New Audits and Penalties on Medicaid Plans and Providers Related to Encounter Data in Value-Based Payment Models

Health Care and Life Sciences Client Alert

Executive Summary

For value-based payments, encounter data[1] provides valuable information in much the same way that claims data does for fee-for-service arrangements. With the growing prevalence of value-based payments, especially in the Medicaid programs, the focus on encounter data is growing. The federal government and many states are currently tying the timely submission of complete and accurate encounter data to federal payments, and are requiring states to audit Medicaid managed care plans’ encounter data. In turn, Medicaid managed care plans may be penalized financially for failing to maintain and submit such data. Plans and providers should not only be aware of this trend, but should also consider how penalties might be passed downstream. Plans and providers should also take this opportunity to ensure that their encounter data collection and submission processes are robust, accurate, and compliant with federal and state laws and regulations.


The False Claims Act (“FCA”) has long been a tool for government enforcement of health care compliance. With the general movement away from fee-for-service payments, federal and many state governments are paying fewer claims, and are increasingly making payments to plans that operate managed care programs on the government’s behalf. Changes in the payment structure, combined with the recent increased movement towards value-based payment to providers, signifies that providers do not necessarily need to submit claims to plans. As a result, the lack of claims limits the efficacy of the FCA as a fraud enforcement tool.

Along with the lack of direct claims, the shift in payments away from fee-for-service towards value-based reimbursement incentivizes a new type of potential health care fraud. In response to these concerns, the federal government has implemented requirements for the submission of encounter data, and threatens to penalize states by withholding federal matching funds for a state’s failure to accurately submit encounter data. States, in turn, may flow these penalties down to plans offering Medicaid managed care products (“MMCP”). Furthermore, while neither federal nor state laws place requirements on individual providers, plans may impose responsibilities, in addition to potential penalties, on downstream participating providers.

Federal Medicaid Managed Care Rule

On May 6, 2016, the Centers for Medicare and Medicaid Services (“CMS”) released its final rule “moderniz[ing] the Medicaid managed care regulations to reflect changes in the usage of managed care delivery systems.”[2] The rule (the “Medicaid Managed Care Rule”) introduced sweeping regulatory changes to the Medicaid and the Children’s Health Insurance Program programs. Among the imposed changes brought on by the Medicaid Managed Care Rule was the requirement that individual states require, through contract, each managed care organization (“MCO”) (as well as prepaid ambulatory health plans and prepaid inpatient health plans) to collect data on enrollee and provider characteristics, including data on all services furnished to enrollees.[3] The regulation further requires that state contracts with MCOs provide for the collection and maintenance of enrollee encounter data and the submission of such data to the state in accordance with the requirements of the regulations, CMS, and the state.[4] The new provisions apply to the rating period for contracts with MCOs beginning on or after July 1, 2017.[5]

In addition to the encounter data collection and reporting requirements, the Medicaid Managed Care Rule imposes requirements on states to monitor MCOs’ compliance with the new regulations. These compliance and monitoring requirements are “intended to address two types of program integrity risks that were of particular concern: fraud committed by Medicaid managed care plans and fraud by network providers.”[6] Amongst the new requirements is the addition of a responsibility for each state to conduct periodic audits—no less frequently than once every three years—to independently verify the “accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO . . . .”[7] States that fail to perform such audits or otherwise fail to meet the encounter data submission and review requirements contained in 42 C.F.R. § 438.242 may, after being informed of such noncompliance and failing to remedy it, have its federal financial participation withheld or deferred on “all or part of an MCO . . . contract in a manner based on the enrollee and specific service type of the noncompliant data.”[8]

While the threat of withdrawing federal financial participation is a significant cudgel for the federal government to enforce state compliance with the regulations, the Trump administration (“Administration”) has equivocated on its enforcement of Medicaid Managed Care Rule generally. During her confirmation hearings, for example, Seema Verma, the Administrator of CMS, suggested she might intervene prior to the Medicaid Managed Care Rule going into effect.[9] Many states had asked that parts of the rule be delayed due to administrative burdens. There is also discussion of a replacement to the Medicaid Managed Care Rule that would undo many of the changes.[10] The rule is, however, currently in effect. Even though the Administration has not indicated a willingness to withhold any federal financial participation, it has the authority to do so if it is so inclined.

State Regulation and the Impact on Plans

Whether or not the federal government uses the Medicaid Managed Care Rule and its associated penalties to ensure the collection of complete and accurate encounter data, many states have already enacted their own requirements for the submission of encounter data. Oftentimes, states have implemented their own penalties for noncompliance. For example:

New York:  The model contract between the state’s Department of Health and MCOs providing MMCP requires the monthly transmission of encounter data, and lays out the state’s audit rights regarding such data.[11] New York statutes, in turn, impose a penalty of 1.5 percent of an MCO’s Medicaid premiums for failure to submit the data required by the model contract on time, or for the submission of data that is incomplete, inaccurate, or causes an excessive rejection rate.[12]      

Illinois: The standard form of contract between the state’s Department of Healthcare and Family Services and MCOs contains requirements to submit encounter data, along with penalties on plans for the failure to do so, including fines and the suspension of automatic enrollment in the plan. Public records indicate that Illinois has levied fines on MCOs that fail to comply with the encounter data transmission requirements in the contract.[13]

New Jersey: The state model contract contains encounter data submission requirements, and violations can result in sanctions including the suspension of enrollment, the transfer of current enrollees to another MCO, or liquidated damages.[14]

Oregon: For many years, the state has withheld 1 percent of capitation payments to MCOs pending the satisfactory submission of encounter data.[15]

While the Medicaid Managed Care Rule may be prompting states to add requirements for the submission of encounter data, and stiffen penalties for the failure to do so, a state’s use of its respective enforcement mechanisms is not tied to the Medicaid Managed Care Rule. In spite of the equivocation on the federal level, states can levy—and some already have levied—penalties on MCOs that fail to meet the state’s requirements for the submission of encounter data.

Potential Penalties for Providers

The Medicaid Managed Care Rule imposes requirements on states to collect, and maintain encounter data from their Medicaid MCOs.  As a result, many states have imposed requirements and potential penalties on MCOs that offer MMCP. While federal and state laws and regulations do not pass any of the responsibility down to individual providers participating in Medicaid managed care plans, plans may pass the responsibility—and potential penalties—downstream to providers.

In some instances, existing agreements may already include provisions passing down to providers any penalties that are incurred by a contracted MCO.  Even if an existing agreement does not address the submission of encounter data, both providers and plans may desire to address the submission of encounter data issue when they revisit their agreement.

When the submission of encounter data issue does arise, providers and plans should consider the level of responsibility that they each have in amassing and transmitting encounter data.  It is in the best interest of all parties involved to ensure that the entity that ultimately has control over a particular aspect of encounter data (e.g., accuracy, completeness, accurate aggregation, timely reporting), also shoulders the burden of penalties for failing to meet its responsibilities.

Stakeholder Takeaway

MCOs should consider whether newly implemented regulations that have come into effect in the states in which they operate allow for penalties related to the collection of encounter data, or whether existing regulations provide vehicles for states to impose such penalties. Providers should review existing agreements with MCOs, and assess the potential passing on of such penalties, whether explicitly, or through general clauses. In addition, MCOs and providers should consider the renegotiation of both upstream and downstream agreements, due to the increased focus on encounter data, coupled with the potential penalties that are associated with its incomplete and/or inaccurate reporting.

*   *   *

This Client Alert was authored by Jackie Selby and Gregory R. Mitchell. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.



[1] “Encounter data” means “information relating to the receipt of any item(s) or service(s) by an enrollee” in a managed care organization health plan. See 42 CFR § 438.2.

[3] See 42 C.F.R. § 438.242(b).

[4] See 42 C.F.R. § 438.242(c). Medicare Advantage plans are also required to submit encounter data, through the Encounter Data System maintained by CMS, and may also be penalized for a failure to timely report complete and accurate encounter data. Because, however, Medicare Advantage plans contract directly with CMS to provide Medicare Advantage products, the pass-through of penalties from the federal government to state governments, then onto plans, as discussed in this article, is not relevant because CMS has the power to directly impose penalties on plans through their contract.

[5] See 42 C.F.R. § 438.242(e).

[7] See 42 C.F.R. § 438.602(e).

[8] See 42 C.F.R. § 438.818.

[11] New York State Department of Health, Medicaid Managed Care/Family Health Plus/HIV Special Needs Plan Model Contract (Mar. 1, 2014), available at:

[12] N.Y. Soc. Serv. Law § 364-j(32)(c).

[13] See, e.g., Letter from Illinois Department of Healthcare and Family Services to BlueCross BlueShield of Illinois, April 21, 2017, available at:

[14] New Jersey Department of Human Services, Contract Between State of New Jersey Department of Human Services Division of Medical Assistance and Health Services and Contracts (Jan 2017), available at:

[15] Oregon Health Authority, Oregon Health Plan Services Contract Coordinated Care Organization (Sep. 1, 2012), available at: