Take 2: Revised Audit Protocols for Medicare Plans

ABSTRACT

Background: The audit protocols and process updates released in February 2015 contained significant revisions that resulted in difficulties for plans to prepare for an audit. Because of feedback received and experiences from audits, CMS revised and republished the audit protocols in October of the same year.

Objectives: To outline the key revisions of the 2015/2016 Medicare program audit protocols and process updates and the potential resultant impacts on Medicare Part C and D plans. In addition, to describe the challenges Medicare plans may face as a result of the changes.

Description: Medicare Part C and D plans will need to review and react accordingly to the revisions contained within the audit protocols, particularly the modifications to the record layouts, updates to the Impact Analysis templates, impact of the new Invalid Data Submission condition, and changes to the Compliance Program Effectiveness protocols. With CMS’ data-driven approach to audits and increased scrutiny on data accuracy, plans must invest the time and resources required to prepare for an audit, including robust quality assurance testing. All too often, audit failures result in mandatory corrective actions and enforcement actions, including civil monetary penalties levied by CMS.

Conclusions: As the Medicare audit process and protocols evolve, plans must be flexible and react to the changes. Failure to adapt will result in consequences far greater than audit failure alone.

Am J Pharm Benefits. 2015;7(6):264-267

PRACTICAL IMPLICATIONS

In October 2015, CMS issued revised audit protocols to be used for the rest of 2015 and all of 2016. The key revisions include additional instruction and clarifications related to the universe record layouts, introduction of a new audit condition for the inaccurate or untimely submission of universes, updated impact analysis templates, and modifications to the Compliance Program Effectiveness (CPE) audit process. Overall these revisions should help plans prepare for an audit, but will likely result in additional efforts such as reprogramming universe queries, increasing quality assurance testing to avoid the new Invalid Data Submission audit condition, and devising methods to pull all required data for the new fields in the CPE universes. Faced with the possibility of receiving corrective actions, civil monetary penalties, and other compliance actions by CMS for noncompliance issues identified in a performance audit, plans should start audit preparations immediately.

CMS conducts program audits to evaluate the performance of the Medicare-contracting plans that provide health care services and prescription drug benefits to Medicare eligible beneficiaries. These program audits are designed to provide CMS with “…reasonable assurance that sponsors deliver benefits in accordance with the terms of their contract and plan benefit package.”¹

Each year, CMS publishes the audit protocols that will be utilized for performance audits in the current calendar year. In February of this year, CMS released the 2015 protocols that contained significant revisions compared with previous years. The changes demonstrated CMS’ movement towards a more data-driven approach to performance audits, increased expectations for the timely and accurate submission of plan universes, and amplified consequences for failing to meet the new universe demands. Some of the key changes called for²:

• a restructured format and composition of the audit universes;
• establishment of a required record layout for each universe;
• institution of a “3-strikes” policy for the submission of accurate and timely universes;
• redesign of the Compliance Program Effectiveness (CPE) protocol; and
• required submission of Pre-Audit Issue Summaries and the associated Beneficiary Impact Analysis (BIA).

These key changes often posed numerous challenges throughout the 2015 performance audits of Medicare Advantage/prescription drug plans (MAPDs) and prescription drug plans (PDPs), as well as the pharmacy benefit management (PBM) companies that are used by these plans. Based on industry feedback and CMS audit experience throughout the audits performed in 2015, CMS updated and republished the revised 2015/2016 protocols on October 20. These revisions are in effect for the remainder of 2015 and will remain as the protocols for audits in 2016, with no additional modifications anticipated by CMS.³

Key Revisions and Potential Impacts

Not surprisingly, the majority of the revisions in the October protocols focus on modifying or clarifying the changes introduced in February. These modifications affect both audit scope and process, with the most notable changes related to the following 4 areas of the protocols³:

1. Record layout modifications. In early 2015, CMS introduced all new record layouts for plans to follow when constructing the requested universes. The record layouts contained detailed information (ie, field name, type, length, and description) for each data element required for population within each universe. Due to issues such as field descriptions lacking sufficient detail for population, data elements that appeared to be irrelevant to the universe type, and the duplication of data elements within the universe, plans were often left puzzled about how to create universes based on the new record layouts.²

Among the most welcomed changes to the revised protocols are the modifications to the record layouts. These modifications provide greater clarity along with additional instructions to plans for producing the required universes. Focusing less on format, “CMS added changes to streamline and clarify the content including: rearranging variables, adding or renaming variables, removing superfluous fields and revising field descriptions to include more detail, [along with] examples of what was being requested and/or additional entry options (eg, N/A).”³ Although most record layouts have modifications, the audit areas of Part C organization determinations, appeals, and grievances (ODAG) and Part D coverage determinations, appeals, and grievances (CDAG) contain a significant amount of changes and clarifications.^4,5

Additionally, modifications to the Compliance Program Effectiveness (CPE) record layouts have added more complexity than the previous versions. Four of the 5 universes (ie, First Tier Entity Auditing and Monitoring [FTEAM], Internal Auditing [IA], Internal Monitoring [IM], and Fraud Waste and Abuse Monitoring [FWAM]) have new fields that require information typically stored in multiple fields within a plan’s systems to be consolidated into a single field. For example, the new Corrective Action Description field requires information on the description of the corrective actions, root cause analysis, time frames, and ramifications for failing to implement correctly.⁶ This requires plans to either concatenate all of the fields, which poses problems with meeting the 1000-character limit and making the data unreadable, or manually writing a narrative for that field in the universe. For larger plans, this could result in manually writing narratives for well over 100 items, as this affects the FTEAM, IA, IM, and FWAM universes.

As in previous years, the revisions to the record layouts will require plans to re-program queries used to populate universes and perform comprehensive quality assurance testing. Despite the additional investment of time and resources required to perform these functions, the clarifications and revisions to the record layouts should provide plans with the level of detail needed to assemble the required universes.

2. Invalid Data Submission classification. CMS utilizes a straightforward audit scoring methodology that assigns a point value to each audit condition. An overall audit score for each program area is calculated by dividing the sum of the points from the conditions identified during the audit by the number of elements tested.⁷

The February protocols introduced a new “3-strikes” policy for the submission of timely and accurate universes. Plans were given a maximum of 3 attempts to provide the universes, with the third failure resulting in an “Immediate Corrective Action Required” (ICAR) finding—worth 2 audit points—for every condition that could not be tested.² With so many universes required for submission, underlying system issues could quickly result in a significant accumulation of ICARs and resultant audit points.

The revised protocols maintain the 3-strike policy, but introduce a new “Invalid Data Submission” (IDS) condition, which is worth 1 audit point. Now, instead of an ICAR after 3 failed attempts, an IDS will be cited relative to each element that cannot be tested, grouped by the type of case. An IDS will also be cited if an accurate universe cannot be produced in fewer than 3 attempts due to missing or unavailable data. If a universe is determined to be completely unusable, CMS will cite an applicable condition for the affected element that cannot be tested and may refer the plan for possible enforcement action.³

Plans should not minimize the impact of an IDS condition. The submission of accurate and timely universes remains a critical component of the performance audit. Despite the reduction of audit points assigned to an IDS condition, plans are still at high risk for the rapid accumulation of audit points from untimely or inaccurate universes due to the sheer number of universes and the associated data elements requested.

3. Beneficiary Impact Analysis adjustments. In early 2015, plans were required to submit a Pre-Audit Issue Summary of previously disclosed and self-identified issues of noncompliance to CMS within 5 business days of receiving the audit start notice. In addition, a BIA was required to be submitted with each issue using the templates provided in the protocols by CMS.²

The revised protocols change the name from “Beneficiary Impact Analysis” to “Impact Analysis” (IA), and include revised IA templates. Most notably, IAs are no longer required to be submitted with the Pre-Audit Issue Summary, but “… must be submitted as requested by CMS for every issue discovered during the audit that has potential beneficiary impact and may be cited as a condition of noncompliance.”³

Limiting the IAs to issues found during the audit is a partial sigh of relief for plans; however, plans must still be prepared to produce an IA on short notice during an audit. Therefore, plans should build the queries necessary to generate an IA and conduct adequate quality assurance testing well in advance of an audit.

4. Compliance Program Effectiveness procedural updates. In early 2015, CMS redesigned the protocol used to test the 7 elements of an effective compliance department. Instead of conducting a content review of over 30 documents, CMS used 5 tracer samples to follow the flow of an issue as it moved through the elements of its compliance program.² Plans audited in the first half of 2014 did not receive guidance on how to create a tracer sample in advance of the audit; thus they often scrambled in the time leading up to an audit to produce a comprehensive tracer sample. The tracer sample template was released to the industry and explained in more detail at the CMS Spring Conference, allowing the plans audited in the second half of the year to more fully prepare.⁸

For 2016, CMS will review 6 tracer samples, all of which will occur in the second week of the audit.³ Unlike previous versions, a tracer template is now provided with the revised protocols, allowing plans to understand the elements required to be included within each tracer sample.⁹ In addition to the changes to the tracer process, the compliance interview process modification includes a reduction in employee interviews and adds an interview with an individual responsible for managing the oversight of the plans “first-tier, downstream and related entities.”³

Compiling a complete tracer sample can be an arduous process for plans. The template provided contains instructions for plans to build a tracer that tells the full story of the compliance activity related to its issues; subsequently, the construction of a tracer takes time, as each sample must include, at a minimum, statements or rationales, as well as supporting evidence.⁹ Although there is no limit to the number of slides within a tracer, often the supporting documentation results in tracer samples with over 100 slides. Because of the complexities in creating a comprehensive tracer sample, plans should practice building these samples on a routine basis.

Summary

Although the revised protocols do not reduce the burden of work for Medicare Part C and D plans, they can be viewed overall as a positive step in helping plans prepare for an audit. The revised protocols demonstrate CMS’s shift toward greater transparency, and their willingness to work with plans and the industry to improve the overall audit process and experience.¹

CMS may impose enforcement actions (ie, civil money penalties, intermediate sanctions, and for-cause terminations) on plans as a result of various contract violations, including issues of non-compliance identified during a performance audit.¹⁰ In 2014, 70% of the sponsors audited received enforcement actions, including 16 civil money penalties totaling over $3.7 million, as a direct result of violations identified by CMS during the audit.¹

With CMS’s continued scrutiny of data accuracy, plans should invest in the time and resources needed to improve quality assurance. Mock audits—both internal and external—can provide plans with an assessment of their audit readiness, the quality of their universe pulls, and valuable feedback on plan performance in the different areas of a program audit.¹¹ Since these revised protocols will be used for 2016 audits, plans should start their audit preparations now, instead of waiting to receive an audit notice. Those who choose to wait will find out it is too late.

Author Affiliation: Visante Inc, Avon, OH.

Funding Source: None.

Author Disclosures: Dr Altenburger is an employee of Visante Inc, a consulting company that provides services to health plans, prescription drug plans, and pharmacy benefit managers. He also previously owned a small number of shares in a MAPD plan as a result of previous employment, but all shares of stock were sold in October 2015.

Authorship Information: Concept and design; drafting of the manuscript; critical revision of the manuscript for important intellectual content.

Send correspondence to: Stephen Altenburger, PharmD, 36032 Caronia Cir, Avon, OH 44011. E-mail: saltenburger@visanteinc.com.

REFERENCES

• The 2014 Part C and Part D program audit and enforcement report. CMS website. https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/2014_Part_C_Part_D_Program_Audit_Annual_Report.pdf. Published October 13, 2015. Accessed November 4, 2015.
• Mulcahy G. 2015 program audit protocols and process updates [HPMS Memo - 2015 Program Audit Process and Protocols.ZIP > 2015ProgramAuditAnnouncementandProcessUpdates.pdf]. CMS website. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published February 13, 2015. Accessed November 4, 2015.
• Mulcahy G. 2015/2016 program audit protocols and process updates [HPMS Memo - 2015-2016 Program Audit Protocols and Process Updates.ZIP > 2015_2016_Program_Audit_Announcement_and_Process_Updates.pdf]. CMS website. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published October 20, 2015. Accessed November 4, 2015.
• Part C organization determinations, appeals and grievances (ODAG) program area audit process and data request [HPMS Memo- 2015-2016 Program Audit Protocols and Process Updates.ZIP > ODAG> Attachment_IV_ODAG_AuditProcess_DataRequest.pdf]. CMS website. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published October 20, 2015. Accessed November 4, 2015.
• Part D coverage determinations, appeals and grievances (CDAG) program area audit process and data request [HPMS Memo - 2015-2016 Program Audit Protocols and Process Updates.ZIP > CDAG > Attachment_III_CDAG_AuditProcess_DataRequest.pdf]. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published October 20, 2015. Accessed November 4, 2015.
• Part C and D compliance program effectiveness (CPE) program area audit process and data request [HPMS Memo - 2015-2016 Program Audit Protocols and Process Updates.ZIP > CPE > Attachment_I_CPE_AuditProcess_DataRequest.pdf]. CMS website. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published October 20, 2015. Accessed November 4, 2015.
• Mulcahy GJ. Final program audit scoring methodology. CMS website. https://www.cms.gov/medicare/compliance-and-audits/part-c-and-part-d-compliance-and-audits/downloads/hpms-memo-final-program-audit-scoring-methodology.pdf. Published May 17, 2013. Accessed November 4, 2015.
• Robinson-Savoy V, Brady B. Compliance program overview & FWA requirements: measuring effectiveness [CMS 2015 Medicare Advantage & Prescription Drug Plan Audit & Enforcement Conference & Webcast > Updated Presentations - As of 6/29/15.ZIP > CMS 2015 Medicare Advantage & Prescription Drug Plan Audit & Enforcement Conference & Webcast presentations.ZIP > 6_Compliance_Overview_FWA_Requirements.pdf]. CMS website. https://www.cms.gov/Outreach-and-Education/Training/CTEO/Event_Archives.html. Published June 16, 2015. Accessed November 4, 2015.
• Attachment I-B Medicare Advantage and prescription drug compliance program effectiveness (CPE) audit tracer sample PPT template [HPMS Memo- 2015-2016 Program Audit Protocols and Process Updates.ZIP > CPE > Attachment_I-B_CPE_Audit_Tracer_PPT_Template.pdf]. CMS website. http://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/ProgramAudits.html. Published October 20, 2015. Accessed November 4, 2015.
• Levinstim A; Medicare Parts C & D Oversight & Enforcement Group. Medicare Part C and Part D enforcement actions update [CMS 2014 Medicare Advantage & Prescription Drug Plan Fall Conference & Webcast > Updated Presentations — As of 9/10/14.ZIP > 6b_CMS Enforcement Actions.pdf]. CMS website. https://www.cms.gov/Outreach-and-Education/Training/CTEO/Event_Archives.html. Published September 11, 2014. Accessed November 4, 2015.
• Cutcliffe C. CMS program audit preparation—best practices and lessons learned [CMS 2015 Medicare Advantage & Prescription Drug Plan Audit & Enforcement Conference & Webcast > Updated Presentations — As of 6/29/15.ZIP > CMS 2015 Medicare Advantage & Prescription Drug Plan Audit & Enforcement Conference & Webcast presentations.ZIP > 1_CMS_Audit_and_Audit_Validation_Process_V5.pdf]. CMS website. https://www.cms.gov/Outreach-and-Education/Training/CTEO/Event_Archives.html. Published June 16, 2015. Accessed November 4, 2015.