Care Management Regulatory Compliance in the US
Care management in the United States operates within a layered regulatory environment spanning federal statutes, state licensing requirements, payer contractual obligations, and accreditation standards. This page documents the primary regulatory frameworks that govern care management programs, the structural mechanics of compliance, and the classification boundaries that determine which rules apply to which program types. Understanding this landscape is essential for program administrators, credentialing officers, and policy analysts who need a factual reference on applicable law and standards — not legal interpretation.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Care management regulatory compliance refers to the set of legal, contractual, and accreditation obligations that care management programs must satisfy to operate lawfully and receive reimbursement in the US healthcare system. The scope is broad: it encompasses federal statutes such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA, 45 CFR Parts 160 and 164), the Social Security Act provisions governing Medicare and Medicaid, the Affordable Care Act of 2010, and state-level managed care regulations that vary across all 50 jurisdictions.
Compliance obligations differ substantially based on program type. A hospital-based transitional care management program billing Medicare under CPT codes 99495 and 99496 faces requirements distinct from those applicable to a Medicaid managed care organization operating a disease management program. Chronic disease care management programs in value-based contracts carry additional quality-reporting obligations under the Centers for Medicare & Medicaid Services (CMS) quality payment frameworks.
The term "care management" has no single statutory definition at the federal level. CMS uses it operationally through billing code descriptors, conditions of participation, and managed care contract requirements — but states and accreditors apply their own definitional frameworks, creating classification complexity that directly affects compliance scope.
Core mechanics or structure
Federal regulatory layer
The primary federal regulatory instruments governing care management compliance are:
HIPAA Privacy and Security Rules — Administered by the HHS Office for Civil Rights (OCR), these rules set minimum standards for protected health information (PHI) handling. Care managers who access, transmit, or store PHI — which virtually all do — must operate within compliant administrative, physical, and technical safeguard frameworks. Civil monetary penalties under HIPAA reach a maximum of $1,919,173 per violation category per calendar year (HHS OCR, adjusted 2023 penalty tiers).
CMS Conditions of Participation (CoPs) — Hospitals and critical access hospitals enrolled in Medicare and Medicaid must meet CoPs codified at 42 CFR Part 482. Discharge planning and care coordination requirements within CoPs were significantly updated by the final rule published at 84 Fed. Reg. 51836 (2019), mandating patient-centered discharge planning processes that intersect directly with care management workflows.
Medicare Chronic Care Management (CCM) Program — CMS established the CCM billing framework, payable under CPT 99490 and related codes, requiring at least 20 minutes per month of qualifying care management services for beneficiaries with 2 or more chronic conditions. Compliance requires documented care plans, 24/7 access assurance, and care team coordination — as detailed in CMS Medicare Learning Network publications.
Medicaid managed care regulations — 42 CFR Part 438 governs managed care organizations (MCOs) contracting with state Medicaid programs. Care management programs within MCOs must comply with care coordination requirements, grievance and appeal standards, and network adequacy rules. The 2024 Medicaid managed care final rule published by CMS at 89 Fed. Reg. 20970 introduced updated access standards affecting care management delivery.
State regulatory layer
State health departments and insurance commissioners regulate care management through managed care organization licensure, utilization review laws (often modeled on the NAIC Utilization Review Model Act), and case management practice acts where enacted. As of 2024, no uniform national licensure framework for care managers exists; state requirements for the case management certifications that underpin professional eligibility vary accordingly.
Accreditation standards
Accrediting bodies including NCQA, URAC, and The Joint Commission publish standards that function as de facto compliance baselines. NCQA's Health Plan Accreditation includes case management program standards; URAC's Case Management Accreditation program specifies structural and process requirements for care management operations. CMS has recognized NCQA and URAC accreditation as meeting certain Medicaid managed care regulatory requirements through deemed status mechanisms.
Causal relationships or drivers
Four primary forces drive the current regulatory density around care management:
Cost containment pressure — CMS data consistently show that the top 5% of Medicare beneficiaries by expenditure account for approximately 40% of total program spending (CMS Office of Enterprise Data and Analytics). This concentration created regulatory pressure to formalize care management as a reimbursable intervention, which in turn required definitions and compliance frameworks.
Fraud and abuse risk — The broad latitude inherent in care management services — non-face-to-face interactions, self-reported time tracking, subjective care planning — creates vulnerability to false claims. This has driven CMS to issue increasingly specific documentation and time-tracking requirements for CCM, PCM (Principal Care Management), and behavioral health integration codes.
Quality measurement mandates — The ACA's establishment of the Hospital Readmissions Reduction Program (HRRP) under Section 3025 of the statute (42 USC § 1395ww(q)) tied financial penalties directly to 30-day readmission rates, making care management program outcomes a direct cost driver. This created regulatory feedback loops where outcome metrics generate compliance obligations in payer contracts.
HIPAA enforcement escalation — HHS OCR resolved 45 investigations and collected $135.6 million in settlements and civil monetary penalties in fiscal year 2023 (HHS OCR Annual Report to Congress), increasing compliance investment across care management programs that handle PHI at scale.
Classification boundaries
Regulatory obligations depend on precise program classification. The four primary classification axes are:
Payer type — Medicare, Medicaid, commercial insurance, and self-funded ERISA plans each activate different regulatory regimes. Self-funded ERISA plans are largely exempt from state insurance regulation under ERISA preemption (29 USC § 1144), meaning state utilization review laws and care management mandates may not apply.
Provider vs. plan function — Care management delivered by a licensed provider entity (hospital, physician group) is regulated under provider-facing rules (CoPs, billing compliance, state licensure). Care management delivered by an insurance plan or MCO is regulated under plan-facing rules (42 CFR Part 438 for Medicaid, state plan regulations for commercial).
Service type — Utilization management functions such as prior authorization are governed by utilization review statutes, while clinical care management (care planning, coaching, coordination) falls under different documentation and professional practice requirements.
Population — Pediatric care management programs serving CHIP beneficiaries, and geriatric care management programs serving dual-eligible populations, activate overlapping Medicare and Medicaid compliance obligations simultaneously.
Tradeoffs and tensions
Standardization vs. local flexibility — Federal minimum standards set floors, but state Medicaid managed care contracts routinely impose higher specificity requirements. Programs operating across multiple states face compliance architectures that cannot be fully standardized, increasing administrative overhead by design.
Documentation burden vs. care continuity — CMS's documentation requirements for CCM and TCM billing are detailed enough that compliance time competes with direct beneficiary interaction time. The 20-minute monthly minimum for CCM creates a threshold that incentivizes time tracking over relationship continuity.
HIPAA minimum necessary vs. care coordination — HIPAA's minimum necessary standard (45 CFR § 164.502(b)) requires limiting PHI disclosure to what is needed for the stated purpose. In care coordination contexts — particularly interdisciplinary care teams — determining what constitutes "minimum necessary" for effective care management is operationally contested.
Accreditation costs vs. market access — NCQA and URAC accreditation confer market credibility and in some cases deemed status advantages, but accreditation fees and preparation costs can exceed $50,000 for mid-size programs, creating a compliance barrier that disproportionately affects smaller care management organizations.
Common misconceptions
Misconception: HIPAA applies only to hospitals and health plans.
Correction: HIPAA applies to covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit PHI electronically) and their business associates. Care management vendors and technology platforms accessing PHI on behalf of covered entities are subject to HIPAA as business associates under 45 CFR § 160.103, regardless of organizational type.
Misconception: Achieving CCM billing compliance automatically satisfies accreditation requirements.
Correction: CMS billing compliance for CCM codes establishes reimbursement eligibility only. NCQA and URAC accreditation standards impose separate structural requirements — staff credentialing, program governance, quality improvement processes — that billing compliance does not address.
Misconception: State care management regulations are superseded by federal HIPAA.
Correction: HIPAA establishes a federal floor; states may impose stricter privacy protections that coexist with HIPAA under the more-stringent standard rule (45 CFR § 160.203). Programs must analyze both frameworks independently.
Misconception: Care management and case management are regulated identically.
Correction: "Case management" has a distinct professional practice regulatory history, including licensure overlaps with social work and nursing boards. "Care management" as used in CMS billing contexts is defined by service characteristics, not professional credentials per se — though credentialing requirements in specific contracts may narrow this distinction. The distinction between care coordination and care management likewise carries real regulatory weight.
Checklist or steps (non-advisory)
The following represents a structural reference of compliance domains that care management programs typically must address. This is a documentation framework, not professional legal advice.
Phase 1 — Entity and program classification
- Identify payer type(s): Medicare, Medicaid, commercial, ERISA self-funded, or mixed
- Determine whether the program is operating as a provider entity or a plan/MCO entity
- Classify service types: clinical care management, utilization management, or both
- Map population served: pediatric, geriatric, dual-eligible, or general adult
Phase 2 — Federal regulatory mapping
- Confirm HIPAA covered entity or business associate status under 45 CFR § 160.103
- Identify applicable CMS billing codes and their documentation requirements (CCM, TCM, PCM, BHI)
- Review CMS Conditions of Participation applicability (42 CFR Part 482 for hospitals)
- Assess applicability of 42 CFR Part 438 for Medicaid MCO functions
Phase 3 — State regulatory analysis
- Identify state utilization review law requirements in each operating state
- Confirm state-level managed care licensure status if applicable
- Review whether state professional practice acts impose supervision or credentialing requirements on care manager roles and responsibilities
Phase 4 — Accreditation alignment
- Determine whether NCQA, URAC, or Joint Commission accreditation is required by payer contracts
- Map accreditation standards to existing program documentation and governance structures
- Identify gaps between current operations and accreditation requirements
Phase 5 — Ongoing compliance operations
- Establish HIPAA-compliant PHI handling procedures and business associate agreement inventory
- Implement documentation and time-tracking systems for CMS billing code compliance
- Schedule annual review against CMS rule updates and state regulatory changes
- Maintain audit trail for care plans, patient consent, and inter-team communications per HIPAA and care management privacy requirements
Reference table or matrix
| Regulatory Framework | Governing Body | Primary Citation | Program Types Affected | Enforcement Mechanism |
|---|---|---|---|---|
| HIPAA Privacy Rule | HHS Office for Civil Rights | 45 CFR Part 164, Subpart E | All programs handling PHI | Civil monetary penalties; corrective action plans |
| HIPAA Security Rule | HHS Office for Civil Rights | 45 CFR Part 164, Subpart C | All programs with electronic PHI | Civil monetary penalties; criminal referral |
| Medicare CCM/TCM Billing | CMS | CPT 99490, 99495, 99496; CMS MLN Matters | Medicare-participating providers | Claim denial; RAC audits; False Claims Act exposure |
| CMS Conditions of Participation | CMS | 42 CFR Part 482 | Hospitals and CAHs in Medicare/Medicaid | Survey and certification; payment termination |
| Medicaid Managed Care | CMS / State Medicaid Agencies | 42 CFR Part 438 | Medicaid MCOs | Contract termination; CMS corrective action |
| ERISA Preemption | DOL / Federal courts | 29 USC § 1144 | Self-funded employer health plans | Federal court enforcement; state law preempted |
| NCQA Accreditation | NCQA | Health Plan Accreditation Standards | Health plans, MCOs | Accreditation denial/suspension; payer contract loss |
| URAC Case Management Accreditation | URAC | URAC Case Management Standards v8+ | Care management organizations | Accreditation status; vendor contract eligibility |
| Hospital Readmissions Reduction Program | CMS | 42 USC § 1395ww(q); ACA § 3025 | Hospitals with Medicare admissions | Payment reduction (up to 3% of base DRG payments) |
| State Utilization Review Laws | State insurance/health departments | NAIC Utilization Review Model Act (basis) | UM programs in insured plans | State license revocation; administrative penalties |
References
- HHS Office for Civil Rights — HIPAA Enforcement
- Electronic Code of Federal Regulations — 45 CFR Part 164 (HIPAA)
- Electronic Code of Federal Regulations — 42 CFR Part 482 (Conditions of Participation)
- Electronic Code of Federal Regulations — 42 CFR Part 438 (Medicaid Managed Care)
- CMS Medicare Learning Network — Chronic Care Management
- [CMS Hospital Readmissions Reduction Program](https://www.cms.gov/Medicare/Medicare-Fee-for-Service-Payment/AcuteInpatientPPS/Readmissions-