Compliance Oversight and Program Integrity in Medicaid Managed Care

Health Highlights

Editor’s Note: In the past four months, the Government Accountability Office (GAO) and Office of the Inspector General (OIG) have issued a barrage of reports scrutinizing Medicaid programs and their oversight of program expenditures. They assert that, despite Medicaid’s shift from a fee-for-service (FFS) to a managed care model, related oversight and compliance efforts have been slow to follow. On June 27, Centers for Medicare & Medicaid Services (CMS) Administrator Seema Verma announced initiatives to strengthen Medicaid managed care program integrity to address the GAO’s and OIG’s concerns.

In a new article for Bloomberg Law, summarized below, Manatt Health examines compliance oversight and program integrity in Medicaid managed care. Click here to download the full article free of charge. The content was based on Manatt’s recent webinar, “Strategies for Compliance Oversight and Program Integrity in Medicaid Managed Care.” Click here to view the webinar free on demand, and here to download a free copy of the webinar presentation.    


Program integrity includes activities to prevent, detect and respond to fraud, waste, abuse and noncompliance with certain contractual or other regulatory requirements that result in improper payments. Medicaid’s Payment Error Rate Measurement (PERM) program estimates the improper payment rate in Medicaid managed care to be only 0.3% or $500 million of Medicaid expenditures. The May 2018 GAO report, however, found that the rate of improper payments for Medicaid managed care is significantly underestimated.

With the convergence of Medicaid program oversight and the growth of Medicaid managed care, CMS, the states, managed care organizations (MCOs) and providers are all working to develop the best approaches to preventing fraud, waste and abuse. In the CMS 2016 Medicaid Managed Care final rule, CMS increased and standardized program integrity and other program oversight requirements.

Medicaid Program Integrity: Key Federal Regulations

Program integrity requirements cover the broad range of activities reflected in the federal regulations, including monitoring and auditing, the reporting of fraud and overpayments, infrastructure development and training, provider screening and enrollment, provision of written disclosures, and the treatment of overpayment recoveries. Key provisions and requirements include:

States and State Medicaid Agencies. States must have a monitoring system to address program integrity, methods and criteria for identifying fraud, and methods for verifying that billed services were provided. States also are required to periodically audit MCOs’ encounter and financial data and make the results of program integrity activities available online. States also must ensure that MCOs have procedures to detect and prevent fraud, waste and abuse, including dedicated staff. In turn, Medicaid agencies must report fraud and abuse to the state, along with the number of complaints that warranted further investigation. Medicaid agencies also must have procedures for referring suspected fraud to law enforcement and must refer providers suspected of fraud to Medicaid Fraud Control Units (MFCUs).

MCOs. MCOs must have methods for verifying whether services were received as authorized and paid for by the MCO, and promptly report identified fraud to both the state Medicaid agencies and the MFCUs. MCOs are required to report a significant amount of information to state Medicaid agencies to demonstrate their oversight and overpayment recovery efforts and successes.

Program Integrity and Compliance Relationships and Risks in Medicaid Managed Care

Federal Oversight. CMS has the most significant federal oversight responsibility, and its continued focus on FFS arrangements has drawn substantial criticism. Administrator Verma signaled that CMS will hold states to a higher level of accountability through more robust program integrity initiatives, including:

  • Auditing states’ MCO financial reporting to ensure states’ claims experience matches what plans have been reporting
  • Auditing state beneficiary eligibility determinations to assess how Medicaid expansion has affected the state’s Medicaid eligibility policy
  • Strengthening data sharing and analytics tools to enable states to root out fraud, waste and abuse

OIG oversees CMS’s program integrity role and MFCUs, and has played an important part in uncovering gaps related to fraud, waste and abuse in Medicaid managed care.

State Medicaid Agencies. The key players in state oversight, state Medicaid agencies, are responsible for:

  • Enrolling and screening all Medicaid providers, and ensuring that all prospective MCO network providers are enrolled in the Medicaid program
  • Monitoring MCOs’ compliance with contractual requirements
  • Assisting in investigating fraud, waste or abuse reported by whistleblowers, and taking the appropriate action upon learning of an allegation of fraud
  • Overseeing program operations and setting capitation rates

Medicaid Fraud Control Units. Each state is required to establish a single identifiable entity, separate from the Medicaid program, to investigate and prosecute Medicaid fraud.

MCOs. States rely on MCOs as critical partners in overseeing program integrity activities. MCOs must develop policies and procedures to ensure correct payments to providers and must monitor those providers, so they can target problems in real time and ensure that payments are made only for enrolled beneficiaries. MCOs also are responsible for vetting their network providers.

Program Integrity Risks Within Medicaid Managed Care. According to certain oversight bodies, some features of Medicaid managed care may actually incentivize MCOs to engage in fraudulent, wasteful or abusive conduct. These features, which MCOs will need to mitigate, include the following:

  • State Pays MCO a Capitated Payment. The state pays the MCO capitated payments for each enrolled beneficiary. To maintain fiscal integrity, capitation payments must be set in a sound manner and sourced from accurate encounter data. States must also make sure they are not making payments to MCOs for non-enrolled or deceased individuals. Increasingly, states are expected not to make capitation payments if the MCO engages in certain types of noncompliant behavior.
  • MCO Processes Claims. In managed care, the MCO, not the Medicaid agency, pays its providers. Therefore, the Medicaid agency plays a more removed role in ensuring that providers are providing accurate, timely and complete data to the MCO.
  • State Oversight of MCO Contracts and MCO Subcontracting. Although states use a standardized, CMS-approved contract to engage MCOs, the contracts permit MCOs to subcontract many of their obligations. These subcontractor relationships may create an additional barrier to proper oversight of MCOs. However, subcontractors also must engage in program integrity activities, and states expect MCOs to hold their subcontractors accountable for noncompliance.
  • MCO Sub-Capitation of Providers and Use of Other Incentives. Many MCOs enter into sub-capitation arrangements with providers—meaning providers assume the risk for providing services to a set of enrolled members, further removing the MCOs and state Medicaid agencies from the payments to providers. In addition, the increased focus on value-based payment is creating new issues with respect to program integrity oversight.
  • MCO’s Relationship With Its Provider Network. MCOs must have adequate provider networks that can adapt to personnel changes stemming from provider misconduct.

State Approaches to Compliance Oversight and Program Integrity of Medicaid MCOs

Many states amended their Medicaid managed care contracts to comply with the 2016 Medicaid managed care final rule. Recent trends in increased oversight include:

  • Detailed, often lengthy contracts (e.g., more than 400 pages)
  • Increased quantity and frequency of reporting
  • Imposition of liquidated damages or fines for contractual noncompliance
  • Use of withholdings/incentives to drive contract compliance
  • Incentivizing program integrity-related recoveries by permitting MCOs to share in overpayment recoveries not related to criminal fraud or False Claims Act violations
  • Giving multiple state agencies the right to audit MCOs
  • Mandated trainings for MCOs, subcontractors and/or providers

Examples of increased oversight include:

  • New Jersey. New Jersey dictates the specific number of full-time equivalent staff required to staff its special investigative unit (SIU) and requires that the SIU staff be dedicated to detecting fraud and abuse.
  • Texas. Texas’ contract includes detailed requirements regarding how fraud, waste and abuse must be investigated. In addition, it requires MCOs to submit annual written fraud, waste and abuse compliance plans to the Texas Office of Inspector General; submit quarterly fraud and abuse reports; and reflect the effectiveness of their anti-fraud plans in their annual reports.
  • Tennessee. Tennessee has one of the most, if not the most, advanced liquidated damages provisions, which imposes liquidated damages for noncompliance related to approximately 70 metrics. The dollar amounts of these liquidated damages range from $100 to $25,000 per occurrence per day.
  • New York. New York reduced its MCO capitation payments by $40 million in the aggregate, requiring MCOs to earn back their capitation through overpayment recoveries.

Continuing Challenges: States’ and MCOs’ Coordination of Program Integrity Activities

1. Administrative Challenges

  • Oversight Responsibilities. States that have only partially transitioned to Medicaid managed care must split their limited program integrity resources between FFS and managed care oversight. The result may be compromised oversight of both programs. In states that have more fully transitioned to Medicaid managed care, state Medicaid agencies have significant responsibilities beyond oversight of the MCOs. Consequently, the time they may be able to devote to oversight may be limited.
  • Access to Data. Access to timely quality encounter data may be limited, particularly when states are transitioning to managed care or when new populations are being transitioned into managed care. 
  • Increased Program Integrity Expectations. Increased program integrity and compliance expectations are administratively and financially burdensome for both states and MCOs. 

2. Financial Challenges 

  • Provider Overpayments. MCOs that retain the recovered overpayments must account for them in the rate-setting process. Overpayments that are not identified will inflate the MCO’s expenditures and potentially increase the MCO’s rates in future years.
  • Calculation of MCOs’ Medical Loss Ratio (MLR). The MLR reports how much of an insurer’s healthcare premiums is spent on medical expenses versus how much is spent on administration, fees and profits. Under the Medicaid managed care final rule, MCOs must report certain fraud prevention and reduction expenses in the numerator of the MLR, which should incentivize MCOs to invest in program integrity and compliance-related interventions. However, all other program integrity activities are considered an administrative expense so are not counted in the numerator. These policies may impact how plans invest in fraud and abuse prevention activities.
  • Training and Appropriate Staffing. Both states and MCOs have struggled to find qualified, well-trained staff to oversee program integrity activities. Similarly, MCOs have difficulty recruiting qualified staff to perform oversight functions.
  • Need for Adequate Resources. States that have not already done so need to recognize that MCOs have to account for adequate resources in setting their rates to develop effective program integrity oversight systems.

3. Additional Challenges

  • State Focus on Punitive Action. States tend to focus on taking punitive action against MCOs for inadequate compliance and oversight, which may undermine the state-MCO partnership needed to properly execute Medicaid programs.
  • Complexity of Political Relationships. MCOs often have both strong political capital in the state and access to the governor’s office or to state legislators to advocate against particular program integrity or other requirements. Some MCOs may also use these relationships to influence Medicaid agencies. These factors can make holding all MCOs equally accountable for noncompliance challenging.
  • Coordination of Program Integrity Roles. In most states, the Medicaid program integrity unit (PIU) and the MFCU share primary responsibility for protecting the integrity of the Medicaid program. Both agencies express frustration at the difficulty of maintaining lockstep activity in identifying, addressing and preventing fraud, waste and abuse. 

Enhanced Oversight of MCOs Will Challenge Providers, Having Direct and Immediate Impact

Due to increased oversight of the MCOs by federal agencies, providers should anticipate increased auditing from both state Medicaid agencies and multiple MCOs, more stringent reporting requirements, and increased requests for data. MCOs may also be likely to saddle providers with the responsibility of handling more program integrity and compliance requirements.

Looking Ahead: Compliance and Oversight in Medicaid Managed Care

Medicaid Managed Care Zero-Tolerance Activity. MCOs should expect that state Medicaid agencies will have zero tolerance for MCOs that:

  • Engage in prohibited relationships
  • Make payments to providers who are not enrolled in the Medicaid program
  • Submit incomplete or inaccurate data
  • Fail to act in a timely manner on a fraud referral
  • Make payments for deceased beneficiaries
  • Report unallowable expenses in calculating their MLR

Striking a Balance Between Holding Providers Accountable and Allowing Them to Focus on Service Delivery. Providers need to be engaged in this process—but states and MCOs must assess whether providers are being overburdened by data collection requirements, reporting requirements, duplicative ownership and disclosure submission requirements, and audits.

Outlook for Oversight Concerns: Lessons From Medicare. Looking forward, we believe that the Medicaid managed care program may want to take note of the Medicare Advantage (MA) program’s program integrity issues in order to avoid similar risk areas in the future. In the MA program, CMS has learned that mistakes and risk score up-coding often lead to improper (higher) payments to MCOs. As a result, CMS has focused some of its oversight efforts on risk adjustment data validation (RADV), which has identified concerning behavior.   

MCOs Also Must Be Alert to National Public Health Priorities. Key priorities include addressing overprescribing of opioids, ensuring access to substance use treatment and addressing the social determinants of health through managed care.


Federal scrutiny of program integrity and compliance within Medicaid managed care continues to increase. Despite growing scrutiny and having to work with limited resources, most participants in the Medicaid program do not want the program to be weighed down by fraud, waste and abuse. As recent oversight reports recommend, states should share program integrity best practices and increase collaboration. Over time, with more collaboration and sharing of best practices, program integrity and compliance in Medicaid managed care undoubtedly will improve. Overall, the relationship between states, MCOs and providers should be a partnership in upholding program integrity and compliance in Medicaid managed care. Seamless collaboration will provide quality of care to Medicaid patients, ensure the appropriate use of limited Medicaid funding, and encourage continued innovation and value-oriented care delivery.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved