Skip to content
Quick Start for:

Section IV: Detection of Fraud and Abuse in Medicaid Managed Care

History

In response to rising health care costs and to an interest in providing high quality, cost-effective health care, states and private payors have turned to managed care as an alternative to the traditional fee-for-service health care delivery system. Managed care relies on a primary care physician to provide medical services and serve as a “gatekeeper” who approves patients’ visits to specialists. Managed care is designed to control health care costs by reducing unnecessary care and by effectively using case management techniques.

Managed care arrangements were once seen as a way to deliver cost-effective health care and as a way to eliminate the incentive for fraud and abuse found in the fee-for-service system.

Between 1993 and 1998, the number of managed care plans participating in state Medicaid programs more than doubled in the nation, until they reached a total of 585 managed care plans in June 1998. With the exception of Alaska and Wyoming, most states have begun or are in the process of pursuing, some form of managed care program for their Medicaid population.

As of June 1998, 43 states and Washington D.C. had more than 25 percent of the national Medicaid population enrolled in managed care and more than 25 percent of the Medicaid population in 12 of these states was covered by managed care.[1]

As of fiscal 2000, 29 percent of the Texas Medicaid clients are participants in managed care plans.[2] These accounted for more than $ 873 million in fiscal 2000 Medicaid spending for just the Health Maintenance Organization (HMO) contracts. [3]

Despite its growth, managed care has not eliminated incentives to commit fraud and abuse in the Medicaid program. It has only influenced the way in which fraud and abuse is perpetrated. It is up to those who monitor of managed care systems to meet the challenge to prevent and detect managed care fraud and abuse.


Payment Methods

In contrast to fee-for-service plans where providers bill individuals, commercial insurers or the state in the case of Medicaid for services, managed care plans are paid a prospective capitated payment that covers comprehensive medical services for an enrollee. Each of these payment methods can lead to different types of fraud and abuse requiring special detection methods.

Under the traditional fee-for-service arrangements, health care providers submitted individual claims to the state’s Medicaid claims processor. This claim submission process created a trail of paperwork that was useful for detecting trends in fraudulent billing.

A common abuse found in fee-for-service payment methods is known as “upcoding.” Upcoding occurs when a provider charges for a procedure or office visit that is more complicated than the one actually provided and means a higher reimbursement. This type of abuse can be detected by analyzing the claims data. In this instance, profiling an individual provider’s procedure codings is contrasted with the normal procedure coding patterns for that type of provider. This type of analysis is part of the routine review of claims data conducted by surveillance and utilization review (SURS) units in state agencies that administer the Medicaid program or their contractors.

To provide managed care, states use their Medicaid funds to contract with Health Maintenance Organizations. These HMOs then contract with health care providers such as physicians and hospitals to deliver health care services to clients. (See Section I, page 5 for more information about types of managed care plans.)

Under these managed care arrangements, HMOs reimburse providers through either a capitated reimbursement or fee-for-service basis. Generally, the primary care physician receives a capitated payment, while a specialist receives a fee-for-service. Hospitals usually receive payments based on negotiated contracts with the HMOs.

With capitated reimbursement, providers do not file individual claims for reimbursement. The only data available that details the actual services received by Medicaid clients is called “encounter data.” Any medical service provided under managed care is referred to as an “encounter.” For example, a visit to a primary care physician’s office for an immunization would be an “encounter.”

One example of an abuse in a managed care system would be the underutilization of services by clients because of the difficulty in obtaining an appointment. However, in the case of managed care, review processes and systems do not exist that would easily detect underutilization. The lack of claims data makes investigation of potential fraud and abuse in managed care difficult. This issue is the crux of the challenge facing Medicaid programs to develop appropriate and effective methods of detecting this and other types of fraud and abuse.


The Challenge of Managed Care Fraud and Abuse Detection

How to detect fraud and abuse in managed care systems has been a perplexing problem in both the federally administered Medicare program and the state-administered Medicaid programs. Various federal government entities and task forces have focused on seeking solutions to these issues and have published those findings. Texas and other states have begun to address the detection of managed care fraud and abuse in Medicaid programs through legislative and administrative actions.

The discussion below summarizes the findings of the federal government studies as well as the status of Texas’ and other states’ Medicaid fraud and abuse detection programs. Recommendations for improvements are also provided.


Federal Agency Oversight

Various federal agencies are responsible for maintaining the integrity of both the federal Medicare and the state-administered Medicaid programs through their administrative and law enforcement authority. Along with their general responsibilities, each agency has recognized the need for more prevention, detection and enforcement in the area of managed care fraud and abuse.

The U.S. Department of Health and Human Services (HHS) Health Care Financing Administration (HCFA) is responsible for the overall administration of the federal Medicare program and the state-administered Medicaid programs. The U.S. Department of Health and Human Services Office of the Inspector General (OIG) audits programs administered by the department as well as reports on significant issues such as Medicaid managed care fraud.

The OIG also plans additional reviews of managed care programs during fiscal 2001. For Medicaid managed care, the OIG intends to conduct studies on the marketing and enrollment practices of Medicaid managed care contractors, the prevalence of duplicate payments in Medicaid fee-for-service programs for those clients enrolled in managed care and the payment of emergency health services for managed care clients. [4]

The U.S. Department of Justice (DOJ) works closely with the HHS to bring civil and criminal actions against those who commit health care fraud and abuse. The DOJ established the Health Care Fraud and Abuse Control Program in 1996 as a result of federal legislation. The purpose of the program is to combat fraud and abuse in both public and privately funded health care. Through this program, the DOJ and HCFA and the OIG of the HHS work together and with state agencies such as the Texas Health and Human Services Commission (HHSC) and the Office of the Attorney General (OAG) and local law enforcement on preventing, detecting and prosecuting health care fraud.

The Civil Division within the DOJ continues to chair the Managed Care Fraud Working Group that coordinates the managed care enforcement activities of federal agencies, national associations and state Medicaid Fraud Control Units (MFCU), such as the one at the OAG.[5]


HCFA Guidelines Published

In response to increased national concern about Medicaid managed care fraud and abuse, HCFA assembled a National Medicaid Fraud and Abuse Initiative in 1997 to create draft guidelines for effective methods to detect and report cases of Medicaid fraud and abuse. The HCFA work group published its final report entitled Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care in August 2000. The report provides ideas and guidance to help states and other stakeholders to prevent, identify, investigate, report and prosecute fraud and abuse in capitated managed care programs.

Some of the common types of potential managed care fraud and abuse cited in the report are:

• Enrollment by a HMO of beneficiaries that do not exist, do not meet the eligibility requirements, or failure to notify the state when members die.[6]

• Deceptive or unfair marketing or sales practices to enroll beneficiaries, for example, to discourage individuals who are not healthy from enrolling or to charge an enrollment fee when there is actually no charge. [7]

• Encouraging underutilization of services, for example, restricting access to preventive care, limiting office hours to inconvenient times for patients or creating excessively long waiting times for an appointment.[8]

• Falsely inflating capitation rates that states pay HMOs by filing false cost reports, which may include costs and services that are not provided or filing false information to obtain increases in capitation rates.[9]

• Discouraging members from seeking referrals for specialty care from their primary care physicians.[10]

• Problematic contractual relationships between HMOs and third parties, such as falsifying subcontractor services, or providing low quality goods and services.[11]

The report identifies five key components for an effective managed care fraud and abuse prevention and detection program: formal plans, coordination activities, prevention strategies, detection strategies and enforcement strategies.

The Guidelines suggest that the state agency in charge of administering the Medicaid program should have a formal, written plan detailing its fraud and abuse prevention and detection activities, including those in managed care.

The HMO also should commit to preventing and detecting fraud and abuse through the establishment of a formal plan and operational policies and procedures. The plan could be an ongoing compliance plan used by the HMO or a plan approved by the Medicaid state agency. Some of the operational policies and procedures instituted by the HMO should include: conducting regular reviews and audits of operations, educating all stakeholders about fraud and abuse prevention, establishing a reporting procedure for fraud and abuse and monitoring service delivery patterns of providers and subcontractors.

Medicaid agencies should establish prevention activities, such as using contract provisions to require using contract provisions that require HMOs to report fraud and abuse to the Medicaid agency, educating clients about fraud detection and reporting, providing telephone hotlines for complaints and implementing a continuous review process to detect program weaknesses.[12]

State Medicaid agencies should ensure all governmental agencies and contractors have established systems for communicating areas at risk for fraud and abuse and occurrences of fraud and abuse.[13]

To detect managed care fraud and abuse, the Guidelines recommend states conduct:

1) comparative analysis of HMO utilization, performance, outcomes, referrals and disenrollment;

2) routine reviews of problem areas such as transportation, home health care, pharmacy and durable medical equipment;

3) managed care service data validation for encounter data, provider qualifications and the size of an HMO’s network;

4) random review and beneficiary interviews to identify possible errors, enrollment fraud and contract provisions; and

5) unannounced site visits.[14]

To perform a comparative analysis, which may be the most useful detection activity, the availability of accurate, timely and reliable data is critical. A comparative analysis is similar to a surveillance and utilization review of fee-for-service claims. The data that is gathered from multiple sources could be enrollment data, encounter data, financial data or complaint reports. (See Section I, page 9 for a further discussion of surveillance and utilization reviews)

Of the different types of data, access to encounter data is necessary for performing a comparative analysis. The Guidelines point out, however, that not all encounter data are defined and reported in uniformly, and states should chose a definition that works for them.

Some encounters are described as unique services such as a physical exam and an injection, which is counted individually. In this instance, the total encounters reported are two. Other encounters are defined as a unique encounter with a health care provider. Under this definition, the exam and the injection is counted as one encounter. [15]

The Guidelines emphasize the importance of collecting accurate and complete data. To achieve this goal, the state Medicaid agency could require the HMOs to certify their submitted data as accurate and complete. Another way is to validate the data by checking for errors and omissions. Finally, the state Medicaid agency could assess penalties against HMOs for providing inaccurate data.[16]

Enforcement activities should include cooperation between the Medicaid agency and the Medicaid Fraud Control Unit as well as formal procedures for all stakeholders to report suspected cases of fraud and abuse. Penalties could include monetary fines, recoupment of prior payments, suspension or exclusion from the Medicaid program and, ultimately, criminal prosecution and conviction.[17]


Other States’ Experiences

Before the publication of issuing the Guidelines, the U.S. Department of Health and Human Services Office of Inspector General published the findings of an investigation of ten states’ efforts to prevent and detect fraud and abuse in Medicaid managed care programs. The investigation focused on those states in which a significant portion of Medicaid clients receive services through managed care.[18]

The results of this report illustrate that confusion and disagreement exist among the various Medicaid program officials over how to combat fraud and abuse and that efforts to pursue cases of Medicaid managed care fraud and abuse are limited. In summary, this study revealed that only two of the ten states investigated, Arizona and Tennessee, had proactive programs to detect and report Medicaid managed care fraud and abuse. None of the ten states’ Medicaid Fraud Control Units had staff designated specifically to investigate Medicaid managed care. Six of the ten states’ officials believed that Medicaid states agencies did not focus on managed care fraud and abuse. Moreover, some of the states did not include specific contractual provisions requiring HMOs to report potential fraud and abuse to the proper state authorities.[19]

Findings in a 1997 U.S. General Accounting Office report also noted that all of the four states studied—Arizona, Wisconsin, Tennessee and Pennsylvania—had different ways to collect Medicaid managed care encounter data. Furthermore, the report found that the states’ use of encounter data to identify problems with client care was minimal.[20]

Some of the proactive initiatives undertaken by Arizona and Tennessee include training for the managed care organizations as well as regular meetings to discuss fraud and abuse prevention. Arizona also conducts a public awareness campaign about health care fraud and abuse detection. [21]

Of particular interest is Arizona’s fraud and abuse detection program. In the Texas Comptroller’s December 1998 Health Care Claims Study, Arizona’s Medicaid Managed Care Program was noted for its innovative efforts for the prevention and detection of fraud and abuse in a managed care system.[22]

Two years later, Arizona is still considered at the forefront. For instance, the Arizona Health Care Cost Containment Commission’s Office of Program Integrity spends time on training, education and outreach, both for their staff as well as with their HMOs.

Arizona’s Office of Program Integrity’s (OPI) policies, which were finalized in 1996,mandate that all Medicaid managed care organizations comply with the following requirements:

• Include contract language that requires the reporting suspected fraud and abuse to the Arizona OPI and permits the Arizona Health Care Cost Containment Commission to monitor and audit HMOs.

• Create a fraud and abuse control program with activities in place to detect, prevent and facilitate reporting fraud and abuse.

• Appoint a fraud and abuse coordinator at the HMO.

• Develop and provide to the OPI a written plan explaining how the health plan identifies and combats fraud and abuse

Most importantly, Arizona also collects encounter data. While Arizona believes its encounter data is fairly complete and accurate, there are still problems with the encounter data submitted by the HMOs. For example, the encounter data is not available as soon as traditional fee-for-service claims data. HMOs have 240 days to report encounters to the OPI. It may then take up to one year before the encounter data is validated and considered “clean.” In addition, no monetary incentives are tied to HMOs’ reporting encounter data because the HMOs are paid on a capitated basis. There is no reason for them to compile encounter data and submit it to the state any earlier than contractually required.[23]


The Texas Medicaid Managed Care Program

The Texas Medicaid managed care program began as a pilot program in 1993 in two regions of Texas. As of fiscal 2000, 29 percent of Texas Medicaid clients are participants in managed care plans.[24] These participants accounted for more than $873 million in fiscal 2000 Medicaid spending.[25] As stated previously in this report, the term “managed care” can refer to different delivery models like primary care case management, prepaid health plans and capitated risk-based contracts with Health Maintenance Organizations.

Claims for the primary care case management and prepaid health plans are paid through the existing fee-for-service claims processing system. Therefore, those claims are subject to the existing controls for fraud and abuse prevention. However, the administration of the Medicaid managed care contracts with HMOs are outside of the existing system. Therefore, fraud and abuse control for these plans present special challenges and are the focus of the following discussion.

At the state level, the Texas Health and Human Services Commission’s (HHSC) is responsible for operating the entire Texas Medicaid program, which is administered by state agencies such as the Texas Department of Health (TDH). HHSC’s Office of Investigation and Enforcement (OIE) is responsible for investigating fraud and abuse in the Medicaid program as well as enforcing state law.[26] The Texas Attorney General’s Office’s (OAG) Medicaid Fraud Control Unit (MFCU) conducts criminal investigations relating to fraud in the Texas Medicaid program. The MFCU refers cases for prosecution by federal and local law enforcement.[27] In fact, the OAG and the HHSC have a formal Memorandum of Understanding relating to their roles. [28] These agencies’ responsibilities in fraud and abuse prevention, detection and enforcement also extends to Medicaid managed care.

State legislation passed in 1997 requires Medicaid managed care organizations to report all information required to detect fraud and abuse to HHSC. The HMOs must have a written fraud and abuse control plan that conforms to guidelines developed by TDH, HHSC and OAG. The plan must have requirements that the HMOs report any suspected cases of fraud and abuse to TDH. [29] HMOs also have a designated person at the executive level who is responsible for the HMOs’ compliance with the fraud and abuse control plan.[30]

OIE worked with the HMOs to develop the guidelines for the HMOs’ fraud and abuse plan and has developed a model plan that the HMOs may use.[31] Moreover, the HHSC makes presentations about fraud and abuse control at the quarterly meetings of the TDH staff and HMO chief executive officers.

Before an HMO can begin delivering services under its contract, TDH makes sure that the HMOs’ internal claims processing system performs automated screening of improper claims submissions on prepayment basis, which should be similar to those used by a fee-for–service system to check for appropriate coding of office visits, etc.

Other operational features of the managed care program include a requirement for HMOs to have a member services department to communicate with a plan’s clients, a requirement that physicians post notice of the appeals process for denial of services, and the automatic assignment of a primary care physician if none is selected by the client. TDH is also implementing an automated contract compliance program to monitor contracts with HMOs. [32]

The most significant challenge that remains in an effective fraud and abuse control system for Medicaid HMOs is ensuring the complete and timely reporting of encounter data. A study published by the Texas Comptroller in 1998 found that TDH was unable to collect comprehensive encounter data from the Medicaid HMOs.[33] In August 2000, the Texas State Auditor’s Office reported an increase in the completeness and accuracy of encounter data for fiscal 1998, although that increase is up to an overall level of 50 percent accuracy.[34] Problems with the reporting of encounter data was also noted in a November 2000 HHSC report on Medicaid managed care.[35]

Furthermore, neither TDH or HHSC has any automated system to analyze encounter data that could detect such abuses as over or underutilization of services. This lack of an automated review system is a critical weakness in the state’s overall efforts to control Medicaid fraud and abuse, which ultimately leaves more than $ 800 million in annual Medicaid spending at risk of fraud and abuse.


Recommendations

A. State law should be changed to require HHSC and TDH to develop a formal plan for reporting and using encounter data.

Legislation should be enacted to require HHSC OIE and TDH to develop a formal plan that will identify all outstanding issues concerning the collection, validation and automated analysis of encounter data. This formal plan should include strategies for resolving these issues and a target date for completion.

B. The Comptroller should conduct a pilot study to measure potential fraud and abuse in Medicaid managed care plans

As part of the next required fraud measurement study, the Comptroller should develop and pilot new ways to sample Medicaid managed care data from HMOs so that the level of potential fraud and abuse in the state’s Medicaid managed care HMO contracts can be measured.


Fiscal Impact

Using HMOs to provide Medicaid services does not relieve oversight agencies such as HHSC from the responsibility for preventing and detecting fraud and abuse. Therefore, HHSC should develop a plan and resolve the issues relating to encounter data within its current appropriations.

The Comptroller is already required to conduct a biennial study, so adding a pilot study of Medicaid managed care would only modify the study’s scope. The pilot can be conducted within the Comptroller’s current appropriations.


[1] The Henry J. Kaiser Family Foundation, “Medicaid and Managed Care,” June 1999, Washington, D.C., p. 1. (Fact sheet.)

[2] Texas Health and Human Services Commission, Medicaid Managed Care Report (Austin, Texas, November 2000), Chapter 1, p. 1 (http://www.hhsc.state.tx.us/medicaid/mmc_pdf/C1_Exec_Summary.pdf). (Internet document.)

[3] Texas Comptroller of Public Accounts, data extract from the Uniform Statewide Accounting System, Austin, Texas, October 2000. (Computer printout.)

[4] US Department of Health and Human Services, Office of Inspector General, Work Plan Fiscal Year 2001 (Washington, DC), pp. 27-28 (http://www.os.dhhs.gov/oig/wrkpln/2001/wp2001.pdf). (Internet document.)

[5] US Department of Health and Human Services and US Department of Justice, Health Care Fraud and Abuse Control Program Annual Report For FY 1999, “Monetary Results” (Washington, DC, January 2000) (http://www.usdoj.gov/80/dag/pubdoc/hipaa99ar21.htm%23c). (Internet document.)

[6] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care (Washington, D.C., August 2000), pp. 18-20 (http://www.hcfa.gov/medicaid/fraudgd.pdf). (Internet document.)

[7] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 17 and 19.

[8] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, p. 21.

[9] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, p. 25.

[10] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 22-23.

[11] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 14-15.

[12] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 38-40.

[13] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 40-41.

[14] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 42-43.

[15] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 34-35.

[16] US Health Care Financing Administration National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 35-37.

[17] US Health Care Financing Administration, National Medicaid Fraud and Abuse Initiative, Guidelines for Addressing Fraud and Abuse in Medicaid Managed Care, pp. 44-46.

[18] US Department of Health and Human Services, Office of Inspector General , Medicaid Managed Care Fraud and Abuse (Washington, DC, June 1999), p. i (http://oig.hhs.gov/oei/reports/a375.pdf). (Internet document.)

[19] US Department of Health and Human Services, Office of Inspector General , Medicaid Managed Care Fraud and Abuse, pp. i-ii, 9-10.

[20] US General Accounting Office, Medicaid Managed Care: Challenge of Holding Plans Accountable Requires Greater State Effort (Washington, D.C., May 1997), pp. 13-15 (http://gao.gov). (Internet document.)

[21] US Department of Health and Human Services, Office of Inspector General, Medicaid Managed Care Fraud and Abuse, p. 8.

[22] Texas Comptroller of Public Accounts, Final Staff Draft Report on Health Care Claims Study and Comments from Affected State Agencies (Austin, Texas, December 1998), p. 54.

[23] Telephone interview with Pete Francis, director of the Office of Program Integrity, Arizona Health Care Cost Containment System, Phoenix, Arizona, June 8, 2000.

[24] Texas Health and Human Services Commission, Medicaid Managed Care Report, Chapter 1, p. 1.

[25] Texas Comptroller of Public Accounts, data extract from the Uniform Statewide Accounting System.

[26] Texas Health and Human Services Commission, Office of Investigation and Enforcement, 3rd and 4th Quarters, FY 2000: Semi-Annual Report to the Legislative Budget Board, Governor, Lt. Governor, and other members of the Legislature (Austin, Texas, October 2000), p. 1 (http://www.hhsc.state.tx.us/OIE/Reports/FY002ndSemiAnnualRpt.pdf). (Internet document.)

[27] Texas Office of the Attorney General, “Agency Divisions and Contacts,” Austin, Texas (http://www.oag.state.tx.us/agency/criminal.htm#MedicaidFraud ). (Internet document.)

[28] Texas Office of the Attorney General and the Texas Health and Human Services Commission, Joint Semi-Annual Coordination Report September 1, 1999 – February 29, 2000 (Austin, Texas), p. 1 (http://www.oag.state.tx.us/AG_Publications/pdfs/jointrpt.pdf). (Internet document.)

[29] V.T.C.A., Government Code §531.114 (Texas Legislative Council text online at http://www.capitol.state.tx.us/statutes/go/go)53200.html#go)18.532.114).

[30] Interview with Sue Milam, bureau chief, Texas Department of Health Bureau of Managed Care, Austin, Texas, September 28, 2000.

[31] Texas Health and Human Services Commission, Office of Investigation and Enforcement, 3rd and 4th Quarters, FY2000: Semi-Annual Report to the Legislative Budget Board, Governor, Lt. Governor, and other members of the Legislature, p. 11.

[32] Interview with Sue Milam.

[33] Texas Comptroller of Public Accounts, Final Staff Draft Report on Health Care Claims Study and Comments from Affected State Agencies, p. 53.

[34] Texas State Auditor’s Office, A Follow-Up Audit of Medicaid Managed Care at the Department of Health (Austin, Texas, August 2000) (http://www.sao.state.tx.us/Reports/report.cfm?report=2000/00-039). (Internet document).

[35] Texas Health and Human Services Commission, Medicaid Managed Care Report, Chapter 6, pp. 1-2.