Reprinted with AIS Health permission from the 4/4/24 issue of Radar on Medicare Advantage

Thanks to a final rule published just one year ago, Medicare Advantage plans as of Jan. 1 were expected to meet new constraints when it comes to applying their utilization management (UM) policies, including prior authorization. CMS has said it aims to assess UM-related performance of plans serving 88% of beneficiaries this year, and it intends to accomplish this through both routine program audits and “focused audits.” According to compliance experts, the volume of audit activity since CMS began sending engagement letters in late February suggests the agency is eager to meet its goal, but it may not like what it finds.

That’s partly because of the tight timeline CMS gave plans to comply with multiple requirements, such as establishing a dedicated UM committee that must meet certain membership criteria and conducting an annual review of plans’ medical coverage policies. The new requirements also needed a certain level of “system configuration, payment configuration, [and in some cases] contract amendments with providers,” observes Tina Dueringer, vice president of clinical and quality at Rebellis Group. “I think people get caught up on, ‘Well, we have a committee and we’re doing what we need to to be compliant.’ But that’s just a single piece. Having a UM committee review and approve the medical policies using the new CMS requirements is what that committee is supposed to be doing.”

In the final 2024 MA and Part D rule published in April 2023, CMS clarified the traditional, fee-for-service Medicare criteria insurers must follow before applying their own UM criteria. In the preamble to that rule, CMS advised MA plans not to rely on an “algorithm or software that doesn’t account for an individual’s circumstances” — something that has been the subject of recent lawsuits charging insurers with using artificial intelligence to wrongfully deny patients’ care. In a 14-page frequently asked questions document issued in February, CMS clarified that “an algorithm or software tool can be used to assist MA plans in making coverage determinations,” but it also emphasized that plans must base coverage decisions “on the individual patient’s circumstances.”

Dueringer says that document provided a new level of detail on CMS’s expectations for compliance, yet plans’ level of awareness around the new UM requirements seems to vary.

“It’s going to be interesting to see how [CMS meets] the 88%,” she says. “I do tell plans, be prepared because this is what they anticipated, and I think it’ll be more through [focused] audits that are going to be targeted at denials,” looking back at denials that were processed as of Jan. 1 to determine if the medical policy informing those decisions was appropriate. And CMS will collect that information as it would with the Part C Organization Determinations, Appeals, and Grievances (ODAG) portion of the program audits, in which the volume of UM samples reviewed varies by plan size, as will the length of time it takes to complete that review.

Transparency Is Mission Critical

To Steve Arbaugh, managing principal and CEO of ATTAC Consulting Group, CMS is clearly focused on ensuring transparency for beneficiaries. “As an example, CMS has always been concerned when they reviewed denials in their ODAG universes that the explanations were detailed and clear to the beneficiary. The added portion of this — and this was outlined in the memo — is that they want plans to make sure that they are all following appropriate [National Coverage Determinations and Local Coverage Determinations] so that why a denial is being made is very explicit and, if they’re using internal guidelines or criteria to make that denial, that those are outlined in the letters.” That way, the beneficiaries can appropriately file appeals or discuss with their providers why the denial was made. “This is just much more detailed and making sure that the focus is that all the criteria used are transparently communicated.”

CMS is also seeking a new level of detail with a brand-new Table 7, which is tracking whether denials were sent to quality improvement organizations (QIOs) for review. That table was not mentioned in CMS’s December memo and in recent weeks, some plans undergoing the focused audits have not received the table, so it appears CMS’s approach is evolving, says Cheryl Wasserman, senior health plan services consultant and compliance lead with BluePeak Advisors.

At the same time, CMS is assessing whether plans have taken the appropriate steps across various departments before and after Jan. 1 that were undertaken to ensure compliance with the new regulation, points out Wasserman. And that involves standard tracer reviews, whereby plans are having to walk CMS through the process of implementation, she adds.

“The plans are trying to implement all the things that are involved, but it’s a lot and I think it is a new level of involvement, probably from the compliance side in UM,” which has been subject to internal monitoring and reporting to compliance, she explains. “But there seems to be an expectation that compliance is much more involved in that.”

New UM Committee Poses Stumbling Block

To that end, CMS has been very focused on the implementation of the UM committee, which was required to be established by plans effective Jan. 1. For one, the agency is looking to confirm that the UM committee meets the membership requirements laid out in the final rule, but it also wants to ensure that the committee reviewed all the internal policies. And that expectation may be unrealistic considering that some plans have “hundreds” of internal criteria and had to make all of those publicly available to comply with the rule, such as posting those policies to a website so that anyone can view them. So regardless of whether the policy itself was appropriate or made publicly available, one important factor will be whether it was reviewed by the new UM committee.

Dueringer says in some cases, it could be thousands of internal policies, depending on the plan and whether it has adopted a third-party vendor’s policies or belongs to an association with a core set of policies. “Understand that the first problem that actually drove some of this was the expansive medical management process in which it was important for plans to control costs and…one of the easy levers was to put in a very strong prior authorization process, and that became the explosion of those policies,” she says.

“What Medicare is trying to do is say look at all those policies, review all of those policies, review them manually, put them through your committee, your UM committee, and demonstrate to us that those policies have substantive reasoning and rationale,” she adds. 

It will also require more oversight of delegated entities, says Arbaugh. “I think one of the challenges for all the health plans, especially plans in markets where they’ve contracted with IPAs and delegated entities to perform many of the decision-making processes around these activities, is that many of these IPAs contract with multiple entities,” adds Arbaugh. “And so, making sure that these plans are following your guidelines and your guidelines are communicated to your downstream entities that are performing this activity, that’s a real area for plan oversight. And that’s nothing new — it’s always been a challenge for plans and a focus of CMS — but with the level of detail they’re focused on here, plans need to take more scrutiny in that area.”

Who We Are

ATTAC Consulting Group is a healthcare consulting firm specializing in insurance plan compliance, audit, operations and networks.

Learn more about how we can help your health plan with a UM-focused audit.