Sunday, September 08, 2024

CMS cracks down on agent fraud

Note: All xpostfactoid subscriptions are now through Substack alone (still free), though I will continue to cross-post on this site. If you're not subscribed, please visit xpostfactoid on Substack and sign up.

In my last post, I recounted that after months of apparent passivity in response to a rising tide of agent fraud in the federal ACA marketplace (HealthCare.gov, used by 32 states), CMS dropped a hammer in July. To quell unauthorized plan-switching by agents assigning existing enrollees to themselves, CMS required agents seeking to act on an existing account with a different Agent Of Record or with no AOR to either conduct a three-way call with the client and the marketplace center, in which the client authorizes the new agent to act on her behalf, or have the client click the final button after an agent makes changes to the account on a commercial Enhanced Direct Enrollment (EDE) platform.

(For background on the plan-switching scandal see the initial KHN coverage. For background on the role of EDE platforms in marketplace enrollment and agent fraud, see this post.)


In practice, the latter option meant using a workaround deployed by HealthSherpa, the dominant EDE platform, whereby an agent would text a link to the new client’s phone number, enabling the client to execute the changes input by the agent. After that procedure had been operative for a few days, however, CMS shut it down, apparently concerned that some agents might be faking the phone number to which the link was sent. Reportedly, a revised HealthSherpa workaround will go live in September, or at least before Open Enrolment begins on November 1, requiring client i.d.-proofing rather than just a client phone number. While CMS had long resisted deploying the relatively simple two-factor authorization required by Covered California and other state-based exchanges before an agent could be newly assigned to an existing account, CMS has now created a system with more intrusive security measures.


Now it appears that enforcement action against agents suspected of fraud or lesser noncompliant practice may be following the same pattern: a long period of passivity followed by a sudden crackdown.

As I noted in my last post, as recently as late July Ronnell Nolan, president and CEO of Health Agents for America (HAFA), complained that the 200 agents CMS had reported suspending as of July 19 was a “very low” total. In a prior post, I cited a former CMS official who noted that existing due process procedures require several months before an agent can be de-registered from HealthCare.gov. To change administrative procedure quickly would require “White House-level intervention,” this former official speculated.


Perhaps that intervention happened — or perhaps pressure from both sides of the aisle in Congress has had a similar effect. According to HAFA’s Nolan, CMS is suddenly suspending agents on suspicion of fraud — and, she claims, “they’re pulling certifications for innocent people, going after good agents.” As described by Nolan, CMS suspends a flagged agent for 30 days and demands documentation — e.g., client consent forms — for enrollments deemed suspect, without telling the client why the enrollments are deemed suspect — “and they’re guilty until proven innocent.”

While client consent has always nominally been required for an agent to act on an account, the form such consent must take was all but undefined until publication in 2023 of the National Benefit and Payment Parameters for 2024 (the new requirements are summarized in this CMS FAQ released last September). Nolan claims that agents are being asked for consent documentation from 2021 and 2022 — “prior to when you actually had to have consent” (or document it in specified ways). She says that CMS is identifying suspect cases by algorithm — for example, if an agent has a cluster of enrollments submitted with no social security number. While CMS frowns on applications with no SS number, it does permit them, and some types of legally present noncitizens eligible for marketplace coverage (e.g., international students) do not have them. Once the agent has submitted required documents, Nolan says, CMS has 45 days to review them and make a determination, “and there’s no appeals process.” If found ‘guilty,’ agents lose their licenses for a year.


The heart of the HAFA complaint here is that CMS is flagging agents deemed suspect primarily by algorithm, and that the process by which the agency determines whether an agent should be suspended is opaque.


In a somewhat different context, with respect to HAFA’s prior proposals that CMS use some form of two-factor authorization to prevent unauthorized agent activity, Nolan says she was told “be careful what you wish for.” The same principle seems to apply to CMS oversight of suspect activity.

No comments:

Post a Comment