Monday, June 03, 2024

What is CMS doing to quell agent/broker fraud in the ACA marketplace?

Note: All xpostfactoid subscriptions are now through Substack alone (still free), though I will continue to cross-post on this site. If you're not subscribed, please visit xpostfactoid on Substack and sign up.

Sen. Wyden puts the heat on CMS


In response to the explosion of unauthorized ACA plan switching and plan enrollment in by rogue agents in the 32 states using the federal exchange (HealthCare.gov), CMS has vowed not only to step up enforcement but to “add new technological protections to prevent such unauthorized activities from occurring.”

The core “technological” problem is pretty simple, as explained by KFF’s Julie Appleby in her story breaking the news of the escalating fraud. To enter an enrollee’s account and make any changes, such as switching her from one plan to another, an agent registered with HealthCare.gov needs only the enrollee’s name, date of birth, and state of enrollment. As Appleby pointed out, the sixteen state-based marketplaces (SBMs) that license agents (MA and RI don’t) “require more information before the account can be accessed” — usually some form of two-factor authorization — and don’t appear to be suffering from large-scale unauthorized broker activity.

CMS is not moving fast enough for Senator Ron Wyman, who this week sent a letter to CMS administrator Chiquita Brooks-LaSure expressing “outrage with reports that agents are submitting plan changes and enrollments in the Federal marketplace without the consent of the people who rely on these plans” and admonishing, “CMS must do more and you must do it now.”

Commercial web-brokers under the microscope

A primary focus of Wyden’s outrage is commercial “web-brokers” — enrollment platforms that use Enhanced Direct Enrollment (EDE) to execute enrollments in HealthCare.gov states without visibly switching the applicant (or agent submitting the application) away from the web-broker’s site. EDE entities, according to CMS, “build and host a version of the HealthCare.gov eligibility application directly on their websites that securely integrates with a back-end suite of FFE application programing interfaces (APIs) to support application, enrollment and more.” They are an “enhanced” version of the predecessor Direct Enrollment (DE), which allowed web-brokers to start and complete an application, with a redirect to HealthCare.gov to determine eligibility in between. DE has been in operation since early 2014.

Wyden writes:

Reports of bad actor agents and deceptive marketing practices are not new.1 The Trump Administration’s focus on privatizing the ACA marketplace introduced these enhanced web-broker platforms allowing brokers to bypass the benefits and protections of the ACA marketplace.2* Stakeholders have informed my staff that this problem has become widespread and more sophisticated in the ACA marketplace as bad actors with access to a consumer’s eligibility information through web-broker platforms can make plan and agent-of-record changes while keeping people and their legitimate brokers in the dark.

It’s true that unauthorized plan-switching probably could not be executed at high volume without web-brokers enabled by EDE (or DE), which provides registered agents with access to existing enrollee accounts without direct input from the enrollee — e.g., without one of the various forms of two-factor authorization required by most SBMs. DE/EDE platforms depend on and integrate with HealthCare.gov’s back end, however; an enrollment change in one platform appears in all. There should be workable security fixes to HealthCare.gov that would extend to the EDEs.

An enrollment on HealthCare.gov itself requires that the enrollee establish an account that the enrollee alone is authorized to access; EDEs do not require this. To get access and make changes to enrollment on an EDE platform, agents need provide only the aforementioned client name, DOB and state of enrollment. For an agent to get access to an existing account on HealthCare.gov and make changes is, first of all, unauthorized: agents are not authorized to log into an existing consumer account on HealthCare.gov itself (see slide 12 here). To hack in, the agent would have to provide user name and password. To create a new account on HealthCare.gov itself without authorization, an agent would have to provide not only name, DOB and state to enroll in, but a street address and email address (created easily enough) as well.

While CMS lists about 60 entities approved to use EDE, most of them are insurers licensing other platforms’ technology. There are 12 listed web-brokers and three “DE technology providers.” The vast majority of EDE-executed enrollments — about 80% — are through HealthSherpa, the dominant platform that claims to be used by 45,000 agents. In 2024, more than half of all active enrollments* in HealthCare.gov states — just shy of 7 million — were executed on HealthSherpa. But a significant number were executed on other EDE platforms — including via three web-brokers that allegedly, according to a putative class action lawsuit (discussed in this post), are owned by a pair of brokerages engaged together in massive unauthorized plan-switching.

It’s true, as Wyden asserts, that the Trump administration denigrated and defunded nonprofit “navigator” enrollment assistance program and enthusiastically supported and promoted both agents and EDE (and its predecessor, a less streamlined “Direct Enrollment” or DE). But the Obama administration and the Biden administration also both supported and fostered commercial brokerage. The Obama administration licensed five web-brokers in July 2013, before the marketplace launched, and encouraged their development of EDE’s predecessor, Direct Enrollment. HealthSherpa was executing enrollments via DE — and streamlining the HealthCare.gov process — by early 2014.

CMS was under Trump administration leadership when it developed and promoted EDE, which cut out the redirect to HealthCare.gov. But the Biden administration has gone full steam ahead with it. In January 2021 CMS asserted, “The successful full-scale implementation of Enhanced Direct Enrollment (EDE) over the past two years has yielded outstanding results for the Federally-facilitated Marketplace.” All three administrations recognized that marketplace enrollment at scale depends on agents and brokers, who executed 71% of active enrollments in HealthCare.gov states in 2023, according to a CMS presentation. And agents and brokers in turn depend on commercial platforms: 81% of broker-assisted enrollments in HealthCare.gov states were via DE or EDE, according to the same presentation.

To date, DE and EDE only work in the federal exchange, though some SBMs are considering implementing it, and CMS has accordingly updated rules for authorizing and supervising it. EDE has eased and probably stimulated broker participation in HealthCare.gov states, and may be a significant factor in the much faster enrollment growth in HealthCare.gov states than in SBM states in the past few years. (As discussed here and here, enrollment growth from 2020-2023, in states that have had SBMs in place since 2014 was 3.8%, compared to 43.3% in all states.)

In the large-scale fraud outlined in the lawsuit that’s called attention to unauthorized agent activity, EDE plays a key role. But that’s because the pair of defendant agencies allegedly executing the fraud outlined in the suit own the EDE platforms used to execute the plan switches. For at least two years, according to the complaint, the two agencies, TrueCoverage and its “downstream” partner Enhance Health, have used a web-broker, BenefitAlign, developed by TrueCoverage’s parent company, Speridian. More recently, Enhance Health bought its own EDE web-broker, Jet Health Solutions, and Speridian bought Inshura, which it deploys for other downline agencies. That’s not to suggest that the bulk of agent fraud that’s come to the surface will be traced to the defendants in this case. But owning proprietary EDEs certainly facilitates high-speed high-volume fraud.

About 80% of EDE enrollment is via HealthSherpa, which has dominated from the start and executes about half of active enrollments in HealthCare.gov states. HealthSherpa claims to serve 45,000 agents, whereas CMS says (via response to a query of mine) that 83,000 agents are registered with HealthCare.gov (up from 49,000 in 2018). When the agent of record changes on an account, HealthSherpa notifies the broker who’s been switched away from, enabling that broker to check with the client whether the change was intentional and pursue redress if it wasn’t. Presumably other EDEs — those not owned by fraudsters — do the same. But when the agent/broker effecting a plan switch uses a different EDE, the switch is invisible to the EDE where the enrollment was previously executed. Proprietary EDEs do allow agents doing unauthorized plan-switching to cover their tracks — as would, in most cases, simply using an EDE other than HealthSherpa. Then too, a significant if perhaps unsurprising amount of fraud is conducted on HealthSherpa, which reports that 0.5% of enrollments trigger a complaint. That suggests about 35,000 complaints stemming from OEP 2024, when HealthSherpa enrolled 7 million people. Of course, not all complaints are fraud, and not all fraud triggers complaints.

Security fixes: “Careful what you wish for.”

One would think that CMS could plug the security hole by adopting the form of 2-factor authorization required by the California exchange. If a Covered California enrollee opts to switch agents, the new broker hits a button on the application that sends a code to the client, who must send it back to the broker. Seems simple, and that kind of control is ubiquitous in applications generally — e.g., if you opt for 2FA in your bank account.

The intimation I’ve picked up from more than one industry participant (e.g., an agent, a web-broker, and an insurance executive) is that CMS is reluctant to implement a tech fix of this kind, because the agency does not want to slow the enrollment growth train that’s been steaming ahead as a result of a cluster of Biden-era measures. These include enhanced premium subsidies (rendering coverage free for millions of low income enrollees); year-round enrollment at low incomes (with plan-switching allowed monthly); requiring insurers to pay agents the same commissions outside of Open Enrollment as during it; and relaxed data matching requirements at low incomes. In addition to making plans far more affordable via the American Rescue Plan, which boosted subsidies, the administration has worked hard to reduce enrollment friction — which, as with U.S. government benefits generally, is widely understood to inhibit takeup by low-income, low-information enrollees.

As discussed in my first post on this issue, some forms of 2FA do provide real problems for good agents, who often must work at speed with low-income clients who can be hard to reach and not tech-savvy. As Ronnell Nolan, president and CEO of HAFA, told KHN’s Julie Appleby about CMS, “We’ve given them a whole host of ideas…They say, ‘Be careful what you wish for.’ But we don’t mind going an extra step if you can stop this fraud and abuse, because clients are being hurt.”

Sheron Sidbury, an independent broker who works in Maryland and Virginia, both now SBM states (though Virginia just left the federal exchange last year), says, "There is no logical reason why CMS will not close the backdoor to the agent access portal.

To get access to an enrollee's account in the SBMs she’s worked with, Sidbury explains, the broker must "ask [the client] for specific information from a list of official government documents. You pick one. It could be the SSN, Green Card number, driver's license, passport number, etc. In most cases the consumer gives us the SSN. That along with the D.O.B. and checking the consent box within the application allows us to gain access to the application. Without the one extra piece of data an agent cannot access the consumer's application nor become their agent." 

Sidbury adds in a followup, however, “CMS has waited so long that it is to the point the fraudsters are perfecting their craft. They are now asking for SSNs so even if CMS makes the SSN field to search for an application mandatory it will not be enough. The only thing that will work is putting protections in on the client side of the website like they do in the state based exchanges. Only the consumer can give access to their account and only the consumers can designate an AOR. It does not slow down the process once an agent is used to it.”

With regard to the argument that requiring 2FA or equivalent would inhibit low-income enrollment, Norris, who with her husband Jay operates a health insurance brokerage in Wellington, Colorado, writes, “I heard the arguments about needing it to be more open-access to help lower-income folks or those who aren't web-savvy. But Colorado has a broker portal that the agents use. They just have to set up the enrollee's account one time, and then the broker attached to the account can take care of whatever needs to be done via the broker portal. I can't see how that wouldn't work with any demographic.”

Norris adds, “If a person wants to change their broker of record, that has to be initiated by the client, via their own account. Jay can go in through the broker portal and remove himself from an existing client's account. But he can't add himself to someone's account and wouldn't be able to access someone's account via the broker portal until after he was assigned as the broker. So if someone was a DIY enrollee and then they call him looking for help, he has to walk them through the process of going into their account and adding him as a broker, and then he can provide whatever assistance they need via the broker portal. Given those parameters, it would be tough for anyone to pull off the FFM scam in CO without the client knowing anything was going on.”

Walking the client through the process of adding the broker is the kind of sometimes painstaking intervention that some who work extensively with low-income people argue may never get completed. There are tradeoffs involved in getting the right mix of security and access.

Nolan of HAFA tells me that she has discussed several tech fixes to CMS — . two-factor authorization; requiring that the agent provide SS# or immigration status equivalent to get access to the account; or sending the enrollee a “did you authorize this?” email or text message any time someone tries to access the account. Nolan suggested, however, that while CMS will likely announce new antifraud initiative soon, “there is no thought that this will be stopped by Open Enrollment. They say they’re going to do something soon, and do something bigger later.” A former CMS employee seconds this. “They don’t want to push through something half-baked.”

It’s worth noting that a variant of one Nolan’s proposals — the “someone is trying to access your account” alert — is currently being piloted by HealthSherpa. At present about 25% of new agent-assisted enrollees in HealthSherpa receive a message spelling out that an agent (identified by name) has submitted an application on the recipient’s behalf for enrollment in a specific plan issue. The message prompts the enrollee to review the application and report fraud (by clicking a prompt in the message) if she did not authorize the agent to act on her behalf. Controls of this sort only work if the purported client receives the message or pays any attention to it. Still, when fully operative, it could detect a significant proportion of fraud, and so perhaps serve as an effective deterrent.

Regulatory and enforcement measures

HAFA, according to Nolan, is working with CMS and state insurance departments both to streamline the process by which enrollees can support fraud and to crack down on bad actors — which according to Nolan are concentrated in Florida — more quickly.

The former CMS official I spoke to also urges swifter action against agents who violate client consent requirements or show evidence of unauthorized plan-switching or enrollment. At present, due process procedures require several months before HealthCare.gov an agent can be de-registered. To change administrative procedure quickly, however, requires outside pressure — “it would take a White House-level intervention to get OGC (the HHS Office of General Counsel) to reconsider some of this stuff.”

Another regulatory step that could inhibit unauthorized plan-switching is to repeal a part of the rule granting a monthly “Special Enrollment Period” (effectively year-round open enrollment) to any subsidy-eligible applicant with an income below 150% FPL (for whom benchmark silver coverage is available for zero premium). The same rule also allows monthly plan-switching for anyone with income below that threshold — creating open season for unscrupulous agents. The plan-switching option could be limited to allowing under-150% FPL enrollees to switch from bronze plans to silver, which thanks to the Cost Sharing Reduction (CSR) that attaches only to silver plans, would reduce their out-of-pocket exposure by thousands of dollars.

* * *

In the article that broke the news of this scandal, KHN’s Julie Appleby wrote … that the rash of unauthorized plan-switching “casts a shadow on what otherwise has been a record year for ACA enrollment.” That is true. CMS has acknowledged detecting 40,000 unauthorized plan switches and 50,000 unauthorized enrollments by agents and brokers in the first months of 2024. That’s out of some 16 million enrollments — but incidence is surely higher than detected incidence. CMS may not want to act precipitously in adding friction to the current system, and they may be chary of killing the golden goose of multi-year dramatic enrollment growth. But if they don’t get a handle on this scandal, public perceptions of the trustworthiness and usability of marketplace coverage may suffer severe damage.

- - -

*The footnote to Wyden’s assertion that EDEs “allo[w] brokers to bypass the benefits and protections of the ACA marketplace” goes to a 2019 Center for Budget and Policy Priorities brief by Tara Straw that deals with problems other than unauthorized agent activity. Writing after the Trump administration stood up a market for medically underwritten, ACA-noncompliant “short term” plans (allowing those plans full-year terms), Straw warned that some entities deploying EDE (as the EDE platforms allow agents and agencies to privately brand their technology) were steering site visitors to the ACA-noncompliant plans. Such plans could not be sold on an EDE platform, but broker sites that include an EDE platform could divert visitors. The brief also warned that agents deploying EDE in some cases would not show all carriers and plans available in the visitor’s region, and also might obscure a visitor’s eligibility for Medicaid. None of these potential problems pertain to unauthorized plan switching or unauthorized enrollment.

A note on terminology: In the trade, the terms “agent” and “broker” appear to be used interchangeably, and those who sell insurance seem to refer to themselves more commonly as agents, so I’ve used “agent” as the default term. It was my prior understanding that an agent worked for one insurer and a broker worked for many, but that distinction doesn’t seem to be in current usage, at least in health insurance.


No comments:

Post a Comment