Data misreporting risks for Medicare Advantage and prescription drug plans

May 1, 2015

Misreporting of data to the Centers for Medicare and Medicaid Services exposes MCOs to civil litigation and administrative penalties.

As the managed care industry continues to grow, Medicare Advantage (MA) organizations and Medicare prescription drug plans (PDPs) have seen a noticeable uptick in enforcement activity aimed at combating fraud and abuse in these programs. One of the biggest enforcement risks for these entities stems from the misreporting of data to the Centers for Medicare and Medicaid Services (CMS). Data misreporting can lead to significant consequences, including exposure to civil litigation and administrative penalties, and therefore managed care plans should be aware of the specific sources of liability to avoid becoming a target.

CMS pays managed care plans a monthly capitated amount instead of reimbursing these entities on a fee-for-service basis. Under the capitated method of payment, plans submit an annual “bid”-or information showing how sickly its patient population is to determine the value of the capitated payment per month-which CMS then compares to a benchmark. As a condition for receiving payment from Medicare, plans must certify that the information in their bid submissions is accurate, complete, and truthful. Therefore, it is crucial that managed care plans do not misreport data to avoid allegations of overbilling the government.

Within the realm of data misreporting, risk adjustment presents a growing area of enforcement. Risk adjustment is the process by which CMS adjusts a health plan’s monthly payments based on the health status of plan enrollees. Plans that have sicker members receive higher Medicare payments to offset the costs of enrolling a riskier patient population, and vice versa. Consequently, one of the challenges MA plans face is that there is a great deal of reliance on the accuracy of physicians’ documentation because the data initially comes from providers.

In the past several years, a handful of civil False Claims Act (“FCA”) actions alleging that MA organizations submitted inaccurate risk adjustment data to inflate their Medicare premiums have been filed in federal courts. Some of these actions have resulted in settlements in the millions of dollars. For instance, in United States v. Janke, the owners of an MA plan and its primary care provider agreed in November 2010 to pay $22.6 million to the federal government to resolve allegations that they submitted false diagnosis codes, thereby inflating their risk scores and causing Medicare overpayments.

Another emerging enforcement trend under the umbrella of data reporting is Prescription Drug Event (PDE) data. A PDE is a record of a specific drug transaction, which CMS uses to reconcile its advance payments to a PDP sponsor with the actual costs the sponsor incurred.

At least one federal court has held that FCA liability arises when a PDP falsely certifies that it has submitted accurate and complete PDE data. The court, in a case against CVS Caremark Corporation and its pharmacy benefits manager, SilverScript, held that “a PDE is a claim or demand for payment under the FCA” because it is a “prerequisite to obtaining additional payments and to reconcile the accuracy of any previous payments already made.”  Therefore, PDE data that has been falsely certified as accurate by either the Part D sponsor or the sponsor’s subcontractor (like a pharmacy benefits manager) may give rise to an FCA claim.

Managed care plans’ exposure to liability with respect to information reporting continues to expand as CMS issues new regulations. For example, a recently promulgated “60-day refund rule”-issued on May 19, 2014, for contract year 2015-requires MA organizations and PDPs to report and return overpayments within 60 days of having “identified” the existence of an overpayment, which is defined as “when the MA organization has determined, or should have determined through the exercise of reasonable diligence, that the MA organization or PDP has received an overpayment.” A proposed rule issued on May 12, 2014, recommends civil monetary penalties of $10,000 for each day that an MA organization or PDP fails to return overpayments.

In all of these ways, data misreporting exposes managed care plans to significant enforcement risks, including civil litigation and administrative sanctions. These entities should therefore keep a close watch on liability risks and develop strategies for staying out of the government’s line of fire.

John Kelly and Matt Curley are members of Nashville-based Bass, Berry & Sims PLC in the firm’s Healthcare Fraud & Abuse practice group, based in Washington D.C. and Nashville, respectively. Shuchi Parikh is an associate in the Healthcare Fraud & Abuse practice of Nashville-based Bass, Berry & Sims PLC and based in Washington D.C.