Next Generation ACO Beneficiary Protections and Risks Explained

Over 359,000 clinicians are confirmed to participate in four of the Centers for Medicare & Medicaid Services’ (CMS) Alternative Payment Models (APMs) [The Medicare Shared Savings Program (Shared Savings Program), Next Generation Accountable Care Organization (ACO) Model, Comprehensive End-Stage Renal Disease (ESRD) Care Model (CEC) and Comprehensive Primary Care Plus (CPC+)]. Also:

  • More than 12.3 million Medicare and Medicaid beneficiaries served
  • 562 ACOs across the Shared Savings Program, Next Generation ACO Model, and CEC Model, of which 58 are Next Generation.
  • 121 ACOs in a risk-bearing track, including in the Shared Savings Program, Next Generation ACO Model, and CEC Model
  • 2,893 primary care practices participating in Comprehensive Primary Care Plus

These APMs are active in 50 states, the District of Columbia, and Puerto Rico.[1]

The ACO structure is a new approach to patient care and comes with its own set of risks and conflicts that have to be addressed in your compliance program. This article focuses on Next Generation. However, the guidance contained within may prove helpful for compliance programs overseeing other shared service programs.

The high-risk areas that are associated with federal fraud laws are discussed in my Fraud and Abuse Risks Raised by Next Generation ACO Structure article. They include things like inaccurate quality data reporting implicating the False Claims Act; improperly structured gainsharing triggering the Civil Monetary Penalties, Anti-Kickback, and Stark laws; and upcoding and other billing issues violating the False Claims Act. Read the Fraud and Abuse Risks Raised by Next Generation ACO Structure article for more information on this topic.

ACOs are also at risk of conflicting with rules related to beneficiary protections, such as:

  • Cherry Picking and Lemon Dropping
  • Withholding Medically Necessary Care
  • Interfering with Provider Clinical Decisions
  • Interfering with a Beneficiary’s “freedom of choice”
  • Pressuring or inducing beneficiaries to stay within the ACO or misrepresenting their ability to use non-ACO providers
  • Beneficiary Notification – Failing to provide beneficiary notification of ACO participation and ability to opt-out of data-sharing
  • Prohibited Marketing – Inaccurate or descriptive materials, material that has not been approved by CMS or discriminatory marketing activities
  • Violating Privacy and Security Laws and Agreements

Below is a brief overview of the beneficiary protections of which the ACO is required to adhere.[2]

Cherry Picking and Lemon Dropping

ACOs are prohibited from discriminating against beneficiaries based on health. ACOs may have an incentive to either get rid of sick patients or to not accept new sick patients and pursue relatively healthy patients in an attempt to lower expenditures compared to the benchmark. This practice is known as cherry picking and lemon dropping. Because the sickest patients stand to benefit the most from integrated, coordinated care, it is vital that these people not be excluded from ACOs.

ACOs compliance programs should monitor its ACO’s patient population and watch for drastic changes in the population to ensure that the ACO is not engaging in cherry picking. The compliance department should also ensure that the ACO avoids using algorithms that induce cherry-picking or using practices that drive sicker patients away.

Withholding Medically Necessary Care

ACO are prohibited from withholding medically necessary care. They may have an incentive to withhold care to lower their expenditures from year to year, especially if the service category establishes the benchmark. For example, if the ACO has a benchmark for inpatient care, the ACO may seek to limit the number of inpatient stays, even though it might be medically necessary for the patients to receive more inpatient care. As such, ACOs should monitor the care that is delivered by ACO providers to ensure that patients receive the care they need, when they need, and where they need it.

Interfering with Provider Clinical Decisions

Next Generation ACOs, their Participants, and Preferred Providers cannot take any action to limit the ability of a Next Generation Participant or Preferred Provider to make decisions in the best interests of the Beneficiary, including the selection of devices, supplies, and treatments used in the care of the Beneficiary. Compliance should review provider agreements and communications to ensure that they do not anyway restrict the provider’s ability to make decisions in the best interests of the Beneficiary.

Interfering in Beneficiary’s Freedom of Choice

ACOs cannot require that Next Generation beneficiaries be referred only to Next Generation Participants or Preferred Providers or to any other provider or supplier. Again, nor can an ACO pressure or induce beneficiaries to stay within the ACO or misrepresenting their ability to use non-ACO providers. Compliance should also review provider agreements and communications to ensure that they do not encourage providers to only refer beneficiaries to Next Generation Participants or Preferred Providers. Providers should be educated not to pressure or induce beneficiaries to stay within the ACO. Compliance should likewise review members communications to confirm that materials do not suggest or require beneficiaries to only use ACO providers.

Beneficiary Notification

ACO Involvement

ACO providers must notify beneficiaries at the point of care, that their ACO providers are participating in the Shared Savings Program and of the opportunity to decline data sharing to the ACO. Notification is carried out when an ACO provider posts signs in its facilities, and in settings in which beneficiaries receive primary care services, by making standardized written notices available upon request. Primary care physicians, upon request of beneficiary, must also provide a copy of a standardized letter with the information provided in the poster. ACOs should monitor for compliance with the notification requirements.

Data Sharing

CMS offers ACOs an opportunity to request specific data and reports, to improve care integration and to support efforts to be a patient-centered organization. The data and reports provided to the ACO will omit:

  • Individually identifiable data for Next Generation beneficiaries who have opted out of data sharing with the ACO
  • Substance abuse data for any Next Generation beneficiaries who have not opted into substance abuse data sharing

As stated above, the beneficiaries must have the opportunity to opt-out of sharing PHI among ACO providers. Next Generation beneficiaries who inquire about and wish to modify their preferences regarding claims data sharing for care coordination and quality improvement purposes must be provided with information about how to modify their data sharing preferences via 1-800-MEDICARE. The ACO should periodically audit the list of members who opted-out of data sharing and provide the call center staff with the necessary training regarding the requirement to provide beneficiaries with instructions on how to opt out.

Violating Privacy and Security Laws and Agreements

The ACO is required to maintain the privacy and security of all ACO related information that identifies individual beneficiaries in accordance with The Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules, applicable state laws and regulations, and Data Sharing Agreement entered into with CMS.

An ACO may not disclose, use or reuse the data except as specified in the ACO Model Agreement or except as CMS authorizes in writing or as otherwise required by law. ACO may not sell, rent, lease, loan, or otherwise grant access to the data. CMS data sharing can only be used as a tool to deliver seamless, coordinated care for patients with Original Medicare to promote better care, better health, and lower growth in expenditures.

Next Generation ACOs MUST report, within one hour, any breach of personal health information (PHI) or personally identifiable information (PII) from or derived from the CMS data files. They must also report loss of these data or improper use or disclosure of such data to the CMS Action Desk by telephone at (410) 786-2850 or by email notification at Also, the ACO must cooperate fully in any federal incident security process that results from such improper use or disclosure.

Next Generation ACOs are required to provide ACO specific compliance training. Be sure to education workforce members that the ACO MUST report breaches within one hour.

Descriptive Materials and Activities – Marketing

Descriptive Next Generation ACO materials are general audience materials such as brochures, advertisements, outreach events, letters to beneficiaries, web pages, mailings, social media, or other activities conducted by or on behalf of the ACO or its Next Generation Participants or Preferred Providers, when used to educate, notify, or contact beneficiaries about the Next Generation ACO Model.

Descriptive Next Generation ACO Materials and Activities Do Not Include:

  • Communications that do not directly or indirectly reference the Next Generation ACO Model (for example, information about care coordination generally would not be considered Descriptive ACO Materials and Activities)
  • Materials that cover Beneficiary-specific billing and claims issues
  • Educational information on specific medical conditions
  • Referrals for health care items and services
  • Any other materials that are excepted from the definition of “marketing” under the HIPAA Privacy Rule (45 CFR Part 160 & Part 164, subparts A & E)

Risk areas related to Descriptive Materials include things like the use of materials that have not been approved by CMS, or materials that are misleading or that contain prohibited language and terms.

Descriptive Materials Approval Process

The ACO, its Next Generation Participants and Preferred Providers cannot use Descriptive ACO Materials or Activities until reviewed and approved in their entirety by CMS. Descriptive ACO Materials or Activities are considered approved ten business days following their submission to CMS if:

  • The ACO certifies in writing its compliance with all the marketing requirements under this section; and
  • CMS does not disapprove the Descriptive ACO Materials or Activities.

CMS may issue a written notice of disapproval of Descriptive ACO Materials or Activities at any time, including after the expiration of the ten-day review period. The ACO, Next Generation Participants, Preferred Providers, or any other individuals or entities performing functions or services related to ACO activities, as applicable, must immediately discontinue use of those materials. Any material changes to CMS-approved Descriptive ACO Materials and Activities must be reviewed and approved by CMS before use.

The ACO is required to retain copies of all written and electronic Descriptive ACO Materials and Activities and appropriate records for all other Descriptive ACO Materials and Activities provided to Next Generation beneficiaries.

Descriptive Materials Language and Appearance

If available, the ACO must use Descriptive ACO Materials templates (Marketing Materials created and provided by CMS) and has to follow all instructions on the template. The materials must meet the following requirements:

  • Be written in a clear, concise, and well-organized manner.
  • Contain a unique identification number to facilitate CMS review of an oversight.
  • All text must be printed with a font size equivalent to or larger than Times New Roman twelve (12) point or 12-point Calibri. Note: Certain items and materials are exempt from meeting these font size requirements, although ACOs should always strive to produce materials using legible fonts and font sizes.
  • Cannot contain any language or image(s) that is likely to be perceived as discriminating based on race, ethnicity, national origin, religion, gender, age, mental or physical disability, health status, claims experience, medical history, genetic information, evidence of insurability or geographic location.
  • Cannot target beneficiaries from higher income areas or state or imply that plans are only available to seniors rather than to all Medicare beneficiaries.
  • Materials cannot be materially inaccurate, misleading, or otherwise make misrepresentations. This includes, but is not limited to language suggesting the following:
    • Beneficiaries must see providers only within the ACO or are prohibited in any way from seeing providers outside of the ACO.
    • Beneficiaries must enroll in or participate in an ACO.
    • CMS endorses one ACO over another.
  • Cannot use words or symbols including “Medicare,” “Centers for Medicare & Medicaid Services,” “Department of Health and Human Services,” or “Health & Human Services” in a manner that would convey the false impression that the business or product mentioned is approved, endorsed, or authorized by Medicare or any other government agency.
  • Comply with prohibitions on beneficiary inducements
  • Must adhere to Federal Plain Language Guidelines
  • Include the following information:
    • Contact information for beneficiaries with general questions about the Shared Savings Program
    • ACO physician contact information
    • Contact information for the ACO (and the participating provider, if applicable) that is sending the information
    • Hours of operation for the ACO participant and ACO provider/supplier

When putting together your risk concerns for Next Generation ACOs, be sure to include failing to comply with the above requirements, along with the fraud risk discussed in Fraud and Abuse Risks Raised by Next Generation ACO Structure article.


[2] See, Next Generation ACO Model Participation Agreement.