as fast between 2004 and 2008 as they would have had the same person remained in standard Medicare” and concluded that it was “‘extremely unlikely’ that people who enrolled in the plans actually got sicker and noted that coding inﬂation ‘results in inappropriate payment levels.’”
Although CMS, since 2008, has suspected certain privately run MA plans of overcharging the federal government, the agency only completed 30 in-depth ﬁnancial audits each year to recover overpayments, CPI said, adding that CMS has resources for up to 80 yearly in-depth audits, despite completing less than half that number. The result is a failure to recover tens of millions of dollars in overpayments (see No honor among thieves: MA ‘honor system’ costs taxpayers billions, December 18, 2015).
In an August 29, 2016, article, CPI revealed that of the 37 MA plan audits for 2007 it obtained from the federal oﬃcials through the lawsuit, CMS found that all but two of the MA plans overcharged the government by overstating the severity of the medical conditions of patients they treated and were overpaid. According to CPI, “none of the plans faced closer scrutiny following the audits,” which collected a total of $12 million in overpayments. “Oﬃcials said unconﬁrmed diagnoses could be caused by ‘incorrect’ coding by the health plan’s doctors or ‘incorrect diagnostic data’ submitted to the government by the health plan,” CPI said.
On January 6, 2017, Kaiser Health News (KHN) reported that government documents that were released in response the CPI lawsuit indicated that although “an initial round of audits found that Medicare had potentially overpaid ﬁve of the health plans $128 million in 2007 alone,” oﬃcials never recovered most of the money. CMS backed oﬀ its payment demands and settled for just under $3.4 million. The plans disputed the ﬁndings.
Reports on CMS Audits
In July 2014, the GAO reported that CMS had taken some appropriate actions to ensure the completeness and accuracy of MAO encounter data but concluded that CMS had not fully developed its plans for using the MA encounter data. CMS said it would begin using the encounter data to determine payments to MAOs in 2015. The GAO recommend that CMS develop requirements for completeness and accuracy, including performing statistical analyses to detect more complex validity issues and reviewing medical records to verify diagnoses and services within the data (see Encounter data must be veriﬁed before use in risk adjustment, September 3, 2014).
On March 3, 2016, Beneﬁts Pro reported that CMS was preparing to enlarge its auditing program of MA patient billing records to better determine the extent to which some health plans exaggerate patients’ medical conditions by intentionally miscoding patients’ diagnosis to charge more for services. According to Beneﬁts Pro, CMS requested information from interested contractors to help carry out its initiative.
In an April 2016 report, the GAO concluded that CMS’ RADV process needed “fundamental improvements.” CMS’ RADV process did not yield a selection of MA contracts that “have the greatest potential for recovery of improper payments” and experienced substantial delays. The GAO also found that CMS “lacks a timetable to annually conduct and complete audits” of payments made to MAOs to ensure the recovery of improper payments from MAOs that resulted from the submission of beneﬁciary diagnoses that were unsupported by the records. Furthermore, as of the date of the report, CMS had failed to expand the recovery audit contractor (RAC) program to include oversight of MA payments by the end of 2010 as mandated by Section 6411(b) of the Patient Protection and Aﬀordable Care Act (ACA) (P.L. 111-148) (see Audit of auditing reveals ﬁve areas that can be improved, May 10, 2016).
In its January 2017 report, the GAO determined that CMS made limited progress to validate the completeness and accuracy of its MA encounter data and use it for risk adjustment and concluded that CMS had not yet undertaken activities that fully address encounter data accuracy, such as reviewing medical records and failed to specify plans and time frames for most other purposes, such as conducting program evaluations and supporting public health initiatives. “[T]o the extent that CMS is making payments based on data that have not been fully validated for completeness and accuracy, the soundness of billions of dollars in Medicare expenditures remains unsubstantiated,” the GAO said (see GAO says CMS made limited progress validating MA encounter data, January 20, 2017).
Grassley reignited his concerns of whether the taxpayers are overpaying insurers in Medicare Advantage, seeking updates and answers from CMS on what the agency is doing to prevent insurance company risk score gaming to get higher payments. In the April 2017 letter to CMS Administrator Verma, Grassley requested an explanation as to why CMS collected only $13.7 million of a recovery assessment of $128 million in potential overpayments from two audits of MA organizations conducted in 2007. The recovery arose from CMS’ pilot audit in 2007 that included ﬁve plans ($43.4 million recovered), and a “Targeted Audit” that focused on 32 plans ($10.4 million recovered). In addition, Grassley noted that CPI reported that $70 billion in risk score overpayments between 2008 and 2013.
Stating that there are “billions of dollars of taxpayer money…at stake,” Grassley urged CMS to “aggressively use the tools at its disposal to ensure that it is eﬃciently identifying fraud and subsequently implementing timely and far remedies.” He stressed his concern that the overpayment for 2007 of $128 appears low and that MA organization risk score gaming is not going away. Among the questions Grassley posed was (1) what steps will CMS take to ensure that insurance companies are not fraudulently altering risk scores; (2) in the last two years, how many MA audits have been performed; and (3) why did the Obama Administration recover only $3.4 billion from the CMS pilot audit rather than $128 billion.
Grassley sent a letter to then-acting CMS Administrator Andrew Slavitt on May 19, 2015, requesting details about Medicare Advantage fraud controls in response to the CPI articles, including steps CMS has taken, whether CMS was working with the DOJ, the number of risk score audits CMS has conducted, and the amount of money CMS allocates for audits targeting MAO fraud. Grassley received a response from Slavitt on July 31, 2015, describing the work CMS had done and planned to do to reduce improper payments associated with MAO diagnosis data, including the RADV audit initiative. In terms of working with the DOJ and OIG, Slavitt noted that CMS (1) supports investigations of risk score fraud; (2) provides training on MA policies, payment rules, and risk adjustment methodologies; and (3) shares documentation and data in support of False Claims Act investigations.
In a second letter to then-Attorney General Loretta Lynch, Grassley asked Lynch to tighten scrutiny of Medicare Advantage health plans suspected of overcharging the government by “risk score gaming.” At that time, Grassley, asked Lynch what steps the DOJ was taking to ensure MAOs were not fraudulently altering risk scores, whether the DOJ was working with CMS to investigate risk score fraud and how many investigations the DOJ has conducted in the past ﬁve years.
Current FCA Lawsuits
Whistleblower lawsuits ﬁled under the FCA alleging that MAOs submitted inﬂated risk scores are not new. In April 2015, the CPI addressed the increasing numbers of lawsuits against MAOs and reported that federal court records showed at least a half dozen whistleblower lawsuits alleging billing abuses related to risk scores ﬁled since 2010. CPI noted that lawyers predicted that more would be ﬁled.
On May 1, 2017, the DOJ announced that it had intervened and ﬁled a complaint in a qui tam lawsuit against United Health Group, Inc. (UHG) (U.S. ex rel. Swoben v. Secure Horizons) alleging that UHG entities and MAOs with which it contracted, including HealthCare Partners, deliberately ignored information from chart reviews about invalid diagnoses and, therefore, submitted bills to Medicare that were not supported by medical documentation.
The MAO’s thus received inﬂated risk adjustment payments that were never repaid to CMS (see U.S. intervenes in UnitedHealth billing scheme suit, May 3, 2017).
On May 16, 2017, the DOJ announced that it had ﬁled a complaint intervening in a related lawsuit against UHG, U.S.ex rel. Poehling v. UnitedHealth Group, Inc., which also alleged that UHG knowingly defrauded the Medicare program. The DOJ alleged that UHG disregarded information about beneﬁciaries’ medical conditions after conducting chart reviews and physicians’ medical records that included patient diagnoses that increased the risk adjustment payment UHG received from Medicare (see Government intervenes in UnitedHealth fraud suit, alleges $1 billion in damages, May 17, 2017).
Addressing MAO Overpayment Issues
Pamela Coyle Brecht, Partner, Pietragallo Gordon Alfano Bosick & Rampant, LLP, provided the following responses to questions addressing the overpayment issues facing both CMS and MAOs posed by Wolters Kluwer (WK).
WK: How are Medicare Advantage organizations responding to the most recent reports related to CMS overpayments?
Brecht: The FCA litigation, in which the United States has now intervened, should send a strong message to MAOs—the Government is taking the certiﬁcations made by MAOs when submitting risk adjustment and encounter data seriously. On the other hand, if you consider the case United Healthcare ﬁled against HHS in 2016 (United Healthcare Insurance Co. v. Price), the MAOs appear to be ﬁghting back (seePart C insurers avoid ‘procedural quagmire,’ proceed with Final rule challenge, April 3, 2017).
Under the ACA, MAOs are required to report or return overpayments they discover. In May 2014, CMS published a rule to clarify that an “overpayment” included payments that a MAO discovered, or should have discovered, that it should not have paid a claim. United Healthcare sued HHS in February 2016, alleging that CMS’ rule violates the requirement that MAOs are treated the same as other insurers by CMS and argued that the 2014 rule created new obligations. On March 31, 2017, the district court denied the government’s motion to dismiss, concluding that United had constitutional standing to challenge it, and ﬁnding that the insurer could be harmed by complying with the regulation. The central issue is whether the rule imposed new obligations on insurers or restated existing obligations. The court noted that United Healthcare lacked an avenue for administrative review of the CMS rule and had statutory standing to challenge it through the courts.
WK: What do you see as the biggest issues for CMS when it comes to Medicare Advantage overpayments? What are the biggest issues for Medicare Advantage organizations?
Brecht: The biggest issue for CMS is having the ability (access and resources) to identify Medicare Advantage overpayments. CMS lacks the resources to monitor the underlying patient records that support (or expose the lack of foundation for) risk adjustment scores. The biggest issue for MAOs is probably convincing their shareholders or Boards to dedicate signiﬁcant resources to robust auditing and, where appropriate, self-reporting of overpayments.
WK: Will the introduction of recovery audit contractors (RACs) to identify overpayments improve CMS ability to recover Medicare Advantage overpayments? If so, in what ways? If not, why not?
Brecht: There are two types of audits: comprehensive audits that involve all patients and HCCs in an MAO contract, and condition-speciﬁc audits, which involve focused documentation reviews for speciﬁc HCCs. The need for the second type of audit can be determined by analyzing upticks in HCCs submitted to CMS by MAOs in a particular region or health care system. CMS can then focus on certain conditions associated with suspected overpayments. There are challenges to CMS’ ability to recover identiﬁed overpayments, as evidenced by the paucity of CMS’ recovery ($3.4 million) when compared to the potential overpayments for 2007 alone ($128 million). Thus, RACs can assist in identifying overpayments, particularly when there are spikes in speciﬁc diagnoses/HCCs, and when on closer review, these diagnoses are not supported by patient records. However, ﬁrst, CMS must be committed to funding robust RAC audits, and second, to actually recouping these funds from MAOs. The most recent intervention in the FCA case against United Healthcare certainly sends a strong signal that CMS is taking the issue seriously.
WK: What advice would you give MAOs to avoid overpayments by ensuring that the diagnosis codes submitted to CMS for risk adjustment scores are accurate and supported by medical documentation?
Brecht: MAOs should develop robust compliance and auditing programs geared toward uncovering upcoding for diagnoses that relate to reimbursable HCCs. MAOs also should ensure that they are monitoring the diagnoses submitted by providers. For example, if a provider has a long history with a particular population of patients and, suddenly, those patients are being diagnosed with conditions that lead to higher reimbursements, this should be a signal that an audit of the underlying patient records is in order.
A couple of years ago, while speaking on a panel focused on Medicare managed care fraud, I had suggested that MAOs could issue a notice to patients each time they were given a new diagnosis, with an invitation to the patient to report to the MAO that they are not being treated for that condition. This would be another opportunity for MAOs to ensure that the medical record, the diagnosis, and the treatment are in line with data related to payment that is submitted to CMS. The response I received from an industry consultant was that that was somehow dangerous – for the patient to know precisely what their diagnoses are.
MAOs must provide the suﬃcient medical documentation to support the diagnoses it submits for CMS to establish risk scores. In addition, they need to develop robust compliance and auditing programs to uncover upcoding for diagnoses before submitting the diagnoses to CMS. If not, MAOs may continue to face challenges from the government and lawsuits alleging FCA violations.
As recommended by the GAO, CMS must be able to ensure that: (1) its risk adjustment process and audits conﬁrm the completeness and accuracy of MAO encounter data; (2) it is performing statistical analyses to detect more complex validity issues; and (3) it is timely reviewing medical records to verify diagnoses and services within the data. Furthermore, as mandated by the ACA, CMS should engage RACs to review MA payments. Finally, CMS must provide assurances that it will recover MAO overpayments.
Article was originally published in Wolters Kluwer Health Law Daily on Friday, May 19, 2017. © CCH Incorporated and its affiliates and licensors. All rights reserved.