For Medicare contract sponsors to remain viable, it's now necessary to perform a comprehensive Medicare program compliance review. Proposed rule changes may give CMS additional authority next year.
The Medicare beneficiary volume is rapidly increasing with Baby Boomers entering the system. The increase in Medicare beneficiary volume over time may stress an already fragile operation. It will be critical that the system is sound and that Medicare beneficiaries will not be at risk due to operational deficiencies in the plans they are entering. When coupled with the increase in regulation and rule changes, organizations must get ahead of the compliance curve to prepare for the future of compliance in Medicare and other government programs.
On January 10, 2014, the Department of Health and Human Services (HHS) issued proposed rules that would grant the Centers for Medicare and Medicaid Services (CMS) additional authority to require Medicare Advantage and Medicare prescription drug benefit sponsors to conduct an independent third-party compliance audit of their Medicare program operation. While the proposed rules have not been finalized, they would take effect in 2015 and would require Medicare sponsors to obtain third-party services to perform full or partial Medicare program audits, as CMS deems appropriate. CMS is constrained in the number of Medicare program audits it can conduct annually due to limited resources, which is why CMS may be granted expanded authority. At a minimum, CMS is proposing to require Medicare Advantage and Part D sponsors to complete an independent audit by a third party every three years.
Understanding the elements of a comprehensive Medicare compliance review
A Medicare compliance review is an end-to-end review of a full Medicare program operation, or a thorough review of a part of it, typically performed through the use of an audit or inspection methodology. This type of review is best completed using CMS's program audit protocols, provided online through CMS's website. Sometimes these reviews are informally referred to as Medicare 360 reviews. The objective is to identify any compliance exposure in the Medicare program for remediation and to rectify any occurrence where Medicare beneficiaries may be at risk.
At present, more progressive organizations have performed these reviews with use of internal and/or external resources as part of normal course of business. Of course, the effectiveness of such a review is dependent on resource dedication, bandwidth, and competency available.
Oftentimes, these end-to-end reviews model a "follow-the-member" process.The review process starts upstream in the operational areas first encountered by the member, such as Sales, Product, and Marketing. The review moves downstream into Enrollment, Claims, Billing, Appeals & Grievances, and so forth. By concurrently focusing the approach on CMS rules and the Medicare beneficiary, the most effective outcome can be produced. Audit sampling should mimic the CMS audit protocols, whereby the samples tested are of targeted and valid populations. Using a follow-the-member process can help to determine the root cause of issues downstream that were originally created or encountered upstream during review. It also helps to better refine audit target areas as the review moves downstream.
Certain times of the year may be better than others to conduct the compliance review. It can be performed during non-peak season of Medicare, or it can be conducted during peak season (open enrollment). More often than not it is conducted during non-peak season. On the other hand, while conducting a compliance review during peak season is not ideal for operational workers, it does show where there are gaps amid operational high pressure and volume. This is similar to CMS performing targeted operational audits as opposed to random audits. If performing the review during open enrollment or other high-volume times of year, it is best to be as minimally invasive as possible while still getting the information needed to draw effective conclusions about compliance exposure and beneficiary risk. It will be important to explain to workers the rationale for such timeliness.
Finally, the results of such a comprehensive review are typically and periodically reported out to Audit and Compliance Committees, in addition to a Steering Committee developed solely for the purpose of the compliance review process. These can also be reported to the Board of Directors. If the proposed HHS rule is finalized, this information will also be required to be reported to CMS by the independent third party.
Impetus for performing a comprehensive Medicare program review
The HHS's proposed rule change for CMS is not the only rationale for conducting a review of this nature. Leaders in this space should ask themselves if CMS is likely to audit them in the near future. In this case, a comprehensive Medicare compliance review by an independent third party can act like a dry run of a CMS audit. It will also help the organization get ahead of any issues to minimize the findings by CMS.
CMS has approximately 300 Medicare parent organizations that perform Medicare Advantage and Part D functions nationally. Each year CMS is able to audit only about 30 parent organizations. This is the main reason for proposing expanded authority that will allow CMS to require Medicare sponsors to obtain a third-party review. Currently, to be chosen for a CMS audit, organizations fall into at least one of five categories: high-star-rated plans; sponsors with a low-performing icon; high-risk plans; sponsors not audited in last three years; and CMS Regional or Central Office referrals
The Federal Register also indicates that CMS conducts a risk assessment on an annual basis to determine which high-risk organizations to audit. Many of the program audits currently being conducted are with organizations whose contract performance or data indicators demonstrate the potential risk of failing to perform core program functions that, if not complied with, may result in beneficiary harm. These audits are a useful tool to help identify systemic deficiencies and failures in meeting CMS requirements, and they help to promote compliance with those requirements. While these types of audits are necessary because these organizations pose the most risk, not all organizations are receiving the benefit of having an independent audit of their organization on a regular basis. The leading practice in this case is to perform the compliance review regardless of whether the organization feels it will be selected by CMS in the near future.
Comprehensive Medicare program compliance review can have a number of benefits, beyond preparing for the likelihood of a CMS audit or a third-party required audit. It can also illuminate process and system failures, operational weaknesses in other government programs and vendor deficiencies while providing internal compliance staff with new risks for inclusion in annual audit work plans.
Vanessa Pawlak is a Senior Manager at Ernst & Young LLP.