Connect with us

Latest

The 2022 Proposed Payment Notice, Part 3: Risk Adjustment

Avatar

Published

on

The 2022 Proposed Payment Notice, Part 3: Risk Adjustment

On November 25, 2020, the Centers for Medicare and Medicaid Services (CMS) released its proposed 2022 Notice of Benefit and Payment Parameters rule. The proposed rule was accompanied by a fact sheet, and a press release. The “payment notice” is issued on an annual basis to adopt a variety of major changes that CMS intends to implement for the next plan year in areas such as the marketplaces, the risk adjustment program, and the market reforms.

A first post addressed changes that generally apply to the exchanges. A second post addressed changes regarding medical loss ratio (MLR) requirements, the coverage of essential health benefits, special enrollment periods, and reporting of prescription drug information by pharmacy benefit managers. This post considers the proposed changes to the risk adjustment program related to user fees, recalibration of the risk adjustment models, the model itself, enrollment duration factors, and changes to risk adjustment data validation (RADV) requirements, among others. CMS would also let states request multi-year reductions for risk adjustment transfers, instead of annual reduction requests.

Overview

The ACA included three premium stabilization programs: risk corridors, reinsurance, and risk adjustment. The risk corridor and reinsurance programs lasted from 2014 to 2016 while the risk adjustment program continues. The risk adjustment program transfers funds from lower-risk, non-grandfathered plans in the individual and small group markets to higher-risk, non-grandfathered plans, both in and out of the exchange. The purpose of the program is to discourage cherry picking: plans that end up with healthier populations must compensate plans that have more costly enrollees. CMS will operate the risk adjustment program in all states in 2022.

The risk adjustment model predicts plan liability for an average enrollee based on risk scores. These risk scores are based on each enrollee’s age, sex, and diagnoses. Diagnoses are also referred to as hierarchical condition categories (HCCs). The risk adjustment methodology uses separate models for adults, children, and infants to account for cost differences. In the adult and child models, each person’s age, sex, and diagnoses are added together to produce an individual risk score. For adults, CMS has added data over time, such as enrollment duration factors and prescription drug categories (RXCs).

Where applicable, risk scores are multiplied by a cost-sharing reduction adjustment, recognizing that enrollees with lower cost-sharing use more services. CMS has maintained the same cost-sharing reduction adjustments since 2019 and proposes to do the same for 2022. The enrollment-weighted average risk score of all enrollees in a particular risk adjustment-covered plan within a geographic area is an input into the risk adjustment payment transfer formula, which determines the payment or charge an insurer will receive or have to pay under the program.

Unlike, say, the risk corridor program, risk adjustment had been relatively low-profile. Parts of the risk adjustment methodology were challenged in court, leading CMS to briefly suspend risk adjustment transfers. But that litigation was resolved in late 2019 after an appellate court upheld the challenged part of the methodology.

Risk Adjustment User Fee

The proposed risk adjustment user fee for 2022 is $0.25 per member per month, unchanged from 2021. CMS estimates that it will cost about $60 million in benefit year 2022 to operate the risk adjustment program.

Recalibration

CMS proposes to continue to use enrollee-level EDGE data from 2016, 2017, and 2018 to calibrate the risk adjustment models for 2022—instead of using data from 2017, 2018, and 2019. This is because the 2019 EDGE data is not yet available, and commenters are concerned that this lack of data could delay the final risk adjustment coefficients. In response, CMS proposes to use the three most recent consecutive years of enrollee-level EDGE data that are available in time to be included in the proposed rule. For 2022, that happens to be data from 2016, 2017, and 2018; these are the same three years of data as used for the 2021 plan year. CMS does not anticipate dramatic changes to risk scores; the use of the same data will maintain year-to-year stability in risk scores. If CMS does not finalize this proposal, it will publish final coefficients for the 2022 benefit year in guidance after the final rule is published.

With the goal of improving the accuracy of its risk adjustment models, CMS transitioned to only EDGE data for recalibration beginning with the 2021 payment rule (although this transition had been a long time coming as CMS incorporated enrollee-level EDGE data over time). CMS proposes to continue using blended, or averaged, coefficients from the three years of separately solved models for 2022 recalibration.

Risk Adjustment Model Updates

CMS proposes updates to its risk adjustment model specifications and enrollment duration factors. CMS would also continue Hepatitis C pricing adjustments.

Model Specifications

CMS has long acknowledged concerns that the risk adjustment models slightly under-predict risk for low-cost enrollees (those without HCCs) and slightly over-predict risk for high-cost enrollees (those with the highest HCC counts). The models also slightly over-predict for enrollees with low HCC counts. This discrepancy affects the risk scores of plans that enroll healthier individuals and plans that enroll the sickest individuals. To address this issue, CMS outlined various options—such as a constrained regression approach, an adjusted risk scores approach, and non-linear and count model specifications—in the 2021 payment rule but did not settle on a new approach.

Here, CMS proposes to combine a two-stage specification and add interacted HCC count factors beginning with the 2022 benefit year. These changes are quite technical and not discussed here. CMS asks for comment on whether it should pursue both the two-state specification and interacted HCC counts factors beginning with the 2022 benefit year, whether it should implement one or the other for the 2022 benefit year, or whether the changes should be delayed until the 2023 benefit year. CMS also proposes removing current severity illness indicators in the adult models beginning with the 2022 benefit year.

Enrollment Duration Factors

CMS proposes changes to enrollment duration factors in the adult model. Preliminary GFN of 2017 EDGE data showed that partial year enrollees with HCCs had higher expenditures on average compared to full-year enrollees with HCCs. At the same time, expenditures for partial year enrollees without HCCs did not differ compared to full-year enrollees without HCCs. Enrollment timing (e.g., the beginning or end of the year) also did not affect expenditures. CMS reassessed enrollment duration factors using 2018 EDGE data and reached similar conclusions. It also found that current enrollment duration factors underpredict plan liability for partial year adult enrollees with HCCs and overpredict plan liability for partial year adult enrollees without HCCs.

With this data, CMS now proposes to remove the current 11 enrollment duration factors of up to 11 months for all enrollees in the adult models and add new monthly enrollment duration factors of up to 6 months only for enrollees with HCCs. There would be no enrollment duration factors for adults without HCCs. These changes would begin with the 2022 benefit year. CMS seeks comment on whether these changes should be delayed until the 2023 benefit year and whether it should create enrollment duration factors for different lengths of time (e.g., up to 9 months).

Hepatitis C Pricing Adjustments

Consistent with prior years, CMS is concerned that the RXC for Hepatitis C does not fully account for pricing changes due to costly new Hepatitis C drugs and therefore does not accurately reflect the average cost of Hepatitis C treatments. CMS is also aware that insurers may try to influence providers’ prescribing patterns if a drug claim can trigger an increase in the enrollee’s risk score, resulting in a more favorable risk adjustment transfer.

To address these concerns, CMS proposes to continue applying a market pricing adjustment to plan liability associated with Hepatitis C drugs. Since CMS proposes relying on the same three years of EDGE data as for 2021, the market pricing adjustment here would be prior solving for coefficients for the 2022 benefit year models. This policy was first adopted in the 2020 benefit year risk adjustment models. CMS intends to reassess this pricing adjustment using EDGE data in the future.

Payment Transfer Formula

CMS proposes to continue to use the state payment transfer formula that was finalized in the 2021 payment rule. It also proposes not to republish the formula in future payment notices unless changes are being proposed. Once it has calculated the risk scores for each plan’s enrollees, CMS feeds these into its payment transfer formula to determine, for each geographic area in a state, per member per month amounts to be transferred among plans as payments or charges based on each plan’s total member months for the plan year.

Transfers are based on the statewide average premium and would be reduced by 14 percent to account for administrative costs that do not vary with claims. CMS would exclude the costs of enrollees whose claims exceed $1 million when calculating enrollee-level plan liability risk scores. Plans would be compensated directly for 60 percent of costs above the $1 million threshold. These parameters are consistent with prior years.

Future Premium Credits

Consistent with proposed changes to medical loss ratio requirements, CMS would codify its recent temporary policy of relaxed enforcement and interim final rule regarding temporary premium credits. Under this policy, insurers in the individual and small group markets can temporarily reduce monthly premiums for 2020 coverage so long as they meet certain requirements.

CMS proposes to extend this option and permit insurers to offer temporary premium credits during a declared public health emergency in the 2021 benefit year and beyond. This option would only be available when permitted by CMS. Consistent with the interim final rule, insurers with risk adjustment-covered plans would have to report the lower “adjusted plan premium” to the EDGE server. This refers to the premium amounts that are actually billed to enrollees (including any reduction in premiums because of a premium credit). The calculation of risk adjustment transfers, then, would be based on these reported premiums and statewide average premiums that reflect adjusted plan premiums. These changes would not otherwise affect the state payment transfer formula or methodology.

State-Specific Adjustments

In the 2019 payment rule, CMS gave states the flexibility to request a reduction to their risk adjustment transfers by up to 50 percent of the premium used in the applicable plan year. The goal of state-specific adjustments is to allow for risk adjustment transfers that more precisely account for differences in the risk in a state’s market.

States must demonstrate that state-specific factors warrant an adjustment and that an adjustment would have a de minimis effect on premium increases. States must submit their requests and supporting data to CMS by August 1 of each year. CMS will publish whether state reduction requests were approved or denied and can approve a reduction that is lower than what a state requested, if warranted.

For 2020 and 2021, CMS approved requests from Alabama—the only state to make such a request—to reduce risk adjustment transfers in its small group market by 50 percent. Alabama made the same request for 2022 and was, again, the only state to do so. But Alabama additionally asks to reduce transfers in its individual market by 50 percent, after previously withdrawing a similar request. State regulators continue to believe the risk adjustment program is not working as precisely as it should because Alabama has a dominant carrier in its individual and small group markets. CMS asks for comment on this proposal and will release additional documentation for public review and comment.

In lieu of annual requests and approvals, CMS proposes to allow states to request adjustments for up to three years at a time beginning with the 2023 benefit year. The process would remain the same: states would submit evidence and GFN for all years on state-specific factors, the percentage reduction requested, and a justification for the reduction. For multi-year requests, states would have to confirm no anticipated significant changes to risk pool for the relevant benefit years.

Given the new multi-year option, CMS proposes some additional procedural standards. As proposed, CMS could authorize a reduction for a shorter duration than the state requested, although states would still have the option to make another annual or multi-year request in the future. CMS could require states to submit supplemental evidence in subsequent years of a multi-year reduction request. CMS could also terminate or modify its approval at any time during an approved multi-year request if the state’s reduction request is no longer warranted. By the same token, a state could withdraw its request before the end of its approved reduction request.

RADV

To ensure that risk adjustment transfers are accurate, risk adjustment data collected from insurers must be validated, first by an independent validation auditor retained by the insurer and then by CMS. The insurer provides the auditor with demographic, enrollment, and medical record documentation for a sample of enrollees selected by CMS. The proposed 2022 payment rule includes several proposed RADV changes and complements RADV updates included in a recently finalized rule.

RADV Schedule

CMS would overhaul its timeline to collect RADV payments and charges in the same calendar year in which the RADV results are released. This schedule had been updated in the 2020 payment rule, but CMS now proposes to go back to the previous schedule. This switch is designed to accommodate stakeholder concerns about the complexity of the existing timeline, a potential conflict with state financial accounting requirements, and negative impacts on MLRs.

Beginning with the 2019 benefit year RADV, CMS would collect RADV payments and charges in the calendar year in which RADV results are released. The RADV summary report would be issued no later than early summer, and insurers would have to report those amounts in MLR reports that year. CMS would then collect and disburse RADV adjustments and default charges or allocations in the summer or fall of the year when RADV results are released.

In case clearer, here is an example for 2021 RADV payments and charges. The collection and disbursement of 2021 RADV payments and charges would begin in 2023. The summary report on 2021 RADV adjustments and default charges would be released by early summer 2023, and insurers would report those amounts in the 2022 MLR reporting year, which is due by July 31, 2023. CMS would then collect and disburse 2021 RADV payments and charges in the summer or fall of 2023.

(Though CMS proposes to update the timeline beginning with 2019 RADV, it acknowledges that the 2019 RADV process has been delayed due to the pandemic. So, if finalized, CMS would publish the 2019 and 2020 RADV reports in early summer 2022. Insurers would have to account for any payments or charges (and risk adjustment transfers for 2021) in their 2021 MLR reports due July 31, 2022. Then, CMS would begin collecting both the 2019 and 2020 RADV adjustments to transfers and disbursing payments in late summer or early fall of 2022.)

RADV Exemptions

CMS would codify a series of previously established RADV exemption for insurers. An exemption would be allowed for an insurer who only offers coverage in the small group market and exits that market but still has enrollees through the next benefit year (i.e., “carry-over” coverage). That insurer would be treated as an exiting insurer and thus exempt from RADV for the benefit year when it has carry-over coverage. An exemption would also be available for sole insurers in a state risk pool. This is because there are no risk adjustment transfers in states with only one insurer in the market.

Conflict Of Interest Standards For IVA Entities

CMS would prohibit entities that conduct initial validation audits (IVA) for RADV from doing so if the entity had a prior role regarding that insurer’s risk adjustment or EDGE server data submission process. To demonstrate that the entity is reasonably free from conflicts, the IVA entity could not have had a role in advising the insurer or establishing internal controls related to risk adjustment or the EDGE server data submission process. For example, the IVA entity could not serve as an insurer’s IVA entity and third-party administrator for these functions during the same benefit year.

Appeals And Validation

CMS would clarify requirements for RADV administrative appeals and disputes over the findings of a second validation audit. CMS previously established a three-level administrative appeals process for insurers to seek reconsideration of risk adjustment charges, payments, and user fee calculations.

CMS proposes to shorten the timeframe—from 30 days to 15 calendar days—that insurers have to confirm the findings of the second validation audit or the calculation of the risk score error rate. This change would be effective beginning with the 2020 benefit year RADV. The goal of this change is to help CMS resolve as many issues as possible ahead of releasing the RADV summary report.

Audits And Compliance Reviews

CMS proposes bolstering its audit and compliance authority and requirements related to the reinsurance and risk adjustment programs. Even though the reinsurance program ended in 2016, CMS feels the need to bolster its authority after facing significant challenges in performing reinsurance-related audits from the 2014 benefit year. Although CMS primarily uses the RADV process to audit the risk adjustment program, CMS intends to begin audits to ensure the proper payment of high-cost risk pool payments and confirm compliance with other risk adjustment requirements.

The proposed changes in this area are detailed and not fully summarized here. But the new standards generally explain the audit process, how to comply with an audit, and the consequences for failing to comply. This includes notice and conference requirements, timelines, and obligations for downstream and delegated entities. CMS would enforce audit requirements if needed by recouping unsubstantiated reinsurance or risk adjustment payments made to an insurer.

EDGE Discrepancy Materiality Threshold

Following submission of EDGE data by insurers, CMS issues a final EDGE server report and provides insurers with an opportunity to confirm that the data is accurate or identify any discrepancies. CMS then has a process to address incorrect EDGE data submissions that materially impact risk adjustment transfers. Currently, this materiality threshold is at least $10,000 or one percent of the total estimated transfer amount in the applicable state market risk pool, whichever is less.

Here, CMS proposes to codify a materiality threshold for EDGE discrepancies of at least $100,000 or one percent of the total estimated transfer amount in the applicable state market risk pool, whichever is less. If the discrepancy is non-material, CMS would take no action. Further, CMS would only take action to address material discrepancies that harm other insurers in the same state market risk pool. If the discrepancy negatively affects the insurer that submitted it (but not other insurers in the market), the submitting insurer would have to accept the consequences—even if there is a substantial monetary impact for that insurer.

As proposed, this threshold would go into effect beginning with the 2020 benefit year. This change would not affect other reasons why CMS might correct an EDGE discrepancy (such as a mathematical error or incorrect methodology, among other reasons).

Latest

Vermont Health Connect had 10 data breaches last winter

Avatar

Published

on

By

Vermont Health Connect had 10 data breaches last winter
Vermont Health Connect has set up a special enrollment period in response to the coronavirus outbreak. VHC photo

In mid-December, a Vermont Health Connect user was logging in when the names of two strangers popped up in the newly created account.

The individual, who was trying to sign up for health insurance, deleted the information that had suddenly appeared.

“It was super unsettling to think that someone is filing in my account with my information,” the person, whose name is redacted in records, wrote in a complaint to the Department of Vermont Health Access. “Just seems like the whole thing needs a big overhaul.”

It was one of 10 instances between November and February when Vermont Health Connect users reported logging to find someone else’s information on their account.

The data breaches included names of other applicants and, in some cases, their children’s names, birth dates, citizenship information, annual income, health care plans, and once, the last four digits of a Social Security number, according to nearly 900 pages of public records obtained by VTDigger. On Dec. 22, the department’s staff shut down the site to try to diagnose the problem.

While officials say the glitches have been resolved, it’s the most recent mishap for a system that has historically been plagued by security and technical issues. The breaches could be even more widespread: Administrators of Vermont Health Connect can’t tell if other, similar breaches went unreported.

“We don’t know what we don’t know,” said Jon Rajewski, a managing director at the cybersecurity response company Stroz Friedberg. Regardless of whether there are legal ramifications for the incidents, they should be taken “very seriously,” he said.

“If my data was being stored on a website that was personal, — maybe it contains names or my Social Security number, like my status of insurance… — I would expect that website to secure it and keep it safe,” he said.

“I wouldn’t want someone else to access my personal information.”

Andrea De La Bruere, executive director of the Agency of Human Services, called the data breaches “unfortunate.” But she downplayed the severity of the issues. Between November and December, 75,000 people visited the Vermont Health Connect website for a total of 330,000 page views, she said. The 10 incidents? “It’s a very uncommon thing to have happen,” she said.

De La Bruere said the issue was fixed on Feb. 17, and users had reported no similar problems since. The information that was shared was not protected health information, she added, and the breaches didn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

“No matter what the law says technically, whether it’s HIPAA-related or just one’s personal information, it’s really concerning,” said Health Care Advocate Mike Fisher.

The timing of the issue is less than ideal, he added. Thousands of Vermonters will be logging into Vermont Health Connect in the coming weeks to take advantage of discounts granted by the American Rescue Plan. “It’s super important that people can access the system, and that it’s safe and secure,” Fisher said.

A ‘major issue

The issues first arose on Nov, 12, when at least two Vermonters logged in and found information about another user, according to records obtained by VTDigger.

Department of Vermont Health Access workers flagged it as a “major issue” for their boss, Kristine Fortier, a business application support specialist for the department.

Similar incidents also occurred on Nov. 17 and 18, and later on multiple days in December.

Department of Vermont Health Access staff members appeared alarmed at the issues, and IT staff escalated the tickets to “URGENT.”

“YIKES,” wrote a staff member Brittney Richardson. While the people affected were notified, the data breaches were never made public.

State workers pressed OptumInsights, a national health care tech company that hosts and manages Vermont Health Connect, for answers. The state has contracted with the company since 2014. It has paid about $11 million a year for the past four years for maintenance and operations, with more added in “discretionary funds.”

Optum appeared unable to figure out the glitch. “It is hard to find root cause of issue,” wrote Yogi Singh, service delivery manager for Optum on Dec. 10. Optum representatives referred comments on the issues to the state.

By Dec. 14, Grant Steffens, IT manager for the department, raised the alarm. “I’m concerned on the growing number of these reports,” he wrote in an email to Optum.

The company halted the creation of new accounts on Dec, 14, and shut down the site entirely on Dec, 22 to install a temporary fix. “It’s a very complex interplay of many many pieces of software on the back end,” said Darin Prail, agency director of digital services. The complexity made it challenging to identify the problem, and to fix it without introducing any new issues, he said.

In spite of the fixes, a caller reported a similar incident on Jan. 13.

On Feb. 8, a mother logged in to find that she could see her daughter’s information. When she logged into her daughter’s account, the insurance information had been replaced by her own.

“Very weird,” the mother wrote in an emailed complaint.

Optum completed a permanent fix on Feb. 17, according to Prail. Vermont Health Connect has not had a problem since, he said.

Prail said the state had reported the issues to the Centers for Medicaid and Medicare Services as required, and had undergone a regular audit in February that had no findings. The state “persistently pressured Optum to determine the root cause and correct the issue expeditiously but at the same time, cautiously, so as to not introduce additional issues/problems,” he wrote in an email to VTDigger.

“We take reported issues like this very seriously,” he said.

A history of glitches

The state’s health exchange has been replete with problems, including significant security issues and privacy violations, since it was built in 2012 at a cost of $200 million.

The state fired its first contractor, CGI Technology Systems, in 2014. A subcontractor, Exeter, went out of business in 2015. Optum took over for CGI, and continued to provide maintenance and tech support for the system.

Don Turner
Don Turner, right, then the House minority leader, speaks in 2016 about the need to fix the state’s glitch-ridden Vermont Health Connect website. With him are Phil Scott, left, then the lieutenant governor, and Sen. Joe Benning. Photo by Erin Mansfield/VTDigger

In 2018, when Vermont Health Connect was less than 6 years old, a report dubbed the exchange outdated and “obsolete.”

Officials reported similar privacy breaches in 2013, when Vermonters saw other people’s information.

An auditor’s report in 2016 found a slew of cybersecurity flaws, and officials raised concerns again during a  2018 email breach.

It wasn’t the first time that Vermont Health Connect users had been able to view other people’s personal information. Three times since October 2019, individuals had logged in to see another individual’s insurance documents. Prail attributed those incidents to human error, not to system glitch; a staff member uploaded documents to the wrong site, he said.

In spite of the issues, Prail said he and other state officials have been happy with Optum. After years of technical challenges with Vermont Health Connect, “Optum has really picked up the ball and improved it and been running it pretty well,” he said.

Glitches are inevitable, he added, and Optum has addressed them quickly. “They took a really difficult-to-manage site and made it work pretty well,” he said. “Optum is generally quite responsive to any issues we have.”

“I find any privacy breach to be concerning,” said Scott Carbee, chief information security officer for the state. He noted that the state uses “hundreds of software systems.” “While the scope of the breaches can be mitigated, true prevention is a difficult task,” he wrote in an email to VTDigger.

Optum spokesperson Gwen Moore Holliday referred comments to the state, but said the company was “honored” to work with Vermont Health Connect “to support the health care needs of Vermont residents.”

Prail said the Agency of Human Services had no plans to halt its contract with the company. “I don’t have a complaint about Optum,” he said. “They took a really difficult-to-manage site and made it work pretty well.”

Don’t miss a thing. Sign up here to get VTDigger’s weekly email on Vermont hospitals, health care trends, insurance and state health care policy.

Help us get halfway to our Spring Drive goal. When we reach 1,5000 members, we will unlock a $10,000 match, plus 1,500 Vermont kids get a new book!

Filed under:

Health Care

Tags: data breaches, Optum, Vermont Health Connect

Katie Jickling

About Katie

Katie Jickling covers health care for VTDigger. She previously reported on Burlington city politics for Seven Days. She has freelanced and interned for half a dozen news organizations, including Vermont Public Radio, the Valley News, Northern Woodlands, Eating Well magazine and the Herald of Randolph. She is a graduate of Hamilton College and a native of Brookfield.