CMS adds new changes to Medicare audit rules already under review

The Medicare Parts C and D Oversight and Enforcement Group (MOEG) of the Centers for Medicare and Medicaid Services (CMS) have released updates to the proposed 2017 Program Audit Protocols and Data Requests (CMS-10191) for Medicare Parts C and D that RegPulse first commented on in August 2016.

These changes have arisen, in part, because of public comments the agency received during the first 60-day comment period on the revised rules. Health plans that participate in these programs should familiarize themselves with the changes, especially the particular elements that have substantive effect, and may wish to participate in the new public comment period that ends December 5, 2016.

What should plans do, or prepare to do, in light of these changes? Among many granular calls to action, there are some common themes: rewriting and modifying internal reporting processes, creating and testing the new and amended templates and questionnaires, and identifying the shifts in talent and technology resource allocations that the new requirements may make necessary. Having a plan on paper is never a substitute for being demonstrably “audit-ready,” and that distinction may become even sharper now.

A partial list of the revisions, comprising the ones that appear to have the most significant impact, is included below. In general, the changes are consistent with CMS’ move to expand the scope and aggressiveness of the way it audits plans. The agency expects plans to be more self-examining and self-reporting with respect to the issues that come up during audits.

Because of the nature of these changes, plans may face new reporting risks – not only because the data and format requirements themselves are more exacting, but also because regulators will acquire even more data they can use to enforce standards and compare performance from one plan to another. The change also makes it more important for a plan to make sure the data it submits will match the facts auditors will find when they review actual business practices.

In addition to a careful review and possible participation in the comment period, affected plans may wish to assess what it will take to live under the proposed rules and to make preparations. For example, table completeness and accuracy is a common struggle. With requirements for this format likely to tighten, plans can start creating and testing formats now before they are needed.

The more information plans have about the specific data CMS wants to collect before audits, the better they may be able to prepare for those audits by analyzing the data themselves. While the mandate for regulators is still to conduct broad audits, data from plans can help them target specific inquiries, and plans can use the same data to anticipate areas of interest.

Key changes to the proposed Medicare audit protocols

In comparing the new version of the proposed Medicare audit protocols to the ones that were released earlier, hundreds of formal alterations emerge. But in the most significant changes, it appears that CMS has:

  • Modified the Disclosed and Self-Identified issues section in every protocol. The agency is no longer asking for self-identified issues, only issues that have been previously disclosed to CMS;
  • Downgraded the way issues that were disclosed, promptly identified, and corrected will be cited in a final report;
  • Added clarification that instructs sponsors to include both compliance and Fraud, Waste & Abuse (FWA) activities in their data universes;
  • Reduced the required activities to be included in Compliance Program Effectiveness (CPE) universes by removing daily monitoring and auditing activities;
  • Added a new section to the Organizational Structure and Governance template for sponsors to provide an overview of the organization’s standardized processes, tools and controls used to conduct the day-to-day oversight of compliance and FWA issues that may influence Medicare business operations;
  • Added a clarification of the requirement for an annual compliance program effectiveness assessment;
  • Revised the requirement related to the time zone in which universes should be submitted. The previous draft version of the audit protocols indicated that all entries should be submitted in one standardized time zone. This has been revised to indicate that the time zone should be consistent for each case and based on the time zone in which the case was received; and
  • Further clarified instructions on how to pull call logs—an update to the new tables for customer call logs that were added earlier. Specifically, the change limits calls to incoming calls from enrollees and representatives and excludes calls from prescribers. Additionally, CMS has made the record layout a recommendation, instead of a required format, and has narrowed the time range for the universe for calls to depending on organization size.

CMS has also added a brand-new requirement, which will have its own additional comment period: an industry-wide timeliness monitoring effort to test timeliness of all Part C organization determinations, Part D coverage determinations, and Part C and D appeals to better evaluate how well sponsors perform in the respective appeals. CMS is already evaluating sponsors on this information, but with the change, that monitoring will be ongoing instead of limited to plans under audit.


Tom Delegram
Managing Director| Deloitte Advisory
Deloitte & Touche LLP

Jack Scott
Managing Director | Deloitte Advisory
Deloitte & Touche LLP

One thought on “CMS adds new changes to Medicare audit rules already under review

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s