Managing the Transition to Transformation: State Insurance Law and Provider Risk under Alternative Payment Models

| |


McDermott’s Managing the Transition to Transformation series is designed to help health systems and other health care industry leaders address the many challenges presented by the transformation in payment and care delivery models. The goal of this series is to help organizations prepare so that they are not only competitive, but can also thrive under alternative payment models (APMs) and quality-based reimbursement models (QBRs). This article explores the different state models for regulating provider risk under APMs.

In Depth

As the health care industry shifts at an ever-accelerating pace from fee-for-service to value-based alternative payment models (APMs), providers and payors are increasingly attempting to align their financial incentives. As part of this effort, health plans are more frequently shifting financial risk to providers, and providers are seeking opportunities to assume such risk in exchange for patient volume and the potential financial gains they may achieve under risk-based contracts. State insurance departments that have historically focused on the regulation of traditional indemnity health insurance companies and HMO-type health plans are evolving to adapt to the nationwide move to value-based care. Either through their insurance departments or other health plan regulatory bodies, more and more states are recognizing that provider risk arrangements warrant greater regulation to ensure protections for both patients and providers. The resulting new regulations create new challenges for payors and providers entering into APMs.

Alternative Payment Models Come in Many Shapes and Sizes

The types of APMs employed by providers and health plans in the current health care market vary widely, and the prevalence of certain models varies geographically. Although most of these regional variations are generally the result of non-regulatory market forces, regional variations can also arise as a result of varied state approaches in regulating APMs.

Some APMs involve direct contractual arrangements between health plans and providers, (generally physicians) under which providers may assume various levels of financial risk, including:

  • Upside “risk” only, typically based on reducing the cost from historical benchmarks for a range of health care services provided to plan members who are assigned or otherwise attributed to those providers;
  • Upside and downside financial risk, but only for the services that the contracting provider entity is licensed to provide or arrange for; or
  • Global financial risk for the contracting provider entity’s own services and the services of other providers (i.e., referral services, including institutional services that the provider is not licensed to provide).

Other APMs may involve risk-bearing entities taking on upside and downside financial risk for health care services, where the third-party entity is not providing any of the services itself. These entities generally are provider-owned, but in some cases the entity may be an entity licensed as a third-party administrator. Some of these third-party entities provide a wide range of services to provider organizations, such as credentialing, claims processing and/or adjudication, and quality improvement services, while others simply enter into risk-based APMs on behalf of the contracting providers and then pass through APM revenue to those providers. Each of these types of arrangements may be regulated differently by state insurance agencies and/or other regulatory bodies.

In any upside or two-sided (upside and downside) risk arrangement, it is advisable to incorporate separate or related financial incentives for the providers to render quality care, to minimize the risk that provider may reduce medically necessary services.

State Approaches to Regulating APMs: All over the Map

The degrees and types of state regulation of provider risk arrangements under APMs vary across the country. Although there is no standardized regulatory framework among the states, there are certain common features of APMs that tend to have a significant impact on the type and degree of state regulation. For example, regulation may depend on following factors:

  • Whether the payor contracting with the risk-bearing entity is a licensed HMO-type health plan;
  • Whether the risk-bearing entity is a licensed health care provider (or provider organization) or a non-provider third party that is contractually or otherwise affiliated with the provider;
  • Whether a provider is taking on risk only for its own services or also for services rendered by other providers; for example, physicians assuming risk for institutional services;
  • What other services (e.g., claims processing, claims adjudication or utilization review) the provider or third party may be responsible for providing under the APM; and
  • Whether the provider or third-party entity is marketing and selling health benefits directly to employers, union trust funds or individuals.

As evidenced by the following snapshots of the currently evolving APM regulatory approaches in California, Tennessee and New Jersey, the factors above can determine not only the degree of state regulation but also whether the APM arrangement will be regulated by the state at all. These three examples also illustrate the wide variation in regulatory approaches across the states. These are just examples; there is APM regulatory activity, to some extent, in most other states.


California has a well-developed legal framework for regulating “health care service plans” offered by HMOs and health insurers, and has extended this legal framework to directly regulate certain providers and other third parties engaged in APMs. Through both this formal regulation as well as the imposition of more indirect regulatory controls, California is substantially more hands-on in its regulation of these provider organizations than most other states. This approach appears to have intensified, in part in response to insolvencies experienced by a number of large physician practice and “middlemen” entities in the 1990s that had widespread ripple effects on physicians and consumers.

Under the Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene Act), the California Department of Managed Health Care (DMHC) requires licensure for any entity that assumes global financial risk for the provision of both physician and other health professional services and hospital and other institutional health care services. Financial risk is defined broadly under the Knox-Keene Act, but the law and the DMHC have established several categories of licensure based on the level of financial risk an entity assumes and whether or how it markets health insurance products or services to consumers. For example, a provider that assumes global financial risk for health care services but does not collect premiums or directly market to consumers or employers would be required to obtain a more limited form of licensure, known as a “restricted” Knox-Keene license, rather than a full-service HMO.

Restricted Knox-Keene licenses allow licensees to assume global risk by accepting both institutional and professional risk-based capitation payments as subcontractors to unrestricted, full-service plans. These restricted plans must still meet DMHC’s financial solvency and other requirements. This category of licensure is not set forth in the Knox-Keene Act or DMHC regulation, but has been implemented informally by the agency. By longstanding informal DMHC interpretation of the Knox-Keene Act, however, a provider that enters into a capitated or other substantial financial risk contract only for services within the scope of the provider’s own license (including, for example, pharmacy costs for physicians) is not required to obtain Knox-Keene licensure of any type.

Certain entities that are not licensed under the Knox-Keene Act are regulated as risk-bearing organizations (RBOs). For example, physician organizations operating under capitated payment arrangements, but not exposed to global risk, may be regulated as RBOs if they are responsible for processing and paying claims. While RBOs are not subject to direct financial solvency requirements, the Financial Solvency Standards Board (FSSB) of the DMHC engages in indirect financial regulation of these entities. For example, the FSSB monitors the ongoing tangible net equity of RBOs and requires Knox-Keene plans that contract with RBOs to institute corrective action under their contracts if the RBO’s financial solvency and other metrics are determined to fall below the FSSB’s standards. Thus, the DMHC has implemented an informal, indirect regulatory strategy to engage in even more regulation of provider APMs than is required under California law.


In sharp contrast to California’s comprehensive regulation of provider risk arrangements, Tennessee does not engage in any direct regulation of provider organizations that enter into APMs; rather, Tennessee regulates these arrangements entirely through its regulation of the HMOs that the providers contract with. In 2013, the Tennessee legislature amended its HMO statute to expressly permit HMOs and provider organizations (including physician-hospital organizations, provider groups and provider networks) to enter into arrangements for the provision of health care services on a prepayment basis or other risk-sharing basis. Under Tennessee’s regulatory framework, HMOs are responsible for ensuring that applicable provider organizations obtain aggregate or per-patient stop-loss protection insurance coverage for the health care services included within the scope of a risk-based payment arrangement. While these requirements are likely passed through providers by contract, Tennessee law does not place any direct financial or reporting obligations on physician-hospital organizations, providers, provider groups or provider networks with respect to such risk-sharing arrangements. All financial obligations and reporting obligations regarding the risk-sharing arrangement remain with the HMO.

New Jersey

In New Jersey, the state’s Department of Banking and Insurance (DBI) has established a regulatory framework for certain entities that contract or arrange to provide comprehensive or limited health care services to health insurers, HMOs or other carriers. Such a regulated entity is referred to as an “Organized Delivery System” (ODS).

While preferred provider organizations, physician-hospital organizations and independent practice associations (IPAs) may be regulated as ODSs, the definition of an ODS explicitly excludes licensed providers and provider organizations (such as IPAs) that are comprised solely of providers and only perform services for which its members are licensed. These provider entities can enter into APMs with carriers without subjecting themselves to direct regulation by DBI. If, for example, a group of primary care physicians forms an IPA for the purpose of contracting with carriers, the IPA would not be regulated as an ODS if it enters into payment arrangements covering only services performed by members of the IPA. The entity would likely qualify as an ODS, however, if the entity contracts for services performed by physicians outside the IPA, such as specialists.

New Jersey’s regulatory framework for ODSs also covers intermediary entities that hold risk arrangements on behalf of providers, whereby the provider is contracted directly with the carrier but receives shared savings or other incentive payments through an intermediary.

Looking Ahead

The wide variation in state regulation of provider risk under APMs creates legal and operational challenges for health plans and providers, particularly those that operate in multiple states. While the National Association of Insurance Commissioners’ (NAIC’s) HMO Model Act proposes some minimum registration requirements for certain risk-bearing entities, the NAIC does not currently have a model regulatory framework for regulating provider risk under APMs. With so many states having already implemented comprehensive regulatory models, it is unclear whether the NAIC may try to develop such a framework in the future or whether states may otherwise adopt more standardized approaches in future years.

Shifting political dynamics could potentially have an impact on state approaches to regulating APMs. President-elect Trump and congressional Republicans have proposed to remove barriers to selling insurance across state lines. If such a change were implemented, it could potentially give rise to forum shopping among health insurers and HMOs seeking to hold licensure only in the state(s) with the most preferential regulatory frameworks. Given the significant differences in regulation of provider risk under APMs, this could become a differentiating factor between states, potentially influencing how aggressively states regulate these arrangements, in order to avoid losing current licensees or to attract new ones. Thus, varying state regulations are likely to take even greater importance for health plans and providers as the industry continues to evolve toward value-based care.