The Delegation Architecture
Legal frameworks enabling participation without creating liability traps
States cannot directly verify work or determine exemptions for 18.5 million people. Administrative capacity doesn’t exist to review employer payroll records, assess medical exemptions, verify educational enrollment, or confirm volunteer hours for millions of individuals monthly. Success requires delegating submission authority to employers, healthcare providers, educational institutions, managed care organizations, and community partners who interact with expansion adults through normal business and service relationships.
But delegation creates legal uncertainty that discourages participation. Employers fear liability for coverage loss if they report hours incorrectly. Providers worry about malpractice exposure from exemption determinations. Educational institutions question whether federal privacy laws permit sharing enrollment data. Managed care organizations seek clarity about whether coordination assistance creates responsibility for coverage outcomes. Community organizations resist facilitating applications if doing so creates legal obligations they lack capacity to fulfill.
The regulatory architecture determining what authority states can delegate, what liability protections incentivize participation, and what oversight mechanisms maintain accountability shapes whether third parties participate willingly or avoid involvement due to legal risks. States have eight months to build delegation frameworks that enable distributed verification and exemption systems without creating liability exposures that prevent participation.
Constitutional Boundaries of Delegation
Federal Medicaid law and constitutional due process requirements constrain what functions states can delegate to private entities. The boundaries between permissible delegation and impermissible abdication of state responsibility determine what infrastructure states can build.
Data collection and submission fall clearly within delegable functions. States can authorize employers to submit work hours, providers to submit exemption attestations, educational institutions to report enrollment, and volunteer organizations to verify service hours. These entities serve as information sources rather than decision-makers. Constitutional concerns about private delegation don’t arise when private parties simply provide data rather than making coverage determinations.
Initial screening and assessment occupy middle ground. States can delegate intake functions where entities gather information, assess situations preliminarily, and recommend outcomes to states for final determination. Managed care organizations can screen members for likely exemption eligibility and facilitate applications. Community organizations can assess circumstances and advise people about qualification. Healthcare providers can evaluate functional capacity and recommend medical exemptions. These delegations remain permissible because ultimate determination authority stays with states.
Final eligibility determination cannot be delegated. States must retain authority to approve or deny exemptions, determine compliance status, and make coverage decisions. Private entity recommendations inform state decisions but cannot substitute for state determination. This constitutional minimum requires that automated approvals based on employer or provider submissions actually reflect state system determinations even if no human reviews occur. The legal structure matters even when practical effect is automatic approval.
Appeals decisions similarly must remain state functions. Private entities can facilitate appeals, provide documentation, and advocate for individuals, but cannot render binding determinations overriding state decisions. This limitation creates procedural protections ensuring government accountability for decisions affecting coverage. Independent medical review of exemption denials must still operate under state authority even if reviewers are external medical professionals rather than state employees.
The recommended delegation framework gives private entities authority to submit data, conduct initial assessments, and make recommendations while states retain final determination authority through streamlined approval processes. For straightforward cases meeting clear criteria, state approval occurs automatically without human review. For ambiguous cases, human review applies state standards to private entity submissions. This creates automation benefits while maintaining constitutional responsibility.
The Safe Harbor Imperative
Private entities resist participation in government programs creating liability exposure. The legal architecture must provide safe harbor protections clarifying what activities are protected and what standards apply to liability determinations.
Employer safe harbor particularly matters since employer verification provides the backbone of work verification systems. Employers submitting hours worked as recorded in payroll systems, reporting employment dates and status changes, providing verification letters, and responding to state or MCO verification requests need protection from lawsuits by employees who lose coverage based on accurate work hour reporting.
The good faith standard protects employers reporting hours as recorded in timekeeping systems, maintaining reasonable hour tracking procedures, making good faith efforts to verify employee identity, and correcting errors when discovered. This standard acknowledges that payroll systems aren’t perfect and hour tracking involves legitimate complexity. Protected employers can’t face liability for good faith errors in hour calculation if they correct mistakes when found, delays in reporting from payroll cycle timing, or employee coverage loss resulting from accurate hour reporting.
Exceptions to safe harbor prevent abuse. Intentional false reporting loses protection. Employers retaliating against employees by submitting zero hours as punishment face liability. Systematic failure to maintain basic timekeeping removes safe harbor benefits. Refusing to correct known errors eliminates protection. These exceptions prevent safe harbor from becoming immunity while maintaining protection for good faith participants.
Provider safe harbor creates similar protections for medical exemption attestations. Healthcare providers assessing whether patients can work 80 hours monthly, completing functional capacity evaluations, recommending exemption durations, and documenting medical conditions need protection from malpractice claims alleging erroneous exemption determinations. The clinical standard is reasonable medical judgment based on available information and clinical assessment at the time of determination. Protected providers can’t face liability for coverage continuation based on exemption recommendations even if conditions improve sooner than anticipated, coverage loss when exemptions end if the assessment was reasonable when made, or coverage outcomes from good faith functional capacity evaluations that are later disputed.
Educational institution safe harbor protects enrollment and attendance reporting. Institutions submitting full-time versus part-time status, credit hour counts, program completion dates, and attendance records based on institutional records and reasonable verification procedures receive protection. They can’t face liability for student coverage loss based on accurate enrollment reporting, good faith determination of full-time status using standard institutional criteria, or reporting enrollment status changes when they occur.
Managed care organization safe harbor covers verification coordination and navigation services. MCOs aggregating employer and provider verification, facilitating exemption applications, providing navigation support, and coordinating documentation assistance need protection from being deemed responsible for coverage outcomes. They can’t face liability for members losing coverage despite MCO assistance, verification submissions that turn out to be inaccurate if MCO exercised reasonable care, or exemption application denials despite MCO facilitation.
Community organization safe harbor protects facilitation and navigation roles. Organizations helping people complete applications, explaining requirements, connecting people to resources, and advocating for members served need clarity that assistance doesn’t create responsibility for outcomes. They can’t face liability for coverage loss by people they assisted, application denials despite facilitation, or outcomes from referrals to services that people don’t complete.
The Credentialing Framework
Safe harbor protection requires credentialing establishing that entities meet minimum standards for participation. Credentialing creates accountability while enabling delegation by verifying organizational capacity, training participants, and establishing data security compliance.
Employer credentialing requires registration with state Medicaid agencies, providing EIN and business verification, designating authorized submitters, and accepting terms including data security and accuracy requirements. States verify EIN against IRS business databases confirming legitimacy and require brief online training covering submission processes and audit procedures. This minimal credentialing balances access with accountability. Large employers credential directly. Small employers may credential through payroll processors or industry associations serving as bulk submitters. The timeframe is three to five business days for individual registration, with bulk registration available for entities handling multiple employers.
Healthcare provider credentialing leverages existing medical licensing. Providers with active state medical licenses and NPI numbers receive automatic qualification to submit exemption attestations. Additional training covers exemption categories, functional assessment standards, and documentation requirements. This minimal burden beyond existing licensing recognizes that medical judgment is the core qualification. States can credential all licensed physicians, nurses, social workers, and psychologists, or limit to specific specialties based on exemption categories. The question is whether states trust medical licensing boards or create additional state-specific requirements.
Educational institution credentialing requires accreditation verification confirming legitimate educational status, institutional agreements accepting submission requirements, and data security compliance. States can limit to institutions with Department of Education recognition or include non-accredited training programs based on whether states want broad qualifying activity inclusion or narrower educational focus. Credentialing establishes what programs count toward requirements and which institutions can verify enrollment.
Managed care organization credentialing flows from existing Medicaid managed care contracts. States can add verification and navigation requirements to MCO contracts as new functions with corresponding capitation rate adjustments. This minimizes separate credentialing by folding work requirement administration into existing managed care relationships. Contract amendments cover verification coordination expectations, exemption facilitation standards, navigation service specifications, and reporting requirements.
Community organization credentialing creates the hardest balance. States want community organization participation for cultural competency, trusted relationships, and local knowledge. But community organizations vary enormously in capacity, sophistication, and infrastructure. Minimal credentialing includes organization registration, designated navigator training, and data security compliance acknowledgment. This maintains access while establishing basic accountability. More stringent credentialing requiring organizational capacity assessments, financial audits, or insurance coverage may exclude smaller grassroots organizations despite their community trust advantages.
The tension is between accountability and access. Stringent credentialing prevents participation by marginal entities potentially creating problems. Minimal credentialing enables broad participation but creates oversight challenges. States must decide whether to err toward inclusion accepting some bad actors or toward restriction accepting reduced access. This philosophical choice shapes participation patterns and coverage outcomes.
Liability Allocation for Errors
Even with safe harbor protections, errors occur creating coverage consequences. The legal framework must allocate responsibility determining who bears costs when mistakes happen.
State system errors should not create individual consequences. When state eligibility systems fail to record employer submissions, portals crash during reporting periods, or data interfaces lose transmission, coverage loss shouldn’t result. States bear cost of maintaining coverage during error correction periods and responsibility for error resolution. This is administratively complex requiring tracking system failures and individual impacts, but prevents penalizing people for infrastructure problems.
Employer submission errors require good faith assessment. An employer transposing digits in Social Security numbers submits data that doesn’t match member records. A payroll system reports biweekly hours as monthly creating apparent shortfalls. An employer submits for wrong month due to payroll cycle confusion. These errors are correctable without bad faith implications. States should allow retroactive correction within reasonable timeframes, maintaining coverage during correction. Intentional errors or systematic failures lose this protection creating employer liability exposure.
Provider exemption errors depend on reasonable medical judgment standards. A provider determines someone can’t work based on condition assessment, but improvement occurs sooner than expected. This isn’t provider error but estimation uncertainty. A provider fails to document examination justifying exemption determination. This is documentation error subject to audit but not necessarily malpractice. A provider routinely approves exemptions without legitimate assessments. This is bad faith participation losing safe harbor protection. The standard is reasonableness at time of determination rather than outcome accuracy.
Individual errors in self-reporting create the hardest allocation questions. Someone reports hours worked but employer record shows fewer hours. Someone claims exemption based on condition that provider doesn’t confirm. Someone misunderstands requirements and submits verification late. States can treat these as coverage loss triggers requiring individuals to bear consequences of their mistakes, or as opportunities for correction and education. The choice reveals whether states view work requirements as bright-line compliance tests or as employment promotion accepting learning curves.
The Audit and Oversight Framework
Delegation without oversight creates accountability gaps. But excessive oversight discourages participation by creating audit burdens. The audit framework must balance fraud prevention with participation incentives.
Random audit rates determine oversight intensity. Five percent annual audit of employer submissions, provider attestations, and exemption approvals creates baseline verification without overwhelming audited entities. Higher rates up to 25% apply to higher-risk situations like self-employment verification or gig economy hours. Lower rates under 3% apply to automated data sources with high reliability like Social Security disability status or unemployment insurance receipt. The variation reflects risk-based approach concentrating oversight where fraud potential is highest.
Audit triggers beyond random selection include complaints from members alleging inaccurate reporting, patterns suggesting systematic errors across multiple submissions from one entity, or statistical anomalies in submission data suggesting gaming. These targeted audits address specific concerns without requiring universal scrutiny. The question is whether states primarily audit for continuous improvement identifying system problems or for enforcement identifying bad actors for sanctions. Improvement-focused audit treats errors as learning opportunities. Enforcement-focused audit treats errors as compliance failures warranting penalties.
Audit findings create different consequences for good faith participants versus bad actors. Credentialed entities making good faith errors receive education and correction opportunities. Patterns of careless errors may trigger increased audit rates or additional training requirements. Bad faith participation creates credential revocation, exclusion from program participation, and potential legal liability. The standard distinguishes between competence issues addressable through support and fraud issues requiring enforcement.
Recovery from improper payments follows standard Medicaid procedures. States can recover payments made based on erroneous information but must provide due process including notice, explanation, evidence review, and appeals rights. Recovery typically pursues states for coverage during improper exemptions rather than pursuing individuals or providers. This allocation recognizes that improper exemptions often reflect system complexity rather than intentional fraud and that individual recovery is administratively expensive with low yield.
Special Populations Creating Delegation Complexity
Some populations require specialized delegation approaches respecting cultural contexts, sovereignty issues, or privacy protections.
Tribal entity delegation involves government-to-government relationships respecting tribal sovereignty. Tribal governments can serve as verification intermediaries for enrolled members, but delegation agreements must acknowledge sovereignty rather than treating tribes as vendors. Data sharing agreements respect tribal data governance. Credentialing processes acknowledge tribal government authority. Oversight respects tribal self-governance while maintaining federal Medicaid requirements. This complexity requires negotiating dozens of individual agreements with federally recognized tribes rather than imposing universal requirements.
Domestic violence service provider participation enables exemption facilitation without requiring victims to provide detailed abuse documentation to state eligibility workers. Providers can attest to domestic violence situations triggering exemptions without disclosing specifics. But this creates verification challenges since states cannot independently confirm situations based on provider attestation alone. Safe harbor protection becomes essential to prevent providers from facing liability for erroneous attestations. The balance is between protecting victim privacy and preventing fraudulent exemption claims.
Substance use disorder treatment provider involvement triggers federal confidentiality requirements under 42 CFR Part 2 restricting treatment information disclosure. Providers can verify treatment participation qualifying for exemptions without disclosing specific diagnoses or treatment details. But coordination across systems becomes complex when information sharing is restricted. States must build technical infrastructure supporting limited disclosure while providers navigate disclosure requirements.
Immigration status complications affect mixed-status families where verification creates fears about immigration consequences. Community organizations serving immigrant populations can facilitate verification and exemption applications without requiring immigration status disclosure. But this intermediary role creates questions about information verification and fraud prevention. Safe harbor protections become critical to enable participation despite verification limitations.
The delegation architecture ultimately determines whether work requirements function through distributed systems reducing individual burden or collapse from liability fears preventing participation. States have eight months to build legal frameworks enabling third-party verification and exemption assistance while protecting entities from unreasonable liability exposure. The regulatory choices made during this period shape participation patterns and coverage outcomes as much as verification technology or exemption categories. Delegation that works requires legal infrastructure as much as technical infrastructure.
Previous in series: Article 7C, “The Coordination Architecture”