Centers for Medicare and Medicaid Services Response to Public Comments Received for CMS-10913
The Centers for Medicare and Medicaid Services (CMS) received 53 public submissions from Medicare Advantage (MA) organizations (MAOs), healthcare providers, professional organizations, and individuals on the proposed CMS-10913 issued September 10, 2024. This is the reconciliation of the comments. We combined the public submissions into comment summaries based on topics and provided responses in the document below. Comments are categorized first by those that are general in nature, then by those specific to the collection instruments, and finally, by those that pertain to burden.
General Comments
Comment: Some commenters were fully supportive of this data collection and the proposed auditing of utilization management (UM) in MA. Of these commenters, some indicated concerns with MAOs inappropriately denying services such as inpatient hospitalizations and skilled nursing services. Some commenters noted that some MAOs had increasing rates of denials in recent years, and that MAOs continued to deny services covered in traditional Medicare. These commenters expressed particular concern with inpatient hospital admission denials and post-acute care denials, such as Skilled Nursing Facilities (SNFs), Inpatient Rehabilitation Facilities (IRFs), Long-Term Acute Care Hospitals (LTACHs), and Home Health (HH). These commenters expressed appreciation for CMS’s efforts to oversee organizations with this new UM audit protocol and data collection.
Response: We appreciate support from commenters on this package.
Comment: Some commenters commended CMS oversight efforts and encouraged CMS to take appropriate enforcement actions including civil money penalties (CMPs), sanctions and terminations when appropriate upon identified non-compliance. These commenters stated that MAOs continue to be non-compliant with the regulation following the Medicare Program; Contract Year 2024 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program, and Programs of All-Inclusive Care for the Elderly (hereinafter referred to as the 2024 Final Rule). These commenters indicated CMS should take clear actions in response to non-compliance and make the consequences of non-compliance transparent to the public. In addition to sanctions, CMPs and terminations, commenters asked if CMS would require organizations to ensure the beneficiaries or providers are made whole when inappropriate denials are discovered.
Response: We appreciate the suggestion. The consequences of non-compliance may differ based on the individual organization, impacted services, and scope of non-compliance. When non-compliance is identified, organizations are required to correct the non-compliance, and CMS considers what, if any, additional actions need to be taken. Although the types of actions and when they may occur are outside the scope of this data collection, CMS would refer commenters to its Part C and Part D Enforcement Actions webpage for any updates on compliance or enforcement actions.
Comment: CMS received multiple comments from MAOs requesting that the term “internal coverage criteria” be defined more narrowly than how it was written in the proposed data collection. Commenters requested that CMS determine a consistent and standardized definition for internal coverage criteria to be used industry-wide. A commenter suggested CMS consider aligning the definition of internal coverage criteria with the Code of Federal Regulations (CFR) and provide examples of specific situations to clarify what constitutes internal coverage criteria. A few commenters asked if third-party vendors that provide industry-standard criteria are considered internal coverage criteria. One commenter supported CMS’s proposed broad definition of internal coverage criteria for the purposes of the collection to include any policy, tool, guidelines, or information used by the MAO, including any first tier, downstream or related entity (FDR), to render medical necessity determinations that is not a CMS source, including CMS statute, regulation, manual, national, or local coverage decision.
Response: CMS thanks commenters for their suggestions. We agree with commenters that an industry-wide definition of internal coverage criteria is helpful, but that our PRA package is not the best place for that definition. We are therefore removing the internal coverage criteria definition from our collection documents and redirect commenters to a proposed rule from CMS, the Medicare and Medicaid Programs: Contract Year 2026 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program, and Programs of All-Inclusive Care for the Elderly (hereinafter referred to as the 2026 Proposed Rule), which solicits comment on a potential definition of internal coverage criteria. While we are removing the definition of internal coverage criteria, CMS audit activities include steps to ensure MAOs submit appropriate materials inclusive of various formats where internal coverage criteria may be included. While internal coverage criteria may be published in a policy to ensure it is publicly available, we understand that MAOs will operationalize criteria by creating decision trees within their electronic health systems, guidance documents, or other tools to assist reviewers in making medical necessity decisions. CMS will collect and review MAO tools and internal operational controls to assess whether implementation of internal coverage criteria is appropriate and consistent with the publicly posted criteria. Additionally, if an MAO utilizes third-party vendors to develop or update criteria, such as Milliman Care Guidelines (MCG) or InterQual, we would expect those to be reported as a part of this data collection.
Comment: Multiple commenters requested either policy clarification or recommended policy revisions related to UM and internal coverage criteria. One commenter requested more clarity on the meaning of “explicit flexibility.” The commenter provided examples of specific services where the language in National Coverage Determinations (NCDs) and Local Coverage Determinations (LCDs) is unclear on whether the development of internal coverage criteria is permitted. Some commenters requested CMS clarify that inpatient admissions are fully established under 42 C.F.R. § 412.3 (the “two-midnight rule”). Other commenters requested CMS clarify that level of care reviews such as decisions to downgrade an inpatient hospital stay to an observation stay is an organization determination. Another commenter asked if CMS will make exceptions to the public availability of data for criteria that is proprietary and cannot be accessed by non-members, such as InterQual. One commenter specifically requested policy clarification on LCD L33394, which related to drugs and biologicals, and asked for clarification on how this LCD should be interpreted and applied in MA. A few commenters requested policy revisions to define internal coverage criteria. A few other commenters requested that CMS strengthen the regulations that require MAOs to publicly post internal coverage criteria due to MAOs continuing to make criteria difficult to find and access.
Response: Comments requesting policy clarification or recommending policy revisions are out of scope for this data collection.
Comment: Some commenters noted that MAOs do not follow regulatory requirements when processing organization determinations, level of care decisions, or appeals. These commenters noted concerns with how MAOs classify both initial determinations and appeals and how MAOs process these types of decisions.
Response: We appreciate the comments, but compliance with 42 C.F.R. § 422 Subpart M requirements is outside the scope of this PRA package.
Comment: CMS received multiple comments requesting CMS collect additional data and develop additional metrics as part of this data collection package. Specifically, commenters requested CMS collect plan-level data on the total number and percentage of medical necessity determinations that are made using internal coverage criteria and to compare that data to traditional Medicare to determine where internal coverage criteria may be misapplied. A commenter requested that CMS gather data on MAOs’ level of care determinations, specifically when the level of care is downgraded from inpatient to observation, and length of stay for observation cases. The same commenter requested that CMS gather data on MAOs’ oversight of reporting appeal measures, including plan compliance with reporting appeal measures to the CMS Independent Review Entity (IRE), reporting the number of appeals that were determined to be invalid due to a service being completed, and reporting on the MAO’s standard operating procedures for how the MAO handles appeals for inpatient hospital admissions where services have been completed. Additionally, the commenter requested CMS collect data on MAOs’ requests for additional information (RFAI) as the commenter expressed concerns that MAOs misuse the RFAI process to delay authorizations or claims processing. Two commenters requested CMS include metrics highlighting discrepancies in post-acute care provided to MA patients versus traditional Medicare. A commenter requested that CMS collect emergency department utilization and readmission data for MAO beneficiaries seeking post-acute care and compare the data to traditional Medicare.
Response: We appreciate the comments regarding additional data collection related to numbers of medical necessity determinations that utilize internal coverage criteria. In the Part C UM Audit Protocol and Data Request we included an impact analysis collection intended to get high level information about the application of internal coverage criteria in medical necessity decisions. Additionally, we will consider and utilize all other data collections relevant to this work collected by CMS, including but not limited to the program audit data collected by the Division of Audit Operations (DAO) within the Medicare Parts C and D Oversight & Enforcement Group (MOEG). However, beneficiary level data is collected through other mechanisms within CMS, and this collection is not intended for that type of data.
Comment: CMS received several comments requesting that CMS clarify that internal coverage criteria also applies to MAO internal criteria for payment policies, and that criteria used to render payment determinations should be included in this data collection. One commenter noted that often MAOs argue that reimbursement policies are payment issues over which the MAO has sole discretion to determine how contracted providers are paid for these services. Another commenter pointed to the 2024 Final Rule as support that payment criteria should be included. A few commenters requested clarification on what was meant by a payment medical necessity decision.
Response: We appreciate the opportunity to provide clarification. All internal coverage criteria used to make medical necessity decisions, as described in 42 C.F.R. § 422.101(c), are subject to both the annual and audit data collections. This is true regardless of whether the internal coverage criteria apply to medical necessity determinations for coverage or payment. As noted in the 2024 Final Rule, “When deciding whether an item or service is reasonable and necessary for an individual patient, we expect the MA plan to make this medical necessity decision in a manner that most favorably provides access to services for the beneficiary and align with CMS's definition of reasonable and necessary as outlined in the Medicare Program Integrity Manual, Chapter 13, section 13.5.4. CMS's expectation, as previously outlined, applies to coverage determinations made before the item or service is provided (pre-certification/prior authorization), during treatment (case management), or after the item or service has been provided (claim for payment).” While we understand that not all payment reviews will utilize criteria to determine the medical necessity of a service, to the extent that criteria are applied during the decision of whether to pay for a service, it would be applicable in this audit.
Comment: CMS received a comment requesting that, in addition to collecting data on MAO internal coverage criteria policies, CMS also require MAOs to explain the criteria used and the decision made in terms of medical necessity as defined in the Medicare Program Integrity Manual Chapter 13 – Local Coverage Determinations: 13.5.4 – Reasonable and Necessary Provision in an LCD. The commenter expressed concern that MAOs are denying prior authorization requests to long-term care hospitals despite the patient meeting the requirements for admission applicable in traditional Medicare Fee-for-Service.
Response: CMS thanks the commenter for the suggestion. The proposed annual and audit data collections are limited to the evaluation of compliance with the requirements in 42 C.F.R. §§ 422.101(b)(6) and 422.137. In addition to the proposed data collections in this protocol, CMS also conducts program audits of MAOs which include a review of the application of internal coverage criteria and medical decision making. As a result, we do not believe that it is necessary to evaluate medical necessity or medical decision making as part of this protocol.
Comment: Some commenters requested clarification on how this UM audit process would work in conjunction with the Part C program audits conducted by CMS. Some of these commenters asked if the audits would be conducted together, and some commenters asked if the audits would be done in the same calendar year. Another commenter asked if these UM audits would replace the focused audits that DAO conducted in 2024. One commenter asked if these UM audits would be conducted using the same schedule of March to July that program audits use. Commenters were concerned about the potential burden associated with having both these audits done either at the same time or within the same year. Lastly, a few commenters noted areas where these UM audits and the program audits duplicated efforts and asked if that duplication would stop once these UM audits were underway.
Response: The UM audits that will be conducted using these data collection tools are separate and distinct from the program audits conducted by DAO. These UM audits are focused on reviewing internal coverage criteria at a more granular level, including ensuring that internal coverage criteria are based on acceptable evidentiary standards and that the criteria are publicly accessible. Program audits, through the review of organization determinations and appeals, are focused on the application of criteria when rendering medical necessity decisions. We understand commenters’ concerns regarding the potential burden of having both audits conducted within a single calendar year and we will try to avoid scheduling an organization for both a program audit and a UM audit within a single calendar year. However, we would note that there may be circumstances where we determine it is necessary to do both audits within a short period of time, and we reserve the right to schedule audits that allow us to adequately follow up on potential non-compliance concerns. As for duplication in the audits, once the UM audits commence, we will eliminate duplication with program audits where feasible. While we will work to eliminate duplication in compliance standards, these two reviews are closely related and both may assess internal coverage criteria through different methods, and as such, information may be shared across audits to ensure a comprehensive assessment is done relating to both the development and use of internal coverage criteria.
Comment: Multiple commenters requested clarification on the intended implementation date for this collection. Most commenters requested that the implementation not begin until January 2026 in order to allow sufficient time for programming systems. A few commenters requested an implementation date of January 2027. A few commenters requested an earlier implementation date of January 2025 given their concerns related to MA organizations inappropriately denying necessary care for beneficiaries.
Response: We want to confirm the intended implementation date for this package would be January 2026. Therefore, the first annual reporting of data would be due January 31, 2026.
Comment: One commenter requested that instructions for these different data collections and the audits be contained in a single document for ease of the MAO. This commenter noted that instructions were currently in multiple places including the individual documents and the supporting statement.
Response: We agree and are committed to posting an overview of the audit process and how these documents work together similarly to how DAO does for program audits using the Program Audit Process Overview. While we will create a single reference document we can post publicly on our webpage, we are not removing instructions from any of the protocols or data collection tools. We reviewed all the documents, including the supporting statement to make sure any instructions were noted in the appropriate documents and were consistent across documents. Additionally, we consolidated the Instructions on Entering and Submitting Criteria and Standardized Formatting of Internal Criteria documents into one document, the Analysis of Coverage Criteria document.
Comment: CMS received multiple comments requesting that other data sources be considered to enhance oversight and/or reduce burden. Several commenters requested that CMS consider using existing data sources rather than requesting new data. One commenter also noted that CMS recently proposed and/or finalized other data reporting such as the requirement for MAOs to report the percentages of prior authorization requests approved and denied for both standard and expedited requests which goes into effect in 2026.
Response: When determining what data to collect, we carefully considered other sources of data and noted distinct differences between what is currently collected and our proposal. Other CMS data collection efforts focus on service level information (prior authorization and denial information), while our proposal is focused on assessing what services have internal coverage criteria associated with them. We have made changes to remove as much duplication as possible, which is discussed in more detail in the sections related to the individual documents.
Comment: Multiple commenters requested CMS create a pathway for providers to submit complaints to CMS related to the performance and/or non-compliance of MAOs.
Response: This request is outside the scope of this data collection package.
Comment: A few commenters requested clarification on the types of services and the types of UM processes included in this data collection package. Some commenters requested clarification on whether to include drugs in this package. One commenter referenced the definition of services in 42 C.F.R. § 400.202 and indicated that definition was very broad and asked if CMS intended to be that expansive. Another commenter asked for clarification on whether to include different types of UM processes such as prior authorizations, step therapy requests, and quantity limits. Another commenter asked if supplemental benefits should be included. One commenter asked if this only impacted Medicare services and not Medicaid only covered services. One commenter asked if non-Medicare covered services such as eye exams or dental benefits would be included.
Response: We appreciate the opportunity to provide clarification. We intend this package to be all-inclusive of internal coverage criteria as it relates to Part C services. We appreciate the commenter citing to the definition in 42 C.F.R. § 400.202 and we have included this definition in both the annual data collection and the CMS List of Targeted Services to ensure CMS’s intention to be encompassing of all service types is apparent. Additionally, we are including Part B drugs that may have internal coverage criteria associated with them, with the exception of any step therapy policies for Part B drugs. This clarification was also added into the documents where applicable. Lastly, we would confirm that organizations do not need to submit supplemental benefit policies in response to this data collection, or criteria related to Medicaid only services, or non-Medicare covered services.
Comment: One commenter requested CMS add “Field Type” and “Field Length” into the record layouts, and to format date fields with CCYY/MM/DD, to be consistent with DAO’s program audit formatting.
Response: We appreciate the suggestion but are not inclined to add those fields at this time. However, we did format date fields to reflect CCYY/MM/DD.
Comment: One commenter requested clarification on whether special characters were allowed and indicated that removing special characters from PDF documents or other instruments may be time consuming and difficult.
Response: We do not intend to restrict special characters, especially when they are submitted as a part of a PDF document.
Comment: In addition to substantive comments, some commenters noted minor typos in different data collection documents.
Response: We appreciate the input and have fixed all typos that were either pointed out by commenters, or identified by CMS as we re-reviewed the package.
Medicare Part C Utilization Management Annual Data Submission
Comment: Multiple commenters were concerned with the inclusion of the “Current Procedural Terminology (CPT) and/or Healthcare Common Procedure Coding System (HCPCS) codes” field in the Utilization Management Annual Submission (UMAS) universe. Some commenters expressed concerns that this field would increase burden since these codes would have to be manually extracted from their internal coverage criteria policies. Some commenters indicated that some internal coverage criteria policies, such as those from InterQual, did not contain CPT and HCPCS codes. These commenters requested that CMS not collect CPT and/or HCPCS codes for the data collection. Other commenters were worried that asking for CPT and HCPCS codes, and not International Classification of Diseases (ICD-10) and/or Diagnosis Related Group (DRG) codes, would potentially cause MAOs to only report some services and not all services that utilize internal coverage criteria. These comments requested that CMS consider adding other code types such as ICD-10 codes, DRG codes, and National Drug Identifiers (NDI), to the data collection universes. One commenter suggested we ask organizations to submit their universe data by Major Diagnostic Categories (MDC) codes.
Response: We carefully considered all comments on this issue. We understand commenters’ concerns that by only requesting CPT and HCPCS codes, which are not applicable to all services, we may unintentionally signal that we would not need information on services not associated with a CPT or HCPCS code. However, we think that adding ICD-10, DRG, MDC or NDIs would potentially be a significant burden for MAOs, since this collection is not meant to capture specific claims, but rather broad policies that could be applicable to numerous diagnoses or drugs. We also recognize that requesting CPT and HCPCS codes may already be burdensome on MAOs, and therefore we are removing this field from the annual data submission. Additionally, in order to ensure the full scope of services is considered we added the “service” definition from 42 C.F.R. § 400.202 and included examples of services that should be considered when populating this universe.
Comment: Multiple commenters asked why this annual data submission was necessary since CMS requires internal coverage criteria to be publicly available. One commenter argued that the annual data submission was unnecessary for CMS to determine MAO compliance, and that CMS could use only the audits to accomplish this. Multiple other commenters were fully supportive of this annual data submission, noting that MAOs’ attempts to make internal coverage criteria publicly available are often difficult to find and navigate and unclear to enrollees and providers. A few commenters noted that while the annual reporting was critical for CMS to understand the landscape of internal coverage criteria, it would not help CMS assess compliance with regulatory requirements and therefore audits would also be necessary.
Response: We appreciate both perspectives on this collection. We agree with commenters that based on our oversight experience, the internal coverage criteria that is publicly posted often is difficult to find, not always complete, and can require multiple steps to navigate. Even then, we have discovered multiple instances where the webpage takes us to a link with thousands of criteria policies of which only a few apply to that particular MAO. In other instances, we have seen policies make conflicting statements regarding whether that particular policy is used for the Medicare population. Given these issues, we believe this annual data submission is necessary to understand exactly when MAOs are developing and adopting internal coverage criteria related to Medicare services. If the public availability of this data continues to improve, we will reconsider the necessity of this request. We also are not persuaded to eliminate the annual data submission, as we believe this information is necessary to see how MAOs are interpreting and supplementing Medicare rules in order to operationalize the benefit. We agree that we cannot assess compliance with all requirements with this annual data submission, which is why we also intend to implement an audit protocol that will review internal coverage criteria through a more focused effort.
Comment: A few commenters requested clarification on what CMS meant by “locality code” in the annual collection. Other commenters indicated that this code would require organizations to manually look up localities for all policies, which would be a significant burden. One commenter mentioned that there were numerous locality codes, and that some locality codes crossed multiple states, and questioned whether this data would be useful to CMS.
Response: We agree with commenters that this field may cause unintended burden. We are changing the locality field to instead reflect Medicare Administrative Contractor (MAC) jurisdiction which we think better aligns with how internal coverage criteria is operationalized by organizations. Submitters will be instructed to use the jurisdiction code that starts with a J when populating this field. We also made the same change to the audit protocol record layout.
Comment: Multiple commenters expressed support for CMS’s collection of a specific website link that takes people to the internal coverage criteria. These commenters again expressed that finding criteria publicly is challenging and time consuming. Other commenters asked for clarification regarding how direct the link needs to be. These commenters requested clarification on whether the link needs to take CMS directly to the specific internal coverage criteria or whether it could take users to a landing page where they could then access the specific policy. A few commenters requested that CMS publish the annual collection of internal coverage criteria, including the website links, to ensure providers and beneficiaries can easily find and navigate to the criteria. One of these commenters noted that there shouldn’t be privacy concerns with CMS publishing the data, and it would benefit providers and beneficiaries to have a central CMS location where they could find and navigate to criteria, especially given the difficulty in finding internal coverage criteria currently.
Response: We appreciate the support for this field and agree it’s necessary to ensure the criteria is publicly available. We recognize that it may not always be possible to provide a link that takes users directly to a specific policy, especially when a third-party vendor may be involved. At a minimum, we would expect an MAO to provide a link that allows CMS to easily navigate to the associated criteria. We have updated that field in the record layout to reflect that clarification. We will continue to consider the best way to share information gathered through these oversight activities. While generally we do not directly share audit data publicly due to proprietary or sensitive information, we would solicit comment on whether we should publish the annual collection of data as a way of assisting organizations, providers and beneficiaries in finding and navigating to internal coverage criteria policies.
Comment: A few commenters were concerned with how much data was being requested during the annual collection. Some of these commenters recommended that CMS only collect website links, or only collect internal coverage criteria that does not include criteria from vendors such as MCG or InterQual. One commenter asked CMS not to include Plan Benefit Packages (PBPs) in the record layout because there could be hundreds of PBPs and it would greatly increase the burden. Other commenters requested that CMS target a few services for the annual submission rather than requesting a full scope of internal coverage criteria. One commenter recommended that CMS modify the data collection to obtain general information about organizations’ use of internal coverage criteria but requested that CMS eliminate data points related to specific criteria since that information is publicly available. A few commenters also expressed some concern with how they would report criterion when it can be formatted in bullets, or other special characters, and some commenters expressed concern with how to pull these criteria out of PDF policies for reporting.
Response: We appreciate commenters’ suggestions. We are not inclined to limit this annual collection at this time as it is meant to give CMS a full view into all the internal coverage criteria being applied in MA, while placing as little burden on MAOs as possible. In response to comments submitted, we have further streamlined some of the fields in this collection. First, as stated above, we removed CPT and HCPCS codes. Second, we removed the field related to PBPs to eliminate unnecessary burden. Third, we re-ordered the first two columns to streamline how the criteria are submitted. Now, the first column is the individual criteria policy or document name or identifier. The second column will be the applicable Medicare service or item. Additionally, we recognize that some internal policies may cover multiple services, so we modified that field to allow for multiple services to be entered in a single row, rather than repeated multiple times in different rows. Lastly, we would remind commenters that this collection is high-level and meant to identify the name or identifier of the internal coverage criteria policy or document used but is not meant to capture the individual criterion associated with the service. Individual criterion will be collected and assessed during audit fieldwork.
Comment: A few commenters expressed concern with the due date of January 31st, and asked CMS to consider allowing more time for the annual submission. One commenter suggested a due date in quarter two of each year. These commenters expressed concerns with how busy January can be for organizations with new enrollees. A few other commenters also asked if the annual submission was on past data (from the previous calendar year) and indicated that this could take more time to pull all the criteria used in the previous calendar year.
Response: We do not believe extending the due date past January 31st is appropriate. First, this collection is not meant to be based on the internal coverage criteria that was used in the previous year, but instead is meant to reflect the criteria an MAO determines may be used in the current calendar year. Therefore, a review of what was actually implemented is not necessary; instead, all policies that are adopted and intended for use in the calendar year would be included in the universe. Since the UM committee must review and approve criteria before it is implemented, we would expect this information to be largely collected prior to the start of the year in which the criteria would be used. Lastly, we believe that with the changes made to the collection, we have removed fields that would be overly burdensome which should alleviate the complexity of submitting this data.
Comment: One commenter asked if there was a specific naming convention that should be used for the column where the service or item is identified, and whether services needed to be identified by brand or generic. Additionally, this commenter asked if the service or item name could potentially be the same as the name of the internal coverage criteria policy.
Response: We do not have a specific naming convention for services, and we are leaving that to the MAOs to fill out the information in the way that makes the most sense given their internal coverage criteria documents. As long as there is sufficient detail to understand what service is being referenced, it will be acceptable. As for the similarity in names between services and the internal coverage criteria, we agree that in some instances there may be either similarity or duplication between the names, which is acceptable. For example, for a policy named Clinical guidelines for Computed Tomography (CT) of the Head, the service would be CT scan, or CT of the Head. However, we have seen other internal coverage criteria policies that have a more general naming convention such as “Imaging” where the services may include multiple unique names, such as CT, Magnetic Resonance Imaging (MRI), and Positron Emission Tomography (PET) scan.
Comment: One commenter requested examples of what CMS was expecting in the record layout for the annual submission. This commenter indicated that examples would help organizations understand CMS expectations.
Response: We agree that examples are often helpful to show CMS expectations on data submissions. Rather than put examples in the record layouts directly, which might cause them to be overly long and confusing, we created Excel templates for both the annual data collection and audit protocol universe, the Utilization Management Annual Submission (UMAS) Record Layout with Examples and Utilization Management Criteria (UMC) Record Layout with Examples, respectively. These Excel templates directly align with the record layout column requests. We included within the Excel spreadsheets a few examples of how information may be submitted to CMS. MAOs may use these templates to populate and submit their annual reporting of internal coverage criteria.
Comment: One commenter asked if there should be multiple rows included in the universe if one internal coverage criteria policy had multiple versions within the lookback period.
Response: We do not anticipate there being multiple versions for a single policy for the annual collection. The annual collection is intended to capture the approved internal coverage criteria that the MAO (or its FDRs) intends to use within that calendar year. Since the information is due in January, we do not believe that MAOs will have different versions of the same policy.
Comment: One commenter asked if organizations should not include commas in names when submitting record layouts, since many fields ask for comma separated lists and commas could skew analyses.
Response: We agree with this commenter and added that instruction at the top of the universe for the annual submission.
Comment: One commenter requested clarification on how they should populate the column relating to whether the organization or a vendor developed internal coverage criteria. This commenter asked how they should populate that field when an FDR developed the criteria and whether the FDR would be considered the organization. Another commenter asked CMS to revise the field instructions to allow for situations where another vendor or FDR didn’t fully develop the criteria but may have assisted with development.
Response: We appreciate these comments and modified the column to allow for entities other than the organization or vendor to be populated. If an FDR also developed internal coverage criteria, the organization should enter the name of the FDR in that field. Additionally, we modified instructions to capture situations where an entity or vendor assists with development of criteria.
Comment: One commenter requested CMS collect the annual universe at the parent organization level, indicating that if there are differences in contracts the parent organization can note that.
Response: We appreciate the comment and want to affirm that we will be collecting this information at the parent organization level, inclusive of all contracts and PBPs. However, while we are collecting this at the parent organization level, we still expect organizations to consider all internal coverage criteria that is applicable, including criteria utilized by FDRs, and criteria developed by third-party vendors, such as MCG or InterQual. We know, based on our oversight efforts in 2024, that some delegated entities use criteria that is different from the parent organization. In order to capture this appropriately, we added a column to collect information on whether the criteria is used by an FDR (rather than the organization).
Comment: One commenter asked if CMS approved formulary criteria should be included in the annual data submission. Another commenter requested clarification on whether Part B drugs should be included in the annual data submission, and whether step therapy criteria for Part B drugs should be included.
Response: The annual data submission is only intended to collect internal coverage criteria applicable to MA services (Part C services), and while this would include services, items and drugs covered under Part A and Part B, it would not include any criteria related to Part D drugs or approved formularies. Additionally, we have revised the instructions that precede the UMAS Record Layout to explain that, while internal coverage criteria related to Part B drugs should be included, the UMAS universe would exclude step therapy criteria which is governed by a different regulatory requirement in § 422.136.
Comment: One commenter requested clarification on how organizations should populate the universe if they use vendors such as InterQual or MCG. This commenter asked if it would be sufficient to just say that they utilize InterQual for internal coverage criteria, without identifying the policies they intend to use.
Response: We understand that some vendors may have numerous coverage criteria policies, but part of the rationale in collecting this information annually is that organizations are not typically identifying the specific policies they are relying on from these vendors. Through this collection we would expect the MAO to identify all criteria policies that they intend to use during the year and label each one in a new row within the universe. For organizations that adopt and use all policies from a vendor, that would include the full listing of criteria documents (i.e., the names of the different policies), but for organizations that may only utilize a portion of a vendor’s criteria, that organization would only submit the specific internal criteria policies they intend to use. However, while we would want the names of the individual criteria policies or documents that are intended for use, we are not asking for the underlying criterion within those policies during this annual collection.
Comment: One commenter requested clarification on what CMS intends with the UMAS Record Layout column asking for information on States. Another commenter asked if there was a specific response format CMS wanted for that field.
Response: For each individual coverage criteria policy or document, we are asking for the states where they are used to make utilization management determinations (by the organization or an FDR). For example, we have seen that for the same organization and service, a delegated entity in one state may use different internal coverage criteria than a delegated entity in a different state. As for formatting, we clarified in the instructions for the UMAS Record Layout that MAOs may enter the State information using the two-digit United States Postal Service (USPS) code.
Comment: One commenter requested that smaller organizations, specifically Institutional Special Needs Plans (ISNPs) with limited and specific membership, should only be required to provide the annual data submission based on the internal coverage criteria that was used in the previous year since smaller organizations often purchase internal coverage criteria to use in the absence of guidelines by CMS.
Response: As we noted above, the annual data submission is intended to capture any internal coverage criteria that the MAO has adopted or approved for use in the calendar year the data is submitted. However, to the extent a smaller plan has approved a smaller subset of criteria for use based on an analysis of past decisions and the population they serve, that is acceptable to submit.
CMS List of Targeted Services
Comment: Some commenters asked for clarification regarding the CMS List of Targeted Services, including whether the list would be provided to all MAOs at the beginning of the year or at least with “ample advance notice”, and whether the services would be the same from organization to organization. Several commenters asked CMS to consider a variety of data sources and types, such as prior authorization information and the data from the annual data submission, when selecting services for the CMS Targeted Services List and audit. One commenter asked CMS to clarify whether CMS will use the annual submission information to target services for audit purposes.
Response: We revised the CMS List of Targeted Services instructions to clarify that CMS will provide the list to each MAO at the time the MAO receives its UM audit engagement letter. The list will include up to 50 services that the MAO will use to populate the audit protocol universe. While some targeted services may be consistent from organization to organization, CMS may select different services across audited MAOs based on other data available or complaints received. Lastly, as currently stated in the Medicare Part C UM Annual Data Submission, CMS will utilize the information collected for the annual data submission to select a number of MAOs each year for a UM audit, and that information may also affect the services selected for inclusion in the CMS List of Targeted Services.
Comment: Multiple commenters requested CMS target specific services when requesting information from MAOs and to oversample “high risk” service categories for the list and audit. Some commenters requested that CMS consider targeting inpatient admissions due to increasing denials by MAOs in recent years. Some commenters requested CMS target post-acute care admissions, including SNF, IRF and LTACH admissions, due to concerns about inappropriate denials and recent interest from the Office of the Inspector General (OIG) and the U.S. Senate. One commenter also recommended that CMS target durable medical equipment (DME), Part B drugs, and inpatient psychiatric services during audits.
Response: We appreciate the questions and suggestions from commenters. We are committed to using all available data, including complaints and outside reports, to target services for inclusion. No changes were made to the CMS List of Targeted Services in response to these comments.
Comment: Some commenters requested clarification on how many services CMS would select for the CMS List of Targeted Services. Some commenters asked if there would only be 20 services selected, and some asked if there would only be seven services selected since there were only seven rows in the Targeted Services table.
Response: We appreciate the request for clarification and revised the CMS List of Targeted Services document with additional instructions as well as additional rows. We may include up to 50 services, items or Part B drugs in the CMS List of Targeted Services. MAOs will then use the list of up to 50 services to populate the Utilization Management Criteria (UMC) universe as described in the audit protocol. While we may include up to 50 services on the list, we are committed to being thoughtful in how we roll out these audits and may request fewer services, especially in the first year of implementing the new audit protocol. Additionally, we would remind commenters that the services identified on the CMS List of Targeted Services will only be used to populate the universe in the audit protocol, and we would not expect internal coverage criteria policies to be submitted for all 50 services.
Comment: One commenter requested clarification on how CMS would populate the service name and brief description fields in the Targeted Services table. One commenter recommended that CMS populate the CMS List of Services service information based on high level service categories like SNF, DME types, etc.
Response: CMS will populate the name of the service with as much specificity as necessary; however, the level of specificity may change based on the service. For example, the service name may be “Inpatient admission criteria” and the brief description may be “Criteria used to determine whether an inpatient hospital stay is medically necessary and/or covered”. In some cases, the service name may be explicit enough that a description is not needed, for example “CT scan of the head”. However, the description field will be used anytime additional details are needed. We modified the brief description field to note that it will only be used if applicable.
Comment: One commenter requested clarification on whether any additional information needed to be submitted if the MAO did not adopt or use internal coverage criteria for a targeted service.
Response: We appreciate the opportunity to clarify the data request when a targeted service on the CMS List of Targeted Services does not have internal coverage criteria. While the annual data submission will only include a collection of services with internal coverage criteria, CMS may include a range of services on the CMS Targeted List of Services for the purposes of the UM audit, some of which may or may not have internal coverage criteria. For the CMS Targeted List of Services, the MAO must submit a response for each service identified when populating the Utilization Management Criteria (UMC) universe in the audit protocol. If the MAO does not have internal coverage criteria for that service, the organization would note that as part of the universe submission. No changes were made to the CMS List of Targeted Services in response to these comments.
Comment: One commenter indicated that one internal coverage criteria policy may encompass multiple services, and that depending on how CMS asks for service information, the MAO may have to manually review their policies to ensure the correct information is submitted in response.
Response: We appreciate this concern and we understand that many MAOs have very different methods for developing internal coverage criteria. Since there is no one method for developing internal coverage criteria, CMS will need to populate the CMS List of Targeted Services at the service level and rely on MAOs to identify the applicable internal coverage criteria policies. We recognize there will not always be a one-to-one ratio between the services listed on the CMS List of Targeted Services and MAO internal coverage criteria policies. One internal coverage criteria policy may cover multiple unique items and/or services, and one service may have multiple unique internal coverage criteria policies. No changes were made to the CMS List of Targeted Services in response to these comments.
Medicare Part C Audit Protocol Data Request
Comment: Multiple commenters requested clarification on whether CMS would audit the same 20 services for all organizations, or if the services selected for the audit would differ between organizations. If CMS’s intention is to select the same services each year for all organizations’ audits, commenters also requested that CMS share those services at the beginning of the calendar year so organizations can prepare in advance for the audit.
Response: In reference to the 20 services selected from the UMC universe for further review, and as with the services selected for the CMS List of Targeted Services, while there may be some overlap in services reviewed across organizations, we do not intend to review the same 20 services for all organizations during every audit in a given year. Each MAO selected for audit will be asked to submit the UMC universe, which will include up to 50 targeted services identified by CMS. The 20 services selected by CMS for further review during fieldwork will depend on the information contained in the universe. Because these services will be selected based on individual universe submissions, the list cannot be shared in advance.
Comment: Multiple commenters requested CMS consider a variety of factors in picking both organizations that should receive an audit as well as what services should be audited. When selecting organizations, some commenters suggested considering other available data sources available to CMS, including any information regarding denials of care. Commenters also indicated any organizations that are determined to be outliers for certain services, such as hospital observation stays, should be selected for audit. One commenter also recommended expanding the number of organizations CMS is proposing to audit annually, requesting CMS audit as many as possible. Commenters recommended CMS consider public reports such as OIG and U.S. Senate reports, as well as services that are experiencing higher denial rates in MA such as post-acute care services. Many commenters recommended that CMS target inpatient hospital stays during audit, noting continued frustration with MAO denials of inpatient admissions and a deviation from traditional Medicare in these types of decisions.
Response: As with our response to similar comments related to the CMS List of Targeted Services, we agree with commenters that both organizations and services should be selected thoughtfully and with deliberation. We intend to use many factors when selecting organizations for audit, as well as when selecting services for further review on audit, including but not limited to, other available CMS data, provider complaints, annual submissions of internal coverage criteria, external reports related to concerns in MA, and any other factors that may be appropriate. We removed the CPT and/or HCPCS codes field from the UMC record layout because we want to make clear that all services, not only services with relevant CPT or HCPCS codes, are within the scope of these audits. This includes hospital inpatient admissions, hospital observation stays, LTACH admissions, IRF admissions, SNF admissions, other post-acute care, behavioral health services (including inpatient admissions for behavioral health), and all other Medicare services for which medical necessity decisions are made.
Comment: Multiple commenters requested clarification on how the audit process would flow and what would happen during the different stages of the audit. One commenter asked if the process would be that CMS would send the CMS List of Targeted Services to the organization, the organization would submit the requested universe, CMS would sample 20 services from that universe, the organization would submit the requested criteria, and then CMS may conduct a validation of that criteria through a review of denial letters.
Response: We want to confirm that the process stated here aligns with our intended approach to these UM audits. We will submit the CMS List of Targeted Services to selected organizations at the time we issue the engagement letter. The CMS List of Targeted Services may include up to 50 services. To clarify, for purposes of this protocol, the term “services” refers to all Medicare covered services, items, and Part B drugs. The MAO will then submit the UMC universe in the audit protocol which will include information for all services identified on the CMS List of Targeted Services. From that universe submission, CMS will then identify up to 20 services for review during audit fieldwork, although CMS may select fewer services, especially in the first year of audit implementation. Upon selection of the 20 services, CMS would begin audit fieldwork, and the MAO will be asked to submit the documentation identified in the section “Documentation Submissions for Selected Services.”
Comment: A commenter asked if the audits would be conducted at the parent organization level, and whether organizations would need to differentiate between contracts and PBPs during the audit. Another commenter asked if Medicare-Medicaid Plans (MMPs) would be included.
Response: Similar to the annual data submission, the audits will be conducted at the parent organization level. These audits will be inclusive of all contracts and PBPs unless otherwise noted by CMS in the audit engagement letter. MAOs will be asked to submit information at the parent organization and not by contract or PBP. We also intend to include MMPs in this collection.
Comment: A few commenters suggested CMS include a review of service requests and denials in this UM audit. These commenters indicated that reviewing these decisions would allow CMS to conduct a more comprehensive review rather than focusing on the internal coverage criteria policies themselves. Some commenters also requested that CMS ensure that concurrent reviews and retrospective reviews are included in the audits. Another commenter requested CMS audit peer to peer discussions to ensure that the reviewer from the MAO has the requisite training and licensure.
Response: We appreciate the suggestion, but as we stated above, the review of beneficiary level cases is conducted through the DAO program audits. These UM audits are intended to review the internal coverage criteria and determine compliance with the requirements at § 422.101 and § 422.137. The DAO program audits are intended to review the application of criteria (Medicare coverage criteria and internal coverage criteria) through the review of services and denials, and program audits would also assess individual medical necessity decisions and any applicable peer review criteria. In order to avoid duplication, the UM audits will limit any beneficiary level review to a review of denial letters as discussed in the validation section of the protocol. However, to the extent there is internal coverage criteria used in any level of care decisions relating to medical necessity (e.g., concurrent review, retrospective review, prior authorization or payment), we would include that coverage criteria into these audits. Also, we are committed to ensuring that we share audit data internally to ensure that both efforts are coordinated effectively, both in scheduling but also in the data we review and non-compliance we cite.
Comment: CMS received multiple comments regarding the compliance standards in the Medicare Part C UM Audit Protocol Data Request Document. A commenter expressed concerns that compliance standards 1.2 and 1.3 require plans to review the wording in each denial rationale which would entail a manual review process. This commenter stated that MAO systems are not equipped to capture such detailed information for an accurate response and would require manual research of available medical literature and clinical studies. One commenter requested clarification on how CMS will assess “fully established” and stated that determining whether something is “fully established” is the right of the MAO per the regulation. Another commenter requested CMS confirm that CMS would be the final arbiter of what is considered fully established. One commenter requested CMS remove compliance standard 1.5 because they stated the language “clinical benefits that are highly likely to outweigh any clinical harms” is subjective, unclear, and not supported by regulatory standards. Some commenters argued that CMS should review all internal coverage criteria to ensure that the clinical benefit is clear and supported by evidence. Another commenter requested CMS modify compliance standard 1.7 to remove the redundant use of “publicly.” Finally, a commenter requested that CMS add a compliance standard to conduct level-of-care reviews to ensure that any refusal by an MAO to provide or pay for services, including downgrades of inpatient care to observation status, is reviewed as an organization determination by the plan subject to requirements under § 422.566(b)(3).
Response: Compliance standards are intended to ensure that CMS is providing transparency in how we intend to review submitted data for purposes of evaluating regulatory compliance. Compliance standards 1.2 and 1.3 will not require organizations to review individual denial letters. Instead, these standards will be assessed based on the analysis of the internal coverage criteria and a comparison of the internal coverage criteria with CMS requirements applicable to a specific service. For compliance standard 1.3, we will use the definition of fully established in 42 C.F.R. § 422.101(b)(6)(i) and have the organization explain how they determined a service was not fully established through the use of that regulation. If CMS finds that the organization did not correctly interpret or apply the regulatory requirements relating to services being fully established, the organization may be found non-compliant. Following an analysis of comments and the compliance standards, we have removed the two compliance standards related to assessing whether the clinical criteria have benefits that are highly likely to outweigh the harm (1.5 and 1.7). Additionally, we are not adding a new compliance standard related to level of care determinations. Internal coverage criteria associated with level of care determinations, including criteria for hospital admissions, IRF admissions, and LTACH admissions, are subject to the UM audit process; however, beneficiary-level determinations will not be evaluated since those are typically reviewed through DAO’s program audits. We believe that the existing compliance standards will allow CMS to effectively evaluate regulatory compliance with internal coverage criteria pertaining to level of care determinations. Lastly, we added language into the audit protocol that we may expand the scope of our audit to criteria outside of the specified compliance standards, when necessary, to conduct comprehensive reviews.
Comment: A few commenters asked what methodology or standards CMS will use to assess compliance with the requirements regarding widely used treatment guidelines and evidence-based standards.
Response: This audit is intended to assess compliance with the requirements in the regulation, including requirements related to the appropriate evidentiary sources used in creating criteria per § 422.101(b)(6) requirements.
Comment: A few commenters asked what would be considered non-compliant for internal coverage criteria.
Response: The compliance standards identify how CMS will assess the criteria, using the regulation as the benchmark. Internal coverage criteria will be determined non-compliant if the MAO violates any part of § 422.101(b)(6) or § 422.137.
Comment: One commenter asked for clarification on the instructions for populating the audit universe. Specifically, this commenter asked what was meant by “populate this information based on the current status of the service within the organization”. This commenter requested clarification if current meant “at the time of the engagement letter” or “at the time of compiling the universe”. Another commenter requested CMS provide examples showing how the information should be populated and submitted.
Response: We agree clarification is needed and updated the instructions for this universe accordingly. We modified instructions to reflect that the information should be based on current information at the time the universe is submitted. Since this is not a collection of requests, but rather policy information that should not change significantly day to day, we think this will provide CMS the most up to date information without unduly burdening organizations. We have also created an Excel template that aligns with the UMC record layout. The Excel template includes examples showing how we would expect organizations to populate this information based on record layout instructions. Additionally, we modified the instructions to indicate that the universe must be submitted in Microsoft Excel format. We believe that this will reduce overall burden by simplifying how the data is submitted to CMS.
Comment: One commenter requested clarification on column A and whether this would be at a service level or a CPT level.
Response: This field will be populated with the services identified in the CMS List of Targeted Services. CMS may identify services on that list broadly (e.g., CT scans) or narrowly (e.g., CT of Head). The MAO will use the name entered by CMS to populate Column A in the audit universe.
Comment: Multiple commenters requested CMS remove CPT and HCPCS codes from the audit universe indicating it would be burdensome to identify the codes by service. These commenters indicated this column would need to be populated manually and it would increase time and cost. Other commenters argued including only CPT and HCPCS codes would not encompass all services such as inpatient admissions, post-acute care, and drugs.
Response: As indicated in a previous response related to the annual data collection, we are removing CPT and HCPCS codes from this record layout because we want to make clear that all services, not only services with relevant CPT or HCPCS codes, are within the scope of these audits. We also decided not to add any additional service identifiers (e.g., ICD-10 codes, DRGs, etc.) because they increase burden without adding significant value.
Comment: One commenter asked if the audit universe columns C “fully established” and E “No applicable coverage rules” were the same thing, and asked if one of them could be removed. Another commenter requested clarification on how column C should be filled out when there is an applicable LCD, but the organization created internal criteria to expand coverage beyond the LCD.
Response: Commenters should fill out column C based on their determination of whether a service is fully established within any of their operating jurisdictions under the requirements in § 422.101(b)(6)(i). Column E is one of the ways an organization can determine a service is not fully established, by determining there are no applicable Medicare rules for that service. Since there are multiple ways to determine whether a service is not fully established, and column E is only one of these ways, these fields are not duplicative of each other.
Comment: A few commenters requested clarification on whether selected services would always be services that have internal coverage criteria, and if so, wouldn’t column C always be “No, the service is not fully established”. These commenters noted that if services are selected that do not have internal coverage criteria, the burden of some other columns would increase, including Columns F, G and H, because MAOs would have to spend time researching those in response to the audit engagement letter. Other commenters asked if column F “Applicable Medicare Rules” was intended to ensure an organization understood the rules that apply to a particular service. These commenters argued these fields are not necessary since CMS should already know the rules that apply for a particular service. One commenter asked how to submit data in column H when there is no LCD but there is a Local Coverage Article (LCA). A few commenters agreed with all recommended data collection elements in the universe and recommended CMS keep them all, including the proposed columns designated F, G and H related to Medicare regulations, NCDs, and LCDs.
Response: While CMS may select services that have internal coverage criteria, we may also select services in the initial CMS List of Targeted Services without internal coverage criteria. We appreciate the concerns raised by commenters regarding these particular fields, and agree the burden outweighs the benefit. We are therefore removing columns F, G, and H in this record layout. However, we appreciate the commenters who saw the value in these fields, and we intend to review this information during audit fieldwork for the 20 services selected for a more in-depth review.
Comment: One commenter requested clarification regarding the two-digit locality code requested in the formerly proposed column D. Another commenter stated that the two-digit locality code may not be sufficient to identify the locality since one locality code may be used to identify multiple zip codes in multiple states.
Response: We agree that a two-digit locality may not be adequate to accurately identify where a particular internal criteria policy is applicable. Additionally, we recognize that identifying all of the applicable localities where a particular internal criteria policy is applicable may be burdensome. As a result, we changed this column from “Fully Established Localities” to “Fully Established Medicare Administrative Contractor (MAC) Jurisdictions” and provided additional instructions and resources for identifying the applicable MAC jurisdiction(s). We also revised columns D-G, to include “jurisdiction” since the applicable jurisdiction(s) could impact how MAOs respond to these fields.
Comment: One commenter requested clarification on the formerly proposed column L, Total Number of Coverage Criteria Policies, Tools, and Guidelines, and what CMS meant by “outside of CMS statute.” This commenter noted that any non-Medicare criteria used is within the rules.
Response: We modified this column to try and clarify our intention. Specifically, in the revised column now titled Total Number of Internal Coverage Criteria Policies and Documents, and redesignated column H, we are asking organizations if they use internal coverage criteria for the specific service referenced. We streamlined the instructions in this column to eliminate confusion.
Comment: One commenter requested clarification on what information should be entered into the formerly proposed column L and indicated they thought the instructions were unclear.
Response: Column L was meant to obtain the number of internal coverage criteria documents or policies that may apply to a particular service. We know from reviewing internal coverage criteria in 2024 that some organizations and vendors may have multiple distinct policies containing coverage criteria for any one service. For example, coverage criteria for MRIs may be present in multiple policy documents that each address a specific body part. We understand from other comments that the proposed definition of internal coverage criteria confused some people, and we removed it from this package. We also modified the wording in this column to clarify that we are asking for how many distinct policies or documents containing coverage criteria apply to the service. Therefore, an MAO will identify the number of distinct policies that apply to a particular service in this column. As noted previously, column L has also been redesignated to column H.
Comment: Multiple commenters asked for clarification on how to populate column R with the website link when the link is to a third-party vendor or FDR (such as a pharmacy benefit manager (PBM)). They asked if it would be sufficient to provide a link that takes you to the vendor page where the criteria is searchable.
Response: Similar to the column in the annual reporting collection, we are clarifying instructions related to the website link. While we would appreciate a direct link to internal coverage criteria, we know that is not always possible. Therefore, as long as the link takes CMS to a page where we can easily identify and open the specific internal coverage criteria policies, that is sufficient for this column.
Comment: One commenter supported the inclusion of the formerly proposed column N field for Vendor in the UMC record layout and stated that verifying the vendors that create internal coverage criteria used by the MAO is a critical piece of information.
Response: We thank the commenter for their support and agree that identifying the sources of internal coverage criteria is an important step in evaluating compliance with regulatory requirements. As such, we modified column N to include any entity, including third-party vendors and the MAO, that creates internal coverage criteria. This column has also been renamed and redesignated as Organization or Vendor, column J.
Comment: One commenter requested that CMS remove any duplicate columns from the annual reporting and the audit protocol. This commenter specifically mentioned the columns regarding Coverage Criteria and Guidelines, Vendor, UM Committee Review, and Website Links.
Response: We appreciate this suggestion but disagree that this information is truly duplicative. In the annual reporting, the MAO is reporting by individual criteria policy, and in the audit protocol this information is collected by the service level. The fields in the audit protocol relating to the Coverage Criteria are intended to determine if the MAO uses internal criteria for that service, and if they do, how many unique policies are applicable. However, it does not ask for the names of the policies, which are collected under the annual reporting. Similarly, while the vendor and website fields map directly to a specific criteria policy in the annual reporting, when reported at the service level, there may be multiple vendors and multiple websites. We deleted the column regarding UM committee approval in the audit protocol since we agree that is better collected during the granular annual reporting, and then tested during audit fieldwork. In addition to these columns, we also removed column Q, which asked if the criteria policy is publicly available. Column Q was removed to reduce burden and avoid duplication since the information in that column will be reported in the annual (UMAS) record layout.
Comment: One commenter noted that the instructions in the section titled “Supporting Documentation Submissions” were unclear. This commenter requested clarification on when items such as the Standardized Formatting would need to be submitted to CMS. We also received multiple questions about the selected services and when information must be submitted, indicating there may be some confusion about what information must be provided when the universe is submitted versus what information must be submitted during audit fieldwork.
Response: Based on these comments (and others received and discussed in this document), we believe it would be helpful to provide additional clarification regarding when documentation must be submitted. Therefore, we revised the instructions in the Audit Field Work Phase “Documentation Submissions” section to clarify a number of items. First, we re-titled the section “Documentation Submission for Selected Services”. Second, we clarified that the documentation in this section only relates to the 20 targeted services selected following the review of the submitted audit universe. Third, in an effort to reduce burden for MAOs, we split the documentation requests into different stages. To do this, we created a section titled “Initial Submission” where we identify the documentation requested in the first stage of audit fieldwork. In that initial submission section, we clarified the information and documentation that must be submitted for services that have internal coverage criteria, and what documentation needs to be submitted for all services (regardless of whether the organization has internal coverage criteria). Once that initial information is provided to CMS, we will review and validate the data submitted. In order to clarify the timing of this validation, we moved the data validation instructions and methods into a new header titled “CMS Review and Data Validation.” This validation is intended to ensure that the MAO accurately submitted all internal coverage criteria. Following the validation, CMS will request a second data submission which is detailed in the new section, “Evidentiary Sources Submission”. Due to comments regarding the potential burden associated with completing the Standardized Formatting of Internal Coverage Criteria, which are discussed in more detail below, we made significant changes to reduce potential burden in that document. 
One of the changes is that we will no longer request evidentiary sources for every single criterion in each internal coverage criteria policy. Instead, we will select specific criteria following the initial submission of documentation, and then request evidentiary sources to be provided for only those selected criteria. Due to this change in process, we included instructions in the protocol related to this new process and identified a timeframe of 10 business days for the submission of evidentiary source information. Additionally, we noted that extensions may be granted based on the quantity and complexity of the requested criteria.
Comment: CMS received a comment requesting that CMS monitor MAO use of artificial intelligence (AI) in claims processing and denials and recommended strengthening AI related regulations.
Response: We appreciate the commenter’s suggestion; however, it is outside the scope of this PRA package.
Comment: One commenter asked if CMS plans on providing a template for the bullet in the supporting documentation section that related to notes, meeting minutes, and documentation from the UM committee. This commenter asked if a template wasn’t provided, could the supplemental questionnaire be used to provide this information.
Response: We do not intend to provide a template for this request. During audit fieldwork the MAO will be asked to provide documentation that shows specific internal coverage criteria policies were discussed and approved prior to being implemented. Because each organization may have different methods of documenting their meeting minutes or notes, we feel creating a template for this request would greatly increase the burden on organizations. Additionally, the supplemental questionnaire would not be an appropriate replacement as that information is related to higher level processes and not individual documents.
Comment: A few commenters noted concerns with allowing MAOs to self-report this data, and suggested CMS needs to validate information prior to determining compliance.
Response: We plan on validating information submitted through the audit universe during audit fieldwork. We also made a few minor changes to the wording in the audit protocol around validation to clarify that our intent is to validate information submitted by MAOs for the 20 selected services, and to explain how the validation will be conducted.
Comment: A few commenters asked how CMS would review denial letters and noted that there was no information in the protocol on how denial letters would be selected. One commenter suggested CMS use other CMS data sources, including the Service Level Data Collection for Initial Determinations and Appeals requirement (CMS-10905), to select denials to review and validate. Another commenter asked if CMS would require the MAO to report all denial rationales to CMS for review.
Response: We have added additional information into the data validation section, which we have renamed to CMS Review and Data Validation under the Audit Fieldwork Phase section of the audit protocol. The revised description of the data validation increases transparency about how we will select denials for review. First, we want to clarify that we will not ask MAOs to submit the rationales included in denial letters as part of this effort as we know it would require a manual effort to extract that information. Instead, we intend to review denial letters live within the MAO’s system to assess the criteria used in a denial. In an effort to reduce burden whenever feasible, we will attempt to select these denials by searching the MAO’s (or their FDR’s) electronic systems during a live webinar, if the MAO or FDR’s systems are able to search for services by name or some other similar parameter. If their systems are unable to search by service, CMS may request reports of denials by service. If reports are necessary, CMS will not require specific formatting, and will only require enough information to identify some denials for validation purposes. We would also attempt to limit the report timeframe to two months unless we need to expand it in order to identify relevant denials. We also agree with the commenter suggesting that we consider and use other data sources to the extent possible, and if we determine we can select and review denials without requesting a report of denials from the organization, we will do that.
Comment: Multiple commenters indicated support for CMS’s impact analysis proposal within the audit protocol. These commenters noted that this is a valuable tool in assessing the impact of internal coverage criteria policies. A few commenters recommended that in addition to the information proposed by CMS, the impact analysis also collect the total dollar amount of services denied, including both beneficiary costs and provider costs, to show the true impact of these policies, and to determine an appropriate enforcement action in response to non-compliance. Some commenters also recommended that CMS add health outcomes into the impact analysis, noting that denying inpatient or post-acute care stays can also lead to beneficiaries not receiving the right level of care and experiencing repeat admissions or other negative outcomes.
Response: We appreciate support for this impact analysis. While we recognize cost can be an important factor in determining impact to providers, we are not adding these fields at this time. Additionally, while we understand the effect a denial may have on a beneficiary, since this collection is meant to be an aggregate count of denials, we do not think it would be feasible to add financial or health outcomes into this analysis.
Comment: Multiple commenters expressed concern with the impact analysis, noting that in order to populate some of the information, such as the number of denials based on inappropriate internal coverage criteria, the organization would have to undertake a manual review of denial letters which would be time consuming and costly.
Response: We appreciate concerns related to this impact analysis. While we believe that gathering this information is important to understand the impact to beneficiaries, we recognize that it could also be time consuming especially for services that may be requested often. In order to be sensitive to potential burden, while still trying to assess impact to beneficiaries, we have modified the instructions for the impact analysis to indicate that CMS will attempt to limit the timeframe of the request. Specifically, CMS will consider both the size of the organization, and the type of service impacted when selecting a timeframe. We also added a new column C to account for this timeframe in the impact analysis.
Comment: One commenter asked if CMS would fill out columns A and B in the impact analysis before submitting it to the organization.
Response: CMS will populate columns A, B and the newly added C prior to requesting an impact analysis.
Comment: One commenter asked for clarification on whether “reconsiderations” in the impact analysis referred to Level 1 reconsiderations only.
Response: We agree that MAOs should only enter Level 1 reconsiderations for this impact analysis and have clarified that in the instructions for the impact analysis.
Comment: One commenter asked if dismissals should be captured in the impact analysis. Another commenter requested clarification on whether all denials should be captured in the impact analysis or whether the organization should exclude denials for non-members, duplicate requests, or other parameters.
Response: Because this impact analysis is meant to collect aggregate data and not individual beneficiary level data, we appreciate the chance to clarify the collection. First, we would like to clarify that any field that requests a count of all determinations (organization determinations or reconsiderations), must be inclusive of all requests regardless of how it was decided (including dismissals). For the fields that are requesting a count of denials only, do not include dismissals, but do include anything that is denied or partially denied. While we think there is value in MAOs removing cases that are duplicates, we think that might increase burden. For the fields where we ask for denials based on the internal coverage criteria, those should be a more targeted subset, which will require the organization to exclude some denials that do not fit within the required field parameters.
Comment: One commenter asked for clarification on the types of payment denials that should be included in the impact analysis, and whether they should only include payment denials associated with prior authorization requests.
Response: Payment requests must be included similar to how other requests are populated. Do not report a subset of payment request data unless specified in the instructions.
Comment: One commenter requested clarification between columns C and D in the impact analysis, noting they weren’t sure of how these fields were different. This commenter also suggested we clarify that the reconsideration fields in J, K and L would exclude payment reconsiderations.
Response: The Impact Analysis Total Initial Determinations related to Service field, or Column D (formerly column C), is intended to capture a total number of initial determination requests for a particular service, inclusive of all types of requests. Column D is a sub-set of the initial determinations in column C and only includes non-payment organization determinations. As for the reconsideration fields, we believe the distinction between columns J, K, and L (non-payment) and columns M, N, and P (payment) is clear.
Comment: One commenter requested more time to conduct the impact analysis due to some of the manual review that would need to be done. This commenter suggested 10 business days would not be sufficient.
Response: In addition to shortening the timeframes for the impact analysis request (based on service and size of organization), we are also adding to the protocol that extensions to the 10 business day timeframe will be considered and granted when determined appropriate by CMS.
Comment: A few commenters asked when the audit protocol would be implemented and indicated concerns with this data collection starting before January 1, 2026. Commenters recommended that if the audits did begin before 2026, that CMS consider auditing a smaller scope or conducting a pilot audit first.
Response: We do not intend to begin these audits until January 1, 2026. Additionally, while we may select up to 50 services in the CMS Targeted List of Services, and sample up to 20 services during audit fieldwork, we will carefully consider how many services are actually selected for the first year of this audit protocol in order to ensure that MAOs and their FDRs have an appropriate amount of time to prepare and adjust.
Comment: One commenter requested CMS conduct training or a user group call to help prepare MAOs for this new audit process.
Response: We appreciate the suggestion and are committed to being as transparent in our auditing approach as possible. We will consider the best avenues for providing information and training to organizations regarding this new audit process.
Comment: CMS received multiple comments regarding the public sharing of data collected by CMS. Some commenters requested that audit data collected in this package be made publicly available. Multiple commenters requested that CMS share aggregated data via reports on CMS’s website because it would allow providers and patients the ability to meaningfully access the aggregated reported data and it would provide crucial transparency. A commenter requested CMS make impact analyses that are out of compliance publicly accessible to allow providers, beneficiaries, and other stakeholders to better evaluate health plans. A few commenters suggested that the aggregated data should not only be publicly available, but should also factor into quality reporting programs, such as Star Ratings. One commenter requested CMS consider developing a central, CMS-supported, consumer facing website that would allow people to access internal coverage criteria and audit data similar to a plan compare. Other commenters also requested that CMS make other data available publicly, including any service level data collected by the agency, and the information gathered through the Complaints Tracking Module (CTM). One commenter asked CMS to publish information on when CMS determines a service is fully established so that all organizations and providers can access that information.
Response: We will consider the best ways to share information gathered and learned through these audits. At this time, it is not our intention to share specific underlying audit data, including impact analyses, publicly but rather report non-compliance at an aggregated level across MAOs. However, we will continue to contemplate these suggestions. Requests for publishing data not collected within this package are outside the scope of this PRA package.
Analysis of Internal Coverage Criteria (Previously named Standardized Formatting of Internal Criteria)
Comment: CMS received several comments on the Standardized Formatting of Internal Criteria document regarding internal coverage criteria that is already publicly available. These commenters noted that internal coverage criteria is already required to be publicly available, and therefore requiring internal coverage criteria to be submitted via the standardized format developed by CMS would be duplicative and adds to MAO’s administrative burden. Another commenter requested that the Standardized Formatting of Internal Criteria be removed because along with being duplicative, the document also lacks critical clinical information.
Response: As we stated in a previous response, we have found MAO websites are often difficult to navigate, criteria applicable to Medicare members is not always clearly identified, and criteria used by FDRs are not always accessible or visible on parent organization websites. This observation is supported by multiple responses to this protocol. We have also found that when internal coverage criteria are interpreting or supplementing an existing Medicare rule, and the criteria can be located, the general provisions being interpreted or supplemented are not always clearly identified. Since this information is not always readily accessible and it is necessary to evaluate regulatory compliance, we believe that the information should be collected. We would also note that this collection only impacts organizations undergoing audits and will not impact all organizations every year. When CMS first created this document, our intention was to create a document that aligned with the requirements in 42 C.F.R § 422.101(b)(6)(ii) relating to the information that must be provided to the public. That way, an MAO could choose to use the standardized formatting not only for submitting to CMS for audit, but also in how they publicly display their criteria. However, based on the comments received, we are changing the document significantly which is discussed in more detail below. Additionally, since this document will no longer be intended as an optional standardized format, and instead will only serve as an analysis of the internal coverage criteria, we are changing the name of the document to avoid confusion. The document will now be titled “Analysis of Internal Coverage Criteria” and herein referred to by that name in the remaining comment and responses.
Comment: CMS received a comment expressing concern over the burden involved in gathering and submitting the data requested in the Analysis of Internal Coverage Criteria. The commenter stated that submitting the criteria in report form is overly burdensome because the data must be extracted manually from PDFs.
Response: We understand the commenter’s concerns and have worked to reduce burden wherever possible. As noted in the previous response, we created this template with the plan that organizations could choose to use it as a template for their publicly accessible criteria; however, that would have required MAOs to copy and paste criteria into the document. Therefore, we significantly modified and streamlined the document to only require information needed to analyze the criteria and compare it with the regulatory requirements. Specific changes are discussed in the comments and responses below.
Comment: CMS received a comment requesting clarification on whether supplemental benefits must be submitted in the Analysis of Internal Coverage Criteria document.
Response: We clarify that supplemental benefits do not need to be submitted in the Analysis of Internal Coverage Criteria document.
Comment: CMS received several comments on Part 1 of the Analysis of Internal Coverage Criteria document. One commenter asked for clarification on how to populate the “Coverage Criteria Unique Weblink” field when there is not a direct link available and asked if a link to the searchable pharmacy formulary is sufficient. This same commenter asked CMS to clarify how to populate the “Explicit Flexibility for Additional Coverage” field when an LCD is used as the basis for internal coverage criteria by removing restrictions in the LCD to expand accessibility to members. Another commenter had several modification requests. Specifically, the commenter requested that an “all” option be added to the “Applicable Service Area” field and that it be renamed the “Applicable Coverage Area” for consistency with the instructions form. The commenter also requested a typo be corrected in the “Medicare Coverage Included or Excluded” field to ensure consistency with the row name. This same commenter requested that CMS use the words “criteria” and “criterion” consistently in both the Part 1 and Part 2. Another commenter requested that CMS modify the instructions in order to clarify the information CMS was seeking. Lastly, several commenters noted the duplication of information between this section and the publicly available information in their internal coverage criteria policies.
Response: Based on the feedback from commenters CMS made significant modifications to the Analysis of Internal Coverage Criteria document. In order to streamline data entry and reduce burden we converted the tool from a Word document to an Excel workbook. Next, we re-reviewed all the information in Part 1 and removed as much duplication as possible. The intention for this document will be that it is submitted in addition to whatever internal coverage criteria policy is being submitted. For example, an MAO would submit their PDF version of their internal coverage criteria policy related to CT scans, and they would simultaneously submit the Analysis of Internal Coverage Criteria document which analyzes the policy. In addition to these changes, we also renamed the field “Applicable Service Area” to “Applicable MAC Jurisdiction”; however, we did not update the instructions for this field since they already indicated that “all” should be entered if the criteria are applicable nationally. The “Coverage Criteria Unique Weblink,” “Medicare Coverage Included or Excluded,” and “Explicit Flexibility for Additional Coverage” fields were removed from the revised document because we determined this information will be collected through the UMC universe or during CMS’s review of the internal coverage criteria. In addition to simplifying Part 1, we also clarified how to submit information by revising instructions.
Comment: CMS received a few comments regarding Part 2. A couple of commenters requested that CMS add a column requiring MAOs to explain how they determined Medicare rules are not fully established. Another commenter requested that CMS clarify why the instructions for Part 2 state “for informational purposes only.” The commenter asked whether the information requested in Part 2 was optional and under what circumstances the information was required. Another commenter requested that CMS remove column D, which asks organizations to identify the citation associated with the applicable Medicare language, and column E, which asks organizations to provide a statement explaining how the criterion provides benefits that outweigh clinical harms. The commenter believes this information is duplicative of information provided in response to Part 4.
Response: CMS appreciates the commenters’ suggestions. After careful consideration we decided not to add a column in Part 2 asking the MAO to explain their rationale for determining that a Medicare rule is not fully established. We believe there will be times the MAO’s rationale will be clear; however, to the extent the MAO’s rationale is not clear, CMS will engage with the MAO during audit fieldwork to determine why the criteria were created. In order to clarify the instructions for Part 2, we struck “for informational purposes only” and also added additional instructions. In the instructions we clarify that Part 2 is meant to be an analysis of the applicable policy containing internal coverage criteria. In Part 2, the MAO will analyze their policy and pull out each individual internal coverage criterion and place it into the table. We also clarified in the instructions for that table that we do not want individual criteria that either don’t apply to the Medicare population or that are CMS requirements. We know based on our oversight experience that sometimes criteria policies contain coverage criteria that are applicable to multiple lines of business, or that are direct reiterations of CMS requirements. Since this analysis is intended to only review the internal coverage criteria applicable in Medicare, both of those types of criteria can be excluded. In an effort to reduce burden further, we also removed column E, which asked organizations to provide a statement explaining how each criterion provides clinical benefits that outweigh any clinical harms. We will however be retaining column D which asks the MAO to cite the applicable Medicare language because we believe this information is necessary, at a criterion level, to effectively evaluate regulatory compliance.
Comment: CMS received multiple comments on Part 3: Evidentiary Support for Internal Coverage Criteria in the Analysis of Internal Coverage Criteria document. A few commenters requested CMS either change the formatting requirement from Modern Language Association (MLA) to American Medical Association (AMA) style or allow the MAO to use the formatting it prefers. A commenter requested that CMS waive the single reference source requirement as there are times when there is more than one source for a specific criterion. Another commenter asked for clarification on what “all sources” meant, and asked if CMS intended to only ask for sources that were actually relied on when creating the criteria. This same commenter also indicated that it was not always feasible or clinically possible to have a source that meets CMS evidentiary standards for every criterion; and indicated that there were times when guidance is necessary, but no published evidence exists. This commenter asked for clarification on CMS intention in those situations. Another commenter requested clarification on the “for informational purposes only” language in the instructions. Finally, a commenter asked CMS to clarify why the Part 3 table was not included as a column in the Part 2 table.
Response: In response to comments, we have incorporated Part 3 into the Part 2 table. Additionally, we have clarified that multiple evidentiary sources may be entered into a single cell for a single criterion and the citations associated with each criterion may be entered in any format (including AMA) so long as the citation leads directly to the applicable evidentiary source. We also clarified that we are expecting only the sources that were relied upon to create the individual criterion. To the extent that there are no sources available that directly support the criterion, MAOs should submit NA in that column. We added this instruction into the document. We have also removed the language that stated, “for informational purposes only.” Finally, we have added a column that will allow CMS to select a subset of criteria for which evidentiary source information must be provided. By adding this additional column, which will be populated by CMS, we hope to reduce the burden associated with this data collection by limiting how much evidentiary source information must be provided. We clarified in the audit protocol, under the audit fieldwork section, that this change will require a multiple submission approach during audit from the MAO. The initial submission will include a breakdown of the internal coverage criteria and the relevant Medicare requirements the criteria is associated with; and the second submission will be a limited subsection of that internal coverage criteria with the evidentiary sources identified. Even though this has been broken out into two submissions, we believe this change will greatly reduce the burden since MAOs will not need to directly source every single internal coverage criterion.
Comment: CMS received a couple of comments regarding Part 4: Summary of Evidence/Rationale for Criteria in the Analysis of Internal Coverage Criteria document. Both commenters requested CMS modify Part 4 to require an expanded clarification of the rationale used for each criterion where an MAO has determined internal guidelines are needed.
Response: We have removed Part 4 from the Analysis of Internal Coverage Criteria because the information originally requested in this section should be included in the policy that is submitted to CMS.
Instructions on Entering and Submitting Criteria (now incorporated into the Analysis of Internal Coverage Criteria document)
Comment: One commenter recommended that CMS make multiple modifications to the instructions for Part 1 to clarify the instructions, including recommendations on fixing typos, clarifying the service area field, clarifying the weblink field, and aligning the columns that appear in other documents with the same names when feasible.
Response: We have revised the instructions for the “Service Name” field, “Criteria Name or Identifier” field, and “Applicable MAC Jurisdiction” field (previously the “Applicable Coverage Area” field). We have also added instructions for the “MA Organization and/or FDR Name(s)” field and for the “Services Selected by CMS” tab. Instructions for the “Coverage Criteria Unique Weblink,” “Coverage Criteria Applicable to Medicare Members,” “Applicable Medicare Rules,” “Medicare Coverage Included or Excluded,” and “Explicit Flexibility for Additional Coverage” fields were removed since those fields were removed from the Analysis of Internal Coverage Criteria document. A “General” section was also added to clarify that organizations must use a new tab for each policy or document entered into the Excel workbook and to clarify the information that must be entered into Part 2. Lastly, in response to another comment requesting that all instructions be located in a single place when feasible (summarized above), we incorporated the instructions for the Analysis of Internal Coverage Criteria directly into the document itself on the first tab.
Comment: Two commenters requested modifications to Part 2 and Part 3 of the instructions. The first commenter requested CMS correct multiple typos and clarify instructions. The other commenter requested that we modify the instructions in Part 3 to allow American Psychological Association (APA) style citations instead of MLA citations.
Response: All instructions for Part 2 were revised to be consistent with revisions made to Part 2 of the Analysis of Internal Coverage Criteria document. When making revisions, we corrected typos as recommended by the commenter. We carefully considered the one commenter’s recommendation to modify the instructions to allow APA style citations; however, we ultimately decided, based on requests from multiple other commenters, to modify the instructions and format in the Analysis of Internal Coverage Criteria document to say that evidentiary source citations may be entered in AMA format or any format (including APA) that leads directly to the applicable evidence.
Comment: One commenter requested CMS remove LCAs from the instructions as they are not applicable in MA.
Response: We agree with the commenter and have removed references to LCAs.
Utilization Management Supplemental Questions
Comment: Several commenters supported the questions asked in the UM Supplemental Questions, specifically the steps a member, non-member, and provider must take to navigate to the internal coverage criteria. These commenters indicated it is often difficult to find the publicly available internal coverage criteria from an MAO’s webpage.
Response: We appreciate the support for these questions.
Comment: One commenter requested that CMS use consistent terminology between beneficiary and member in the supplemental questionnaire.
Response: We have made all questions consistent using the terminology member, non-member and provider.
Comment: One commenter was prompted by the content of the UM Supplemental Questions to request clarification on what is meant by “publicly available” and whether it could include requiring members or non-members to call and request coverage policies.
Response: Requests for policy clarification are outside the scope of this data collection package.
Comment: One commenter asked for clarification on when the UM Supplemental Questions document was due to CMS, citing a discrepancy between the Supporting Statement A, which indicated a due date of 15 days, and the actual template, which indicated a due date of five business days.
Response: We have updated all collection references to the UM Supplemental Questions due date to clarify that the questionnaire is due within 5 business days of the audit engagement letter date. Additionally, we added a reference to the UM Supplemental Questions due date in the Audit Engagement and Universe Submission Phase section of the audit protocol.
Burden Estimate
Comment: CMS received several comments concerning the burden this proposed data collection would have on MAOs. Many commenters discussed how providing the data requested in the proposed protocol would require manual collection, which would be costly and put a strain on MAO resources. These same commenters discussed how the internal coverage criteria are posted on MAO websites as required by the 2024 Final Rule. A couple of commenters recommended that CMS access the information requested through current and future means, such as via annual Part C data submissions, publicly accessible information on MAOs’ websites, program audits, and through the data required by the Interoperability and Prior Authorization final rule (89 FR 8758). A few commenters expressed concerns about including FDRs in the data set because they believe that doing so may create a significant burden for MAOs and FDRs. Instead of including all FDRs, one commenter suggested that only FDRs that have a material impact on the population the MAO serves should be included in the dataset. Another commenter requested that CMS eliminate data that would require manual review or collection because doing so would alleviate burden for MAOs while still allowing CMS to meet its goals. Finally, one commenter recommended that CMS collect the minimum amount of data possible for sufficient oversight and recommended CMS ensure that data have a specific, clear, and legitimate purpose.
Response: CMS thanks commenters for their feedback. In response to previous comments, we noted that we have found MAO websites are often difficult to navigate, criteria applicable to Medicare members are not always clearly identified, and criteria used by FDRs are not always accessible or visible on parent organization websites. Therefore, while we acknowledge that organizations will need time to implement strategies for reporting the requested data, submission of internal coverage criteria data, including data from FDRs, is necessary for CMS to conduct effective and meaningful monitoring and oversight. We have carefully considered commenters’ recommendations and have modified the proposed protocol and data collection tools (based on comments) to significantly reduce burden whenever possible. The changes made in response to comments include reducing the data collected, removing duplicate data requests, and limiting the scope of data requests, when possible. At this time, we do not believe that the data collection should be modified based on organization size since the regulatory requirements pertaining to internal coverage criteria are applicable to all MAOs. We believe that the revised protocol represents the minimum data that can be collected while still permitting effective oversight and monitoring. As we gain experience implementing this protocol, we will continually evaluate the value of all data collected and determine whether it continues to provide relevant and necessary information. Likewise, if data becomes available and/or readily accessible through other means in the future, we will take that into account when revising future iterations of this protocol.
Comment: CMS received several comments on the burden estimates in Supporting Statement A. A couple of commenters stated that they believed CMS underestimated the number of hours it would take to assemble and submit the requested information. A commenter estimated it would take over 60 additional hours for the annual data submission and several weeks for the audit requirements.
Response: Based on feedback received from commenters, we’ve made a number of significant changes to both the annual and audit data collections that we believe will adjust burden to align with our original estimates.
Comment: One commenter indicated that CMS must ensure the burden of audits remains on the MAO and not the providers. This commenter noted that MAOs sometimes shift the burden of audits to providers by requesting documentation and other deliverables.
Response: This data collection is specific to MAOs and their coverage criteria. Therefore, we do not anticipate increased provider burden based on this collection.