The New Medicaid Managed Care Rule and Its Effects on Compliance Programs

Kaitlin Lavin
Executive Editor
Loyola University Chicago School of Law, JD 2017


The Centers for Medicare and Medicaid Services (CMS) recently published a new rule for state contracts with Medicaid Managed Care Organizations (MCO). Medicaid MCOs provide comprehensive services to beneficiaries for capitated payments. The effective date of the rule was July 5, 2016. States will need to modify contracts with MCOs to comply with the new rule. For rating periods of MCO contracts beginning before July 1, 2017, CMS will not deem states non-compliant with the rule as long as they remain in compliance with corresponding sections of 42 CFR § 438, revised as of October 1, 2015.

The rule has expanded the inspection and audit rights for the state and federal government. It will expand the existing standard to include access to premises, physical facilities, and equipment of contractors or subcontractors where Medicaid-related activities or work is conducted. CMS and states will also be able to conduct inspections or audits at any time. CMS will have the right to audit for 10 years after the date on which a violation is committed, consistent with the False Claims Act at 31 U.S.C. § 3731(b)(2). CMS clarified that the phrase “at any time” means the specified entities may inspect and audit records and access facilities of MCOs or subcontractors outside of regular business hours. Access will not be conditioned on the reasonable possibility of fraud. Initially, CMS proposed that MCOs retain records for at least 6 years. However, CMS revised the final rule to require record retention for 10 years, consistent with the False Claims Act, as well as record retention requirements for the Medicare Advantage program.

Furthermore, the new rule requires managed care plans to implement administrative and managerial procedures to prevent fraud and abuse. The requirements have also been extended to the MCO subcontractors. CMS emphasized the importance of this regulatory structure, especially in states that rely on heavily sub-delegated arrangements. These procedures require compliance officers to begin reporting directly to both the CEO and board of directors of an MCO. Additionally, MCOs will need to establish a Regulatory Compliance Committee on the board of directors and at the senior management level charged with oversight of the compliance program. MCOs will need to establish a training and education system for the compliance officer, organization’s senior management, and the organization’s employees for the federal and state requirements under the contract. Compliance officers must develop an effective system of communication with employees. The compliance program will be responsible for routine internal monitoring and auditing of compliance risks, prompt response to compliance issues as they are raised, investigation of potential compliance problems as identified in the course of self-evaluation and audits, correction of such problems promptly and thoroughly to reduce the potential for recurrence, and ongoing compliance with the requirements under the state contract. States will have flexibility to set the parameters for a measure of “promptness” in their contracts, and to establish more stringent standards for defining and reporting on fraud and improper payments. In the contract, states may also prescribe a particular sampling method or other method when conducting audits.

The new rule will also affect payment to MCOs because overpayments represent state and federal Medicaid funds that were paid to an excluded or fraudulent providers by the MCO; states are expected to take such recoveries into account in developing actuarially sound capitation rates for the reimbursement of MCOs. This will incentivize MCOs to oversee the billing practices of network providers and undertake monitoring efforts on a proactive basis. State contracts now must all require MCOs to disclose any prohibited affiliations in writing. MCOs are prohibited from having affiliations with excluded individuals or entities, whether or not the relationship is known to the MCO. Failure to report such affiliations will result in sanctions, in addition to consequences for failure to comply with a condition of payment. As a result of this new rule, MCOs will need to start working on developing effective compliance programs and start reading state contracts a little more closely.