Selvadas Govind

Medicaid managed care organization oversight

CPAs can help states mitigate risks in Medicaid cost-containment efforts.

June 11, 2012
By Selvadas Govind, CPA

Medicaid, the joint federal-state program that provides health care to low-income Americans, is causing considerable fiscal strain for states. Medical inflation, certain incentives in the Patient Protection and Affordable Care Act, P.L. 111-148, and higher levels of unemployment since 2008 have left many states looking for ways to contain the cost of Medicaid programs, which generally account for the largest component of a state’s budget. 

The most common Medicaid cost-containment method among states is the use of managed care. Under Medicaid managed care programs, the states pass on the risk of providing Medicaid services to managed care organizations (MCOs), which accept fixed monthly capitated payments in return for providing Medicaid services to beneficiaries. Requiring that Medicaid services be attained through an MCO also reduces the number of health care providers a state oversees.

The structure of a Medicaid managed care environment, though, is still complex. The various private vendors to a state could include MCOs, fiscal intermediaries, electronic benefits transfer contractors, insurance companies, third-party administrators, and external quality-control organizations.   

Due to the amount of dollars flowing through the Medicaid program to those vendors, states must exercise oversight of managed care operations to ensure that services that are contracted for are being delivered. However, states have not been immune to the economic downturn and have laid off staff or are making employees assume additional duties. As a result, various state governments are emphasizing third-party audits of MCOs. Certain state governments want assurance that Medicaid funds are being used efficiently and properly. State governments are also taking steps to recover funds or impose liquidated damages when MCO inefficiencies or improprieties are discovered, or if an MCO is not complying with the terms of its contract. States also require corrective action plans to address noncompliance findings.

Many CPAs work for governmental units, health care organizations, or firms that have a stake in such audits. Understanding the factors surrounding such audits enables CPAs to better meet the needs of disparate stakeholders.

State expectations of MCOs

Since the late 1990s, more and more states have contracted with MCOs to provide Medicaid-funded services. Medicaid beneficiaries are assigned to an MCO and then seek medical care from the MCO’s network of providers. 

Within those contractual relationships, states have various expectations of MCOs, including:

  • Sufficient staffing levels for doctors and other health care professionals, as well as sufficient numbers of clinics for providing services.
  • Contract compliance and performance measurement and reporting.
  • Accurate and complete reporting of financial and statistical data.
  • Quality of care to beneficiaries.
  • Timeliness and accuracy of processing claims payments to providers.
  • Adherence to regulatory standards such as those for protected health information (PHI).

Risks to states

Conventional wisdom says that under a Medicaid managed care regime, MCOs are assuming the risk. That is only partially true. While MCOs bear significant financial risk, the state still retains a large risk because it bears the public responsibility for failings and shortcomings of an MCO’s performance. 

Some of the specific risks to states include the possibility of overpayment, inability to hold the MCO accountable because of complex organizational structures, safeguarding of PHI, inadequacy of utilization management systems, excessive administrative costs, and network adequacy. This list is by no means exhaustive.

Medicaid agencies also face considerable media scrutiny and federal government oversight. Governors and state legislators face reelection, among other political considerations.

If an audit of an MCO uncovers troublesome circumstances, certain state governments may recover millions of dollars through litigation or the imposition of liquidated damages. The state government, though, is ultimately responsible for oversight and is primarily responsible for returning federal matching funds that have been improperly spent.

Methods states use to provide independent oversight of MCOs

States are increasingly engaging CPA firms to mitigate their risks and provide independent oversight of MCOs. These engagements are generally performance audits, examinations, and, occasionally, agreed-upon procedures. The oversight objectives typically address:

  • Related-party transactions where administrative costs are used to pad the costs of the transaction. 
  • Accuracy of performance reporting by the MCO and its subcontractors.
  • Provider network adequacy.
  • Vulnerability of IT systems.
  • Marketing practices.
  • Necessity of health care services provided and utilization management.
  • Proper safeguarding of protected health information (PHI) and compliance with the Health Insurance Portability and Accountability Act, P.L. 104-191.
  • Responsiveness to member complaints.
  • Financial solvency.

What MCOs can expect from independent oversight

The Medicaid managed care industry has boomed in recent years. In many instances, the growth of MCOs has outpaced the development and implementation of adequate control and compliance structures. Independent audits should be viewed as a valuable tool to aid the MCO in managing its own risks, and in correcting shortcomings that could snowball into much bigger problems.

Some of the items found in past audits that led to corrective actions that eventually aided MCOs included:

  • Policies and procedures that were in conflict with the contract with a state.
  • Low provider reimbursement, which led to difficulties in establishing an adequate provider network.
  • Ineffective compliance with HIPAA privacy and security rule standards to safeguard PHI.
  • Use of third-party administrators (TPA) that did not separate PHI from other MCOs using the same TPA.
  • Lack of review of system logs.
  • Lack of review to ensure backup tapes are properly maintained or tracked.
  • Incorrect or incomplete disaster recovery plans.

CPAs may work on behalf of an auditing entity or an MCO. In either instance, being aware of the MCO compliance factors helps them assure that vital health care services are delivered efficiently and properly.

Selvadas Govind, CPA, MPA, CIA, CICA, is senior manager for health care assurance services for Weaver, an independent accounting firm with offices throughout Texas.