CMS program audit evaluate the performance of the Medicare Advantage/Prescription drug plans (MAPDs) and prescription drug plans (PDPs) that provide health care coverage to Medicare eligible beneficiaries.

In February of 2015 CMS published the audit protocols that will be utilized for performance audits in the current calendar year. CMS introduced significant revisions compared to how the audits have been conducted in previous years. The changes, increased expectations for the timely and accurate submission of plan universes, and amplified consequences for failing to meet the new universe demands.

Key changes in the CMS Program Audit Protocols include:

  • A restructured format and composition of the audit universes;
  • Establishment of a required record layout for each universe;
  • Institution of a “3-strikes” policy for the submission of accurate and timely universes;
  • Redesign of the Compliance Program Effectiveness (CPE) protocol; and
  • Submission of Pre-Audit Issue Summary and associated Beneficiary Impact Analysis (BIA).

These key changes in audit protocols posed numerous challenges throughout the 2015 performance audits of MAPD and PDP plans, as well as the pharmacy benefit management (PBM) companies used by the plans. Based on the audits CMS conducted in early 2015, CMS updated and revised the protocols on October 20, 2015 and is planning on having the revised protocols remain in effect for 2016.

CMS added two additional weeks from the date of receipt of the audit start notice to the date the audit began. This allowed sponsors one additional week to compile universes and one additional week for CMS to analyze and validate universes prior to selecting samples.

The majority of the revisions in the October protocols focuses on modifying or clarifying the changes introduced in February. The following four areas are mostly impacted

1. Record layout modifications
In February, CMS introduced all new record layouts for plans to follow when constructing the requested universes. The record layouts contained detailed information (i.e., field name, type, length, and description) however insufficient detail for populating, data elements often left plans puzzled about how to create universes based on the new record layouts. The October release provides greater clarity along with additional instructions for producing the required universes.

The format of the record layouts remains the same except for the addition of a “Column ID” field. CMS added changes to streamline and clarify the content, including: rearranging variables, adding or renaming variables, removing superfluous fields and revising field descriptions to include more detail, examples of what was being requested and/or additional entry options.

CMS expanded the record layouts to allow sponsors to more easily recreate and conduct the universe timeliness tests for CDAG and ODAG. CMS has incorporated a data dictionary into the record layouts defining what was expected for each field.

The most affected layouts are those of Part C organization determinations, appeals, and grievances (ODAG) and Part D coverage determinations, appeals, and grievances (CDAG)

Modifications to the Compliance Program Effectiveness (CPE) record layouts are a bit more complex now due to the several new fields that have added more complexity than the previous versions due to the fact that the information required is normally stored in multiple fields requiring plans to consolidate the answer into one new field.

2. Invalid Data Submission classification.
The New protocols introduced a “3-strikes” policy for the submission of timely and accurate universes. Plans are given a maximum of 3 attempts to provide the correct universes. If a plan does not submit the correct universe by the third attempt the result is an “Immediate Corrective Action Required” (ICAR) finding—worth 2 audit points—for every condition that could not be tested. With so many universes required this can pose a significant risk to any plan.

The revised CMS Program Audit protocols maintain the 3-strike policy, but introduce a new “Invalid Data Submission” (IDS) condition, which is worth 1 audit point. Now, instead of an ICAR after 3 failed attempts, an IDS will be cited relative to each element that cannot be tested, grouped by the type of case. An IDS will also be cited if an accurate universe cannot be produced in fewer than 3 attempts due to missing or unavailable data.

3. Beneficiary Impact Analysis
Plans are now required to submit a Pre-Audit Issue Summary of previously disclosed and self-identified issues of noncompliance to CMS within 5 business days of receiving the audit start notice using the templates provided in the protocols by CMS.

The revised CMS program Audit protocols change the name from “Beneficiary Impact Analysis” to “Impact Analysis” (IA), and include revised templates. They are no longer required to be submitted with the Pre-Audit Issue Summary, but are required to be submitted as requested by the CMS Audit team for every issue discovered during the audit that has potential beneficiary impact. Though this can be considered a relief a plan will have limited time to produce this IA report, therefore, plans will have to prepare for these type of queries in advance.

4. Compliance Program Effectiveness
CMS redesigned the protocol used to test the 7 elements of an effective compliance department. Instead of conducting a content review of over 30 documents, CMS used 5 tracer samples to follow the flow of an issue as it moved through the elements of its compliance program. At first Plans did not receive much guidance on how to create these tracer samples and often scrambled in the time leading up to an audit to produce a comprehensive tracer sample. A new template was introduced in June 2015 and explained in more detail during the Spring Conference.

For 2016, CMS will review 6 tracer samples, a tracer template is now provided with the revised protocols, In addition to the changes to the tracer process, the compliance interview process modification includes a reduction in employee interviews and adds an interview with an individual responsible for managing the oversight of the plans “first-tier, downstream and related entities.” Because of the complexities in creating a comprehensive tracer sample, plans should practice building these samples on a routine basis.

Overhauling of the CPE audit protocol resulted in a decrease in the volume of documentation requested in advance of each audit

Although the revised CMS Program Audit protocols do not reduce the burden of work for Medicare Part C and D plans, they can be viewed overall as a positive step in helping plans prepare for an audit. The revised protocols demonstrate that CMS’s is series about a shift toward greater transparency, and their willingness to work with our industry to improve the overall audit process and experience.

CMS is in a new cycle of auditing. CMS is planning to evaluate the sustainability of compliance as they audit sponsors that also underwent audit in the last cycle.

With CMS’s continued scrutiny of data accuracy, plans should invest in the time and resources needed to:

Improve Quality assurance.
Conduct Mock audits—both internal and external—to evaluate their audit readiness,
Review the quality of their universe pulls as often as is feasible (Quarterly).