TITLE 1. ADMINISTRATION

PART 15. TEXAS HEALTH AND HUMAN SERVICES COMMISSION

CHAPTER 353. MEDICAID MANAGED CARE

SUBCHAPTER A. GENERAL PROVISIONS

1 TAC §353.6

The Executive Commissioner of the Texas Health and Human Services Commission (HHSC) adopts an amendment to §353.6, concerning Audit of Managed Care Organizations. The amendment to §353.6 is adopted with changes to the proposed text as published in the March 13, 2020, issue of the Texas Register (45 TexReg 1753). The rule will be republished.

BACKGROUND AND JUSTIFICATION

Texas Government Code §533.015(b), as amended by Senate Bill (S.B.) 200 and S.B. 207, 84th Legislature, Regular Session, 2015, directed the HHSC Executive Commissioner to issue rules defining the coordination between HHSC and HHSC-Office of Inspector General (HHSC-OIG) in conducting audits of managed care organizations (MCOs) participating in Medicaid.

To comply with Texas Government Code §533.015(b), HHSC adopted 1 Texas Administrative Code (TAC) §353.6 and §371.37, effective July 14, 2016. These rules assign authority to the HHSC Executive Commissioner for establishing policy outlining the roles and responsibilities of divisions, departments, and offices of HHSC in performing audits of MCOs. The HHSC Medicaid and CHIP Services Division, the Health and Human Services (HHS) Internal Audit Division, and HHSC-OIG are responsible for audits of MCOs and any entity with which an MCO contracts.

In 2017, the Sunset Advisory Commission reported to the 85th Legislature that HHSC and HHSC-OIG had defined their respective audit roles, jurisdiction, and frequency in the HHSC Circular C-054, but the details were not defined in rule, as required by S.B. 200 and S.B. 207. The Sunset Advisory Commission recommended that the policies be prescribed in rule.

The amendment to §353.6 is necessary to implement the Sunset Advisory Commission's recommendation by codifying in rule a more detailed description of the coordination between HHSC and HHSC-OIG in planning and conducting audits of MCOs. The adoption of the counterpart to this rule, §371.37, which concerns Audit of Managed Care Organizations by HHSC-OIG, is published elsewhere in this issue of the Texas Register.

COMMENTS

The 31-day comment period ended April 13, 2020. During this period, HHSC received comments regarding the proposed rule from the Texas Association of Health Plans, Superior HealthPlan, and Evolving Steps Counseling. A summary of comments relating to the rule, and HHSC responses, follows.

Comment: One commenter recommends not changing "MCO subcontractors" to "any entity with which an MCO contracts," as proposed in §353.6(b).

Response: HHSC made the change in §353.6(b) to make the rule consistent with how §371.37(b) refers to entities with which an MCO contracts.

Comment: Two commenters recommend that HHSC add language to §353.6 that would require HHSC to conduct each audit based on the standards outlined in the Generally Accepted Government Auditing Standards.

Response: Section 353.6 focuses on HHSC's roles and responsibilities in coordinating with HHSC-OIG when HHSC conducts audits of MCOs. Additionally, Texas Government Code §2102.011 already requires audits performed by HHS Internal Audit to conform to generally accepted governmental auditing standards. No change was made in response to this comment.

Comment: One commenter states that it is glad to see HHSC and HHSC-OIG making changes to rules to improve coordination and eliminate duplication, it agrees with language in the rules requiring HHSC and HHSC-OIG to coordinate audits to eliminate duplication of audit efforts, and it supports language in the rules requiring the development of audit plans.

Response: HHSC appreciates the supportive comment. No change was made in response to this comment.

Comment: One commenter states that, because HHSC uses old time periods for audits, policies and practices may have changed resulting in non-applicable or non-actionable audit findings. Therefore, this commenter believes it would be beneficial for HHSC to stay current on their audits and target more recent time periods.

Response: HHSC audits of MCOs, and resulting findings, are based on the statutory, regulatory, and contractual requirements in effect for the time period to be examined by the audit. Additionally, HHSC complies with all legal timeframes when choosing a particular time period to be examined by the audit. No change was made in response to this comment.

Comment: One commenter asserts that there is no benefit to multiple entities performing multiple financial audits each year, rather each entity should limit their audit to one of those types of audits per year.

Response: HHSC and HHSC-OIG strive, to the extent possible, to minimize duplication of oversight of managed care plans under Medicaid, as provided by Texas Government Code §533.015(a). No change was made in response to this comment.

Comment: One commenter states that MCOs should only be audited on existing statutory, regulatory, and contractual requirements. The commenter states further that, if during an audit, HHSC-OIG, HHSC, or any other entity believes an MCO should be conducting business in a manner that is not a current requirement either federally or by the State, that position should not be a finding, rather a discussion on potential policy changes. The commenter believes it is extremely important that findings in published audits are due to an MCO not following an existing policy and it is unreasonable to hold MCOs to a standard that is not in their contract or federally required.

Response: HHSC oversight of MCOs, and resulting findings, are based on the statutory, regulatory, and contractual requirements in effect for the time period to be examined by the review. HHSC may also identify control weaknesses or other risk factors that could contribute to future non-compliance and may offer recommendations to audited entities to address those issues. Additionally, HHSC complies with all legal timeframes when choosing a particular time period to be examined for an audit. No change was made in response to this comment.

Comment: One commenter recommends that HHSC also develop rules requiring coordination with the Texas Department of Insurance.

Response: HHSC appreciates the commenter's recommendation, however, the recommendation is beyond the scope of this rulemaking. The amendment to §353.6 implements the statutory requirements of Texas Government Code §533.015(b) by focusing on coordination between HHSC-OIG and HHSC in performing audits of MCOs. No change was made to the rule in response to this comment.

HHSC made a minor editorial change in §353.6(a) to replace "their subcontractors" with "any entity with which an MCO contracts" to make terminology in §353.6(a) consistent with §353.6(b).

STATUTORY AUTHORITY

The amendment is authorized by Texas Government Code §531.0055, which provides that the Executive Commissioner of HHSC shall adopt rules for the operation and provision of services by the health and human services agencies; §531.033, which provides the Executive Commissioner of HHSC with broad rulemaking authority; §533.015, which requires the Executive Commissioner, after consulting with HHSC-OIG, to adopt rules defining the coordination between HHSC and HHSC-OIG in the performance of audits of MCOs; and Texas Human Resources Code §32.021, which provides HHSC with the authority to administer the federal medical assistance (Medicaid) program in Texas and to adopt rules and standards for program administration.

§353.6.Audit of Managed Care Organizations.

(a) The Health and Human Services Commission (HHSC), through the Medicaid and CHIP Services Division, the Office of Inspector General (OIG), and Health and Human Services (HHS) Internal Audit Division, is responsible for audits of MCOs and any entity with which an MCO contracts.

(b) For purposes of this rule, "MCO" includes any entity with which an MCO contracts.

(c) HHSC conducts audits of MCOs, including financial audits, performance audits, compliance audits, and agreed upon procedures:

(1) with the scope and frequency necessary to provide information to allow for the effective oversight and control of the MCOs; and

(2) as necessary to comply with all federal and state laws.

(d) Medicaid and CHIP Services Division's roles and responsibilities for audits of MCOs include:

(1) determining, based on coordination with OIG about MCO audits, which audits to assign to contracted audit firms in order to eliminate duplication of audit effort and reduce the impact of potentially duplicative audits on the MCOs;

(2) coordinating with HHS Internal Audit Division to obtain delegated authority, from the State Auditor's Office (SAO), to procure audit services as required by Texas Government Code §321.020;

(3) facilitating and determining the extent of work to be performed in agreed upon procedures and audits of MCOs, through the use of contracted audit firms as part of the integrated business processes used to oversee and monitor MCOs;

(4) providing final reports of agreed upon procedures and audits to OIG, along with other information relevant to quantifying MCO performance under the contract with HHSC, including results of on-site monitoring visits, and other relevant MCO-related performance information;

(5) providing all deliverables, such as contracts, contract amendments, and audit reports, for contracted audit related engagements to HHS Internal Audit Division for delivery to the SAO; and

(6) ensuring actions planned to address audit recommendations are implemented, including actions planned by the Medicaid and CHIP Services Division or by an MCO.

(e) The OIG's roles and responsibilities, related to performing audits of MCOs, are as outlined in §371.37 of this title (relating to Audit of Managed Care Organizations).

(f) HHS Internal Audit Division's roles and responsibilities, related to audits of MCOs, are:

(1) auditing the Medicaid and CHIP Services Division and OIG, as part of its established audit authority and risk-based audit coverage, including auditing the effectiveness of coordination between the Medicaid and CHIP Services Division and OIG on the performance of MCO audits;

(2) notifying and conferring with the Medicaid and CHIP Services Division and OIG before initiating an audit of an MCO contained in the audit plan approved by the HHS Executive Commissioner;

(3) coordinating with Medicaid and CHIP Services Division when audit services need to be procured to ensure HHSC obtains the appropriate authority to procure audit services from the SAO; and

(4) coordinating with Medicaid and CHIP Services Division to ensure that all appropriate documents related to contracted audit services are obtained and provided to the SAO. These documents include executed contracts, contract amendments, and audit reports.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on July 28, 2020.

TRD-202003073

Karen Ray

Chief Counsel

Texas Health and Human Services Commission

Effective date: August 17, 2020

Proposal publication date: March 13, 2020

For further information, please call: (512) 491-4096


CHAPTER 371. MEDICAID AND OTHER HEALTH AND HUMAN SERVICES FRAUD AND ABUSE PROGRAM INTEGRITY

SUBCHAPTER B. OFFICE OF INSPECTOR GENERAL

1 TAC §371.37

The Executive Commissioner of the Texas Health and Human Services Commission (HHSC) adopts an amendment to §371.37, concerning Audit of Managed Care Organizations.

The amendment to §371.37 is adopted without changes to the proposed text as published in the March 13, 2020, issue of the Texas Register (45 TexReg 1755). The rule will not be republished.

BACKGROUND AND PURPOSE

Texas Government Code §533.015(b), as amended by Senate Bill (S.B.) 200 and S.B. 207, 84th Legislature, Regular Session, 2015, directed the HHSC Executive Commissioner to issue rules defining the coordination between HHSC and HHSC-Office of Inspector General (HHSC-OIG) in conducting audits of managed care organizations (MCOs) participating in Medicaid.

To comply with Texas Government Code §533.015(b), HHSC adopted 1 Texas Administrative Code (TAC) §353.6 and §371.37, effective July 14, 2016. These rules assign authority to the HHSC Executive Commissioner for establishing policy outlining the roles and responsibilities of divisions, departments, and offices of HHSC in performing audits of MCOs. The HHSC Medicaid and CHIP Services Division (MCSD), the Health and Human Services (HHS) Internal Audit Division, and HHSC-OIG are responsible for audits of MCOs and any entity with which an MCO contracts.

In 2017, the Sunset Advisory Commission reported to the 85th Legislature that HHSC and HHSC-OIG had defined their respective audit roles, jurisdiction, and frequency in the HHSC Circular C-054, but the details were not defined in rule, as required by S.B. 200 and S.B. 207. The Sunset Advisory Commission recommended that the policies be prescribed in rule.

The amendment to §371.37 is necessary to implement the Sunset Advisory Commission's recommendation by codifying in rule a more detailed description of the coordination between HHSC and HHSC-OIG in planning and conducting audits of MCOs. The adoption of the counterpart to this rule, §353.6, which concerns Audit of Managed Care Organizations by HHSC, is published elsewhere in this issue of the Texas Register.

COMMENTS

The 31-day comment period ended April 13, 2020. During this period, HHSC received comments regarding the proposed rule from the Texas Association of Health Plans, Superior HealthPlan, and Evolving Steps Counseling. A summary of comments relating to the rule, and HHSC responses, follow.

Comment: One commenter recommends that since HHSC-OIG is an office within HHSC it should keep the existing language in §371.37(a) and (b).

Response: While HHSC-OIG is an office within HHSC, the sentence added in the proposed amendment to §371.37(a) is based on the statutory requirements in Texas Government Code §531.102(a-5) and (a-6). The phrase "conducted independent of [HHSC]" is taken directly from Texas Government Code §531.102(a-6). In the proposed amendment to §371.37(a), HHSC also removed the reference to §353.6(d), which says "The HHSC Executive Commissioner establishes policy outlining the roles and responsibilities of the divisions and offices of HHSC [including OIG] in performing audits of participating MCOs" because the Executive Commissioner's policy establishing these roles and responsibilities is outlined in §371.37 and §353.6, as adopted in this issue of the Texas Register.

With respect to the proposed amendment to §371.37(b), OIG has broad regulatory authority to audit an MCO and the entities with which an MCO contracts to perform services under an MCO contract. HHSC-OIG has authority under 1 TAC §371.1603 to take administrative enforcement measures against any individual, partnership, corporation, professional entity, or other legal entity, based on an audit finding in the Medicaid or other HHS programs. HHSC-OIG's roles and responsibilities for coordinating with HHSC on audits of MCOs, as set forth in §371.37, apply to an HHSC-OIG audit of any entity with which an MCO contracts. Almost all of the language stricken in the amendment to §371.37(b) has been moved to other parts of the rule (see paragraphs (1), (3) and (9) in §371.37(c)). No change was made in response to this comment.

Comment: Two commenters recommend that HHSC add language to §371.37 that would require HHSC-OIG to conduct each audit based on the standards outlined in the Generally Accepted Government Auditing Standards.

Response: Section 371.37 focuses on HHSC-OIG's roles and responsibilities in coordinating with HHSC when HHSC-OIG conducts audits of MCOs. Additionally, 1 TAC §371.1719(b) already requires audits performed by HHSC-OIG to be "conducted and reported in accordance with Generally Accepted Governmental Auditing Standards or other appropriate standards recognized by the United States Government Accountability Office." No change was made in response to this comment.

Comment: One commenter states that it is glad to see HHSC and HHSC-OIG making changes to rules to improve coordination and eliminate duplication, it agrees with language in the rules requiring HHSC and HHSC-OIG to coordinate audits to eliminate duplication of audit efforts, and it supports language in the rules requiring the development of audit plans.

Response: HHSC appreciates the supportive comment. No change was made in response to this comment.

Comment: One commenter states that, because the State uses old time periods for audits, policies and practices may have changed resulting in non-applicable or non-actionable audit findings. Therefore, this commenter believes it would be beneficial for the State to stay current on their audits and target more recent time periods.

Response: HHSC-OIG audits of MCOs, and resulting findings, are based on the statutory, regulatory, and contractual requirements in effect for the time period to be examined by the audit. Additionally, HHSC-OIG complies with all legal timeframes when choosing a particular time period to be examined by the audit. No change was made in response to this comment.

Comment: One commenter asserts that there is no benefit to multiple entities performing multiple financial audits each year, rather each entity should limit their audit to one of those types of audits per year.

Response: HHSC and HHSC-OIG strive, to the extent possible, to minimize duplication of oversight of managed care plans under Medicaid, as provided by Texas Government Code §533.015(a). However, Texas Government Code §531.102(a) places responsibility on HHSC-OIG for the "prevention, detection, audit, inspection, review, and investigation of fraud, waste, and abuse in the provision and delivery of all health and human services in the state." Risk assessments, data mining, fraud referrals, or other factors may indicate an HHSC-OIG audit is necessary to fulfill its statutory responsibility in those specific circumstances, regardless of whether a more general financial audit was performed by others. No change was made in response to this comment.

Comment: One commenter states that MCOs should only be audited on existing statutory, regulatory, and contractual requirements. The commenter states further that, if during an audit, HHSC-OIG, HHSC, or any other entity believes an MCO should be conducting business in a manner that is not a current requirement either federally or by the State, that position should not be a finding, rather a discussion on potential policy changes. The commenter believes it is extremely important that findings in published audits are due to an MCO not following an existing policy and it is unreasonable to hold MCOs to a standard that is not in their contract or federally required.

Response: HHSC-OIG audits of MCOs, and resulting findings, are based on the statutory, regulatory, and contractual requirements in effect for the time period to be examined by the audit. HHSC-OIG may also identify control weaknesses or other risk factors that could contribute to future noncompliance and may offer recommendations to audited entities to address those issues. Additionally, HHSC-OIG complies with all legal timeframes when choosing a particular time period to be examined for an audit. No change was made in response to this comment.

Comment: One commenter recommends that HHSC also develop rules requiring coordination with the Texas Department of Insurance.

Response: HHSC appreciates the commenter's recommendation, however, the recommendation is beyond the scope of this rulemaking. The amendment to §371.37 implements the statutory requirements of Texas Government Code §533.015(b) by focusing on coordination between HHSC-OIG and HHSC in performing audits of MCOs. No change was made to the rule in response to this comment.

Comment: One commenter proposes adding the following language at the end of amended §371.37(a): "with a target goal of limiting the audits of the MCOs to one audit each year and with the goal of auditing recent time periods that cover a time span no greater than 18-24 months from the date that the audit is initiated."

Response: HHSC and HHSC-OIG strive, to the extent possible, to minimize duplication of oversight of managed care plans under Medicaid, as provided by Texas Government Code §533.015(a). However, Texas Government Code §531.102(a) places responsibility on HHSC-OIG for the "prevention, detection, audit, inspection, review, and investigation of fraud, waste, and abuse in the provision and delivery of all health and human services in the state." Risk assessments, data mining, fraud referrals, or other factors may indicate an HHSC-OIG audit is necessary to fulfill its statutory responsibility in those specific circumstances, regardless of whether another similar audit was performed recently. Additionally, HHSC-OIG complies with all legal timeframes when choosing a particular time period to be examined for an audit. No change was made in response to this comment.

Comment: One commenter recommends adding the following language at the end of amended §371.37(c)(1): "and determining, based on coordination with the HHS Internal Audit Division regarding MCO audits, which audits to perform in order to eliminate duplication of audit effort and reduce the impact of duplicative and multiple audits on the MCOs in a single year."

Response: HHSC and HHSC-OIG strive, to the extent possible, to minimize duplication of oversight of managed care plans under Medicaid, as provided by Texas Government Code §533.015(a). However, Texas Government Code §531.102(a) places responsibility on HHSC-OIG for the "prevention, detection, audit, inspection, review, and investigation of fraud, waste, and abuse in the provision and delivery of all health and human services in the state." Risk assessments, data mining, fraud referrals, or other factors may indicate an HHSC-OIG audit is necessary to fulfill its statutory responsibility in those specific circumstances, regardless of whether another similar audit was performed recently. No change was made in response to this comment.

Comment: One commenter recommends adding language to §371.37(c)(1) and (9) that would ensure audits are based on contractual requirements.

Response: HHSC-OIG's audit authority is not limited to audits based on contractual requirements. There are other legal requirements on MCOs in the delivery of health care, including federal and state statutes, regulation, and rules. No change was made in response to this comment.

Comment: One commenter recommends adding language to §371.37(c) that would require HHSC-OIG to (i) communicate preliminary results of MCO audits to the MCO for review and comment, (ii) consider MCO comments before finalizing MCO audit report recommendations, and (iii) share proposed audit findings with the MCO before issuing a final report to the MCO or to MCSD.

Response: Section 371.37 focuses on HHSC-OIG's roles and responsibilities in coordinating with HHSC when HHSC-OIG conducts audits of MCOs. Title 1 TAC §371.1719(b) - (d) specifically addresses HHSC-OIG audit procedures, notices, and due process requirements, including an auditee's right to receive a draft audit report and to provide a written management response to the draft audit report. No change was made in response to this comment.

Comment: One commenter submits comments, concerns and suggests a solution related to particular practices of MCOs located in the region where the commenter works.

Response: HHSC appreciates the thoughtful comment, however, it does not specifically address any proposed amendment to §371.37 and is beyond the scope of this rulemaking. These recommendations have been forwarded on to the relevant HHSC program area for review. No change was made in response to this comment.

STATUTORY AUTHORITY

The amendment is authorized by Texas Government Code §531.0055, which provides that the Executive Commissioner of HHSC shall adopt rules for the operation and provision of services by the health and human services agencies; §531.033, which provides the Executive Commissioner of HHSC with broad rulemaking authority; §533.015, which requires the Executive Commissioner, after consulting with HHSC-OIG, to adopt rules defining the coordination between HHSC and HHSC-OIG in the performance of audits of MCOs; and Texas Human Resources Code §32.021, which provides HHSC with the authority to administer the federal medical assistance (Medicaid) program in Texas and to adopt rules and standards for program administration.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on July 28, 2020.

TRD-202003074

Karen Ray

Chief Counsel

Texas Health and Human Services Commission

Effective date: August 17, 2020

Proposal publication date: March 13, 2020

For further information, please call: (512) 491-4096