Allowing Insurers to Withhold Data on Enrollees’ Health Status Could Undermine Key Part of Health Reform
Data Collection Needed to Ensure Insurer Accountability and Reduce Risk of Error and Fraud
Risk adjustment is one of the critical elements of health reform (i.e., the Affordable Care Act, or ACA) that’s designed to encourage insurers to compete based on price and quality — not on attracting the healthiest enrollees and deterring those in poorer health, as they typically do today in the individual and small-group insurance markets.
Under the ACA’s risk adjustment provision, insurers in the individual and small-group markets with sicker-than-average overall enrollment will receive payments to compensate them for their resulting higher costs. The payments will come from plans that enroll healthier-than-average people who do not cost as much to cover. By compensating insurers that enroll people in poorer health, risk adjustment reduces the incentive for insurers to “cherry pick” the healthy and avoid enrolling people with chronic illnesses and other serious health conditions.
To implement this “risk adjustment” provision, the federal government proposes that the entities administering risk adjustment — states or the U.S. Department of Health and Human Services (HHS) — determine the health status of plan enrollees based on data that insurers submit to them, which is similar to how risk adjustment in Medicare works today. But some insurance companies, as well as some House Republicans, are urging the federal government to allow insurers to measure the health status of their enrollees themselves without submitting any data.
This approach would place the ACA’s risk adjustment system at substantially greater risk of widespread error and outright fraud. Because states or HHS would lack the underlying data used to measure enrollee health status, they would be far less able to ensure that they are calculating risk adjustment correctly and that insurance companies are not gaming the system. That, in turn, would undermine the credibility of the risk adjustment system among all insurers and threaten the long-term viability of the new health insurance exchanges and major insurance market reforms that take effect starting in 2014. That is why some other insurers such as Kaiser Permanente strongly support having states and the federal government determine the health status of plan enrollees based on the data they submit.
Insurance companies that want the federal government to let them withhold data on the health status of their enrollees claim that requiring them to provide such data would endanger enrollees’ privacy. But their claims do not withstand scrutiny. Medicare already collects, uses, and protects such data for tens of millions of beneficiaries. In addition, strong privacy protections would apply to risk adjustment data collection under the ACA, and the entities administering risk adjustment would not collect personal identifiers like names, addresses, and Social Security numbers. Policymakers should not weaken risk adjustment by depriving states and the federal government of the data they will need to administer it effectively.
Risk Adjustment Under the Affordable Care Act
Section 1343 of the Affordable Care Act requires all states to establish risk adjustment systems by 2014, when the health insurance exchanges and other major market reforms for the individual and small-group markets (such as a ban on charging higher premiums to people in poorer health or denying them coverage entirely) take effect. These risk adjustment systems will apply both inside the exchanges and to plans offered in individual and small-group markets that operate outside the exchanges (except for grandfathered plans or self-insured employer plans). The U.S. Department of Health and Human Services (HHS) will administer risk adjustment in states that do not elect to administer risk adjustment themselves.
To calculate which plans have sicker-than-average enrollees and thus would receive risk adjustment payments and which plans have healthier-than-average enrollees (and thus would make risk adjustment payments), “risk scores” are assigned to each enrollee; a person of average health is assigned a score of 1.0, while a person in poorer-than-average health is assigned a score of greater than 1.0 and an individual in better-than-average health is assigned a score of less than 1.0. These scores are typically based on patient diagnoses (i.e., what kind of condition they had that required treatment) as well as other factors (such as demographic characteristics like age and gender). To ensure that the diagnoses used are correct, diagnoses are usually determined based on claims and encounter data related to that enrollee. Insurers typically submit these data in specified formats to the entity administering risk adjustment.
That is how risk adjustment works in both Medicare Advantage and the Medicare Part D prescription drug benefit, as well as in some state Medicaid managed care programs. To ensure that risk scores are calculated accurately and to ensure credibility of the risk adjustment system for insurers, HHS proposes to similarly require that insurers subject to risk adjustment submit the claims and encounter data needed to calculate their plan risk scores to the entity administering risk adjustment in a given state (or to HHS, if HHS is administering risk adjustment in that state).
Proposed Alternative Would Leave System Vulnerable to Error and Fraud
Some insurance companies are mounting strong opposition to the HHS proposal on risk adjustment data submission. (As noted below, other insurers support the HHS approach.) Instead, they are pushing HHS to adopt a “distributed” approach to the collection of risk adjustment data.
Under a distributed approach, insurers would standardize their data (according to federal and state specifications), themselves apply the risk adjustment methodology and calculate their own risk scores and then simply submit those scores to the entity administering risk adjustment. Insurance companies would not provide the risk adjustment entity with any of the underlying claims and encounter data needed to determine whether the data are reliable and valid and whether the risk scores have been accurately calculated. (Insurers would be expected to make a sample of that data available after the fact for retrospective audits.)
The insurance companies promoting the distributed approach claim it would better ensure the privacy of patient data and allow insurers to protect proprietary plan information. Some House Republicans, led by Representatives Tim Huelskamp (R-KS) and Denny Rehberg (R-MT), have even argued that requiring insurers to submit these data to the states or HHS would give the government access to patient medical records. Supporters of the distributed approach argue that it would still ensure an accurate and effective risk adjustment system.
Such claims, however, do not withstand scrutiny, and the distributed approach carries a significant risk of undercutting the effectiveness of the ACA’s risk adjustment system.
- The distributed approach would likely make the risk adjustment system highly vulnerable to risk-score calculation errors by insurers. This would particularly be the case for insurers in the individual and small-group markets that lack experience with risk adjustment (i.e., insurers that do not currently contract with Medicare or Medicaid). In a number of cases, they would not have the expertise and administrative systems needed to collect valid and reliable data and format it correctly and to calculate risk scores. It would also make it exceedingly difficult for states and HHS to identify coding or other data problems and calculation errors on a timely basis. Instead, states and HHS would have to rely on the use of retrospective audits, which may not be completed for as much as three years after the relevant plan year, according to the proposed HHS regulations.
- The distributed approach would place the ACA’s risk adjustment system at significant risk of pervasive “upcoding” — the common phenomenon of risk scores increasing over time without actual changes in the health status of plan enrollees. Upcoding has been a persistent problem in the Medicare Advantage program. For example, both the Congressional Budget Office (CBO) and the Centers for Medicare and Medicaid Services, which administers Medicare, have found that risk scores increased over time due to changes in the diagnoses assigned to Medicare Advantage enrollees, even though there appeared to be no corresponding change in their health status. This has resulted in Medicare overpayments to plans. Only by comprehensively analyzing claims and encounter data that Medicare Advantage plans are required to share with the federal government was the Medicare program able to identify this problem, and Medicare now adjusts payments to Medicare Advantage plans to partially account for it, despite strong opposition by insurers to such adjustments. This analysis also helped Medicare periodically refine its risk adjustment system in order to improve its reliability and accuracy.
- The distributed approach would likely leave the system vulnerable to fraud and abuse if some insurance companies that “cherry pick” healthy individuals skewed their risk scores to lower how much they had to pay under risk adjustment. (Insurers that have a sicker-than-average enrollment could also make their enrollment appear even sicker to increase the risk adjustment payments they receive.)
- Without the underlying claims and encounter data, the entities administering risk adjustment would be unable to establish a clear audit trail, under which they could compare the data originally used to calculate risk scores with the data samples examined in retrospective audits.
- Lack of access to the data would also make it more difficult for HHS and states to refine their risk adjustment methodologies over time in order to improve their accuracy and effectiveness. Such refinements are critical. This new risk adjustment system will apply to the individual and small-group markets through which millions of people with whom insurers have had little experience will be gaining coverage; the newly insured population may differ from current enrollees in the individual and small-group markets in ways that the initial risk adjustment system may not be able to anticipate. As the American Academy of Actuaries notes, data “[c]ollection by the entity administering the risk-adjustment mechanism provides greater opportunity for audit controls and quality review as well as allowing for other uses of the data in analyzing the effectiveness of the risk-adjustment mechanism and updating the risk-assessment model.”
The greater likelihood of coding errors, upcoding, and fraud under a distributed data approach means that the risk adjustment system would almost certainly be less effective under that approach than it otherwise would be; some insurers would be overcompensated for their actual risks, while others would be significantly undercompensated. (Even if insurers submit these data as HHS has proposed, risk adjustment will still be imperfect, as the experience with Medicare Advantage’s risk adjustment system demonstrates.)
The distributed approach also would likely undercut the system’s credibility among insurers, especially in its early years, which could discourage some insurers from participating in the exchanges. In addition, it likely would lead to higher premiums in the individual and small-group markets inside and outside the exchanges, because insurers would build additional “risk charges” into their premiums to take into account the fact that risk adjustment was not working adequately. That, in turn, would likely lower exchange participation among eligible individuals and families and could compromise the viability of the exchanges over time.
In fact, that is likely why other insurers, such as Kaiser Permanente and other non-profit members of the Alliance of Community Health Plans, support HHS’ proposed data collection approach. They want to make sure that their competitors are submitting accurate data for purposes of risk adjustment and not inappropriately gaming the system.
Lack of access to the underlying risk adjustment data would also make it more difficult to enforce other important exchange requirements and insurance market reforms in the ACA. Under the “single risk pool” requirement, for example, insurers must base their premiums on the overall risk of all of their enrollees in all plans they offer inside and outside the exchanges, in order to discourage them from using certain plans to “cherry pick” healthy enrollees. Claims and encounter data would be invaluable in ensuring that insurers comply with the single risk pool requirement.
To participate in the exchange, insurers will also have to demonstrate that they are not employing marketing practices or benefit designs that discourage enrollment by individuals with significant health needs. Analysis of underlying risk adjustment data can help ensure more effective enforcement of this requirement, as well. States can carefully monitor changes in the relative health of enrollees in a plan over time using risk adjustment data to see if a plan’s marketing practices or benefit design changes have produced favorable selection over time by deterring enrollment among those in poorer health.
For all of these reasons, consumer health groups such as the American Heart Association and the American Cancer Society Cancer Action Network also strongly support the HHS approach over the distributed data approach.
HHS Approach Can Appropriately Address Privacy Concerns
While insurance companies and House Republicans who support the distributed approach argue that it is necessary to protect enrollees’ privacy, this claim ignores several fundamental facts.
- States and HHS will not be collecting any patient medical records as part of the risk adjustment system.
- HHS has announced that entities administering risk adjustment would not collect personal identifiers like names, addresses, and Social Security numbers. (The risk adjustment data used in Medicare do not include such information.) To further protect patient privacy, the final regulations could also require the specific use of “hashing” techniques, which have the effect of de-identifying claims and encounter data while still maintaining discrete data for enrollees and allowing tracking of changes in enrollee data over time.
- Under the HHS approach, privacy protections would apply to the risk adjustment data that are collected. For example, the proposed HHS regulations require that states administering risk adjustment provide administrative, physical, and technical safeguards for all data and establish privacy standards. The final regulations could also make clear that risk adjustment data must be encrypted when the claims and encounter data are submitted and stored. HHS could also work with consumer privacy advocacy groups to identify other privacy protections that could be applied to the risk adjustment data that is collected.
- Medicare already collects, uses, and successfully protects claims and encounter data for tens of millions of beneficiaries for purposes of risk adjustment under Medicare Advantage and Medicare Part D. Some state Medicaid programs do the same in setting risk-adjusted payments for managed care plans serving beneficiaries. It may be noted that the current risk adjustment systems used in Medicare Advantage and Medicare Part D, which rely on claims and encounter data being submitted by insurers, were enacted by Republican Congresses in 1997 and 2003, and implemented in large part by the Bush Administration.
Risk adjustment is an essential element of the Affordable Care Act. Letting insurers calculate their own risk scores without having to submit the underlying data needed to make sure those calculations are accurate would place the health reform law’s risk adjustment system at substantial risk of error, upcoding, and fraud, threatening the long-term success of the exchanges and the major health insurance market reforms scheduled to take effect in 2014.
Requiring insurers to submit the relevant claims and encounter data is consistent with how Medicare Advantage, Medicare Part D, and some Medicaid managed care programs work today and can be done in a way that protects patient privacy while also ensuring an accurate risk adjustment system that is credible to all insurers. That, in turn, would help to achieve a key goal of the Affordable Care Act, which is to ensure that insurers compete on the basis of price and quality, not just on whether they can attract the healthy and avoid enrolling those in poorer health.
 HHS will administer risk adjustment in states that do not elect to operate their own exchange or in states that elect to establish a state-based exchange but opt not to administer risk adjustment in their state.
 See the preamble to HHS’s proposed risk adjustment regulations at 76 Fed. Reg. 41930 (July 15, 2011).
 See, for example, Aetna, “Proposed Rule Related to Reinsurance, Risk Corridors and Risk Adjustment,” October 31, 2011; America’s Health Insurance Plans, “Proposed Rule — Standards Related to Reinsurance, Risk Corridors and Risk Adjustment (CMS-9975-P) — AHIP Comments,” October 31, 2011; and Blue Cross and Blue Shield Association, “Proposed Rules for Standards Related to Reinsurance, Risk Corridors and Risk Adjustment (CMS-9975-P),” October 31, 2011, available at regulations.gov. The Blue Cross and Blue Shield Association supports a variant of the distributed approach under which the state risk adjustment entity or HHS would request, through a web-based interface that insurers conduct certain calculations based on insurers’ claims and encounter data, including risk score calculations. But the risk adjustment entity would lack direct access to the underlying data under this variant, as under the basic distributed approach.
 See Representative Tim Huelskamp, “Obamacare HHS rule would give government everybody’s health records,” September 23, 2011, http://washingtonexaminer.com/opinion/op-eds/2011/09/obamare-hhs-rule-would-give-government-everybody-s-health-records and Representative Denny Rehberg, “Chairman Rehberg Investigates Possible Violations of Private Health Care Information Under President Obama’s Health Care Plan,” October 13, 2011, http://pressrehberg.congressnewsletter.net/mail/util.cfm?gpiv=2100078808.1461.269&gen=1. Representative Larry Bucshon (R-IN) has also introduced legislation (H.R. 3218) barring HHS from accessing data in individually identifiable form for purposes of risk adjustment.
 The insurers supporting the distributed model cite several examples of systems they believe successfully use a distributed data approach, but notably, none of them are risk adjustment systems. They point to systems for FDA medical product safety surveillance, medical research, vaccine safety, and provider quality measurement. In fact, even in the case of the FDA medical product safety surveillance system (currently under development), the FDA recently indicated that a distributed model may be insufficient in some cases and direct access to some data may be required. Food and Drug Administration, “Report to Congress: The Sentinel Initiative — A National Strategy for Monitoring Medical Product Safety,” August 19, 2011.
 See Congressional Budget Office, “Designing a Premium Support System for Medicare,” December 2006; Centers for Medicare and Medicaid Services, “Medicare Advantage Risk Adjustment Data Validation CMS-HCC Pilot Study: Report to Medicare Advantage Organizations,” July 24, 2004; Centers for Medicare and Medicaid Services, “Announcement of Calendar Year 2008 Medicare Advantage Capitation Rates and Payment Policies,” April 2, 2007; Centers for Medicare and Medicaid Services, “Advance Notice of Methodological Changes for Calendar Year 2009 for Medicare Advantage Capitation Rates and Part D Payment Policies,” February 22, 2008; Centers for Medicare and Medicaid Services, “Advance Notice of Methodological Changes for Calendar Year (CY) 2010 for Medicare Advantage (MA) Capitation Rates and Part C and Part D Payment Policies,” February 20, 2009.
 January Angeles and Edwin Park, “Upcoding Problem Exacerbates Overpayments to Medicare Advantage Plans,” Center on Budget and Policy Priorities, revised September 14, 2009.
 CMS was required by the Deficit Reduction Act of 2005 to modify the Medicare Advantage risk adjustment system to adjust for upcoding for plan years 2008-2010. Despite this statutory requirement, the Bush Administration did not address the issue due to strong opposition from the insurance industry. The Obama Administration, however, began to account for upcoding starting in the 2010 plan year. In addition, under the ACA, CMS is required to adjust for upcoding on an ongoing basis.
 American Academy of Actuaries, “Proposed rule on standards related to reinsurance, risk corridors, and risk adjustment,” October 28, 2011, available at regulations.gov.
 See, for example, Paul Van de Water, “Converting Medicare to Premium Support Would Likely Lead to Two-Tier Health Care System,” Center on Budget and Policy Priorities, September 26, 2011.
 Kaiser Permanente, “Proposed rule: Patient Protection and Affordable Care Act: Standards Related to Reinsurance, Risk Corridors and Risk Adjustment, File Code CMS-9975-P,” October 31, 2011 and Alliance for Community Health Plans, “Patient Protection and Affordable Care Act: Standards Related to Reinsurance, Risk Corridors and Risk Adjustment (CMS-9975-P),” October 20, 2011, available at regulations.gov.
 Section 1312(c) of the Affordable Care Act.
 Section 1311(c)(1)(A) of the Affordable Care Act.
 See, for example, American Cancer Society Cancer Action Network, American Heart Association, Center on Budget and Policy Priorities, Georgetown University Center for Children and Families, and Timothy Jost, “File Code CMS-9975-P (Patient Protection and Affordable Care Act; Standards Related to Reinsurance, Risk Corridors and Risk Adjustment),” October 21, 2011 (not yet available at regulations.gov) and Consumers Union, “CMS-9975-P Patient Protection and Affordable Care Act: Standards Related to Reinsurance, Risk Corridors and Risk Adjustment,” October 28, 2011, available at regulations.gov.
 A hash algorithm takes a set of data and condenses it into a representation comprised of alphanumeric characters but does not modify the original data.
 One leading consumer privacy group has also recommended that in contrast to the distributed approach, insurers be allowed to physically retain claims and encounter data but place them on dedicated “edge” servers that are fully accessible to state entities administering risk adjustment or HHS. The intent is to ensure accountability for plans and the accuracy of the underlying data while lessening the risk and severity of data breaches. This approach would have to be carefully evaluated to determine whether it would actually allow states or HHS to perform all needed functions such as ensuring that the claims and encounter data placed on the server are reliable and valid, identifying errors and upcoding on a timely basis, having a clear audit trail (i.e., ensuring that the original data placed on the edge server controlled by the insurer have not been subsequently modified), and enforcing other key exchange and market reform provisions under the Affordable Care Act. Center for Democracy and Technology, “CDT Comments to CMS-9975-P,” October 31, 2011, available at regulations.gov.