15 February 2024 • 7 minute read
CMS issues FAQ to Medicare Advantage organizations on new utilization management requirements and upcoming audits
On February 6, 2024, the Centers for Medicare & Medicaid Services (CMS) issued a “Frequently Asked Questions” (FAQ) memorandum regarding its updated coverage criteria and utilization management (UM) requirements for Medicare Advantage (MA) organizations and Medicare-Medicaid Plans (referred to here collectively as “MAOs”).
Implemented as part of an April 5, 2023 final rule, these requirements became effective on January 1, 2024, with CMS recently finalizing additional UM requirements that will become effective over the next several years.
While much of the FAQ repeats other guidance from CMS in the Federal Register commentary and other memoranda, the following highlights some key insights into CMS’s interpretation and application of these coverage criteria and UM requirements.
Algorithms and artificial intelligence for coverage decisions
The FAQ includes cautionary guidance from CMS regarding MAOs’ use of predictive and other algorithms, as well as artificial intelligence, as part of their coverage determination process. In particular, CMS reminds MAOs of their obligation to use those technologies in compliance with the MA rules, including the rule to make medical necessity determinations based on the individual patient’s circumstances. For example, CMS states that an MAO would not be in compliance with the MA rules if it were to base a medical necessity determination on a larger data set rather than on an individual patient’s medical history, a physician’s recommendation, or clinical notes. The FAQ includes additional examples of how the use of algorithms and artificial intelligence by MAOs may run afoul of the MA rules.
CMS also expresses concern about the potential of such technologies to perpetuate or exacerbate discrimination and bias, and reminds MAOs to safeguard against those adverse impacts.
MAOs may continue to make use of such technologies, but they must implement them in a manner that meets the MA rules and avoids improper discrimination and bias.
Denials of care settings or redirecting to different settings
In its FAQ, CMS clarifies that MAOs must cover settings of care when such settings would be covered by traditional Medicare. MAOs may not deny admission to a covered setting or otherwise redirect the care to a different setting. By way of example, if a patient is discharged from an acute care hospital to a post-acute care facility, and the patient’s attending physician orders the care in the post-acute facility, the MAO must cover care in that setting if the care would have been covered under traditional Medicare. MAOs may only deny care in a particular setting or redirect to another setting if it determines traditional Medicare’s coverage criteria are not satisfied or consistent with the MAO’s own internal coverage criteria, when applicable.
Local coverage determinations from another service area
CMS confirmed that an MAO may only rely on a local coverage determination (LCD) from another service area if the MAO is permitted to apply its own internal coverage criteria. In such case, that LCD would be viewed as the MAO’s internal coverage criteria under the MA rules.
Publicly accessible internal coverage criteria
Finalized as part of the April 2023 final rule, MAOs are required to make their internal coverage criteria “publicly accessible.” The final rule, however, did not specify how this must be done.
CMS’s guidance on this topic is now available in the FAQ. CMS suggests following the model established by Medicare Administrative Contractors (MACs) and confirms that CMS expects MAOs to make their internal coverage criteria available on a website – such as the MAO’s required website – or via links to third-party websites. Under no circumstance may the criteria be behind a paywall or require a subscription access. However, an MAO may be permitted to require some limited information prior to granting access to the criteria.
CMS will monitor MAOs’ reliance on third-party vendors’ websites to provide access to the criteria, and it will evaluate whether that approach makes it too difficult for the public to access and analyze the criteria.
Assessing when Medicare coverage criteria are binding criteria, non-binding instructions, or payment policies
The FAQ analyzes the application of traditional Medicare’s “two-midnight rule” and “interrupted stay” policy as they apply to MAOs. This portion of the FAQ highlights the pitfalls for MAOs as they seek to maintain compliance with the MA UM rules. Not all presumptions, policies, and instructions that MACs follow will be binding on MAOs, which could result in significantly different coverage decisions. Understanding which coverage criteria applies will be vital for MAOs to remain compliant and avoid adverse enforcement actions by CMS, as discussed below.
Post-claim audits
CMS instructs that MAOs may continue to conduct post-claim reviews but must remain in compliance with the reopening rules and restrictions on revising existing prior authorization approvals. Importantly, guidance in the FAQ indicates that CMS will treat post-claim review audits and examinations as organization determinations, and not merely as payment reviews. Given past CMS enforcement action with respect to the treatment of organization determinations, MAOs are encouraged to carefully assess how they apply and treat their post-claim reviews, including whether they are involving a physician or other appropriate healthcare professional when required.
Prior authorization
Guidance in the FAQ indicates that MAOs may continue use prior authorization (or pre-certification). However, it reviews the limitations on such use, and sets out the timeframes for making decisions.
Supplemental benefits
The FAQ continues to reflect CMS’s policy that MAOs may use prior authorization in the context of supplemental benefits (which are not Medicare “basic benefits” covered by Medicare Parts A and B). Given the nature of supplemental benefits, CMS expects MAOs to apply a “clinically appropriate” standard as opposed to “medically necessary.” This guidance does not change the general rule that supplemental benefits must be medically necessary. However, it acknowledges that certain supplemental benefits are subject to different standards. CMS further confirms in the FAQ that traditional Medicare’s coverage criteria do not apply to supplemental benefits because they are neither Medicare Part A nor Part B benefits.
Compliance and enforcement actions
The FAQ also outlines CMS’s options for enforcement against MAOs found to be out of compliance with the UM rules. As we noted in a prior client alert, CMS intends to actively audit MAOs with a specific focus on compliance with the UM rules. This expanded audit activity means that MAOs are at high risk of being subject to enforcement action if they are out of compliance.
The FAQ and other recent CMS guidance sheds light on the specific UM rules and issues on which CMS appears to be particularly focused. For example, CMS will likely evaluate whether MAOs are properly categorizing certain post-claim audit reviews as organization determinations, whether AI or other algorithms are resulting in improper denials of coverage or prohibited shifting to alternative care settings, and whether MAOs’ coverage and payment decisions are diverging from traditional Medicare coverage.
As noted above, the latter area warrants particular attention by MAOs as such organizations must identify which traditional Medicare rules, guidance, and instructions, among others, apply to them – as well as identify areas in which the MAOs may have the discretion to rely on their own internal coverage criteria. Likewise, MAOs may expect CMS to take a closer look at any innovative technologies being employed to support UM activities, including whether such technologies improperly discriminate, diverge from the requirements of the MA UM rules, or otherwise operate in a non-compliant way (eg, by failing to include a licensed healthcare professional when required).
According to the FAQ, MAOs should expect CMS to employ any or all of its well-established tools for addressing non-compliance. These tools include not only compliance actions (eg, notices of non-compliance, warning letters, and requiring corrective action plans) but also enforcement actions (eg, civil monetary penalties and enrollment and marketing sanctions).
Other FAQ matters
The above surveys only some of the FAQ’s key aspects. The FAQ document addresses issues and includes important nuances and discussions not necessarily captured above. In addition, CMS has issued comments to the April 2023 final rule and subsequent sub-regulatory guidance – with this, MAOs are encouraged to carefully assess a broad range of interpretive guidance from CMS in crafting their UM compliance plans and otherwise preparing for the ongoing and upcoming audits.
Please contact the authors for more information regarding this alert, CMS audits, or the new UM rules.
Implemented as part of an April 5, 2023 final rule, these requirements became effective on January 1, 2024, with CMS recently finalizing additional UM requirements that will become effective over the next several years.
While much of the FAQ repeats other guidance from CMS in the Federal Register commentary and other memoranda, the following highlights some key insights into CMS’s interpretation and application of these coverage criteria and UM requirements.
Algorithms and artificial intelligence for coverage decisions
The FAQ includes cautionary guidance from CMS regarding MAOs’ use of predictive and other algorithms, as well as artificial intelligence, as part of their coverage determination process. In particular, CMS reminds MAOs of their obligation to use those technologies in compliance with the MA rules, including the rule to make medical necessity determinations based on the individual patient’s circumstances. For example, CMS states that an MAO would not be in compliance with the MA rules if it were to base a medical necessity determination on a larger data set rather than on an individual patient’s medical history, a physician’s recommendation, or clinical notes. The FAQ includes additional examples of how the use of algorithms and artificial intelligence by MAOs may run afoul of the MA rules.
CMS also expresses concern about the potential of such technologies to perpetuate or exacerbate discrimination and bias, and reminds MAOs to safeguard against those adverse impacts.
MAOs may continue to make use of such technologies, but they must implement them in a manner that meets the MA rules and avoids improper discrimination and bias.
Denials of care settings or redirecting to different settings
In its FAQ, CMS clarifies that MAOs must cover settings of care when such settings would be covered by traditional Medicare. MAOs may not deny admission to a covered setting or otherwise redirect the care to a different setting. By way of example, if a patient is discharged from an acute care hospital to a post-acute care facility, and the patient’s attending physician orders the care in the post-acute facility, the MAO must cover care in that setting if the care would have been covered under traditional Medicare. MAOs may only deny care in a particular setting or redirect to another setting if it determines traditional Medicare’s coverage criteria are not satisfied or consistent with the MAO’s own internal coverage criteria, when applicable.
Local coverage determinations from another service area
CMS confirmed that an MAO may only rely on a local coverage determination (LCD) from another service area if the MAO is permitted to apply its own internal coverage criteria. In such case, that LCD would be viewed as the MAO’s internal coverage criteria under the MA rules.
Publicly accessible internal coverage criteria
Finalized as part of the April 2023 final rule, MAOs are required to make their internal coverage criteria “publicly accessible.” The final rule, however, did not specify how this must be done.
CMS’s guidance on this topic is now available in the FAQ. CMS suggests following the model established by Medicare Administrative Contractors (MACs) and confirms that CMS expects MAOs to make their internal coverage criteria available on a website – such as the MAO’s required website – or via links to third-party websites. Under no circumstance may the criteria be behind a paywall or require a subscription access. However, an MAO may be permitted to require some limited information prior to granting access to the criteria.
CMS will monitor MAOs’ reliance on third-party vendors’ websites to provide access to the criteria, and it will evaluate whether that approach makes it too difficult for the public to access and analyze the criteria.
Assessing when Medicare coverage criteria are binding criteria, non-binding instructions, or payment policies
The FAQ analyzes the application of traditional Medicare’s “two-midnight rule” and “interrupted stay” policy as they apply to MAOs. This portion of the FAQ highlights the pitfalls for MAOs as they seek to maintain compliance with the MA UM rules. Not all presumptions, policies, and instructions that MACs follow will be binding on MAOs, which could result in significantly different coverage decisions. Understanding which coverage criteria applies will be vital for MAOs to remain compliant and avoid adverse enforcement actions by CMS, as discussed below.
Post-claim audits
CMS instructs that MAOs may continue to conduct post-claim reviews but must remain in compliance with the reopening rules and restrictions on revising existing prior authorization approvals. Importantly, guidance in the FAQ indicates that CMS will treat post-claim review audits and examinations as organization determinations, and not merely as payment reviews. Given past CMS enforcement action with respect to the treatment of organization determinations, MAOs are encouraged to carefully assess how they apply and treat their post-claim reviews, including whether they are involving a physician or other appropriate healthcare professional when required.
Prior authorization
Guidance in the FAQ indicates that MAOs may continue use prior authorization (or pre-certification). However, it reviews the limitations on such use, and sets out the timeframes for making decisions.
Supplemental benefits
The FAQ continues to reflect CMS’s policy that MAOs may use prior authorization in the context of supplemental benefits (which are not Medicare “basic benefits” covered by Medicare Parts A and B). Given the nature of supplemental benefits, CMS expects MAOs to apply a “clinically appropriate” standard as opposed to “medically necessary.” This guidance does not change the general rule that supplemental benefits must be medically necessary. However, it acknowledges that certain supplemental benefits are subject to different standards. CMS further confirms in the FAQ that traditional Medicare’s coverage criteria do not apply to supplemental benefits because they are neither Medicare Part A nor Part B benefits.
Compliance and enforcement actions
The FAQ also outlines CMS’s options for enforcement against MAOs found to be out of compliance with the UM rules. As we noted in a prior client alert, CMS intends to actively audit MAOs with a specific focus on compliance with the UM rules. This expanded audit activity means that MAOs are at high risk of being subject to enforcement action if they are out of compliance.
The FAQ and other recent CMS guidance sheds light on the specific UM rules and issues on which CMS appears to be particularly focused. For example, CMS will likely evaluate whether MAOs are properly categorizing certain post-claim audit reviews as organization determinations, whether AI or other algorithms are resulting in improper denials of coverage or prohibited shifting to alternative care settings, and whether MAOs’ coverage and payment decisions are diverging from traditional Medicare coverage.
As noted above, the latter area warrants particular attention by MAOs as such organizations must identify which traditional Medicare rules, guidance, and instructions, among others, apply to them – as well as identify areas in which the MAOs may have the discretion to rely on their own internal coverage criteria. Likewise, MAOs may expect CMS to take a closer look at any innovative technologies being employed to support UM activities, including whether such technologies improperly discriminate, diverge from the requirements of the MA UM rules, or otherwise operate in a non-compliant way (eg, by failing to include a licensed healthcare professional when required).
According to the FAQ, MAOs should expect CMS to employ any or all of its well-established tools for addressing non-compliance. These tools include not only compliance actions (eg, notices of non-compliance, warning letters, and requiring corrective action plans) but also enforcement actions (eg, civil monetary penalties and enrollment and marketing sanctions).
Other FAQ matters
The above surveys only some of the FAQ’s key aspects. The FAQ document addresses issues and includes important nuances and discussions not necessarily captured above. In addition, CMS has issued comments to the April 2023 final rule and subsequent sub-regulatory guidance – with this, MAOs are encouraged to carefully assess a broad range of interpretive guidance from CMS in crafting their UM compliance plans and otherwise preparing for the ongoing and upcoming audits.
Please contact the authors for more information regarding this alert, CMS audits, or the new UM rules.
