U.S. Department of Health and Human Services Office of Inspector General Issue Brief April 2021, OEI-03-19-00432 Medicare Advantage Organizations Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity This issue brief summarizes results from our evaluation of Medicare Advantage organizations' (MAOs') use of National Provider Key Results Identifiers (NPIs) for physicians and nonphysician practitioners who Although many MAOs use order and/or refer high-risk services-i.e., durable medical identifiers for ordering providers equipment, prosthetics, orthotics, and supplies (DMEPOS); clinical to conduct oversight activities, laboratory services; imaging services; and home health services-for other MAOs are missing opportunities to safeguard Medicare Advantage (MA) enrollees. (In this issue brief, we refer to Medicare Advantage program these providers as ordering providers.) integrity. Why OIG Did This Review NPIs for ordering providers are essential for safeguarding the program integrity of high-risk services in Medicare. For these services, NPIs are critical for identifying patterns of inappropriate billing and ordering among providers and investigating fraud and abuse. Both the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) rely on ordering provider NPIs (hereafter ordering NPIs) to conduct oversight and pursue fraud investigations. However, prior OIG work found that these NPIs were largely absent from CMS's MA encounter data, despite evidence that many MAOs can-and do-already collect this information. (Encounter data are detailed information submitted by MAOs to CMS regarding each service provided to MA beneficiaries.) As a result, OIG recommended that CMS establish and enforce requirements for MAOs to submit ordering NPIs for high-risk services. Findings from this issue brief may be useful as CMS considers requiring MAOs to collect and use ordering NPIs for MAOs' program integrity oversight activities. How OIG Did This Review To determine the extent to which MAOs conducted program integrity oversight activities by using ordering NPIs submitted by providers and/or suppliers of high-risk services, we administered an online survey to a stratified random sample of 200 MAOs from February to March 2020. We received responses from 179 MAOs. This is the second OIG issue brief that analyzes data from this survey; the first was released in August 2020 and focused on the extent to which MAOs collected ordering NPIs and submitted these identifiers to CMS's MA Encounter Data System. What OIG Found Almost half of the MAOs that lack ordering NPIs on at least some MA encounter records raised concerns that this hinders their data analysis for program integrity. Among MAOs that collect any ordering NPIs, most use these NPIs to conduct oversight activities-such as analyses that detect potential fraud schemes-but one in five of these MAOs does not perform program integrity oversight using ordering NPIs, despite having the data to do so. Furthermore, when MAOs collect ordering NPIs on MA encounter records, most do not validate these NPIs against CMS's NPI registry. These findings indicate that there are unrealized opportunities for MAOs to use ordering NPIs to protect the MA program against fraud and abuse. What OIG Recommends This evaluation adds support for OIG's existing recommendations that CMS: • require MAOs to submit the ordering NPIs on encounter records for DMEPOS and for clinical laboratory, imaging, and home health services; and • establish and implement "reject edits" that (1) reject encounter records in which the ordering NPIs is not present when required and (2) reject encounter records that contain an ordering NPIs that is not a valid and active NPI in the CMS's NPI registry. On the basis of this evaluation, we are making a new recommendation that CMS should encourage MAOs to perform program integrity oversight using ordering NPIs. CMS neither concurred nor nonconcurred with this recommendation and stated that it would consider whether additional education is needed for MAOs regarding the role that ordering NPIs can play in program integrity oversight. BACKGROUND DMEPOS and clinical laboratory, imaging, and home health services are vulnerable to fraud DMEPOS and clinical laboratory, imaging, and home health services have a history of being vulnerable to fraud. (In this issue brief, we refer collectively to DMEPOS and these services as high-risk services.) In 2019, law enforcement identified DMEPOS suppliers that allegedly paid kickbacks to providers who ordered medically unnecessary DMEPOS for Medicare beneficiaries, potentially defrauding taxpayers out of $900 million. 1 In addition, a separate scheme involved a laboratory that allegedly paid kickbacks to ordering providers and fraudulently billed Medicare $1.7 billion for genetic tests that were not medically necessary. 2 For these high-risk services, ordering providers should act as gatekeepers against inappropriate payments, as they determine whether these services are medically necessary and appropriate for the patients they treat. Having access to identifiers for these ordering providers is essential for effective oversight of these services, and analysis of ordering NPIs is critical for identifying inappropriate billing and ordering patterns among providers. Both CMS and OIG rely on these identifiers to conduct oversight and enforcement work. CMS requires MAOs to safeguard MA program integrity Under MA, also known as Medicare Part C, CMS contracts with private insurance companies, known as MAOs, to provide coverage of Medicare Part A and B services through private health plan options. In 2020, 40 percent of Medicare beneficiaries -25 million beneficiaries-elected to enroll in the MA program rather than the Medicare fee-for-service program. 3 In fiscal year 2020, MA program expenses were $314 billion of the total $780 billion in Medicare benefit payments. 4 CMS requires MAOs to implement effective compliance programs that include measures to safeguard the MA program from fraud, waste, and abuse. 5 To implement an effective compliance program, MAOs may perform data analysis to identify unusual patterns suggesting potential errors and/or potential fraud and abuse. 6 CMS recommends that this data analysis should, in part, establish baseline data to enable the MAO to recognize unusual trends and provider referral patterns. In addition, as part of MAOs' monitoring of providers in their network, CMS suggests that MAOs review Prescribing and Referral Patterns by Physician Reports, which identify the numbers of referrals from particular providers. 7 CMS also requires MAOs to submit encounter records that contain detailed information regarding services provided to MA beneficiaries. However, CMS does not currently require MAOs to submit the ordering NPI on encounter records for any high-risk services. In January 2020, CMS issued a memo acknowledging that a lack of ordering Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Background | 1 provider information in encounter records for DMEPOS and clinical laboratory, imaging, and home health services hinders potential program integrity efforts. 8 As such, CMS encouraged MAOs to monitor, evaluate, and take measures to ensure appropriate submission of ordering provider identifiers for MA encounter records. Prior OIG work found that CMS's encounter data lacked ordering NPIs that MAOs have the ability to collect This issue brief builds on prior OIG work related to ordering NPIs in the MA program. In 2018, OIG found that ordering NPIs were absent from 63 percent of MA encounter records for high-risk services from the first quarter of 2014. 9 In 2020, OIG found that NPIs for ordering providers continued to be absent from 60 percent of MA encounter records for high-risk services from 2018, even though (1) almost all MAOs reported that their data systems can receive and store this information, and (2) the majority of MAOs reported that they collect ordering NPIs on at least half of their MA encounter records for DMEPOS, imaging services, and laboratory services. 10 As a result of these findings, OIG has recommended that CMS require MAOs to submit the ordering NPI on encounter records for high-risk services. In addition, OIG has recommended that CMS establish and implement what are known as "reject edits" for certain types of encounter records, such as those related to high-risk services. Such edits would (1) reject records in which the NPI and/or name for the ordering provider is not present; and (2) reject records that contain an ordering NPI that is not valid and active in CMS's NPI registry-the National Plan and Provider Enumeration System (NPPES). 11 CMS concurred with our first recommendation and is exploring implementation of a requirement for MAOs to submit the ordering NPI on encounter records for high-risk services. CMS did not concur with our second recommendation and stated that it would be premature to establish and implement reject edits until it had explored the requirement for MAOs to submit the ordering NPI on encounter records for high-risk services. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Background | 2 FINDINGS The lack of ordering NPIs on some MA encounter records hinders program integrity oversight by MAOs Almost half of the MAOs that lack ordering NPIs on some MA encounter records stated that this hinders their data analysis for program integrity. Many of the MAOs that we "If the ordering surveyed (81 of 179) lacked NPIs on at least some of their encounter records. 12 Of these provider NPI is not MAOs, almost half (36 of 81) raised concerns that this lack of ordering NPIs hinders their present on the claim, analysis for Medicare performance of data analysis for program integrity oversight of high-risk services. Advantage Some MAOs indicated that their lack of ordering NPIs creates additional resource program integrity burdens and delays for safeguarding MA program integrity. For example, one MAO is more difficult and explained that "without the ordering physician NPI, medical records must be requested less timely." from the provider to determine who ordered the services." Another MAO explained, "If ordering NPI is not present or available in the data, [our] Special Investigation Unit will -MAO respondent manually search for NPI numbers for data analysis." MAOs generally did not collect-in place of NPIs-other identifiers for ordering providers that could be used for program integrity oversight In the absence of NPIs, Exhibit 1: MAOs whose lack of ordering NPIs MAOs could use other hindered their program integrity oversight also identifying information lacked other ordering provider identifiers about ordering providers-such as their names, their Employer Identification Numbers, or their medical license numbers-to identify patterns of questionable billing. However, among MAOs that reported that their lack of ordering NPIs hinders their program integrity efforts, most (27 of 36 MAOs) generally Source: OIG analysis of MAO responses to 2020 OIG survey. did not collect other identifiers for any of the high-risk services, as shown in Exhibit 1. 13 Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Findings | 3 Among MAOs that collect ordering NPIs, most but not all leverage this critical information to safeguard the MA program Seventy-nine percent of the MAOs that collect ordering NPIs use these NPIs to conduct program integrity oversight Of the MAOs that collected Exhibit 2: MAOs use ordering NPIs to ordering NPIs on any MA perform a variety of oversight activities encounter records, most (139 of 175) stated that they use these NPIs to perform program integrity activities for at least 1 of the 4 high-risk services. For example, MAOs may use ordering NPIs to detect potential fraud schemes, identify providers who are excessively ordering certain services or billing for medically unnecessary services, or to validate the identity of new, noncontracted providers. Other examples of oversight activities performed by MAOs are shown in Exhibit 2. Source: OIG analysis of MAO responses to 2020 OIG survey. The remaining 21 percent do not use ordering NPIs to conduct program integrity oversight In the Medicare Managed Care Manual, CMS states that MAOs must perform effective monitoring to prevent and detect fraud, waste, and abuse, and that they may accomplish this using data analysis. Specifically, CMS recommends that MAOs use data analysis to establish baseline data by which to recognize-among other things-unusual patterns of referrals. 14 Despite this guidance, 21 percent of MAOs that collected ordering NPIs for any of the high-risk services (36 of 175) did not perform program integrity oversight that used these NPIs. Ten of these 36 MAOs reported that providers submitted ordering NPIs on most of their MA encounter records for each of the high-risk services-yet these 10 MAOs still did not leverage the potential of these data for program integrity oversight. 15 An additional 14 of these 36 MAOs reported that providers submitted ordering NPIs on most of their MA encounter records for at least 1 of these high-risk services, and yet these 14 MAOs did not regularly use these data to perform program integrity oversight for that service. 16 Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Findings | 4 Most MAOs that collect ordering NPIs do not validate them against CMS's NPI registry Most MAOs do not verify that the ordering NPI is in CMS's NPI registry when they receive an MA encounter record for a high-risk service. In general, to provide services to Medicare beneficiaries, a provider should have a valid and active NPI in CMS's NPI registry. Among MAOs that collected at least some ordering NPIs for each of the four high-risk services, three-quarters did not verify for at least one service type that these NPIs were present in the NPI registry. 17 Within each individual service type, more than 70 percent of the MAOs that collected ordering NPIs did not verify that NPIs were present in the NPI registry, as shown in Exhibit 3. Exhibit 3: Most MAOs do not verify that the ordering NPI is present in CMS's NPI registry Source: OIG analysis of MAO responses to 2020 OIG survey. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Findings | 5 CONCLUSION AND RECOMMENDATION CMS and OIG agree that ordering NPIs are critical for identifying patterns of questionable billing and pursuing fraud investigations for services that have a history of being vulnerable to fraud. However, previous OIG work found that these NPIs have been largely absent from CMS's MA encounter data, despite evidence that many MAOs can-and do -already collect this information. Therefore, OIG recommended that CMS establish and enforce requirements for MAOs to submit ordering NPIs for applicable services. In response to our previous work, CMS stated that it is exploring implementation of a requirement for MAOs to submit the ordering NPI on encounter records for high-risk services. Findings from our recent survey of MAOs may be useful as CMS continues to explore implementing this requirement. We found many MAOs acknowledge that the absence of ordering NPIs on even a small portion of encounter records can hinder their performance of data analysis for MA program integrity. Despite this hindrance, the landscape is promising in how MAOs are leveraging the NPI data that they do have. However, more widespread use is needed. While most MAOs are using their ordering NPIs to conduct program integrity oversight activities-such as analysis that detects potential fraud schemes-a fifth of MAOs are missing this opportunity completely. In addition, most MAOs do not verify that the ordering NPI is present in CMS's NPI registry when they receive this information on an MA encounter record. This creates a vulnerability by increasing the risk that invalid, inactive, or fraudulent providers are ordering high-risk services. Taken together, our findings indicate that (1) many MAOs agree that increased collection of ordering NPIs has the potential to strengthen their oversight of high-risk services and (2) there are unrealized opportunities for MAOs to use their existing data on ordering NPIs to safeguard the MA program against fraud and abuse. Therefore, this evaluation adds support to OIG's existing recommendations that CMS: • require MAOs to submit the ordering NPI on encounter records for DMEPOS and for clinical laboratory, imaging, and home health services and • establish and implement "reject edits" that (1) reject encounter records in which the ordering NPI is not present when required and (2) reject encounter records that contain an ordering NPI that is not a valid and active NPI in the NPPES registry. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Conclusion and Recommendation | 6 We recommend that CMS: Encourage MAOs to perform program integrity oversight using ordering NPIs Federal regulations require MAOs to perform effective monitoring to prevent and detect fraud, waste, and abuse. 18 We found that MAOs did not always perform program integrity oversight that used these NPIs. Therefore, CMS should encourage MAOs to conduct oversight activities using ordering NPIs in order to safeguard the MA program from fraud and abuse. Such efforts may include, but are not limited to: • issuing clear and specific guidance about using ordering NPIs to conduct oversight, such as performing data analyses to detect potential fraud; • developing a best practices toolkit that outlines effective methods for data analyses that use ordering NPIs and highlights the benefits and return on investment in performing these analyses; • assessing MAOs' use of ordering NPIs to conduct oversight activities as part of Compliance Program Effectiveness audits or through other assessments; and/or • identifying MAOs that do not use ordering NPIs to conduct oversight and providing education and outreach to these MAOs. To assist CMS in identifying these MAOs, OIG will send CMS a list of the 36 MAOs from our sample that collected ordering NPIs on MA encounter records for high-risk services but did not perform any program integrity oversight that used these NPIs. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Conclusion and Recommendation | 7 AGENCY COMMENTS AND OIG RESPONSE CMS neither concurred nor nonconcurred with our recommendation to encourage MAOs to conduct oversight activities using ordering NPIs in order to safeguard the MA program from fraud and abuse. Instead, CMS stated that it would consider whether additional education is needed for MAOs regarding the role that ordering NPIs can play in program integrity oversight. In addition, CMS noted that it released a memo in January 2020 encouraging MAOs to monitor, evaluate, and take measures to ensure appropriate submission of ordering provider identifiers in encounter records. We continue to recommend that CMS take additional steps, such as those we described in our recommendation, to promote MAOs' use of NPIs for program integrity activities. We also ask that CMS include any plans to do so in its Final Management Decision. Appendix A provides the full text of CMS's comments. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Agency Comments and OIG Response | 8 APPENDIX A Agency Comments Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Appendix A | 9 Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Appendix A | 10 METHODOLOGY MAO Survey From February to March 2020, we administered an online survey to a stratified random sample of 200 MAOs. We selected MAOs that (1) provided active plans as of January 1, 2017, and continued to be active in 2020; 19 (2) offered coordinated care plans, medical savings accounts, or private fee-for-service plans; 20 and (3) submitted 2017 records to CMS's MA encounter data for DMEPOS, clinical laboratory services, imaging services, and/or home health services. 21 The first stratum included all 33 of the MAOs that did not have an ordering NPI on any of their 2017 records in CMS's MA encounter data. 22 We separated these 33 MAOs into their own stratum because we were particularly interested in learning about their procedures related to encounter records. The second stratum included 167 MAOs randomly selected from the 361 MAOs that had at least 1 ordering NPI on their 2017 records in CMS's MA encounter data. We analyzed survey responses from 179 MAOs, 29 from the first stratum and 150 from the second stratum. We reported our findings based on the responses of the sampled MAOs-we did not project our results to the sample population. This is the second OIG issue brief that analyzes data from this survey; the first was released in August 2020 and focused on the extent to which MAOs collect ordering NPIs and submit these identifiers to CMS's MA Encounter Data System. Limitations Most MAOs estimated the percentage of their MA encounter records on which providers submit ordering NPIs and other kinds of identifiers for each high-risk service. Standards We conducted this study in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Methodology | 11 ACKNOWLEDGMENTS AND CONTACT Acknowledgments Maria Johnson served as the team leader for this study. Others in the Office of Evaluation and Inspections who conducted the study include Robert Kirkner. Office of Evaluation and Inspections headquarters staff who provided support include Joe Chiarenzelli, Althea Hosein, and Christine Moritz. Other Office of Inspector General staff who provided support include Marissa Baron and Julie Brown. This report was prepared under the direction of Linda Ragone, Regional Inspector General for Evaluation and Inspections in the Philadelphia regional office, and Joanna Bisgaier, Deputy Regional Inspector General. Contact To obtain additional information concerning this report, contact the Office of Public Affairs at Public.Affairs@oig.hhs.gov. OIG reports and other information can be found on the OIG website at oig.hhs.gov. Office of Inspector General U.S. Department of Health and Human Services 330 Independence Avenue, SW Washington, DC 20201 Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Acknowledgments and Contact | 12 ENDNOTES 1OIG, Media Materials: Nationwide Brace Scam, April 2019. Accessed at https://www.oig.hhs.gov/newsroom/media- materials/2019/bracescam/ on December 18, 2019. 2CMS, Operation Double Helix Takes Action in One of the Largest Health Care Fraud Schemes Ever Charged, September 2019. Accessed at https://www.cms.gov/About-CMS/Components/CPI/CPI-Spotlight-Archive on January 7, 2021. 3CMS, CMS Fast Facts, July 2020. Accessed at https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends- and-Reports/CMS-Fast-Facts on December 7, 2020. 4 CMS, Financial Report Fiscal Year 2020, November 2020, p. 53. Accessed at https://www.cms.gov/files/document/cms- financial-report-fiscal-year-2020.pdf on December 7, 2020. 5 42 CFR §422.503. 6CMS, Medicare Managed Care Manual, Pub. No. 100-16 (Rev. 110, 01-11-13), ch. 21, § 50.6.9. Accessed at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf on August 21, 2020. 7CMS, Medicare Managed Care Manual, Pub. No. 100-16 (Rev. 110, 01-11-13), ch. 21, § 50.6.6. Accessed at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf on August 21, 2020. 8 CMS, Referring Provider Identifiers for Medicare Part C Durable Medical Equipment (DME) Encounters, January 2020. 9OIG, Medicare Advantage Encounter Data Show Promise for Program Oversight, but Improvements Are Needed, OEI-03-15-00060, January 2018. OIG, CMS's Encounter Data Lack Essential Information that Medicare Advantage Organizations Have the Ability to Collect, 10 OEI-03-19-00430, August 2020. 11CMS uses the NPPES to assign NPIs, maintain information about health care providers with NPIs, and disseminate the NPI Registry and NPPES downloadable files. See CMS, Medicare Learning Network, NPI: What You Need to Know, December 2016. Accessed at https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/NPI- What-You-Need-To-Know.pdf on June 1, 2020. 12These 81 MAOs both (1) reported that providers and/or suppliers submitted ordering NPIs on less than 90 percent of their MA encounter records for DMEPOS, and clinical laboratory, imaging, and home health services and (2) responded to our survey question about whether their lack of ordering NPIs hinders their performance of data analysis for MA program integrity oversight. 13 By"generally did not collect," we mean that an MAO did not collect other kinds of ordering provider identifiers on more than 60 percent of encounter records for each high-risk service. 14CMS, Medicare Managed Care Manual, Pub. No. 100-16 (Rev. 110, 01-11-13), ch. 21, § 50.6.9. Accessed at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf on August 21, 2020. 15These 10 MAOs reported that providers and/or suppliers submitted ordering NPIs on 70 percent or more of their MA encounter records for DMEPOS and clinical laboratory, imaging, and home health services. 16These 14 MAOs reported that providers and/or suppliers submitted ordering NPIs on 70 percent or more of their MA encounter records for at least 1, but not all, of the 4 high-risk services. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Endnotes | 13 17Of the 149 MAOs that (1) collect ordering NPIs on MA encounter records for DMEPOS, and clinical laboratory, imaging, and home health services and (2) responded to our survey questions about NPPES verification, 116 (78 percent) do not verify that ordering NPIs are present in the NPPES when they receive an encounter record. Two of these 116 MAOs indicated that -although they do not verify ordering NPIs are present in the NPPES when they receive an encounter record-they may verify this information at another time. 18 42 CFR § 422.503. 19We used the 2017 Contract Information Extract from CMS's Health Plan Management System to determine MAOs with contract dates effective as of January 1, 2017, and we used the 2020 Contract Information Extract to confirm which MAOs continued to be active in 2020. We then used the 2017 encounter data to stratify MAOs on the basis of their submission of ordering NPIs on 2017 encounter records. 20We did not include MAOs that offer cost plans, demonstration plans, or program of all-inclusive care for the elderly (PACE) organizations, as these may have different compliance program requirements. 21 For encounter records with dates of service in 2017, we identified DMEPOS records as records with claim type code 4800; clinical laboratory records as records with claim type code 4700 and at least one service line with Berenson-Eggers Type of Service (BETOS) codes T1A through T1H; imaging records as records with claim type code 4700 and at least one service line with BETOS codes I1A through I4B; and home health records as records with claim type codes 4032, 4033, or 4034. 22 Data elements for ordering NPIs are located in both the header and service-line portion of a service record. For DMEPOS, clinical laboratory, and imaging records, we considered an encounter record to be missing an ordering NPI if it was missing from the header as well as from all the service lines. For home health records, we considered an encounter record to be missing an ordering NPI if it was missing all of the three following data elements from the header and all service lines: (1) ordering NPI, (2) attending provider NPI, and (3) "other provider" NPI. Issue Brief: MAOs Are Missing Opportunities To Use Ordering Provider Identifiers To Protect Program Integrity OEI-03-19-00432 Endnotes | 14