Work Requirements Article 7D

Legal architecture for third-party verification and exemption support

States cannot directly verify work or determine exemptions for 18.5 million people. Success requires delegating submission authority to employers, providers, educational institutions, managed care organizations, and community partners. But delegation creates legal questions: What authority can states delegate? Who bears liability when delegated entities make errors? What protections incentivize participation?

This article provides the legal and operational framework for delegation systems that enable third-party verification while protecting all parties from unreasonable liability exposure.

Constitutional and Legal Foundation

#

State Authority to Delegate Medicaid Functions

#

Federal framework: Section 1115 waivers and State Plan Amendments give states broad flexibility in Medicaid administration but require maintaining ultimate state authority over eligibility determinations.

Permissible delegation:

• Data collection and submission (clearly allowed)
• Initial screening and assessment (allowed with state oversight)
• Recommendation on eligibility/exemption (allowed if state makes final determination)
• Case management and navigation support (clearly allowed)

Impermissible delegation:

• Final eligibility determination (must be state function)
• Appeals decisions (must be state authority)
• Program policy setting (state responsibility)
• Enforcement actions (state authority)

Recommended framework: States delegate data submission, initial assessments, and recommendations. State retains final determination authority with streamlined approval for clear cases.

Due Process Requirements

#

Constitutional minimums when private entities participate:

• Notice of adverse actions
• Opportunity to be heard
• Impartial decision-maker
• Right to state-level review
• Written decision with reasoning

Application to work requirements:

• Employer reports zero hours → member receives notice and opportunity to dispute
• Provider denies exemption documentation → member can appeal to state
• MCO determines member doesn’t qualify for support → state reviews if requested
• Educational institution reports non-enrollment → member can provide contrary evidence

Key principle: Private entity actions are recommendations or data submissions. State makes final determination. Individual always has right to state review.

Credentialed Entity Framework

#

Entity Types and Delegation Authority

#

Tier 1 - Primary Submitters (Direct State Delegation):

Employers:

• Authority: Submit work hours for employees
• Scope: Hours worked, employment dates, verification of employment status
• Not authorized: Make exemption determinations, assess work capacity
• Credentialing: Registration with state, EIN verification, designated submitter training

Healthcare Providers:

• Authority: Attest to medical exemption qualification
• Scope: Functional capacity assessment, medical condition documentation, treatment status
• Not authorized: Final exemption approval, coverage determinations
• Credentialing: Active medical license, NPI verification, exemption attestation training

Educational Institutions:

• Authority: Submit enrollment and attendance data
• Scope: Full-time/part-time status, credit hours, program completion, attendance verification
• Not authorized: Determine if education counts toward requirements (state decision)
• Credentialing: Accreditation verification, institutional agreement, data security compliance

State Workforce Agencies:

• Authority: Submit job training, job search, and unemployment insurance data
• Scope: Program enrollment, participation hours, unemployment benefit receipt
• Not authorized: Determine exemption eligibility
• Credentialing: Interagency agreement, data sharing MOU

Tier 2 - Intermediary Submitters (Aggregation Authority):

Managed Care Organizations:

• Authority: Aggregate and submit verification from multiple sources on member’s behalf
• Scope: Coordinate employer/provider/education verification, facilitate exemption applications, provide navigation support
• Not authorized: Make coverage determinations, override state decisions
• Credentialing: Medicaid managed care contract, care coordination infrastructure, HIPAA compliance

Payroll Processors:

• Authority: Submit hours for multiple employers using their services
• Scope: Aggregate payroll data from client employers, transmit to state system
• Not authorized: Verify employment relationships, make determinations
• Credentialing: Business registration, client employer authorization, security certification

Employment Agencies/Staffing Firms:

• Authority: Submit hours for workers placed by agency
• Scope: Verify placement, report hours worked at client sites
• Not authorized: Verify quality of work, determine exemption needs
• Credentialing: Business license, state workforce agency relationship

Tier 3 - Community-Based Submitters (Limited Authority):

Volunteer Organizations (501(c)(3) nonprofits):

• Authority: Submit volunteer hours for individuals
• Scope: Verify volunteer work performed, report hours and dates
• Not authorized: Determine what volunteer work qualifies, assess work capacity
• Credentialing: IRS 501(c)(3) verification, organization registration, designated submitter training

Faith-Based Organizations:

• Authority: Submit volunteer service hours
• Scope: Community service verification, faith-based program participation
• Not authorized: Make eligibility determinations
• Credentialing: Organization registration, designated submitter training, acknowledgment of neutrality requirements

Community-Based Organizations:

• Authority: Facilitate verification and exemption applications for members served
• Scope: Trusted intermediary role, cultural broker, navigation support
• Not authorized: Make determinations, override individual choice
• Credentialing: Community organization registration, navigator training, data security compliance

Tribal Entities:

• Authority: Submit verification for tribal members, coordinate exemption applications
• Scope: Culturally appropriate verification facilitation, tribal program documentation
• Not authorized: Supersede state authority (though tribal sovereignty considerations apply)
• Credentialing: Tribal government recognition, data sharing agreement respecting sovereignty

Safe Harbor and Liability Protections

#

Employer Safe Harbor Provisions

#

Protected activities:

• Submitting hours worked as recorded in standard payroll systems
• Reporting employment dates and status changes
• Providing employment verification letters
• Responding to verification requests from MCOs or state

Good faith standard: Employers protected from liability if they:

• Report hours as recorded in their timekeeping/payroll systems
• Have reasonable procedures for tracking hours
• Make good faith efforts to verify employee identity
• Report errors when discovered

Liability limitations:

• No liability for employee coverage loss due to accurate reporting
• No liability for good-faith errors in hour calculation if corrected when discovered
• No liability for delays in reporting due to payroll cycle timing
• Protected from lawsuits by employees who lose coverage based on accurate work hour data

Exceptions (no safe harbor):

• Intentional false reporting
• Retaliation against employees (reporting zero hours to punish)
• Systematic failure to maintain basic timekeeping
• Refusal to correct known errors

Recommended statutory language: “Employers submitting work hour verification in good faith based on standard business records shall not be held liable for any coverage loss or adverse action resulting from accurate reporting. Employees shall have no cause of action against employers for providing accurate employment information to state Medicaid agencies.”

Healthcare Provider Safe Harbor

#

Protected activities:

• Attesting to patient’s functional limitations
• Documenting medical conditions affecting work capacity
• Providing exemption supporting documentation
• Recommending exemptions based on clinical judgment

Professional judgment standard: Providers protected if attestation:

• Based on clinical relationship with patient
• Reflects reasonable professional judgment
• Documented in medical record
• Follows accepted standards of care

Liability limitations:

• No malpractice liability for exemption attestations made in good faith
• No liability if state denies exemption despite provider recommendation
• No liability for patient losing coverage if provider accurately attests patient can work
• Protected from fraud charges if patient misrepresented condition and provider had no reason to know

Exceptions (no safe harbor):

• Attestations without clinical foundation
• Submitting exemption documentation for people who aren’t patients
• Accepting payment from patients specifically for false attestations
• Systematic fraud (pattern of inappropriate exemptions)

Recommended statutory language: “Healthcare providers submitting medical exemption documentation based on clinical relationship and professional judgment shall not be subject to malpractice liability, professional discipline, or fraud prosecution for good faith attestations, even if subsequent review determines exemption was not warranted.”

Educational Institution Safe Harbor

#

Protected activities:

• Reporting enrollment status
• Submitting attendance data
• Verifying program completion
• Providing academic transcripts for verification

Accuracy standard: Institutions protected if reporting:

• Based on official enrollment records
• Reflects attendance as tracked by institution
• Updated when student status changes
• Follows normal academic record practices

Liability limitations:

• No liability for student coverage loss due to accurate enrollment reporting
• No liability if student stops attending but institution reports based on enrollment records
• No liability for reasonable delays in reporting status changes (within 30 days)
• Protected from FERPA violations when sharing enrollment data for Medicaid verification purposes

FERPA clarification: Medicaid verification is health oversight activity permitting education record disclosure without consent under FERPA exemption.

Exceptions (no safe harbor):

• Intentional false reporting to help students maintain coverage
• Accepting payment to report non-students as enrolled
• Systematic failure to track attendance
• Refusing to correct known errors

MCO Intermediary Protections

#

Protected activities:

• Aggregating verification from multiple sources on member’s behalf
• Facilitating exemption applications
• Coordinating provider documentation
• Providing navigation support

Good faith intermediary standard: MCOs protected when:

• Transmitting data provided by employers, providers, or members
• Relying on documentation from credentialed sources
• Following reasonable verification procedures
• Reporting information accurately as received

Liability limitations:

• Not liable for inaccurate employer-provided data if employer certified accuracy
• Not liable for provider attestations later determined incorrect if provider was licensed
• Not liable for member misrepresentations if MCO had no reason to know of falsity
• Not liable for coverage loss if accurate information submitted

Retained responsibilities:

• Must maintain data security (HIPAA compliance)
• Must submit data accurately as received (cannot alter)
• Must correct known errors promptly
• Must maintain audit trail of data sources

Recommended contractual language: “MCO serving as verification intermediary acts as conduit for member-authorized data transmission. MCO liability limited to ensuring accurate transmission of data as received from credentialed sources. MCO not responsible for verifying underlying accuracy of employer, provider, or educational institution submissions.”

Payroll Processor Protections

#

Protected activities:

• Submitting aggregated hours for multiple employers
• Transmitting payroll data to state system
• Providing verification infrastructure for client employers

Accuracy standard: Protected if:

• Submitting data as recorded in payroll systems
• Following employer instructions for data transmission
• Maintaining data security during transmission
• Correcting errors when identified

Liability limitations:

• Not liable for employer data quality
• Not liable for employee coverage loss due to accurate data transmission
• Not liable for employment relationship verification (processor verifies hours, not employment status)

Recommended agreement terms: Payroll processor liability capped at amount paid for verification services. Not liable for consequential damages (coverage loss, medical bills, etc.).

Credentialing and Oversight

#

Credentialing Requirements by Entity Type

#

Employers (all sizes):

• Registration: Online form, EIN, business address, designated submitter
• Verification: EIN cross-check with IRS database, active business confirmation
• Training: 15-minute online module on submission process and accuracy requirements
• Agreement: Terms of service acknowledging accuracy responsibilities and safe harbor protections
• Timeline: 3-5 business days for approval
• Annual recertification: Confirm information current

Healthcare Providers:

• Registration: NPI, medical license number, specialty, practice address
• Verification: License status check with state medical board, NPI validation
• Training: 30-minute module on functional assessment and exemption criteria
• Agreement: Attestation of professional judgment standard and HIPAA compliance
• Timeline: 5-7 business days for approval
• Continuing education: Annual update training on exemption criteria changes

Educational Institutions:

• Registration: Institution details, accreditation status, designated registrar contact
• Verification: Accreditation confirmation (regional or national accreditor)
• Agreement: Data sharing MOU, FERPA compliance acknowledgment, security requirements
• Technical integration: Connect student information system to state portal or provide file transfer
• Timeline: 2-4 weeks for full integration
• Annual audit: Data quality review

MCOs:

• Credentialing: Through managed care contract amendment
• Requirements: Care coordination infrastructure, navigator staffing, HIPAA compliance, security audit
• Performance metrics: Monitoring and quarterly reporting
• Payment: Capitation rate adjustment for verification support costs
• Oversight: Monthly data quality reviews

Volunteer Organizations:

• Registration: EIN/tax ID, organization type, service focus, contact information
• Verification: 501(c)(3) status confirmation for nonprofits, background on organization
• Training: 20-minute module on volunteer hour verification and documentation
• Agreement: Accuracy attestation, understanding of what qualifies as volunteer work
• Timeline: 5-10 business days
• Random audits: 10% of reported hours verified annually

Tribal Entities:

• Credentialing: Through government-to-government agreement
• Requirements: Respect for tribal sovereignty, culturally appropriate processes, secure data handling
• Flexibility: Tribal processes may differ from standard state processes while maintaining program integrity
• Oversight: Collaborative monitoring respecting tribal authority

Audit and Quality Assurance

#

Random audits by entity type:

• Employers: 5% of submitted hours audited annually
• Providers: 5% of exemption attestations reviewed
• Educational institutions: 2% of enrollment data verified
• Volunteer organizations: 10% of hours verified
• MCOs: 100% of data transmission accuracy reviewed monthly (sample-based)

Targeted audits when:

• Pattern of unusual submissions (all employees reported at exactly 80 hours)
• Complaints received about entity
• Data anomalies detected (employer reports hours for people not in their system)
• Random selection flags issues requiring follow-up

Audit process:

• Notification to entity of audit
• Request for supporting documentation
• Review by state audit team
• Findings letter with corrective action if needed
• Follow-up audit if serious issues found

Audit findings outcomes:

• Clean audit: No action, positive feedback
• Minor errors: Corrective action plan, additional training
• Systematic problems: Probationary status, enhanced monitoring
• Fraud: Credential suspension/revocation, referral to law enforcement

Credential Suspension and Revocation

#

Grounds for suspension:

• Failure to correct errors after notification
• Multiple audit findings of inaccurate data
• Data security breach
• Non-compliance with training requirements
• Change in entity status (business closure, license lapse)

Suspension process:

• Notice of intent to suspend with specific reasons
• 30 days to respond and correct issues
• State decision with right to appeal
• If suspended, cannot submit during suspension period

Grounds for revocation:

• Intentional false reporting
• Pattern of systematic fraud
• Failure to correct during suspension period
• Serious data security violation
• Criminal conduct related to verification

Revocation process:

• Notice of intent to revoke with detailed findings
• 60 days to respond
• Hearing if requested
• State decision with right to judicial review
• If revoked, permanent bar from credentialing (though can reapply after 2 years)

Federal Approval Requirements

#

CMS Review of Delegation Framework

#

State Plan Amendment requirements: States must document in SPA or 1115 waiver:

• Which functions will be delegated and to which entity types
• Credentialing requirements for each entity type
• Oversight and audit protocols
• Safe harbor and liability protections
• Individual due process rights
• State’s retained ultimate authority

CMS approval criteria:

• State maintains final determination authority
• Adequate oversight of delegated entities
• Due process protections for beneficiaries
• Data security and privacy safeguards
• Quality assurance mechanisms
• Ability to revoke delegation if problems arise

Common CMS concerns:

• Private entities making final eligibility determinations (not permissible)
• Inadequate oversight of delegated entities
• Insufficient beneficiary protections
• Unclear liability and appeal rights
• Conflicts of interest (MCOs both providing care and making coverage determinations)

Addressing CMS concerns:

• Emphasize delegation is data submission, not determination
• Document robust oversight plan
• Build in state review rights for all adverse actions
• Separate MCO care provision from administrative support
• Include sunset provisions allowing evaluation and adjustment

Timeline for Federal Approval

#

December 2025: Submit draft delegation framework to CMS for informal feedback

January 2026: Incorporate CMS feedback into formal SPA/waiver amendment

February 2026: Submit formal amendment to CMS

March-April 2026: CMS review and approval (90-day clock)

May 2026: Approval received (or conditional approval with modifications)

June-November 2026: Implement approved framework, begin credentialing

December 2026: Implementation with approved delegation framework operational

Conflict of Interest Management

#

MCO Conflicts

#

Potential conflict: MCO has financial incentive to deny verification support (saves admin costs) or inappropriately approve exemptions (keeps members enrolled and receiving capitation).

Mitigation strategies:

• Payment structure: Capitation adjustment based on actual verification support provided (incentivizes appropriate support)
• Performance metrics: Monitor exemption rates, coverage retention, appeals by MCO
• Independent audits: State audits MCO exemption facilitation practices
• Member choice: Members can work directly with state instead of through MCO
• Separated functions: Care coordinators who support verification separate from utilization management

Provider Conflicts

#

Potential conflict: Provider may inappropriately attest to exemptions to maintain patient relationship and avoid conflict.

Mitigation strategies:

• Professional standards: Clear guidance that attestations must reflect clinical judgment
• Audit focus: Monitor providers with unusually high exemption rates
• Malpractice protection: Safe harbor encourages honest attestations without fear of patient retaliation
• Anonymous reporting: Mechanism for reporting providers who pressure inappropriate attestations

Employer Conflicts

#

Potential conflict: Employer may misreport hours to help or harm employees.

Mitigation strategies:

• Audit randomly: Verify reported hours against payroll records
• Employee verification: Employees can dispute employer-reported hours
• Safe harbor limits: Protections only apply to good-faith reporting
• Whistleblower protection: Employees can report employer misreporting without retaliation

Individual Rights and Due Process

#

Right to Challenge Delegated Entity Actions

#

Employer-reported hours:

• Individual receives monthly statement of hours reported by employer
• 60 days to dispute if hours appear incorrect
• Dispute triggers state review of payroll records
• Coverage continues during dispute resolution
• State makes final determination

Provider exemption denial:

• Individual notified if provider declines to provide attestation
• Can seek attestation from different provider
• Can submit exemption application with available documentation
• State reviews and determines if exemption warranted without provider support
• Appeal rights if state denies

Educational institution non-enrollment:

• Individual receives notification of institution-reported status
• Can provide contrary evidence (enrollment confirmation, schedule, tuition receipt)
• State investigates discrepancy
• Coverage continues during investigation
• Correction made if institution error

MCO denial of navigation support:

• Individual can request state-provided navigator instead
• Can file complaint with state if MCO fails to provide promised support
• State investigates complaints and imposes corrective action on MCO if warranted

State Review Process

#

When individual challenges delegated entity data:

Step 1 - Initial review (10 business days):

• State contacts entity for documentation
• Reviews individual’s contrary evidence
• Makes preliminary determination

Step 2 - If discrepancy remains (additional 10 days):

• State may request additional documentation from both parties
• May conduct interview with individual
• May inspect entity records directly

Step 3 - Final determination (5 days after investigation complete):

• Written decision explaining findings
• Coverage determination based on preponderance of evidence
• Right to appeal state decision through normal Medicaid appeals

Coverage during review: Presumptive eligibility maintained throughout entire process.

Insurance and Bonding Requirements

#

When Required

#

Generally not required for:

• Employers (already have general business liability insurance)
• Healthcare providers (already have malpractice insurance)
• Educational institutions (already insured)

May be required for:

• New MCOs without established track record
• Small volunteer organizations handling sensitive data
• Payroll processors specifically for verification function
• Community-based organizations depending on volume

Recommended Coverage

#

When insurance required:

• Errors and omissions coverage: $1-5 million depending on volume
• Cyber liability: $1-2 million for data breach coverage
• General liability: $1 million minimum

Bonding:

• Generally not required unless entity handles funds (not typical for verification)
• May be required for community-based intermediaries handling member funds for other purposes

Model Agreements and Templates

#

Employer Credentialing Agreement

#

Key terms:

• Employer agrees to submit hours as recorded in standard business records
• Employer acknowledges safe harbor protections and limitations
• Employer agrees to correct errors when discovered
• Employer designates authorized submitters
• Employer maintains audit trail for 3 years
• State may audit submissions
• Either party may terminate with 30 days notice

Provider Attestation Agreement

#

Key terms:

• Provider agrees attestations reflect professional clinical judgment
• Provider acknowledges safe harbor for good-faith attestations
• Provider agrees to maintain documentation in medical records
• Provider submits attestations only for established patients
• State may audit and require supporting documentation
• Safe harbor protections apply absent fraud
• Provider may decline to attest without penalty

MCO Contract Amendment

#

Key provisions:

• MCO responsibilities for verification facilitation
• Performance metrics and reporting requirements
• Payment adjustment for verification support
• Liability limitations as intermediary
• Data security and privacy requirements
• State oversight and audit rights
• Member grievance and appeal processes

Conclusion: Delegation as System Enabler

#

Work requirements cannot function without delegation. States cannot directly verify work for millions of people. The framework must:

Enable participation through clear authority and reasonable liability protections.

Maintain accountability through credentialing, oversight, and audit.

Protect individuals through due process and state review rights.

Preserve state authority with delegated entities making submissions, not determinations.

Balance efficiency with integrity through risk-based audits rather than universal verification.

States have 8 months to build delegation frameworks, obtain federal approval, credential entities, and create oversight systems. The legal architecture determines whether third parties participate willingly or avoid involvement due to liability fears.

Previous in series: Article 7C, “Coordination and Timing Rules”