Skip to main content

Medicaid Managed Care: Additional CMS Actions Needed to Help Ensure Data Reliability

GAO-19-10 Published: Oct 19, 2018. Publicly Released: Nov 19, 2018.
Jump To:

Fast Facts

States collect data on Medicaid services to help the Centers for Medicare & Medicaid Services (CMS) oversee the managed care program. For example, this data can help set managed care payment rates, identify inappropriate billing patterns, and ensure access to services.

But what if the data isn’t reliable?

CMS started requiring states to have independent audits of their data to help ensure reliability, but hasn't fully informed states on how to conduct these audits—which could lead to inconsistent results.

We recommended that CMS give states more information on the audits and how it will enforce the new data reliability requirements.

 

Photo of a stethoscope on a computer keyboard.

Photo of a stethoscope on a computer keyboard.

Skip to Highlights

Highlights

What GAO Found

The Centers for Medicare & Medicaid Services (CMS) requires states to collect service utilization data—known as encounter data—from Medicaid managed care organizations (MCO). GAO found that, in 2017, all eight selected states it reviewed checked MCO-submitted encounter data for reasonableness—that is, they checked that the data contained valid values, were submitted in a timely manner, and reflected historical trends. Three of the selected states used an additional oversight practice—comparing encounter data with an external data source—which could involve comparing encounter data with a sample of medical records. Such comparisons are recommended by CMS and other experts, such as actuaries, to help ensure data reliability (i.e., accuracy, completeness, and timeliness). Five of the eight selected states reported using mechanisms—such as penalties—to enforce encounter data reporting requirements in 2017.

Oversight Practices for Encounter Data Used by Selected States, 2017

 

Selected states

Oversight practice

CA

NE

NH

NY

OH

TX

UT

WV

Conducted reasonableness checks

Compared to external data sources

Required corrective action plans, assessed penalties, or provided performance incentives

Legend: ● = used practice; ○ = did not use practice

Source: GAO analysis of state reported information | GAO-19-10

GAO found that CMS has provided states with limited information on how to fulfill new regulatory requirements related to encounter data reliability. For example, CMS has provided states with limited information on

  • the required scope and methodology for the required independent audits of state encounter data; and
  • the required content of annual assessments of encounter data reporting that states must submit to the agency.

Because of the limited information from CMS, the agency will not have the information it needs to perform effective oversight of encounter data reliability.

States report encounter data to CMS's Transformed Medicaid Statistical Information System (T-MSIS). However, CMS has not provided states with information on the circumstances under which the agency will determine whether to defer or disallow federal matching funds in response to T-MSIS data submissions that do not comply with the agency's standards. In 2016, CMS indicated that it would provide this information before taking such actions. Until CMS provides this information to states, the effectiveness of deferring or disallowing funds as a potential enforcement tool to ensure state compliance is diminished, thus potentially hampering its efforts to ensure the reliability of encounter data.

Why GAO Did This Study

Questions have been raised about the reliability of states' Medicaid managed care encounter data, which are often used to set rates paid to MCOs. States collect the data from the Medicaid MCOs they contract with and then submit the data to CMS through T-MSIS. With managed care comprising nearly half of the total federal Medicaid expenditures in 2017, the importance of reliable encounter data is paramount to ensuring that rates are appropriate and beneficiaries in Medicaid managed care are receiving covered services.

GAO was asked to examine Medicaid managed care encounter data reliability. In this report, GAO examined (1) states' oversight practices, and (2) CMS's actions for helping to ensure encounter data reliability. GAO reviewed documents on oversight practices, and interviewed Medicaid officials from eight states, selected based on enrollment and geography; and collected information from two MCOs (one with low and one with high enrollment) in each of the eight states. GAO also reviewed relevant federal regulations and guidance; and interviewed CMS officials.

Recommendations

The Administrator of CMS should provide states information on (1) scope and methodology requirements for encounter data audits; (2) required content of the annual assessments; and (3) circumstances for deferring or disallowing matching funds in response to noncompliant T-MSIS data submissions. The Department of Health and Human Services agreed with the first two recommendations and neither agreed nor disagreed with the third recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Centers for Medicare & Medicaid Services The Administrator of CMS should provide states with more information on how to fulfill the requirement for independent encounter data audits, including information on the required audit scope and methodology, and what should be described in the resulting report. (Recommendation 1)
Closed – Implemented
HHS agreed with our recommendation and noted that CMS would provide states with additional information on how to fulfill the requirement for independent encounter data audits. In September 2023, CMS issued guidance to states on how to fulfill this requirement in a new version of its encounter data toolkit. Specifically, the updated toolkit clarifies the required elements of the periodic encounter data audit that must be conducted by an independent auditor, including the types of analyses that should be conducted and the components that should be included in the resulting summary report. By issuing this updated toolkit clarifying the requirements of the independent encounter data audit process, state Medicaid programs now have the guidance they need from CMS to conduct and report on independent encounter data audits and our recommendation has been addressed.
Centers for Medicare & Medicaid Services The Administrator of CMS should provide states information on the required content of the annual assessment of encounter data reporting. (Recommendation 2)
Closed – Implemented
HHS agreed with our recommendation, noting that CMS would provide states further information on the required content of the annual assessment. On June 28, 2021, CMS began requiring state Medicaid managed care programs to submit, no later than 180 days after each contract year ends, annual encounter data reporting assessments according to specified instructions on the assessment's content and format. Specifically, in an information bulletin CMS issued to state Medicaid programs on June 28, 2021, CMS provided states with a series of tools to improve the monitoring and oversight of managed care programs, including new guidance setting the content and format of the Annual Managed Care Program Report, which is the annual encounter data assessment report required by CMS regulations at 42 CFR ? 438.66(e)(1)(i). In addition, CMS released a template for states to submit the required encounter data assessment information. With the issuance of the new guidance and template, state Medicaid programs now have the information they need from CMS to fulfill the requirement for annual encounter data assessments, as we recommended.
Centers for Medicare & Medicaid Services The Administrator of CMS should provide states with information on the circumstances under which CMS would defer or disallow matching funds in response to noncompliant encounter data submissions. (Recommendation 3)
Closed – Implemented
HHS, in commenting on our draft report in September 2018, neither agreed nor disagreed with our recommendation. However, CMS subsequently implemented our recommendation through its actions in March and December of 2019. Specifically, in March 2019, CMS issued an informational bulletin that identifies criteria states must meet to be in compliance with Transformed Medicaid Statistical Information System (T-MSIS) data quality requirements, including encounter data, and notes that CMS may reduce matching funds for state Medicaid data systems that cannot produce timely, accurate, and complete data. The information bulletin included a timeline for states to bring their data into compliance with these criteria. CMS also provided support that the agency informed a state in December 2019 that its T-MSIS data were not compliant with the informational bulletin criteria and when CMS would begin reducing the state's matching funds, if the state did not address the identified issues. Thus, CMS implemented our recommendation by informing states of the criteria they must meet for compliance with T-MSIS data quality requirements, including of encounter data, as well as the timeline for enforcement and potential funding reductions that CMS may take in response to noncompliant data submissions. CMS has provided the information states need to understand the enforcement tool, and therefore the agency is better equipped to use this process to improve the reliability of Medicaid encounter data.

Full Report

GAO Contacts

Office of Public Affairs

Topics

Compliance oversightData collectionData elementsData integrityData qualityData reliabilityManaged health careMedicaidMedicaid servicesReporting requirements