The Medicaid Managed Care Final Rule aims to align Medicaid regulations with those of other health coverage programs, modernizing the post-Affordable Care Act healthcare landscape. Among other goals, the Final Rule seeks to bolster the transparency, accountability, and integrity of Medicaid managed care by imposing and clarifying requirements meant to reduce fraud, waste, and abuse. The rule finalizes a number of changes that address two types of program integrity risks: fraud committed by Medicaid managed care plans and fraud by network providers. It also tightens standards for managed care organization (MCO) submission of certified data, information, and documentation used for program integrity oversight by state and federal agencies.

First, the Final Rule places new responsibilities on both states and managed care plans. State Medicaid programs will now be required to screen and enroll all network providers that order, refer, or furnish services to beneficiaries under the state plan unless a network provider is otherwise enrolled with the state to provide services to fee-for-service (FFS) Medicaid beneficiaries.[1] This requirement, which will take effect in July 2018, may delay the growth of provider networks; to address this concern the Final Rule allows programs to execute network provider agreements pending the outcome of the screening process of up to 120 days. However, upon notification from the state that a provider’s enrollment has been denied or terminated, or the expiration of the 120 day period without enrollment, the plan must terminate the network provider immediately and notify affected enrollees. In addition, the Final Rule requires states to periodically, but no less frequently than once every 3 years, audit patient encounter data and financial reports for accuracy, truthfulness, and completeness. States must also post on their website or otherwise publicize a range of programmatic data, including the results of past audits and information related to entity contracts.[2]

Second, beginning July 2017, managed care plans will also have to submit and certify a range of data—including data related to rate setting, compliance with Medical Loss Ratio (MLR) standards, accessibility of services, and recoveries of overpayments—to their respective states. In order to comply with this requirement, the Final Rules permits the executive leadership of an MCO to delegate the certification to an employee who reports directly to the plan’s CEO or CFO.[3]

Third, the Final Rule requires managed care plans to strengthen program integrity by implementing and maintaining programs and procedures to detect fraud, waste, and abuse. For example, managed care plans must maintain a system with dedicated staff charged with monitoring, promptly responding to, investigating, and correcting internal compliance issues beginning July 2017.[4] As part of this system, the plan must identify a compliance officer, establish a regulatory compliance committee, and provide for employee compliance training. In the event of a credible allegation of fraud, the Final Rule requires that payments to a network provider be suspended.

Fourth, the Final Rule imposes a number of mandatory reporting requirements beginning July 2017. For instance, changes in provider or enrollee circumstances bearing on continued Medicaid eligibility must be reported, and the plan must inform the state of all overpayments, specifying which may be linked to potential fraud.[5] However, states retain flexibility in establishing procedures for the treatment of overpayments recovered by managed care plans. Those procedures must be established in state contracts with managed care plans.

Fifth and finally, the Final Rule clarifies when federal financial participation (FFP) may be disallowed. The rule provides that states may be disallowed from FFP if the final capitation rates in the state contract are not actuarially sound according to federal standards. The disallowance of FFP for expenditures under an MCO contract will continue to apply to all payments under the contract at issue, not simply to a particular service category that fails to meet the federal standard. In addition, FFP will be prohibited if a managed care plan has a relationship with an excluded entity or individual as defined in § 438.610(b), which also expands the list of entities subject to this rule.[6]

The Final Rule adopts a number of procedures and standards designed to strengthen the program integrity of Medicaid managed care. As a result, it’s important for Medicaid managed care contractors to stay abreast of these changes in order to ensure compliance and avoid sanctions and/or penalties. MCOs risk civil monetary penalties of up to $25,000 or other intermediate sanctions (e.g., appointment of a temporary manager) for failure to comply with certain program integrity guidelines. For additional coverage of the Medicaid Managed Care Final Rule, click here.

*The authors thank Crowell & Moring Summer Associate Will Pellett for his assistance with this blog post.


[1] 42 C.F.R. § 438.602 (b).

[2] 42 C.F.R. § 438.602(g).

[3] 42 C.F.R. §§ 438.604 (a) and (b).

[4] 42 C.F.R. § 438.608 (a)(1)(vii).

[5] 42 C.F.R. § 438.608 (a)(8).

[6] 42 C.F.R. § 438.808.