How does cms ensure plans are compliant with medicare regulations

Managed Care

In order to receive federal Medicaid funds, states must meet numerous requirements regarding the proper and efficient administration of their Medicaid programs, including the use of managed care in Medicaid. Over time, as Congress has amended federal Medicaid law to provide new flexibilities for states’ use of managed care, it has also added provisions to ensure that the federal government holds states accountable—and that states hold managed care plans accountable—for the services they have agreed to provide to enrollees. The requirements related to the federal oversight of full-risk Medicaid managed care programs can be found in Section 1932 of the Social Security Act (the Act) as well as in implementing regulations (42 CFR 438).

The statute establishes a broad oversight role for the Centers for Medicare & Medicaid Services (CMS), with few specific federal responsibilities. Section 1932 of the Act prescribes the managed care enrollment process, beneficiary protections, and requirements governing information and communication, but establishes in subsection (c) only two direct oversight and monitoring requirements for CMS and for states:

(1) A state must develop, implement and update a managed care quality assessment and improvement strategy (i.e., a state quality strategy) that includes access standards and procedures for monitoring and evaluating the quality and appropriateness of care and services, meets the standards set by CMS, and is subject to monitoring by CMS;

(2) A state must conduct an annual external independent review of the quality of and access to services under each managed care contract.

Federal regulations that implement Section 1932 define state and federal oversight responsibilities in much greater detail, but states have considerable flexibility in how they operationalize these requirements and determine how the plans meet them. The federal rules at 42 CFR 438 specify:

• the standard provisions that must be incorporated in all contracts between states and managed care organizations (MCOs);
• capitation rate development standards;
• enrollment and disenrollment requirements;
• network adequacy standards;
• enrollee rights and protections;
• MCO requirements relating to the delivery of services;
• quality measurement and improvement standards;
• program integrity safeguards; and
• conditions for federal financial participation.

Historically, CMS has focused most of its oversight and monitoring resources on the review of documents such as waivers and plan contracts that require federal approval prior to a state’s implementation of a managed care program, to ensure that managed care programs, as proposed, will comply with federal statutes and regulations. However, differences in managed care program design among states and the use of multiple federal authorities has made it challenging for CMS to implement a consistent federal managed care oversight approach once the programs are implemented. In 2016, CMS updated the federal rules for Medicaid managed care to expand the federal oversight role, standardize the expectations for states across all managed care authorities, and update program standards to reflect the current scope of Medicaid managed care programs. Below is a summary of the key federal managed care accountability requirements, reflecting the changes that will be implemented under the new regulations.

Waiver and state plan amendment review

As noted above, states can implement managed care in their Medicaid programs using one or more federal authorities. CMS is responsible for reviewing and approving state requests to implement managed care under these authorities. All Medicaid managed care programs, regardless of authority, are subject to the provisions of Section 1932 and 42 CFR 438 unless specifically waived.

There are different state application and CMS approval processes depending on the authority that is used. For example, the Section 1932 state plan amendment (SPA) application form (also referred to as the preprint) requires the state to indicate key programmatic features, such as which populations are being enrolled in managed care, the enrollment process, and covered benefits. The Section 1915(b) waiver template requests similar programmatic information with significantly greater level of detail than the Section 1932 template and requires the state to provide extensive information regarding its monitoring process. When these waivers are renewed, the state submits the results of its monitoring efforts to CMS. Section 1115 waiver applications are often unique to each state and can contain varying amounts of detail. States with 1115 demonstrations are also required to submit periodic monitoring reports and formal waiver evaluations.

The policies that the state and CMS agree to are ultimately codified in approval documents. CMS’s ability to place conditions on approvals, and the specificity of those conditions, also vary by type of authority. Approval of SPAs is quite general in nature, and is typically conveyed in a brief letter to the state. In contrast, approval of Section 1915(b) requests includes standard terms and conditions (STCs). For Section 1115 demonstrations, CMS’sagreement with the state is codified in a set of specific authorities that are accompanied by an approval letter and STCs that detail the specific expectations for the operation of the demonstration that CMS has negotiated with the state. The variation in the level of detail in some respects reflects the policies under different authorities. Sections 1915(b) and 1115 waive statutory requirements and the terms and conditions enumerate specific conditions under which those waivers are being granted. In the case of Section 1115 waivers, the STCs are detailed and state specific, and also establish evaluation requirements, reflecting that waivers under Section 1115 are for demonstration purposes.

Contract review

States provide Medicaid managed care services through contracts with MCOs. Each contract constitutes a legal agreement between the state and MCO for the delivery of services to enrollees and functions as a mechanism to enforce the standards specified by states and the federal government. MCO contract terms vary among states in the level of specificity of plan requirements, but all include a basic set of activities and specific requirements mandated by federal law and regulation.

Federal law stipulates that states can receive federal Medicaid reimbursement for their payments to Medicaid managed care entities only if their contracts include the following provisions in Section 1903 of the Act. The U.S. Department of Health and Human Services (HHS) and the state shall have the right to audit and inspect any books and records of the entity.

• The plan may not discriminate on the basis of enrollees’ health status.
• Individuals can disenroll within the first 90 days without cause and then at least every 12 months thereafter.
• Either the plan or state must provide reimbursement for medically necessary services provided out-of-network due to an unforeseen illness, injury, or condition.
• The plan must make required ownership disclosures.
• The plan must pay federally-qualified health centers or rural health clinics no less than it pays other providers for the same services.
• Any physician incentive plan that directly or indirectly has the effect of reducing or limiting services provided with respect to enrollees must meet certain requirements.
• The plan must provide patient-level encounter data as required by HHS.
• Outpatient prescription drugs provided by the plan must be provided under the same terms (including rebate and reporting requirements) as apply to fee for service Medicaid.
• The plan must comply with the applicable requirements of Section1932 of the Act.

In addition to these requirements, CMS regulations outline a number of other requirements that must be contained in plan contracts, such as compliance with federal and state contracting rules, inspection and audit of financial records, and prohibition of enrollment discrimination (42 CFR 438.6). States typically include state-specific and detailed operational requirements in contracts that go beyond the minimum federal contract standards. For example, state Medicaid managed care contracts will typically include customer service requirements, detailed provider network standards, state-specific financial solvency requirements, data collection and reporting requirements, claims processing and payment standards, and corrective actions. For additional information on Medicaid managed care contract provisions, see Comprehensive Risk-based Contract Requirements.

CMS reviews and approves each plan contract in a state, as well as contract amendments. This requirement is established in CMS’s managed care regulations (42 CFR §438.6(a)) and applies to all plan contracts, regardless of program authority. Through this review, CMS ensures that a state’s plan contract provisions comply with regulatory and, if applicable, waiver requirements. For states that select plans through a competitive procurement process, the contract approval process begins with the state submitting its proposed request for proposal (or other solicitation document) to CMS for approval. Procurements for contracts that are funded with federal dollars are subject to the requirements of 45 CFR 74, including that they be conducted, to the maximum extent practical, in a manner that provides free and open competition.

Readiness review

CMS and states have typically conducted pre-implementation readiness reviews to ensure that MCOs are prepared to comply with program and contract requirements and ready to deliver services to enrollees prior to enrollment. Readiness reviews assess the ability and capacity of the MCO to perform satisfactorily in all major operational areas, including oversight of subcontractors, enrollee and provider communications, grievance and appeal procedures, member services and outreach, provider network management, program integrity and compliance, case management, utilization review, quality improvement, financial management, claims processing, reporting, and encounter data. Readiness reviews can include a desk review of documents and an on-site review, including interviews with MCO staff.

While readiness review was not an explicit requirement in federal statute or regulation before 2016, CMS has imposed terms and conditions requiring readiness reviews as part of the waiver approvals for many states operating managed care under 1915(b) or 1115 waiver authority. As part of the updated federal regulation that went into effect in 2016, states are now required to conduct MCO readiness reviews when implementing a new managed care program, contracting with a new MCO, or expanding an MCO contract to include new eligibility groups or additional covered benefits (42 CFR 438.66). The readiness review must be started at least three months before the effective date of the program or contract, completed in time to ensure a smooth implementation, and submitted to CMS for consideration as part of the contract review process described above.

Payment review

A key aspect of federal oversight is ensuring that state payments to providers comply with federal rules. For managed care payments, the fundamental payment principle is that capitation rates be actuarially sound. This means that they are certified by an actuary that meets the standards set forth in 42 CFR 438.6, appropriate for the covered population and services for the period that the rates are effective, and have been developed in accordance with generally accepted actuarial practices and principles.

States are required to submit the capitation rates that correspond to the populations and services covered in the managed care program, actuarial certifications for those rates, and data and documentation to support the rate certifications for federal review. CMS publishes annual guidance for states to assist them in developing rates and the accompanying documentation (CMS 2015). CMS then conducts a review of the capitation rates for each Medicaid managed care program to determine whether:

• the capitation rates are reasonable and comply with all applicable laws and regulations;
• the rate development process complies with all applicable laws and regulations, including but not limited to eligibility, benefits, financing, any applicable waiver or demonstration requirements, and program integrity; and
• the documentation is sufficient to demonstrate that the rate development process meets generally accepted actuarial practices and principles.

As part of the contract review described above, CMS reviews the final capitation rates for each MCO. For more information on the capitation rate-setting process, see Medicaid Managed Care Payment.

State monitoring system

The 2016 rule requires states to have a formal monitoring system for all managed care programs. These standards at 42 CFR 438.66 require states to have a monitoring system that addresses administration and management; appeal and grievance systems; claims management; enrollee materials and customer services; finance, including medical loss ratio reporting; information systems, including encounter data reporting; marketing; medical management, including utilization management; program integrity; provider network management including provider directories; quality improvement; the delivery of LTSS; and other items of the contract as appropriate. In conducting these monitoring activities, states are expected to collect and review a variety of program data including enrollment and disenrollment data, grievance and appeal logs, external quality review organization (EQRO) findings, surveys, quality measures, MCO annual quality improvement plans, financial reports, and medical loss ratio summary reports.

While federal regulations require states with Medicaid managed care programs to have a monitoring system, the regulations do not describe how CMS, the federal oversight agency, will monitor state compliance with this requirement.

Quality strategy

States are required to have a quality strategy for assessing and improving the quality of health care and services furnished by MCOs (§ 1932(c)(1) of the Act). Detailed requirements for the state quality strategy can be found in regulation and in subregulatory guidance.

States operating Medicaid managed care programs under any authority must have a written quality strategy that includes the following components, at a minimum (42 CFR 438.340):

• the state’s standards for access to care, structure and operations, and quality measurement and improvement;
• procedures for regularly monitoring and evaluating plan compliance with state standards;
• national performance measures identified and developed by the Centers for Medicare & Medicaid Services (CMS);
• arrangements for external independent reviews of quality outcomes and access to services;
• intermediate sanctions for plans;
• a state information system that supports operation and review of the state’s quality strategy;
• state-defined network adequacy and availability of services standards for managed care;
• measurable goals and objectives for continuous quality improvement, taking into account population health status;
• performance targets, performance measures, quality measures, and performance outcomes that will be measured and reported;
• performance improvement projects and other interventions proposed to improve access, quality, or timeliness of care;
• description of the state’s care transition policy;
• description of the state’s plan to address health care disparities; and
• mechanisms to identify persons who need long term services and supports or persons with special health care needs.

States must make the quality strategy available for public comment and obtain input from the its medical care advisory committee, beneficiaries, and other stakeholders before submitting the draft strategy to CMS for review. States must also conduct an evaluation of the effectiveness of the quality strategy and update the strategy as needed, but no less than once every three years. The quality strategy must also be made available online to the public.

Access standards

The statutorily required state quality strategy that every state Medicaid managed care program must develop must also include access standards and procedures for monitoring and evaluating the quality and appropriateness of care and services that meet the standards set by CMS.

State Medicaid programs must comply with federal statute and regulations for access and capacity in managed care. The primary requirement in statute is that each Medicaid managed care organization must provide assurances that it (a) offers an appropriate range of services and access to preventive and primary care services for the population expected to be enrolled in each service area and (b) maintains a sufficient number, mix, and geographic distribution of providers.

States must establish standards for access to care so that covered services are available within reasonable timeframes and in a manner that ensures continuity of care and adequate primary care and specialized services capacity. Specifically, states are required to develop and make publicly available time and distance network adequacy standards for primary care (adult and pediatric), OB/GYN, behavioral health, adult and pediatric specialist, hospital, pharmacy, and pediatric dental providers, and for additional provider types as determined by CMS (42 CFR 438.68). In setting these standards, states are required to consider a number of factors including the ability of providers to communicate with limited English proficient enrollees, accommodation of disabilities, and the availability of triage lines or screening systems, as well as the use of telemedicine, e-visits, and/or other evolving and innovative technological solutions. If states create exceptions from network adequacy standards, they must monitor enrollee access on an ongoing basis (42 CFR 438.68).

States must develop standards for all geographic areas of the state covered by the managed care program, but may allow capitated plans to meet different standards in different parts of the state. Thus, a state could require plans to provide primary care within 10 miles or 15 minutes in urban areas of the state, but within 30 miles or 45 minutes in rural areas. States may allow plans to obtain an exception to its time distance standards, as long as the exceptions process is set forth in the plan contract, and is based on the number of providers in the relevant specialty area who are practicing in the plan’s service area. State time and distance standards must be published on the state’s website and available in hard copy and accessible formats upon request.

External quality review

The second statutory oversight requirement for state Medicaid managed care programs is the requirement that states conduct an annual external independent review of the quality of and access to services under each managed care contract (§ 1932(c)(1) of the Act). States must contract with an external EQRO, an independent organization that meets specific requirements described in regulation, to analyze and evaluate information on the quality, timeliness, and access to care a plan furnishes to Medicaid beneficiaries.

The regulations require four mandatory external quality review activities:

• validate MCO performance improvement projects;
• validate MCO performance measures or performance measures calculated by the state;
• review MCO compliance with federal regulations regarding availability of services, capacity, coordination and continuity of care, coverage and authorization of services, provider selection, confidentiality, grievance and appeal systems, subcontractor oversight, practice guidelines, health information systems, and quality assessment and performance improvement requirements; and
• validate MCO network adequacy.

Optional activities that a state could have an EQRO conduct include:

• validate encounter data reported by the MCO;
• administer or validate beneficiary or provider surveys;
• calculate additional performance measures;
• conduct additional performance improvement projects;
• conduct quality studies that focus on a particular aspect of clinical or nonclinical services; and
• Assist with developing quality ratings for MCOs.

The EQRO must provide a detailed technical report that summarizes findings on access and quality of care, including a description of the data obtained, conclusions drawn from the data, an assessment of each MCO’s strengths and weaknesses for the quality, timeliness, and access to health care services furnished to Medicaid beneficiaries, an assessment of the degree to which each MCO addressed any  recommendations for quality improvement made during the previous review, and recommendations for improving the quality of health care services furnished by each MCO, including how the State can target goals and objectives in the quality strategy. The report should also provide comparative information about all MCOs. The reports must be made available on the web.

While the requirement for external quality review is a federal accountability requirement for Medicaid managed care programs, the regulations do not describe how CMS will use the findings from the reviews. CMS has used external quality review reports as a source of monitoring and oversight information about state and plan compliance with federal managed care regulatory requirements. CMS has cited these reports as a key tool for identifying concerns and to demonstrate progress and regression on outcomes. CMS also uses external quality review reports in reviewing requests for waiver renewals, and uses some data from the external quality review reports in submissions to Congress regarding adult and child quality measures.

Annual program report

The new regulation creates a requirement that states must produce an annual program report for all managed care programs. While states already produce a variety of data and reports (e.g., encounter data, external quality review reports), there have not previously been any standardized comprehensive reports required of all state Medicaid managed care programs. CMS will develop guidance on the content and form of the report, and then states will be required to begin submitting reports the contract year following the release of the guidance.

Under the new requirement at 42 CFR 438.66, each state must submit to CMS no later than 180 days after each contract year a report on each managed care program, regardless of the authority under which the program operates. However, states that that operate their managed care program under a Section 1115 waiver may be able to substitute the annual report required by the waiver special terms and conditions, if it contains the same information.

The program report must provide information on and an assessment of the operation of the managed care program on, at a minimum, the financial performance of each MCO (including medical loss ratio experience), the quality and timeliness of encounter data reporting by each MCO, any enrollment or service area expansions or benefit changes under the contract, a summary of grievance, appeals, and state fair hearings, information on network adequacy standards and the availability and accessibility of covered services, performance on quality measures and other outcomes measures, the results of any sanctions, corrective action plans, or other performance improvement actions, a summary of the activities and performance of the beneficiary support system, and other relevant information about the delivery of LTSS not otherwise addressed. The annual program report must also be made available to the public via the web.