MA ICPG Spotlight: Four Medicare Advantage Risk Areas Compliance Teams Should Review

Previously we wrote about some of the highlights in the HHS OIG’s newest compliance program guidance for the Medicare Advantage segment of healthcare. The guidance is often referred to as the MA ICPG and our prior posting can be found here.

This article is the second of two more detailed discussions regarding the seven specific risks identified by OIG in Section II of the MA ICPG. In our first article, we examined the risks related to (1) risk adjustment, (2) submission of accurate claims, and (3) quality of care.

In this second article, we will review the remaining four risks identified by OIG which include: (1) access to care and utilization management tools, including prior authorization, (2) marketing and enrollment, (3) oversight of third parties, and (4) compliance programs within vertically integrated organizations and other ownership structures.

Access to Care and Utilization Management Tools, Including Prior Authorization

One of the most significant areas of concern discussed in the MA ICPG relates to access to care. OIG makes clear that Medicare Advantage Organizations (MAOs) must ensure that enrollees receive medically necessary services in a timely manner and that utilization management practices do not improperly delay or deny care.

This focus should not be surprising. Over the past several years, CMS and OIG have repeatedly scrutinized MA plans regarding their use of prior authorization and other utilization management controls. OIG previously published reports finding that some MA plans improperly denied services that would have been covered under traditional Medicare. CMS has similarly issued guidance and finalized regulations intended to reduce inappropriate barriers to care.

MAOs often use utilization management tools, including prior authorization, concurrent review, and step therapy protocols, as methods to manage costs and ensure appropriate utilization of healthcare services. While these tools are permissible and common within managed care arrangements, OIG warns that they may create fraud and abuse concerns when they are used primarily to reduce expenditures rather than ensure medically appropriate care.

The ICPG emphasizes that MA plans must ensure utilization management decisions are based on applicable Medicare coverage rules and sound clinical criteria. OIG highlights concerns that MA plans may inappropriately deny or delay medically necessary services by using internal coverage rules that are more restrictive than Medicare requirements.

OIG also points out that prior authorization processes may create incentives that negatively impact patient care if not properly monitored. For example, plans or delegated entities may:

• Delay approval of medically necessary services in ways that discourage enrollees from pursuing care

• Use overly burdensome documentation requirements that make it difficult for providers or patients to obtain approvals

• Improperly apply clinical criteria that are inconsistent with Medicare coverage standards

• Rely excessively on automated systems or algorithms to make authorization decisions without appropriate clinical oversight

• Create financial incentives for employees, contractors, or providers to reduce utilization inappropriately

The ICPG also discusses concerns regarding the use of artificial intelligence and predictive technologies in utilization management processes. OIG cautions that MAOs should ensure that any automated decision-making tools are accurate, appropriately validated, and subject to human oversight. MAOs should not rely solely on algorithms or software programs to deny medically necessary care.

To address these concerns, OIG explains that compliance programs should include oversight mechanisms designed to ensure enrollees maintain appropriate access to healthcare services. Effective compliance measures may include:

• Auditing prior authorization denials and appeals to identify patterns of inappropriate denials

• Monitoring timeliness requirements for authorization determinations

• Reviewing utilization management criteria to ensure consistency with Medicare rules

• Implementing escalation procedures for urgent or complex cases

• Ensuring physicians and other qualified clinicians are involved in medical necessity determinations

• Tracking complaints and grievances related to access-to-care concerns

• Conducting oversight of delegated entities that perform utilization management functions

The ICPG further notes that MAOs are responsible for maintaining adequate provider networks to ensure beneficiaries can access medically necessary services. Network inadequacy may result in delays in care, limited specialist access, or unreasonable travel burdens for enrollees. Compliance programs should therefore monitor network adequacy metrics and address gaps in provider availability.

Ultimately, OIG’s discussion in this section reinforces the expectation that MA plans balance cost-management strategies with their fundamental obligation to provide medically necessary care to enrollees.

Marketing and Enrollment

Another major risk area identified in the MA ICPG involves marketing and enrollment practices. OIG notes that MA beneficiaries are often targeted through aggressive marketing efforts and may be particularly vulnerable to misleading or confusing information regarding plan options, benefits, and provider participation.

CMS has significantly increased oversight of MA marketing activities in recent years, particularly after receiving complaints involving misleading television advertisements, unsolicited communications, and inappropriate broker conduct. OIG’s inclusion of this topic in the ICPG demonstrates the continuing enforcement concern surrounding marketing practices within the MA industry.

The ICPG emphasizes that MA marketing materials and communications must be accurate, not misleading, and compliant with CMS requirements. MAOs and downstream entities should ensure that beneficiaries receive complete and understandable information regarding coverage options, costs, provider networks, and benefit limitations.

OIG highlights several marketing and enrollment activities that may create fraud and abuse risks, including:

• Using misleading or confusing advertisements that overstate benefits or fail to disclose important limitations

• Marketing benefits in a manner that causes beneficiaries to believe services are free when cost-sharing obligations still apply

• Engaging in high-pressure sales tactics or unsolicited contacts

• Enrolling beneficiaries without their full understanding or consent

• Targeting beneficiaries in inappropriate healthcare settings

• Using compensation structures that incentivize agents or brokers to prioritize enrollment volume over beneficiary suitability

• Providing inaccurate information regarding provider participation or drug coverage

The ICPG specifically notes concerns involving third-party marketing organizations (TPMOs), brokers, and agents who market MA products on behalf of MAOs. Because many plans rely heavily on external sales organizations, OIG expects MAOs to maintain meaningful oversight of these activities.

The guidance makes clear that MAOs may be held accountable for the actions of their agents, brokers, vendors, and other downstream entities. As a result, compliance programs should include controls designed to monitor marketing practices and identify problematic conduct early.

Examples of recommended compliance activities include:

• Reviewing marketing materials for CMS compliance before distribution

• Monitoring sales calls and enrollment interactions

• Auditing broker and agent activities

• Investigating complaints related to misleading marketing or enrollment practices

• Ensuring marketing compensation arrangements comply with CMS rules

• Training employees, agents, and contractors regarding permissible marketing practices

• Implementing disciplinary measures for noncompliant conduct

OIG also stresses the importance of maintaining accurate enrollment records and promptly correcting enrollment errors. Beneficiaries who are improperly enrolled may experience disruptions in care, unexpected costs, or confusion regarding coverage.

In many respects, OIG’s discussion reflects a broader concern that vulnerable Medicare beneficiaries may not fully understand the complexities of MA plan selection. Compliance oversight in this area is therefore intended not only to protect federal healthcare funds, but also to protect beneficiaries from deceptive or abusive conduct.

Oversight of Third Parties

OIG also dedicates significant attention in the MA ICPG to the oversight of third parties. This topic is particularly important because MAOs frequently delegate operational responsibilities to downstream entities, contractors, vendors, first-tier entities, pharmacy benefit managers (PBMs), provider groups, and other business partners.

Although MAOs may delegate functions, they cannot delegate ultimate responsibility for compliance with Medicare program requirements. OIG emphasizes throughout the ICPG that MAOs remain accountable for the actions of their contracted entities.

The use of delegated and subcontracted arrangements can create substantial compliance risk because these entities often perform critical operational functions including:

• Claims processing

• Utilization management

• Pharmacy administration

• Provider credentialing

• Marketing and enrollment activities

• Risk adjustment coding and data submission

• Customer service and grievance processing

Because third parties may have financial incentives that differ from those of the MAO or CMS, OIG warns that inadequate oversight can result in fraud, waste, abuse, or beneficiary harm.

The ICPG identifies several areas where third-party misconduct may occur, including:

• Submission of inaccurate diagnosis or encounter data

• Inappropriate denials of medically necessary services

• Misleading marketing activities

• Improper claims processing practices

• Failures to protect beneficiary information

• Inadequate compliance program implementation

• Conflicts of interest involving delegated entities

OIG strongly encourages MAOs to implement robust vendor oversight and monitoring activities. Effective compliance programs should include formal processes for evaluating third-party compliance performance both before contracting and throughout the contractual relationship.

The ICPG recommends several important compliance safeguards, including:

• Conducting due diligence before entering contractual relationships

• Clearly defining compliance obligations in written agreements

• Requiring downstream entities to comply with Medicare program requirements and applicable laws

• Auditing and monitoring delegated functions regularly

• Reviewing performance metrics and complaint data

• Ensuring vendors receive appropriate compliance training

• Establishing reporting mechanisms for potential misconduct

• Taking corrective action when deficiencies are identified

OIG also highlights the importance of maintaining visibility into subcontracting arrangements. In some cases, delegated entities may themselves subcontract important functions to additional downstream organizations. Compliance programs should therefore ensure that oversight extends throughout the entire contractual chain.

This section of the ICPG reinforces a longstanding enforcement principle frequently emphasized by both OIG and DOJ: organizations cannot avoid liability simply because problematic conduct was performed by a contractor or vendor acting on their behalf.

Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures

The final risk area addressed by OIG involves compliance challenges associated with vertically integrated organizations and complex ownership structures. This discussion reflects the increasing consolidation occurring throughout the healthcare industry.

Many MAOs now operate within large healthcare systems that may also own or control provider groups, pharmacies, pharmacy benefit managers, home health agencies, and other healthcare businesses. While vertical integration may create opportunities for improved coordination of care, OIG warns that these structures may also create conflicts of interest and compliance vulnerabilities.

The ICPG explains that vertically integrated arrangements can create financial incentives that improperly influence clinical decision-making, utilization management, referrals, or claims submission practices.

For example, organizations operating under shared ownership structures may have incentives to:

• Steer patients toward affiliated providers or services regardless of appropriateness

• Prioritize financial performance over patient care considerations

• Use utilization management practices to maximize profits across affiliated entities

• Share data across affiliated organizations in ways that create compliance or privacy concerns

• Inadequately oversee conflicts of interest among related entities

OIG also notes that compliance responsibilities may become blurred within large integrated organizations. Different subsidiaries or affiliated entities may operate under separate leadership structures, creating challenges regarding accountability, communication, and oversight.

The ICPG emphasizes that compliance programs within vertically integrated organizations should maintain clear lines of responsibility and independence. Compliance personnel must have sufficient authority, access, and autonomy to identify and address issues throughout the organization.

OIG recommends that integrated organizations ensure:

• Compliance functions are appropriately coordinated across affiliated entities

• Reporting structures allow compliance concerns to be elevated without interference

• Conflicts of interest are identified and managed

• Policies and procedures are standardized where appropriate

• Information sharing complies with applicable privacy and security requirements

• Auditing and monitoring activities address risks across the entire corporate structure

• Governing bodies maintain visibility into compliance risks affecting affiliated entities

The guidance also highlights the importance of board and executive oversight. Leadership within integrated organizations should understand how financial arrangements and ownership relationships may create incentives that impact compliance risk.

In addition, OIG stresses that compliance programs should not operate in silos. Risks arising in one affiliated entity may affect other components of the organization, particularly where data sharing, delegated functions, or common leadership structures exist.

Ultimately, OIG’s discussion in this section reflects the reality that Medicare Advantage has become increasingly interconnected with broader healthcare delivery systems. As organizational structures become more complex, compliance oversight must evolve accordingly.

Conclusion

This article is the second of two detailed discussions examining the seven major risks identified in the MA ICPG. In this article, we reviewed the remaining four risk areas identified by OIG which included: (1) access to care and utilization management tools, including prior authorization, (2) marketing and enrollment, (3) oversight of third parties and (4) compliance programs within vertically integrated organizations and other ownership structures.

Taken together, these four risks demonstrate OIG’s broad concern that Medicare Advantage organizations maintain effective compliance oversight not only over billing and coding activities, but also over patient access, beneficiary communications, delegated entities, and corporate governance structures. As Medicare Advantage enrollment continues to grow, OIG’s expectations surrounding compliance oversight will likely continue to expand as well.

To download this blog post as a pdf, fill out the form below.