AHA Urges CMS to Rigorously Enforce New Policies to Safeguard MA Coverage

Meena Seshamani, M.D.
Deputy Administrator and Director
Center for Medicare
Centers for Medicare & Medicaid Services
7500 Security Blvd.
Baltimore, MD 21244

Dear Dr. Seshamani:

On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations and our clinician partners, the American Hospital Association (AHA) appreciates the policies codified in the calendar year (CY) 2024 Medicare Advantage (MA) final rule, including the important protections for MA beneficiaries and the increased oversight of Medicare Advantage Organizations (MAOs). The AHA strongly supports these regulatory changes intended to improve how coverage works for enrollees, promote more timely access to care, ensure better alignment and coverage parity between Traditional Medicare and Medicare Advantage, and reduce the administrative burden of health plan requirements on health care providers and their patients.

As you know, hospitals and health systems nationwide are increasingly concerned about certain MAO policies that restrict or delay patient access to care, while adding cost and burden to the system. These concerns are enumerated in our recent letters to the Centers for Medicare & Medicaid (CMS) in August 2022 and February 2023. We believe the new rules will go a long way in ensuring Medicare beneficiaries have equal access to medically necessary care and that those enrolled in MA plans will not continue to be unfairly subjected to more restrictive rules and requirements. However, while the new rules are a critical step forward in advancing patient access and holding MAOs accountable for adhering to federal rules, we believe a heightened level of enforcement and oversight is needed to facilitate meaningful change. We urge the agency to conduct rigorous oversight to enforce the policies and safeguards included in the rule and to ensure that appropriate action is taken in response to any violations.

In the following sections, we enumerate our concerns about plans’ efforts to comply with the new rules taking effect Jan. 1, 2024, the challenges providers face in escalating and resolving violations of federal rules, and our specific recommendations for opportunities to strengthen enforcement and oversight of the MA program.

COMPLIANCE WITH NEW RULES

While we recognize the new rules do not apply to coverage years before Jan. 1, 2024, we are concerned by reports from our members that certain MAOs may not comply with the new regulations. Specifically, as a result of interactions with MAO partners, hospital leaders have heard from some MAOs that they either do not plan to make any changes to their protocols as a result of the new rules or, in contrast, have made changes to their denial letter terminology or procedures in a way that appears to circumvent the intent of the new rules.

Given the broad and far-reaching changes finalized in the CY 2024 MA rule, it is striking that several large, national MAOs would report to our members that they do not intend to make any modifications to their utilization management protocols in response. In the proposed and final rules, CMS thoughtfully articulates and seeks to address a variety of circumstances in which existing rules are not being followed or services that would have been covered under Traditional Medicare that are being routinely denied by MAOs. We are troubled that certain MAOs may interpret the final rule as to not require them to make any changes to their practices. At least one plan reports that they still do not believe the Two-Midnight rule applies to them as an MAO, which directly contradicts our understanding and reading of the CY 2024 final rule.

In other cases, we have observed changes in certain MAO denial letters (shared with us by members) that appear to directly contradict CMS’ stated intent in the final rule that MAOs must adhere to the Traditional Medicare coverage criteria for inpatient admissions (e.g., the Two-Midnight rule, the Inpatient Only List, or the case-by-case exception). Specifically, members have reported that certain plans are retroactively reviewing inpatient stays that received prior authorization citing that they are not doing so as a medical necessity audit but rather under a short stay audit that is performed on any inpatient Medicare stay that is less than two days. We understand that the Two-Midnight presumption does not apply but the criteria by which the plan is required to review the inpatient stay retroactively should be against the Traditional Medicare criteria for inpatient admission (specifically, the Two-Midnight rule) — not the criteria of a short stay policy of the plan’s own making. This appears to us as a direct contraction of the requirements included in the CY 2024 MA final rule. As a result, we encourage CMS to provide further direction and guidance to MAOs leading up to implementation.

In some cases, terminology changes in certain MAO denial letters are causing concern among our members. Specifically, the use of language stating that denials of inpatient care are payment reviews and not level of care reviews, medical necessity audits or organizational determinations — even when the audit is explicitly evaluating whether the inpatient level of care was appropriate and results in the care delivered being downgraded to observation status and payment. Some MAO denial letters for short stay audits on an inpatient admission now specifically indicate that “short stay DRG audits are not medical necessity audits” and refer to medical necessity denials as “payment integrity administrative reviews.”

For example, a member hospital received a denial letter from an MAO, on behalf of a third-party vendor, for a short stay audit for inpatient care noting that they conducted a “payment integrity administrative review, not a level of care or a medical necessity review, focused on payment of services.” The letter goes on to say that the plan “is not denying the services provided, rather the review is focused on the payment of services documented in the medical record.” It is unclear to us how such an audit — which is determining whether inpatient care was appropriate — would not be a level of care or medical necessity review, which by definition would constitute an organizational determination subject to CMS rules.

We are concerned these terminology changes and the language of “payment integrity administrative review” is intended to circumvent CMS rulemaking under the auspice that this is a payment issue not subject to CMS interference, as opposed to a coverage determination. We understand this to be the precise type of circumstance CMS was trying to protect against in the CY 2024 MA final rule where the agency states that coverage and payment are intrinsically linked and that CMS has interpreted § 422.101(a) to require MA organizations to “provide coverage of, by furnishing, arranging for, or making payment for Part A or Part B items and services.”

As noted above, we recognize that the new rules are not yet in effect, but we want to raise these concerns on behalf of our members given the level of concern among hospitals and health systems that the new rules may not be meaningfully followed by certain plans — and that there are limited pathways available for them to escalate or resolve these types of issues once the rules are in effect (as discussed below). With this in mind, we urge CMS to issue clarifying directives to MAOs regarding the applicability of the Two-Midnight rule and the obligation for MAOs to provide payment for covered services. We also urge CMS to close loopholes in terminology or practice that allow MAOs to deny services or payment in a way that circumvents established processes for adjudicating adverse organizational determinations.

PATHWAYS FOR ESCALATION AND RESOLUTION OF VIOLATIONS

Hospitals and health systems that are contracted with MAOs have no streamlined mechanisms for providers to report suspected violations of federal rules to CMS or other appropriate oversight entities. In fact, many provider-MAO contracts require disputes to be decided in closed-door arbitration, so neither CMS nor the public will ever learn about suspected violations. We recognize the non-interference clause expressly prohibits CMS from intervening in matters related to payment or contracts. However, violations of federal policy are not just a contractual issue, and therefore, private dispute resolution is not the appropriate oversight mechanism to address broader issues of non-compliance with federal laws or regulations. The absence of a streamlined way to address violations of federal rules leaves providers without adequate mechanisms to resolve issues that impact patient access to care and payment for services that are covered by Medicare.

For example, we provided a member hospital example in the appendix of our February 2023 letter to CMS regarding an MA plan with a substantial backlog in appeals cases. The MAO has a published, publicly available policy of responding to appeals within 60 days of a provider filing a dispute after receiving an adverse benefit or payment determination. In February, the health system reported 140 outstanding appeals with this MAO alone — all of which are for MA beneficiaries — that are greater than 60 days old where they have not yet received a response from the plan. The MAO has acknowledged that they are behind but has not made any tangible progress in addressing the backlog of cases despite the health system’s efforts to escalate. As of September 2023, not only has the backlog of appeals not been addressed, but it has grown to 189 cases that are over 60 days old, approximately 50% of which are from 2022. In the meantime, the MAO withholds payment for the services in question, even when historical appeal success rates evidence that the denials are likely to be overturned.¹

This unnecessarily delays adjudication of the claim for the patient and their provider while unfairly creating barriers to timely resolution of appeals. It also demonstrates the challenges providers face in escalating issues for resolution — even when the plan is admittedly violating its own rules or policies. This issue would generally be classified as a contractual dispute for which CMS would be barred from involvement, and yet the provider has no effective mechanism to address it as evidenced by the problem continuing to worsen. Meanwhile, patients are being denied their timely right to appeal without any accountability on the part of the plan, and once appeals are resolved it may be months or years after the patient’s services were received before the beneficiary receives a statement from the facility. It is also worth noting that providers must adhere to strict regulatory timeline requirements for submitting claims and appeals or risk foregoing payment or reconsideration, but there is limited external accountability for plans if they don’t adhere to their comparable contractual timeframe commitments, including failing to review provider or member appeal requests for over a year.²

In another example of insufficient dispute resolution processes and challenges escalating issues with a large, national MA plan, a member hospital recently shared data with AHA about an MAO issue affecting 175 inpatient stays dating back to 2020, which remain fully unpaid by the MAO as a result of pre-payment clinical validation audits. Not only are these unpaid accounts for services rendered to patients, but these cases are really denials (for which the hospital received $0 of payment) that are disguised as contractual adjustments. In other words, the MAO system adjusted the entire balance of these accounts to zero as a contractual write-off and did not identify any amounts as denials. This prevented these claims from hitting the hospital’s denial workflow, leaving them undiscovered for several months. Additionally, it results in these claims not appearing as denials in any reporting, which precludes appropriate and transparent oversight.³

The inability to resolve 175 claims for services provided to patients that have gone entirely unpaid by an MAO for nearly three years suggests that current dispute resolution mechanisms are inadequate to ensure appropriate oversight of MAOs. After a year and a half of chasing the MAO and trying to resolve the issue with the plan directly, including written communications demonstrating that payment was supported for each account after the plan’s DRG reduction recommendation, the hospital was successful in securing partial payment for only two of the 175 accounts, without any interest. The hospital subsequently sought to escalate further and submitted a complaint to the CMS Regional Office in July 2023 but was quickly referred to the plan as CMS is barred from intervening in contractual disputes. This process represents an endless loop of frustration for many providers who experience similar problems without any real authority or opportunity to resolve the issues, while plans benefit from the cost and resource-intensive processes providers must go through to chase down payment they are owned for services delivered to patients. For this one midsize hospital, the denials disguised as adjustments amount to $1.5 million owed by a single contracted MAO.⁴

As evidenced by these examples, more oversight and accountability are needed to uphold CMS rules, as well as MAO policies, and more streamlined pathways are needed to report cases where a plan is consistently circumventing rules and responsibilities. To date, the non-interference clause has limited CMS involvement in many aspects of MAO compliance that are broadly considered contractual issues, as was the case in the preceding example. However, we increasingly believe this approach has allowed certain MAOs to circumvent CMS rules without accountability on issues that are not, in fact, contractual in nature, but directly and detrimentally affect patient care and access. As a result, we encourage CMS to take a more active role, where statutory authority permits, to investigate and sanction MAOs for consistent violations of CMS rules, especially those discussed in the CY 2024 MA Final Rule, which have a history of being violated.

Our specific recommendations follow.

RECOMMENDATIONS FOR ENFORCEMENT AND OVERSIGHT

The AHA has a series of recommendations for improving oversight of the MA program. We recognize that many of the policies finalized in the CY 2024 MA Final Rule govern operational processes related to authorization, claims processing and payment, which are difficult to meaningfully oversee without rigorous monitoring including plan-level data collection and reporting, regular auditing, pathways for stakeholders to report suspected violations and penalties for non-compliance. Each of these elements will be critical in ensuring these important changes become standard operating procedures for MAOs and have the intended effects on beneficiary protection and access to care.

That said, we recognize that not all MAOs are bad actors; many have active partnerships with providers in service of their shared patients and members and consistently act in good faith in trying to follow the rules. To this end, we believe that enforcement actions should be targeted, to the extent possible, to MAOs who have a history of suspected or actual violations or whose performance metrics related to appeals, grievances and denials could be indicative of a broader problem warranting investigation. Every effort should be made in carrying out enforcement activities to ensure that undue burden is not placed upon MAOs who consistently act in good faith and adhere to CMS rules.

With this in mind, the AHA recommends that CMS take the following actions to increase oversight of the MA program and bolster enforcement and compliance efforts pursuant to the CY 2024 MA Final Rule.

1. Data Collection and Reporting: There are limited data reporting mechanisms available to provide CMS with information about plan-level coverage denials, appeals and grievances, or delays in care resulting from plan administrative processes. These are important indicators of beneficiary access and are necessary for meaningful oversight of MAOs. For example, plans with excessively high service and payment denial rates compared to other plans, or plans with unreasonably high beneficiary grievance rates, may be indicative of inappropriate behavior that warrants further inquiry or audit. The HHS-OIG made a recommendation in 2014 for CMS to identify whether outlier data values reflect inaccurate reporting or atypical performance, and to use reporting requirements data as part of its reviews of MA organizations’ performance. We believe this could be a useful approach to conducting data-driven enforcement activity.
   
   In addition, we recommend that existing MAO data, which is submitted to CMS annually and must be audited by an outside organization, be used to a greater extent to guide oversight and enforcement activities. It appears to us that CMS uses MAO determination data in a relatively limited manner; the determination data are not used in Star Ratings and there is no documentation to suggest that this specific data drives oversight decisions like identifying which MAOs to audit. CMS could consider using existing data to identify MAOs for program audits to determine if the plan is correctly applying plan terms or medical necessity criteria; increase the frequency of plan-reported data to quarterly; publish a public list of MAOs that are subject to a Corrective Action Required (CAR) plan; or consider incorporating organizational determination data into Star Ratings.
    
2. Routine Auditing: CMS conducts routine audits for some aspects of the MA program, such as for the purpose of risk adjustment data validation. We believe that additional auditing is necessary to ensure compliance with CMS rules, especially those around medical necessity criteria, which are needed to achieve the intended alignment between Traditional Medicare and MA. Such audits should be focused on MAOs that are outliers in reported plan performance data or have a history of suspected or actual CMS rule violations on their record. With these factors in mind, we recommend that CMS regularly audit a sample of MAO denials, using a similar methodology as the 2022 HHS-OIG report, to review MAO determinations for the appropriate application of Medicare coverage rules and criteria. Without this level of detailed auditing, there will be ample opportunity for certain MAOs to continue circumventing federal rules without detection, rendering the proposed beneficiary protections ineffective.
    
3. Pathways to Report Suspected Violations: Patients and health care providers have a high degree of interaction with MAOs as users and providers of health care services and are therefore well-positioned to identify suspected violations of CMS rules that warrant further investigation. In fact, hospitals and health systems often act on behalf of their patients when working with insurers to obtain approval and coverage for medically necessary care, making them especially capable of identifying faulty or outdated program rules or bad actors. Unfortunately, there currently is no streamlined or direct way for providers to report such concerns to CMS. And as described above, when issues are raised, they are frequently labeled as “contractual disputes” and therefore not subject to agency intervention. However, what may appear to be a contractual dispute may be evidence of a violation of federal policy, including systemic issues with the potential for negatively affecting patient care. Without a way for providers to report issues, CMS has no ability to establish a fact pattern needed to engage in enforcement activity. Accordingly, we encourage CMS to establish a process for health care providers to submit complaints to CMS for suspected violation of federal rules as part of its enforcement strategy.
    
4. Enforcement Penalties: Penalties are a necessary part of enforcement to ensure there is accountability for complying with CMS rules. Given CMS’ acknowledgement in the final rule that many of the included provisions are restatements of existing CMS policy, enforcement is critical to ensure meaningful change. We recommend that based on the results of audits and plan-reported data, CMS be prepared to initiate issuing warning letters and Corrective Action Requirements to non-compliant MAOs. If the non-compliance persists, we recommend that CMS impose intermediate sanctions (e.g., suspension of marketing and enrollment activities), civil monetary penalties or terminate the contract.

Thank you for your attention to the comments and concerns we have raised. We strongly support and appreciate CMS’ efforts to improve the MA program and increase patient access and consumer protections. The AHA is pleased to be a resource on these issues and would welcome the opportunity to provide any additional information that would be helpful to the agency as you plan for future oversight and enforcement activity once the new rules take effect. Please feel free to contact me if you have any questions or have a member of your team contact Michelle Kielty Millerick, AHA’s senior associate director of health insurance coverage policy, at mmillerick@aha.org.

Sincerely,

/s/

Ashley Thompson
Senior Vice President
Public Policy Analysis and Development

__________

¹ https://oig.hhs.gov/oei/reports/oei-09-16-00410.pdf
² 42 CFR 422.562(d) specifically excludes MAOs from the Traditional Medicare requirements and timeframes to respond to provider appeals, resulting in limited external accountability for plans if they do not adhere to contractual commitments.
³ This example raises concerns that are consistent with the findings of a February 2023 report from the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) titled “The Inability to Identify Denied Claims in Medicare Advantage Hinders Fraud Oversight.” The report highlights that MA encounter records containing payment adjustments are imprecise and not sufficient to definitely identify whether adjustments are payment denials. The HHS-OIG recommends that CMS require MAOs to definitively identify payment denials on encounter records submitted for MA services to enhance program oversight.
⁴ The hospital notes this issue is limited to MA members, and the payer does not systemically behave in a similar manner to withhold payments on claims outside of the MA program, which raises questions about the incentives and level of oversight in MA if these practices are not occurring in other lines of business.
⁵ https://oig.hhs.gov/oei/reports/oei-03-11-00720.pdf